Plume/src/routes/session.rs

use rocket::{
    http::{Cookie, Cookies, SameSite, uri::Uri},
    response::Redirect,
    request::{LenientForm,FlashMessage}
};
use rocket::http::ext::IntoOwned;
use rocket_i18n::I18n;
use std::borrow::Cow;
use validator::{Validate, ValidationError, ValidationErrors};
use template_utils::Ructe;

use plume_models::{
    db_conn::DbConn,
    users::{User, AUTH_COOKIE}
};

#[get("/login?<m>")]
pub fn new(user: Option<User>, conn: DbConn, m: Option<String>, intl: I18n) -> Ructe {
    render!(session::login(
        &(&*conn, &intl.catalog, user),
        m,
        &LoginForm::default(),
        ValidationErrors::default()
    ))
}

#[derive(Default, FromForm, Validate, Serialize)]
pub struct LoginForm {
    #[validate(length(min = "1", message = "We need an email or a username to identify you"))]
    pub email_or_name: String,
    #[validate(length(min = "1", message = "Your password can't be empty"))]
    pub password: String
}

#[post("/login", data = "<form>")]
pub fn create(conn: DbConn, form: LenientForm<LoginForm>, flash: Option<FlashMessage>, mut cookies: Cookies, intl: I18n) -> Result<Redirect, Ructe> {
    let user = User::find_by_email(&*conn, &form.email_or_name)
        .or_else(|| User::find_local(&*conn, &form.email_or_name));
    let mut errors = match form.validate() {
        Ok(_) => ValidationErrors::new(),
        Err(e) => e
    };

    if let Some(user) = user.clone() {
        if !user.auth(&form.password) {
            let mut err = ValidationError::new("invalid_login");
            err.message = Some(Cow::from("Invalid username or password"));
            errors.add("email_or_name", err)
        }
    } else {
        // Fake password verification, only to avoid different login times
        // that could be used to see if an email adress is registered or not
        User::get(&*conn, 1).map(|u| u.auth(&form.password));

        let mut err = ValidationError::new("invalid_login");
        err.message = Some(Cow::from("Invalid username or password"));
        errors.add("email_or_name", err)
    }

    if errors.is_empty() {
        cookies.add_private(Cookie::build(AUTH_COOKIE, user.unwrap().id.to_string())
                                            .same_site(SameSite::Lax)
                                            .finish());

        let destination = flash
            .and_then(|f| if f.name() == "callback" {
                Some(f.msg().to_owned())
            } else {
                None
            })
            .unwrap_or_else(|| "/".to_owned());

        let uri = Uri::parse(&destination)
            .map(|x| x.into_owned())
           .map_err(|_| render!(session::login(
                &(&*conn, &intl.catalog, None),
                None,
                &*form,
                errors
            )))?;

        Ok(Redirect::to(uri))
    } else {
        Err(render!(session::login(
            &(&*conn, &intl.catalog, None),
            None,
            &*form,
            errors
        )))
    }
}

#[get("/logout")]
pub fn delete(mut cookies: Cookies) -> Redirect {
    if let Some(cookie) = cookies.get_private(AUTH_COOKIE) {
        cookies.remove_private(cookie);
    }
    Redirect::to("/")
}
Reorganize use statements 2018-05-19 09:39:59 +02:00			`use rocket::{`
Update cookie management a bit Update to latest rocket_csrf Make user_id a samesite lax cookie (see https://github.com/Plume-org/Plume/issues/233#issuecomment-422660275) 2018-09-30 11:56:12 +02:00			`http::{Cookie, Cookies, SameSite, uri::Uri},`
Actually validate forms 2018-07-06 11:51:19 +02:00			`response::Redirect,`
Add csrf protection 2018-06-24 18:58:57 +02:00			`request::{LenientForm,FlashMessage}`
Reorganize use statements 2018-05-19 09:39:59 +02:00			`};`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00			`use rocket::http::ext::IntoOwned;`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`use rocket_i18n::I18n;`
Fix #167 2018-08-18 12:37:40 +02:00			`use std::borrow::Cow;`
Actually validate forms 2018-07-06 11:51:19 +02:00			`use validator::{Validate, ValidationError, ValidationErrors};`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`use template_utils::Ructe;`
Reorganize uses 2018-04-24 11:21:39 +02:00
Big repository reorganization The code is divided in three crates: - plume-common, for the ActivityPub module, and some common utils - plume-models, for the models and database-related code - plume, the app itself This new organization will allow to test it more easily, but also to create other tools that only reuse a little part of the code (for instance a Wordpress import tool, that would just use the plume-models crate) 2018-06-23 18:36:11 +02:00			`use plume_models::{`
			`db_conn::DbConn,`
			`users::{User, AUTH_COOKIE}`
			`};`
Authentication 2018-04-23 11:52:44 +02:00
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`#[get("/login?<m>")]`
Remove useless pagination routes (#351) Rocket 0.4 let us have routes with optional query parameter 2018-12-13 22:20:19 +01:00			`pub fn new(user: Option<User>, conn: DbConn, m: Option<String>, intl: I18n) -> Ructe {`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`render!(session::login(`
			`&(&*conn, &intl.catalog, user),`
Remove useless pagination routes (#351) Rocket 0.4 let us have routes with optional query parameter 2018-12-13 22:20:19 +01:00			`m,`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`&LoginForm::default(),`
			`ValidationErrors::default()`
			`))`
add optional login message and callback 2018-06-04 20:21:43 +02:00			`}`

Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`#[derive(Default, FromForm, Validate, Serialize)]`
			`pub struct LoginForm {`
HTML validation + Actually associate messages to errors + Fix inverted behavior on new blog and post form 2018-07-07 22:51:48 +02:00			`#[validate(length(min = "1", message = "We need an email or a username to identify you"))]`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`pub email_or_name: String,`
Fix #167 2018-08-18 12:37:40 +02:00			`#[validate(length(min = "1", message = "Your password can't be empty"))]`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`pub password: String`
Authentication 2018-04-23 11:52:44 +02:00			`}`

Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`#[post("/login", data = "<form>")]`
			`pub fn create(conn: DbConn, form: LenientForm<LoginForm>, flash: Option<FlashMessage>, mut cookies: Cookies, intl: I18n) -> Result<Redirect, Ructe> {`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`let user = User::find_by_email(&*conn, &form.email_or_name)`
			`.or_else(\|\| User::find_local(&*conn, &form.email_or_name));`
Actually validate forms 2018-07-06 11:51:19 +02:00			`let mut errors = match form.validate() {`
			`Ok(_) => ValidationErrors::new(),`
			`Err(e) => e`
Authentication 2018-04-23 11:52:44 +02:00			`};`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00
Normalize panic message and return 400 or 404 when suitable 2018-10-20 11:04:20 +02:00			`if let Some(user) = user.clone() {`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`if !user.auth(&form.password) {`
Normalize panic message and return 400 or 404 when suitable 2018-10-20 11:04:20 +02:00			`let mut err = ValidationError::new("invalid_login");`
			`err.message = Some(Cow::from("Invalid username or password"));`
			`errors.add("email_or_name", err)`
			`}`
			`} else {`
Fake password verification when trying to login with inexistant account Fix #170 2018-09-03 19:04:21 +02:00			`// Fake password verification, only to avoid different login times`
			`// that could be used to see if an email adress is registered or not`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`User::get(&*conn, 1).map(\|u\| u.auth(&form.password));`
Fake password verification when trying to login with inexistant account Fix #170 2018-09-03 19:04:21 +02:00
Fix #167 2018-08-18 12:37:40 +02:00			`let mut err = ValidationError::new("invalid_login");`
			`err.message = Some(Cow::from("Invalid username or password"));`
			`errors.add("email_or_name", err)`
Actually validate forms 2018-07-06 11:51:19 +02:00			`}`
Fix #167 2018-08-18 12:37:40 +02:00
Actually validate forms 2018-07-06 11:51:19 +02:00			`if errors.is_empty() {`
Update cookie management a bit Update to latest rocket_csrf Make user_id a samesite lax cookie (see https://github.com/Plume-org/Plume/issues/233#issuecomment-422660275) 2018-09-30 11:56:12 +02:00			`cookies.add_private(Cookie::build(AUTH_COOKIE, user.unwrap().id.to_string())`
			`.same_site(SameSite::Lax)`
			`.finish());`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00
			`let destination = flash`
			`.and_then(\|f\| if f.name() == "callback" {`
			`Some(f.msg().to_owned())`
			`} else {`
			`None`
			`})`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`.unwrap_or_else(\|\| "/".to_owned());`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00
			`let uri = Uri::parse(&destination)`
			`.map(\|x\| x.into_owned())`
Upgrade plume dependencies (#332) * Bump base64 from 0.9.3 to 0.10.0 * Bump bcrypt from 0.2.0 to 0.2.1 * Bump canapi from 0.1.0 to 0.2.0 * Bump failure from 0.1.2 to 0.1.3 * Bump hyper from 0.11.27 to 0.12.11 * Bump hyper from 0.11.27 to 0.12.16 * Bump lazy_static from 1.1.0 to 1.2.0 * Bump multipart from 0.15.3 to 0.15.4 * Bump openssl from 0.10.12 to 0.10.15 * Bump pulldown-cmark from 0.1.2 to 0.2.0 * Bump reqwest from 0.9.2 to 0.9.5 * Bump rocket from 0.4.0-rc.1 to 0.4.0 * Bump rpassword from 2.0.0 to 2.1.0 * Bump ructe from 0.5.2 to 0.5.4 * Bump serde_derive from 1.0.79 to 1.0.80 * Bump serde from 1.0.79 to 1.0.80 * Bump serde_json from 1.0.32 to 1.0.33 * Bump tera from 0.11.17 to 0.11.20 * Bump url from 1.7.1 to 1.7.2 * Bump validator to from 0.7.2 to 0.8.0 * Bump validator_derive from 0.7.2 to 0.8.0 * Bump whatlang from 0.5.0 to 0.6.0 * Remove hyper from plume-common dependencies * Remove rpassword from Plume dependancies * Upgrade compiler to nightly-2018-12-06 2018-12-07 21:00:12 +01:00			`.map_err(\|_\| render!(session::login(`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`&(&*conn, &intl.catalog, None),`
			`None,`
			`&*form,`
			`errors`
			`)))?;`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00
			`Ok(Redirect::to(uri))`
Actually validate forms 2018-07-06 11:51:19 +02:00			`} else {`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`Err(render!(session::login(`
			`&(&*conn, &intl.catalog, None),`
			`None,`
			`&*form,`
			`errors`
			`)))`
Authentication 2018-04-23 11:52:44 +02:00			`}`
			`}`
Implement logout 2018-04-23 13:13:49 +02:00
			`#[get("/logout")]`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`pub fn delete(mut cookies: Cookies) -> Redirect {`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`if let Some(cookie) = cookies.get_private(AUTH_COOKIE) {`
			`cookies.remove_private(cookie);`
			`}`
Implement logout 2018-04-23 13:13:49 +02:00			`Redirect::to("/")`
			`}`