Plume/src/api/mod.rs

#![warn(clippy::too_many_arguments)]
use rocket::{
    request::{Form, Request},
    response::{self, Responder},
};
use rocket_contrib::json::Json;
use serde_json;

use plume_common::utils::random_hex;
use plume_models::{api_tokens::*, apps::App, db_conn::DbConn, users::User, Error};

#[derive(Debug)]
pub struct ApiError(Error);

impl From<Error> for ApiError {
    fn from(err: Error) -> ApiError {
        ApiError(err)
    }
}

impl<'r> Responder<'r> for ApiError {
    fn respond_to(self, req: &Request) -> response::Result<'r> {
        match self.0 {
            Error::NotFound => Json(json!({
                "error": "Not found"
            }))
            .respond_to(req),
            Error::Unauthorized => Json(json!({
                "error": "You are not authorized to access this resource"
            }))
            .respond_to(req),
            _ => Json(json!({
                "error": "Server error"
            }))
            .respond_to(req),
        }
    }
}

#[derive(FromForm)]
pub struct OAuthRequest {
    client_id: String,
    client_secret: String,
    password: String,
    username: String,
    scopes: String,
}

#[get("/oauth2?<query..>")]
pub fn oauth(query: Form<OAuthRequest>, conn: DbConn) -> Result<Json<serde_json::Value>, ApiError> {
    let app = App::find_by_client_id(&*conn, &query.client_id)?;
    if app.client_secret == query.client_secret {
        if let Ok(user) = User::find_by_fqn(&*conn, &query.username) {
            if user.auth(&query.password) {
                let token = ApiToken::insert(
                    &*conn,
                    NewApiToken {
                        app_id: app.id,
                        user_id: user.id,
                        value: random_hex(),
                        scopes: query.scopes.clone(),
                    },
                )?;
                Ok(Json(json!({
                    "token": token.value
                })))
            } else {
                Ok(Json(json!({
                    "error": "Invalid credentials"
                })))
            }
        } else {
            // Making fake password verification to avoid different
            // response times that would make it possible to know
            // if a username is registered or not.
            User::get(&*conn, 1)?.auth(&query.password);
            Ok(Json(json!({
                "error": "Invalid credentials"
            })))
        }
    } else {
        Ok(Json(json!({
            "error": "Invalid client_secret"
        })))
    }
}

pub mod apps;
pub mod authorization;
pub mod posts;
Refactor with the help of Clippy (#462) We add clippy as our build — also rectifying the missing `plume-cli` build! In the next step we follow clippy's advise and fix some of the "simple" mistakes in our code, such as style or map usage. Finally, we refactor some hard bits that need extraction of new types, or refactoring of function call-types, especially those that thread thru macros, and, of course functions with ~15 parameters should probably be rethought. 2019-03-19 14:37:56 +01:00			`#![warn(clippy::too_many_arguments)]`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`use rocket::{`
			`request::{Form, Request},`
			`response::{self, Responder},`
			`};`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`use rocket_contrib::json::Json;`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`use serde_json;`

			`use plume_common::utils::random_hex;`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`use plume_models::{api_tokens::*, apps::App, db_conn::DbConn, users::User, Error};`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`#[derive(Debug)]`
			`pub struct ApiError(Error);`

			`impl From<Error> for ApiError {`
			`fn from(err: Error) -> ApiError {`
			`ApiError(err)`
			`}`
			`}`

			`impl<'r> Responder<'r> for ApiError {`
			`fn respond_to(self, req: &Request) -> response::Result<'r> {`
			`match self.0 {`
			`Error::NotFound => Json(json!({`
			`"error": "Not found"`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`}))`
			`.respond_to(req),`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`Error::Unauthorized => Json(json!({`
			`"error": "You are not authorized to access this resource"`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`}))`
			`.respond_to(req),`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`_ => Json(json!({`
			`"error": "Server error"`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`}))`
			`.respond_to(req),`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`}`
			`}`
			`}`

Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`#[derive(FromForm)]`
Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`pub struct OAuthRequest {`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`client_id: String,`
			`client_secret: String,`
			`password: String,`
			`username: String,`
			`scopes: String,`
			`}`

Use Ructe (#327) All the template are now compiled at compile-time with the `ructe` crate. I preferred to use it instead of askama because it allows more complex Rust expressions, where askama only supports a small subset of expressions and doesn't allow them everywhere (for instance, `{{ macro!() \| filter }}` would result in a parsing error). The diff is quite huge, but there is normally no changes in functionality. Fixes #161 and unblocks #110 and #273 2018-12-06 18:54:16 +01:00			`#[get("/oauth2?<query..>")]`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`pub fn oauth(query: Form<OAuthRequest>, conn: DbConn) -> Result<Json<serde_json::Value>, ApiError> {`
			`let app = App::find_by_client_id(&*conn, &query.client_id)?;`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`if app.client_secret == query.client_secret {`
Add a fqn field to blogs and users (#457) Fixes #319 2019-03-06 18:28:10 +01:00			`if let Ok(user) = User::find_by_fqn(&*conn, &query.username) {`
Run cargo clippy on whole project (#322) * Run cargo clippy on plume-common Run clippy on plume-common and adjuste code accordingly * Run cargo clippy on plume-model Run clippy on plume-model and adjuste code accordingly * Reduce need for allocation in plume-common * Reduce need for allocation in plume-model add a quick compilation failure if no database backend is enabled * Run cargo clippy on plume-cli * Run cargo clippy on plume 2018-11-26 10:21:52 +01:00			`if user.auth(&query.password) {`
Run 'cargo fmt' to format code (#489) 2019-03-20 17:56:17 +01:00			`let token = ApiToken::insert(`
			`&*conn,`
			`NewApiToken {`
			`app_id: app.id,`
			`user_id: user.id,`
			`value: random_hex(),`
			`scopes: query.scopes.clone(),`
			`},`
			`)?;`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`Ok(Json(json!({`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`"token": token.value`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`})))`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`} else {`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`Ok(Json(json!({`
Make it impossible to know if an username is used or not with the API 2018-10-23 11:50:52 +02:00			`"error": "Invalid credentials"`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`})))`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`}`
			`} else {`
Make it impossible to know if an username is used or not with the API 2018-10-23 11:50:52 +02:00			`// Making fake password verification to avoid different`
			`// response times that would make it possible to know`
			`// if a username is registered or not.`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`User::get(&*conn, 1)?.auth(&query.password);`
			`Ok(Json(json!({`
Make it impossible to know if an username is used or not with the API 2018-10-23 11:50:52 +02:00			`"error": "Invalid credentials"`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`})))`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`}`
			`} else {`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`Ok(Json(json!({`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`"error": "Invalid client_secret"`
Avoid panics (#392) - Use `Result` as much as possible - Display errors instead of panicking TODO (maybe in another PR? this one is already quite big): - Find a way to merge Ructe/ErrorPage types, so that we can have routes returning `Result<X, ErrorPage>` instead of panicking when we have an `Error` - Display more details about the error, to make it easier to debug (sorry, this isn't going to be fun to review, the diff is huge, but it is always the same changes) 2018-12-29 09:36:07 +01:00			`})))`
Add an ApiToken model, and an endpoint to get one 2018-10-22 15:30:04 +02:00			`}`
			`}`

Add an API endpoint to register apps 2018-10-21 18:22:27 +02:00			`pub mod apps;`
New request guard: Authorization<Action, Scope> Filter requests that don't have an API token authorized to read or write a specific scope; 2018-10-23 11:37:24 +02:00			`pub mod authorization;`
Add canapi and try to use for the API 2018-09-19 16:49:34 +02:00			`pub mod posts;`