Plume/src/routes/session.rs

use rocket::{
    http::{Cookie, Cookies, uri::Uri},
    response::Redirect,
    request::{LenientForm,FlashMessage}
};
use rocket_contrib::Template;
use rocket::http::ext::IntoOwned;
use std::borrow::Cow;
use validator::{Validate, ValidationError, ValidationErrors};

use plume_models::{
    db_conn::DbConn,
    users::{User, AUTH_COOKIE}
};

#[get("/login")]
fn new(user: Option<User>, conn: DbConn) -> Template {
    Template::render("session/login", json!({
        "account": user.map(|u| u.to_json(&*conn)),
        "errors": null,
        "form": null
    }))
}

#[derive(FromForm)]
struct Message {
	m: String
}

#[get("/login?<message>")]
fn new_message(user: Option<User>, message: Message, conn: DbConn) -> Template {
    Template::render("session/login", json!({
        "account": user.map(|u| u.to_json(&*conn)),
        "message": message.m,
        "errors": null,
        "form": null
    }))
}


#[derive(FromForm, Validate, Serialize)]
struct LoginForm {
    #[validate(length(min = "1", message = "We need an email or a username to identify you"))]
    email_or_name: String,
    #[validate(length(min = "1", message = "Your password can't be empty"))]
    password: String
}

#[post("/login", data = "<data>")]
fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage>, mut cookies: Cookies) -> Result<Redirect, Template> {
    let form = data.get();
    let user = User::find_by_email(&*conn, form.email_or_name.to_string())
        .map(|u| Ok(u))
        .unwrap_or_else(|| User::find_local(&*conn, form.email_or_name.to_string()).map(|u| Ok(u)).unwrap_or(Err(())));

    let mut errors = match form.validate() {
        Ok(_) => ValidationErrors::new(),
        Err(e) => e
    };
    if let Err(_) = user.clone() {
        // Fake password verification, only to avoid different login times
        // that could be used to see if an email adress is registered or not
        User::get(&*conn, 1).map(|u| u.auth(form.password.clone()));

        let mut err = ValidationError::new("invalid_login");
        err.message = Some(Cow::from("Invalid username or password"));
        errors.add("email_or_name", err)
    } else if !user.clone().expect("User not found").auth(form.password.clone()) {
        let mut err = ValidationError::new("invalid_login");
        err.message = Some(Cow::from("Invalid username or password"));
        errors.add("email_or_name", err)
    }

    if errors.is_empty() {
        cookies.add_private(Cookie::new(AUTH_COOKIE, user.unwrap().id.to_string()));

        let destination = flash
            .and_then(|f| if f.name() == "callback" {
                Some(f.msg().to_owned())
            } else {
                None
            })
            .unwrap_or("/".to_owned());

        let uri = Uri::parse(&destination)
            .map(|x| x.into_owned())
            .map_err(|_| {
            Template::render("session/login", json!({
                "account": null,
                "errors": errors.inner(),
                "form": form
            }))
        })?;

        Ok(Redirect::to(uri))
    } else {
        println!("{:?}", errors);
        Err(Template::render("session/login", json!({
            "account": null,
            "errors": errors.inner(),
            "form": form
        })))
    }
}

#[get("/logout")]
fn delete(mut cookies: Cookies) -> Redirect {
    let cookie = cookies.get_private(AUTH_COOKIE).unwrap();
    cookies.remove_private(cookie);
    Redirect::to("/")
}
Reorganize use statements 2018-05-19 09:39:59 +02:00			`use rocket::{`
Update to the latest version of Rocket, to use rocket_contrib::Template::custom 2018-06-16 19:39:22 +02:00			`http::{Cookie, Cookies, uri::Uri},`
Actually validate forms 2018-07-06 11:51:19 +02:00			`response::Redirect,`
Add csrf protection 2018-06-24 18:58:57 +02:00			`request::{LenientForm,FlashMessage}`
Reorganize use statements 2018-05-19 09:39:59 +02:00			`};`
Reorganize uses 2018-04-24 11:21:39 +02:00			`use rocket_contrib::Template;`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00			`use rocket::http::ext::IntoOwned;`
Fix #167 2018-08-18 12:37:40 +02:00			`use std::borrow::Cow;`
Actually validate forms 2018-07-06 11:51:19 +02:00			`use validator::{Validate, ValidationError, ValidationErrors};`
Reorganize uses 2018-04-24 11:21:39 +02:00
Big repository reorganization The code is divided in three crates: - plume-common, for the ActivityPub module, and some common utils - plume-models, for the models and database-related code - plume, the app itself This new organization will allow to test it more easily, but also to create other tools that only reuse a little part of the code (for instance a Wordpress import tool, that would just use the plume-models crate) 2018-06-23 18:36:11 +02:00			`use plume_models::{`
			`db_conn::DbConn,`
			`users::{User, AUTH_COOKIE}`
			`};`
Authentication 2018-04-23 11:52:44 +02:00
			`#[get("/login")]`
Redesign menu items 2018-09-03 15:59:02 +02:00			`fn new(user: Option<User>, conn: DbConn) -> Template {`
Start an actual design 2018-05-10 22:31:52 +02:00			`Template::render("session/login", json!({`
Redesign menu items 2018-09-03 15:59:02 +02:00			`"account": user.map(\|u\| u.to_json(&*conn)),`
			`"errors": null,`
Display errors on invalid forms It will probably need a bit of styling… 2018-07-06 19:29:36 +02:00			`"form": null`
Start an actual design 2018-05-10 22:31:52 +02:00			`}))`
Authentication 2018-04-23 11:52:44 +02:00			`}`

add optional login message and callback 2018-06-04 20:21:43 +02:00			`#[derive(FromForm)]`
			`struct Message {`
			`m: String`
			`}`

			`#[get("/login?<message>")]`
Redesign menu items 2018-09-03 15:59:02 +02:00			`fn new_message(user: Option<User>, message: Message, conn: DbConn) -> Template {`
add optional login message and callback 2018-06-04 20:21:43 +02:00			`Template::render("session/login", json!({`
Redesign menu items 2018-09-03 15:59:02 +02:00			`"account": user.map(\|u\| u.to_json(&*conn)),`
Display errors on invalid forms It will probably need a bit of styling… 2018-07-06 19:29:36 +02:00			`"message": message.m,`
			`"errors": null,`
			`"form": null`
add optional login message and callback 2018-06-04 20:21:43 +02:00			`}))`
			`}`


Make LoginForm serializable 2018-07-06 21:59:17 +02:00			`#[derive(FromForm, Validate, Serialize)]`
Authentication 2018-04-23 11:52:44 +02:00			`struct LoginForm {`
HTML validation + Actually associate messages to errors + Fix inverted behavior on new blog and post form 2018-07-07 22:51:48 +02:00			`#[validate(length(min = "1", message = "We need an email or a username to identify you"))]`
Authentication 2018-04-23 11:52:44 +02:00			`email_or_name: String,`
Fix #167 2018-08-18 12:37:40 +02:00			`#[validate(length(min = "1", message = "Your password can't be empty"))]`
Authentication 2018-04-23 11:52:44 +02:00			`password: String`
			`}`

			`#[post("/login", data = "<data>")]`
Actually validate forms 2018-07-06 11:51:19 +02:00			`fn create(conn: DbConn, data: LenientForm<LoginForm>, flash: Option<FlashMessage>, mut cookies: Cookies) -> Result<Redirect, Template> {`
Authentication 2018-04-23 11:52:44 +02:00			`let form = data.get();`
Actually validate forms 2018-07-06 11:51:19 +02:00			`let user = User::find_by_email(&*conn, form.email_or_name.to_string())`
			`.map(\|u\| Ok(u))`
			`.unwrap_or_else(\|\| User::find_local(&*conn, form.email_or_name.to_string()).map(\|u\| Ok(u)).unwrap_or(Err(())));`
Fix #167 2018-08-18 12:37:40 +02:00
Actually validate forms 2018-07-06 11:51:19 +02:00			`let mut errors = match form.validate() {`
			`Ok(_) => ValidationErrors::new(),`
			`Err(e) => e`
Authentication 2018-04-23 11:52:44 +02:00			`};`
Actually validate forms 2018-07-06 11:51:19 +02:00			`if let Err(_) = user.clone() {`
Fake password verification when trying to login with inexistant account Fix #170 2018-09-03 19:04:21 +02:00			`// Fake password verification, only to avoid different login times`
			`// that could be used to see if an email adress is registered or not`
			`User::get(&*conn, 1).map(\|u\| u.auth(form.password.clone()));`

Fix #167 2018-08-18 12:37:40 +02:00			`let mut err = ValidationError::new("invalid_login");`
			`err.message = Some(Cow::from("Invalid username or password"));`
			`errors.add("email_or_name", err)`
Actually validate forms 2018-07-06 11:51:19 +02:00			`} else if !user.clone().expect("User not found").auth(form.password.clone()) {`
Fix #167 2018-08-18 12:37:40 +02:00			`let mut err = ValidationError::new("invalid_login");`
			`err.message = Some(Cow::from("Invalid username or password"));`
			`errors.add("email_or_name", err)`
Actually validate forms 2018-07-06 11:51:19 +02:00			`}`
Fix #167 2018-08-18 12:37:40 +02:00
Actually validate forms 2018-07-06 11:51:19 +02:00			`if errors.is_empty() {`
			`cookies.add_private(Cookie::new(AUTH_COOKIE, user.unwrap().id.to_string()));`
deps: Update to a more recent rocket and rust toolchain With this patch, Plume will be use a more up-to-date revision of Rocket, that works with nightly-2018-07-17. It may have been able to make it work with a more recent revision, but it turns out rocket has introduced several breaking changes so I’d rather fix those. Besides updating rocket_i18n and rocket_csrf to use the same revision than Plume, this patch deals with the new implementation of the Uri<'_> type. It silents a class of warnings, to deal with a change in rustc which affects diesel. This latter change should be reverted as soon as diesel releases a new version of its crate. 2018-09-08 01:11:27 +02:00
			`let destination = flash`
			`.and_then(\|f\| if f.name() == "callback" {`
			`Some(f.msg().to_owned())`
			`} else {`
			`None`
			`})`
			`.unwrap_or("/".to_owned());`

			`let uri = Uri::parse(&destination)`
			`.map(\|x\| x.into_owned())`
			`.map_err(\|_\| {`
			`Template::render("session/login", json!({`
			`"account": null,`
			`"errors": errors.inner(),`
			`"form": form`
			`}))`
			`})?;`

			`Ok(Redirect::to(uri))`
Actually validate forms 2018-07-06 11:51:19 +02:00			`} else {`
Fix #167 2018-08-18 12:37:40 +02:00			`println!("{:?}", errors);`
Actually validate forms 2018-07-06 11:51:19 +02:00			`Err(Template::render("session/login", json!({`
Fix #167 2018-08-18 12:37:40 +02:00			`"account": null,`
Display errors on invalid forms It will probably need a bit of styling… 2018-07-06 19:29:36 +02:00			`"errors": errors.inner(),`
			`"form": form`
Actually validate forms 2018-07-06 11:51:19 +02:00			`})))`
Authentication 2018-04-23 11:52:44 +02:00			`}`
			`}`
Implement logout 2018-04-23 13:13:49 +02:00
			`#[get("/logout")]`
			`fn delete(mut cookies: Cookies) -> Redirect {`
			`let cookie = cookies.get_private(AUTH_COOKIE).unwrap();`
			`cookies.remove_private(cookie);`
			`Redirect::to("/")`
			`}`