New request guard: Authorization<Action, Scope>
Filter requests that don't have an API token authorized to read or write a specific scope;
This commit is contained in:
parent
cd4ae5b7f5
commit
31641b1ea1
@ -44,7 +44,7 @@ impl ApiToken {
|
|||||||
insert!(api_tokens, NewApiToken);
|
insert!(api_tokens, NewApiToken);
|
||||||
find_by!(api_tokens, find_by_value, value as String);
|
find_by!(api_tokens, find_by_value, value as String);
|
||||||
|
|
||||||
fn can(&self, what: &'static str, scope: &'static str) -> bool {
|
pub fn can(&self, what: &'static str, scope: &'static str) -> bool {
|
||||||
let full_scope = what.to_owned() + ":" + scope;
|
let full_scope = what.to_owned() + ":" + scope;
|
||||||
for s in self.scopes.split('+') {
|
for s in self.scopes.split('+') {
|
||||||
if s == what || s == full_scope {
|
if s == what || s == full_scope {
|
||||||
|
57
src/api/authorization.rs
Normal file
57
src/api/authorization.rs
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
use rocket::{
|
||||||
|
Outcome,
|
||||||
|
http::Status,
|
||||||
|
request::{self, FromRequest, Request}
|
||||||
|
};
|
||||||
|
use plume_models::{self, api_tokens::ApiToken};
|
||||||
|
|
||||||
|
// Actions
|
||||||
|
pub trait Action {
|
||||||
|
fn to_str() -> &'static str;
|
||||||
|
}
|
||||||
|
pub struct Read;
|
||||||
|
impl Action for Read {
|
||||||
|
fn to_str() -> &'static str {
|
||||||
|
"read"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
pub struct Write;
|
||||||
|
impl Action for Write {
|
||||||
|
fn to_str() -> &'static str {
|
||||||
|
"write"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// Scopes
|
||||||
|
pub trait Scope {
|
||||||
|
fn to_str() -> &'static str;
|
||||||
|
}
|
||||||
|
impl Scope for plume_models::posts::Post {
|
||||||
|
fn to_str() -> &'static str {
|
||||||
|
"posts"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// We have to use A and S in the struct definition
|
||||||
|
// otherwise rustc complains they are useless
|
||||||
|
//
|
||||||
|
// A nicer solution is probably possible.
|
||||||
|
pub struct Authorization<A, S> (Option<A>, Option<S>);
|
||||||
|
|
||||||
|
impl<'a, 'r, A, S> FromRequest<'a, 'r> for Authorization<A, S>
|
||||||
|
where A: Action,
|
||||||
|
S: Scope
|
||||||
|
{
|
||||||
|
type Error = ();
|
||||||
|
|
||||||
|
fn from_request(request: &'a Request<'r>) -> request::Outcome<Authorization<A, S>, ()> {
|
||||||
|
request.guard::<ApiToken>()
|
||||||
|
.map_failure(|_| (Status::Unauthorized, ()))
|
||||||
|
.and_then(|token| if token.can(A::to_str(), S::to_str()) {
|
||||||
|
Outcome::Success(Authorization(None, None))
|
||||||
|
} else {
|
||||||
|
Outcome::Failure((Status::Unauthorized, ()))
|
||||||
|
})
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -51,4 +51,5 @@ fn oauth(query: OAuthRequest, conn: DbConn) -> Json<serde_json::Value> {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub mod apps;
|
pub mod apps;
|
||||||
|
pub mod authorization;
|
||||||
pub mod posts;
|
pub mod posts;
|
||||||
|
@ -7,31 +7,20 @@ use serde_qs;
|
|||||||
use plume_api::posts::PostEndpoint;
|
use plume_api::posts::PostEndpoint;
|
||||||
use plume_models::{
|
use plume_models::{
|
||||||
Connection,
|
Connection,
|
||||||
api_tokens::ApiToken,
|
|
||||||
db_conn::DbConn,
|
db_conn::DbConn,
|
||||||
posts::Post,
|
posts::Post,
|
||||||
};
|
};
|
||||||
|
use api::authorization::*;
|
||||||
|
|
||||||
#[get("/posts/<id>")]
|
#[get("/posts/<id>")]
|
||||||
fn get(id: i32, conn: DbConn, token: ApiToken) -> Json<serde_json::Value> {
|
fn get(id: i32, conn: DbConn, _auth: Authorization<Read, Post>) -> Json<serde_json::Value> {
|
||||||
if token.can_read("posts") {
|
let post = <Post as Provider<Connection>>::get(&*conn, id).ok();
|
||||||
let post = <Post as Provider<Connection>>::get(&*conn, id).ok();
|
Json(json!(post))
|
||||||
Json(json!(post))
|
|
||||||
} else {
|
|
||||||
Json(json!({
|
|
||||||
"error": "Unauthorized"
|
|
||||||
}))
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#[get("/posts")]
|
#[get("/posts")]
|
||||||
fn list(conn: DbConn, uri: &Origin, token: ApiToken) -> Json<serde_json::Value> {
|
fn list(conn: DbConn, uri: &Origin, _auth: Authorization<Read, Post>) -> Json<serde_json::Value> {
|
||||||
if token.can_read("posts") {
|
let query: PostEndpoint = serde_qs::from_str(uri.query().unwrap_or("")).expect("api::list: invalid query error");
|
||||||
let query: PostEndpoint = serde_qs::from_str(uri.query().unwrap_or("")).expect("api::list: invalid query error");
|
let post = <Post as Provider<Connection>>::list(&*conn, query);
|
||||||
let post = <Post as Provider<Connection>>::list(&*conn, query);
|
Json(json!(post))
|
||||||
Json(json!(post))
|
}
|
||||||
} else {
|
|
||||||
Json(json!({
|
|
||||||
"error": "Unauthorized"
|
|
||||||
}))
|
|
||||||
}}
|
|
||||||
|
Loading…
Reference in New Issue
Block a user