Added a user system with no proper user validation but working authorisation. #1
@ -76,18 +76,12 @@ impl<'r> FromRequest<'r> for schema::User {
|
|||||||
let header = match req.headers().get_one(AUTH_HEADER) {
|
let header = match req.headers().get_one(AUTH_HEADER) {
|
||||||
Some(header) => header,
|
Some(header) => header,
|
||||||
None => {
|
None => {
|
||||||
return Outcome::Failure((
|
return Outcome::Forward(())
|
||||||
Status::BadRequest,
|
|
||||||
ApiError::RequestError("No authorization header found".to_string()),
|
|
||||||
))
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
if !header.starts_with(BEARER) {
|
if !header.starts_with(BEARER) {
|
||||||
return Outcome::Failure((
|
return Outcome::Forward(());
|
||||||
Status::BadRequest,
|
|
||||||
ApiError::RequestError("Invalid Authorization header.".to_string()),
|
|
||||||
));
|
|
||||||
};
|
};
|
||||||
|
|
||||||
let app_config = req.guard::<&State<AppConfig>>().await.unwrap().inner();
|
let app_config = req.guard::<&State<AppConfig>>().await.unwrap().inner();
|
||||||
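Review bot: Changing both rejection arms of the header check from `Outcome::Failure((Status::BadRequest, …))` to `Outcome::Forward(())` means the guard no longer answers the request itself: a missing or non-`BEARER` Authorization header now falls through to the next route by rank, and a handler that takes `schema::User` with no lower-ranked sibling ends in a 404 rather than a 401. The only fallback added in this PR is for `GET /gamenights`, so every other handler guarded by `schema::User` needs either its own `rank = 2` route or a catcher that turns the resulting 404 into 401 — I cannot see those handlers from here. The same forward-instead-of-fail change is made in the token-decoding hunk below. A doc comment on the `impl FromRequest for schema::User` would make the contract explicit, e.g. `/// Forwards (never fails) when the bearer token is absent, malformed or does not verify; routes that take this guard must provide a lower-ranked fallback.` The guard body continues past the end of this hunk.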
@ -98,11 +92,8 @@ impl<'r> FromRequest<'r> for schema::User {
|
|||||||
&Validation::default(),
|
&Validation::default(),
|
||||||
) {
|
) {
|
||||||
Ok(token) => token,
|
Ok(token) => token,
|
||||||
Err(error) => {
|
Err(_) => {
|
||||||
return Outcome::Failure((
|
return Outcome::Forward(())
|
||||||
Status::BadRequest,
|
|
||||||
ApiError::RequestError(error.to_string()),
|
|
||||||
))
|
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
let id = token.claims.uid;
|
let id = token.claims.uid;
|
||||||
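Review bot: `Err(_) => { return Outcome::Forward(()) }` discards the decoding error, so an expired, tampered or mis-signed token is now indistinguishable from no token at all and leaves no trace; the previous arm at least surfaced `error.to_string()`. Keep the binding and record it before forwarding, e.g. `Err(error) => { log::warn!("bearer token rejected: {error}"); return Outcome::Forward(()) }`, so failed verifications remain visible to whoever is watching the logs. The detail should stay server-side — forwarding to the generic 401 route is the right client-facing behaviour. The enclosing `from_request` body starts and ends outside this hunk.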
@ -113,13 +104,14 @@ impl<'r> FromRequest<'r> for schema::User {
|
|||||||
}
|
}
|
||||||
|
|
||||||
#[get("/gamenights")]
|
#[get("/gamenights")]
|
||||||
pub async fn gamenights(conn: DbConn, user: Option<schema::User>) -> ApiResponseVariant {
|
pub async fn gamenights(conn: DbConn, _user: schema::User) -> ApiResponseVariant {
|
||||||
if user.is_some() {
|
|
||||||
let gamenights = schema::get_all_gamenights(conn).await;
|
let gamenights = schema::get_all_gamenights(conn).await;
|
||||||
ApiResponseVariant::Value(json!(gamenights))
|
ApiResponseVariant::Value(json!(gamenights))
|
||||||
} else {
|
|
||||||
ApiResponseVariant::Status(Status::Unauthorized)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#[get("/gamenights", rank = 2)]
|
||||||
|
pub async fn gamenights_unauthorized() -> ApiResponseVariant {
|
||||||
|
ApiResponseVariant::Status(Status::Unauthorized)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
#[post("/gamenight", format = "application/json", data = "<gamenight_json>")]
|
#[post("/gamenight", format = "application/json", data = "<gamenight_json>")]
|
||||||
|
@ -58,6 +58,7 @@ fn rocket() -> _ {
|
|||||||
"/api",
|
"/api",
|
||||||
routes![
|
routes![
|
||||||
api::gamenights,
|
api::gamenights,
|
||||||
|
api::gamenights_unauthorized,
|
||||||
api::gamenight_post_json,
|
api::gamenight_post_json,
|
||||||
api::register_post_json,
|
api::register_post_json,
|
||||||
api::login_post_json
|
api::login_post_json
|
||||||
|
@ -57,8 +57,8 @@ table! {
|
|||||||
}
|
}
|
||||||
|
|
||||||
table! {
|
table! {
|
||||||
pwd(id) {
|
pwd(user_id) {
|
||||||
id -> Integer,
|
user_id -> Integer,
|
||||||
password -> Text,
|
password -> Text,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -129,7 +129,7 @@ pub async fn insert_user(conn: DbConn, new_user: Register) -> Result<(), Databas
|
|||||||
};
|
};
|
||||||
|
|
||||||
diesel::insert_into(pwd::table)
|
diesel::insert_into(pwd::table)
|
||||||
.values((pwd::id.eq(ids[0]), pwd::password.eq(&password_hash)))
|
.values((pwd::user_id.eq(ids[0]), pwd::password.eq(&password_hash)))
|
||||||
.execute(c)
|
.execute(c)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
@ -154,7 +154,7 @@ pub async fn login(conn: DbConn, login: Login) -> Result<LoginResult, DatabaseEr
|
|||||||
};
|
};
|
||||||
|
|
||||||
let pwd: String = match pwd::table
|
let pwd: String = match pwd::table
|
||||||
.filter(pwd::id.eq(id))
|
.filter(pwd::user_id.eq(id))
|
||||||
.select(pwd::password)
|
.select(pwd::password)
|
||||||
.get_results::<String>(c)
|
.get_results::<String>(c)
|
||||||
{
|
{
|
||||||
|
I think you can use a Request Guard (see https://api.rocket.rs/v0.5-rc/rocket/request/trait.FromRequest.html) to authenticate the user and role. For example, endpoints that require admin privileges could accept a non-optional `Admin` struct containing a user id, and the request guard that generates it would only return `Success` if the user is logged in and has the admin role. See also the examples under the header "Request-Local State" in the above link.
Reading more carefully, I see you're already doing this; it's just that you're accepting an `Option<User>` and then checking it's not `None`, while you could accept a `User` and be sure.