mirror of
https://github.com/girlbossceo/conduwuit.git
synced 2025-03-14 12:45:37 +00:00
304 lines
8.6 KiB
Rust
304 lines
8.6 KiB
Rust
use axum::extract::State;
|
|
use axum_client_ip::InsecureClientIp;
|
|
use conduwuit::{debug, err, info, utils::ReadyExt, warn, Err};
|
|
use futures::StreamExt;
|
|
use ruma::{
|
|
api::client::{
|
|
error::ErrorKind,
|
|
session::{
|
|
get_login_types::{
|
|
self,
|
|
v3::{ApplicationServiceLoginType, PasswordLoginType},
|
|
},
|
|
login::{
|
|
self,
|
|
v3::{DiscoveryInfo, HomeserverInfo},
|
|
},
|
|
logout, logout_all,
|
|
},
|
|
uiaa::UserIdentifier,
|
|
},
|
|
UserId,
|
|
};
|
|
use serde::Deserialize;
|
|
|
|
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
|
|
use crate::{utils, utils::hash, Error, Result, Ruma};
|
|
|
|
#[derive(Debug, Deserialize)]
|
|
struct Claims {
|
|
sub: String,
|
|
//exp: usize,
|
|
}
|
|
|
|
/// # `GET /_matrix/client/v3/login`
|
|
///
|
|
/// Get the supported login types of this server. One of these should be used as
|
|
/// the `type` field when logging in.
|
|
#[tracing::instrument(skip_all, fields(%client), name = "login")]
|
|
pub(crate) async fn get_login_types_route(
|
|
InsecureClientIp(client): InsecureClientIp,
|
|
_body: Ruma<get_login_types::v3::Request>,
|
|
) -> Result<get_login_types::v3::Response> {
|
|
Ok(get_login_types::v3::Response::new(vec![
|
|
get_login_types::v3::LoginType::Password(PasswordLoginType::default()),
|
|
get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()),
|
|
]))
|
|
}
|
|
|
|
/// # `POST /_matrix/client/v3/login`
|
|
///
|
|
/// Authenticates the user and returns an access token it can use in subsequent
|
|
/// requests.
|
|
///
|
|
/// - The user needs to authenticate using their password (or if enabled using a
|
|
/// json web token)
|
|
/// - If `device_id` is known: invalidates old access token of that device
|
|
/// - If `device_id` is unknown: creates a new device
|
|
/// - Returns access token that is associated with the user and device
|
|
///
|
|
/// Note: You can use [`GET
|
|
/// /_matrix/client/r0/login`](fn.get_supported_versions_route.html) to see
|
|
/// supported login types.
|
|
#[tracing::instrument(skip_all, fields(%client), name = "login")]
|
|
pub(crate) async fn login_route(
|
|
State(services): State<crate::State>,
|
|
InsecureClientIp(client): InsecureClientIp,
|
|
body: Ruma<login::v3::Request>,
|
|
) -> Result<login::v3::Response> {
|
|
// Validate login method
|
|
// TODO: Other login methods
|
|
let user_id = match &body.login_info {
|
|
#[allow(deprecated)]
|
|
| login::v3::LoginInfo::Password(login::v3::Password {
|
|
identifier,
|
|
password,
|
|
user,
|
|
..
|
|
}) => {
|
|
debug!("Got password login type");
|
|
let user_id = if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
|
|
UserId::parse_with_server_name(
|
|
user_id.to_lowercase(),
|
|
services.globals.server_name(),
|
|
)
|
|
} else if let Some(user) = user {
|
|
UserId::parse(user)
|
|
} else {
|
|
warn!("Bad login type: {:?}", &body.login_info);
|
|
return Err!(Request(Forbidden("Bad login type.")));
|
|
}
|
|
.map_err(|_| Error::BadRequest(ErrorKind::InvalidUsername, "Username is invalid."))?;
|
|
|
|
let hash = services
|
|
.users
|
|
.password_hash(&user_id)
|
|
.await
|
|
.map_err(|_| err!(Request(Forbidden("Wrong username or password."))))?;
|
|
|
|
if hash.is_empty() {
|
|
return Err!(Request(UserDeactivated("The user has been deactivated")));
|
|
}
|
|
|
|
if hash::verify_password(password, &hash).is_err() {
|
|
return Err!(Request(Forbidden("Wrong username or password.")));
|
|
}
|
|
|
|
user_id
|
|
},
|
|
| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
|
|
debug!("Got token login type");
|
|
if let Some(jwt_decoding_key) = services.globals.jwt_decoding_key() {
|
|
let token = jsonwebtoken::decode::<Claims>(
|
|
token,
|
|
jwt_decoding_key,
|
|
&jsonwebtoken::Validation::default(),
|
|
)
|
|
.map_err(|e| {
|
|
warn!("Failed to parse JWT token from user logging in: {e}");
|
|
Error::BadRequest(ErrorKind::InvalidUsername, "Token is invalid.")
|
|
})?;
|
|
|
|
let username = token.claims.sub.to_lowercase();
|
|
|
|
UserId::parse_with_server_name(username, services.globals.server_name()).map_err(
|
|
|e| {
|
|
err!(Request(InvalidUsername(debug_error!(
|
|
?e,
|
|
"Failed to parse login username"
|
|
))))
|
|
},
|
|
)?
|
|
} else {
|
|
return Err!(Request(Unknown(
|
|
"Token login is not supported (server has no jwt decoding key)."
|
|
)));
|
|
}
|
|
},
|
|
#[allow(deprecated)]
|
|
| login::v3::LoginInfo::ApplicationService(login::v3::ApplicationService {
|
|
identifier,
|
|
user,
|
|
}) => {
|
|
debug!("Got appservice login type");
|
|
let user_id = if let Some(UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
|
|
UserId::parse_with_server_name(
|
|
user_id.to_lowercase(),
|
|
services.globals.server_name(),
|
|
)
|
|
} else if let Some(user) = user {
|
|
UserId::parse(user)
|
|
} else {
|
|
warn!("Bad login type: {:?}", &body.login_info);
|
|
return Err(Error::BadRequest(ErrorKind::forbidden(), "Bad login type."));
|
|
}
|
|
.map_err(|e| {
|
|
warn!("Failed to parse username from appservice logging in: {e}");
|
|
Error::BadRequest(ErrorKind::InvalidUsername, "Username is invalid.")
|
|
})?;
|
|
|
|
if let Some(ref info) = body.appservice_info {
|
|
if !info.is_user_match(&user_id) {
|
|
return Err(Error::BadRequest(
|
|
ErrorKind::Exclusive,
|
|
"User is not in namespace.",
|
|
));
|
|
}
|
|
} else {
|
|
return Err(Error::BadRequest(
|
|
ErrorKind::MissingToken,
|
|
"Missing appservice token.",
|
|
));
|
|
}
|
|
|
|
user_id
|
|
},
|
|
| _ => {
|
|
warn!("Unsupported or unknown login type: {:?}", &body.login_info);
|
|
debug!("JSON body: {:?}", &body.json_body);
|
|
return Err(Error::BadRequest(
|
|
ErrorKind::Unknown,
|
|
"Unsupported or unknown login type.",
|
|
));
|
|
},
|
|
};
|
|
|
|
// Generate new device id if the user didn't specify one
|
|
let device_id = body
|
|
.device_id
|
|
.clone()
|
|
.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
|
|
|
|
// Generate a new token for the device
|
|
let token = utils::random_string(TOKEN_LENGTH);
|
|
|
|
// Determine if device_id was provided and exists in the db for this user
|
|
let device_exists = if body.device_id.is_some() {
|
|
services
|
|
.users
|
|
.all_device_ids(&user_id)
|
|
.ready_any(|v| v == device_id)
|
|
.await
|
|
} else {
|
|
false
|
|
};
|
|
|
|
if device_exists {
|
|
services
|
|
.users
|
|
.set_token(&user_id, &device_id, &token)
|
|
.await?;
|
|
} else {
|
|
services
|
|
.users
|
|
.create_device(
|
|
&user_id,
|
|
&device_id,
|
|
&token,
|
|
body.initial_device_display_name.clone(),
|
|
Some(client.to_string()),
|
|
)
|
|
.await?;
|
|
}
|
|
|
|
// send client well-known if specified so the client knows to reconfigure itself
|
|
let client_discovery_info: Option<DiscoveryInfo> = services
|
|
.server
|
|
.config
|
|
.well_known
|
|
.client
|
|
.as_ref()
|
|
.map(|server| DiscoveryInfo::new(HomeserverInfo::new(server.to_string())));
|
|
|
|
info!("{user_id} logged in");
|
|
|
|
// home_server is deprecated but apparently must still be sent despite it being
|
|
// deprecated over 6 years ago. initially i thought this macro was unnecessary,
|
|
// but ruma uses this same macro for the same reason so...
|
|
#[allow(deprecated)]
|
|
Ok(login::v3::Response {
|
|
user_id,
|
|
access_token: token,
|
|
device_id,
|
|
well_known: client_discovery_info,
|
|
expires_in: None,
|
|
home_server: Some(services.globals.server_name().to_owned()),
|
|
refresh_token: None,
|
|
})
|
|
}
|
|
|
|
/// # `POST /_matrix/client/v3/logout`
|
|
///
|
|
/// Log out the current device.
|
|
///
|
|
/// - Invalidates access token
|
|
/// - Deletes device metadata (device id, device display name, last seen ip,
|
|
/// last seen ts)
|
|
/// - Forgets to-device events
|
|
/// - Triggers device list updates
|
|
#[tracing::instrument(skip_all, fields(%client), name = "logout")]
|
|
pub(crate) async fn logout_route(
|
|
State(services): State<crate::State>,
|
|
InsecureClientIp(client): InsecureClientIp,
|
|
body: Ruma<logout::v3::Request>,
|
|
) -> Result<logout::v3::Response> {
|
|
let sender_user = body.sender_user.as_ref().expect("user is authenticated");
|
|
let sender_device = body.sender_device.as_ref().expect("user is authenticated");
|
|
|
|
services
|
|
.users
|
|
.remove_device(sender_user, sender_device)
|
|
.await;
|
|
|
|
Ok(logout::v3::Response::new())
|
|
}
|
|
|
|
/// # `POST /_matrix/client/r0/logout/all`
|
|
///
|
|
/// Log out all devices of this user.
|
|
///
|
|
/// - Invalidates all access tokens
|
|
/// - Deletes all device metadata (device id, device display name, last seen ip,
|
|
/// last seen ts)
|
|
/// - Forgets all to-device events
|
|
/// - Triggers device list updates
|
|
///
|
|
/// Note: This is equivalent to calling [`GET
|
|
/// /_matrix/client/r0/logout`](fn.logout_route.html) from each device of this
|
|
/// user.
|
|
#[tracing::instrument(skip_all, fields(%client), name = "logout")]
|
|
pub(crate) async fn logout_all_route(
|
|
State(services): State<crate::State>,
|
|
InsecureClientIp(client): InsecureClientIp,
|
|
body: Ruma<logout_all::v3::Request>,
|
|
) -> Result<logout_all::v3::Response> {
|
|
let sender_user = body.sender_user.as_ref().expect("user is authenticated");
|
|
|
|
services
|
|
.users
|
|
.all_device_ids(sender_user)
|
|
.for_each(|device_id| services.users.remove_device(sender_user, device_id))
|
|
.await;
|
|
|
|
Ok(logout_all::v3::Response::new())
|
|
}
|