some work

2023-05-31 13:24:15 -04:00 · 2023-05-31 13:24:15 -04:00 · 996db62ab2
parent 3b242290d6
commit 996db62ab2
11 changed files with 318 additions and 8 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -25,6 +25,21 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "actix-cors"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b340e9cfa5b08690aae90fb61beb44e9b06f44fe3d0f93781aaa58cfba86245e"
+dependencies = [
+ "actix-utils",
+ "actix-web",
+ "derive_more",
+ "futures-util",
+ "log",
+ "once_cell",
+ "smallvec",
+]
+
 [[package]]
 name = "actix-http"
 version = "3.3.1"
@ -3522,6 +3537,7 @@ dependencies = [
 name = "trifid-api"
 version = "0.1.0"
 dependencies = [
+ "actix-cors",
 "actix-request-identifier",
 "actix-web",
 "aes-gcm",
--- a/tfweb/src/components/LoadingWrapper.svelte
+++ b/tfweb/src/components/LoadingWrapper.svelte
@ -1,5 +1,5 @@
 <script lang="ts">
-    import {Logger, logSetup} from "$lib/logger";
+    import {logDeltaReset, Logger, logSetup} from "$lib/logger";

    export let isLoading;
    export let isError;
@ -11,6 +11,7 @@
    function loadingproclog() {
        if (!isLoading) {
            logger.info("page loaded - content paint");
+            logDeltaReset();
        }
    }

--- a/tfweb/src/lib/auth.ts
+++ b/tfweb/src/lib/auth.ts
@ -1,4 +1,5 @@
 import {Logger, logSetup} from "$lib/logger";
+import {PUBLIC_BASE_URL} from "$env/static/public";

 export enum AuthResult {
    Failed = 0,
@ -13,7 +14,7 @@ export interface SessionInfo {
    hasTOTP: boolean
 }

-export interface SessionAuthError {
+export interface APIError {
    code: string,
    message: string
 }
@ -21,7 +22,119 @@ export interface SessionAuthError {
 logSetup();
 const logger = new Logger("auth.ts");

-export async function isAuthedSession(): Promise<[AuthResult, SessionInfo | SessionAuthError]> {
+export async function isAuthedSession(): Promise<[AuthResult, SessionInfo | APIError]> {
    logger.info('Checking for session authentication');
-    return [AuthResult.Failed, {code: "asdji", message: "asdioj"}]
+
+    if (window.localStorage.getItem("session") === null) {
+        logger.error('unable to check session: session token not set');
+        return [AuthResult.Failed, {code: "missing_token", message: "not logged in"}];
+    }
+
+    try {
+        logger.debug(`api call: baseurl ${PUBLIC_BASE_URL}`);
+        const resp = await fetch(`${PUBLIC_BASE_URL}/v2/whoami`, {
+            'method': 'GET',
+            'headers': {
+                'Authorization': `Bearer ${window.localStorage.getItem("session")}`
+            }
+        });
+        if (!resp.ok) {
+            const rawerror = JSON.parse(await resp.text()).errors[0];
+            logger.error(`error fetching user information: ${rawerror.message}`);
+            return [AuthResult.Failed, {code: rawerror.code, message: rawerror.message}];
+        }
+        return [AuthResult.Successful, JSON.parse(await resp.text()).data.actor]
+    } catch (e) {
+        logger.error(`error making API request: ${e}`);
+        return [AuthResult.Failed, {code: "api_call_failed", message: `${e}`}]
+    }
+}
+
+export async function isAuthedMFA(): Promise<[AuthResult, SessionInfo | APIError]> {
+    logger.info('Checking for MFA authentication');
+
+    if (window.localStorage.getItem("mfa") === null) {
+        logger.error('unable to check mfa: mfa token not set');
+        return [AuthResult.Failed, {code: "missing_token", message: "not logged in"}];
+    }
+
+    const sess = await isAuthedSession();
+    if (sess[0] !== AuthResult.Successful) {
+        logger.error('unable to check mfa: session token invalid');
+        return [AuthResult.Failed, sess[1]];
+    }
+
+    try {
+        logger.debug(`api call: baseurl ${PUBLIC_BASE_URL}`);
+        const resp = await fetch(`${PUBLIC_BASE_URL}/v2/whoami`, {
+            'method': 'GET',
+            'headers': {
+                'Authorization': `Bearer ${window.localStorage.getItem("session")} ${window.localStorage.getItem("mfa")}`
+            }
+        });
+        if (!resp.ok) {
+            const rawerror = JSON.parse(await resp.text()).errors[0];
+            logger.error(`error fetching user information: ${rawerror.message}`);
+            return [AuthResult.Failed, {code: rawerror.code, message: rawerror.message}];
+        }
+        return [AuthResult.Successful, JSON.parse(await resp.text()).data.actor]
+    } catch (e) {
+        logger.error(`error making API request: ${e}`);
+        return [AuthResult.Failed, {code: "api_call_failed", message: `${e}`}]
+    }
+}
+
+export async function authSession(email: string): Promise<[AuthResult, null | APIError]> {
+    logger.info('Sending new session authentication');
+
+    try {
+        logger.debug(`api call: baseurl ${PUBLIC_BASE_URL}`);
+        const resp = await fetch(`${PUBLIC_BASE_URL}/v1/auth/magic-link`, {
+            'method': 'POST',
+            'body': JSON.stringify({
+                email: email
+            }),
+            'headers': {
+                'Content-Type': 'application/json'
+            }
+        });
+        if (!resp.ok) {
+            const rawerror = JSON.parse(await resp.text()).errors[0];
+            logger.error(`error sending authentication: ${rawerror.message}`);
+            return [AuthResult.Failed, {code: rawerror.code, message: rawerror.message}];
+        }
+        return [AuthResult.Successful, null]
+    } catch (e) {
+        logger.error(`error making API request: ${e}`);
+        return [AuthResult.Failed, {code: "api_call_failed", message: `${e}`}]
+    }
+}
+
+export async function verifyLink(ml: string): Promise<[AuthResult, null | APIError]> {
+    logger.info('checking magic link authentication');
+
+    try {
+        logger.debug(`api call: baseurl ${PUBLIC_BASE_URL}`);
+        const resp = await fetch(`${PUBLIC_BASE_URL}/v1/auth/verify-magic-link`, {
+            'method': 'POST',
+            'body': JSON.stringify({
+                magicLinkToken: ml
+            }),
+            'headers': {
+                'Content-Type': 'application/json'
+            }
+        });
+        if (!resp.ok) {
+            const rawerror = JSON.parse(await resp.text()).errors[0];
+            logger.error(`error sending authentication: ${rawerror.message}`);
+            return [AuthResult.Failed, {code: rawerror.code, message: rawerror.message}];
+        }
+
+        window.localStorage.setItem("session", JSON.parse(await resp.text()).data.sessionToken);
+
+        return [AuthResult.Successful, null]
+    } catch (e) {
+        logger.error(`error making API request: ${e}`);
+        return [AuthResult.Failed, {code: "api_call_failed", message: `${e}`}]
+    }
 }
--- a/tfweb/src/lib/i18n/locales/en.json
+++ b/tfweb/src/lib/i18n/locales/en.json
@ -5,11 +5,36 @@
    "linkbody": "Perhaps you meant to visit the {link0}?",
    "linkbody.link0": "admin panel"
  },
+  "login": {
+    "title": "Log in to your account",
+    "subtitle": "We'll send you an email with a \"magic link\"",
+    "label": "What is your email?",
+    "button": "Log in",
+    "email": "Check your email",
+    "emailbody": "We sent you an email with a link to complete logging in.",
+    "emailbody2": "Didn't work? Check your junk inbox or click {link0} to try again.",
+    "emailbody2.link0": "here",
+    "error": {
+      "invalidEmail": "That email address isn't valid. Try again.",
+      "generic": "There was an error logging you in. Try again or contact support with the error code {err}",
+      "usermissing": "That user does not exist."
+    }
+  },
+  "ml": {
+    "header": "Authenticated!",
+    "body": "Redirecting to admin page...",
+    "error": {
+      "notoken": "magic link token missing",
+      "badtoken": "token is invalid or has expired"
+    }
+  },
  "common": {
    "title": "{title} | Trifid Web UI",
    "page": {
      "itworks": "It Works!",
-      "admin": "Admin Panel"
+      "admin": "Admin Panel",
+      "login": "Login",
+      "ml": "Verify Magic Link"
    }
  }
 }
--- a/tfweb/src/lib/logger.ts
+++ b/tfweb/src/lib/logger.ts
@ -38,6 +38,12 @@ export function logSetup() {
    logger.info("Logger setup complete");
 }

+export function logDeltaReset() {
+    timestampStart = Date.now();
+    deltaTimestamp = Date.now();
+    logger.info("delta reset");
+}
+
 function log(level: number, module: string, message: string) {
    const log = {
        level: level,
--- a/tfweb/src/routes/+page.svelte
+++ b/tfweb/src/routes/+page.svelte
@ -20,6 +20,6 @@
 <LoadingWrapper isLoading={currentlyLoading} isError={isError} error={error}>
    <h1>{$t('itworks.header')}</h1>
    <p>{$t('itworks.body')}</p>
-    <!-- eslint-disable-next-line -->
+    <!-- eslint-disable-next-line svelte/no-at-html-tags -->
    <p>{@html $t('itworks.linkbody', {values:{link0:'<a href="/admin">'+$t('itworks.linkbody.link0')+'</a>'}})}</p>
 </LoadingWrapper>
--- a/tfweb/src/routes/admin/+page.svelte
+++ b/tfweb/src/routes/admin/+page.svelte
@ -4,7 +4,7 @@
    import {onMount} from "svelte";
    import {AuthResult, isAuthedSession} from "$lib/auth.ts";
    import {Logger, logSetup} from "$lib/logger";
-    import type {SessionAuthError} from "$lib/auth.ts";
+    import type {APIError} from "$lib/auth.ts";

    let loading = true;
    let isError = false;
@ -17,7 +17,7 @@
    onMount(async () => {
        let session_load_info = await isAuthedSession();
        if (session_load_info[0] == AuthResult.Failed) {
-            let err = session_load_info[1] as SessionAuthError;
+            let err = session_load_info[1] as APIError;
            logger.error(`session load failed: ${err.code} ${err.message}`);
            window.location.href = '/login';
            return;
--- a/tfweb/src/routes/login/+page.svelte
+++ b/tfweb/src/routes/login/+page.svelte
@ -0,0 +1,92 @@
+<script lang="ts">
+    import {isLoading, t} from "svelte-i18n";
+    import LoadingWrapper from "$components/LoadingWrapper.svelte";
+    import {onMount} from "svelte";
+    import {AuthResult, authSession, isAuthedSession} from "$lib/auth.ts";
+    import type {APIError} from "$lib/auth.ts";
+    import {Logger, logSetup} from "$lib/logger";
+
+    let loading = true;
+    let isError = false;
+    let error = '';
+    $: currentlyLoading = $isLoading || loading;
+
+    logSetup();
+    let logger = new Logger("login/+page.svelte");
+
+    onMount(async () => {
+        let session_load_info = await isAuthedSession();
+        if (session_load_info[0] != AuthResult.Failed) {
+            logger.error(`session load success, the user is already logged in`);
+            window.location.href = '/2fa';
+            return;
+        }
+
+        loading = false;
+    })
+
+    let email = '';
+    let email_regexp = new RegExp(/^(([^<>()[\]\\.,;:\s@"]+(\.[^<>()[\]\\.,;:\s@"]+)*)|(".+"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/);
+
+    let hasErrForm = false;
+    let errForm = '';
+
+    let isDone = false;
+
+    async function onSubmit() {
+        loading = true;
+
+        if (!email_regexp.test(email)) {
+            errForm = $t('login.error.invalidEmail');
+            hasErrForm = true;
+            loading = false;
+            return;
+        }
+
+        let auth_result = await authSession(email);
+
+        if (auth_result[0] === AuthResult.Failed) {
+
+            hasErrForm = true;
+
+            // parse the error and filter out common ones for more specific error messages
+            let err = auth_result[1] as APIError;
+
+            if (err.code == "ERR_USER_DOES_NOT_EXIST") {
+                errForm = $t('login.error.usermissing');
+            } else {
+                errForm = $t('login.error.generic', {values: {err: (auth_result[1] as APIError).code}});
+            }
+
+            loading = false;
+            return;
+        }
+
+        isDone = true;
+        loading = false;
+    }
+</script>
+
+<svelte:head>
+    <title>{$t("common.title", {values: {title: $t("common.page.login")}})}</title>
+</svelte:head>
+
+<LoadingWrapper isLoading={currentlyLoading} isError={isError} error={error}>
+    {#if isDone}
+        <h1>{$t('login.email')}</h1>
+        <p>{$t('login.emailbody')}</p>
+        <!-- eslint-disable-next-line svelte/no-at-html-tags -->
+        <p>{@html $t('login.emailbody2', {values:{link0:'<a href="/login">'+$t('login.emailbody2.link0')+'</a>'}})}</p>
+    {:else}
+        <h1>{$t('login.title')}</h1>
+        <h3>{$t('login.subtitle')}</h3>
+        <form on:submit|preventDefault={onSubmit}>
+            <label for="email">{$t('login.label')}</label>
+            <input type="email" bind:value={email} placeholder="john.doe@google.com" id="email"/>
+            <button>{$t('login.button')}</button>
+            {#if hasErrForm}
+                <p>{errForm}</p>
+            {/if}
+        </form>
+    {/if}
+</LoadingWrapper>
--- a/tfweb/src/routes/magic-link/+page.svelte
+++ b/tfweb/src/routes/magic-link/+page.svelte
@ -0,0 +1,54 @@
+<script lang="ts">
+    import {isLoading, t} from "svelte-i18n";
+    import LoadingWrapper from "$components/LoadingWrapper.svelte";
+    import {onMount} from "svelte";
+    import {AuthResult, verifyLink} from "$lib/auth.ts";
+    import type {APIError} from "$lib/auth.ts";
+    import {Logger, logSetup} from "$lib/logger";
+
+    let loading = true;
+    let isError = false;
+    let error = '';
+    $: currentlyLoading = $isLoading || loading;
+
+    logSetup();
+    let logger = new Logger("magic-link/+page.svelte");
+
+    onMount(async () => {
+        let url = new URLSearchParams(window.location.search);
+        if (!url.has("magicLinkToken")) {
+            logger.error('url does not contain magicLinkToken');
+            isError = true;
+            error = $t("ml.error.notoken");
+        }
+
+        let call_result = await verifyLink(url.get("magicLinkToken"));
+
+        if (call_result[0] !== AuthResult.Successful) {
+            let err = (call_result[1] as APIError).code;
+
+            if (err === "ERR_UNAUTHORIZED" || err === "ERR_EXPIRED") {
+                error = $t('ml.error.badtoken');
+            } else {
+                error = err;
+            }
+
+            isError = true;
+            loading = false;
+            setTimeout(() => window.location.href = "/login", 1000);
+        } else {
+            loading = false;
+            window.location.href = "/admin";
+        }
+
+    })
+</script>
+
+<svelte:head>
+    <title>{$t("common.title", {values: {title: $t("common.page.login")}})}</title>
+</svelte:head>
+
+<LoadingWrapper isLoading={currentlyLoading} isError={isError} error={error}>
+    <h1>{$t('ml.header')}</h1>
+    <p>{$t('ml.body')}</p>
+</LoadingWrapper>
--- a/trifid-api/Cargo.toml
+++ b/trifid-api/Cargo.toml
@ -8,6 +8,7 @@ edition = "2021"
 [dependencies]
 actix-web = "4"                 # Web framework
 actix-request-identifier = "4"  # Web framework
+actix-cors = "0.6.4"            # Web framework

 serde = { version = "1", features = ["derive"] }    # Serialization and deserialization
 serde_json = "1.0.95"                               # Serialization and deserialization (cursors)
--- a/trifid-api/src/main.rs
+++ b/trifid-api/src/main.rs
@ -23,6 +23,7 @@ use log::{info, Level};
 use sea_orm::{ConnectOptions, Database, DatabaseConnection};
 use std::error::Error;
 use std::time::Duration;
+use actix_cors::Cors;

 use crate::config::CONFIG;
 use crate::error::{APIError, APIErrorsResponse};
@ -75,6 +76,7 @@ async fn main() -> Result<(), Box<dyn Error>> {

    HttpServer::new(move || {
        App::new()
+            .wrap(Cors::permissive())
            .app_data(data.clone())
            .app_data(
                JsonConfig::default()