oswilno/crates/oswilno-session/src/lib.rs

use std::ops::Add;
use std::sync::Arc;

use actix_jwt_session::SessionStorage;
pub use actix_jwt_session::{Error, RedisMiddlewareFactory};
use actix_web::web::{Data, Form, ServiceConfig};
use actix_web::{get, post, HttpRequest, HttpResponse};
use askama_actix::Template;
use autometrics::autometrics;
use garde::Validate;
use jsonwebtoken::*;
use oswilno_view::{Errors, Lang, Layout, Main, MainOpts, TranslationStorage};
use ring::rand::SystemRandom;
use ring::signature::{Ed25519KeyPair, KeyPair};
use sea_orm::DatabaseConnection;
use serde::{Deserialize, Serialize};
use time::OffsetDateTime;

mod hashing;

pub use oswilno_view::filters;

pub type Authenticated = actix_jwt_session::Authenticated<Claims>;
pub type MaybeAuthenticated = actix_jwt_session::MaybeAuthenticated<Claims>;

#[derive(Clone, Copy)]
pub struct JWTTtl(std::time::Duration);

#[derive(Debug, Serialize, Deserialize, Clone, Eq, PartialEq, Hash)]
#[serde(rename_all = "snake_case")]
pub enum Audience {
    Web,
}

#[derive(Debug, Serialize, Deserialize, Clone, Eq, PartialEq, Hash)]
#[serde(rename_all = "snake_case")]
pub struct Claims {
    #[serde(rename = "exp")]
    pub expires_at: usize,
    #[serde(rename = "iat")]
    pub issues_at: usize,
    /// Account login
    #[serde(rename = "sub")]
    pub subject: String,
    #[serde(rename = "aud")]
    pub audience: Audience,
    #[serde(rename = "jti")]
    pub jwt_id: uuid::Uuid,
    #[serde(rename = "aci")]
    pub account_id: i32,
}

impl actix_jwt_session::Claims for Claims {
    fn jti(&self) -> uuid::Uuid {
        self.jwt_id
    }
}

impl Claims {
    pub fn account_id(&self) -> i32 {
        self.account_id
    }
}

#[derive(Serialize, Deserialize)]
pub struct EmptyResponse {}

#[derive(Debug, Serialize, Deserialize)]
pub struct LoginResponse {
    bearer_token: String,
    claims: Claims,
}

#[derive(Clone)]
pub struct SessionConfigurator {
    jwt_ttl: Data<JWTTtl>,
    factory: RedisMiddlewareFactory<Claims>,
}

impl SessionConfigurator {
    pub fn app_data(self, config: &mut ServiceConfig) {
        config
            .app_data(self.jwt_ttl)
            .service(login)
            .service(login_view)
            .service(logout)
            .service(session_info)
            .service(register)
            .service(register_view);
    }

    pub fn factory(&self) -> RedisMiddlewareFactory<Claims> {
        self.factory.clone()
    }

    pub fn translations(&self, l10n: &mut oswilno_view::TranslationStorage) {
        l10n
            // English
            .with_lang(oswilno_view::Lang::En)
            .add("Sign in", "Sign in")
            .add("Sign up", "Sign up")
            .add("Bad credentials", "Bad credentials")
            .done()
            // Polish
            .with_lang(oswilno_view::Lang::Pl)
            .add("Sign in", "Logowanie")
            .add("Sign up", "Rejestracja")
            .add("Bad credentials", "Złe dane uwierzytelniające")
            .add("is taken", "jest zajęty")
            .add("is not strong enough", "jest za słabe")
            .add(
                "length is lower than 8",
                "długość jest mniejsza niż 8 znaków",
            )
            .add(
                "Login or email already taken",
                "Login lub adres e-mail jest zajęty",
            )
            .add("Password", "Hasło")
            .add("Submit", "Wyślij")
            .done();
    }

    pub fn new(redis: redis_async_pool::RedisPool) -> Self {
        let jwt_ttl = JWTTtl(std::time::Duration::from_secs(31 * 60 * 60));
        let jwt_signing_keys = JwtSigningKeys::generate().unwrap();
        let auth_middleware_factory = RedisMiddlewareFactory::<Claims>::new(
            Arc::new(jwt_signing_keys.encoding_key),
            Arc::new(jwt_signing_keys.decoding_key),
            Algorithm::EdDSA,
            redis,
        );

        Self {
            jwt_ttl: Data::new(jwt_ttl.clone()),
            factory: auth_middleware_factory,
        }
    }
}

#[derive(Template)]
#[template(path = "./sign-in/partial.html")]
struct SignInPartialTemplate {
    form: SignInPayload,
    lang: Lang,
    t: Arc<TranslationStorage>,
    errors: Errors,
}

#[derive(Debug, Serialize, Deserialize, Clone, Eq, PartialEq, Default)]
pub struct SignInPayload {
    login: String,
    password: String,
}

#[get("/login")]
async fn login_view(req: HttpRequest, t: Data<TranslationStorage>) -> HttpResponse {
    HttpResponse::Ok().body(
        if oswilno_view::is_partial(&req) {
            Main {
                body: SignInPartialTemplate {
                    form: SignInPayload::default(),
                    lang: Lang::Pl,
                    t: t.into_inner(),
                    errors: Errors::default(),
                },
                opts: MainOpts {
                    show: true,
                    search: None,
                    session: None,
                },
            }
            .render()
        } else {
            Layout {
                main: Main {
                    body: SignInPartialTemplate {
                        form: SignInPayload::default(),
                        lang: Lang::Pl,
                        t: t.into_inner(),
                        errors: Errors::default(),
                    },
                    opts: MainOpts {
                        show: true,
                        ..Default::default()
                    },
                },
            }
            .render()
        }
        .unwrap_or_default(),
    )
}

#[autometrics]
#[post("/login")]
async fn login(
    jwt_ttl: Data<JWTTtl>,
    db: Data<DatabaseConnection>,
    redis: Data<SessionStorage<Claims>>,
    payload: Form<SignInPayload>,
    t: Data<oswilno_view::TranslationStorage>,
    lang: Lang,
) -> Result<HttpResponse, Error> {
    let t = t.into_inner();
    let mut errors = Errors::default();
    match login_inner(
        jwt_ttl.into_inner(),
        payload.into_inner(),
        db.into_inner(),
        redis.into_inner(),
        &mut errors,
    )
    .await
    {
        Ok(res) => Ok(res),
        Err(form) => Ok(HttpResponse::Ok().body(
            (SignInPartialTemplate {
                form,
                lang,
                t,
                errors,
            })
            .render()
            .unwrap(),
        )),
    }
}

async fn login_inner(
    jwt_ttl: Arc<JWTTtl>,
    payload: SignInPayload,
    db: Arc<DatabaseConnection>,
    redis: Arc<SessionStorage<Claims>>,
    errors: &mut Errors,
) -> Result<HttpResponse, SignInPayload> {
    let iat = OffsetDateTime::now_utc().unix_timestamp() as usize;
    let expires_at = OffsetDateTime::now_utc().add(jwt_ttl.0);
    let exp = expires_at.unix_timestamp() as usize;

    use sea_orm::*;
    let account = match oswilno_contract::accounts::Entity::find()
        .filter(oswilno_contract::accounts::Column::Login.eq(payload.login.as_str()))
        .filter(oswilno_contract::accounts::Column::Banned.eq(false))
        // TODO: Add email confirmation
        //.filter(oswilno_contract::accounts::Column::Confirmed.eq(true))
        .one(&*db)
        .await
    {
        Ok(Some(a)) => a,
        Ok(None) => {
            errors.push_global("Bad credentials");
            return Err(payload);
        }
        Err(e) => {
            tracing::warn!("Failed to find account: {e}");
            errors.push_global("Bad credentials");
            return Err(payload);
        }
    };
    if let Err(e) = hashing::verify(account.pass_hash.as_str(), payload.password.as_str()) {
        tracing::warn!("Hashing verification failed: {e}");
        errors.push_global("Bad credentials");
        return Err(payload);
    }

    let jwt_claims = Claims {
        issues_at: iat,
        subject: account.login.clone(),
        expires_at: exp,
        audience: Audience::Web,
        jwt_id: uuid::Uuid::new_v4(),
        account_id: account.id,
    };
    let jwt_token = match redis.store(jwt_claims.clone(), jwt_ttl.0).await {
        Err(e) => {
            tracing::warn!("Failed to set sign-in claims in redis: {e}");
            errors.push_global("Failed to sign in. Please try later");
            return Err(payload);
        }
        Ok(jwt_token) => jwt_token,
    };
    let bearer_token = match jwt_token.encode() {
        Ok(token) => token,
        Err(e) => {
            tracing::warn!("Failed to encode claims: {e}");
            errors.push_global("Failed to sign in. Please try later");
            return Err(payload);
        }
    };
    Ok(HttpResponse::Ok()
        .append_header((
            actix_jwt_session::HEADER_NAME,
            format!("Bearer {bearer_token}").as_str(),
        ))
        .body(""))
}

#[autometrics]
#[get("/session")]
async fn session_info(authenticated: Authenticated) -> Result<HttpResponse, Error> {
    Ok(HttpResponse::Ok().json(&*authenticated))
}

#[autometrics]
#[get("/logout")]
async fn logout(
    authenticated: Authenticated,
    redis: Data<SessionStorage<Claims>>,
) -> Result<HttpResponse, Error> {
    let jwt_id = authenticated.jwt_id;
    if let Err(_e) = redis.erase(jwt_id).await {};
    Ok(HttpResponse::SeeOther()
        .append_header(("Location", "/"))
        .body(""))
}

#[derive(Debug, Default, Serialize, Deserialize, Clone, Eq, PartialEq, garde::Validate)]
#[garde(context(RegisterContext))]
struct AccountInfo {
    #[garde(length(min = 4, max = 30), custom(is_login_free))]
    #[serde(rename = "login")]
    input_login: String,
    #[garde(email, custom(is_email_free))]
    email: String,
    #[garde(length(min = 8, max = 50), custom(is_strong_password))]
    password: String,
    #[garde(
        length(min = 8, max = 50),
        custom(is_strong_password),
        custom(check_pass_differ)
    )]
    password_confirmation: String,
}

#[get("/register")]
async fn register_view(req: HttpRequest, t: Data<TranslationStorage>) -> HttpResponse {
    HttpResponse::Ok().body(
        if oswilno_view::is_partial(&req) {
            Main {
                body: RegisterPartialTemplate {
                    form: AccountInfo::default(),
                    t: t.into_inner(),
                    lang: Lang::Pl,
                    errors: oswilno_view::Errors::default(),
                },
                opts: MainOpts {
                    show: true,
                    search: None,
                    session: None,
                },
            }
            .render()
        } else {
            Layout {
                main: Main {
                    body: RegisterPartialTemplate {
                        form: AccountInfo::default(),
                        t: t.into_inner(),
                        lang: Lang::Pl,
                        errors: oswilno_view::Errors::default(),
                    },
                    opts: MainOpts::default(),
                },
            }
            .render()
        }
        .unwrap_or_default(),
    )
}

#[derive(askama_actix::Template)]
#[template(path = "./register/partial.html")]
struct RegisterPartialTemplate {
    form: AccountInfo,
    t: Arc<TranslationStorage>,
    lang: Lang,
    errors: oswilno_view::Errors,
}

#[autometrics]
#[post("/register")]
async fn register(
    req: HttpRequest,
    db: Data<DatabaseConnection>,
    payload: Form<AccountInfo>,
    t: Data<oswilno_view::TranslationStorage>,
    lang: Lang,
) -> Result<HttpResponse, Error> {
    let t = t.into_inner();
    let mut errors = oswilno_view::Errors::default();
    Ok(
        match register_internal(req, db.into_inner(), payload.into_inner(), &mut errors).await {
            Ok(res) => res,
            Err(p) => HttpResponse::BadRequest().body(
                RegisterPartialTemplate {
                    form: p,
                    t,
                    lang,
                    errors,
                }
                .render()
                .unwrap(),
            ),
        },
    )
}

struct RegisterContext {
    login_taken: bool,
    email_taken: bool,
    pass_differ: bool,
}

fn is_email_free(_value: &str, context: &RegisterContext) -> garde::Result {
    if context.email_taken {
        return Err(garde::Error::new("is taken"));
    }
    Ok(())
}
fn is_login_free(_value: &str, context: &RegisterContext) -> garde::Result {
    if context.login_taken {
        return Err(garde::Error::new("is taken"));
    }
    Ok(())
}

static WEAK_PASS: &str = "is not strong enough";
fn check_pass_differ(_v: &str, ctx: &RegisterContext) -> garde::Result {
    if ctx.pass_differ {
        Err(garde::Error::new(DIFFER_PASS))
    } else {
        Ok(())
    }
}

static DIFFER_PASS: &str = "passwords differ";
fn is_strong_password(value: &str, _context: &RegisterContext) -> garde::Result {
    if !(8..50).contains(&value.len()) {
        return Err(garde::Error::new(WEAK_PASS));
    }
    let mut num = false;
    let mut low = false;
    let mut up = false;
    let mut spec = false;
    for c in value.chars() {
        if num && low && up && spec {
            return Ok(());
        }
        num = num || c.is_numeric();
        low = low || c.is_lowercase();
        up = up || c.is_uppercase();
        spec = spec || !c.is_alphanumeric();
    }

    return Err(garde::Error::new(WEAK_PASS));
}

async fn register_internal(
    _req: HttpRequest,
    db: Arc<DatabaseConnection>,
    p: AccountInfo,
    errors: &mut oswilno_view::Errors,
) -> Result<HttpResponse, AccountInfo> {
    use oswilno_contract::accounts::*;
    use sea_orm::*;

    let query_result = db
        .query_one(sea_orm::Statement::from_sql_and_values(
            sea_orm::DbBackend::Postgres,
            "select login = $1 as login_taken, email = $2 as email_taken from accounts",
            [p.input_login.clone().into(), p.email.clone().into()],
        ))
        .await
        .map_err(|e| {
            tracing::error!("{e}");
            errors.push_global("Something went wrong");
            p.clone()
        })?;
    let (login_taken, email_taken) = if let Some(query_result) = query_result {
        let Ok((login_taken, email_taken)): Result<(bool,bool), _> = query_result.try_get_many("", &["login_taken".into(), "email_taken".into()]) else {
            tracing::warn!("Failed to fetch fields from query result while checking if account info exists in db");
            errors.push_global("Something went wrong");
            return Err(p);
        };
        (login_taken, email_taken)
    } else {
        (false, false)
    };

    if let Err(e) = p.validate(&RegisterContext {
        login_taken,
        email_taken,
        pass_differ: p.password != p.password_confirmation,
    }) {
        errors.consume_garde(e);
        return Err(p);
    }
    tracing::warn!("{errors:#?}");

    let pass = match hashing::encrypt(p.password.as_str()) {
        Ok(p) => p,
        Err(e) => {
            tracing::warn!("{e}");
            return Ok(HttpResponse::InternalServerError().body(""));
        }
    };
    let model = (ActiveModel {
        id: NotSet,
        login: Set(p.input_login.to_string()),
        email: Set(p.email.to_string()),
        pass_hash: Set(pass),
        ..Default::default()
    })
    .save(&*db)
    .await
    .map_err(|e| {
        tracing::warn!("{e}");
        errors.push_global("Login or email already taken");
        p
    })?;

    tracing::info!("{model:?}");

    Ok(HttpResponse::SeeOther()
        .append_header(("Location", "/login"))
        .append_header(("Accept", "text/html-partial"))
        .body(""))
}

pub struct JwtSigningKeys {
    encoding_key: EncodingKey,
    decoding_key: DecodingKey,
}

impl JwtSigningKeys {
    fn generate() -> Result<Self, Box<dyn std::error::Error>> {
        let doc = Ed25519KeyPair::generate_pkcs8(&SystemRandom::new())?;
        let keypair = Ed25519KeyPair::from_pkcs8(doc.as_ref())?;
        let encoding_key = EncodingKey::from_ed_der(doc.as_ref());
        let decoding_key = DecodingKey::from_ed_der(keypair.public_key().as_ref());
        Ok(JwtSigningKeys {
            encoding_key,
            decoding_key,
        })
    }
}