upub/routes/src/auth.rs

use axum::{extract::{FromRef, FromRequestParts}, http::{header, request::Parts}};
use sea_orm::{ColumnTrait, Condition, EntityTrait, QueryFilter};
use httpsign::HttpSignature;
use upub::traits::{fetch::RequestError, Fetcher};

use crate::ApiError;

#[derive(Debug, Clone)]
pub enum Identity {
	Anonymous,
	Remote {
		user: String,
		domain: String,
		internal: i64,
	},
	Local {
		id: String,
		internal: i64,
	},
}

impl Identity {
	// TODO i hate having to do this, but if i don't include `activity.actor` column
	//      we can't see our own activities (likes, announces, follows), and if i do
	//      all queries which don't bring up activities break. so it's necessary to
	//      split these two in order to manually include the extra filter when
	//      needed

	pub fn filter_objects(&self) -> Condition {
		let base_cond = Condition::any().add(upub::model::addressing::Column::Actor.is_null());
		match self {
			Identity::Anonymous => base_cond,
			Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)), 
			Identity::Local { internal, id } => base_cond
				.add(upub::model::addressing::Column::Actor.eq(*internal))
				.add(upub::model::object::Column::AttributedTo.eq(id))
		}
	}

	pub fn filter_activities(&self) -> Condition {
		let base_cond = Condition::any().add(upub::model::addressing::Column::Actor.is_null());
		match self {
			Identity::Anonymous => base_cond,
			Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)), 
			Identity::Local { internal, id } => base_cond
				.add(upub::model::addressing::Column::Actor.eq(*internal))
				.add(upub::model::object::Column::AttributedTo.eq(id))
				.add(upub::model::activity::Column::Actor.eq(id)),
		}
	}

	pub fn my_id(&self) -> Option<i64> {
		match self {
			Identity::Local { internal, .. } => Some(*internal),
			_ => None,
		}
	}

	pub fn is(&self, uid: &str) -> bool {
		match self {
			Identity::Anonymous => false,
			Identity::Remote { .. } => false, // TODO per-actor server auth should check this
			Identity::Local { id, .. } => id.as_str() == uid
		}
	}

	#[allow(unused)]
	pub fn is_anon(&self) -> bool {
		matches!(self, Self::Anonymous)
	}

	#[allow(unused)]
	pub fn is_local(&self) -> bool {
		matches!(self, Self::Local { .. })
	}

	#[allow(unused)]
	pub fn is_remote(&self) -> bool {
		matches!(self, Self::Remote { .. })
	}
}

pub struct AuthIdentity(pub Identity);

#[axum::async_trait]
impl<S> FromRequestParts<S> for AuthIdentity
where
	upub::Context: FromRef<S>,
	S: Send + Sync,
{
	type Rejection = ApiError;

	async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
		let ctx = upub::Context::from_ref(state);
		let mut identity = Identity::Anonymous;

		let auth_header = parts
			.headers
			.get(header::AUTHORIZATION)
			.map(|v| v.to_str().unwrap_or(""))
			.unwrap_or("");

		if auth_header.starts_with("Bearer ") {
			match upub::model::session::Entity::find()
				.filter(upub::model::session::Column::Secret.eq(auth_header.replace("Bearer ", "")))
				.filter(upub::model::session::Column::Expires.gt(chrono::Utc::now()))
				.one(ctx.db())
				.await?
			{
				None => return Err(ApiError::unauthorized()),
				Some(x) => {
					// TODO could we store both actor ap id and internal id in session? to avoid this extra
					// lookup on *every* local authed request we receive...
					let internal = upub::model::actor::Entity::ap_to_internal(&x.actor, ctx.db())
						.await?
						.ok_or_else(ApiError::internal_server_error)?;
					identity = Identity::Local { id: x.actor, internal };
				},
			}
		}

		if let Some(sig) = parts
			.headers
			.get("Signature")
			.map(|v| v.to_str().unwrap_or(""))
		{
			tracing::debug!("validating http signature '{sig}'");
			let mut http_signature = HttpSignature::parse(sig);

			// TODO assert payload's digest is equal to signature's
			//      really annoying to do here because we're streaming
			//      the request, maybe even impossible with this design?

			let user_id = http_signature.key_id
				.replace("/main-key", "") // gotosocial whyyyyy
				.split('#')
				.next().ok_or(ApiError::bad_request())?
				.to_string();

			match ctx.fetch_user(&user_id, ctx.db()).await {
				Err(RequestError::Database(x)) => return Err(RequestError::Database(x).into()),
				Err(e) => tracing::debug!("could not fetch {user_id} to verify signature: {e}"),
				Ok(user) => {
					let signature = http_signature.build_from_parts(parts);
					tracing::debug!("constructed http signature {signature:?}");
					let valid = signature.verify(&user.public_key)?;

					if !valid {
						tracing::warn!("refusing mismatching http signature");
						return Err(ApiError::unauthorized());
					}

					if ctx.cfg().reject.requests.contains(&user.domain) {
						return Err(ApiError::Status(axum::http::StatusCode::UNAVAILABLE_FOR_LEGAL_REASONS));
					}

					if !ctx.cfg().reject.access.contains(&user.domain) {
						let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
							.await?
							.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
						identity = Identity::Remote { user: user.id, domain: user.domain, internal };
					}
				},
			}

		}

		Ok(AuthIdentity(identity))
	}
}
feat: reimplemented from scratch http sig verify 2024-04-13 05:26:50 +02:00			`use axum::{extract::{FromRef, FromRequestParts}, http::{header, request::Parts}};`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`use sea_orm::{ColumnTrait, Condition, EntityTrait, QueryFilter};`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`use httpsign::HttpSignature;`
chore: renamed PullError in RequestError 2024-07-06 06:08:42 +02:00			`use upub::traits::{fetch::RequestError, Fetcher};`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`use crate::ApiError;`
fix: insert addressings after fetching also refactored fetcher into a trait of context 2024-04-18 05:25:56 +02:00
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`#[derive(Debug, Clone)]`
			`pub enum Identity {`
			`Anonymous,`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`Remote {`
chore: instrument inbox/outbox this is where side effects happen, so better keep them under control also trying out tracing, i should redo how i trace stuff in upub... 2024-05-31 14:43:48 +02:00			`user: String,`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`domain: String,`
			`internal: i64,`
			`},`
			`Local {`
			`id: String,`
			`internal: i64,`
			`},`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`}`

feat: inbox/outbox security and obj embedding 2024-04-12 19:36:00 +02:00			`impl Identity {`
fix: split again auth filter i hate having to do this, but if i don't include `activity.actor` column we can't see our own activities (likes, announces, follows), and if i do all queries which don't bring up activities break. so it's necessary to split these two in order to manually include the extra filter when needed 2024-12-10 23:21:52 +01:00			// TODO i hate having to do this, but if i don't include `activity.actor` column
			`// we can't see our own activities (likes, announces, follows), and if i do`
			`// all queries which don't bring up activities break. so it's necessary to`
			`// split these two in order to manually include the extra filter when`
			`// needed`

			`pub fn filter_objects(&self) -> Condition {`
			`let base_cond = Condition::any().add(upub::model::addressing::Column::Actor.is_null());`
			`match self {`
			`Identity::Anonymous => base_cond,`
			`Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)),`
			`Identity::Local { internal, id } => base_cond`
			`.add(upub::model::addressing::Column::Actor.eq(*internal))`
			`.add(upub::model::object::Column::AttributedTo.eq(id))`
			`}`
			`}`

			`pub fn filter_activities(&self) -> Condition {`
fix: oops leftovers aha 2024-06-08 02:18:45 +02:00			`let base_cond = Condition::any().add(upub::model::addressing::Column::Actor.is_null());`
			`match self {`
			`Identity::Anonymous => base_cond,`
			`Identity::Remote { internal, .. } => base_cond.add(upub::model::addressing::Column::Instance.eq(*internal)),`
fix: auth filter includes own objects previously each route had to opt-in showing your own objects (which aren't addressed to self to not appear on TLs and in notifications, but that may change?), now the base filter includes that condition hope this doesn't break anything? :3 i think it was with actors and relations that i made it simpler but objects should be safe 2024-11-08 14:15:34 +01:00			`Identity::Local { internal, id } => base_cond`
			`.add(upub::model::addressing::Column::Actor.eq(*internal))`
fix: show activities by self 2024-12-10 22:47:44 +01:00			`.add(upub::model::object::Column::AttributedTo.eq(id))`
			`.add(upub::model::activity::Column::Actor.eq(id)),`
fix: oops leftovers aha 2024-06-08 02:18:45 +02:00			`}`
			`}`

chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`pub fn my_id(&self) -> Option<i64> {`
feat: query and show objects liked by you it shows it in quite a jank way: inside the "audience" collections you find your id as only item. it's weird af but technically valid ap i think? will probably be replaced with a local api extension as soon as i read about those 2024-04-30 01:50:25 +02:00			`match self {`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`Identity::Local { internal, .. } => Some(*internal),`
feat: query and show objects liked by you it shows it in quite a jank way: inside the "audience" collections you find your id as only item. it's weird af but technically valid ap i think? will probably be replaced with a local api extension as soon as i read about those 2024-04-30 01:50:25 +02:00			`_ => None,`
			`}`
			`}`

fix: no more errors! no more warnings!! finished upgrading inbox to new schema, there's ton of space for improvement but lets first see if it works 2024-05-27 05:38:51 +02:00			`pub fn is(&self, uid: &str) -> bool {`
feat: allow checking if identity is someone 2024-05-01 17:47:21 +02:00			`match self {`
			`Identity::Anonymous => false,`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`Identity::Remote { .. } => false, // TODO per-actor server auth should check this`
fix: no more errors! no more warnings!! finished upgrading inbox to new schema, there's ton of space for improvement but lets first see if it works 2024-05-27 05:38:51 +02:00			`Identity::Local { id, .. } => id.as_str() == uid`
feat: allow checking if identity is someone 2024-05-01 17:47:21 +02:00			`}`
			`}`

chore: silenced unused warnings 2024-05-27 16:58:51 +02:00			`#[allow(unused)]`
feat: helper methods to handle auth cases 2024-04-18 03:06:40 +02:00			`pub fn is_anon(&self) -> bool {`
fix: increase follow counts on Accept both for inbox and outbox 2024-04-18 03:41:27 +02:00			`matches!(self, Self::Anonymous)`
feat: helper methods to handle auth cases 2024-04-18 03:06:40 +02:00			`}`

chore: silenced unused warnings 2024-05-27 16:58:51 +02:00			`#[allow(unused)]`
feat: local users can request to fetch remote stuff 2024-04-18 04:48:49 +02:00			`pub fn is_local(&self) -> bool {`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`matches!(self, Self::Local { .. })`
feat: local users can request to fetch remote stuff 2024-04-18 04:48:49 +02:00			`}`

chore: silenced unused warnings 2024-05-27 16:58:51 +02:00			`#[allow(unused)]`
feat: local users can request to fetch remote stuff 2024-04-18 04:48:49 +02:00			`pub fn is_remote(&self) -> bool {`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`matches!(self, Self::Remote { .. })`
feat: local users can request to fetch remote stuff 2024-04-18 04:48:49 +02:00			`}`
feat: inbox/outbox security and obj embedding 2024-04-12 19:36:00 +02:00			`}`

feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`pub struct AuthIdentity(pub Identity);`

feat: use cargo-leptos for all-in-one ssr binary.. ... that doesn't work?!? spent hours getting this to compile, it munched 20GB like it was nothing, took its damn time just to then crash while running because "cannot access imported statics on non-wasm targets" ?!?!!?? no clue, also not super sold on this SSR thing because it adds so much complexity, will probably leave this branch up here for future reference in case i want to try this again, and go back to trunk + include! static assets and full CSR for leptos 2025-01-21 02:39:43 +01:00			`#[axum::async_trait]`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`impl<S> FromRequestParts<S> for AuthIdentity`
			`where`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`upub::Context: FromRef<S>,`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`S: Send + Sync,`
			`{`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`type Rejection = ApiError;`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00
			`async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`let ctx = upub::Context::from_ref(state);`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`let mut identity = Identity::Anonymous;`

			`let auth_header = parts`
			`.headers`
			`.get(header::AUTHORIZATION)`
			`.map(\|v\| v.to_str().unwrap_or(""))`
			`.unwrap_or("");`

			`if auth_header.starts_with("Bearer ") {`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`match upub::model::session::Entity::find()`
			`.filter(upub::model::session::Column::Secret.eq(auth_header.replace("Bearer ", "")))`
			`.filter(upub::model::session::Column::Expires.gt(chrono::Utc::now()))`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`.one(ctx.db())`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`.await?`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`{`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`None => return Err(ApiError::unauthorized()),`
			`Some(x) => {`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`// TODO could we store both actor ap id and internal id in session? to avoid this extra`
			`// lookup on every local authed request we receive...`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`let internal = upub::model::actor::Entity::ap_to_internal(&x.actor, ctx.db())`
			`.await?`
			`.ok_or_else(ApiError::internal_server_error)?;`
chore: helpers for internal ids, fix routes and ctx basically just need to do inbox/outbox? then there's still some issues with relays relations and auth extra selects but may actually work again 2024-05-25 07:00:03 +02:00			`identity = Identity::Local { id: x.actor, internal };`
			`},`
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`}`
			`}`

feat: verify inbox http signatures 2024-04-13 01:49:23 +02:00			`if let Some(sig) = parts`
			`.headers`
			`.get("Signature")`
			`.map(\|v\| v.to_str().unwrap_or(""))`
			`{`
fix: temporary extra debug to fix iceshrimp 2024-06-29 16:50:31 +02:00			`tracing::debug!("validating http signature '{sig}'");`
feat: improved http signatures code 2024-04-13 21:22:19 +02:00			`let mut http_signature = HttpSignature::parse(sig);`
feat: reimplemented from scratch http sig verify 2024-04-13 05:26:50 +02:00
feat: improved http signatures code 2024-04-13 21:22:19 +02:00			`// TODO assert payload's digest is equal to signature's`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`// really annoying to do here because we're streaming`
			`// the request, maybe even impossible with this design?`

fix: not all keys are #main-key 2024-04-16 19:19:49 +02:00			`let user_id = http_signature.key_id`
fix: gts uses a path but its not real??? 2024-05-31 15:56:25 +02:00			`.replace("/main-key", "") // gotosocial whyyyyy`
fix: not all keys are #main-key 2024-04-16 19:19:49 +02:00			`.split('#')`
chore!: HUGE REFACTOR not even sure stuff will stay this way but phewwwwww this was time consuming asffff 2024-06-01 05:21:57 +02:00			`.next().ok_or(ApiError::bad_request())?`
fix: not all keys are #main-key 2024-04-16 19:19:49 +02:00			`.to_string();`
feat: improved http signatures code 2024-04-13 21:22:19 +02:00
fix: more appropriate http signature errors if we cant fetch from db its our fault (500), if we cant fetch your actor its your fault (4xx) 2024-06-07 19:05:37 +02:00			`match ctx.fetch_user(&user_id, ctx.db()).await {`
chore: renamed PullError in RequestError 2024-07-06 06:08:42 +02:00			`Err(RequestError::Database(x)) => return Err(RequestError::Database(x).into()),`
fix: show why http sign failed fetching in dbg 2024-06-15 02:13:52 +02:00			`Err(e) => tracing::debug!("could not fetch {user_id} to verify signature: {e}"),`
fix: more appropriate http signature errors if we cant fetch from db its our fault (500), if we cant fetch your actor its your fault (4xx) 2024-06-07 19:05:37 +02:00			`Ok(user) => {`
fix: temporary extra debug to fix iceshrimp 2024-06-29 16:50:31 +02:00			`let signature = http_signature.build_from_parts(parts);`
			`tracing::debug!("constructed http signature {signature:?}");`
			`let valid = signature.verify(&user.public_key)?;`
fix: http signatures errors are 500, not 401 if user provides an http signature and we fail to verify, bail out! if our db didn't give us the local user its unlikely that we will be able to serve anything anyway, just give up 2024-06-06 21:04:04 +02:00
fix: more appropriate http signature errors if we cant fetch from db its our fault (500), if we cant fetch your actor its your fault (4xx) 2024-06-07 19:05:37 +02:00			`if !valid {`
			`tracing::warn!("refusing mismatching http signature");`
			`return Err(ApiError::unauthorized());`
			`}`
fix: http signatures errors are 500, not 401 if user provides an http signature and we fail to verify, bail out! if our db didn't give us the local user its unlikely that we will be able to serve anything anyway, just give up 2024-06-06 21:04:04 +02:00
chore: rename "prevent.fetch" to "prevent.requests" 2024-12-31 16:30:45 +01:00			`if ctx.cfg().reject.requests.contains(&user.domain) {`
feat: more federation policies also allow to prevent access via http signatures or straight out reject all fetches. note that this last option is rather ineffective as remotes can just fetch public objects anonimously 2024-12-29 03:31:59 +01:00			`return Err(ApiError::Status(axum::http::StatusCode::UNAVAILABLE_FOR_LEGAL_REASONS));`
			`}`

			`if !ctx.cfg().reject.access.contains(&user.domain) {`
			`let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())`
			`.await?`
			`.ok_or_else(ApiError::internal_server_error)?; // user but not their domain???`
			`identity = Identity::Remote { user: user.id, domain: user.domain, internal };`
			`}`
fix: more appropriate http signature errors if we cant fetch from db its our fault (500), if we cant fetch your actor its your fault (4xx) 2024-06-07 19:05:37 +02:00			`},`
fix: continue as anon if can't fetch user 2024-04-13 03:31:37 +02:00			`}`
fix: http signatures errors are 500, not 401 if user provides an http signature and we fail to verify, bail out! if our db didn't give us the local user its unlikely that we will be able to serve anything anyway, just give up 2024-06-06 21:04:04 +02:00
feat: verify inbox http signatures 2024-04-13 01:49:23 +02:00			`}`
feat: initial work on validating http signatures 2024-03-25 05:12:49 +01:00
feat: initial auth extractor 2024-03-25 01:58:30 +01:00			`Ok(AuthIdentity(identity))`
			`}`
			`}`
No results found.