|
|
|
@ -3,7 +3,7 @@ use std::collections::HashMap;
|
|
|
|
|
use rocket::{Route, Outcome};
|
|
|
|
|
use rocket::request::{self, Request, FromRequest, Form, FormItems, FromForm};
|
|
|
|
|
|
|
|
|
|
use rocket_contrib::Json;
|
|
|
|
|
use rocket_contrib::{Json, Value};
|
|
|
|
|
|
|
|
|
|
use db::DbConn;
|
|
|
|
|
use db::models::*;
|
|
|
|
@ -19,19 +19,42 @@ pub fn routes() -> Vec<Route> {
|
|
|
|
|
#[post("/connect/token", data = "<connect_data>")]
|
|
|
|
|
fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn) -> JsonResult {
|
|
|
|
|
let data = connect_data.get();
|
|
|
|
|
println!("{:#?}", data);
|
|
|
|
|
|
|
|
|
|
let mut device = match data.grant_type {
|
|
|
|
|
GrantType::RefreshToken => {
|
|
|
|
|
match data.grant_type {
|
|
|
|
|
GrantType::RefreshToken =>_refresh_login(data, device_type, conn),
|
|
|
|
|
GrantType::Password => _password_login(data, device_type, conn)
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn _refresh_login(data: &ConnectData, _device_type: DeviceType, conn: DbConn) -> JsonResult {
|
|
|
|
|
// Extract token
|
|
|
|
|
let token = data.get("refresh_token").unwrap();
|
|
|
|
|
|
|
|
|
|
// Get device by refresh token
|
|
|
|
|
match Device::find_by_refresh_token(token, &conn) {
|
|
|
|
|
let mut device = match Device::find_by_refresh_token(token, &conn) {
|
|
|
|
|
Some(device) => device,
|
|
|
|
|
None => err!("Invalid refresh token")
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
GrantType::Password => {
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// COMMON
|
|
|
|
|
let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
|
|
|
|
|
let orgs = UserOrganization::find_by_user(&user.uuid, &conn);
|
|
|
|
|
|
|
|
|
|
let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
|
|
|
|
|
device.save(&conn);
|
|
|
|
|
|
|
|
|
|
Ok(Json(json!({
|
|
|
|
|
"access_token": access_token,
|
|
|
|
|
"expires_in": expires_in,
|
|
|
|
|
"token_type": "Bearer",
|
|
|
|
|
"refresh_token": device.refresh_token,
|
|
|
|
|
"Key": user.key,
|
|
|
|
|
"PrivateKey": user.private_key,
|
|
|
|
|
})))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn _password_login(data: &ConnectData, device_type: DeviceType, conn: DbConn) -> JsonResult {
|
|
|
|
|
// Validate scope
|
|
|
|
|
let scope = data.get("scope").unwrap();
|
|
|
|
|
if scope != "api offline_access" {
|
|
|
|
@ -51,19 +74,6 @@ fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn)
|
|
|
|
|
err!("Username or password is incorrect. Try again.")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if totp code is required and the value is correct
|
|
|
|
|
let totp_code = util::parse_option_string(data.get("twoFactorToken"));
|
|
|
|
|
|
|
|
|
|
if !user.check_totp_code(totp_code) {
|
|
|
|
|
// Return error 400
|
|
|
|
|
err_json!(json!({
|
|
|
|
|
"error" : "invalid_grant",
|
|
|
|
|
"error_description" : "Two factor required.",
|
|
|
|
|
"TwoFactorProviders" : [ 0 ],
|
|
|
|
|
"TwoFactorProviders2" : { "0" : null }
|
|
|
|
|
}))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Let's only use the header and ignore the 'devicetype' parameter
|
|
|
|
|
let device_type_num = device_type.0;
|
|
|
|
|
|
|
|
|
@ -78,7 +88,7 @@ fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn)
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// Find device or create new
|
|
|
|
|
match Device::find_by_uuid(&device_id, &conn) {
|
|
|
|
|
let mut device = match Device::find_by_uuid(&device_id, &conn) {
|
|
|
|
|
Some(device) => {
|
|
|
|
|
// Check if valid device
|
|
|
|
|
if device.user_uuid != user.uuid {
|
|
|
|
@ -90,27 +100,111 @@ fn login(connect_data: Form<ConnectData>, device_type: DeviceType, conn: DbConn)
|
|
|
|
|
}
|
|
|
|
|
None => {
|
|
|
|
|
// Create new device
|
|
|
|
|
Device::new(device_id, user.uuid, device_name, device_type_num)
|
|
|
|
|
Device::new(device_id, user.uuid.clone(), device_name, device_type_num)
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
let twofactor_token = if user.requires_twofactor() {
|
|
|
|
|
let twofactor_provider = util::parse_option_string(data.get("twoFactorProvider")).unwrap_or(0);
|
|
|
|
|
let twofactor_code = match data.get("twoFactorToken") {
|
|
|
|
|
Some(code) => code,
|
|
|
|
|
None => err_json!(_json_err_twofactor())
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
match twofactor_provider {
|
|
|
|
|
0 /* TOTP */ => {
|
|
|
|
|
let totp_code: u64 = match twofactor_code.parse() {
|
|
|
|
|
Ok(code) => code,
|
|
|
|
|
Err(_) => err!("Invalid Totp code")
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if !user.check_totp_code(totp_code) {
|
|
|
|
|
err_json!(_json_err_twofactor())
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if util::parse_option_string(data.get("twoFactorRemember")).unwrap_or(0) == 1 {
|
|
|
|
|
device.refresh_twofactor_remember();
|
|
|
|
|
device.twofactor_remember.clone()
|
|
|
|
|
} else {
|
|
|
|
|
device.delete_twofactor_remember();
|
|
|
|
|
None
|
|
|
|
|
}
|
|
|
|
|
},
|
|
|
|
|
5 /* Remember */ => {
|
|
|
|
|
match device.twofactor_remember {
|
|
|
|
|
Some(ref remember) if remember == twofactor_code => (),
|
|
|
|
|
_ => err_json!(_json_err_twofactor())
|
|
|
|
|
};
|
|
|
|
|
None // No twofactor token needed here
|
|
|
|
|
},
|
|
|
|
|
_ => err!("Invalid two factor provider"),
|
|
|
|
|
}
|
|
|
|
|
} else { None }; // No twofactor token if twofactor is disabled
|
|
|
|
|
|
|
|
|
|
// Common
|
|
|
|
|
let user = User::find_by_uuid(&device.user_uuid, &conn).unwrap();
|
|
|
|
|
let orgs = UserOrganization::find_by_user(&user.uuid, &conn);
|
|
|
|
|
|
|
|
|
|
let (access_token, expires_in) = device.refresh_tokens(&user, orgs);
|
|
|
|
|
device.save(&conn);
|
|
|
|
|
|
|
|
|
|
Ok(Json(json!({
|
|
|
|
|
let mut result = json!({
|
|
|
|
|
"access_token": access_token,
|
|
|
|
|
"expires_in": expires_in,
|
|
|
|
|
"token_type": "Bearer",
|
|
|
|
|
"refresh_token": device.refresh_token,
|
|
|
|
|
"Key": user.key,
|
|
|
|
|
"PrivateKey": user.private_key
|
|
|
|
|
})))
|
|
|
|
|
"PrivateKey": user.private_key,
|
|
|
|
|
//"TwoFactorToken": "11122233333444555666777888999"
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if let Some(token) = twofactor_token {
|
|
|
|
|
result["TwoFactorToken"] = Value::String(token);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
Ok(Json(result))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
fn _json_err_twofactor() -> Value {
|
|
|
|
|
json!({
|
|
|
|
|
"error" : "invalid_grant",
|
|
|
|
|
"error_description" : "Two factor required.",
|
|
|
|
|
"TwoFactorProviders" : [ 0 ],
|
|
|
|
|
"TwoFactorProviders2" : { "0" : null }
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
ConnectData {
|
|
|
|
|
grant_type: Password,
|
|
|
|
|
is_device: false,
|
|
|
|
|
data: {
|
|
|
|
|
"scope": "api offline_access",
|
|
|
|
|
"client_id": "web",
|
|
|
|
|
"grant_type": "password",
|
|
|
|
|
"username": "dani@mail",
|
|
|
|
|
"password": "8IuV1sJ94tPjyYIK+E+PTjblzjm4W6C4N5wqM0KKsSg="
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
RETURNS "TwoFactorToken": "11122233333444555666777888999"
|
|
|
|
|
|
|
|
|
|
Next login
|
|
|
|
|
ConnectData {
|
|
|
|
|
grant_type: Password,
|
|
|
|
|
is_device: false,
|
|
|
|
|
data: {
|
|
|
|
|
"scope": "api offline_access",
|
|
|
|
|
"username": "dani@mail",
|
|
|
|
|
"client_id": "web",
|
|
|
|
|
"twofactorprovider": "5",
|
|
|
|
|
"twofactortoken": "11122233333444555666777888999",
|
|
|
|
|
"grant_type": "password",
|
|
|
|
|
"twofactorremember": "0",
|
|
|
|
|
"password": "8IuV1sJ94tPjyYIK+E+PTjblzjm4W6C4N5wqM0KKsSg="
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct DeviceType(i32);
|
|
|
|
|