ferri/ferri-server/src/endpoints/oauth.rs

use crate::Db;
use rocket::{
    FromForm,
    form::Form,
    get, post,
    response::Redirect,
    serde::{Deserialize, Serialize, json::Json},
};
use rocket_db_pools::Connection;

#[get("/oauth/authorize?<client_id>&<scope>&<redirect_uri>&<response_type>")]
pub async fn authorize(
    client_id: &str,
    scope: &str,
    redirect_uri: &str,
    response_type: &str,
    mut db: Connection<Db>,
) -> Redirect {
    // For now, we will always authorize the request and assign it to an admin user
    let user_id = "9b9d497b-2731-435f-a929-e609ca69dac9";
    let code = main::gen_token(15);

    // This will act as a token for the user, but we will in future say that it expires very shortly
    // and can only be used for obtaining an access token etc
    sqlx::query!(
        r#"
      INSERT INTO auth (token, user_id)
      VALUES (?1, ?2)
    "#,
        code,
        user_id
    )
    .execute(&mut **db)
    .await
    .unwrap();

    let id_token = main::gen_token(10);
    
    // Add an oauth entry for the `code` which /oauth/token will rewrite
    sqlx::query!(
        r#"
      INSERT INTO oauth (id_token, client_id, expires_in, scope, access_token)
      VALUES (?1, ?2, ?3, ?4, ?5)
    "#,
        id_token,
        client_id,
        3600,
        scope,
        code
    )
    .execute(&mut **db)
    .await
    .unwrap();

    Redirect::temporary(format!("{}?code={}", redirect_uri, code))
}

#[derive(Serialize, Deserialize, Debug)]
#[serde(crate = "rocket::serde")]
pub struct Token {
    pub access_token: String,
    pub token_type: String,
    pub expires_in: i64,
    pub scope: String,
    pub id_token: String,
}

#[derive(Deserialize, Debug, FromForm)]
#[serde(crate = "rocket::serde")]
struct NewTokenRequest {
    client_id: String,
    redirect_uri: String,
    grant_type: String,
    code: String,
    client_secret: String,
}

#[post("/oauth/token", data = "<req>")]
pub async fn new_token(req: Form<NewTokenRequest>, mut db: Connection<Db>) -> Json<Token> {
    let oauth = sqlx::query!(
        r#"
      SELECT o.*, a.*
      FROM oauth o
      INNER JOIN auth a ON a.token = ?2
      WHERE o.access_token = ?1
    "#,
        req.code,
        req.code
    )
    .fetch_one(&mut **db)
    .await
    .unwrap();

    let access_token = main::gen_token(15);

    // Important: setup 'auth' first
    sqlx::query!(
        r#"
      INSERT INTO auth (token, user_id)
      VALUES (?1, ?2)
    "#,
        access_token,
        oauth.user_id
    )
    .execute(&mut **db)
    .await
    .unwrap();

    sqlx::query!(
        "UPDATE oauth SET access_token = ?1 WHERE access_token = ?2",
        access_token,
        req.code
    )
    .execute(&mut **db)
    .await
    .unwrap();

    sqlx::query!("DELETE FROM auth WHERE token = ?1", req.code)
        .execute(&mut **db)
        .await
        .unwrap();

    Json(Token {
        access_token: access_token.to_string(),
        token_type: "Bearer".to_string(),
        expires_in: oauth.expires_in,
        scope: oauth.scope.to_string(),
        id_token: oauth.id_token,
    })
}
feat: auth basics 2025-04-24 20:19:54 +01:00			`use crate::Db;`
chore: tidy up ID usage; fmt 2025-04-12 15:16:40 +01:00			`use rocket::{`
feat: auth basics 2025-04-24 20:19:54 +01:00			`FromForm,`
			`form::Form,`
chore: tidy up ID usage; fmt 2025-04-12 15:16:40 +01:00			`get, post,`
			`response::Redirect,`
			`serde::{Deserialize, Serialize, json::Json},`
			`};`
feat: auth basics 2025-04-24 20:19:54 +01:00			`use rocket_db_pools::Connection;`
refactor: everything 2025-04-11 12:29:29 +01:00
			`#[get("/oauth/authorize?<client_id>&<scope>&<redirect_uri>&<response_type>")]`
			`pub async fn authorize(`
			`client_id: &str,`
			`scope: &str,`
			`redirect_uri: &str,`
			`response_type: &str,`
feat: auth basics 2025-04-24 20:19:54 +01:00			`mut db: Connection<Db>,`
refactor: everything 2025-04-11 12:29:29 +01:00			`) -> Redirect {`
feat: auth basics 2025-04-24 20:19:54 +01:00			`// For now, we will always authorize the request and assign it to an admin user`
			`let user_id = "9b9d497b-2731-435f-a929-e609ca69dac9";`
			`let code = main::gen_token(15);`

			`// This will act as a token for the user, but we will in future say that it expires very shortly`
			`// and can only be used for obtaining an access token etc`
			`sqlx::query!(`
			`r#"`
			`INSERT INTO auth (token, user_id)`
			`VALUES (?1, ?2)`
			`"#,`
			`code,`
			`user_id`
			`)`
			`.execute(&mut **db)`
			`.await`
			`.unwrap();`

			`let id_token = main::gen_token(10);`

			// Add an oauth entry for the `code` which /oauth/token will rewrite
			`sqlx::query!(`
			`r#"`
			`INSERT INTO oauth (id_token, client_id, expires_in, scope, access_token)`
			`VALUES (?1, ?2, ?3, ?4, ?5)`
			`"#,`
			`id_token,`
			`client_id,`
			`3600,`
			`scope,`
			`code`
			`)`
			`.execute(&mut **db)`
			`.await`
			`.unwrap();`

			`Redirect::temporary(format!("{}?code={}", redirect_uri, code))`
refactor: everything 2025-04-11 12:29:29 +01:00			`}`

			`#[derive(Serialize, Deserialize, Debug)]`
			`#[serde(crate = "rocket::serde")]`
			`pub struct Token {`
			`pub access_token: String,`
			`pub token_type: String,`
			`pub expires_in: i64,`
			`pub scope: String,`
			`pub id_token: String,`
			`}`

feat: auth basics 2025-04-24 20:19:54 +01:00			`#[derive(Deserialize, Debug, FromForm)]`
			`#[serde(crate = "rocket::serde")]`
			`struct NewTokenRequest {`
			`client_id: String,`
			`redirect_uri: String,`
			`grant_type: String,`
			`code: String,`
			`client_secret: String,`
			`}`

			`#[post("/oauth/token", data = "<req>")]`
			`pub async fn new_token(req: Form<NewTokenRequest>, mut db: Connection<Db>) -> Json<Token> {`
			`let oauth = sqlx::query!(`
			`r#"`
			`SELECT o., a.`
			`FROM oauth o`
			`INNER JOIN auth a ON a.token = ?2`
			`WHERE o.access_token = ?1`
			`"#,`
			`req.code,`
			`req.code`
			`)`
			`.fetch_one(&mut **db)`
			`.await`
			`.unwrap();`

			`let access_token = main::gen_token(15);`

			`// Important: setup 'auth' first`
			`sqlx::query!(`
			`r#"`
			`INSERT INTO auth (token, user_id)`
			`VALUES (?1, ?2)`
			`"#,`
			`access_token,`
			`oauth.user_id`
			`)`
			`.execute(&mut **db)`
			`.await`
			`.unwrap();`

			`sqlx::query!(`
			`"UPDATE oauth SET access_token = ?1 WHERE access_token = ?2",`
			`access_token,`
			`req.code`
			`)`
			`.execute(&mut **db)`
			`.await`
			`.unwrap();`

			`sqlx::query!("DELETE FROM auth WHERE token = ?1", req.code)`
			`.execute(&mut **db)`
			`.await`
			`.unwrap();`

refactor: everything 2025-04-11 12:29:29 +01:00			`Json(Token {`
feat: auth basics 2025-04-24 20:19:54 +01:00			`access_token: access_token.to_string(),`
refactor: everything 2025-04-11 12:29:29 +01:00			`token_type: "Bearer".to_string(),`
feat: auth basics 2025-04-24 20:19:54 +01:00			`expires_in: oauth.expires_in,`
			`scope: oauth.scope.to_string(),`
			`id_token: oauth.id_token,`
refactor: everything 2025-04-11 12:29:29 +01:00			`})`
			`}`