Compare commits
No commits in common. "master" and "feat_user_panel_authorizations" have entirely different histories.
master
...
feat_user_
106 changed files with 604 additions and 1858 deletions
|
@ -1,7 +0,0 @@
|
|||
target
|
||||
.env
|
||||
tmp
|
||||
Dockerfile
|
||||
.dockerignore
|
||||
justfile
|
||||
config.toml
|
541
Cargo.lock
generated
541
Cargo.lock
generated
File diff suppressed because it is too large
Load diff
51
Cargo.toml
51
Cargo.toml
|
@ -1,36 +1,31 @@
|
|||
# cargo-features = ["codegen-backend"]
|
||||
cargo-features = ["codegen-backend"]
|
||||
|
||||
# [profile.dev]
|
||||
# codegen-backend = "cranelift"
|
||||
# # END OF
|
||||
[profile.dev]
|
||||
codegen-backend = "cranelift"
|
||||
|
||||
[workspace]
|
||||
resolver = "2"
|
||||
members = [
|
||||
"lib/kernel",
|
||||
"lib/utils",
|
||||
"lib/http_server",
|
||||
"lib/admin_cli"
|
||||
]
|
||||
[package]
|
||||
name = "minauthator"
|
||||
description = "Identity provider and OAuth2 server for an small-scale organization."
|
||||
version = "0.1.0"
|
||||
edition = "2021"
|
||||
|
||||
[workspace.dependencies]
|
||||
[dependencies]
|
||||
# commons utils
|
||||
anyhow = "1.0"
|
||||
thiserror = "2"
|
||||
fully_pub = "0.1"
|
||||
argon2 = "0.5"
|
||||
strum = "0.26.3"
|
||||
strum_macros = "0.26"
|
||||
uuid = { version = "1.8", features = ["serde", "v4"] }
|
||||
dotenvy = "0.15.7"
|
||||
base64 = "0.22.1"
|
||||
rand = "0.8.5"
|
||||
rand_core = { version = "0.6.4", features = ["std"] }
|
||||
url = "2.5.3"
|
||||
sha2 = "0.10"
|
||||
hex-literal = "0.4"
|
||||
|
||||
# CLI
|
||||
argh = "0.1"
|
||||
argh = "0.1" # for CLI
|
||||
|
||||
# Async
|
||||
tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] }
|
||||
tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
|
||||
|
||||
# Logging
|
||||
log = "0.4"
|
||||
|
@ -39,6 +34,7 @@ env_logger = "0.11"
|
|||
# Serialization
|
||||
serde = { version = "1.0", features = ["derive"] }
|
||||
serde_json = "1.0"
|
||||
serde_urlencoded = "0.7.1"
|
||||
toml = "0.8"
|
||||
|
||||
chrono = { version = "0.4", features = ["serde"] }
|
||||
|
@ -47,6 +43,21 @@ chrono = { version = "0.4", features = ["serde"] }
|
|||
sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "chrono", "uuid"] }
|
||||
redis = { version = "0.27.3", default-features = false, features = ["acl"] }
|
||||
|
||||
# Web
|
||||
axum = { version = "0.7.7", features = ["json", "multipart"] }
|
||||
axum-extra = { version = "0.9.4", features = ["cookie"] }
|
||||
axum-template = { version = "2.4.0", features = ["minijinja"] }
|
||||
axum_typed_multipart = "0.13.1"
|
||||
minijinja = { version = "2.1", features = ["builtins"] }
|
||||
# to make work the static assets server
|
||||
tower-http = { version = "0.6.1", features = ["fs"] }
|
||||
|
||||
# Auth utils
|
||||
totp-rs = "5.6"
|
||||
minijinja-embed = "2.3.1"
|
||||
axum-macros = "0.4.2"
|
||||
jsonwebtoken = "9.3.0"
|
||||
time = "0.3.36"
|
||||
|
||||
[build-dependencies]
|
||||
minijinja-embed = "2.3.1"
|
||||
|
|
37
Dockerfile
37
Dockerfile
|
@ -1,37 +0,0 @@
|
|||
FROM rust:1.83-alpine3.20 AS builder
|
||||
|
||||
WORKDIR /usr/src/minauthator
|
||||
COPY . .
|
||||
|
||||
RUN apk add musl-dev
|
||||
|
||||
RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
|
||||
RUN cargo install --bin minauthator-server --locked --path lib/http_server
|
||||
|
||||
FROM alpine:3.20 AS base
|
||||
|
||||
RUN apk add sqlite
|
||||
COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
|
||||
COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
|
||||
RUN mkdir -p \
|
||||
/usr/local/src/minauthator/migrations \
|
||||
/usr/local/lib/minauthator/assets \
|
||||
/var/lib/minauthator \
|
||||
/etc/minauthator
|
||||
COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
|
||||
COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
|
||||
COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
|
||||
|
||||
RUN addgroup -g 1000 app && \
|
||||
adduser -S -u 1000 -G app -s /bin/sh app && \
|
||||
chown -R app:app /var/lib/minauthator && \
|
||||
chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
|
||||
|
||||
USER app:app
|
||||
ENV RUST_LOG=info
|
||||
ENV RUST_BACKTRACE=1
|
||||
ENV APP_JWT_SECRET="DummyAppSecret20241029"
|
||||
|
||||
CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]
|
||||
|
||||
|
49
README.md
49
README.md
|
@ -1,45 +1,24 @@
|
|||
# Minauthator
|
||||
|
||||
Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
|
||||
Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
|
||||
|
||||
This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS).
|
||||
|
||||
This project also aims to provide features while being frugal and minimalist.
|
||||
This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
|
||||
|
||||
**Project status: *early development, work-in-progress***
|
||||
|
||||
## Features
|
||||
|
||||
- [x] Login
|
||||
- [x] Register
|
||||
- [x] OpenID Connect & OAuth 2.0
|
||||
- [x] Activation token
|
||||
- [x] Profile details
|
||||
- [x] Static apps
|
||||
- [x] Admin CLI to manage user.
|
||||
- [x] User invitation with human token
|
||||
- [ ] User roles
|
||||
- [ ] User groups
|
||||
- [ ] MFA/TOTP
|
||||
- [ ] Email notifications
|
||||
- [ ] Login page customization
|
||||
- [x] App listing (App presentation to users)
|
||||
- [x] Implicit OAuth 2.0 flow
|
||||
- [ ] Email verification
|
||||
- [ ] GPG keys verification and signing
|
||||
- [ ] Docker deployment
|
||||
- [ ] Full user panel & user privacy control
|
||||
|
||||
## Architecture
|
||||
|
||||
- Sqlite DB
|
||||
- Kernel
|
||||
- Http server
|
||||
- Public API
|
||||
- User API
|
||||
- Third-party OAuth2 app/client API
|
||||
- Web GUI (no Javascript)
|
||||
- Admin CLI
|
||||
- Login
|
||||
- Register
|
||||
- OpenID Connect & OAuth 2.0
|
||||
- Activation token
|
||||
- Profile details
|
||||
- Static apps
|
||||
- User roles
|
||||
- MFA/TOTP
|
||||
- Email notifications
|
||||
- Login page customization
|
||||
- App carousel (App presentation to users)
|
||||
|
||||
## Deps
|
||||
|
||||
|
@ -49,4 +28,4 @@ This project also aims to provide features while being frugal and minimalist.
|
|||
|
||||
- [Authentik](https://goauthentik.io/)
|
||||
- [Keycloak](https://www.keycloak.org/)
|
||||
- [Kanidm](https://kanidm.com/)
|
||||
|
||||
|
|
58
TODO.md
58
TODO.md
|
@ -1,23 +1,5 @@
|
|||
# TODO
|
||||
|
||||
- [ ] i18n strings in the http website.
|
||||
|
||||
- [ ] Instance customization support
|
||||
|
||||
- [ ] Public endpoint to get user avatar by id
|
||||
- [ ] Rework avatar upload to limit size and process the image?
|
||||
|
||||
- Authorize form
|
||||
- [ ] Show details about permissions
|
||||
- [ ] Show app logo
|
||||
|
||||
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
|
||||
|
||||
- [ ] feat(perms): add groups and roles
|
||||
|
||||
- [ ] UserWebGUI: add TOTP
|
||||
- [ ] send emails to users
|
||||
|
||||
- [x] Login form
|
||||
- [x] Register form
|
||||
- [x] Redirect to login form if unauthenticated
|
||||
|
@ -31,22 +13,36 @@
|
|||
- [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
|
||||
- .well-known/openid-configuration
|
||||
|
||||
- [x] architecture refactor
|
||||
- [x] AdminCLI: init
|
||||
- [x] AdminCLI: list users
|
||||
- [x] AdminCLI: create and invite user
|
||||
|
||||
- [x] UserWebGUI: Invitation
|
||||
- [ ] i18n strings in the http website.
|
||||
|
||||
- [ ] App config
|
||||
- Add app logo (URI?)
|
||||
|
||||
- [ ] Public endpoint to get user avatar by id
|
||||
- [ ] Rework avatar upload to limit size and process the image?
|
||||
|
||||
- [ ] Authorize form
|
||||
- Show details about permissions
|
||||
- Show app logo
|
||||
|
||||
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
|
||||
|
||||
- [x] UserWebGUI: Redirect to login when JWT expire
|
||||
- [x] UserWebGUI: Show user authorizations.
|
||||
- [x] UserWebGUI: Allow to revoke an authorization
|
||||
- [x] UserWebGUI: Show available apps (basic)
|
||||
- [x] UserWebGUI: Direct user grant flow, User can login to the target app/client, event if it did not started here.
|
||||
- all apps must have a `/oauth2/login` URL that redirect to the right minauth /authorize URL, `login_uri` in config.toml
|
||||
- [ ] UserWebGUI: Allow to revoke an authorization
|
||||
- [ ] UserWebGUI: Show available apps
|
||||
- [ ] UserWebGUI: Direct user grant flow, User can login to the target app/client, event if it did not started here.
|
||||
- all apps must have a `/oauth2/login` URL that redirect to the right minauth /authorize URL
|
||||
|
||||
- [x] UserWebGUI: activate account with token
|
||||
- [ ] UserWebGUI: add TOTP
|
||||
- [ ] send emails to users
|
||||
|
||||
- [X] basic docker setup
|
||||
- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
|
||||
- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/
|
||||
- Architecture: do we have an admin API?
|
||||
|
||||
- [ ] AdminCLI: init
|
||||
- [ ] AdminCLI: create invitation links
|
||||
|
||||
- [ ] Add admin panel via API
|
||||
- [ ] AdminWebGUI: Ability to create invitation links
|
||||
- [ ] Add admin CLI
|
||||
|
|
3
admin.sh
3
admin.sh
|
@ -1,3 +0,0 @@
|
|||
#!/usr/bin/sh
|
||||
|
||||
cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@
|
30
config.toml
30
config.toml
|
@ -9,38 +9,10 @@ name = "Demo app"
|
|||
description = "A super application where you can do everything you want."
|
||||
client_id = "a1785786-8be1-443c-9a6f-35feed703609"
|
||||
client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
|
||||
login_uri = "https://localhost:9876"
|
||||
allowed_redirect_uris = [
|
||||
"http://localhost:9090/callback",
|
||||
"http://localhost:9090/authorize",
|
||||
"http://localhost:9876/callback"
|
||||
]
|
||||
visibility = "Internal"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[applications]]
|
||||
slug = "wiki"
|
||||
name = "Wiki app"
|
||||
description = "The knowledge base of the exemple org."
|
||||
client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
|
||||
client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
|
||||
login_uri = "https://wiki.example.org/login"
|
||||
allowed_redirect_uris = [
|
||||
"https://wiki.example.org/oauth2/callback"
|
||||
]
|
||||
visibility = "Public"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[applications]]
|
||||
slug = "private_app"
|
||||
name = "Demo app"
|
||||
description = "Private app you should never discover"
|
||||
client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
|
||||
client_secret = "this_is_the_secret"
|
||||
login_uri = "https://private-app.org"
|
||||
allowed_redirect_uris = [
|
||||
"http://localhost:9091/authorize",
|
||||
]
|
||||
visibility = "Private"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[roles]]
|
||||
|
|
|
@ -3,51 +3,3 @@
|
|||
https://datatracker.ietf.org/doc/html/rfc6749
|
||||
|
||||
https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path-in-a-minijinja-template
|
||||
|
||||
## Oauth2 test
|
||||
|
||||
-> authorize
|
||||
|
||||
# User flow
|
||||
|
||||
## Invitation flow
|
||||
|
||||
- Create invite
|
||||
- generate A random
|
||||
- user.reset_password_token = A
|
||||
- user.status = "Invited"
|
||||
- Send email with link to https://instance/reset-password?token=A&reason=invitation
|
||||
- GET /reset-password?token=A&reason=invitation
|
||||
- verification of token
|
||||
- show form
|
||||
- POST /reset-password
|
||||
- BODY: with params token
|
||||
- check token validity
|
||||
- set new password hash
|
||||
- if user.status == "invited"
|
||||
- enable new account (user.status = "active")
|
||||
- send welcome email
|
||||
- redirect to login page with a message
|
||||
- we need to redirect to the login page, so the user remember how to login later, and can
|
||||
verify the setup of his/her password manager.
|
||||
|
||||
We can instead send link to https://instance/invitation?token=A
|
||||
|
||||
## Reset password flow
|
||||
|
||||
- Reset password request
|
||||
- generate A random
|
||||
- user.reset_password_token = A
|
||||
- Send email with link to https://instance/reset-password?token=A&reason=lost_password
|
||||
- GET /reset-password?token=A&reason=lost_password
|
||||
- verification of token
|
||||
- show form
|
||||
- POST /reset-password
|
||||
- BODY: with params token
|
||||
- check token validity
|
||||
- set new password hash
|
||||
- redirect to login page with a message
|
||||
- we need to redirect to the login page, so the user remember how to login later, and can
|
||||
verify the setup of his/her password manager.
|
||||
|
||||
We can instead send link to https://instance/reset-password?token=A
|
||||
|
|
|
@ -6,7 +6,7 @@ curl -v http://localhost:8085/authorize \
|
|||
--cookie "tmp/.curl-cookies" \
|
||||
-d client_id="a1785786-8be1-443c-9a6f-35feed703609" \
|
||||
-d response_type="code" \
|
||||
-d redirect_uri="http://localhost:9090/callback" \
|
||||
-d redirect_uri="http://localhost:9090/authorize" \
|
||||
-d scope="user_read_basic" \
|
||||
-d state="qxYAfk4kf6pbZkms78jM"
|
||||
|
10
init_db.sh
10
init_db.sh
|
@ -1,10 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
|
||||
DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
|
||||
|
||||
DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
|
||||
MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
|
||||
|
||||
sqlite3 $DB_PATH < $MIGRATION_PATH
|
||||
|
34
justfile
34
justfile
|
@ -1,32 +1,20 @@
|
|||
export RUST_BACKTRACE := "1"
|
||||
export RUST_LOG := "trace"
|
||||
export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"
|
||||
|
||||
watch-server:
|
||||
cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
|
||||
watch-run:
|
||||
cargo-watch -x 'run -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets'
|
||||
|
||||
server:
|
||||
cargo run --bin minauthator-server -- $CONTEXT_ARGS
|
||||
|
||||
admin:
|
||||
cargo run --bin minauthator-admin -- $CONTEXT_ARGS
|
||||
|
||||
docker-build:
|
||||
docker build -t lefuturiste/minauthator .
|
||||
|
||||
docker-init-db:
|
||||
docker run \
|
||||
-v ./tmp/docker/config:/etc/minauthator \
|
||||
-v minauthator-db:/var/lib/minauthator \
|
||||
lefuturiste/minauthator \
|
||||
/usr/local/bin/minauthator_init_db.sh
|
||||
run:
|
||||
cargo run -- --database ./tmp/dbs/minauthator.db --config ./config.toml --static-assets ./assets
|
||||
|
||||
docker-run:
|
||||
docker run \
|
||||
-p 127.0.0.1:3085:8080 \
|
||||
-v ./tmp/docker/config:/etc/minauthator \
|
||||
-v minauthator-db:/var/lib/minauthator \
|
||||
lefuturiste/minauthator
|
||||
docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
|
||||
|
||||
docker-init-db:
|
||||
docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
|
||||
|
||||
docker-build:
|
||||
docker build -t minauthator .
|
||||
|
||||
init-db:
|
||||
sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql
|
||||
|
|
|
@ -1,18 +0,0 @@
|
|||
[package]
|
||||
name = "admin_cli"
|
||||
edition = "2021"
|
||||
|
||||
[[bin]]
|
||||
name = "minauthator-admin"
|
||||
path = "src/main.rs"
|
||||
|
||||
[dependencies]
|
||||
anyhow = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
fully_pub = { workspace = true }
|
||||
argh = { workspace = true }
|
||||
tokio = { workspace = true }
|
||||
log = { workspace = true }
|
||||
env_logger = { workspace = true }
|
||||
|
||||
kernel = { path = "../kernel" }
|
|
@ -1 +0,0 @@
|
|||
pub mod users;
|
|
@ -1,115 +0,0 @@
|
|||
use anyhow::{Context, Result};
|
||||
use argh::FromArgs;
|
||||
use fully_pub::fully_pub;
|
||||
use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
|
||||
use log::info;
|
||||
|
||||
#[fully_pub]
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(
|
||||
subcommand, name = "create",
|
||||
description = "Create user in DB."
|
||||
)]
|
||||
struct CreateUserCommand {
|
||||
/// aka login, username
|
||||
#[argh(option)]
|
||||
handle: String,
|
||||
|
||||
/// displayed name (eg. first name and last name)
|
||||
#[argh(option)]
|
||||
full_name: Option<String>,
|
||||
|
||||
/// use to identify and prove user identity
|
||||
/// formated as specified in RFC 2821, RFC 3696
|
||||
#[argh(option)]
|
||||
email: String,
|
||||
|
||||
/// if true, create an invitation token
|
||||
#[argh(switch)]
|
||||
invite: bool
|
||||
}
|
||||
|
||||
#[fully_pub]
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(
|
||||
subcommand, name = "delete",
|
||||
description = "Delete user in DB."
|
||||
)]
|
||||
struct DeleteUserCommand {
|
||||
/// delete by user Uuid
|
||||
#[argh(option)]
|
||||
id: String
|
||||
}
|
||||
|
||||
|
||||
#[fully_pub]
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(
|
||||
subcommand, name = "list",
|
||||
description = "List users in DB."
|
||||
)]
|
||||
struct ListUsersCommand {
|
||||
/// how many users to return
|
||||
#[argh(option)]
|
||||
limit: Option<usize>,
|
||||
}
|
||||
|
||||
#[fully_pub]
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(subcommand)]
|
||||
enum UsersSubCommands {
|
||||
Create(CreateUserCommand),
|
||||
List(ListUsersCommand),
|
||||
Delete(DeleteUserCommand),
|
||||
}
|
||||
|
||||
#[fully_pub]
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(
|
||||
subcommand, name = "users",
|
||||
description = "Manage instance users."
|
||||
)]
|
||||
struct UsersCommand {
|
||||
#[argh(subcommand)]
|
||||
nested: UsersSubCommands,
|
||||
}
|
||||
|
||||
|
||||
pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
|
||||
for user in get_users(&ctx.storage).await? {
|
||||
println!(
|
||||
"{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
|
||||
user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
|
||||
);
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
|
||||
let mut user = User::new(cmd.handle);
|
||||
user.email = Some(cmd.email);
|
||||
user.full_name = cmd.full_name;
|
||||
if cmd.invite {
|
||||
user.invite();
|
||||
println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
|
||||
}
|
||||
let _res = kernel::actions::users::create_user(ctx, user).await?;
|
||||
info!("Created user.");
|
||||
if cmd.invite {
|
||||
// TODO: Send invitation email
|
||||
info!("Not sending invitation email.");
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
|
||||
todo!()
|
||||
}
|
||||
|
||||
pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
|
||||
match cmd.nested {
|
||||
UsersSubCommands::List(sc) => list_users(sc, ctx).await,
|
||||
UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
|
||||
UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
|
||||
}
|
||||
}
|
|
@ -1,49 +0,0 @@
|
|||
use argh::FromArgs;
|
||||
use anyhow::{Context, Result};
|
||||
use commands::users;
|
||||
use kernel::context::{get_kernel_context, StartKernelConfig};
|
||||
use log::info;
|
||||
|
||||
pub mod commands;
|
||||
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
#[argh(subcommand)]
|
||||
enum SubCommands {
|
||||
Users(users::UsersCommand),
|
||||
}
|
||||
|
||||
#[derive(FromArgs, PartialEq, Debug)]
|
||||
/// Minauthator admin top level
|
||||
struct AdminCliTopLevelCommand {
|
||||
#[argh(subcommand)]
|
||||
nested: SubCommands,
|
||||
|
||||
/// path to YAML config file to use to configure this instance
|
||||
#[argh(option)]
|
||||
config: Option<String>,
|
||||
|
||||
/// path to the Sqlite3 DB file to use
|
||||
#[argh(option)]
|
||||
database: Option<String>,
|
||||
|
||||
/// path to the static assets dir
|
||||
#[argh(option)]
|
||||
static_assets: Option<String>,
|
||||
}
|
||||
|
||||
/// handle CLI arguments to run admin CLI
|
||||
#[tokio::main]
|
||||
pub async fn main() -> Result<()> {
|
||||
info!("Starting minauth");
|
||||
let command_input: AdminCliTopLevelCommand = argh::from_env();
|
||||
let ctx = get_kernel_context(StartKernelConfig {
|
||||
config_path: command_input.config.clone(),
|
||||
database_path: command_input.database.clone()
|
||||
}).await.context("Getting kernel context")?;
|
||||
|
||||
match command_input.nested {
|
||||
SubCommands::Users(sc) => {
|
||||
users::handle_command_tree(sc, ctx).await
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,52 +0,0 @@
|
|||
[package]
|
||||
name = "http_server"
|
||||
edition = "2021"
|
||||
|
||||
[dependencies]
|
||||
kernel = { path = "../kernel" }
|
||||
utils = { path = "../utils" }
|
||||
|
||||
# common
|
||||
log = { workspace = true }
|
||||
env_logger = { workspace = true }
|
||||
|
||||
strum = { workspace = true }
|
||||
strum_macros = { workspace = true }
|
||||
|
||||
anyhow = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
fully_pub = { workspace = true }
|
||||
|
||||
tokio = { workspace = true }
|
||||
|
||||
# Web
|
||||
axum = { version = "0.7.7", features = ["json", "multipart"] }
|
||||
axum-extra = { version = "0.9.4", features = ["cookie"] }
|
||||
axum-template = { version = "2.4.0", features = ["minijinja"] }
|
||||
axum_typed_multipart = "0.13.1"
|
||||
minijinja = { version = "2.1", features = ["builtins"] }
|
||||
# to make work the static assets server
|
||||
tower-http = { version = "0.6.1", features = ["fs"] }
|
||||
|
||||
minijinja-embed = "2.3.1"
|
||||
axum-macros = "0.4.2"
|
||||
jsonwebtoken = "9.3.0"
|
||||
time = "0.3.36"
|
||||
|
||||
serde = { workspace = true }
|
||||
serde_json = { workspace = true }
|
||||
serde_urlencoded = "0.7.1"
|
||||
chrono = { workspace = true }
|
||||
|
||||
argh = { workspace = true }
|
||||
|
||||
sqlx = { workspace = true }
|
||||
uuid = { workspace = true }
|
||||
url = { workspace = true }
|
||||
|
||||
[build-dependencies]
|
||||
minijinja-embed = "2.3.1"
|
||||
|
||||
[[bin]]
|
||||
name = "minauthator-server"
|
||||
path = "src/main.rs"
|
|
@ -1,14 +0,0 @@
|
|||
use axum::{extract::State, response::IntoResponse, Json};
|
||||
use serde_json::json;
|
||||
|
||||
use crate::AppState;
|
||||
|
||||
pub async fn get_index(
|
||||
State(app_state): State<AppState>,
|
||||
) -> impl IntoResponse {
|
||||
Json(json!({
|
||||
"software": "Minauthator",
|
||||
"name": app_state.config.instance.name,
|
||||
"base_uri": app_state.config.instance.base_uri
|
||||
}))
|
||||
}
|
|
@ -1,27 +0,0 @@
|
|||
use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
|
||||
use kernel::repositories::users::get_user_asset_by_id;
|
||||
|
||||
use crate::AppState;
|
||||
|
||||
pub async fn get_user_asset(
|
||||
State(app_state): State<AppState>,
|
||||
Path(asset_id): Path<String>
|
||||
) -> impl IntoResponse {
|
||||
let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
|
||||
Err(_) => {
|
||||
return (
|
||||
StatusCode::NOT_FOUND,
|
||||
Html("Could not find user asset")
|
||||
).into_response();
|
||||
},
|
||||
Ok(ua) => ua
|
||||
};
|
||||
|
||||
let mut hm = HeaderMap::new();
|
||||
hm.insert(
|
||||
header::CONTENT_TYPE,
|
||||
HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
|
||||
);
|
||||
|
||||
(hm, user_asset.content).into_response()
|
||||
}
|
|
@ -1,32 +0,0 @@
|
|||
use axum::{extract::State, response::IntoResponse, Extension};
|
||||
use minijinja::context;
|
||||
|
||||
use kernel::models::{config::AppVisibility, config::Application};
|
||||
use crate::{
|
||||
renderer::TemplateRenderer,
|
||||
AppState
|
||||
};
|
||||
|
||||
pub async fn list_apps(
|
||||
State(app_state): State<AppState>,
|
||||
Extension(renderer): Extension<TemplateRenderer>,
|
||||
) -> impl IntoResponse {
|
||||
// implement app discovery
|
||||
// for now, we just list all apps in the organization
|
||||
let apps: Vec<&Application> = app_state.config
|
||||
.applications
|
||||
.iter()
|
||||
.filter(|a|
|
||||
a.visibility == AppVisibility::Public ||
|
||||
a.visibility == AppVisibility::Internal
|
||||
).collect();
|
||||
|
||||
renderer.render(
|
||||
"pages/apps",
|
||||
context!(
|
||||
apps => apps
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
|
|
@ -1,139 +0,0 @@
|
|||
use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
|
||||
use log::{error, info};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use minijinja::context;
|
||||
use fully_pub::fully_pub;
|
||||
|
||||
use crate::{renderer::TemplateRenderer, AppState};
|
||||
|
||||
use kernel::models::user::{User, UserStatus};
|
||||
use utils::get_password_hash;
|
||||
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
#[fully_pub]
|
||||
enum ResetPasswordReason {
|
||||
LostPassword,
|
||||
Invitation
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
#[fully_pub]
|
||||
struct ResetPasswordQueryParams {
|
||||
token: String
|
||||
}
|
||||
|
||||
pub async fn reset_password_form(
|
||||
State(app_state): State<AppState>,
|
||||
path: MatchedPath,
|
||||
Extension(renderer): Extension<TemplateRenderer>,
|
||||
Query(query_params): Query<ResetPasswordQueryParams>
|
||||
) -> impl IntoResponse {
|
||||
let reason: ResetPasswordReason = match path.as_str() {
|
||||
"/invitation" => ResetPasswordReason::Invitation,
|
||||
"/reset-password" => ResetPasswordReason::LostPassword,
|
||||
_ => unreachable!()
|
||||
};
|
||||
// 1. Verify token
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
|
||||
.bind(&query_params.token)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.await;
|
||||
let _user = match user_res {
|
||||
Ok(u) => u,
|
||||
Err(sqlx::Error::RowNotFound) => {
|
||||
return (
|
||||
StatusCode::BAD_REQUEST,
|
||||
Html("Invalid reset password token.")
|
||||
).into_response();
|
||||
},
|
||||
Err(err) => {
|
||||
error!("Failed to retreive user from reset password token. {}", err);
|
||||
return (
|
||||
StatusCode::INTERNAL_SERVER_ERROR,
|
||||
Html("Internal server error: Failed to retreive user.")
|
||||
).into_response();
|
||||
}
|
||||
};
|
||||
renderer.render(
|
||||
"pages/reset_password",
|
||||
context!(
|
||||
reason => reason,
|
||||
token => query_params.token,
|
||||
)
|
||||
).into_response()
|
||||
}
|
||||
|
||||
|
||||
#[derive(Debug, Deserialize)]
|
||||
#[fully_pub]
|
||||
struct ResetPasswordForm {
|
||||
token: String,
|
||||
password: String,
|
||||
password_confirmation: String
|
||||
}
|
||||
|
||||
pub async fn perform_reset_password(
|
||||
State(app_state): State<AppState>,
|
||||
Form(reset_form): Form<ResetPasswordForm>
|
||||
) -> impl IntoResponse {
|
||||
// 1. Verify token
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
|
||||
.bind(&reset_form.token)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.await;
|
||||
let user = match user_res {
|
||||
Ok(u) => u,
|
||||
Err(sqlx::Error::RowNotFound) => {
|
||||
return (
|
||||
StatusCode::BAD_REQUEST,
|
||||
Html("Invalid reset password token.")
|
||||
).into_response();
|
||||
},
|
||||
Err(err) => {
|
||||
error!("Failed to retreive user from reset password token. {}", err);
|
||||
return (
|
||||
StatusCode::INTERNAL_SERVER_ERROR,
|
||||
Html("Internal server error: Failed to retreive user.")
|
||||
).into_response();
|
||||
}
|
||||
};
|
||||
if reset_form.password != reset_form.password_confirmation {
|
||||
return (
|
||||
StatusCode::BAD_REQUEST,
|
||||
Html("Form data error: The two passwords are differents.")
|
||||
).into_response();
|
||||
}
|
||||
|
||||
let password_hash = Some(
|
||||
get_password_hash(reset_form.password)
|
||||
.expect("To process password").1
|
||||
);
|
||||
if user.status == UserStatus::Invited {
|
||||
info!("The password of an Invited user was set: activation of user account");
|
||||
// TODO: send welcome email
|
||||
}
|
||||
let res = sqlx::query("UPDATE users
|
||||
SET password_hash = $2, status = $3, reset_password_token = NULL
|
||||
WHERE id = $1
|
||||
")
|
||||
.bind(user.id)
|
||||
.bind(password_hash)
|
||||
.bind(UserStatus::Active)
|
||||
.execute(&app_state.db.0)
|
||||
.await;
|
||||
match res {
|
||||
Err(err) => {
|
||||
error!("Cannot update user: {}", err);
|
||||
return (
|
||||
StatusCode::INTERNAL_SERVER_ERROR,
|
||||
Html("Internal server error: Failed to update user.")
|
||||
).into_response();
|
||||
},
|
||||
Ok(_v) => {
|
||||
info!("Changed user's password successfuly.");
|
||||
}
|
||||
};
|
||||
// TODO: add either "Successfully changed password" or "Account enabled successfully" message
|
||||
Redirect::to("/login").into_response()
|
||||
}
|
||||
|
|
@ -1,34 +0,0 @@
|
|||
{% extends "layouts/base.html" %}
|
||||
{% block body %}
|
||||
<h1>Available apps</h1>
|
||||
<p>List of apps you can use with Single-Sign-On in this organization.</p>
|
||||
<div class="apps-mosaic">
|
||||
<div class="row">
|
||||
{% for app in apps %}
|
||||
<div class="col-xs-12 col-sm-6 col-lg-3 mb-3 mb-sm-0">
|
||||
<div class="card">
|
||||
<div class="card-body">
|
||||
{% if app.logo_uri %}
|
||||
<img src="{{ app.logo_uri}}" class="card-img-top" alt="{{ app.name }} logo">
|
||||
{% endif %}
|
||||
<h5 class="card-title">
|
||||
{{ app.name }}
|
||||
</h5>
|
||||
<p class="card-text">
|
||||
{{ app.description }}
|
||||
</p>
|
||||
<a
|
||||
href="{{ app.login_uri }}"
|
||||
class="btn btn-primary"
|
||||
title="Open the app or login"
|
||||
>
|
||||
Open app
|
||||
</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
{% endfor %}
|
||||
</div>
|
||||
</div>
|
||||
{% endblock %}
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
{% extends "layouts/base.html" %}
|
||||
{% block body %}
|
||||
<h1>Internal server error</h1>
|
||||
|
||||
{% if error %}
|
||||
<div class="alert alert-danger">
|
||||
We are sorry. We've rencountered an unrecoverable error.
|
||||
</div>
|
||||
{% endif %}
|
||||
{% endblock %}
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
{% extends "layouts/base.html" %}
|
||||
{% block body %}
|
||||
{% if reason == "Invitation" %}
|
||||
<h1>Invitation</h1>
|
||||
{% endif %}
|
||||
{% if reason == "LostPassword" %}
|
||||
<h1>Reset your password</h1>
|
||||
{% endif %}
|
||||
<!-- Reset password form -->
|
||||
{% if error %}
|
||||
<div class="alert alert-danger">
|
||||
Error: {{ error }}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if info %}
|
||||
<div class="alert alert-info">
|
||||
Info: {{ info }}
|
||||
</div>
|
||||
{% endif %}
|
||||
{% if reason == "Invitation" %}
|
||||
<p>
|
||||
Pour activer votre compte, veuillez définir votre mot de passe.
|
||||
</p>
|
||||
{% endif %}
|
||||
{% if reason == "LostPassword" %}
|
||||
<p>
|
||||
Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
|
||||
</p>
|
||||
{% endif %}
|
||||
<form id="reset-password-form" method="post" action="/reset-password">
|
||||
<div class="mb-3">
|
||||
<label for="password" class="form-label">New password</label>
|
||||
<input
|
||||
id="password" name="password" type="password"
|
||||
required
|
||||
class="form-control"
|
||||
/>
|
||||
</div>
|
||||
<div class="mb-3">
|
||||
<label for="password" class="form-label">New password confirmation</label>
|
||||
<input
|
||||
id="password_confirmation" name="password_confirmation" type="password"
|
||||
required
|
||||
class="form-control"
|
||||
/>
|
||||
</div>
|
||||
<input
|
||||
id="token" name="token" type="hidden"
|
||||
value="{{ token }}"
|
||||
/>
|
||||
|
||||
<button type="submit" class="btn btn-primary">Change password</button>
|
||||
</form>
|
||||
{% endblock %}
|
|
@ -1,25 +0,0 @@
|
|||
[package]
|
||||
name = "kernel"
|
||||
edition = "2021"
|
||||
|
||||
[dependencies]
|
||||
utils = { path = "../utils" }
|
||||
|
||||
anyhow = { workspace = true }
|
||||
thiserror = { workspace = true }
|
||||
log = { workspace = true }
|
||||
env_logger = { workspace = true }
|
||||
fully_pub = { workspace = true }
|
||||
strum = { workspace = true }
|
||||
strum_macros = { workspace = true }
|
||||
serde = { workspace = true }
|
||||
serde_json = { workspace = true }
|
||||
chrono = { workspace = true }
|
||||
toml = { workspace = true }
|
||||
sqlx = { workspace = true }
|
||||
dotenvy = { workspace = true }
|
||||
sha2 = { workspace = true }
|
||||
hex-literal = { workspace = true }
|
||||
|
||||
uuid = { workspace = true }
|
||||
url = { workspace = true }
|
|
@ -1 +0,0 @@
|
|||
pub mod users;
|
|
@ -1,44 +0,0 @@
|
|||
use crate::{context::KernelContext, models::user::User};
|
||||
|
||||
use anyhow::{Context, Result};
|
||||
use chrono::SecondsFormat;
|
||||
use thiserror::Error;
|
||||
|
||||
#[derive(Error, Debug)]
|
||||
pub enum CreateUserErr {
|
||||
#[error("Handle or email for user is already used.")]
|
||||
HandleOrEmailNotUnique,
|
||||
|
||||
#[error("Database error.")]
|
||||
DatabaseErr(String)
|
||||
}
|
||||
|
||||
pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
|
||||
let res = sqlx::query("
|
||||
INSERT INTO users
|
||||
(id, handle, email, status, roles, password_hash, reset_password_token, created_at)
|
||||
VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
|
||||
")
|
||||
.bind(user.id)
|
||||
.bind(user.handle)
|
||||
.bind(user.email)
|
||||
.bind(user.status.to_string())
|
||||
.bind(user.roles)
|
||||
.bind(user.password_hash)
|
||||
.bind(user.reset_password_token)
|
||||
.bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||
.execute(&ctx.storage.0)
|
||||
.await;
|
||||
match res {
|
||||
Err(err) => {
|
||||
let db_err = &err.as_database_error().unwrap();
|
||||
if db_err.code().unwrap() == "2067" {
|
||||
Err(CreateUserErr::HandleOrEmailNotUnique)
|
||||
} else {
|
||||
dbg!(&err);
|
||||
Err(CreateUserErr::DatabaseErr(db_err.to_string()))
|
||||
}
|
||||
}
|
||||
Ok(_) => Ok(())
|
||||
}
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
|
||||
pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
|
||||
pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
use std::{env, fs};
|
||||
use anyhow::{Result, Context, anyhow};
|
||||
use fully_pub::fully_pub;
|
||||
|
||||
use log::info;
|
||||
use sqlx::{Pool, Sqlite};
|
||||
use crate::{
|
||||
consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH}, database::prepare_database, models::config::Config, repositories::storage::Storage
|
||||
};
|
||||
|
||||
/// get server config
|
||||
fn get_config(path: String) -> Result<Config> {
|
||||
let inp_def_yaml = fs::read_to_string(path)
|
||||
.expect("Should have been able to read the the config file");
|
||||
|
||||
toml::from_str(&inp_def_yaml)
|
||||
.map_err(|e| anyhow!("Failed to parse config, {:?}", e))
|
||||
}
|
||||
|
||||
#[fully_pub]
|
||||
struct StartKernelConfig {
|
||||
config_path: Option<String>,
|
||||
database_path: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
#[fully_pub]
|
||||
struct AppSecrets {
|
||||
jwt_secret: String
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
#[fully_pub]
|
||||
struct KernelContext {
|
||||
config: Config,
|
||||
secrets: AppSecrets,
|
||||
storage: Storage
|
||||
}
|
||||
|
||||
pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
|
||||
env_logger::init();
|
||||
let _ = dotenvy::dotenv();
|
||||
|
||||
let database_path = &start_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
|
||||
info!("Using database file at {}", database_path);
|
||||
let storage = prepare_database(database_path).await.context("Could not prepare db.")?;
|
||||
|
||||
let config_path = start_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
|
||||
info!("Using config file at {}", &config_path);
|
||||
let config: Config = get_config(config_path)
|
||||
.expect("Cannot get config.");
|
||||
|
||||
let _ = dotenvy::dotenv();
|
||||
let secrets = AppSecrets {
|
||||
jwt_secret: env::var("APP_JWT_SECRET")
|
||||
.context("Expected APP_JWT_SECRET environment variable to exists.")?
|
||||
};
|
||||
|
||||
Ok(KernelContext {
|
||||
config,
|
||||
secrets,
|
||||
storage
|
||||
})
|
||||
}
|
|
@ -1,7 +0,0 @@
|
|||
pub mod models;
|
||||
pub mod database;
|
||||
pub mod consts;
|
||||
pub mod context;
|
||||
pub mod actions;
|
||||
pub mod repositories;
|
||||
|
|
@ -1,61 +0,0 @@
|
|||
use fully_pub::fully_pub;
|
||||
use chrono::{DateTime, Utc};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use sqlx::types::Json;
|
||||
use utils::get_random_human_token;
|
||||
use uuid::Uuid;
|
||||
|
||||
#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
|
||||
#[derive(strum_macros::Display)]
|
||||
#[fully_pub]
|
||||
enum UserStatus {
|
||||
Disabled,
|
||||
Invited,
|
||||
Active
|
||||
}
|
||||
|
||||
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
|
||||
#[fully_pub]
|
||||
struct User {
|
||||
/// uuid
|
||||
id: String,
|
||||
handle: String,
|
||||
full_name: Option<String>,
|
||||
email: Option<String>,
|
||||
website: Option<String>,
|
||||
avatar_asset_id: Option<String>,
|
||||
password_hash: Option<String>, // argon2 password hash
|
||||
status: UserStatus,
|
||||
roles: Json<Vec<String>>,
|
||||
reset_password_token: Option<String>,
|
||||
|
||||
last_login_at: Option<DateTime<Utc>>,
|
||||
created_at: DateTime<Utc>
|
||||
}
|
||||
|
||||
impl User {
|
||||
pub fn new(
|
||||
handle: String
|
||||
) -> User {
|
||||
User {
|
||||
id: Uuid::new_v4().to_string(),
|
||||
handle,
|
||||
full_name: None,
|
||||
email: None,
|
||||
website: None,
|
||||
avatar_asset_id: None,
|
||||
password_hash: None,
|
||||
status: UserStatus::Disabled,
|
||||
roles: Json(Vec::new()),
|
||||
reset_password_token: None,
|
||||
last_login_at: None,
|
||||
created_at: Utc::now()
|
||||
}
|
||||
}
|
||||
|
||||
pub fn invite(self: &mut Self) {
|
||||
self.reset_password_token = Some(get_random_human_token());
|
||||
self.status = UserStatus::Invited;
|
||||
}
|
||||
|
||||
}
|
|
@ -1,41 +0,0 @@
|
|||
use fully_pub::fully_pub;
|
||||
use chrono::{DateTime, Utc};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use uuid::Uuid;
|
||||
use sha2::{Sha256, Digest};
|
||||
|
||||
use super::user::User;
|
||||
|
||||
|
||||
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
|
||||
#[fully_pub]
|
||||
struct UserAsset {
|
||||
/// uuid
|
||||
id: String,
|
||||
user_id: String,
|
||||
mime_type: String,
|
||||
fingerprint: String,
|
||||
name: Option<String>,
|
||||
content: Vec<u8>,
|
||||
created_at: DateTime<Utc>
|
||||
}
|
||||
|
||||
impl UserAsset {
|
||||
pub fn new(
|
||||
user: &User,
|
||||
content: Vec<u8>,
|
||||
mime_type: String,
|
||||
name: Option<String>
|
||||
) -> UserAsset {
|
||||
let digest = Sha256::digest(&content);
|
||||
UserAsset {
|
||||
id: Uuid::new_v4().to_string(),
|
||||
user_id: user.id.clone(),
|
||||
fingerprint: format!("{:x}", digest),
|
||||
mime_type,
|
||||
content,
|
||||
name,
|
||||
created_at: Utc::now()
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,2 +0,0 @@
|
|||
pub mod storage;
|
||||
pub mod users;
|
|
@ -1,7 +0,0 @@
|
|||
use fully_pub::fully_pub;
|
||||
use sqlx::{Pool, Sqlite};
|
||||
|
||||
/// storage interface
|
||||
#[fully_pub]
|
||||
#[derive(Clone, Debug)]
|
||||
struct Storage(Pool<Sqlite>);
|
|
@ -1,48 +0,0 @@
|
|||
// user repositories
|
||||
|
||||
use crate::models::{user::User, user_asset::UserAsset};
|
||||
|
||||
use super::storage::Storage;
|
||||
use anyhow::{Result, Context};
|
||||
|
||||
pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
|
||||
sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(user_id)
|
||||
.fetch_one(&storage.0)
|
||||
.await
|
||||
.context("To get user by id.")
|
||||
}
|
||||
|
||||
pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
|
||||
sqlx::query_as::<_, User>("SELECT * FROM users")
|
||||
.fetch_all(&storage.0)
|
||||
.await
|
||||
.context("To get users.")
|
||||
}
|
||||
|
||||
pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
|
||||
sqlx::query("INSERT INTO user_assets
|
||||
(id, user_id, mime_type, fingerprint, content, created_at)
|
||||
VALUES ($1, $2, $3, $4, $5, $6)
|
||||
")
|
||||
.bind(&asset.id)
|
||||
.bind(&asset.user_id)
|
||||
.bind(&asset.mime_type)
|
||||
.bind(&asset.fingerprint)
|
||||
.bind(&asset.content)
|
||||
.bind(&asset.created_at)
|
||||
.execute(&storage.0)
|
||||
.await
|
||||
.context("While inserting user asset.")?;
|
||||
// .bind(details_update.avatar.contents.to_vec())
|
||||
Ok(())
|
||||
}
|
||||
|
||||
pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
|
||||
sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
|
||||
.bind(id)
|
||||
.fetch_one(&storage.0)
|
||||
.await
|
||||
.context("To get user asset by id.")
|
||||
}
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
[package]
|
||||
name = "utils"
|
||||
edition = "2021"
|
||||
|
||||
[dependencies]
|
||||
anyhow = { workspace = true }
|
||||
argon2 = "0.5"
|
||||
base64 = "0.22"
|
||||
rand = "0.8.5"
|
||||
rand_core = { version = "0.6.4", features = ["std"] }
|
|
@ -1,29 +1,18 @@
|
|||
DROP TABLE IF EXISTS users;
|
||||
CREATE TABLE users (
|
||||
id TEXT PRIMARY KEY,
|
||||
handle TEXT NOT NULL UNIQUE,
|
||||
full_name TEXT,
|
||||
email TEXT UNIQUE,
|
||||
website TEXT,
|
||||
roles TEXT NOT NULL, -- json array of user roles
|
||||
avatar_asset_id TEXT,
|
||||
id TEXT PRIMARY KEY,
|
||||
handle TEXT NOT NULL UNIQUE,
|
||||
full_name TEXT,
|
||||
email TEXT UNIQUE,
|
||||
website TEXT,
|
||||
picture BLOB,
|
||||
roles TEXT NOT NULL, -- json array of user roles
|
||||
|
||||
status TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
|
||||
password_hash TEXT,
|
||||
reset_password_token TEXT,
|
||||
last_login_at DATETIME,
|
||||
created_at DATETIME NOT NULL
|
||||
);
|
||||
|
||||
DROP TABLE IF EXISTS user_assets;
|
||||
CREATE TABLE user_assets (
|
||||
id TEXT PRIMARY KEY,
|
||||
user_id TEXT NOT NULL,
|
||||
mime_type TEXT NOT NULL,
|
||||
fingerprint TEXT NOT NULL,
|
||||
name TEXT, -- file name
|
||||
content BLOB NOT NULL,
|
||||
created_at DATETIME NOT NULL
|
||||
status TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
|
||||
password_hash TEXT,
|
||||
activation_token TEXT,
|
||||
last_login_at DATETIME,
|
||||
created_at DATETIME NOT NULL
|
||||
);
|
||||
|
||||
DROP TABLE IF EXISTS authorizations;
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
use argh::FromArgs;
|
||||
use anyhow::{Context, Result};
|
||||
use http_server::{start_http_server, ServerConfig};
|
||||
use kernel::{consts::DEFAULT_ASSETS_PATH, context::{get_kernel_context, StartKernelConfig}};
|
||||
use log::info;
|
||||
|
||||
use crate::{get_app_context, server::{start_http_server, ServerConfig}, DEFAULT_ASSETS_PATH};
|
||||
|
||||
#[derive(Debug, FromArgs)]
|
||||
/// Minauthator daemon
|
||||
struct ServerCliFlags {
|
||||
|
@ -27,21 +27,22 @@ struct ServerCliFlags {
|
|||
listen_port: u32
|
||||
}
|
||||
|
||||
/// handle CLI arguments to start HTTP server daemon
|
||||
#[tokio::main]
|
||||
pub async fn main() -> Result<()> {
|
||||
/// handle CLI arguments to start process daemon
|
||||
pub async fn start_server_cli() -> Result<()> {
|
||||
info!("Starting minauth");
|
||||
let flags: ServerCliFlags = argh::from_env();
|
||||
let kernel_context = get_kernel_context(StartKernelConfig {
|
||||
let (config, secrets, db_pool) = get_app_context(crate::StartAppConfig {
|
||||
config_path: flags.config,
|
||||
database_path: flags.database
|
||||
}).await.context("Getting kernel context")?;
|
||||
}).await.context("Getting app context")?;
|
||||
start_http_server(
|
||||
ServerConfig {
|
||||
assets_path: flags.static_assets.unwrap_or(DEFAULT_ASSETS_PATH.to_string()),
|
||||
listen_host: flags.listen_host,
|
||||
listen_port: flags.listen_port
|
||||
},
|
||||
kernel_context
|
||||
config,
|
||||
secrets,
|
||||
db_pool
|
||||
).await
|
||||
}
|
1
src/consts.rs
Normal file
1
src/consts.rs
Normal file
|
@ -0,0 +1 @@
|
|||
pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";
|
|
@ -1,5 +1,3 @@
|
|||
pub mod index;
|
||||
pub mod oauth2;
|
||||
pub mod read_user;
|
||||
pub mod openid;
|
||||
pub mod public_assets;
|
|
@ -4,9 +4,10 @@ use fully_pub::fully_pub;
|
|||
use log::error;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use kernel::models::authorization::Authorization;
|
||||
use crate::{
|
||||
services::{app_session::AppClientSession, session::create_token}, token_claims::AppUserTokenClaims, AppState
|
||||
models::{authorization::Authorization, token_claims::AppUserTokenClaims},
|
||||
server::AppState,
|
||||
services::{app_session::AppClientSession, session::create_token}
|
||||
};
|
||||
|
||||
const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
|
||||
|
@ -42,7 +43,7 @@ pub async fn get_access_token(
|
|||
)
|
||||
.bind(&form.code)
|
||||
.bind(&app_client_session.client_id)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await;
|
||||
let authorization = match authorizations_res {
|
||||
Ok(val) => val,
|
|
@ -1,10 +1,9 @@
|
|||
use axum::{extract::State, response::IntoResponse, Json};
|
||||
use fully_pub::fully_pub;
|
||||
use kernel::models::authorization::AuthorizationScope;
|
||||
use serde::Serialize;
|
||||
use strum::IntoEnumIterator;
|
||||
|
||||
use crate::AppState;
|
||||
use crate::{models::authorization::AuthorizationScope, server::AppState};
|
||||
|
||||
#[derive(Serialize)]
|
||||
#[fully_pub]
|
|
@ -2,8 +2,7 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
|
|||
use fully_pub::fully_pub;
|
||||
use serde::Serialize;
|
||||
|
||||
use crate::{token_claims::AppUserTokenClaims, AppState};
|
||||
use kernel::models::user::User;
|
||||
use crate::{models::{token_claims::AppUserTokenClaims, user::User}, server::AppState};
|
||||
|
||||
#[derive(Serialize)]
|
||||
#[fully_pub]
|
||||
|
@ -20,10 +19,10 @@ pub async fn read_user_basic(
|
|||
State(app_state): State<AppState>,
|
||||
Extension(token_claims): Extension<AppUserTokenClaims>,
|
||||
) -> impl IntoResponse {
|
||||
// 1. This handler require app user authentification (JWT)
|
||||
// 1. This handler require client user authentification (JWT)
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(&token_claims.user_id)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await
|
||||
.expect("To get user from claim");
|
||||
let output = ReadUserBasicExtract {
|
|
@ -7,15 +7,14 @@ use serde::{Deserialize, Serialize};
|
|||
use url::Url;
|
||||
use uuid::Uuid;
|
||||
|
||||
use kernel::{
|
||||
models::{authorization::Authorization, config::AppAuthorizeFlow}
|
||||
};
|
||||
use utils::get_random_alphanumerical;
|
||||
use crate::{
|
||||
renderer::TemplateRenderer, services::oauth2::{parse_scope, verify_redirect_uri}, token_claims::UserTokenClaims, AppState
|
||||
models::{authorization::Authorization, config::AppAuthorizeFlow, token_claims::UserTokenClaims},
|
||||
renderer::TemplateRenderer, server::AppState,
|
||||
services::oauth2::{parse_scope, verify_redirect_uri},
|
||||
utils::get_random_alphanumerical
|
||||
};
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
#[derive(Serialize, Deserialize)]
|
||||
#[fully_pub]
|
||||
/// query params described in [RFC6749 section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
|
||||
struct AuthorizationParams {
|
||||
|
@ -106,7 +105,7 @@ pub async fn authorize_form(
|
|||
.bind(&token_claims.sub)
|
||||
.bind(&authorization_params.client_id)
|
||||
.bind(sqlx::types::Json(&scopes))
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await;
|
||||
|
||||
match authorizations_res {
|
||||
|
@ -120,7 +119,7 @@ pub async fn authorize_form(
|
|||
.bind(existing_authorization.id)
|
||||
.bind(authorization_code.clone())
|
||||
.bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||
.execute(&app_state.db.0)
|
||||
.execute(&app_state.db)
|
||||
.await.unwrap();
|
||||
|
||||
// Authorization already given, just redirect to the app
|
||||
|
@ -220,7 +219,7 @@ pub async fn perform_authorize(
|
|||
.bind(authorization.code)
|
||||
.bind(authorization.last_used_at.map(|x| x.to_rfc3339_opts(SecondsFormat::Millis, true)))
|
||||
.bind(authorization.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||
.execute(&app_state.db.0)
|
||||
.execute(&app_state.db)
|
||||
.await;
|
||||
if let Err(err) = res {
|
||||
error!("Failed to save authorization in DB. {}", err);
|
|
@ -1,15 +1,15 @@
|
|||
use axum_extra::extract::{cookie::{Cookie, SameSite}, CookieJar};
|
||||
use chrono::{SecondsFormat, Utc};
|
||||
use kernel::models::user::{User, UserStatus};
|
||||
use log::info;
|
||||
use serde::Deserialize;
|
||||
use axum::{extract::{Query, State}, http::StatusCode, response::{IntoResponse, Redirect}, Extension, Form};
|
||||
use axum::{extract::{Query, State}, http::{HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse, Redirect}, Extension, Form};
|
||||
use fully_pub::fully_pub;
|
||||
use minijinja::context;
|
||||
use time::Duration;
|
||||
use utils::verify_password_hash;
|
||||
|
||||
use crate::{renderer::TemplateRenderer, services::session::create_token, token_claims::UserTokenClaims, AppState, WEB_GUI_JWT_COOKIE_NAME};
|
||||
use crate::{
|
||||
consts::WEB_GUI_JWT_COOKIE_NAME, models::{token_claims::UserTokenClaims, user::{User, UserStatus}}, renderer::TemplateRenderer, server::AppState, services::{password::verify_password_hash, session::create_token}
|
||||
};
|
||||
|
||||
pub async fn login_form(
|
||||
Extension(renderer): Extension<TemplateRenderer>
|
||||
|
@ -47,7 +47,7 @@ pub async fn perform_login(
|
|||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE handle = $1 OR email = $2")
|
||||
.bind(&login.login)
|
||||
.bind(&login.login)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await;
|
||||
|
||||
let password_hash = match &user_res {
|
||||
|
@ -87,7 +87,7 @@ pub async fn perform_login(
|
|||
let _result = sqlx::query("UPDATE users SET last_login_at = $2 WHERE id = $1")
|
||||
.bind(user.id.clone())
|
||||
.bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||
.execute(&app_state.db.0)
|
||||
.execute(&app_state.db)
|
||||
.await.unwrap();
|
||||
|
||||
let jwt_max_age = Duration::days(15);
|
|
@ -1,7 +1,7 @@
|
|||
use axum::response::{IntoResponse, Redirect};
|
||||
use axum_extra::extract::CookieJar;
|
||||
|
||||
use crate::WEB_GUI_JWT_COOKIE_NAME;
|
||||
use crate::consts::WEB_GUI_JWT_COOKIE_NAME;
|
||||
|
||||
pub async fn perform_logout(
|
||||
cookies: CookieJar
|
|
@ -1,16 +1,14 @@
|
|||
use anyhow::Context;
|
||||
use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
|
||||
use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
|
||||
use fully_pub::fully_pub;
|
||||
use log::{error, info};
|
||||
use log::error;
|
||||
use minijinja::context;
|
||||
|
||||
use crate::{
|
||||
token_claims::UserTokenClaims,
|
||||
models::{token_claims::UserTokenClaims, user::User},
|
||||
renderer::TemplateRenderer,
|
||||
AppState
|
||||
server::AppState
|
||||
};
|
||||
use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset};
|
||||
|
||||
pub async fn me_page(
|
||||
State(app_state): State<AppState>,
|
||||
|
@ -19,7 +17,7 @@ pub async fn me_page(
|
|||
) -> impl IntoResponse {
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await
|
||||
.expect("To get user from claim");
|
||||
|
||||
|
@ -40,7 +38,7 @@ pub async fn me_update_details_form(
|
|||
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await
|
||||
.expect("To get user from claim");
|
||||
|
||||
|
@ -62,7 +60,7 @@ struct UserDetailsUpdateForm {
|
|||
website: String,
|
||||
|
||||
#[form_data(limit = "5MiB")]
|
||||
avatar: FieldData<Bytes>
|
||||
picture: FieldData<Bytes>
|
||||
}
|
||||
|
||||
|
||||
|
@ -74,43 +72,19 @@ pub async fn me_perform_update_details(
|
|||
) -> impl IntoResponse {
|
||||
let template_path = "pages/me/details-form";
|
||||
|
||||
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.await
|
||||
.expect("To get user from claim");
|
||||
|
||||
let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
|
||||
let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.bind(details_update.handle)
|
||||
.bind(details_update.email)
|
||||
.bind(details_update.full_name)
|
||||
.bind(details_update.website)
|
||||
.execute(&app_state.db.0)
|
||||
.bind(details_update.picture.contents.to_vec())
|
||||
.execute(&app_state.db)
|
||||
.await;
|
||||
|
||||
if !details_update.avatar.contents.is_empty() {
|
||||
let user_asset = UserAsset::new(
|
||||
&user,
|
||||
details_update.avatar.contents.to_vec(),
|
||||
details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
|
||||
details_update.avatar.metadata.name
|
||||
);
|
||||
let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.bind(user_asset.id.clone())
|
||||
.execute(&app_state.db.0)
|
||||
.await;
|
||||
// TODO: handle possible error
|
||||
let _ = create_user_asset(&app_state.db, user_asset)
|
||||
.await
|
||||
.context("Creating user avatar asset.");
|
||||
info!("Uploaded new avatar as user asset");
|
||||
}
|
||||
|
||||
let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.fetch_one(&app_state.db.0)
|
||||
.fetch_one(&app_state.db)
|
||||
.await
|
||||
.expect("To get user from claim");
|
||||
|
||||
|
@ -120,7 +94,7 @@ pub async fn me_perform_update_details(
|
|||
template_path,
|
||||
context!(
|
||||
success => true,
|
||||
user => user
|
||||
user => user_res
|
||||
)
|
||||
)
|
||||
},
|
||||
|
@ -130,7 +104,7 @@ pub async fn me_perform_update_details(
|
|||
template_path,
|
||||
context!(
|
||||
error => Some("Cannot update user details.".to_string()),
|
||||
user => user
|
||||
user => user_res
|
||||
)
|
||||
)
|
||||
}
|
|
@ -5,5 +5,3 @@ pub mod register;
|
|||
pub mod me;
|
||||
pub mod logout;
|
||||
pub mod user_panel;
|
||||
pub mod apps;
|
||||
pub mod reset_password;
|
|
@ -7,10 +7,7 @@ use fully_pub::fully_pub;
|
|||
use sqlx::types::Json;
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::{renderer::TemplateRenderer, AppState};
|
||||
|
||||
use kernel::models::user::{User, UserStatus};
|
||||
use utils::get_password_hash;
|
||||
use crate::{models::user::{User, UserStatus}, renderer::TemplateRenderer, server::AppState, services::password::get_password_hash};
|
||||
|
||||
pub async fn register_form(
|
||||
State(app_state): State<AppState>
|
||||
|
@ -46,12 +43,12 @@ pub async fn perform_register(
|
|||
email: Some(register.email),
|
||||
handle: register.handle,
|
||||
full_name: None,
|
||||
avatar_asset_id: None,
|
||||
picture: None,
|
||||
|
||||
password_hash,
|
||||
status: UserStatus::Active,
|
||||
roles: Json(Vec::new()), // take the default role in the config
|
||||
reset_password_token: None,
|
||||
activation_token: None,
|
||||
created_at: Utc::now(),
|
||||
website: None,
|
||||
last_login_at: None
|
||||
|
@ -69,7 +66,7 @@ pub async fn perform_register(
|
|||
.bind(user.roles)
|
||||
.bind(user.password_hash)
|
||||
.bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
|
||||
.execute(&app_state.db.0)
|
||||
.execute(&app_state.db)
|
||||
.await;
|
||||
match res {
|
||||
Err(err) => {
|
||||
|
@ -96,7 +93,7 @@ pub async fn perform_register(
|
|||
StatusCode::OK,
|
||||
"pages/register",
|
||||
context!(
|
||||
success => true
|
||||
success => true
|
||||
)
|
||||
)
|
||||
}
|
|
@ -4,8 +4,7 @@ use log::error;
|
|||
use minijinja::context;
|
||||
use serde::Deserialize;
|
||||
|
||||
use kernel::models::authorization::Authorization;
|
||||
use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
|
||||
use crate::{models::{authorization::Authorization, token_claims::UserTokenClaims}, renderer::TemplateRenderer, server::AppState};
|
||||
|
||||
pub async fn get_authorizations(
|
||||
State(app_state): State<AppState>,
|
||||
|
@ -14,7 +13,7 @@ pub async fn get_authorizations(
|
|||
) -> impl IntoResponse {
|
||||
let user_authorizations = sqlx::query_as::<_, Authorization>("SELECT * FROM authorizations WHERE user_id = $1")
|
||||
.bind(&token_claims.sub)
|
||||
.fetch_all(&app_state.db.0)
|
||||
.fetch_all(&app_state.db)
|
||||
.await
|
||||
.expect("To get user authorization with user_id from claim");
|
||||
renderer.render(
|
||||
|
@ -38,7 +37,7 @@ pub async fn revoke_authorization(
|
|||
) -> impl IntoResponse {
|
||||
let delete_res = sqlx::query("DELETE FROM authorizations WHERE id = $1")
|
||||
.bind(&form.authorization_id)
|
||||
.execute(&app_state.db.0)
|
||||
.execute(&app_state.db)
|
||||
.await;
|
||||
match delete_res {
|
||||
Ok(_) => {},
|
|
@ -1,10 +1,8 @@
|
|||
use anyhow::{Context, Result};
|
||||
use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, ConnectOptions};
|
||||
use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, Pool, Sqlite, ConnectOptions};
|
||||
use std::str::FromStr;
|
||||
|
||||
use crate::repositories::storage::Storage;
|
||||
|
||||
pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
|
||||
pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
|
||||
let conn_str = format!("sqlite:{}", sqlite_db_path);
|
||||
|
||||
let pool = SqlitePoolOptions::new()
|
||||
|
@ -16,6 +14,6 @@ pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
|
|||
.await
|
||||
.context("could not connect to database_url")?;
|
||||
|
||||
Ok(Storage(pool))
|
||||
Ok(pool)
|
||||
}
|
||||
|
62
src/main.rs
Normal file
62
src/main.rs
Normal file
|
@ -0,0 +1,62 @@
|
|||
pub mod models;
|
||||
pub mod controllers;
|
||||
pub mod router;
|
||||
pub mod server;
|
||||
pub mod database;
|
||||
pub mod cli;
|
||||
pub mod utils;
|
||||
pub mod services;
|
||||
pub mod middlewares;
|
||||
pub mod renderer;
|
||||
pub mod consts;
|
||||
|
||||
use std::{env, fs};
|
||||
use anyhow::{Result, Context, anyhow};
|
||||
|
||||
use database::prepare_database;
|
||||
use log::info;
|
||||
use sqlx::{Pool, Sqlite};
|
||||
use models::config::{AppSecrets, Config};
|
||||
|
||||
pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
|
||||
pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
|
||||
pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";
|
||||
|
||||
fn get_config(path: String) -> Result<Config> {
|
||||
let inp_def_yaml = fs::read_to_string(path)
|
||||
.expect("Should have been able to read the the config file");
|
||||
|
||||
toml::from_str(&inp_def_yaml)
|
||||
.map_err(|e| anyhow!("Failed to parse config, {:?}", e))
|
||||
}
|
||||
|
||||
struct StartAppConfig {
|
||||
config_path: Option<String>,
|
||||
database_path: Option<String>,
|
||||
}
|
||||
|
||||
#[tokio::main]
|
||||
async fn main() -> Result<()> {
|
||||
cli::start_server_cli().await
|
||||
}
|
||||
|
||||
async fn get_app_context(start_app_config: StartAppConfig) -> Result<(Config, AppSecrets, Pool<Sqlite>)> {
|
||||
env_logger::init();
|
||||
let _ = dotenvy::dotenv();
|
||||
|
||||
let database_path = &start_app_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
|
||||
info!("Using database file at {}", database_path);
|
||||
let pool = prepare_database(database_path).await.context("Could not prepare db.")?;
|
||||
|
||||
let config_path = start_app_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
|
||||
info!("Using config file at {}", &config_path);
|
||||
let config: Config = get_config(config_path)
|
||||
.expect("Cannot get config.");
|
||||
|
||||
dotenvy::dotenv().context("loading .env")?;
|
||||
let secrets = AppSecrets {
|
||||
jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
|
||||
};
|
||||
|
||||
Ok((config, secrets, pool))
|
||||
}
|
|
@ -5,12 +5,9 @@ use axum::{
|
|||
response::{Html, IntoResponse, Response},
|
||||
Extension
|
||||
};
|
||||
use utils::parse_basic_auth;
|
||||
|
||||
use crate::{
|
||||
services::{app_session::AppClientSession, session::verify_token},
|
||||
token_claims::AppUserTokenClaims,
|
||||
AppState
|
||||
models::token_claims::AppUserTokenClaims, server::AppState, services::{app_session::AppClientSession, session::verify_token}, utils::parse_basic_auth
|
||||
};
|
||||
|
||||
|
|
@ -1,5 +1,6 @@
|
|||
use axum::{extract::{Request, State}, http::StatusCode, middleware::Next, response::Response, Extension};
|
||||
use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
|
||||
|
||||
use crate::{models::token_claims::UserTokenClaims, renderer::TemplateRenderer, server::AppState};
|
||||
|
||||
pub async fn renderer_middleware(
|
||||
State(app_state): State<AppState>,
|
|
@ -7,9 +7,7 @@ use axum::{
|
|||
use axum_extra::extract::CookieJar;
|
||||
|
||||
use crate::{
|
||||
services::session::verify_token,
|
||||
token_claims::UserTokenClaims,
|
||||
AppState, WEB_GUI_JWT_COOKIE_NAME
|
||||
consts::WEB_GUI_JWT_COOKIE_NAME, models::token_claims::UserTokenClaims, server::AppState, services::session::verify_token
|
||||
};
|
||||
|
||||
|
|
@ -21,31 +21,16 @@ enum AppAuthorizeFlow {
|
|||
Implicit
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
|
||||
#[fully_pub]
|
||||
enum AppVisibility {
|
||||
/// app is public (visible to non-signed in user), useful for app discovery
|
||||
Public,
|
||||
/// app is visible to all signed-in users
|
||||
Internal,
|
||||
/// app will be only visible when the user reach the login endpoint
|
||||
Private
|
||||
}
|
||||
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
#[fully_pub]
|
||||
struct Application {
|
||||
slug: String,
|
||||
name: String,
|
||||
description: String,
|
||||
logo_uri: Option<String>,
|
||||
client_id: String,
|
||||
client_secret: String,
|
||||
allowed_redirect_uris: Vec<String>,
|
||||
authorize_flow: AppAuthorizeFlow,
|
||||
visibility: AppVisibility,
|
||||
login_uri: String
|
||||
authorize_flow: AppAuthorizeFlow
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
|
@ -69,6 +54,7 @@ struct Config {
|
|||
roles: Vec<Role>
|
||||
}
|
||||
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
#[fully_pub]
|
||||
struct AppSecrets {
|
|
@ -1,4 +1,4 @@
|
|||
pub mod config;
|
||||
pub mod user;
|
||||
pub mod user_asset;
|
||||
pub mod authorization;
|
||||
pub mod token_claims;
|
|
@ -1,9 +1,10 @@
|
|||
use fully_pub::fully_pub;
|
||||
use jsonwebtoken::get_current_timestamp;
|
||||
use kernel::models::authorization::AuthorizationScope;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use time::Duration;
|
||||
|
||||
use super::authorization::AuthorizationScope;
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize, Clone)]
|
||||
#[fully_pub]
|
||||
struct UserTokenClaims {
|
31
src/models/user.rs
Normal file
31
src/models/user.rs
Normal file
|
@ -0,0 +1,31 @@
|
|||
use fully_pub::fully_pub;
|
||||
use chrono::{DateTime, Utc};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use sqlx::types::Json;
|
||||
|
||||
#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
|
||||
#[derive(strum_macros::Display)]
|
||||
#[fully_pub]
|
||||
enum UserStatus {
|
||||
Active,
|
||||
Disabled
|
||||
}
|
||||
|
||||
#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
|
||||
#[fully_pub]
|
||||
struct User {
|
||||
/// uuid
|
||||
id: String,
|
||||
handle: String,
|
||||
full_name: Option<String>,
|
||||
email: Option<String>,
|
||||
website: Option<String>,
|
||||
picture: Option<Vec<u8>>, // embeded blob to store profile pic
|
||||
password_hash: Option<String>, // argon2 password hash
|
||||
status: UserStatus,
|
||||
roles: Json<Vec<String>>,
|
||||
activation_token: Option<String>,
|
||||
|
||||
last_login_at: Option<DateTime<Utc>>,
|
||||
created_at: DateTime<Utc>
|
||||
}
|
|
@ -1,11 +1,9 @@
|
|||
use axum::{http::StatusCode, response::{Html, IntoResponse}};
|
||||
use fully_pub::fully_pub;
|
||||
use kernel::models::config::Config;
|
||||
use log::error;
|
||||
use minijinja::{context, Environment, Value};
|
||||
use utils::encode_base64_picture;
|
||||
|
||||
use crate::token_claims::UserTokenClaims;
|
||||
use crate::models::token_claims::UserTokenClaims;
|
||||
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
|
@ -45,14 +43,3 @@ impl TemplateRenderer {
|
|||
}
|
||||
}
|
||||
|
||||
pub fn build_templating_env(config: &Config) -> Environment<'static> {
|
||||
let mut env = Environment::new();
|
||||
|
||||
minijinja_embed::load_templates!(&mut env);
|
||||
|
||||
env.add_global("gl", context! {
|
||||
instance => config.instance
|
||||
});
|
||||
env.add_function("inline_picture", encode_base64_picture);
|
||||
env
|
||||
}
|
|
@ -9,7 +9,7 @@ use crate::{
|
|||
app_auth,
|
||||
renderer::renderer_middleware
|
||||
},
|
||||
AppState, ServerConfig
|
||||
server::{AppState, ServerConfig}
|
||||
};
|
||||
|
||||
pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router<AppState> {
|
||||
|
@ -19,9 +19,6 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
|
|||
.route("/register", post(ui::register::perform_register))
|
||||
.route("/login", get(ui::login::login_form))
|
||||
.route("/login", post(ui::login::perform_login))
|
||||
.route("/invitation", get(ui::reset_password::reset_password_form))
|
||||
.route("/reset-password", get(ui::reset_password::reset_password_form))
|
||||
.route("/reset-password", post(ui::reset_password::perform_reset_password))
|
||||
.layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
|
||||
.layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));
|
||||
|
||||
|
@ -29,7 +26,6 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
|
|||
.route("/logout", get(ui::logout::perform_logout))
|
||||
.route("/authorize", get(ui::authorize::authorize_form))
|
||||
.route("/authorize", post(ui::authorize::perform_authorize))
|
||||
.route("/apps", get(ui::apps::list_apps))
|
||||
.route("/me", get(ui::me::me_page))
|
||||
.route("/me/details-form", get(ui::me::me_update_details_form))
|
||||
.route("/me/details-form", post(ui::me::me_perform_update_details))
|
||||
|
@ -46,9 +42,7 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
|
|||
|
||||
let api_user_routes = Router::new()
|
||||
.route("/api/user", get(api::read_user::read_user_basic))
|
||||
.layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
|
||||
.route("/api", get(api::index::get_index))
|
||||
.route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
|
||||
.layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware));
|
||||
|
||||
let well_known_routes = Router::new()
|
||||
.route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));
|
|
@ -1,22 +1,24 @@
|
|||
pub mod controllers;
|
||||
pub mod router;
|
||||
pub mod services;
|
||||
pub mod middlewares;
|
||||
pub mod renderer;
|
||||
pub mod token_claims;
|
||||
|
||||
use base64::{prelude::BASE64_STANDARD, Engine};
|
||||
use fully_pub::fully_pub;
|
||||
use anyhow::{Result, Context};
|
||||
use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
|
||||
use log::info;
|
||||
use minijinja::Environment;
|
||||
use minijinja::{context, Environment};
|
||||
use sqlx::{Pool, Sqlite};
|
||||
use crate::{models::config::{AppSecrets, Config}, router::build_router};
|
||||
|
||||
use crate::{
|
||||
router::build_router,
|
||||
renderer::build_templating_env
|
||||
};
|
||||
fn build_templating_env(config: &Config) -> Environment<'static> {
|
||||
let mut env = Environment::new();
|
||||
|
||||
pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";
|
||||
minijinja_embed::load_templates!(&mut env);
|
||||
|
||||
env.add_global("gl", context! {
|
||||
instance => config.instance
|
||||
});
|
||||
env.add_function("encode_b64str", |bin_val: Vec<u8>| {
|
||||
BASE64_STANDARD.encode(bin_val)
|
||||
});
|
||||
env
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
#[fully_pub]
|
||||
|
@ -32,20 +34,22 @@ pub struct ServerConfig {
|
|||
pub struct AppState {
|
||||
secrets: AppSecrets,
|
||||
config: Config,
|
||||
db: Storage,
|
||||
db: Pool<Sqlite>,
|
||||
templating_env: Environment<'static>
|
||||
}
|
||||
|
||||
pub async fn start_http_server(
|
||||
server_config: ServerConfig,
|
||||
ctx: KernelContext
|
||||
config: Config,
|
||||
secrets: AppSecrets,
|
||||
db_pool: Pool<Sqlite>
|
||||
) -> Result<()> {
|
||||
// build state
|
||||
let state = AppState {
|
||||
templating_env: build_templating_env(&ctx.config),
|
||||
config: ctx.config,
|
||||
secrets: ctx.secrets,
|
||||
db: ctx.storage
|
||||
templating_env: build_templating_env(&config),
|
||||
config,
|
||||
secrets,
|
||||
db: db_pool
|
||||
};
|
||||
|
||||
// build routes
|
|
@ -1,3 +1,4 @@
|
|||
pub mod password;
|
||||
pub mod session;
|
||||
pub mod oauth2;
|
||||
pub mod app_session;
|
|
@ -1,7 +1,7 @@
|
|||
use std::str::FromStr;
|
||||
use anyhow::{Result, Context};
|
||||
|
||||
use kernel::models::{authorization::AuthorizationScope, config::Application};
|
||||
use crate::models::{authorization::AuthorizationScope, config::Application};
|
||||
|
||||
pub fn verify_redirect_uri(app: &Application, input_redirect_uri: &str) -> bool {
|
||||
app.allowed_redirect_uris
|
35
src/services/password.rs
Normal file
35
src/services/password.rs
Normal file
|
@ -0,0 +1,35 @@
|
|||
use anyhow::{anyhow, Result};
|
||||
use argon2::{
|
||||
password_hash::{
|
||||
rand_core::OsRng,
|
||||
PasswordHash, PasswordHasher, PasswordVerifier, SaltString
|
||||
},
|
||||
Argon2
|
||||
};
|
||||
|
||||
pub fn get_password_hash(password: String) -> Result<(String, String)> {
|
||||
let salt = SaltString::generate(&mut OsRng);
|
||||
|
||||
// Argon2 with default params (Argon2id v19)
|
||||
let argon2 = Argon2::default();
|
||||
|
||||
// Hash password to PHC string ($argon2id$v=19$...)
|
||||
match argon2.hash_password(password.as_bytes(), &salt) {
|
||||
Ok(val) => Ok((salt.to_string(), val.to_string())),
|
||||
Err(_) => Err(anyhow!("Failed to process password."))
|
||||
}
|
||||
}
|
||||
|
||||
pub fn verify_password_hash(password_hash: String, password: String) -> Result<()> {
|
||||
let parsed_hash = match PasswordHash::new(&password_hash) {
|
||||
Ok(val) => val,
|
||||
Err(_) => {
|
||||
return Err(anyhow!("Failed to parse password hash"));
|
||||
}
|
||||
};
|
||||
match Argon2::default().verify_password(password.as_bytes(), &parsed_hash) {
|
||||
Ok(()) => Ok(()),
|
||||
Err(_) => Err(anyhow!("Failed to verify password."))
|
||||
}
|
||||
}
|
||||
|
|
@ -1,7 +1,8 @@
|
|||
use anyhow::Result;
|
||||
use serde::{de::DeserializeOwned, Serialize};
|
||||
use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
|
||||
use kernel::context::AppSecrets;
|
||||
|
||||
use crate::models::config::AppSecrets;
|
||||
|
||||
|
||||
pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {
|
|
@ -9,23 +9,20 @@
|
|||
</li>
|
||||
</ul>
|
||||
<ul class="navbar-nav">
|
||||
{% if token_claims %}
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/apps">Apps</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/me">Me</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/logout">Logout</a>
|
||||
</li>
|
||||
{% else %}
|
||||
{% if token_claims is none %}
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/login">Login</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/register">Register</a>
|
||||
</li>
|
||||
{% else %}
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/me">Me</a>
|
||||
</li>
|
||||
<li class="nav-item">
|
||||
<a class="nav-link" href="/logout">Logout</a>
|
||||
</li>
|
||||
{% endif %}
|
||||
</ul>
|
||||
</div>
|
|
@ -55,9 +55,10 @@
|
|||
/>
|
||||
</div>
|
||||
<div class="mb-3">
|
||||
<label for="avatar">Profile picture</label>
|
||||
<label for="picture">Profile picture</label>
|
||||
<!-- for now, no JPEG -->
|
||||
<input
|
||||
id="avatar" name="avatar"
|
||||
id="picture" name="picture"
|
||||
type="file"
|
||||
accept="image/gif, image/png, image/jpeg"
|
||||
class="form-control"
|
|
@ -5,12 +5,9 @@
|
|||
<a href="/me/details-form">Update details.</a>
|
||||
<a href="/me/authorizations">Manage authorizations.</a>
|
||||
|
||||
{% if user.avatar_asset_id %}
|
||||
<div class="my-3">
|
||||
<img
|
||||
src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
|
||||
style="width: 150px; height: 150px; object-fit: contain">
|
||||
</div>
|
||||
<p>
|
||||
{% if user.picture %}
|
||||
<img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
|
||||
{% endif %}
|
||||
<ul>
|
||||
<li>
|
|
@ -43,18 +43,6 @@ pub fn get_random_alphanumerical(length: usize) -> String {
|
|||
.collect()
|
||||
}
|
||||
|
||||
/// Generate easy to type token
|
||||
pub fn get_random_human_token() -> String {
|
||||
return format!(
|
||||
"{}-{}-{}-{}-{}",
|
||||
get_random_alphanumerical(4),
|
||||
get_random_alphanumerical(4),
|
||||
get_random_alphanumerical(4),
|
||||
get_random_alphanumerical(4),
|
||||
get_random_alphanumerical(4)
|
||||
).to_uppercase();
|
||||
}
|
||||
|
||||
pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
|
||||
let header_val_components: Vec<&str> = header_value.split(" ").collect();
|
||||
let encoded_header_value: &str = header_val_components
|
||||
|
@ -73,7 +61,3 @@ pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
|
|||
))
|
||||
}
|
||||
|
||||
pub fn encode_base64_picture(picture_bytes: Vec<u8>) -> String {
|
||||
let encoded = BASE64_STANDARD.encode(picture_bytes);
|
||||
return format!("data:image/*;base64,{}", encoded);
|
||||
}
|
|
@ -1,39 +0,0 @@
|
|||
#!/usr/bin/sh
|
||||
|
||||
set -eou pipefail
|
||||
|
||||
scenario_name="$1"
|
||||
project_root="$(dirname $(cargo locate-project | jq -r .root))"
|
||||
scenario_dir="$project_root/tests/hurl_integration/$1"
|
||||
scenario_tmp_dir_path="$project_root/tmp/tests/$scenario_name"
|
||||
database_path="$project_root/tmp/tests/$scenario_name/minauthator.db"
|
||||
|
||||
echo "Starting scenario $scenario_name."
|
||||
mkdir -p $scenario_tmp_dir_path
|
||||
if [ -f $database_path ]; then
|
||||
rm $database_path
|
||||
fi
|
||||
sqlite3 $database_path < $project_root/migrations/all.sql
|
||||
|
||||
export DB_PATH=$database_path
|
||||
if [ -f $scenario_dir/init_db.sh ]; then
|
||||
$scenario_dir/init_db.sh
|
||||
fi
|
||||
|
||||
pkill -f $project_root/target/debug/minauthator-server &
|
||||
sleep 0.1
|
||||
$project_root/target/debug/minauthator-server \
|
||||
--config "$scenario_dir/config.toml" \
|
||||
--database $database_path \
|
||||
--listen-host "127.0.0.1" \
|
||||
--listen-port "8086" \
|
||||
--static-assets "$project_root/assets" &
|
||||
|
||||
server_pid=$!
|
||||
sleep 0.2
|
||||
hurl \
|
||||
--variable base_url="http://localhost:8086" \
|
||||
--test --error-format long \
|
||||
$scenario_dir/main.hurl
|
||||
kill $server_pid
|
||||
echo "End of scenario."
|
|
@ -1,56 +0,0 @@
|
|||
[instance]
|
||||
base_uri = "http://localhost:8086"
|
||||
name = "Example org"
|
||||
logo_uri = "https://example.org/logo.png"
|
||||
|
||||
[[applications]]
|
||||
slug = "demo_app"
|
||||
name = "Demo app"
|
||||
description = "A super application where you can do everything you want."
|
||||
client_id = "00000001-0000-0000-0000-000000000001"
|
||||
client_secret = "dummy_client_secret"
|
||||
login_uri = "https://localhost:9876"
|
||||
allowed_redirect_uris = [
|
||||
"http://localhost:9090/callback",
|
||||
"http://localhost:9876/callback"
|
||||
]
|
||||
visibility = "Internal"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[applications]]
|
||||
slug = "wiki"
|
||||
name = "Wiki app"
|
||||
description = "The knowledge base of the exemple org."
|
||||
client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
|
||||
client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
|
||||
login_uri = "https://wiki.example.org/login"
|
||||
allowed_redirect_uris = [
|
||||
"https://wiki.example.org/oauth2/callback"
|
||||
]
|
||||
visibility = "Public"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[applications]]
|
||||
slug = "private_app"
|
||||
name = "Demo app"
|
||||
description = "Private app you should never discover"
|
||||
client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
|
||||
client_secret = "this_is_the_secret"
|
||||
login_uri = "https://private-app.org"
|
||||
allowed_redirect_uris = [
|
||||
"http://localhost:9091/authorize",
|
||||
]
|
||||
visibility = "Private"
|
||||
authorize_flow = "Implicit"
|
||||
|
||||
[[roles]]
|
||||
slug = "basic"
|
||||
name = "Basic"
|
||||
description = "Basic user"
|
||||
default = true
|
||||
|
||||
[[roles]]
|
||||
slug = "admin"
|
||||
name = "Administrator"
|
||||
description = "Full power on organization instance"
|
||||
|
|
@ -1,11 +0,0 @@
|
|||
#!/usr/bin/bash
|
||||
|
||||
password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
|
||||
echo $password_hash
|
||||
SQL=$(cat <<EOF
|
||||
INSERT INTO users
|
||||
(id, handle, email, roles, status, password_hash, created_at)
|
||||
VALUES
|
||||
('$(uuid)', 'root', 'root@example.org', '[]', 'Active', '$password_hash', '2024-11-30T00:00:00Z');
|
||||
EOF)
|
||||
echo $SQL | sqlite3 $DB_PATH
|
Binary file not shown.
Before Width: | Height: | Size: 30 KiB |
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue