From ecca0e8cef755899049e7f541c86b9d06b2438a4 Mon Sep 17 00:00:00 2001 From: Cara Salter Date: Mon, 30 May 2022 00:24:40 -0400 Subject: meta: Add Bearer authentication Makes use of a pre-shared key. Do not expose this to the internet! --- src/handlers/ships.rs | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'src/handlers') diff --git a/src/handlers/ships.rs b/src/handlers/ships.rs index 75f5dc5..42367ea 100644 --- a/src/handlers/ships.rs +++ b/src/handlers/ships.rs @@ -4,13 +4,13 @@ use axum::{Json, extract::Path, Extension}; use hyper::StatusCode; use solarlib::ship::{Ship, DbShip, Sha256}; use sqlx::{query_as, query, Error as SqlxError}; +use axum_auth::AuthBearer; +use tracing::log::warn; use crate::{errors::{JsonResult, StringResult, ServiceError}, State}; pub async fn list(state: Extension>) -> JsonResult>> { - let mut result: Vec = Vec::new(); - let mut conn = state.conn.acquire().await?; let db_ships = query_as!(DbShip, "SELECT * FROM ships").fetch_all(&mut conn).await?; @@ -20,7 +20,8 @@ pub async fn list(state: Extension>) -> JsonResult>> { Ok(Json(ships)) } -pub async fn new(Json(new_ship): Json, state: Extension>) -> StringResult { +pub async fn new(Json(new_ship): Json, state: Extension>, AuthBearer(token): AuthBearer) -> StringResult { + check_bearer(token)?; let mut conn = state.conn.acquire().await?; query!("INSERT INTO ships (name, shasum, download_url, version) VALUES ($1, $2, $3, $4)", new_ship.name, new_ship.shasum.to_string(), new_ship.download_url, new_ship.version).execute(&mut conn).await?; @@ -29,6 +30,7 @@ pub async fn new(Json(new_ship): Json, state: Extension>) -> St } pub async fn delete(Path(shasum): Path, state: Extension>) -> StringResult { + check_bearer(token)?; let mut conn = state.conn.acquire().await?; query!("DELETE FROM ships WHERE shasum=$1", shasum.to_string()).execute(&mut conn).await?; @@ -55,3 +57,19 @@ pub async fn get(Path(shasum): Path, state: Extension>) -> Js Ok(Json(db_ship)) } + +fn check_bearer(token: String) -> Result<(), ServiceError> { + let expected_token = match std::env::var("SHARED_KEY") { + Ok(t) => t, + Err(_) => { + warn!("No pre-shared key set in environment. This is not secure!"); + "bad-key".into() + } + }; + + if token != expected_token { + Err(ServiceError::NotAuthorized) + } else { + Ok(()) + } +} -- cgit v1.2.3