Implement server-side logout

2023-04-12 14:25:13 +00:00 · 2021-05-23 16:20:26 +02:00 · 2021-05-23 16:20:26 +02:00 · 10404abbb0
commit 10404abbb0
parent 28a941924e
6 changed files with 204 additions and 86 deletions
--- a/src/infra/auth_service.rs
+++ b/src/infra/auth_service.rs
@ -1,24 +1,30 @@
-use crate::{domain::handler::*, infra::{tcp_backend_handler::*, tcp_server::{AppState, error_to_http_response}}};
+use crate::{
+    domain::handler::*,
+    infra::{
+        tcp_backend_handler::*,
+        tcp_server::{error_to_http_response, AppState},
+    },
+};
+use actix_web::{
+    cookie::{Cookie, SameSite},
+    dev::{Service, ServiceRequest, ServiceResponse, Transform},
+    error::{ErrorBadRequest, ErrorUnauthorized},
+    web, HttpRequest, HttpResponse,
+};
+use actix_web_httpauth::extractors::bearer::BearerAuth;
+use anyhow::Result;
+use chrono::prelude::*;
+use futures::future::{ok, Ready};
+use futures_util::{FutureExt, TryFutureExt};
 use hmac::Hmac;
 use jwt::{SignWithKey, VerifyWithKey};
 use log::*;
+use sha2::Sha512;
 use std::collections::{hash_map::DefaultHasher, HashSet};
 use std::hash::{Hash, Hasher};
-use time::ext::NumericalDuration;
-use actix_web_httpauth::extractors::bearer::BearerAuth;
-use anyhow::Result;
-use std::task::{Context, Poll};
 use std::pin::Pin;
-use actix_web::{
-    cookie::{Cookie, SameSite},
-    dev::{ServiceRequest, Service, Transform, ServiceResponse},
-    error::{ErrorBadRequest, ErrorUnauthorized},
-    web, HttpRequest, HttpResponse
-};
-use futures_util::{FutureExt, TryFutureExt};
-use futures::future::{ok, Ready};
-use chrono::prelude::*;
-use sha2::Sha512;
+use std::task::{Context, Poll};
+use time::ext::NumericalDuration;

 type Token<S> = jwt::Token<jwt::Header, JWTClaims, S>;
 type SignedToken = Token<jwt::token::Signed>;
@ -37,6 +43,18 @@ fn create_jwt(key: &Hmac<Sha512>, user: String, groups: HashSet<String>) -> Sign
    jwt::Token::new(header, claims).sign_with_key(key).unwrap()
 }

+fn get_refresh_token_from_cookie(
+    request: HttpRequest,
+) -> std::result::Result<(String, String), HttpResponse> {
+    match request.cookie("refresh_token") {
+        None => Err(HttpResponse::Unauthorized().body("Missing refresh token")),
+        Some(t) => match t.value().split_once("+") {
+            None => Err(HttpResponse::Unauthorized().body("Invalid refresh token")),
+            Some((t, u)) => Ok((t.to_string(), u.to_string())),
+        },
+    }
+}
+
 async fn get_refresh<Backend>(
    data: web::Data<AppState<Backend>>,
    request: HttpRequest,
@ -46,18 +64,14 @@ where
 {
    let backend_handler = &data.backend_handler;
    let jwt_key = &data.jwt_key;
-    let (refresh_token, user) = match request.cookie("refresh_token") {
-        None => {
-            return HttpResponse::Unauthorized().body("Missing refresh token")
-        }
-        Some(t) => match t.value().split_once("+") {
-            None => {
-                return HttpResponse::Unauthorized().body("Invalid refresh token")
-            }
-            Some((t, u)) => (t.to_string(), u.to_string()),
-        },
+    let (refresh_token, user) = match get_refresh_token_from_cookie(request) {
+        Ok(t) => t,
+        Err(http_response) => return http_response,
    };
-    let res_found = data.backend_handler.check_token(&refresh_token, &user).await;
+    let res_found = data
+        .backend_handler
+        .check_token(&refresh_token, &user)
+        .await;
    // Async closures are not supported yet.
    match res_found {
        Ok(found) => {
@ -87,6 +101,59 @@ where
    .unwrap_or_else(error_to_http_response)
 }

+async fn get_logout<Backend>(
+    data: web::Data<AppState<Backend>>,
+    request: HttpRequest,
+) -> HttpResponse
+where
+    Backend: TcpBackendHandler + BackendHandler + 'static,
+{
+    let (refresh_token, user) = match get_refresh_token_from_cookie(request) {
+        Ok(t) => t,
+        Err(http_response) => return http_response,
+    };
+    if let Err(response) = data
+        .backend_handler
+        .delete_refresh_token(&refresh_token)
+        .map_err(error_to_http_response)
+        .await
+    {
+        return response;
+    };
+    match data
+        .backend_handler
+        .blacklist_jwts(&user)
+        .map_err(error_to_http_response)
+        .await
+    {
+        Ok(new_blacklisted_jwts) => {
+            let mut jwt_blacklist = data.jwt_blacklist.write().unwrap();
+            for jwt in new_blacklisted_jwts {
+                jwt_blacklist.insert(jwt);
+        }
+        },
+        Err(response) => return response,
+    };
+    HttpResponse::Ok()
+        .cookie(
+            Cookie::build("token", "")
+                .max_age(0.days())
+                .path("/api")
+                .http_only(true)
+                .same_site(SameSite::Strict)
+                .finish(),
+        )
+        .cookie(
+            Cookie::build("refresh_token", "")
+                .max_age(0.days())
+                .path("/api/authorize/refresh")
+                .http_only(true)
+                .same_site(SameSite::Strict)
+                .finish(),
+        )
+        .finish()
+}
+
 async fn post_authorize<Backend>(
    data: web::Data<AppState<Backend>>,
    request: web::Json<BindRequest>,
@ -211,7 +278,7 @@ where
        credentials.token().hash(&mut s);
        s.finish()
    };
-    if state.jwt_blacklist.contains(&jwt_hash) {
+    if state.jwt_blacklist.read().unwrap().contains(&jwt_hash) {
        return Err(ErrorUnauthorized("JWT was logged out"));
    }
    let groups = &token.claims().groups;
@ -225,13 +292,11 @@ where
    }
 }

-
-pub fn configure_server<Backend>(
-    cfg: &mut web::ServiceConfig,
-) where
+pub fn configure_server<Backend>(cfg: &mut web::ServiceConfig)
+where
    Backend: TcpBackendHandler + BackendHandler + 'static,
 {
-    cfg
-    .service(web::resource("").route(web::post().to(post_authorize::<Backend>)))
-    .service(web::resource("/refresh").route(web::get().to(get_refresh::<Backend>)));
+    cfg.service(web::resource("").route(web::post().to(post_authorize::<Backend>)))
+        .service(web::resource("/refresh").route(web::get().to(get_refresh::<Backend>)))
+        .service(web::resource("/logout").route(web::get().to(get_logout::<Backend>)));
 }
--- a/src/infra/jwt_sql_tables.rs
+++ b/src/infra/jwt_sql_tables.rs
@ -13,11 +13,12 @@ pub enum JwtRefreshStorage {

 /// Contains the blacklisted JWT that haven't expired yet.
 #[derive(Iden)]
-pub enum JwtBlacklist {
+pub enum JwtStorage {
    Table,
    JwtHash,
    UserId,
    ExpiryDate,
+    Blacklisted,
 }

 /// This needs to be initialized after the domain tables are.
@ -57,29 +58,35 @@ pub async fn init_table(pool: &Pool) -> sqlx::Result<()> {

    sqlx::query(
        &Table::create()
-            .table(JwtBlacklist::Table)
+            .table(JwtStorage::Table)
            .if_not_exists()
            .col(
-                ColumnDef::new(JwtBlacklist::JwtHash)
+                ColumnDef::new(JwtStorage::JwtHash)
                    .big_integer()
                    .not_null()
                    .primary_key(),
            )
            .col(
-                ColumnDef::new(JwtBlacklist::UserId)
+                ColumnDef::new(JwtStorage::UserId)
                    .string_len(255)
                    .not_null(),
            )
            .col(
-                ColumnDef::new(JwtBlacklist::ExpiryDate)
+                ColumnDef::new(JwtStorage::ExpiryDate)
                    .date_time()
                    .not_null(),
            )
+            .col(
+                ColumnDef::new(JwtStorage::Blacklisted)
+                    .boolean()
+                    .default(false)
+                    .not_null(),
+            )
            .foreign_key(
                ForeignKey::create()
-                    .name("JwtBlacklistUserForeignKey")
-                    .table(JwtBlacklist::Table, Users::Table)
-                    .col(JwtBlacklist::UserId, Users::UserId)
+                    .name("JwtStorageUserForeignKey")
+                    .table(JwtStorage::Table, Users::Table)
+                    .col(JwtStorage::UserId, Users::UserId)
                    .on_delete(ForeignKeyAction::Cascade)
                    .on_update(ForeignKeyAction::Cascade),
            )
--- a/src/infra/sql_backend_handler.rs
+++ b/src/infra/sql_backend_handler.rs
@ -4,19 +4,21 @@ use async_trait::async_trait;
 use futures_util::StreamExt;
 use sea_query::{Expr, Iden, Query, SimpleExpr};
 use sqlx::Row;
+use std::collections::hash_map::DefaultHasher;
 use std::collections::HashSet;
+use std::hash::{Hash, Hasher};

 #[async_trait]
 impl TcpBackendHandler for SqlBackendHandler {
    async fn get_jwt_blacklist(&self) -> anyhow::Result<HashSet<u64>> {
        use sqlx::Result;
        let query = Query::select()
-            .column(JwtBlacklist::JwtHash)
-            .from(JwtBlacklist::Table)
+            .column(JwtStorage::JwtHash)
+            .from(JwtStorage::Table)
            .to_string(DbQueryBuilder {});

        sqlx::query(&query)
-            .map(|row: DbRow| row.get::<i64, _>(&*JwtBlacklist::JwtHash.to_string()) as u64)
+            .map(|row: DbRow| row.get::<i64, _>(&*JwtStorage::JwtHash.to_string()) as u64)
            .fetch(&self.sql_pool)
            .collect::<Vec<sqlx::Result<u64>>>()
            .await
@ -60,8 +62,6 @@ impl TcpBackendHandler for SqlBackendHandler {
    }

    async fn check_token(&self, token: &str, user: &str) -> Result<bool> {
-        use std::collections::hash_map::DefaultHasher;
-        use std::hash::{Hash, Hasher};
        let refresh_token_hash = {
            let mut s = DefaultHasher::new();
            token.hash(&mut s);
@ -78,4 +78,40 @@ impl TcpBackendHandler for SqlBackendHandler {
            .await?
            .is_some())
    }
+    async fn blacklist_jwts(&self, user: &str) -> DomainResult<HashSet<u64>> {
+        use sqlx::Result;
+        let query = Query::select()
+            .column(JwtStorage::JwtHash)
+            .from(JwtStorage::Table)
+            .and_where(Expr::col(JwtStorage::UserId).eq(user))
+            .and_where(Expr::col(JwtStorage::Blacklisted).eq(true))
+            .to_string(DbQueryBuilder {});
+        let result = sqlx::query(&query)
+            .map(|row: DbRow| row.get::<i64, _>(&*JwtStorage::JwtHash.to_string()) as u64)
+            .fetch(&self.sql_pool)
+            .collect::<Vec<sqlx::Result<u64>>>()
+            .await
+            .into_iter()
+            .collect::<Result<HashSet<u64>>>();
+        let query = Query::update()
+            .table(JwtStorage::Table)
+            .values(vec![(JwtStorage::Blacklisted, true.into())])
+            .and_where(Expr::col(JwtStorage::UserId).eq(user))
+            .to_string(DbQueryBuilder {});
+        sqlx::query(&query).execute(&self.sql_pool).await?;
+        Ok(result?)
+    }
+    async fn delete_refresh_token(&self, token: &str) -> DomainResult<()> {
+        let refresh_token_hash = {
+            let mut s = DefaultHasher::new();
+            token.hash(&mut s);
+            s.finish()
+        };
+        let query = Query::delete()
+            .from_table(JwtRefreshStorage::Table)
+            .and_where(Expr::col(JwtRefreshStorage::RefreshTokenHash).eq(refresh_token_hash))
+            .to_string(DbQueryBuilder {});
+        sqlx::query(&query).execute(&self.sql_pool).await?;
+        Ok(())
+    }
 }
--- a/src/infra/tcp_api.rs
+++ b/src/infra/tcp_api.rs
@ -1,10 +1,12 @@
 use crate::{
    domain::handler::*,
-    infra::{tcp_server::{AppState, error_to_http_response}, tcp_backend_handler::*},
+    infra::{
+        tcp_backend_handler::*,
+        tcp_server::{error_to_http_response, AppState},
+    },
 };
 use actix_web::{web, HttpResponse};

-
 fn error_to_api_response<T>(error: DomainError) -> ApiResult<T> {
    ApiResult::Right(error_to_http_response(error))
 }
@ -54,12 +56,15 @@ mod tests {
    use super::*;
    use hmac::{Hmac, NewMac};
    use std::collections::HashSet;
+    use std::sync::RwLock;

-    fn get_data(handler: MockTestTcpBackendHandler) -> web::Data<AppState<MockTestTcpBackendHandler>> {
+    fn get_data(
+        handler: MockTestTcpBackendHandler,
+    ) -> web::Data<AppState<MockTestTcpBackendHandler>> {
        let app_state = AppState::<MockTestTcpBackendHandler> {
            backend_handler: handler,
            jwt_key: Hmac::new_varkey(b"jwt_secret").unwrap(),
-            jwt_blacklist: HashSet::new(),
+            jwt_blacklist: RwLock::new(HashSet::new()),
        };
        web::Data::<AppState<MockTestTcpBackendHandler>>::new(app_state)
    }
--- a/src/infra/tcp_backend_handler.rs
+++ b/src/infra/tcp_backend_handler.rs
@ -1,5 +1,5 @@
-use std::collections::HashSet;
 use async_trait::async_trait;
+use std::collections::HashSet;

 pub type DomainError = crate::domain::error::Error;
 pub type DomainResult<T> = crate::domain::error::Result<T>;
@ -9,6 +9,8 @@ pub trait TcpBackendHandler {
    async fn get_jwt_blacklist(&self) -> anyhow::Result<HashSet<u64>>;
    async fn create_refresh_token(&self, user: &str) -> DomainResult<(String, chrono::Duration)>;
    async fn check_token(&self, token: &str, user: &str) -> DomainResult<bool>;
+    async fn blacklist_jwts(&self, user: &str) -> DomainResult<HashSet<u64>>;
+    async fn delete_refresh_token(&self, token: &str) -> DomainResult<()>;
 }

 #[cfg(test)]
@ -31,5 +33,7 @@ mockall::mock! {
        async fn get_jwt_blacklist(&self) -> anyhow::Result<HashSet<u64>>;
        async fn create_refresh_token(&self, user: &str) -> DomainResult<(String, chrono::Duration)>;
        async fn check_token(&self, token: &str, user: &str) -> DomainResult<bool>;
+        async fn blacklist_jwts(&self, user: &str) -> DomainResult<HashSet<u64>>;
+        async fn delete_refresh_token(&self, token: &str) -> DomainResult<()>;
    }
 }
--- a/src/infra/tcp_server.rs
+++ b/src/infra/tcp_server.rs
@ -1,6 +1,6 @@
 use crate::{
    domain::handler::*,
-    infra::{auth_service, tcp_api, configuration::Configuration, tcp_backend_handler::*},
+    infra::{auth_service, configuration::Configuration, tcp_api, tcp_backend_handler::*},
 };
 use actix_files::{Files, NamedFile};
 use actix_http::HttpServiceBuilder;
@ -13,6 +13,7 @@ use hmac::{Hmac, NewMac};
 use sha2::Sha512;
 use std::collections::HashSet;
 use std::path::PathBuf;
+use std::sync::RwLock;

 async fn index(req: HttpRequest) -> actix_web::Result<NamedFile> {
    let mut path = PathBuf::new();
@ -41,7 +42,7 @@ fn http_config<Backend>(
    cfg.data(AppState::<Backend> {
        backend_handler,
        jwt_key: Hmac::new_varkey(&jwt_secret.as_bytes()).unwrap(),
-        jwt_blacklist,
+        jwt_blacklist: RwLock::new(jwt_blacklist),
    })
    // Serve index.html and main.js, and default to index.html.
    .route(
@ -70,7 +71,7 @@ where
 {
    pub backend_handler: Backend,
    pub jwt_key: Hmac<Sha512>,
-    pub jwt_blacklist: HashSet<u64>,
+    pub jwt_blacklist: RwLock<HashSet<u64>>,
 }

 pub async fn build_tcp_server<Backend>(