refactor(tokens)!: DangerousUser -> User & use token table.

I refactore & renamed the DangerousUser struct.
The sessions table has been replaced with tokens table in the db.
& The tokens table is now being used for token storage
BREAKING CHANGE: `user.sessions` column replaced by table `tokens` in db.

migrations/U10__sessions.sql → migrations/U10__tokens.sql

@@ -1,4 +1,4 @@
-CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY
+CREATE TABLE IF NOT EXISTS tokens (id TEXT PRIMARY KEY
 ,   username TEXT NOT NULL
 ,   FOREIGN KEY (username) REFERENCES users(username)
 )

migrations/U5__users.sql

@@ -1,5 +1,4 @@
 CREATE TABLE IF NOT EXISTS users (username TEXT PRIMARY KEY
 ,   permissions TEXT NOT NULL DEFAULT ''
 ,   hash TEXT NOT NULL
-,   sessions TEXT NOT NULL DEFAULT ''
 )

src/api/music/albums.rs

@@ -3,14 +3,14 @@ use rocket_sync_db_pools::rusqlite::{params, Error::QueryReturnedNoRows, ToSql};
 
 use crate::{
     api::errors::ApiError,
-    database::{albums::Album, database::Database, permissions::Permission, users::DangerousUser},
+    database::{albums::Album, database::Database, permissions::Permission, users::User},
 };
 
 type Result<T> = std::result::Result<T, ApiError>;
 
 #[post("/album", data = "<album>")]
-async fn album_write(db: Database, user: DangerousUser, album: Json<Album>) -> Result<Json<Album>> {
-    if !user.has_permissions(&[Permission::AlbumWrite]) {
+async fn album_write(db: Database, user: User, album: Json<Album>) -> Result<Json<Album>> {
+    if !user.permissions.contains(&Permission::AlbumWrite) {
         Err(Status::Forbidden)?
     }
 
@@ -55,7 +55,7 @@ async fn album_write(db: Database, user: DangerousUser, album: Json<Album>) -> R
 #[get("/album?<id>&<name>&<maxrelease>&<minrelease>&<genres>&<maxcount>&<mincount>&<limit>")]
 async fn album_get(
     db: Database,
-    user: DangerousUser,
+    user: User,
     id: Option<String>,
     name: Option<String>,
     maxrelease: Option<u16>,
@@ -65,7 +65,7 @@ async fn album_get(
     mincount: Option<u16>,
     limit: Option<u16>,
 ) -> Result<Json<Vec<Album>>> {
-    if !user.has_permissions(&[Permission::AlbumRead]) {
+    if !user.permissions.contains(&Permission::AlbumRead) {
         Err(Status::Forbidden)?
     }
 
@@ -154,8 +154,8 @@ async fn album_get(
 }
 
 #[delete("/album/<id>")]
-async fn album_delete(db: Database, user: DangerousUser, id: String) -> Result<()> {
-    if !user.has_permissions(&[Permission::AlbumDelete]) {
+async fn album_delete(db: Database, user: User, id: String) -> Result<()> {
+    if !user.permissions.contains(&Permission::AlbumDelete) {
         Err(Status::Forbidden)?
     }
 

src/api/music/artists.rs

@@ -4,7 +4,7 @@ use rocket_sync_db_pools::rusqlite::{params, Error::QueryReturnedNoRows, ToSql};
 use crate::{
     api::errors::ApiError,
     database::{
-        artists::Artist, database::Database, permissions::Permission, users::DangerousUser,
+        artists::Artist, database::Database, permissions::Permission, users::User,
     },
 };
 
@@ -13,10 +13,10 @@ type Result<T> = std::result::Result<T, ApiError>;
 #[post("/artist", data = "<artist>")]
 async fn artist_write(
     db: Database,
-    user: DangerousUser,
+    user: User,
     artist: Json<Artist>,
 ) -> Result<Json<Artist>> {
-    if !user.has_permissions(&[Permission::ArtistWrite]) {
+    if !user.permissions.contains(&Permission::ArtistWrite) {
         Err(Status::Forbidden)?
     }
 
@@ -59,13 +59,13 @@ async fn artist_write(
 #[get("/artist?<id>&<name>&<genres>&<limit>")]
 async fn artist_get(
     db: Database,
-    user: DangerousUser,
+    user: User,
     id: Option<String>,
     name: Option<String>,
     genres: Option<Json<Vec<String>>>,
     limit: Option<u16>,
 ) -> Result<Json<Vec<Artist>>> {
-    if !user.has_permissions(&[Permission::ArtistRead]) {
+    if !user.permissions.contains(&Permission::ArtistRead) {
         Err(Status::Forbidden)?
     }
 
@@ -116,8 +116,8 @@ async fn artist_get(
 }
 
 #[delete("/artist/<id>")]
-async fn artist_delete(db: Database, user: DangerousUser, id: String) -> Result<()> {
-    if !user.has_permissions(&[Permission::ArtistDelete]) {
+async fn artist_delete(db: Database, user: User, id: String) -> Result<()> {
+    if !user.permissions.contains(&Permission::ArtistDelete) {
         Err(Status::Forbidden)?
     }
 

src/api/music/genres.rs

@@ -1,15 +1,15 @@
 use crate::{
     api::errors::ApiError,
-    database::{database::Database, permissions::Permission, users::DangerousUser},
+    database::{database::Database, permissions::Permission, users::User},
 };
 use rocket::{fairing::AdHoc, http::Status, serde::json::Json};
 use rocket_sync_db_pools::rusqlite::{params, Error::QueryReturnedNoRows, ToSql};
 
 type Result<T> = std::result::Result<T, ApiError>;
 
 #[post("/genre/<genre>")]
-async fn genre_write(db: Database, user: DangerousUser, genre: String) -> Result<Json<String>> {
-    if !user.has_permissions(&[Permission::GenreWrite]) {
+async fn genre_write(db: Database, user: User, genre: String) -> Result<Json<String>> {
+    if !user.permissions.contains(&Permission::GenreWrite) {
         Err(Status::Forbidden)?
     }
     db.run(move |conn| -> Result<Json<String>> {
@@ -23,11 +23,11 @@ async fn genre_write(db: Database, user: DangerousUser, genre: String) -> Result
 #[get("/genre?<genre>&<limit>")]
 async fn genre_get(
     db: Database,
-    user: DangerousUser,
+    user: User,
     genre: Option<String>,
     limit: Option<u16>,
 ) -> Result<Json<Vec<String>>> {
-    if !user.has_permissions(&[Permission::GenreRead]) {
+    if !user.permissions.contains(&Permission::GenreRead) {
         Err(Status::Forbidden)?
     }
 
@@ -56,8 +56,8 @@ async fn genre_get(
 }
 
 #[delete("/genre/<genre>")]
-async fn genre_delete(db: Database, user: DangerousUser, genre: String) -> Result<()> {
-    if !user.has_permissions(&[Permission::GenreDelete]) {
+async fn genre_delete(db: Database, user: User, genre: String) -> Result<()> {
+    if !user.permissions.contains(&Permission::GenreDelete) {
         Err(Status::Forbidden)?
     }
 

src/api/music/tracks.rs

@@ -3,14 +3,14 @@ use rocket_sync_db_pools::rusqlite::{params, Error::QueryReturnedNoRows, ToSql};
 
 use crate::{
     api::errors::ApiError,
-    database::{database::Database, permissions::Permission, tracks::Track, users::DangerousUser},
+    database::{database::Database, permissions::Permission, tracks::Track, users::User},
 };
 
 type Result<T> = std::result::Result<T, ApiError>;
 
 #[post("/track", data = "<track>")]
-async fn track_write(db: Database, user: DangerousUser, track: Json<Track>) -> Result<Json<Track>> {
-    if !user.has_permissions(&[Permission::TrackWrite]) {
+async fn track_write(db: Database, user: User, track: Json<Track>) -> Result<Json<Track>> {
+    if !user.permissions.contains(&Permission::TrackWrite) {
         Err(Status::Forbidden)?
     }
 
@@ -56,7 +56,7 @@ async fn track_write(db: Database, user: DangerousUser, track: Json<Track>) -> R
 #[get("/track?<id>&<name>&<maxrelease>&<minrelease>&<genres>&<albums>&<artists>&<lyrics>&<limit>")]
 async fn track_get(
     db: Database,
-    user: DangerousUser,
+    user: User,
     id: Option<String>,
     name: Option<String>,
     maxrelease: Option<u16>,
@@ -67,7 +67,7 @@ async fn track_get(
     lyrics: Option<String>,
     limit: Option<u16>,
 ) -> Result<Json<Vec<Track>>> {
-    if !user.has_permissions(&[Permission::TrackRead]) {
+    if !user.permissions.contains(&Permission::TrackRead) {
         Err(Status::Forbidden)?
     }
     db.run(move |conn| -> Result<Json<Vec<Track>>> {
@@ -164,8 +164,8 @@ async fn track_get(
 }
 
 #[delete("/track/<id>")]
-async fn track_delete(db: Database, user: DangerousUser, id: String) -> Result<()> {
-    if !user.has_permissions(&[Permission::TrackDelete]) {
+async fn track_delete(db: Database, user: User, id: String) -> Result<()> {
+    if !user.permissions.contains(&Permission::TrackDelete) {
         Err(Status::Forbidden)?
     }
 

src/api/user/invites.rs

@@ -10,7 +10,7 @@ use crate::{
         database::Database,
         invites::Invite,
         permissions::Permission,
-        users::{DangerousLogin, DangerousUser},
+        users::{DangerousLogin, User},
     },
 };
 
@@ -33,12 +33,11 @@ async fn invite_use(db: Database, code: String, login: Json<DangerousLogin>) ->
             .map_err(|e| ApiError::from(e))?;
 
         tx.execute(
-            "INSERT INTO users (username, permissions, hash, sessions) VALUES (?1, ?2, ?3, ?4)",
+            "INSERT INTO users (username, permissions, hash) VALUES (?1, ?2, ?3)",
             params![
                 login.username,
                 permissions,
                 hash(login.password, DEFAULT_COST)?,
-                ""
             ],
         )?;
 
@@ -57,15 +56,15 @@ async fn invite_use(db: Database, code: String, login: Json<DangerousLogin>) ->
 }
 
 #[post("/invite", data = "<invite>")]
-async fn invite_write(
-    db: Database,
-    user: DangerousUser,
-    invite: Json<Invite>,
-) -> Result<Json<Invite>> {
+async fn invite_write(db: Database, user: User, invite: Json<Invite>) -> Result<Json<Invite>> {
     let mut invite = invite.into_inner();
     let mut required_permissions = invite.permissions.inner().to_owned();
     required_permissions.push(Permission::InviteWrite);
-    if !user.has_permissions(&required_permissions) {
+
+    if !required_permissions
+        .iter()
+        .all(|permission| user.permissions.contains(permission))
+    {
         Err(Status::Forbidden)?
     }
 
@@ -96,15 +95,15 @@ async fn invite_write(
 #[get("/invite?<code>&<permissions>&<maxremaining>&<minremaining>&<creator>&<limit>")]
 async fn invite_get(
     db: Database,
-    user: DangerousUser,
+    user: User,
     code: Option<String>,
     permissions: Option<Json<Vec<Permission>>>,
     maxremaining: Option<u16>,
     minremaining: Option<u16>,
     creator: Option<String>,
     limit: Option<u16>,
 ) -> Result<Json<Vec<Invite>>> {
-    if !user.has_permissions(&[Permission::InviteRead]) {
+    if !user.permissions.contains(&Permission::InviteRead) {
         return Err(Status::Forbidden)?;
     }
 
@@ -154,8 +153,8 @@ async fn invite_get(
 }
 
 #[delete("/invite/<code>")]
-async fn invite_delete(db: Database, user: DangerousUser, code: String) -> Result<()> {
-    if !user.has_permissions(&[Permission::InviteDelete]) {
+async fn invite_delete(db: Database, user: User, code: String) -> Result<()> {
+    if !user.permissions.contains(&Permission::InviteDelete) {
         return Err(Status::Forbidden)?;
     }
 

src/api/user/permissions.rs

@@ -4,23 +4,26 @@ use sqlvec::SqlVec;
 
 use crate::{
     api::errors::ApiError,
-    database::{database::Database, permissions::Permission, users::DangerousUser},
+    database::{database::Database, permissions::Permission, users::User},
 };
 
 type Result<T> = std::result::Result<T, ApiError>;
 
 #[post("/permissions/<username>", data = "<permissions_to_add>")]
 async fn permissions_add(
     db: Database,
-    user: DangerousUser,
+    user: User,
     username: String,
     permissions_to_add: Json<Vec<Permission>>,
 ) -> Result<()> {
     let permissions_to_add = permissions_to_add.into_inner();
 
     let mut required_permissions = permissions_to_add.clone();
     required_permissions.push(Permission::PermissionAdd);
-    if !user.has_permissions(&required_permissions) {
+    if !required_permissions
+        .iter()
+        .all(|permission| user.permissions.contains(permission))
+    {
         Err(Status::Forbidden)?
     }
 
@@ -53,7 +56,7 @@ async fn permissions_add(
 #[delete("/permissions/<username>", data = "<permissions_to_delete>")]
 async fn permissions_delete(
     db: Database,
-    user: DangerousUser,
+    user: User,
     username: String,
     permissions_to_delete: Json<Vec<Permission>>,
 ) -> Result<()> {
@@ -72,7 +75,10 @@ async fn permissions_delete(
 
         let mut required_permissions = current_permissions.clone();
         required_permissions.push(Permission::PermissionDelete);
-        if !user.has_permissions(&required_permissions) {
+        if !required_permissions
+            .iter()
+            .all(|permission| user.permissions.contains(permission))
+        {
             Err(Status::Forbidden)?
         }
 

src/api/user/tokens.rs

@@ -5,15 +5,14 @@ use rocket::{
     serde::json::Json,
 };
 use rocket_sync_db_pools::rusqlite::params;
-use sqlvec::SqlVec;
 use uuid::Uuid;
 
 use crate::{
     api::errors::ApiError,
     database::{
         database::Database,
         permissions::Permission,
-        users::{DangerousLogin, DangerousUser},
+        users::{DangerousLogin, User},
     },
 };
 
@@ -30,27 +29,21 @@ async fn token_write(
         .run(move |conn| -> Result<String> {
             let tx = conn.transaction()?;
 
-            let (hash, mut tokens): (String, Vec<String>) = tx.query_row(
-                "SELECT hash, sessions FROM users WHERE username = ?",
+            let hash: String = tx.query_row(
+                "SELECT hash FROM users WHERE username = ?",
                 params![&login.username],
-                |row| {
-                    Ok((
-                        row.get(0)?,
-                        row.get::<usize, SqlVec<String>>(1)?.into_inner(),
-                    ))
-                },
+                |row| row.get("hash"),
             )?;
 
             if !verify(login.password, &hash)? {
                 Err(Status::Forbidden)?
             }
 
             let token: String = Uuid::new_v4().to_string();
-            tokens.push(token.clone());
 
             tx.execute(
-                "UPDATE users SET sessions = ? WHERE username = ?",
-                params![SqlVec::new(tokens), login.username],
+                "INSERT INTO tokens (id, username) VALUES (?1, ?2)",
+                params![token, login.username],
             )?;
 
             tx.commit()?;
@@ -63,18 +56,13 @@ async fn token_write(
 }
 
 #[delete("/token/<username>")]
-async fn token_delete(db: Database, user: DangerousUser, username: String) -> Result<()> {
-    if username != user.username && !user.has_permissions(&[Permission::TokenDelete]) {
+async fn token_delete(db: Database, user: User, username: String) -> Result<()> {
+    if username != user.username && !user.permissions.contains(&Permission::TokenDelete) {
         Err(Status::Forbidden)?
     }
 
-    db.run(move |conn| {
-        conn.execute(
-            "UPDATE users SET sessions = '' WHERE username = ?",
-            params![username],
-        )
-    })
-    .await?;
+    db.run(move |conn| conn.execute("DELETE FROM tokens WHERE username = ?", params![username]))
+        .await?;
     Ok(())
 }