Make auth extractor extendable (refactored), better redirect for OIDC…

…, add link to swagger UI for utoipa, update utoipa dependency version, fix path normalization for swagger docs

create-rust-app/Cargo.toml

@@ -81,7 +81,7 @@ base64 = { optional = true, version = "0.21.2" }
 openidconnect = { optional = true, version = "3.3.0" }
 
 # plugin_utoipa dependencies
-utoipa = { optional = true, version = "3", features = [
+utoipa = { optional = true, version = "4", features = [
  "actix_extras",
  "chrono",
  "openapi_extensions",
@@ -177,7 +177,7 @@ plugin_storage = [
  "futures-util"
 ]
 plugin_graphql = []
-plugin_utoipa = ["utoipa", "backend_actix-web"]
+plugin_utoipa = ["utoipa", "backend_actix-web"] # for now, only works with actix-web!
 plugin_tasks = ["fang", "tokio"]
 backend_poem = ["poem", "anyhow", "mime_guess", "tokio"]
 backend_actix-web = [

create-rust-app/src/auth/extractors/auth.rs

@@ -0,0 +1,48 @@
+use std::collections::HashSet;
+
+use crate::auth::{Permission, ID};
+
+#[derive(Debug, Clone)]
+/// roles and permissions available to a User
+///
+/// use to control what users are and are not allowed to do
+pub struct Auth {
+ pub user_id: ID,
+ pub roles: HashSet<String>,
+ pub permissions: HashSet<Permission>,
+}
+
+impl Auth {
+ /// does the user with the id [`self.user_id`](`ID`) have the given `permission`
+ pub fn has_permission(&self, permission: String) -> bool {
+ self.permissions.contains(&Permission {
+ permission,
+ from_role: String::new(),
+ })
+ }
+
+ /// does the user with the id [`self.user_id`](`ID`) have all of the given `perms`
+ pub fn has_all_permissions(&self, perms: Vec<String>) -> bool {
+ perms.iter().all(|p| self.has_permission(p.to_string()))
+ }
+
+ /// does the user with the id [`self.user_id`](`ID`) have any of the given `perms`
+ pub fn has_any_permission(&self, perms: Vec<String>) -> bool {
+ perms.iter().any(|p| self.has_permission(p.to_string()))
+ }
+
+ /// does the user with the id [`self.user_id`](`ID`) have the given `role`
+ pub fn has_role(&self, role: String) -> bool {
+ self.roles.contains(&role)
+ }
+
+ /// does the user with the id [`self.user_id`](`ID`) have all of the given `roles`
+ pub fn has_all_roles(&self, roles: Vec<String>) -> bool {
+ roles.iter().all(|r| self.has_role(r.to_string()))
+ }
+
+ /// does the user with the id [`self.user_id`](`ID`) have any of the given `roles`
+ pub fn has_any_roles(&self, roles: Vec<String>) -> bool {
+ roles.iter().any(|r| self.has_role(r.to_string()))
+ }
+}

create-rust-app/src/auth/extractors/auth_actixweb.rs

@@ -1,4 +1,5 @@
-use crate::auth::{permissions::Permission, AccessTokenClaims, ID};
+use super::auth::Auth;
+use crate::auth::{permissions::Permission, AccessTokenClaims};
 use actix_http::header::HeaderValue;
 use actix_web::dev::Payload;
 use actix_web::error::ResponseError;
@@ -13,63 +14,30 @@ use serde_json::json;
 use std::collections::HashSet;
 use std::iter::FromIterator;
 
-#[derive(Debug, Clone)]
-/// roles and permissions available to a User
-///
-/// use to control what users are and are not allowed to do
-pub struct Auth {
- pub user_id: ID,
- pub roles: HashSet<String>,
- pub permissions: HashSet<Permission>,
+#[derive(Debug, Display, Error)]
+#[display(fmt = "Unauthorized ({:?}), reason: {:?}", status, reason)]
+/// custom error type for Authorization related errors
+pub struct AuthError {
+ reason: String,
+ status: StatusCode,
 }
 
-impl Auth {
- /// does the user with the id [`self.user_id`](`ID`) have the given `permission`
- pub fn has_permission(&self, permission: String) -> bool {
- self.permissions.contains(&Permission {
- permission,
- from_role: String::new(),
- })
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have all of the given `perms`
- pub fn has_all_permissions(&self, perms: Vec<String>) -> bool {
- perms.iter().all(|p| self.has_permission(p.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have any of the given `perms`
- pub fn has_any_permission(&self, perms: Vec<String>) -> bool {
- perms.iter().any(|p| self.has_permission(p.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have the given `role`
- pub fn has_role(&self, role: String) -> bool {
- self.roles.contains(&role)
+impl AuthError {
+ pub fn new(reason: String, status: StatusCode) -> Self {
+ Self { reason, status }
  }
 
- /// does the user with the id [`self.user_id`](`ID`) have all of the given `roles`
- pub fn has_all_roles(&self, roles: Vec<String>) -> bool {
- roles.iter().all(|r| self.has_role(r.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have any of the given `roles`
- pub fn has_any_roles(&self, roles: Vec<String>) -> bool {
- roles.iter().any(|r| self.has_role(r.to_string()))
+ pub fn reason(reason: String) -> Self {
+ Self {
+ reason,
+ status: StatusCode::UNAUTHORIZED,
+ }
  }
 }
 
-#[derive(Debug, Display, Error)]
-#[display(fmt = "Unauthorized, reason: {}", self.reason)]
-/// custom error type for Authorization related errors
-pub struct AuthError {
- reason: String,
-}
-
 impl ResponseError for AuthError {
  /// builds an [`HttpResponse`] for [`self`](`AuthError`)
  fn error_response(&self) -> HttpResponse {
- // HttpResponse::Unauthorized().json(self.reason.as_str())
- // println!("error_response");
  HttpResponse::build(self.status_code()).body(
  json!({
  "message": self.reason.as_str()
@@ -93,17 +61,17 @@ impl FromRequest for Auth {
  let auth_header_opt: Option<&HeaderValue> = req.headers().get("Authorization");
 
  if auth_header_opt.is_none() {
- return ready(Err(AuthError {
- reason: "Authorization header required".to_string(),
- }));
+ return ready(Err(AuthError::reason(
+ "Authorization header required".to_string(),
+ )));
  }
 
  let access_token_str = auth_header_opt.unwrap().to_str().unwrap_or("");
 
  if !access_token_str.starts_with("Bearer ") {
- return ready(Err(AuthError {
- reason: "Invalid authorization header".to_string(),
- }));
+ return ready(Err(AuthError::reason(
+ "Invalid authorization header".to_string(),
+ )));
  }
 
  let access_token = decode::<AccessTokenClaims>(
@@ -113,9 +81,7 @@ impl FromRequest for Auth {
  );
 
  if access_token.is_err() {
- return ready(Err(AuthError {
- reason: "Invalid access token".to_string(),
- }));
+ return ready(Err(AuthError::reason("Invalid access token".to_string())));
  }
 
  let access_token = access_token.unwrap();
@@ -125,9 +91,7 @@ impl FromRequest for Auth {
  .token_type
  .eq_ignore_ascii_case("access_token")
  {
- return ready(Err(AuthError {
- reason: "Invalid access token".to_string(),
- }));
+ return ready(Err(AuthError::reason("Invalid access token".to_string())));
  }
 
  let user_id = access_token.claims.sub;

create-rust-app/src/auth/extractors/auth_poem.rs

@@ -4,57 +4,13 @@ use poem::{
 };
 use std::collections::HashSet;
 
+use super::auth::Auth;
 use crate::auth::{permissions::Permission, AccessTokenClaims, ID};
 use jsonwebtoken::decode;
 use jsonwebtoken::DecodingKey;
 use jsonwebtoken::Validation;
 use std::iter::FromIterator;
 
-#[derive(Debug, Clone)]
-/// roles and permissions available to a User
-///
-/// use to control what users are and are not allowed to do
-pub struct Auth {
- pub user_id: ID,
- pub roles: HashSet<String>,
- pub permissions: HashSet<Permission>,
-}
-
-impl Auth {
- /// does the user with the id [`self.user_id`](`ID`) have the given `permission`
- pub fn has_permission(&self, permission: String) -> bool {
- self.permissions.contains(&Permission {
- permission,
- from_role: String::new(),
- })
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have all of the given `perms`
- pub fn has_all_permissions(&self, perms: Vec<String>) -> bool {
- perms.iter().all(|p| self.has_permission(p.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have any of the given `perms`
- pub fn has_any_permissions(&self, perms: Vec<String>) -> bool {
- perms.iter().any(|p| self.has_permission(p.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have the given `role`
- pub fn has_role(&self, role: String) -> bool {
- self.roles.contains(&role)
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have all of the given `roles`
- pub fn has_all_roles(&self, roles: Vec<String>) -> bool {
- roles.iter().all(|r| self.has_role(r.to_string()))
- }
-
- /// does the user with the id [`self.user_id`](`ID`) have any of the given `roles`
- pub fn has_any_roles(&self, roles: Vec<String>) -> bool {
- roles.iter().any(|r| self.has_role(r.to_string()))
- }
-}
-
 #[async_trait]
 impl<'a> FromRequest<'a> for Auth {
  /// extracts [`Auth`] from the given [`req`](`Request`)

create-rust-app/src/auth/extractors/mod.rs

@@ -1,9 +1,10 @@
+mod auth;
+pub use auth::Auth;
+
 #[cfg(feature = "backend_actix-web")]
 mod auth_actixweb;
 #[cfg(feature = "backend_actix-web")]
-pub use auth_actixweb::Auth;
+pub use auth_actixweb::AuthError;
 
 #[cfg(feature = "backend_poem")]
 mod auth_poem;
-#[cfg(feature = "backend_poem")]
-pub use auth_poem::Auth;

create-rust-app/src/auth/oidc/controller.rs

@@ -60,7 +60,7 @@ pub async fn oidc_login_url(
 
  let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
 
- // TODO: factor in nonce
+ // TODO: set redirect_uri from provider config
  let (auth_url, csrf_token, nonce) = client
  .authorize_url(
  CoreAuthenticationFlow::AuthorizationCode,

create-rust-app/src/tasks/mod.rs

@@ -16,6 +16,7 @@ pub fn queue() -> &'static Queue {
  static QUEUE: OnceCell<Queue> = OnceCell::new();
 
  QUEUE.get_or_init(|| {
+ // TODO: make the number of connections in the pool configurable
  let db = Database::new();
 
  Queue::builder().connection_pool(db.pool.clone()).build()

create-rust-app_cli/src/plugins/auth.rs

@@ -63,12 +63,12 @@ import { ResetPage } from './containers/ResetPage'"#,
  "frontend/src/App.tsx",
  r#"{/* CRA: routes */}"#,
  r#"{/* CRA: routes */}
-  <Route path="/login" element={<LoginPage />} />
-  <Route path="/recovery" element={<RecoveryPage />} />
-  <Route path="/reset" element={<ResetPage />} />
-  <Route path="/activate" element={<ActivationPage />} />
-  <Route path="/register" element={<RegistrationPage />} />
-  <Route path="/account" element={<AccountPage />} />
+ <Route path="/login" element={<LoginPage />} />
+ <Route path="/recovery" element={<RecoveryPage />} />
+ <Route path="/reset" element={<ResetPage />} />
+ <Route path="/activate" element={<ActivationPage />} />
+ <Route path="/register" element={<RegistrationPage />} />
+ <Route path="/account" element={<AccountPage />} />
  "#,
  )?;
  fs::replace(

create-rust-app_cli/src/plugins/auth_oidc.rs

@@ -188,10 +188,24 @@ completeOIDCLogin"#},
  "frontend/src/hooks/useAuth.tsx",
  "const logout = async ()",
  indoc! {r#"
-const loginOIDC = async (provider: string) => {
+const loginOIDC = async (
+ provider: string,
+ options?: { redirectUrl?: 'current-url' | string }
+) => {
+ if (options?.redirectUrl) {
+ localStorage.setItem(
+ 'create_rust_app_oauth_redirect',
+ options?.redirectUrl === 'current-url'
+ ? window.location.href
+ : options.redirectUrl
+ )
+ } else {
+ localStorage.removeItem('create_rust_app_oauth_redirect')
+ }
+
  window.location.href = `/api/auth/oidc/${provider}`
 }
-
+ 
 const completeOIDCLogin = (): boolean => {
  const params = new URLSearchParams(window.location.search);
  let access_token = params.get('access_token');
@@ -213,6 +227,13 @@ const completeOIDCLogin = (): boolean => {
  hasRole: permissions.hasRole,
  })
 
+
+ if (localStorage.getItem('create_rust_app_oauth_redirect')) {
+ window.location.href = localStorage.getItem(
+ 'create_rust_app_oauth_redirect'
+ ) as string
+ }
+
  return true
  }
 }