feat(api): implemented /account/auth

docs/api.md

@@ -4,7 +4,7 @@
 
 - /account
     - [X] `POST` /register
-    - [ ] `POST` /auth
+    - [X] `POST` /auth
     - [ ] `POST` /delete
     - [ ] `GET`  /blob
     - [ ] `POST` /blob

src/api/endpoints/account/mod.rs

@@ -4,6 +4,8 @@ use crate::backend::Backend;
 use actix_web::{post, web, HttpResponse, Responder};
 use log::error;
 use serde::{Deserialize, Serialize};
+use std::str::FromStr;
+use uuid::Uuid;
 
 #[derive(Debug, Deserialize)]
 struct RegisterRequest {
@@ -13,7 +15,7 @@ struct RegisterRequest {
 
 #[derive(Debug, Serialize)]
 struct RegisterResponse {
-    uuid: String,
+    userid: String,
 }
 
 #[post("/account/register")]
@@ -30,8 +32,39 @@ pub async fn register(
         Ok(res) => match res {
             Err(e) => e.into(),
             Ok(uuid) => HttpResponse::Ok().json(RegisterResponse {
-                uuid: uuid.to_string(),
+                userid: uuid.to_string(),
             }),
         },
     }
 }
+
+#[derive(Debug, Deserialize)]
+struct AuthRequest {
+    userid: String,
+    password: String,
+}
+
+#[derive(Debug, Serialize)]
+struct AuthResponse {
+    token: String,
+}
+
+#[post("/account/auth")]
+pub async fn auth(backend: web::Data<Backend>, body: web::Json<AuthRequest>) -> impl Responder {
+    let body = body.into_inner();
+    let userid = match Uuid::from_str(&body.userid) {
+        Ok(userid) => userid,
+        Err(_) => return HttpResponse::BadRequest().finish(),
+    };
+
+    match backend.authenticate(userid, body.password).await {
+        Err(e) => {
+            error!("{e}");
+            HttpResponse::InternalServerError().finish()
+        }
+        Ok(res) => match res {
+            Err(e) => e.into(),
+            Ok(token) => HttpResponse::Ok().json(AuthResponse { token }),
+        },
+    }
+}

src/api/mod.rs

@@ -11,6 +11,7 @@ pub async fn start(config: &Config, backend: Backend) -> Result<()> {
         App::new()
             .app_data(web::Data::new(backend.clone()))
             .service(endpoints::account::register)
+            .service(endpoints::account::auth)
             .service(endpoints::account::invite::new)
     })
     .bind((config.addr.as_str(), config.port))?;

src/backend/error.rs

@@ -4,15 +4,18 @@ use thiserror::Error;
 
 #[derive(Debug, Error, Serialize, Copy, Clone)]
 pub enum Error {
+    #[error("Failed to authenticate with the given credentials")]
+    AuthenticationFailure,
+
     #[error("The given token is invalid")]
     InvalidToken,
 
-    #[error("The given token is expired")]
-    TokenExpired,
-
     #[error("Permission denied: {0}")]
     PermissionDenied(&'static str),
 
+    #[error("The given token is expired")]
+    TokenExpired,
+
     #[error("The given user cannot be found")]
     UserNotFound,
 }
@@ -31,9 +34,10 @@ impl Into<HttpResponse> for Error {
         };
 
         match self {
+            Error::AuthenticationFailure => HttpResponse::Unauthorized().json(body),
             Error::InvalidToken => HttpResponse::Unauthorized().json(body),
-            Error::TokenExpired => HttpResponse::Gone().json(body),
             Error::PermissionDenied(_) => HttpResponse::Forbidden().json(body),
+            Error::TokenExpired => HttpResponse::Gone().json(body),
             Error::UserNotFound => HttpResponse::NotFound().json(body),
         }
     }

src/backend/mod.rs

@@ -5,7 +5,7 @@ mod user;
 
 use crate::backend::{error::Error, permissions::Permission, user::IntoUser};
 use crate::config::Config;
-use anyhow::Result;
+use anyhow::{bail, Result};
 use argon2::{
     password_hash::{rand_core::OsRng, PasswordHasher, SaltString},
     Argon2,
@@ -99,7 +99,7 @@ impl Backend {
     }
 
     /// Check whether an invite-token is valid or not.
-    async fn check_activation_token(&self, token: &str) -> Result<Result<(), Error>> {
+    async fn check_invite_token(&self, token: &str) -> Result<Result<(), Error>> {
         match sqlx::query_as!(
             InviteTokensRow,
             r#"SELECT * FROM InviteTokens WHERE token = ?;"#,
@@ -149,7 +149,7 @@ impl Backend {
         token: String,
         password: String,
     ) -> Result<Result<Uuid, Error>> {
-        if let Err(e) = self.check_activation_token(&token).await? {
+        if let Err(e) = self.check_invite_token(&token).await? {
             return Ok(Err(e));
         }
 
@@ -173,6 +173,43 @@ impl Backend {
         Ok(Ok(userid))
     }
 
+    /// Generates an auth token for a user, given their UUID and password.
+    pub async fn authenticate(
+        &self,
+        userid: Uuid,
+        password: String,
+    ) -> Result<Result<String, Error>> {
+        let user = match userid.into_user(&self).await? {
+            Ok(user) => user,
+            Err(e) => return Ok(Err(e)),
+        };
+
+        if !user.verify_password(&password)? {
+            return Ok(Err(Error::AuthenticationFailure));
+        }
+
+        let mut token = rand::distributions::Alphanumeric.sample_string(&mut OsRng, 48);
+        // just for the case, that there's some duplication
+        loop {
+            match self.resolve_auth_token(&token).await? {
+                Ok(_) => token = rand::distributions::Alphanumeric.sample_string(&mut OsRng, 48),
+                Err(Error::InvalidToken) | Err(Error::TokenExpired) => break,
+                Err(e) => bail!("!THIS ERROR SHOULDN'T BE HERE! -> {e}"),
+            }
+        }
+
+        sqlx::query!(
+            r#"INSERT INTO AuthTokens VALUES (?, ?, ?);"#,
+            token,
+            userid.as_bytes().as_slice(),
+            Utc::now().naive_utc().checked_add_days(Days::new(14))
+        )
+        .execute(&self.pool)
+        .await?;
+
+        Ok(Ok(token))
+    }
+
     /// Generates a new invite token, if the user identified by the UUID has the permission to do so.
     pub async fn create_invite(&self, user: impl IntoUser) -> Result<Result<String, Error>> {
         let user = match user.into_user(&self).await? {
@@ -188,11 +225,10 @@ impl Backend {
 
         let token = rand::distributions::Alphanumeric.sample_string(&mut OsRng, 48);
 
-        // TODO: change days to 7
         sqlx::query!(
             r#"INSERT INTO InviteTokens VALUES (?, ?);"#,
             token,
-            Utc::now().naive_utc().checked_add_days(Days::new(14))
+            Utc::now().naive_utc().checked_add_days(Days::new(7))
         )
         .execute(&self.pool)
         .await?;

src/backend/user.rs

@@ -2,6 +2,7 @@ use crate::backend::db_structures::UsersRow;
 use crate::backend::error::Error;
 use crate::backend::{permissions::Permission, Backend};
 use anyhow::Result;
+use argon2::PasswordVerifier;
 use std::str::FromStr;
 use uuid::Uuid;
 
@@ -27,6 +28,20 @@ impl User {
         (self.permissions & permission.as_u16()) > 0
     }
 
+    pub fn verify_password(&self, password: &str) -> Result<bool> {
+        let hash = argon2::PasswordHash::new(self.password.as_str()).map_err(|_| {
+            anyhow::Error::msg(format!(
+                "Failed to parse the password hash of user: {}",
+                self.uuid
+            ))
+        })?;
+
+        match argon2::Argon2::default().verify_password(password.as_bytes(), &hash) {
+            Err(_) => Ok(false),
+            Ok(_) => Ok(true),
+        }
+    }
+
     async fn flush(&self, backend: &Backend) -> Result<()> {
         sqlx::query!(
             r#"UPDATE Users SET password = ?, permissions = ? WHERE userid = ?;"#,