2025-04-27 23:11:37 -04:00
|
|
|
use base64::{engine::general_purpose::URL_SAFE as base64url, Engine};
|
|
|
|
|
use serde::{Serialize, Deserialize};
|
|
|
|
|
use tetratto_shared::hash::hash;
|
|
|
|
|
use super::{Result, Error};
|
|
|
|
|
|
2025-05-31 14:38:38 -04:00
|
|
|
#[derive(Clone, Debug, Serialize, Deserialize)]
|
|
|
|
|
pub struct AuthGrant {
|
|
|
|
|
pub id: usize,
|
2025-06-14 14:45:52 -04:00
|
|
|
/// The ID of the application associated with this grant.
|
|
|
|
|
pub app: usize,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// The code challenge for PKCE verifiers associated with this grant.
|
|
|
|
|
///
|
|
|
|
|
/// This challenge is *all* that is required to refresh this grant's auth token.
|
|
|
|
|
/// While there can only be one token at a time, it can be refreshed whenever as long
|
|
|
|
|
/// as the provided verifier matches that of the challenge.
|
|
|
|
|
///
|
|
|
|
|
/// The challenge should never be changed. To change the challenge, the grant
|
|
|
|
|
/// should be removed and recreated.
|
|
|
|
|
pub challenge: String,
|
|
|
|
|
/// The encoding method for the initial verifier in the challenge.
|
|
|
|
|
pub method: PkceChallengeMethod,
|
|
|
|
|
/// The access token associated with the account. This is **not** the same as
|
|
|
|
|
/// regular account access tokens, as the token can only be used with the requested `scopes`.
|
|
|
|
|
pub token: String,
|
|
|
|
|
/// Scopes define what the grant's token is actually allowed to do.
|
|
|
|
|
///
|
|
|
|
|
/// No scope shall ever be allowed to change scopes or manage grants on behalf of the user.
|
|
|
|
|
/// A regular user token **must** be provided to manage grants.
|
|
|
|
|
pub scopes: Vec<AppScope>,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
|
2025-04-27 23:11:37 -04:00
|
|
|
pub enum PkceChallengeMethod {
|
|
|
|
|
S256,
|
|
|
|
|
}
|
|
|
|
|
|
2025-05-31 14:38:38 -04:00
|
|
|
#[derive(Clone, Debug, Serialize, Deserialize, PartialEq, Eq)]
|
2025-04-27 23:11:37 -04:00
|
|
|
pub enum AppScope {
|
2025-06-13 17:47:00 -04:00
|
|
|
/// Read the profile of other user's on behalf of the user.
|
|
|
|
|
UserReadProfiles,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Read the user's profile (username, bio, etc).
|
2025-04-27 23:11:37 -04:00
|
|
|
UserReadProfile,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Read the user's settings.
|
|
|
|
|
UserReadSettings,
|
|
|
|
|
/// Read the user's sessions and info.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserReadSessions,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Read posts as the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserReadPosts,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Read messages as the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserReadMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Read drafts as the user.
|
|
|
|
|
UserReadDrafts,
|
|
|
|
|
/// Read the user's communities.
|
|
|
|
|
UserReadCommunities,
|
|
|
|
|
/// Connect to sockets on the user's behalf.
|
|
|
|
|
UserReadSockets,
|
2025-06-13 17:47:00 -04:00
|
|
|
/// Read the user's notifications.
|
|
|
|
|
UserReadNotifications,
|
|
|
|
|
/// Read the user's requests.
|
|
|
|
|
UserReadRequests,
|
2025-06-13 23:25:10 -04:00
|
|
|
/// Read questions as the user.
|
|
|
|
|
UserReadQuestions,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Create posts as the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserCreatePosts,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Create messages as the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserCreateMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Ask questions as the user.
|
|
|
|
|
UserCreateQuestions,
|
|
|
|
|
/// Create IP blocks as the user.
|
|
|
|
|
UserCreateIpBlock,
|
|
|
|
|
/// Create drafts on behalf of the user.
|
|
|
|
|
UserCreateDrafts,
|
|
|
|
|
/// Create communities on behalf of the user.
|
|
|
|
|
UserCreateCommunities,
|
2025-06-13 22:07:36 -04:00
|
|
|
/// Create stacks on behalf of the user.
|
|
|
|
|
UserCreateStacks,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Delete posts owned by the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserDeletePosts,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Delete messages owned by the user.
|
2025-05-04 16:19:34 -04:00
|
|
|
UserDeleteMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Delete questions as the user.
|
|
|
|
|
UserDeleteQuestions,
|
|
|
|
|
/// Delete drafts as the user.
|
|
|
|
|
UserDeleteDrafts,
|
|
|
|
|
/// Edit the user's settings and upload avatars/banners on behalf of the user.
|
|
|
|
|
UserManageProfile,
|
2025-05-31 14:38:38 -04:00
|
|
|
/// Manage stacks owned by the user.
|
|
|
|
|
UserManageStacks,
|
|
|
|
|
/// Manage the user's following/unfollowing.
|
|
|
|
|
UserManageRelationships,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Manage the user's community memberships.
|
|
|
|
|
///
|
|
|
|
|
/// Also includes managing the membership of users in the user's communities.
|
|
|
|
|
UserManageMemberships,
|
2025-06-13 17:47:00 -04:00
|
|
|
/// Follow/unfollow users on behalf of the user.
|
|
|
|
|
UserManageFollowing,
|
|
|
|
|
/// Accept follow requests on behalf of the user.
|
|
|
|
|
UserManageFollowers,
|
|
|
|
|
/// Block/unblock users on behalf of the user.
|
|
|
|
|
UserManageBlocks,
|
|
|
|
|
/// Manage the user's notifications.
|
|
|
|
|
UserManageNotifications,
|
|
|
|
|
/// Manage the user's requests.
|
|
|
|
|
UserManageRequests,
|
2025-06-13 22:07:36 -04:00
|
|
|
/// Manage the user's uploads.
|
|
|
|
|
UserManageUploads,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Edit posts created by the user.
|
|
|
|
|
UserEditPosts,
|
|
|
|
|
/// Edit drafts created by the user.
|
|
|
|
|
UserEditDrafts,
|
|
|
|
|
/// Vote in polls as the user.
|
|
|
|
|
UserVote,
|
2025-06-13 22:07:36 -04:00
|
|
|
/// React to posts on behalf of the user. Also allows the removal of reactions.
|
|
|
|
|
UserReact,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Join communities on behalf of the user.
|
|
|
|
|
UserJoinCommunities,
|
|
|
|
|
/// Permanently delete posts.
|
|
|
|
|
ModPurgePosts,
|
|
|
|
|
/// Restore deleted posts.
|
|
|
|
|
ModDeletePosts,
|
2025-06-13 17:47:00 -04:00
|
|
|
/// Manage user warnings.
|
|
|
|
|
ModManageWarnings,
|
2025-06-13 12:49:09 -04:00
|
|
|
/// Get a list of all emojis available to the user.
|
|
|
|
|
UserReadEmojis,
|
|
|
|
|
/// Create emojis on behalf of the user.
|
|
|
|
|
CommunityCreateEmojis,
|
|
|
|
|
/// Manage emojis on behalf of the user.
|
|
|
|
|
CommunityManageEmojis,
|
|
|
|
|
/// Delete communities on behalf of the user.
|
|
|
|
|
CommunityDelete,
|
|
|
|
|
/// Manage communities on behalf of the user.
|
|
|
|
|
CommunityManage,
|
|
|
|
|
/// Transfer ownership of communities on behalf of the user.
|
|
|
|
|
CommunityTransferOwnership,
|
|
|
|
|
/// Read the membership of users in communities owned by the current user.
|
|
|
|
|
CommunityReadMemberships,
|
2025-06-13 22:07:36 -04:00
|
|
|
/// Create channels in the user's communities.
|
|
|
|
|
CommunityCreateChannels,
|
|
|
|
|
/// Manage channels in the user's communities.
|
|
|
|
|
CommunityManageChannels,
|
2025-05-04 16:19:34 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl AppScope {
|
|
|
|
|
/// Parse the given input string as a list of scopes.
|
|
|
|
|
pub fn parse(input: &str) -> Vec<AppScope> {
|
|
|
|
|
let mut out: Vec<AppScope> = Vec::new();
|
|
|
|
|
for scope in input.split(" ") {
|
|
|
|
|
out.push(match scope {
|
2025-06-13 17:47:00 -04:00
|
|
|
"user-read-profiles" => Self::UserReadProfiles,
|
2025-05-04 16:19:34 -04:00
|
|
|
"user-read-profile" => Self::UserReadProfile,
|
2025-05-31 14:38:38 -04:00
|
|
|
"user-read-settings" => Self::UserReadSettings,
|
2025-05-04 16:19:34 -04:00
|
|
|
"user-read-sessions" => Self::UserReadSessions,
|
|
|
|
|
"user-read-posts" => Self::UserReadPosts,
|
|
|
|
|
"user-read-messages" => Self::UserReadMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-read-drafts" => Self::UserReadDrafts,
|
|
|
|
|
"user-read-communities" => Self::UserReadCommunities,
|
|
|
|
|
"user-read-sockets" => Self::UserReadSockets,
|
2025-06-13 17:47:00 -04:00
|
|
|
"user-read-notifications" => Self::UserReadNotifications,
|
|
|
|
|
"user-read-requests" => Self::UserReadRequests,
|
2025-06-13 23:25:10 -04:00
|
|
|
"user-read-questions" => Self::UserReadQuestions,
|
2025-05-04 16:19:34 -04:00
|
|
|
"user-create-posts" => Self::UserCreatePosts,
|
|
|
|
|
"user-create-messages" => Self::UserCreateMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-create-questions" => Self::UserCreateQuestions,
|
|
|
|
|
"user-create-ip-blocks" => Self::UserCreateIpBlock,
|
|
|
|
|
"user-create-drafts" => Self::UserCreateDrafts,
|
|
|
|
|
"user-create-communities" => Self::UserCreateCommunities,
|
2025-05-04 16:19:34 -04:00
|
|
|
"user-delete-posts" => Self::UserDeletePosts,
|
|
|
|
|
"user-delete-messages" => Self::UserDeleteMessages,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-delete-questions" => Self::UserDeleteQuestions,
|
|
|
|
|
"user-delete-drafts" => Self::UserDeleteDrafts,
|
|
|
|
|
"user-manage-profile" => Self::UserManageProfile,
|
2025-05-31 14:38:38 -04:00
|
|
|
"user-manage-stacks" => Self::UserManageStacks,
|
|
|
|
|
"user-manage-relationships" => Self::UserManageRelationships,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-manage-memberships" => Self::UserManageMemberships,
|
2025-06-13 17:47:00 -04:00
|
|
|
"user-manage-following" => Self::UserManageFollowing,
|
|
|
|
|
"user-manage-followers" => Self::UserManageFollowers,
|
|
|
|
|
"user-manage-blocks" => Self::UserManageBlocks,
|
|
|
|
|
"user-manage-notifications" => Self::UserManageNotifications,
|
|
|
|
|
"user-manage-requests" => Self::UserManageRequests,
|
2025-06-13 22:07:36 -04:00
|
|
|
"user-manage-uploads" => Self::UserManageUploads,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-edit-posts" => Self::UserEditPosts,
|
|
|
|
|
"user-edit-drafts" => Self::UserEditDrafts,
|
|
|
|
|
"user-vote" => Self::UserVote,
|
2025-06-13 22:07:36 -04:00
|
|
|
"user-react" => Self::UserReact,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-join-communities" => Self::UserJoinCommunities,
|
|
|
|
|
"mod-purge-posts" => Self::ModPurgePosts,
|
|
|
|
|
"mod-delete-posts" => Self::ModDeletePosts,
|
2025-06-13 17:47:00 -04:00
|
|
|
"mod-manage-warnings" => Self::ModManageWarnings,
|
2025-06-13 12:49:09 -04:00
|
|
|
"user-read-emojis" => Self::UserReadEmojis,
|
|
|
|
|
"community-create-emojis" => Self::CommunityCreateEmojis,
|
|
|
|
|
"community-manage-emojis" => Self::CommunityManageEmojis,
|
|
|
|
|
"community-delete" => Self::CommunityDelete,
|
|
|
|
|
"community-manage" => Self::CommunityManage,
|
|
|
|
|
"community-transfer-ownership" => Self::CommunityTransferOwnership,
|
|
|
|
|
"community-read-memberships" => Self::CommunityReadMemberships,
|
2025-06-13 22:07:36 -04:00
|
|
|
"community-create-channels" => Self::CommunityCreateChannels,
|
|
|
|
|
"community-manage-channels" => Self::CommunityManageChannels,
|
2025-05-04 16:19:34 -04:00
|
|
|
_ => continue,
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
out
|
|
|
|
|
}
|
2025-04-27 23:11:37 -04:00
|
|
|
}
|
|
|
|
|
|
2025-06-13 12:49:09 -04:00
|
|
|
impl AuthGrant {
|
|
|
|
|
/// Check a verifier against the stored challenge (using the given [`PkceChallengeMethod`]).
|
|
|
|
|
pub fn check_verifier(&self, verifier: &str) -> Result<()> {
|
|
|
|
|
if self.method != PkceChallengeMethod::S256 {
|
|
|
|
|
return Err(Error::MiscError("only S256 is supported".to_string()));
|
|
|
|
|
}
|
2025-04-27 23:11:37 -04:00
|
|
|
|
2025-06-13 12:49:09 -04:00
|
|
|
let decoded = match base64url.decode(self.challenge.as_bytes()) {
|
|
|
|
|
Ok(hash) => hash,
|
|
|
|
|
Err(e) => return Err(Error::MiscError(e.to_string())),
|
|
|
|
|
};
|
2025-04-27 23:11:37 -04:00
|
|
|
|
2025-06-13 12:49:09 -04:00
|
|
|
let hash = hash(verifier.to_string());
|
2025-04-27 23:11:37 -04:00
|
|
|
|
2025-06-13 12:49:09 -04:00
|
|
|
if hash.as_bytes() != decoded {
|
|
|
|
|
// the verifier we received does not match the verifier from the stored challenge
|
|
|
|
|
return Err(Error::NotAllowed);
|
|
|
|
|
}
|
2025-04-27 23:11:37 -04:00
|
|
|
|
2025-06-13 12:49:09 -04:00
|
|
|
Ok(())
|
|
|
|
|
}
|
2025-04-27 23:11:37 -04:00
|
|
|
}
|
