implement config + Pull SSO data from config

.env.sample

@@ -1 +1,2 @@
-DATABASE_URL=postgresql://server:5432/database?user=user&password=password&connectTimeout=30&currentSchema=storage;
+DATABASE_URL=postgresql://server:5432/database?user=user&password=password&connectTimeout=30&currentSchema=storage;
+STORAGE_AUTH_OIDC_ISSUER_URL = ""

Cargo.lock

@@ -3284,6 +3284,7 @@ dependencies = [
  "bcrypt",
  "chrono",
  "dotenvy",
+ "figment",
  "humanize-bytes",
  "int-enum",
  "log",

Cargo.toml

@@ -26,3 +26,4 @@ bcrypt = "0.17.0"
 openidconnect = "4.0.0"
 reqwest = "0.12.15"
 moka = { version = "0.12.10", features = ["future"] }
+figment = "0.10.19"

config.sample.toml

@@ -1,25 +1,41 @@
 [general]
 listen_ip = "0.0.0.0"
-listen_port = 80
-# if under reverse proxy
+listen_port = 8080
+
+# The public facing url, this is where users will access the app
+# Used for OIDC callbacks
+# - if under reverse proxy (nginx, traefik, caddy, etc):
 #public_url = "https://storage.example.com"
-#public_port = 443
 public_url = "http://localhost:8080"
-public_port = 80
 
 [backends.local]
 path = "/var/tmp/test"
 
 [auth]
-enable_registration = true
-oidc_enabled = true
-# Where the .well-known/openid-configuration exists
-oidc_issuer_url = "https://accounts.example.com"
-oidc_client_id = ""
-oidc_client_secret = ""
-oidc_claims = []
+# Is account registration disabled? Users will not be able to create
+# a new account with email/username + pass
+disable_registration = false
+[auth.oidc]
+enabled = true
+# The url the .well-known/openid-configuration exists, this can be a subpath
+# Example, for authentik: https://sso.example.com/application/o/YOURAPPSLUG
+issuer_url = ""
+client_id = ""
+client_secret = ""
+claims = ["email", "profile"]
 # Should an account be created if SSO user id doesn't exist already
-oidc_create_account = true
+create_account = true
+# Should normal login (username/email+pass) be disabled, forcing users to use sso?
+disable_normal_login = false
 
 [smtp]
-# TODO: 
+enabled = false
+hostname = "smtp.example.com"
+port = 587
+username = ""
+password = ""
+# Name to be used for emails, defaults to public_url's domain
+#from_name = ""
+# The email address to send as, defaults to username
+#from_address = ""
+tls = "none" # "none", "starttls" or "tls"

src/config.rs

@@ -1,27 +1,92 @@
-use rocket::serde::{Serialize,Deserialize};
+use std::collections::HashMap;
+use std::env::var;
+use figment::Figment;
+use figment::providers::{Env, Format, Toml};
+use log::error;
+use openidconnect::core::{CoreClient, CoreProviderMetadata};
+use openidconnect::IssuerUrl;
+use openidconnect::url::Url;
+use rocket::serde::{Serialize, Deserialize};
 
 #[derive(Debug, Serialize, Deserialize)]
-pub struct Config {
-    general: GeneralConfig,
-    auth: AuthConfig,
-    smtp: EmailConfig
+#[serde(rename_all = "kebab-case")]
+pub struct AppConfig {
+    pub general: GeneralConfig,
+    pub auth: AuthConfig,
+    pub smtp: Option<EmailConfig>
 }
 
+pub fn get_settings() -> AppConfig {
+    let f = Figment::new()
+        .merge(Toml::file("config.toml"))
+        .merge(Env::prefixed("STORAGE_")
+            .map(|f| f.as_str().replace("__", "-").into()))
+        .extract();
+    match f {
+        Ok(settings) => settings,
+        Err(e) => {
+            error!("Failed to read configuration");
+            error!("{}", e);
+            std::process::exit(1);
+        }
+    }
+}
+
+
+
+
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
 pub struct GeneralConfig {
     pub listen_ip: Option<String>,
-    pub listen_port: Option<u32>
+    pub listen_port: Option<u16>,
+    pub public_url: String,
+    pub database_url: Option<String>,
+}
+impl GeneralConfig {
+    pub fn get_public_url(&self) -> Url {
+        self.public_url.parse().expect("failed to parse general.public-url")
+    }
 }
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
 pub struct AuthConfig {
     pub disable_registration: bool,
-    pub openid_enabled: Option<bool>,
-    pub openid_issuer_url: Option<String>,
-    pub openid_client_id: Option<String>,
-    pub openid_client_secret: Option<String>
+    pub oidc: Option<OidcConfig>,
+}
 
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[serde(rename_all = "kebab-case")]
+pub struct OidcConfig {
+    #[serde(default)]
+    pub enabled: bool,
+    pub issuer_url: String,
+    pub client_id: String,
+    pub client_secret: String,
+    #[serde(default)]
+    pub claims: Vec<String>,
+    #[serde(default)]
+    pub create_account: bool,
+    #[serde(default)]
+    pub disable_normal_login: bool
 }
 #[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "lowercase")]
+pub enum SmtpEncryption {
+    None,
+    StartTls,
+    Tls
+}
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
 pub struct EmailConfig {
-
-}
+    #[serde(default)]
+    pub enabled: bool,
+    pub hostname: String,
+    pub  port: u16,
+    pub username: String,
+    pub password: String,
+    pub tls: Option<SmtpEncryption>,
+    pub from_name: Option<String>,
+    pub from_email: Option<String>,
+}

src/consts.rs

@@ -4,6 +4,7 @@ use std::sync::{LazyLock, OnceLock};
 use std::time::Duration;
 use rocket::data::ByteUnit;
 use rocket::serde::Serialize;
+use crate::GlobalMetadata;
 
 /// The maximum amount of bytes that can be uploaded at once
 pub const MAX_UPLOAD_SIZE: ByteUnit = ByteUnit::Mebibyte(100_000);
@@ -32,5 +33,12 @@ pub const FILE_CONSTANTS: FileConstants = FileConstants {
 pub static DISABLE_LOGIN_CHECK: LazyLock<bool> = LazyLock::new(|| {
     env::var("DANGER_DISABLE_LOGIN_CHECKS").is_ok()
 });
+pub static APP_METADATA: LazyLock<GlobalMetadata> = LazyLock::new(|| {
+    GlobalMetadata {
+        app_name: env!("CARGO_PKG_NAME").to_string(),
+        app_version: env!("CARGO_PKG_VERSION").to_string(),
+        repo_url: env!("CARGO_PKG_REPOSITORY").to_string(),
+    }
+});
 pub fn init_statics() {
 }

src/main.rs

@@ -1,4 +1,4 @@
-use std::net::IpAddr;
+use std::net::{IpAddr, SocketAddr};
 use std::sync::Arc;
 use std::time::Duration;
 use log::{debug, error, info, trace, warn};
@@ -22,9 +22,11 @@ use tracing_subscriber::fmt::writer::MakeWriterExt;
 use crate::managers::libraries::LibraryManager;
 use crate::managers::repos::RepoManager;
 use crate::objs::library::Library;
-use crate::util::{setup_logger, JsonErrorResponse, ResponseError};
+use crate::util::{setup_db, setup_logger, setup_session_store, JsonErrorResponse, ResponseError};
 use routes::api;
+use crate::config::{get_settings, AppConfig};
 use crate::consts::{init_statics, SESSION_COOKIE_NAME, SESSION_LIFETIME_SECONDS};
+use crate::managers::sso::{SSOState, SSO};
 use crate::models::user::UserModel;
 use crate::routes::ui;
 
@@ -78,16 +80,25 @@ async fn rocket() -> _ {
     warn!("warn");
     error!("error");
 
-    // TODO: move to own fn
-    let pool = PgPoolOptions::new()
-        .max_connections(5)
-        .connect(std::env::var("DATABASE_URL").unwrap().as_str())
-        .await
-        .unwrap();
-
-    migrate!("./migrations")
-        .run(&pool)
-        .await.unwrap();
+    let settings: AppConfig = get_settings();
+    info!("Auth | Registration={} Login={} | OIDC={} CreateAccount={}",
+        if settings.auth.disable_registration { "N" } else { "Y" },
+        settings.auth.oidc.as_ref().map(|oidc| if oidc.disable_normal_login { "N" } else { "Y" } ).unwrap_or("Y"),
+        settings.auth.oidc.as_ref().map(|oidc| if oidc.enabled { "Y" } else { "N" } ).unwrap_or("N"),
+        settings.auth.oidc.as_ref().map(|oidc| if oidc.create_account { "Y" } else { "N" }).unwrap_or("-"),
+    );
+    let listen_ip: IpAddr = settings.general.listen_ip.as_ref()
+        .map(|s| s.to_string())
+        .unwrap_or_else(||"0.0.0.0".to_string())
+        .parse().expect("bad listen ip");
+    let listen_addr = SocketAddr::new(listen_ip, settings.general.listen_port.unwrap_or(8080));
+    info!("Listening on {} | Public URL: {}", listen_addr, settings.general.public_url);
+    if let Some(ref smtp) = settings.smtp {
+        if smtp.enabled {
+            info!("SMTP Enabled");
+        }
+    }
+    let pool = setup_db().await;
 
     let repo_manager = {
         let mut manager = RepoManager::new(pool.clone());
@@ -100,32 +111,21 @@ async fn rocket() -> _ {
     };
 
     // TODO: move to own func
-    let memory_store: MemoryStore::<SessionData> = MemoryStore::default();
-    let store: SessionStore<SessionData> = SessionStore {
-        store: Box::new(memory_store),
-        name: SESSION_COOKIE_NAME.into(),
-        duration: Duration::from_secs(SESSION_LIFETIME_SECONDS),
-        // The cookie builder is used to set the cookie's path and other options.
-        // Name and value don't matter, they'll be overridden on each request.
-        cookie_builder: CookieBuilder::new("", "")
-            // Most web apps will want to use "/", but if your app is served from
-            // `example.com/myapp/` for example you may want to use "/myapp/" (note the trailing
-            // slash which prevents the cookie from being sent for `example.com/myapp2/`).
-            .path("/")
+    let store = setup_session_store();
+    let sso: SSOState = {
+        if settings.auth.oidc.is_some() { Some(Arc::new(Mutex::new(SSO::create(&settings).await)) ) } else { None }
     };
 
-    // TODO: move to constants
-    let metadata = GlobalMetadata {
-        app_name: env!("CARGO_PKG_NAME").to_string(),
-        app_version: env!("CARGO_PKG_VERSION").to_string(),
-        repo_url: env!("CARGO_PKG_REPOSITORY").to_string(),
-    };
+    let figment = rocket::Config::figment()
+        .merge(("port", listen_addr.port()))
+        .merge(("address", listen_addr.ip()));
 
-    rocket::build()
+    rocket::custom(figment)
         .manage(pool)
         .manage(repo_manager)
         .manage(libraries_manager)
-        .manage(metadata)
+        .manage(settings)
+        .manage(sso)
 
         .attach(store.fairing())
         .attach(Template::custom(|engines| {

src/managers.rs

@@ -1,2 +1,3 @@
 pub mod repos;
-pub mod libraries;
+pub mod libraries;
+pub mod sso;

src/managers/sso.rs

@@ -0,0 +1,148 @@
+use std::env::var;
+use std::net::IpAddr;
+use std::sync::{Arc, LazyLock};
+use std::time::Duration;
+use anyhow::anyhow;
+use log::warn;
+use moka::future::Cache;
+use openidconnect::core::{CoreAuthDisplay, CoreAuthPrompt, CoreClaimName, CoreClient, CoreErrorResponseType, CoreGenderClaim, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreProviderMetadata, CoreRevocableToken, CoreRevocationErrorResponse, CoreTokenIntrospectionResponse, CoreTokenResponse};
+use openidconnect::http::{HeaderMap, HeaderValue};
+use openidconnect::{Client, ClientId, ClientSecret, CsrfToken, EmptyAdditionalClaims, EndpointMaybeSet, EndpointNotSet, EndpointSet, IssuerUrl, Nonce, ProviderMetadata, RedirectUrl, Scope, StandardErrorResponse};
+use openidconnect::url::ParseError;
+use rocket::yansi::Paint;
+use tokio::sync::Mutex;
+use crate::config::{AppConfig, OidcConfig};
+
+pub struct SSO {
+    http_client: reqwest::Client,
+    issuer_url: IssuerUrl,
+    client_id: ClientId,
+    client_secret: Option<ClientSecret>,
+    public_url: String,
+    scopes: Vec<String>,
+    cache: Cache<IpAddr, SSOSessionData>,
+}
+pub struct HttpProxySettings {
+    url: String,
+    disable_cert_check: bool
+}
+
+#[derive(Clone)]
+pub struct SSOSessionData {
+    pub pkce_challenge: String,
+    pub nonce: Nonce,
+    pub csrf_token: CsrfToken,
+    pub return_to: Option<String>
+    // ip: IpAddr,
+}
+pub type SSOState = Option<Arc<Mutex<SSO>>>;
+impl SSO {
+    pub async fn create(config: &AppConfig) -> Self {
+        let oidc_config = config.auth.oidc.as_ref().expect("OIDC config not provided");
+        let referer = config.general.get_public_url().domain().map(|s| s.to_string());
+        let http_client = SSO::setup_http_client(referer, None);
+        let issuer_url = IssuerUrl::new(oidc_config.issuer_url.to_string()).expect("bad issuer url");
+        let client_id = ClientId::new(oidc_config.client_id.to_string());
+        let client_secret = Some(ClientSecret::new(oidc_config.client_secret.to_string()));
+        let cache = Self::setup_cache();
+        Self {
+            http_client,
+            issuer_url,
+            client_id,
+            client_secret,
+            cache,
+            scopes: oidc_config.claims.to_owned(),
+            public_url: config.general.public_url.to_string(),
+        }
+    }
+
+    fn setup_cache() -> Cache<IpAddr, SSOSessionData> {
+        Cache::builder()
+            .time_to_live(Duration::from_secs(120))
+            .max_capacity(100)
+            .build()
+    }
+
+    fn setup_http_client(referer: Option<String>, proxy_settings: Option<HttpProxySettings>) -> reqwest::Client {
+        let mut headers = HeaderMap::new();
+        // TODO: pull from config.
+        // Set referrer as some providers (authentik) block POST w/o referrer
+        if let Some(ref referer) = referer {
+            headers.insert("Referer", referer.parse().expect("bad referer"));
+        }
+        let mut builder = reqwest::ClientBuilder::new()
+            // Following redirects opens the client up to SSRF vulnerabilities.
+            .redirect(reqwest::redirect::Policy::none())
+            .default_headers(headers);
+        if let Some(proxy) = proxy_settings {
+            warn!("DANGER_DEV_PROXY set, requests are being proxied & ignoring certificates");
+            builder = builder
+                .proxy(reqwest::Proxy::https(proxy.url).unwrap())
+                .danger_accept_invalid_certs(proxy.disable_cert_check);
+        };
+        builder.build().expect("Client should build")
+    }
+    pub fn http_client(&self) -> &reqwest::Client {
+        &self.http_client
+    }
+
+    pub async fn create_client(&self) -> Result<OidcClient, anyhow::Error> {
+        let provider_metadata = CoreProviderMetadata::discover_async(
+            /* TODO: pull from config */
+            self.issuer_url.clone(),
+            &self.http_client,
+        ).await.map_err(|e| anyhow!(e.to_string()))?;
+        Ok(CoreClient::from_provider_metadata(
+            provider_metadata,
+            // TODO: pull from config
+            self.client_id.clone(),
+            self.client_secret.clone(),
+        ))
+    }
+
+    pub async fn create_client_redirect(&self) -> Result<OidcClient, anyhow::Error> {
+        let redirect_url = RedirectUrl::new( format!("{}/auth/sso/cb", self.public_url))
+            .map_err(|e: ParseError | anyhow!(e))?;
+        let client = self.create_client().await?;
+        Ok(client.set_redirect_uri(redirect_url))
+    }
+
+    pub fn scopes(&self) -> Vec<Scope> {
+        self.scopes.iter().map(|c| Scope::new(c.to_string())).collect()
+    }
+
+    pub async fn cache_set(&mut self, ip: IpAddr, data: SSOSessionData) {
+        self.cache.insert(ip, data).await;
+    }
+
+    pub async fn cache_take(&mut self, ip: IpAddr) -> Option<SSOSessionData> {
+        self.cache.remove(&ip).await
+    }
+}
+// From https://github.com/IgnisDa/ryot/blob/75a1379f743b412df0e42fc88177d18cd34d48d7/crates/utils/application/src/lib.rs#L141C31-L148C2
+pub type OidcClient<
+    HasAuthUrl = EndpointSet,
+    HasDeviceAuthUrl = EndpointNotSet,
+    HasIntrospectionUrl = EndpointNotSet,
+    HasRevocationUrl = EndpointNotSet,
+    HasTokenUrl = EndpointMaybeSet,
+    HasUserInfoUrl = EndpointMaybeSet,
+> = Client<
+    EmptyAdditionalClaims,
+    CoreAuthDisplay,
+    CoreGenderClaim,
+    CoreJweContentEncryptionAlgorithm,
+    CoreJsonWebKey,
+    CoreAuthPrompt,
+    StandardErrorResponse<CoreErrorResponseType>,
+    CoreTokenResponse,
+    CoreTokenIntrospectionResponse,
+    CoreRevocableToken,
+    CoreRevocationErrorResponse,
+    HasAuthUrl,
+    HasDeviceAuthUrl,
+    HasIntrospectionUrl,
+    HasRevocationUrl,
+    HasTokenUrl,
+    HasUserInfoUrl,
+>;

src/routes/ui/auth.rs

@@ -22,9 +22,17 @@ pub mod register;
 
 pub mod sso;
 
+#[derive(Responder)]
+#[response(status = 302)]
+struct HackyRedirectBecauseRocketBug {
+    inner: String,
+    location: Header<'static>,
+}
+
 #[get("/logout")]
 pub async fn logout(session: Session<'_, SessionData>, user: AuthUser) -> Redirect {
     session.remove().await.unwrap();
     Redirect::to(uri!(login::page(_, Some(true))))
 }
 
+

src/routes/ui/auth/forgot_password.rs

@@ -3,13 +3,13 @@ use rocket::form::{Context, Contextual, Form};
 use rocket_dyn_templates::{context, Template};
 use rocket_session_store::Session;
 use crate::{GlobalMetadata, SessionData};
+use crate::consts::APP_METADATA;
 use crate::util::set_csrf;
 
 #[get("/auth/forgot-password?<return_to>")]
 pub async fn page(
     route: &Route,
     session: Session<'_, SessionData>,
-    meta: &State<GlobalMetadata>,
     return_to: Option<String>,
 ) -> Template {
     // TODO: redirect if already logged in
@@ -19,7 +19,7 @@ pub async fn page(
         csrf_token: csrf_token,
         form: &Context::default(),
         return_to,
-        meta: meta.inner()
+        meta: APP_METADATA.clone()
     })
 }
 

src/routes/ui/auth/login.rs

@@ -6,15 +6,15 @@ use rocket::http::{Header, Status};
 use rocket_dyn_templates::{context, Template};
 use rocket_session_store::Session;
 use crate::{GlobalMetadata, LoginSessionData, SessionData, DB};
-use crate::consts::DISABLE_LOGIN_CHECK;
+use crate::consts::{APP_METADATA, DISABLE_LOGIN_CHECK};
 use crate::models::user::validate_user_form;
+use crate::routes::ui::auth::HackyRedirectBecauseRocketBug;
 use crate::util::{set_csrf, validate_csrf_form};
 
 #[get("/auth/login?<return_to>&<logged_out>")]
 pub async fn page(
     route: &Route,
     session: Session<'_, SessionData>,
-    meta: &State<GlobalMetadata>,
     return_to: Option<String>,
     logged_out: Option<bool>
 ) -> Template {
@@ -26,7 +26,7 @@ pub async fn page(
         form: &Context::default(),
         return_to,
         logged_out,
-        meta: meta.inner()
+        meta: APP_METADATA.clone()
     })
 }
 
@@ -43,20 +43,12 @@ struct LoginForm<'r> {
 }
 
 
-#[derive(Responder)]
-#[response(status = 302)]
-struct HackyRedirectBecauseRocketBug {
-    inner: String,
-    location: Header<'static>,
-}
-
 #[post("/auth/login?<return_to>", data = "<form>")]
 pub async fn handler(
     pool: &State<DB>,
     route: &Route,
     ip_addr: IpAddr,
     session: Session<'_, SessionData>,
-    meta: &State<GlobalMetadata>,
     mut form: Form<Contextual<'_, LoginForm<'_>>>,
     return_to: Option<String>,
 ) -> Result<HackyRedirectBecauseRocketBug, Template> {
@@ -95,7 +87,7 @@ pub async fn handler(
         csrf_token: csrf_token,
         form: &form.context,
         return_to,
-        meta: meta.inner()
+        meta: APP_METADATA.clone()
     };
     Err(Template::render("auth/login", &ctx))
 }

src/routes/ui/auth/register.rs

@@ -2,15 +2,16 @@ use rocket::{get, post, Route, State};
 use rocket_dyn_templates::{context, Template};
 use rocket_session_store::Session;
 use crate::{GlobalMetadata, SessionData};
+use crate::consts::APP_METADATA;
 use crate::util::set_csrf;
 
 #[get("/auth/register")]
-pub async fn page(route: &Route, session: Session<'_, SessionData>, meta: &State<GlobalMetadata>) -> Template {
+pub async fn page(route: &Route, session: Session<'_, SessionData>) -> Template {
     let csrf_token = set_csrf(&session).await;
     Template::render("auth/register", context! {
         route: route.uri.path(),
         csrf_token: csrf_token,
-        meta: meta.inner()
+        meta: APP_METADATA.clone()
     })
 }
 

src/routes/ui/auth/sso.rs

@@ -2,10 +2,10 @@ use std::env::var;
 use std::net::IpAddr;
 use std::sync::{LazyLock, OnceLock};
 use std::time::Duration;
-use anyhow::anyhow;
-use log::warn;
+use anyhow::{anyhow, Error};
+use log::{debug, warn};
 use moka::future::Cache;
-use rocket::{get, post, uri};
+use rocket::{get, post, uri, State};
 use rocket::response::Redirect;
 use rocket_session_store::Session;
 use crate::guards::AuthUser;
@@ -14,60 +14,16 @@ use openidconnect::{reqwest, AccessTokenHash, AsyncHttpClient, AuthenticationFlo
 use openidconnect::core::{CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreGenderClaim, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreProviderMetadata, CoreTokenResponse, CoreUserInfoClaims};
 use openidconnect::http::HeaderValue;
 use reqwest::header::HeaderMap;
-// TODO: not have this lazy somehow, move to OnceLock and have fn to refresh it? (own module?)
-// and/or also move to State<>
+use rocket::http::{Header, Status};
+use rocket_dyn_templates::{context, Template};
+use tokio::sync::MutexGuard;
+use crate::managers::sso::{SSOSessionData, SSOState, SSO};
+use crate::routes::ui::auth::HackyRedirectBecauseRocketBug;
 
-static HTTP_CLIENT: LazyLock<reqwest::Client> = LazyLock::new(|| {
-    let mut headers = HeaderMap::new();
-    // TODO: pull from config.
-    // Set referrer as some providers (authentik) block POST w/o referrer
-    headers.insert("Referer", HeaderValue::from_static("http://localhost:8080"));
-    let mut builder = reqwest::ClientBuilder::new()
-        // Following redirects opens the client up to SSRF vulnerabilities.
-        .redirect(reqwest::redirect::Policy::none())
-        .default_headers(headers);
-    if var("DANGER_DEV_PROXY").is_ok() {
-        warn!("DANGER_DEV_PROXY set, requests are being proxied & ignoring certificates");
-        builder = builder
-            .proxy(reqwest::Proxy::https("https://localhost:8082").unwrap())
-            .danger_accept_invalid_certs(true)
-    };
-    builder.build().expect("Client should build")
-});
-#[derive(Clone)]
-struct SSOSessionData {
-    pkce_challenge: String,
-    nonce: Nonce,
-    csrf_token: CsrfToken
-    // ip: IpAddr,
-}
-static SSO_SESSION_CACHE: LazyLock<Cache<IpAddr, SSOSessionData>> = LazyLock::new(|| Cache::builder()
-    .time_to_live(Duration::from_secs(120))
-    .max_capacity(100)
-    .build());
-#[get("/auth/sso")]
-pub async fn page(ip: IpAddr) -> Redirect {
-    let http_client = HTTP_CLIENT.clone();
-    // FIXME: temp, remove
-    let provider_metadata = CoreProviderMetadata::discover_async(
-        /* TODO: pull from config */
-        IssuerUrl::new(var("SSO_ISSUER_URL").expect("dev: missing sso url")).expect("bad issuer url"),
-        &http_client,
-    ).await.map_err(|e| e.to_string()).expect("discovery failed");
-    let client =
-        CoreClient::from_provider_metadata(
-            provider_metadata,
-            // TODO: pull from config
-            ClientId::new(var("SSO_CLIENT_ID").expect("dev: sso client id missing")),
-            Some(ClientSecret::new(var("SSO_CLIENT_SECRET").expect("dev sso client secret missing")
-                .to_string())),
-        ).set_redirect_uri(RedirectUrl::new("http://localhost:8080/auth/sso/cb".to_string()).unwrap());
-
-    // Generate a PKCE challenge.
-    // TODO: store in hashmap for request ip? leaky bucket?
+async fn page_handler(sso: &State<SSOState>, ip: IpAddr, return_to: Option<String>) -> Result<Redirect, anyhow::Error> {
+    let mut sso = sso.as_ref().ok_or_else(|| anyhow!("SSO is not configured"))?.lock().await;
+    let client = sso.create_client_redirect().await?;
     let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
-
-    // Generate the full authorization URL.
     let (auth_url, csrf_token, nonce) = client
         .authorize_url(
             CoreAuthenticationFlow::AuthorizationCode,
@@ -75,92 +31,83 @@ pub async fn page(ip: IpAddr) -> Redirect {
             Nonce::new_random,
         )
         // Set the desired scopes.
-        // TODO: change scopes
-        .add_scope(Scope::new("email".to_string()))
-        .add_scope(Scope::new("name".to_string()))
+        .add_scopes(sso.scopes())
         // Set the PKCE code challenge.
         .set_pkce_challenge(pkce_challenge)
         .url();
-    SSO_SESSION_CACHE.insert(ip, SSOSessionData {
+    sso.cache_set(ip, SSOSessionData {
         nonce: nonce,
         pkce_challenge: pkce_verifier.into_secret(),
-        csrf_token
+        csrf_token,
+        return_to
     }).await;
-
-    Redirect::to(auth_url.to_string())
-
-    // This is the URL you should redirect the user to, in order to trigger the authorization
-    // process.
+    Ok(Redirect::to(auth_url.to_string()))
+}
+#[get("/auth/sso?<return_to>")]
+pub async fn page(ip: IpAddr, sso: &State<SSOState>, return_to: Option<String>) -> Result<Redirect, (Status, Template)> {
+    page_handler(sso, ip, return_to).await
+        .map_err(|e| (Status::InternalServerError, Template::render("errors/500", context! {
+                error: e.to_string()
+            })))
 }
 
-#[get("/auth/sso/cb?<code>&<state>")]
-pub async fn callback(session: Session<'_, SessionData>, ip: IpAddr, code: String, state: String) -> Result<String, String> {
-    let session_data = SSO_SESSION_CACHE.remove(&ip).await.ok_or_else(|| "no sso session started".to_string())?;
-    // Now you can exchange it for an access token and ID token.
-    if &state != session_data.csrf_token.secret() {
-        return Err(format!("csrf validation failed {}", state));
+async fn callback_handler(sso: &State<SSOState>, ip: IpAddr, code: String, state: String) -> Result<(CoreUserInfoClaims, Option<String>), anyhow::Error> {
+    let mut sso = sso.as_ref().ok_or_else(||anyhow!("SSO is not configured"))?.lock().await;
+    let sess_data = sso.cache_take(ip).await.ok_or_else(|| anyhow!("No valid sso started"))?;
+    if &state != sess_data.csrf_token.secret() {
+        return Err(anyhow!("CSRF verification failed"));
     }
-
-    // FIXME: temp, remove
-    let http_client = HTTP_CLIENT.clone();
-    let provider_metadata = CoreProviderMetadata::discover_async(
-        /* TODO: pull from config */
-        IssuerUrl::new(var("SSO_ISSUER_URL").expect("dev: missing sso url")).expect("bad issuer url"),
-        &http_client,
-    ).await.expect("discovery failed");
-    let client =
-        CoreClient::from_provider_metadata(
-            provider_metadata,
-            // TODO: pull from config
-            ClientId::new(var("SSO_CLIENT_ID").expect("dev: sso client id missing")),
-            Some(ClientSecret::new(var("SSO_CLIENT_SECRET").expect("dev sso client secret missing")
-                .to_string())),
-        ).set_redirect_uri(RedirectUrl::new("http://localhost:8080/auth/sso/cb".to_string()).unwrap());
-
+    let client = sso.create_client_redirect().await?;
     let token_response =
         client
-            .exchange_code(AuthorizationCode::new(code)).expect("bad auth code")
+            .exchange_code(AuthorizationCode::new(code)).map_err(|e| anyhow!("oidc code is invalid"))?
             // Set the PKCE code verifier.
-            .set_pkce_verifier(PkceCodeVerifier::new(session_data.pkce_challenge)) // TODO: somehow have this??
-            .request_async(&http_client).await.expect("token exchange error");
+            .set_pkce_verifier(PkceCodeVerifier::new(sess_data.pkce_challenge)) // TODO: somehow have this??
+            .request_async(sso.http_client()).await
+                .map_err(|e| anyhow!("OIDC Token exchange error"))?;
 
     // Extract the ID token claims after verifying its authenticity and nonce.
     let id_token = token_response
         .id_token()
-        .ok_or_else(|| "Server did not return an ID token".to_string())?;
+        .ok_or_else(|| anyhow!("Server did not return an ID token"))?;
     let id_token_verifier = client.id_token_verifier();
-    let claims = id_token.claims(&id_token_verifier, &session_data.nonce).expect("bad claims"); // TODO: and this?
+    let claims = id_token.claims(&id_token_verifier, &sess_data.nonce).map_err(|e| anyhow!("OIDC Token claims error: {}", e))?;
 
-    // Verify the access token hash to ensure that the access token hasn't been substituted for
-    // another user's.
+    // Verify the access token hash to ensure that the access token hasn't been substituted for another user's.
     if let Some(expected_access_token_hash) = claims.access_token_hash() {
         let actual_access_token_hash = AccessTokenHash::from_token(
             token_response.access_token(),
-            id_token.signing_alg().expect("signing failed (alg)"),
-            id_token.signing_key(&id_token_verifier).expect("signing failed (key)"),
+            id_token.signing_alg().map_err(|e| anyhow!("OIDC token signature error: {}", e))?,
+            id_token.signing_key(&id_token_verifier).map_err(|e| anyhow!("OIDC token signature error: {}", e))?
         ).expect("access token resolve error");
         if actual_access_token_hash != *expected_access_token_hash {
-            return Err("Invalid access token".to_string());
+            return Err(anyhow!("Invalid access token"))
         }
     }
 
-    // The authenticated user's identity is now available. See the IdTokenClaims struct for a
-    // complete listing of the available claims.
-    println!(
-        "User {} with e-mail address {} has authenticated successfully",
-        claims.subject().as_str(),
-        claims.email().map(|email| email.as_str()).unwrap_or("<not provided>"),
-    );
-
     // If available, we can use the user info endpoint to request additional information.
 
     // The user_info request uses the AccessToken returned in the token response. To parse custom
     // claims, use UserInfoClaims directly (with the desired type parameters) rather than using the
     // CoreUserInfoClaims type alias.
     let userinfo: CoreUserInfoClaims = client
-        .user_info(token_response.access_token().to_owned(), None).expect("user info missing")
-        .request_async(&http_client)
+        .user_info(token_response.access_token().to_owned(), None).map_err(|_| anyhow!("could not acquire user data"))?
+        .request_async(sso.http_client())
         .await
-        .map_err(|err| format!("Failed requesting user info: {}", err))?;
-    Ok(format!("user={:?}\nemail={:?}\nname={:?}", userinfo.subject(), userinfo.email(), userinfo.name()))
+        .map_err(|_| anyhow!("could not acquire user data"))?;
+    Ok((userinfo, sess_data.return_to))
+}
+
+#[get("/auth/sso/cb?<code>&<state>")]
+pub async fn callback(session: Session<'_, SessionData>, ip: IpAddr, sso: &State<SSOState>, code: String, state: String) -> Result<HackyRedirectBecauseRocketBug, (Status, Template)> {
+    let (userinfo, return_to) = callback_handler(sso, ip, code, state).await
+        .map_err(|e| (Status::InternalServerError, Template::render("errors/500", context! {
+                error: e.to_string()
+            })))?;
+    debug!("user={:?}\nemail={:?}\nname={:?}", userinfo.subject(), userinfo.email(), userinfo.name());
+    let return_to = return_to.unwrap_or("/".to_string());
+    Ok(HackyRedirectBecauseRocketBug {
+        inner: "Login successful, redirecting...".to_string(),
+        location: Header::new("Location", return_to),
+    })
 }

src/routes/ui/help.rs

@@ -5,10 +5,11 @@ use rocket_session_store::{Session, SessionResult};
 use serde::Serialize;
 use crate::models::user::UserModel;
 use crate::{GlobalMetadata, SessionData};
+use crate::consts::APP_METADATA;
 
 #[get("/help/about")]
-pub fn about(route: &Route, meta: &State<GlobalMetadata>) -> Template {
-    Template::render("about", context! { route: route.uri.path(), meta: meta.inner() })
+pub fn about(route: &Route) -> Template {
+    Template::render("about", context! { route: route.uri.path(), meta: APP_METADATA.clone() })
 }
 
 

src/util.rs

@@ -1,5 +1,6 @@
 use std::fs;
 use std::io::Cursor;
+use std::time::Duration;
 use log::trace;
 use rand::rngs::OsRng;
 use rand::{rng, Rng, TryRngCore};
@@ -9,14 +10,18 @@ use rocket::{form, response, Request, Response};
 use rocket::form::Context;
 use rocket::form::error::Entity;
 use rocket::fs::relative;
+use rocket::http::private::cookie::CookieBuilder;
 use rocket::response::Responder;
 use rocket::serde::Serialize;
 use rocket_dyn_templates::handlebars::Handlebars;
-use rocket_session_store::{Session, SessionError, SessionResult};
-use sqlx::Error;
+use rocket_session_store::{Session, SessionError, SessionResult, SessionStore};
+use rocket_session_store::memory::MemoryStore;
+use sqlx::{migrate, Error, Pool, Postgres};
+use sqlx::postgres::PgPoolOptions;
 use tracing_subscriber::layer::SubscriberExt;
 use tracing_subscriber::util::SubscriberInitExt;
 use uuid::Uuid;
+use crate::consts::{SESSION_COOKIE_NAME, SESSION_LIFETIME_SECONDS};
 use crate::models::user::{UserAuthError,};
 use crate::SessionData;
 use crate::util::ResponseError::DatabaseError;
@@ -31,6 +36,35 @@ pub(crate) fn setup_logger() {
         .init();
 }
 
+pub async fn setup_db() -> Pool<Postgres> {
+    let pool = PgPoolOptions::new()
+        .max_connections(5)
+        .connect(std::env::var("DATABASE_URL").unwrap().as_str())
+        .await
+        .unwrap();
+
+    migrate!("./migrations")
+        .run(&pool)
+        .await.unwrap();
+    pool
+}
+
+pub fn setup_session_store() -> SessionStore<SessionData> {
+    let memory_store: MemoryStore::<SessionData> = MemoryStore::default();
+    SessionStore {
+        store: Box::new(memory_store),
+        name: SESSION_COOKIE_NAME.into(),
+        duration: Duration::from_secs(SESSION_LIFETIME_SECONDS),
+        // The cookie builder is used to set the cookie's path and other options.
+        // Name and value don't matter, they'll be overridden on each request.
+        cookie_builder: CookieBuilder::new("", "")
+            // Most web apps will want to use "/", but if your app is served from
+            // `example.com/myapp/` for example you may want to use "/myapp/" (note the trailing
+            // slash which prevents the cookie from being sent for `example.com/myapp2/`).
+            .path("/")
+    }
+}
+
 pub async fn set_csrf(session: &Session<'_, SessionData>) -> String {
     let token = gen_csrf_token();
     trace!("set_csrf token={}", token);
@@ -72,26 +106,6 @@ pub fn gen_csrf_token() -> String {
         .collect()
 }
 
-// pub(crate) fn setup_template_engine() -> Handlebars<'static> {
-//     let mut hb = Handlebars::new();
-//     #[cfg(debug_assertions)]
-//     hb.set_dev_mode(true);
-//
-//     let templates = fs::read_dir(relative!("templates")).unwrap();
-//     let mut ok = true;
-//     for file in templates {
-//         let file = file.unwrap();
-//         if let Err(e) = hb.register_template_file(file.path().to_str().unwrap(), ) {
-//             error!(template, path = %path.display(),
-//                     "failed to register Handlebars template: {e}");
-//
-//             ok = false;
-//         }
-//     }
-//
-// hb
-// }
-
 #[derive(Debug, Clone, Serialize)]
 pub struct JsonErrorResponse {
     pub(crate) code: String,

templates/errors/500.html.hbs

@@ -0,0 +1,27 @@
+{{#> layouts/default body-class="has-background-white-ter login-bg" }}
+    <br><br>
+    <div class="container py-6" style="width:20%"> <!-- TODO: fix width on mobile -->
+        <h1 class="title is-1 has-text-centered">storage-app</h1>
+        <div class="box is-radiusless">
+            <h4 class="title is-4 has-text-centered">500 Internal Server Error</h4>
+            <p>An internal error occurred while procesing your request</p>
+            <p><b>Error: </b><code>{{ error }}</code></p>
+
+            <br>
+            <!-- Hide go back unless javascript enabled -->
+            <p><span id="backlink" style="display:none"><a href="">Go Back</a> | </span><a href="/">Return home</a></p>
+        </div>
+    </div>
+{{/layouts/default}}
+
+<script>
+    // Enable 'go back' link:
+    const element = document.querySelector('#backlink');
+    element.style.display = "inline"
+    const elementLink = document.querySelector('#backlink a');
+    elementLink.setAttribute('href', document.referrer);
+    elementLink.onclick = function() {
+        history.back();
+        return false;
+    }
+</script>