Compare commits

...

2 Commits

Author SHA1 Message Date
SadlyNotSappho 4ea44b3639 clean up main.rs 2024-03-29 12:01:20 -07:00
SadlyNotSappho bfb63afa7e start working on posts 2024-03-29 11:39:44 -07:00
9 changed files with 830 additions and 578 deletions

16
Cargo.lock generated
View File

@ -597,6 +597,7 @@ version = "0.1.0"
dependencies = [
"base64",
"image",
"markdown",
"rand",
"rand_hc",
"regex",
@ -1095,6 +1096,15 @@ dependencies = [
"tracing-subscriber",
]
[[package]]
name = "markdown"
version = "1.0.0-alpha.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b0f0025e8c0d89b84d6dc63e859475e40e8e82ab1a08be0a93ad5731513a508"
dependencies = [
"unicode-id",
]
[[package]]
name = "matchers"
version = "0.1.0"
@ -2589,6 +2599,12 @@ version = "0.3.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6f2528f27a9eb2b21e69c95319b30bd0efd85d09c379741b0f78ea1d86be2416"
[[package]]
name = "unicode-id"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b1b6def86329695390197b82c1e244a54a131ceb66c996f2088a3876e2ae083f"
[[package]]
name = "unicode-ident"
version = "1.0.12"

View File

@ -8,6 +8,7 @@ edition = "2021"
[dependencies]
base64 = "0.21.7"
image = "0.24.8"
markdown = "1.0.0-alpha.16"
rand = "0.8.5"
rand_hc = "0.3.2"
regex = "1.10.3"

View File

@ -1 +1,3 @@
pub mod tables;
pub mod routes;

View File

@ -1,17 +1,11 @@
use image::io::Reader;
use rocket::fairing::AdHoc;
use rocket::fs::{FileServer, NamedFile};
use rocket::fs::FileServer;
use rocket::http::Status;
use rocket::response::content::{self, RawHtml};
use rocket::response::status;
use rocket::serde::Serialize;
use rocket::{Build, Request, Rocket};
use rocket_db_pools::sqlx::pool::PoolConnection;
use rocket_db_pools::sqlx::Postgres;
use rocket_db_pools::Connection;
use std::fs;
use std::path::Path;
use uuid::Uuid;
#[macro_use]
extern crate rocket;
@ -20,518 +14,8 @@ use rocket_db_pools::{
Database,
};
use rocket::fs::TempFile;
use rocket::http::CookieJar;
use rocket::serde::{json::Json, Deserialize};
use fossil::tables::{Db, Image, LoginStatus, Post, User};
#[get("/login")]
fn login_page() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/login.html").unwrap())
}
#[get("/createuser")]
fn createuser_page() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/createuser.html").unwrap())
}
#[get("/uploadimage")]
fn uploadimage() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/uploadimage.html").unwrap())
}
#[get("/myimages")]
fn myimages() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/myimages.html").unwrap())
}
#[derive(Deserialize)]
#[serde(crate = "rocket::serde")]
struct LoginInfo {
username: String,
password: String,
}
#[post("/createuser", data = "<info>")]
async fn createuser(
mut db: Connection<Db>,
info: Json<LoginInfo>,
cookies: &CookieJar<'_>,
) -> status::Custom<String> {
let token = cookies.get_private("token");
match token.is_some() {
true => status::Custom(
Status::Forbidden,
"You're already logged in. Log out before trying to create a new account.".to_string(),
),
false => match User::get_by_username(&mut db, &info.username).await {
Some(_) => status::Custom(
Status::Forbidden,
"Username already taken. Please try again.".to_string(),
),
None => match User::create(&mut db, &info.username, &info.password).await {
Ok(_) => match User::get_by_username(&mut db, &info.username).await {
Some(user) => match user.set_new_token(&mut db).await {
Ok(t) => {
cookies.add_private(("token", t));
status::Custom(Status::Ok, "Your account has been created and you've been automatically logged in.".to_string())
}
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::Created,
"Couldn't log you in. Your account has been created, though."
.to_string(),
)
}
},
None => status::Custom(
Status::InternalServerError,
"Something went really wrong. I don't know what.".to_string(),
),
},
Err(why) => {
format!("Couldn't create user: {}", why);
status::Custom(Status::InternalServerError, format!("{why}"))
}
},
},
}
}
#[derive(Serialize)]
#[serde(crate = "rocket::serde")]
struct GetUser {
username: String,
admin: bool,
make_posts: bool,
comment: bool,
}
#[get("/account")]
async fn account(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
) -> status::Custom<Result<Json<GetUser>, &'static str>> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => status::Custom(
Status::Ok,
Ok(Json(GetUser {
username: user.username,
admin: user.admin,
make_posts: user.make_posts,
comment: user.comment,
})),
),
None => status::Custom(Status::NotFound, Err("User doesn't exist.")),
},
None => status::Custom(Status::Unauthorized, Err("Not logged in")),
}
}
#[post("/login", data = "<info>")]
async fn login(
mut db: Connection<Db>,
info: Json<LoginInfo>,
cookies: &CookieJar<'_>,
) -> status::Custom<&'static str> {
let token = cookies.get_private("token");
match token {
Some(_) => {
status::Custom(Status::Continue, "already logged in")
}
None => {
match User::get_by_username(&mut db, &info.username).await {
Some(user) => {
if user.password == sha256::digest(&info.password) {
match user.token {
Some(t) => {cookies.add_private(("token", t)); status::Custom(Status::Ok, "Logged in")},
None => {
match user.set_new_token(&mut db).await {
Ok(t) => {
cookies.add_private(("token", t));
status::Custom(Status::Ok, "Logged in")
},
Err(why) => {
eprintln!("{why:?}");
status::Custom(Status::InternalServerError, "Couldn't generate a token for you, therefore you weren't logged in.")
},
}
}
}
} else {
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)")
}
}
None =>
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)")
}
}
}
}
#[post("/logout")]
async fn logout(cookies: &CookieJar<'_>) -> status::Custom<&'static str> {
match cookies.get_private("token") {
Some(_) => {
cookies.remove_private("token");
status::Custom(Status::Ok, "Logged out.")
}
None => status::Custom(Status::Unauthorized, "Not logged in."),
}
}
#[get("/adminpanel")]
async fn adminpanel(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
) -> status::Custom<RawHtml<String>> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin {
true => status::Custom(
Status::Ok,
RawHtml(
fs::read_to_string("/srv/web/adminpanel.html")
.unwrap()
.replace("{{username}}", &user.username[..]),
),
),
false => status::Custom(
Status::Unauthorized,
RawHtml(fs::read_to_string("/srv/web/invalidperms.html").unwrap()),
),
},
None => status::Custom(
Status::Unauthorized,
RawHtml(
fs::read_to_string("/srv/web/error.html")
.unwrap()
.replace("{{errorcode}}", "401"),
),
),
},
None => status::Custom(
Status::Unauthorized,
RawHtml(fs::read_to_string("/srv/web/invalidperms.html").unwrap()),
),
}
}
// #[derive(Deserialize, Serialize)]
// #[serde(crate = "rocket::serde")]
// struct ApiPermsResult {
// perms: Result<Perms, String>,
// }
#[derive(Deserialize, Serialize)]
#[serde(crate = "rocket::serde")]
struct Perms {
admin: bool,
make_posts: bool,
comment: bool,
}
#[get("/perms/<username>")]
async fn api_perms(
mut db: Connection<Db>,
username: String,
cookies: &CookieJar<'_>,
) -> status::Custom<Json<Result<Perms, &'static str>>> {
match cookies.get_private("token") {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin {
true => match User::get_by_username(&mut db, &username).await {
Some(user) => status::Custom(
Status::Ok,
Json(Ok(Perms {
admin: user.admin,
make_posts: user.make_posts,
comment: user.comment,
})),
),
None => status::Custom(Status::NotFound, Json(Err("User doesn't exist"))),
},
false => status::Custom(
Status::Unauthorized,
Json(Err("You don't have the permission to do this")),
),
},
None => status::Custom(Status::Unauthorized, Json(Err("Invalid token"))),
},
None => status::Custom(Status::Unauthorized, Json(Err("Not logged in"))),
}
}
#[derive(Deserialize)]
#[serde(crate = "rocket::serde")]
struct TogglePerms {
perm: String,
value: bool,
username: String,
}
#[post("/toggleperms", data = "<info>")]
async fn toggleperms(
mut db: Connection<Db>,
info: Json<TogglePerms>,
cookies: &CookieJar<'_>,
) -> status::Custom<String> {
match cookies.get_private("token") {
Some(t) => {
match User::get_by_token(&mut db, t).await {
Some(user) => {
match user.admin {
true => match User::get_by_username(&mut db, &info.username).await {
Some(toggled_user) => {
match toggled_user.username == user.username && info.perm == "admin"
{
true => status::Custom(
Status::Forbidden,
"You can't change your own admin status".to_string(),
),
false => {
let admin_username = std::env::var("ADMIN_USERNAME")
.expect("set ADMIN_USERNAME env var");
match toggled_user.username == admin_username {
true => status::Custom(
Status::Forbidden,
"You can't change the system admin's perms."
.to_string(),
),
false => {
match info.perm == "admin"
&& user.username != admin_username
{
true => status::Custom(
Status::Forbidden,
"You can't change other people's admin status."
.to_string(),
),
false => {
match toggled_user.set_role(&mut db,&info.perm,&info.value).await {
Ok(_) => status::Custom(Status::Ok, "Done".to_string()),
Err(why) => status::Custom(Status::InternalServerError, format!(
"Couldn't update the user's role: {why}"
)),
}
}
}
}
}
}
}
}
None => status::Custom(
Status::NotFound,
"The user you're trying to toggle perms for doesn't exist."
.to_string(),
),
},
false => {
status::Custom(Status::Unauthorized, "You aren't an admin.".to_string())
}
}
}
None => status::Custom(Status::Unauthorized, "Invalid login token".to_string()),
}
}
None => status::Custom(Status::Unauthorized, "Not logged in".to_string()),
}
}
#[get("/images/<image>")]
async fn get_image(
image: String,
mut db: Connection<Db>,
) -> Result<NamedFile, status::Custom<&'static str>> {
let mut split = image.split('.').collect::<Vec<&str>>();
let format = split.pop().unwrap();
let image = split.join(".");
match Image::get_by_uuid(&mut db, &image).await {
Ok(_) => match Reader::open(format!("/srv/images/{image}.png")) {
Ok(i) => match i.decode() {
Ok(img) => {
let encoder = match format {
"jpg" => image::ImageFormat::Jpeg,
"jpeg" => image::ImageFormat::Jpeg,
"png" => image::ImageFormat::Png,
_ => {
panic!("invalid format")
}
};
img.save_with_format(format!("/tmp/{image}.{format}"), encoder)
.unwrap();
let file = NamedFile::open(Path::new(&format!("/tmp/{image}.{format}")))
.await
.unwrap();
fs::remove_file(format!("/tmp/{image}.{format}")).unwrap_or(());
Ok(file)
}
Err(why) => Err(match &why.to_string()[..] {
"Format error decoding Png: Invalid PNG signature." => {
status::Custom(Status::NotAcceptable, "That file isn't an image.")
}
_ => status::Custom(Status::InternalServerError, "Unknown decoding error"),
}),
},
Err(_) => Err(status::Custom(
Status::InternalServerError,
"Unknown decoding error",
)),
},
Err(_) => Err(status::Custom(
Status::InternalServerError,
"File not found",
)),
}
}
#[post("/upload", format = "image/png", data = "<file>")]
async fn upload(
mut file: TempFile<'_>,
cookies: &CookieJar<'_>,
mut db: Connection<Db>,
) -> status::Custom<String> {
let uuid = Uuid::new_v4().to_string();
// login & perms check
match User::login_status(&mut db, cookies).await {
LoginStatus::LoggedIn(user) => {
match user.make_posts || user.admin {
// image validation check
true => {
match file.copy_to(format!("/srv/tmpimages/{uuid}.png")).await {
Ok(_) => {
// validate that it is, in fact, an image
match Reader::open(format!("/srv/tmpimages/{uuid}.png")) {
Ok(_) => {
match file.copy_to(format!("/srv/images/{uuid}.png")).await {
Ok(_) => match Image::create(&mut db, &uuid, user).await {
Ok(_) => {
match fs::remove_file(format!(
"/srv/tmpimages/{uuid}.png"
)) {
Ok(_) => status::Custom(Status::Created, uuid),
Err(why) => {
eprintln!("couldn't clear image from tmpimages: {why:?}");
status::Custom(Status::Ok, uuid)
}
}
}
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::InternalServerError,
"Couldn't save to DB".to_string(),
)
}
},
Err(_) => status::Custom(
Status::InternalServerError,
"Couldn't copy file to final location".to_string(),
),
}
}
Err(_) => status::Custom(
Status::Forbidden,
"File isn't an image".to_string(),
),
}
}
Err(_) => status::Custom(
Status::InternalServerError,
"Couldn't save temporary file".to_string(),
),
}
}
false => status::Custom(
Status::Unauthorized,
"You don't have the right permissions for that".to_string(),
),
}
}
LoginStatus::InvalidToken => {
status::Custom(Status::Unauthorized, "Invalid login token".to_string())
}
LoginStatus::NotLoggedIn => {
status::Custom(Status::Unauthorized, "Not logged in".to_string())
}
}
}
#[delete("/images/<uuid>")]
pub async fn delete_image(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
uuid: String,
) -> status::Custom<&'static str> {
match User::login_status(&mut db, cookies).await {
LoginStatus::LoggedIn(user) => {
match Image::is_owned_by(&mut db, &uuid, &user.username).await {
Ok(b) => match b {
// yeah this is jank but fuck types i don't want to figure that out
true => delimg(&mut db, uuid).await,
false => match user.admin {
true => delimg(&mut db, uuid).await,
false => status::Custom(Status::Unauthorized, "You don't own that image"),
},
},
Err(_) => status::Custom(Status::NotFound, "Couldn't get image"),
}
}
LoginStatus::InvalidToken => status::Custom(Status::Unauthorized, "Invalid login token"),
LoginStatus::NotLoggedIn => status::Custom(Status::Unauthorized, "Not logged in"),
}
}
async fn delimg(db: &mut Connection<Db>, uuid: String) -> status::Custom<&'static str> {
match Image::delete(db, &uuid).await {
Ok(_) => match fs::remove_file(format!("/srv/images/{uuid}.png")) {
Ok(_) => status::Custom(Status::Ok, "Image deleted"),
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::ImATeapot,
"Image deleted from database but not filesystem",
)
}
},
Err(_) => status::Custom(Status::InternalServerError, "Couldn't delete the image"),
}
}
#[get("/images/by-user/<username>")]
pub async fn get_images_by_username(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
username: String,
) -> Result<Json<Vec<String>>, String> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin || user.username == username {
true => match Image::get_by_username(&mut db, &username).await {
Ok(images) => Ok(Json::from(
images.into_iter().map(|i| i.uuid).collect::<Vec<String>>(),
)),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't get that user's images".to_string())
}
},
false => Err("You don't have permission to do this".to_string()),
},
None => Err("Invalid login token".to_string()),
},
None => Err("Not logged in".to_string()),
}
}
use fossil::routes;
use fossil::tables::{Db, Post};
#[catch(default)]
fn default_catcher(status: Status, _: &Request) -> RawHtml<String> {
@ -626,6 +110,13 @@ async fn migrate(rocket: Rocket<Build>) -> Rocket<Build> {
))
.await;
let _ = conn
.execute(sqlx::query(
"ALTER TABLE posts
ADD COLUMN IF NOT EXISTS uuid TEXT NOT NULL UNIQUE,
ADD COLUMN IF NOT EXISTS text_id TEXT NOT NULL UNIQUE",
))
.await;
rocket
}
@ -650,23 +141,26 @@ async fn main() {
.mount(
"/",
routes![
login_page,
login,
logout,
createuser,
createuser_page,
account,
adminpanel,
toggleperms,
get_image,
upload,
uploadimage,
delete_image,
get_images_by_username,
myimages
// gets from /web
routes::web::login_page,
routes::web::uploadimage,
routes::web::createuser_page,
routes::web::myimages,
// user related stuff
routes::users::login,
routes::users::logout,
routes::users::createuser,
routes::users::account,
routes::users::adminpanel,
routes::users::toggleperms,
// image related stuff
routes::images::get_image,
routes::images::upload,
routes::images::delete_image,
routes::images::get_images_by_username,
],
)
.mount("/api", routes![api_perms])
.mount("/api", routes![routes::users::api_perms])
.mount("/css", FileServer::from("/srv/web/css"))
.register("/", catchers![default_catcher])
.launch()

204
src/routes/images.rs Normal file
View File

@ -0,0 +1,204 @@
use crate::tables::{Db, Image, LoginStatus, User};
use image::io::Reader;
use rocket::fs::NamedFile;
use rocket::fs::TempFile;
use rocket::http::CookieJar;
use rocket::http::Status;
use rocket::response::status;
use rocket::serde::json::Json;
use rocket::{delete, get, post};
use rocket_db_pools::Connection;
use std::fs;
use std::path::Path;
use uuid::Uuid;
#[get("/images/<image>")]
pub async fn get_image(
image: String,
mut db: Connection<Db>,
) -> Result<NamedFile, status::Custom<&'static str>> {
let mut split = image.split('.').collect::<Vec<&str>>();
let format = split.pop().unwrap();
let image = split.join(".");
match Image::get_by_uuid(&mut db, &image).await {
Ok(_) => match Reader::open(format!("/srv/images/{image}.png")) {
Ok(i) => match i.decode() {
Ok(img) => {
let encoder = match format {
"jpg" => image::ImageFormat::Jpeg,
"jpeg" => image::ImageFormat::Jpeg,
"png" => image::ImageFormat::Png,
_ => {
panic!("invalid format")
}
};
img.save_with_format(format!("/tmp/{image}.{format}"), encoder)
.unwrap();
let file = NamedFile::open(Path::new(&format!("/tmp/{image}.{format}")))
.await
.unwrap();
fs::remove_file(format!("/tmp/{image}.{format}")).unwrap_or(());
Ok(file)
}
Err(why) => Err(match &why.to_string()[..] {
"Format error decoding Png: Invalid PNG signature." => {
status::Custom(Status::NotAcceptable, "That file isn't an image.")
}
_ => status::Custom(Status::InternalServerError, "Unknown decoding error"),
}),
},
Err(_) => Err(status::Custom(
Status::InternalServerError,
"Unknown decoding error",
)),
},
Err(_) => Err(status::Custom(
Status::InternalServerError,
"File not found",
)),
}
}
#[post("/upload", format = "image/png", data = "<file>")]
pub async fn upload(
mut file: TempFile<'_>,
cookies: &CookieJar<'_>,
mut db: Connection<Db>,
) -> status::Custom<String> {
let uuid = Uuid::new_v4().to_string();
// login & perms check
match User::login_status(&mut db, cookies).await {
LoginStatus::LoggedIn(user) => {
match user.make_posts || user.admin {
// image validation check
true => {
match file.copy_to(format!("/srv/tmpimages/{uuid}.png")).await {
Ok(_) => {
// validate that it is, in fact, an image
match Reader::open(format!("/srv/tmpimages/{uuid}.png")) {
Ok(_) => {
match file.copy_to(format!("/srv/images/{uuid}.png")).await {
Ok(_) => match Image::create(&mut db, &uuid, user).await {
Ok(_) => {
match fs::remove_file(format!(
"/srv/tmpimages/{uuid}.png"
)) {
Ok(_) => status::Custom(Status::Created, uuid),
Err(why) => {
eprintln!("couldn't clear image from tmpimages: {why:?}");
status::Custom(Status::Ok, uuid)
}
}
}
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::InternalServerError,
"Couldn't save to DB".to_string(),
)
}
},
Err(_) => status::Custom(
Status::InternalServerError,
"Couldn't copy file to final location".to_string(),
),
}
}
Err(_) => status::Custom(
Status::Forbidden,
"File isn't an image".to_string(),
),
}
}
Err(_) => status::Custom(
Status::InternalServerError,
"Couldn't save temporary file".to_string(),
),
}
}
false => status::Custom(
Status::Unauthorized,
"You don't have the right permissions for that".to_string(),
),
}
}
LoginStatus::InvalidToken => {
status::Custom(Status::Unauthorized, "Invalid login token".to_string())
}
LoginStatus::NotLoggedIn => {
status::Custom(Status::Unauthorized, "Not logged in".to_string())
}
}
}
#[delete("/images/<uuid>")]
pub async fn delete_image(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
uuid: String,
) -> status::Custom<&'static str> {
match User::login_status(&mut db, cookies).await {
LoginStatus::LoggedIn(user) => {
match Image::is_owned_by(&mut db, &uuid, &user.username).await {
Ok(b) => match b {
// yeah this is jank but fuck types i don't want to figure that out
true => delimg(&mut db, uuid).await,
false => match user.admin {
true => delimg(&mut db, uuid).await,
false => status::Custom(Status::Unauthorized, "You don't own that image"),
},
},
Err(_) => status::Custom(Status::NotFound, "Couldn't get image"),
}
}
LoginStatus::InvalidToken => status::Custom(Status::Unauthorized, "Invalid login token"),
LoginStatus::NotLoggedIn => status::Custom(Status::Unauthorized, "Not logged in"),
}
}
pub async fn delimg(db: &mut Connection<Db>, uuid: String) -> status::Custom<&'static str> {
match Image::delete(db, &uuid).await {
Ok(_) => match fs::remove_file(format!("/srv/images/{uuid}.png")) {
Ok(_) => status::Custom(Status::Ok, "Image deleted"),
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::ImATeapot,
"Image deleted from database but not filesystem",
)
}
},
Err(_) => status::Custom(Status::InternalServerError, "Couldn't delete the image"),
}
}
#[get("/images/by-user/<username>")]
pub async fn get_images_by_username(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
username: String,
) -> Result<Json<Vec<String>>, String> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin || user.username == username {
true => match Image::get_by_username(&mut db, &username).await {
Ok(images) => Ok(Json::from(
images.into_iter().map(|i| i.uuid).collect::<Vec<String>>(),
)),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't get that user's images".to_string())
}
},
false => Err("You don't have permission to do this".to_string()),
},
None => Err("Invalid login token".to_string()),
},
None => Err("Not logged in".to_string()),
}
}

3
src/routes/mod.rs Normal file
View File

@ -0,0 +1,3 @@
pub mod images;
pub mod users;
pub mod web;

303
src/routes/users.rs Normal file
View File

@ -0,0 +1,303 @@
use rocket::http::Status;
use rocket::response::content::RawHtml;
use rocket::response::status;
use rocket::serde::Serialize;
use rocket_db_pools::Connection;
use std::fs;
use rocket::http::CookieJar;
use rocket::serde::{json::Json, Deserialize};
use crate::tables::{Db, User};
use rocket::{get, post};
#[derive(Deserialize)]
#[serde(crate = "rocket::serde")]
pub struct LoginInfo {
pub username: String,
pub password: String,
}
#[post("/createuser", data = "<info>")]
pub async fn createuser(
mut db: Connection<Db>,
info: Json<LoginInfo>,
cookies: &CookieJar<'_>,
) -> status::Custom<String> {
let token = cookies.get_private("token");
match token.is_some() {
true => status::Custom(
Status::Forbidden,
"You're already logged in. Log out before trying to create a new account.".to_string(),
),
false => match User::get_by_username(&mut db, &info.username).await {
Some(_) => status::Custom(
Status::Forbidden,
"Username already taken. Please try again.".to_string(),
),
None => match User::create(&mut db, &info.username, &info.password).await {
Ok(_) => match User::get_by_username(&mut db, &info.username).await {
Some(user) => match user.set_new_token(&mut db).await {
Ok(t) => {
cookies.add_private(("token", t));
status::Custom(Status::Ok, "Your account has been created and you've been automatically logged in.".to_string())
}
Err(why) => {
eprintln!("{why:?}");
status::Custom(
Status::Created,
"Couldn't log you in. Your account has been created, though."
.to_string(),
)
}
},
None => status::Custom(
Status::InternalServerError,
"Something went really wrong. I don't know what.".to_string(),
),
},
Err(why) => {
format!("Couldn't create user: {}", why);
status::Custom(Status::InternalServerError, format!("{why}"))
}
},
},
}
}
#[derive(Serialize)]
#[serde(crate = "rocket::serde")]
pub struct GetUser {
username: String,
admin: bool,
make_posts: bool,
comment: bool,
}
#[get("/account")]
pub async fn account(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
) -> status::Custom<Result<Json<GetUser>, &'static str>> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => status::Custom(
Status::Ok,
Ok(Json(GetUser {
username: user.username,
admin: user.admin,
make_posts: user.make_posts,
comment: user.comment,
})),
),
None => status::Custom(Status::NotFound, Err("User doesn't exist.")),
},
None => status::Custom(Status::Unauthorized, Err("Not logged in")),
}
}
#[post("/login", data = "<info>")]
pub async fn login(
mut db: Connection<Db>,
info: Json<LoginInfo>,
cookies: &CookieJar<'_>,
) -> status::Custom<&'static str> {
let token = cookies.get_private("token");
match token {
Some(_) => {
status::Custom(Status::Continue, "already logged in")
}
None => {
match User::get_by_username(&mut db, &info.username).await {
Some(user) => {
if user.password == sha256::digest(&info.password) {
match user.token {
Some(t) => {cookies.add_private(("token", t)); status::Custom(Status::Ok, "Logged in")},
None => {
match user.set_new_token(&mut db).await {
Ok(t) => {
cookies.add_private(("token", t));
status::Custom(Status::Ok, "Logged in")
},
Err(why) => {
eprintln!("{why:?}");
status::Custom(Status::InternalServerError, "Couldn't generate a token for you, therefore you weren't logged in.")
},
}
}
}
} else {
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)")
}
}
None =>
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)")
}
}
}
}
#[post("/logout")]
pub async fn logout(cookies: &CookieJar<'_>) -> status::Custom<&'static str> {
match cookies.get_private("token") {
Some(_) => {
cookies.remove_private("token");
status::Custom(Status::Ok, "Logged out.")
}
None => status::Custom(Status::Unauthorized, "Not logged in."),
}
}
#[get("/adminpanel")]
pub async fn adminpanel(
mut db: Connection<Db>,
cookies: &CookieJar<'_>,
) -> status::Custom<RawHtml<String>> {
let token = cookies.get_private("token");
match token {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin {
true => status::Custom(
Status::Ok,
RawHtml(
fs::read_to_string("/srv/web/adminpanel.html")
.unwrap()
.replace("{{username}}", &user.username[..]),
),
),
false => status::Custom(
Status::Unauthorized,
RawHtml(fs::read_to_string("/srv/web/invalidperms.html").unwrap()),
),
},
None => status::Custom(
Status::Unauthorized,
RawHtml(
fs::read_to_string("/srv/web/error.html")
.unwrap()
.replace("{{errorcode}}", "401"),
),
),
},
None => status::Custom(
Status::Unauthorized,
RawHtml(fs::read_to_string("/srv/web/invalidperms.html").unwrap()),
),
}
}
#[derive(Deserialize, Serialize)]
#[serde(crate = "rocket::serde")]
pub struct Perms {
admin: bool,
make_posts: bool,
comment: bool,
}
#[get("/perms/<username>")]
pub async fn api_perms(
mut db: Connection<Db>,
username: String,
cookies: &CookieJar<'_>,
) -> status::Custom<Json<Result<Perms, &'static str>>> {
match cookies.get_private("token") {
Some(t) => match User::get_by_token(&mut db, t).await {
Some(user) => match user.admin {
true => match User::get_by_username(&mut db, &username).await {
Some(user) => status::Custom(
Status::Ok,
Json(Ok(Perms {
admin: user.admin,
make_posts: user.make_posts,
comment: user.comment,
})),
),
None => status::Custom(Status::NotFound, Json(Err("User doesn't exist"))),
},
false => status::Custom(
Status::Unauthorized,
Json(Err("You don't have the permission to do this")),
),
},
None => status::Custom(Status::Unauthorized, Json(Err("Invalid token"))),
},
None => status::Custom(Status::Unauthorized, Json(Err("Not logged in"))),
}
}
#[derive(Deserialize)]
#[serde(crate = "rocket::serde")]
pub struct TogglePerms {
perm: String,
value: bool,
username: String,
}
#[post("/toggleperms", data = "<info>")]
pub async fn toggleperms(
mut db: Connection<Db>,
info: Json<TogglePerms>,
cookies: &CookieJar<'_>,
) -> status::Custom<String> {
match cookies.get_private("token") {
Some(t) => {
match User::get_by_token(&mut db, t).await {
Some(user) => {
match user.admin {
true => match User::get_by_username(&mut db, &info.username).await {
Some(toggled_user) => {
match toggled_user.username == user.username && info.perm == "admin"
{
true => status::Custom(
Status::Forbidden,
"You can't change your own admin status".to_string(),
),
false => {
let admin_username = std::env::var("ADMIN_USERNAME")
.expect("set ADMIN_USERNAME env var");
match toggled_user.username == admin_username {
true => status::Custom(
Status::Forbidden,
"You can't change the system admin's perms."
.to_string(),
),
false => {
match info.perm == "admin"
&& user.username != admin_username
{
true => status::Custom(
Status::Forbidden,
"You can't change other people's admin status."
.to_string(),
),
false => {
match toggled_user.set_role(&mut db,&info.perm,&info.value).await {
Ok(_) => status::Custom(Status::Ok, "Done".to_string()),
Err(why) => status::Custom(Status::InternalServerError, format!(
"Couldn't update the user's role: {why}"
)),
}
}
}
}
}
}
}
}
None => status::Custom(
Status::NotFound,
"The user you're trying to toggle perms for doesn't exist."
.to_string(),
),
},
false => {
status::Custom(Status::Unauthorized, "You aren't an admin.".to_string())
}
}
}
None => status::Custom(Status::Unauthorized, "Invalid login token".to_string()),
}
}
None => status::Custom(Status::Unauthorized, "Not logged in".to_string()),
}
}

22
src/routes/web.rs Normal file
View File

@ -0,0 +1,22 @@
use rocket::{get, response::content::RawHtml};
use std::fs;
#[get("/login")]
pub fn login_page() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/login.html").unwrap())
}
#[get("/createuser")]
pub fn createuser_page() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/createuser.html").unwrap())
}
#[get("/uploadimage")]
pub fn uploadimage() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/uploadimage.html").unwrap())
}
#[get("/myimages")]
pub fn myimages() -> RawHtml<String> {
RawHtml(fs::read_to_string("/srv/web/myimages.html").unwrap())
}

View File

@ -17,23 +17,34 @@ pub struct Db(PgPool);
#[derive(FromRow)]
pub struct Post {
pub id: i32,
pub uuid: String,
pub text_id: String,
pub title: String,
pub body: String,
pub published: bool,
}
impl Post {
pub async fn create(mut db: Connection<Db>, title: String, body: String, published: bool) {
pub async fn create(
mut db: Connection<Db>,
title: String, /*ex: Why Trans People Deserve All Your Money*/
body: String, /*ex: # Because we're cooler than you */
published: bool,
uuid: String,
text_id: String, /*ex: why-trans-people-deserve-all-your-money */
) {
match db
.fetch_all(
sqlx::query(
r#"
INSERT INTO posts (title, body, published)
VALUES ($1, $2, $3);
INSERT INTO posts (title, body, published, uuid, text_id)
VALUES ($1, $2, $3, $4, $5);
"#,
)
.bind(title)
.bind(body)
.bind(published),
.bind(published)
.bind(uuid)
.bind(text_id),
)
.await
{
@ -50,12 +61,204 @@ impl Post {
.unwrap();
Post {
id: res.get::<i32, _>("id"),
uuid: res.get::<String, _>("uuid"),
text_id: res.get::<String, _>("text_id"),
title: res.get::<String, _>("title"),
body: res.get::<String, _>("body"),
published: res.get::<bool, _>("published"),
}
}
pub async fn get_by_uuid(mut db: Connection<Db>, uuid: String) -> Post {
let res = db
.fetch_one(sqlx::query("SELECT * FROM posts WHERE uuid = $1;").bind(uuid))
.await
.unwrap();
Post {
id: res.get::<i32, _>("id"),
uuid: res.get::<String, _>("uuid"),
text_id: res.get::<String, _>("text_id"),
title: res.get::<String, _>("title"),
body: res.get::<String, _>("body"),
published: res.get::<bool, _>("published"),
}
}
pub async fn get_by_text_id(mut db: Connection<Db>, text_id: String) -> Post {
let res = db
.fetch_one(sqlx::query("SELECT * FROM posts WHERE text_id = $1;").bind(text_id))
.await
.unwrap();
Post {
id: res.get::<i32, _>("id"),
uuid: res.get::<String, _>("uuid"),
text_id: res.get::<String, _>("text_id"),
title: res.get::<String, _>("title"),
body: res.get::<String, _>("body"),
published: res.get::<bool, _>("published"),
}
}
pub async fn edit_body(
mut db: Connection<Db>,
id: i32,
new_body: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET body = $1 WHERE id = $2;")
.bind(new_body)
.bind(id),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_body_by_uuid(
mut db: Connection<Db>,
uuid: String,
new_body: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET body = $1 WHERE uuid = $2;")
.bind(new_body)
.bind(uuid),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_body_by_text_id(
mut db: Connection<Db>,
text_id: String,
new_body: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET body = $1 WHERE text_id = $2;")
.bind(new_body)
.bind(text_id),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_title(
mut db: Connection<Db>,
id: i32,
new_title: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET title = $1 WHERE id = $2;")
.bind(new_title)
.bind(id),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_title_by_uuid(
mut db: Connection<Db>,
uuid: String,
new_title: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET title = $1 WHERE uuid = $2;")
.bind(new_title)
.bind(uuid),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_title_by_text_id(
mut db: Connection<Db>,
text_id: String,
new_title: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET body = $1 WHERE text_id = $2;")
.bind(new_title)
.bind(text_id),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_text_id(
mut db: Connection<Db>,
id: i32,
new_text_id: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET text_id = $1 WHERE id = $2;")
.bind(new_text_id)
.bind(id),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
pub async fn edit_text_id_by_uuid(
mut db: Connection<Db>,
uuid: String,
new_text_id: String,
) -> Result<(), String> {
match db
.execute(
sqlx::query("UPDATE posts SET text_id = $1 WHERE uuid = $2;")
.bind(new_text_id)
.bind(uuid),
)
.await
{
Ok(_) => Ok(()),
Err(why) => {
eprintln!("{why:?}");
Err("Couldn't update post".to_string())
}
}
}
}
#[derive(FromRow, Debug)]
pub struct User {
pub id: i32,
@ -70,11 +273,15 @@ pub struct User {
pub enum LoginStatus {
InvalidToken,
NotLoggedIn,
LoggedIn(User)
LoggedIn(User),
}
impl User {
pub async fn create(db: &mut Connection<Db>, username: &String, password: &String) -> Result<String, String> {
pub async fn create(
db: &mut Connection<Db>,
username: &String,
password: &String,
) -> Result<String, String> {
match Regex::new(r"[^A-Za-z0-9_]") {
Ok(r) => {
match r.captures(username) {
@ -226,17 +433,11 @@ impl User {
pub async fn login_status(db: &mut Connection<Db>, cookies: &CookieJar<'_>) -> LoginStatus {
match cookies.get_private("token") {
Some(t) => {
match User::get_by_token(db, t).await {
Some(user) => {
LoginStatus::LoggedIn(user)
Some(t) => match User::get_by_token(db, t).await {
Some(user) => LoginStatus::LoggedIn(user),
None => LoginStatus::InvalidToken,
},
None => {
LoginStatus::InvalidToken
}
}
},
None => LoginStatus::NotLoggedIn
None => LoginStatus::NotLoggedIn,
}
}
}
@ -262,9 +463,7 @@ impl Image {
)
.await
{
Ok(_) =>
Ok(())
,
Ok(_) => Ok(()),
Err(why) => {
eprintln!("Couldn't create database entry: {why:?}");
Err("Couldn't create image.".to_string())
@ -284,18 +483,23 @@ impl Image {
Err(_) => Err("Couldn't get image.".to_string()),
}
}
pub async fn is_owned_by(db: &mut Connection<Db>, uuid: &String, username: &String) -> Result<bool, String> {
pub async fn is_owned_by(
db: &mut Connection<Db>,
uuid: &String,
username: &String,
) -> Result<bool, String> {
match Image::get_by_uuid(db, uuid).await {
Ok(img) => {
Ok(&img.owner_name == username)
},
Ok(img) => Ok(&img.owner_name == username),
Err(why) => {
eprintln!("{why:?}");
Err("couldn't get image".to_string())
}
}
}
pub async fn get_by_username(db: &mut Connection<Db>, owner_name: &String) -> Result<Vec<Image>, String> {
pub async fn get_by_username(
db: &mut Connection<Db>,
owner_name: &String,
) -> Result<Vec<Image>, String> {
match db
.fetch_all(sqlx::query("SELECT * FROM images WHERE owner_name = $1;").bind(owner_name))
.await
@ -310,16 +514,19 @@ impl Image {
})
}
Ok(res)
},
}
Err(_) => Err("Couldn't get image.".to_string()),
}
}
pub async fn delete(db: &mut Connection<Db>, uuid: &String) -> Result<(), ()> {
match db.execute(sqlx::query("DELETE FROM images WHERE uuid = $1").bind(uuid)).await {
match db
.execute(sqlx::query("DELETE FROM images WHERE uuid = $1").bind(uuid))
.await
{
Ok(rows_gone) => {
eprintln!("Deleted {rows_gone:?} rows.");
Ok(())
},
}
Err(why) => {
eprintln!("Couldn't remove database entry: {why:?}");
Err(())