Compare commits

..

No commits in common. "3a5fb7bcd08d6d85a6f41cdf05c6f184a4fca22e" and "2cd4cf784edfb51ca240059bf2d6fc365b46040d" have entirely different histories.

3 changed files with 83 additions and 145 deletions

View File

@ -24,7 +24,7 @@ use rocket::fs::TempFile;
use rocket::http::CookieJar; use rocket::http::CookieJar;
use rocket::serde::{json::Json, Deserialize}; use rocket::serde::{json::Json, Deserialize};
use fossil::tables::{Db, Image, LoginStatus, Post, User}; use fossil::tables::{Db, Image, Post, User};
#[get("/login")] #[get("/login")]
fn login_page() -> RawHtml<String> { fn login_page() -> RawHtml<String> {
@ -114,46 +114,38 @@ async fn account(mut db: Connection<Db>, cookies: &CookieJar<'_>) -> status::Cus
} }
#[post("/login", data = "<info>")] #[post("/login", data = "<info>")]
async fn login( async fn login(mut db: Connection<Db>, info: Json<LoginInfo>, cookies: &CookieJar<'_>) -> String {
mut db: Connection<Db>,
info: Json<LoginInfo>,
cookies: &CookieJar<'_>,
) -> status::Custom<&'static str> {
let token = cookies.get_private("token"); let token = cookies.get_private("token");
match token { match token {
Some(_) => { Some(_) => {
status::Custom(Status::Continue, "already logged in") "already logged in".to_string()
} }
None => { None => {
match User::get_by_username(&mut db, &info.username).await { match User::get_by_username(&mut db, &info.username).await {
Some(user) => { Some(user) => {
if user.password == sha256::digest(&info.password) { if user.password == sha256::digest(&info.password) {
match user.token { match user.token {
Some(t) => {cookies.add_private(("token", t)); status::Custom(Status::Ok, "Logged in")}, Some(t) => {cookies.add_private(("token", t)); "Logged in".to_string()},
None => { None => {
match user.set_new_token(&mut db).await { match user.set_new_token(&mut db).await {
Ok(t) => { Ok(t) => {
cookies.add_private(("token", t)); cookies.add_private(("token", t));
status::Custom(Status::Ok, "Logged in") "logged in".to_string()
},
Err(why) => {
eprintln!("{why:?}");
status::Custom(Status::InternalServerError, "Couldn't generate a token for you, therefore you weren't logged in.")
}, },
Err(why) => why,
} }
} }
} }
} else { } else {
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)") String::from("Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)")
} }
} }
None => None =>
status::Custom(Status::Forbidden, "Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)") String::from("Invalid username or password (to those whining about why it doesn't tell you if the username or password is incorrect, security)"),
} }
} }
} }
} }
#[post("/logout")] #[post("/logout")]
async fn logout(cookies: &CookieJar<'_>) -> status::Custom<&'static str> { async fn logout(cookies: &CookieJar<'_>) -> status::Custom<&'static str> {
match cookies.get_private("token") { match cookies.get_private("token") {
@ -261,29 +253,25 @@ async fn toggleperms(
cookies: &CookieJar<'_>, cookies: &CookieJar<'_>,
) -> status::Custom<String> { ) -> status::Custom<String> {
match cookies.get_private("token") { match cookies.get_private("token") {
Some(t) => { Some(t) => match User::get_by_token(&mut db, t).await {
match User::get_by_token(&mut db, t).await { Some(user) => match user.admin {
Some(user) => { true => match User::get_by_username(&mut db, &info.username).await {
match user.admin { Some(toggled_user) => {
true => match User::get_by_username(&mut db, &info.username).await { match toggled_user.username == user.username && info.perm == "admin" {
Some(toggled_user) => { true => status::Custom(
match toggled_user.username == user.username && info.perm == "admin" Status::Forbidden,
{ "You can't change your own admin status".to_string(),
),
false => {
let admin_username = std::env::var("ADMIN_USERNAME")
.expect("set ADMIN_USERNAME env var");
match toggled_user.username == admin_username {
true => status::Custom( true => status::Custom(
Status::Forbidden, Status::Forbidden,
"You can't change your own admin status".to_string(), "You can't change the system admin's perms.".to_string(),
), ),
false => { false => {
let admin_username = std::env::var("ADMIN_USERNAME") match info.perm == "admin"
.expect("set ADMIN_USERNAME env var");
match toggled_user.username == admin_username {
true => status::Custom(
Status::Forbidden,
"You can't change the system admin's perms."
.to_string(),
),
false => {
match info.perm == "admin"
&& user.username != admin_username && user.username != admin_username
{ {
true => status::Custom( true => status::Custom(
@ -300,34 +288,26 @@ async fn toggleperms(
} }
} }
} }
}
}
} }
} }
} }
None => status::Custom(
Status::NotFound,
"The user you're trying to toggle perms for doesn't exist."
.to_string(),
),
},
false => {
status::Custom(Status::Unauthorized, "You aren't an admin.".to_string())
} }
} }
} None => status::Custom(
None => status::Custom(Status::Unauthorized, "Invalid login token".to_string()), Status::NotFound,
} "The user you're trying to toggle perms for doesn't exist.".to_string(),
} ),
},
false => status::Custom(Status::Unauthorized, "You aren't an admin.".to_string()),
},
None => status::Custom(Status::Unauthorized, "Invalid login token".to_string()),
},
None => status::Custom(Status::Unauthorized, "Not logged in".to_string()), None => status::Custom(Status::Unauthorized, "Not logged in".to_string()),
} }
} }
#[get("/images/<image>")] #[get("/images/<image>")]
async fn get_image( async fn get_image(image: String, mut db: Connection<Db>) -> Result<NamedFile, Status> {
image: String,
mut db: Connection<Db>,
) -> Result<NamedFile, status::Custom<&'static str>> {
let mut split = image.split('.').collect::<Vec<&str>>(); let mut split = image.split('.').collect::<Vec<&str>>();
let format = split.pop().unwrap(); let format = split.pop().unwrap();
let image = split.join("."); let image = split.join(".");
@ -355,94 +335,76 @@ async fn get_image(
Ok(file) Ok(file)
} }
Err(why) => Err(match &why.to_string()[..] { Err(why) => Err(match &why.to_string()[..] {
"Format error decoding Png: Invalid PNG signature." => { "Format error decoding Png: Invalid PNG signature." => Status::NotAcceptable,
status::Custom(Status::NotAcceptable, "That file isn't an image.") _ => Status::InternalServerError,
}
_ => status::Custom(Status::InternalServerError, "Unknown decoding error"),
}), }),
}, },
Err(_) => Err(status::Custom( Err(_) => Err(Status::NotFound),
Status::InternalServerError,
"Unknown decoding error",
)),
}, },
Err(_) => Err(status::Custom( Err(_) => Err(Status::ImATeapot),
Status::InternalServerError,
"File not found",
)),
} }
} }
#[post("/upload", format = "image/png", data = "<file>")] #[post("/upload", format = "image/png", data = "<file>")]
async fn upload( async fn upload(mut file: TempFile<'_>, cookies: &CookieJar<'_>, mut db: Connection<Db>) -> String {
mut file: TempFile<'_>,
cookies: &CookieJar<'_>,
mut db: Connection<Db>,
) -> status::Custom<String> {
let uuid = Uuid::new_v4().to_string(); let uuid = Uuid::new_v4().to_string();
match file.copy_to(format!("/srv/tmpimages/{uuid}.png")).await {
// login & perms check Ok(_) => {
match User::login_status(&mut db, cookies).await { // validate that it is, in fact, an image
LoginStatus::LoggedIn(user) => { match Reader::open(format!("/srv/tmpimages/{uuid}.png")) {
match user.make_posts || user.admin { Ok(_) => {
// image validation check match cookies.get_private("token") {
true => { Some(t) => {
match file.copy_to(format!("/srv/tmpimages/{uuid}.png")).await { match User::get_by_token(&mut db, t).await {
Ok(_) => { Some(user) => {
// validate that it is, in fact, an image if user.make_posts == true || user.admin == true {
match Reader::open(format!("/srv/tmpimages/{uuid}.png")) { // upload to db
Ok(_) => { match Image::create(&mut db, &uuid, user).await {
match file.copy_to(format!("/srv/images/{uuid}.png")).await {
Ok(_) => match Image::create(&mut db, &uuid, user).await {
Ok(_) => { Ok(_) => {
match fs::remove_file(format!( // move image
"/srv/tmpimages/{uuid}.png" match file
)) { .copy_to(format!("/srv/images/{uuid}.png"))
Ok(_) => status::Custom(Status::Created, uuid), .await
{
Ok(_) => {
match fs::remove_file(format!(
"/srv/tmpimages/{uuid}.png"
)) {
Ok(_) => uuid,
Err(why) => {
eprintln!("{why:?}");
"couldn't delete old file"
.to_string()
}
}
}
Err(why) => { Err(why) => {
eprintln!("couldn't clear image from tmpimages: {why:?}"); eprintln!("{why:?}");
status::Custom(Status::Ok, uuid) "couldn't save file to final destination"
.to_string()
} }
} }
} }
Err(why) => { Err(_) => "Couldn't save to DB".to_string(),
eprintln!("{why:?}"); }
status::Custom( } else {
Status::InternalServerError, "Invalid perms".to_string()
"Couldn't save to DB".to_string(),
)
}
},
Err(_) => status::Custom(
Status::InternalServerError,
"Couldn't copy file to final location".to_string(),
),
} }
} }
Err(_) => status::Custom( None => "Invalid login token".to_string(),
Status::Forbidden,
"File isn't an image".to_string(),
),
} }
} }
Err(_) => status::Custom( None => "Not logged in".to_string(),
Status::InternalServerError,
"Couldn't save temporary file".to_string(),
),
} }
} }
false => status::Custom( Err(why) => {
Status::Unauthorized, // isn't an image, or something else went wrong
"You don't have the right permissions for that".to_string(), eprintln!("{why:?}");
), "error".to_string()
}
} }
} }
LoginStatus::InvalidToken => { Err(why) => why.to_string(),
status::Custom(Status::Unauthorized, "Invalid login token".to_string())
}
LoginStatus::NotLoggedIn => {
status::Custom(Status::Unauthorized, "Not logged in".to_string())
}
} }
} }

View File

@ -1,7 +1,7 @@
use base64::{engine::general_purpose, Engine}; use base64::{engine::general_purpose, Engine};
use rand::{RngCore, SeedableRng}; use rand::{RngCore, SeedableRng};
use regex::Regex; use regex::Regex;
use rocket::http::{Cookie, CookieJar}; use rocket::http::Cookie;
use rocket_db_pools::sqlx::Executor; use rocket_db_pools::sqlx::Executor;
use rocket_db_pools::Connection; use rocket_db_pools::Connection;
use rocket_db_pools::{ use rocket_db_pools::{
@ -67,12 +67,6 @@ pub struct User {
pub comment: bool, pub comment: bool,
} }
pub enum LoginStatus {
InvalidToken,
NotLoggedIn,
LoggedIn(User)
}
impl User { impl User {
pub async fn create(db: &mut Connection<Db>, username: &String, password: &String) -> Result<String, String> { pub async fn create(db: &mut Connection<Db>, username: &String, password: &String) -> Result<String, String> {
match Regex::new(r"[^A-Za-z0-9_]") { match Regex::new(r"[^A-Za-z0-9_]") {
@ -223,22 +217,6 @@ impl User {
} }
} }
} }
pub async fn login_status(db: &mut Connection<Db>, cookies: &CookieJar<'_>) -> LoginStatus {
match cookies.get_private("token") {
Some(t) => {
match User::get_by_token(db, t).await {
Some(user) => {
LoginStatus::LoggedIn(user)
},
None => {
LoginStatus::InvalidToken
}
}
},
None => LoginStatus::NotLoggedIn
}
}
} }
pub struct Image { pub struct Image {

View File

@ -32,8 +32,6 @@
}, },
body: input.files[0] body: input.files[0]
}) })
// TODO: if status is 200, not 201, alert the user to tell the admins to clear tmpimages
alert(await token.text()); alert(await token.text());
}); });