studio/tuwunel
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Split login case bodies into handlers.

Browse Source 
Signed-off-by: Jason Volk <jason@zemos.net>
This commit is contained in:
Jason Volk
2025-06-08 21:15:17 +00:00
parent 3056b60159
commit 2a2486182a
4 changed files with 175 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
src/api/client/session/appservice.rs Normal file
View File

@@ -0,0 +1,48 @@
use ruma::{
OwnedUserId, UserId,
api::client::{
session::login::v3::{ApplicationService, Request},
uiaa,
},
};
use tuwunel_core::{Err, Result, err};
use tuwunel_service::Services;
use crate::Ruma;
pub(super) async fn handle_login(
services: &Services,
body: &Ruma<Request>,
info: &ApplicationService,
) -> Result<OwnedUserId> {
#[allow(deprecated)]
let ApplicationService { identifier, user } = info;
let Some(ref info) = body.appservice_info else {
return Err!(Request(MissingToken("Missing appservice token.")));
};
let user_id = if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
} else {
return Err!(Request(Unknown(debug_warn!(
?body.login_info,
"Valid identifier or username was not provided (invalid or unsupported login type?)"
))));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
if !services.globals.user_is_local(&user_id) {
return Err!(Request(Unknown("User ID does not belong to this homeserver")));
}
let emergency_mode_enabled = services.config.emergency_password.is_some();
if !info.is_user_match(&user_id) && !emergency_mode_enabled {
return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
}
Ok(user_id)
}

171
src/api/client/session/mod.rs
View File

@@ -1,3 +1,4 @@
mod appservice;
mod ldap; mod ldap;
mod logout; mod logout;
mod password; mod password;
@@ -5,24 +6,17 @@ mod token;
use axum::extract::State; use axum::extract::State;
use axum_client_ip::InsecureClientIp; use axum_client_ip::InsecureClientIp;
use futures::FutureExt; use ruma::api::client::session::{
use ruma::{ get_login_types::{
UserId, self,
api::client::{ v3::{ApplicationServiceLoginType, LoginType, PasswordLoginType, TokenLoginType},
session::{ },
get_login_types::{ login::{
self, self,
v3::{ApplicationServiceLoginType, PasswordLoginType, TokenLoginType}, v3::{DiscoveryInfo, HomeserverInfo, LoginInfo},
},
login::{
self,
v3::{DiscoveryInfo, HomeserverInfo},
},
},
uiaa,
}, },
}; };
use tuwunel_core::{Err, Result, debug, err, info, utils, utils::stream::ReadyExt}; use tuwunel_core::{Err, Result, info, utils, utils::stream::ReadyExt};
use self::{ldap::ldap_login, password::password_login}; use self::{ldap::ldap_login, password::password_login};
pub(crate) use self::{ pub(crate) use self::{
@@ -43,10 +37,10 @@ pub(crate) async fn get_login_types_route(
_body: Ruma<get_login_types::v3::Request>, _body: Ruma<get_login_types::v3::Request>,
) -> Result<get_login_types::v3::Response> { ) -> Result<get_login_types::v3::Response> {
Ok(get_login_types::v3::Response::new(vec![ Ok(get_login_types::v3::Response::new(vec![
get_login_types::v3::LoginType::Password(PasswordLoginType::default()), LoginType::Password(PasswordLoginType::default()),
get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()), LoginType::ApplicationService(ApplicationServiceLoginType::default()),
get_login_types::v3::LoginType::Token(TokenLoginType { LoginType::Token(TokenLoginType {
get_login_token: services.server.config.login_via_existing_session, get_login_token: services.config.login_via_existing_session,
}), }),
])) ]))
} }
@@ -65,137 +59,44 @@ pub(crate) async fn get_login_types_route(
/// Note: You can use [`GET /// Note: You can use [`GET
/// /_matrix/client/r0/login`](fn.get_supported_versions_route.html) to see /// /_matrix/client/r0/login`](fn.get_supported_versions_route.html) to see
/// supported login types. /// supported login types.
#[tracing::instrument(skip_all, fields(%client), name = "login")] #[tracing::instrument(name = "login", skip_all, fields(%client, ?body.login_info))]
pub(crate) async fn login_route( pub(crate) async fn login_route(
State(services): State<crate::State>, State(services): State<crate::State>,
InsecureClientIp(client): InsecureClientIp, InsecureClientIp(client): InsecureClientIp,
body: Ruma<login::v3::Request>, body: Ruma<login::v3::Request>,
) -> Result<login::v3::Response> { ) -> Result<login::v3::Response> {
let emergency_mode_enabled = services.config.emergency_password.is_some();
// Validate login method // Validate login method
// TODO: Other login methods
let user_id = match &body.login_info { let user_id = match &body.login_info {
#[allow(deprecated)] | LoginInfo::Password(info) => password::handle_login(&services, &body, info).await?,
| login::v3::LoginInfo::Password(login::v3::Password { | LoginInfo::Token(info) => token::handle_login(&services, &body, info).await?,
identifier, | LoginInfo::ApplicationService(info) =>
password, appservice::handle_login(&services, &body, info).await?,
user,
..
}) => {
debug!("Got password login type");
let user_id =
if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
} else {
return Err!(Request(Unknown(
debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
)));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
let lowercased_user_id = UserId::parse_with_server_name(
user_id.localpart().to_lowercase(),
&services.config.server_name,
)?;
if !services.globals.user_is_local(&user_id)
|| !services
.globals
.user_is_local(&lowercased_user_id)
{
return Err!(Request(Unknown("User ID does not belong to this homeserver")));
}
if cfg!(feature = "ldap") && services.config.ldap.enable {
ldap_login(&services, &user_id, &lowercased_user_id, password)
.boxed()
.await?
} else {
password_login(&services, &user_id, &lowercased_user_id, password)
.boxed()
.await?
}
},
| login::v3::LoginInfo::Token(login::v3::Token { token }) => {
debug!("Got token login type");
if !services.server.config.login_via_existing_session {
return Err!(Request(Unknown("Token login is not enabled.")));
}
services
.users
.find_from_login_token(token)
.await?
},
#[allow(deprecated)]
| login::v3::LoginInfo::ApplicationService(login::v3::ApplicationService {
identifier,
user,
}) => {
debug!("Got appservice login type");
let Some(ref info) = body.appservice_info else {
return Err!(Request(MissingToken("Missing appservice token.")));
};
let user_id =
if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
} else {
return Err!(Request(Unknown(
debug_warn!(?body.login_info, "Valid identifier or username was not provided (invalid or unsupported login type?)")
)));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
if !services.globals.user_is_local(&user_id) {
return Err!(Request(Unknown("User ID does not belong to this homeserver")));
}
if !info.is_user_match(&user_id) && !emergency_mode_enabled {
return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
}
user_id
},
| _ => { | _ => {
debug!("/login json_body: {:?}", &body.json_body); return Err!(Request(Unknown(debug_warn!(
return Err!(Request(Unknown( ?body.login_info,
debug_warn!(?body.login_info, "Invalid or unsupported login type") ?body.json_body,
))); "Invalid or unsupported login type",
))));
}, },
}; };
// Generate a new token for the device
let token = utils::random_string(TOKEN_LENGTH);
// Generate new device id if the user didn't specify one // Generate new device id if the user didn't specify one
let device_id = body let device_id = body
.device_id .device_id
.clone() .clone()
.unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into()); .unwrap_or_else(|| utils::random_string(DEVICE_ID_LENGTH).into());
// Generate a new token for the device
let token = utils::random_string(TOKEN_LENGTH);
// Determine if device_id was provided and exists in the db for this user // Determine if device_id was provided and exists in the db for this user
let device_exists = if body.device_id.is_some() { let device_exists = services
services .users
.users .all_device_ids(&user_id)
.all_device_ids(&user_id) .ready_any(|v| v == device_id)
.ready_any(|v| v == device_id) .await;
.await
} else {
false
};
if device_exists { if !device_exists {
services
.users
.set_token(&user_id, &device_id, &token)
.await?;
} else {
services services
.users .users
.create_device( .create_device(
@@ -206,11 +107,15 @@ pub(crate) async fn login_route(
Some(client.to_string()), Some(client.to_string()),
) )
.await?; .await?;
} else {
services
.users
.set_token(&user_id, &device_id, &token)
.await?;
} }
// send client well-known if specified so the client knows to reconfigure itself // send client well-known if specified so the client knows to reconfigure itself
let client_discovery_info: Option<DiscoveryInfo> = services let client_discovery_info: Option<DiscoveryInfo> = services
.server
.config .config
.well_known .well_known
.client .client

56
src/api/client/session/password.rs
View File

@@ -1,8 +1,60 @@
use futures::TryFutureExt; use futures::{FutureExt, TryFutureExt};
use ruma::{OwnedUserId, UserId}; use ruma::{
OwnedUserId, UserId,
api::client::{
session::login::v3::{Password, Request},
uiaa,
},
};
use tuwunel_core::{Err, Result, debug_error, err, utils::hash}; use tuwunel_core::{Err, Result, debug_error, err, utils::hash};
use tuwunel_service::Services; use tuwunel_service::Services;
use super::ldap_login;
use crate::Ruma;
pub(super) async fn handle_login(
services: &Services,
body: &Ruma<Request>,
info: &Password,
) -> Result<OwnedUserId> {
#[allow(deprecated)]
let Password { identifier, password, user, .. } = info;
let user_id = if let Some(uiaa::UserIdentifier::UserIdOrLocalpart(user_id)) = identifier {
UserId::parse_with_server_name(user_id, &services.config.server_name)
} else if let Some(user) = user {
UserId::parse_with_server_name(user, &services.config.server_name)
} else {
return Err!(Request(Unknown(debug_warn!(
?body.login_info,
"Valid identifier or username was not provided (invalid or unsupported login type?)"
))));
}
.map_err(|e| err!(Request(InvalidUsername(warn!("Username is invalid: {e}")))))?;
let lowercased_user_id = UserId::parse_with_server_name(
user_id.localpart().to_lowercase(),
&services.config.server_name,
)?;
let user_is_remote = !services.globals.user_is_local(&user_id)
|| !services
.globals
.user_is_local(&lowercased_user_id);
if user_is_remote {
return Err!(Request(Unknown("User ID does not belong to this homeserver")));
}
if cfg!(feature = "ldap") && services.config.ldap.enable {
ldap_login(services, &user_id, &lowercased_user_id, password)
.boxed()
.await
} else {
password_login(services, &user_id, &lowercased_user_id, password).await
}
}
/// Authenticates the given user by its ID and its password. /// Authenticates the given user by its ID and its password.
/// ///
/// Returns the user ID if successful, and an error otherwise. /// Returns the user ID if successful, and an error otherwise.

47
src/api/client/session/token.rs
View File

@@ -2,13 +2,36 @@ use std::time::Duration;
use axum::extract::State; use axum::extract::State;
use axum_client_ip::InsecureClientIp; use axum_client_ip::InsecureClientIp;
use ruma::api::client::{session::get_login_token, uiaa}; use ruma::{
use tuwunel_core::{Err, Error, Result, utils}; OwnedUserId,
use tuwunel_service::uiaa::SESSION_ID_LENGTH; api::client::{
session::{
get_login_token,
login::v3::{Request, Token},
},
uiaa,
},
};
use tuwunel_core::{Err, Result, utils::random_string};
use tuwunel_service::{Services, uiaa::SESSION_ID_LENGTH};
use super::TOKEN_LENGTH; use super::TOKEN_LENGTH;
use crate::Ruma; use crate::Ruma;
pub(super) async fn handle_login(
services: &Services,
_body: &Ruma<Request>,
info: &Token,
) -> Result<OwnedUserId> {
let Token { token } = info;
if !services.config.login_via_existing_session {
return Err!(Request(Unknown("Token login is not enabled.")));
}
services.users.find_from_login_token(token).await
}
/// # `POST /_matrix/client/v1/login/get_token` /// # `POST /_matrix/client/v1/login/get_token`
/// ///
/// Allows a logged-in user to get a short-lived token which can be used /// Allows a logged-in user to get a short-lived token which can be used
@@ -21,7 +44,7 @@ pub(crate) async fn login_token_route(
InsecureClientIp(client): InsecureClientIp, InsecureClientIp(client): InsecureClientIp,
body: Ruma<get_login_token::v1::Request>, body: Ruma<get_login_token::v1::Request>,
) -> Result<get_login_token::v1::Response> { ) -> Result<get_login_token::v1::Response> {
if !services.server.config.login_via_existing_session { if !services.config.login_via_existing_session {
return Err!(Request(Forbidden("Login via an existing session is not enabled"))); return Err!(Request(Forbidden("Login via an existing session is not enabled")));
} }
@@ -29,8 +52,10 @@ pub(crate) async fn login_token_route(
// TODO: How do we make only UIA sessions that have not been used before valid? // TODO: How do we make only UIA sessions that have not been used before valid?
let (sender_user, sender_device) = body.sender(); let (sender_user, sender_device) = body.sender();
let password_flow = uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] };
let mut uiaainfo = uiaa::UiaaInfo { let mut uiaainfo = uiaa::UiaaInfo {
flows: vec![uiaa::AuthFlow { stages: vec![uiaa::AuthType::Password] }], flows: vec![password_flow],
completed: Vec::new(), completed: Vec::new(),
params: Box::default(), params: Box::default(),
session: None, session: None,
@@ -45,27 +70,25 @@ pub(crate) async fn login_token_route(
.await?; .await?;
if !worked { if !worked {
return Err(Error::Uiaa(uiaainfo)); return Err!(Uiaa(uiaainfo));
} }
// Success! // Success!
}, },
| _ => match body.json_body.as_ref() { | _ => match body.json_body.as_ref() {
| Some(json) => { | Some(json) => {
uiaainfo.session = Some(utils::random_string(SESSION_ID_LENGTH)); uiaainfo.session = Some(random_string(SESSION_ID_LENGTH));
services services
.uiaa .uiaa
.create(sender_user, sender_device, &uiaainfo, json); .create(sender_user, sender_device, &uiaainfo, json);
return Err(Error::Uiaa(uiaainfo)); return Err!(Uiaa(uiaainfo));
},
| _ => {
return Err!(Request(NotJson("No JSON body was sent when required.")));
}, },
| _ => return Err!(Request(NotJson("No JSON body was sent when required."))),
}, },
} }
let login_token = utils::random_string(TOKEN_LENGTH); let login_token = random_string(TOKEN_LENGTH);
let expires_in = services let expires_in = services
.users .users
.create_login_token(sender_user, &login_token); .create_login_token(sender_user, &login_token);