Refactor authentication to more easily support oauth (stadust#171)

* refactor: split `password_hash` field from `AuthenticatedUser`

Replace it with a `AuthenticationMethod` field. For now, this enum only
contains the `Legacy` variant, indicating that the given user is using
the current (but soon to be legacy) account system. Later, other
authentication methods such as OAuth will add their own variants here.

When matching in on `auth_method`, introduce unreachable `_ => ...` arms
that will return sensible default-errors for functions that that only
operate on legacy accounts (e.g. when doing oauth, you won't be able to
change your password).

Signed-off-by: stadust <[email protected]>

* refactor: hide `register` endpoint behind `legacy_accounts` feature

Once we support oauth accounts, we want to disable legacy accounts.
However, for testing purposes, as well as for people wanting to run
pointercrate clones, it is still desirable to use the legacy account
system. Thus, hide it behind a cargo feature.

Note that this cargo flag only disables the creation of new legacy
accounts. Pre-existing legacy accounts will continue to be able to log
in.

Signed-off-by: stadust <[email protected]>

* test: run with all features

Feature flags are meant to be additive, so running tests only with all
features enabled should not loose any coverage.

Signed-off-by: stadust <[email protected]>

* test: Add action for building all feature permutations

While runnings tests with only with `--all-features` is fine, we need to
make sure that all combinations of features actually build. Use
`cargo-all-features` for that. I don't expect us to ever have
sufficiently many feature for the combinatorial explosion of testing all
permutations to get bad.

Signed-off-by: stadust <[email protected]>

---------

Signed-off-by: stadust <[email protected]>

Author: stadust

.github/workflows/check_all_features.yml

@@ -0,0 +1,62 @@
+name: Check all feature permutations
+on: pull_request
+
+jobs:
+  # Label of the container job
+  container-job:
+    # Containers must run in Linux based operating systems
+    runs-on: ubuntu-latest
+
+    # Service containers to run with `container-job`
+    services:
+      # Label used to access the service container
+      postgres:
+        # Docker Hub image
+        image: postgres
+        # Provide the password for postgres
+        env:
+          POSTGRES_USER: pointercrate
+          POSTGRES_PASSWORD: postgres
+          POSTGRES_DB: postgres
+        ports:
+          - 5432:5432
+        # Set health checks to wait until postgres has started
+        options: >-
+          --health-cmd pg_isready
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      # Downloads a copy of the code in your repository before running CI tests
+      - name: Check out repository code
+        uses: actions/checkout@v3
+
+      - name: Install rust toolchain
+        uses: actions-rs/toolchain@v1
+        with:
+          profile: minimal
+          toolchain: stable
+          override: true
+          components: llvm-tools-preview
+
+      - name: Install sqlx-cli and cargo-all-features
+        uses: actions-rs/cargo@v1
+        with:
+          command: install
+          args: sqlx-cli cargo-all-features
+
+      - name: Load pointercrate schema
+        uses: actions-rs/cargo@v1
+        with:
+          command: sqlx
+          args: migrate run
+        env:
+          DATABASE_URL: postgresql://pointercrate:postgres@localhost/postgres
+
+      - name: Check
+        uses: actions-rs/cargo@v1
+        with:
+          command: check-all-features
+        env:
+          DATABASE_URL: postgresql://pointercrate:postgres@localhost/postgres

.github/workflows/test.yml

@@ -62,6 +62,7 @@ jobs:
         uses: actions-rs/cargo@v1
         with:
           command: test
+          args: --all-features
         env:
           DATABASE_URL: postgresql://pointercrate:postgres@localhost/postgres
           RUST_BACKTRACE: 1

pointercrate-example/Cargo.toml

@@ -17,5 +17,5 @@ pointercrate-demonlist-api = { version = "0.1.0", path = "../pointercrate-demonl
 pointercrate-demonlist-pages = { version = "0.1.0", path = "../pointercrate-demonlist-pages" }
 pointercrate-user = { version = "0.1.0", path = "../pointercrate-user" }
 pointercrate-user-api = { version = "0.1.0", path = "../pointercrate-user-api" }
-pointercrate-user-pages = { version = "0.1.0", path = "../pointercrate-user-pages" }
+pointercrate-user-pages = { version = "0.1.0", path = "../pointercrate-user-pages", features = ["legacy_accounts"] }
 rocket = "0.5.1"

pointercrate-test/Cargo.toml

@@ -13,7 +13,7 @@ pointercrate-core = {path = "../pointercrate-core"}
 pointercrate-core-api = {path = "../pointercrate-core-api"}
 pointercrate-user = {path = "../pointercrate-user"}
 pointercrate-user-api = {path = "../pointercrate-user-api"}
-pointercrate-user-pages = {path = "../pointercrate-user-pages"}
+pointercrate-user-pages = {path = "../pointercrate-user-pages", features = ["legacy_accounts"]}
 serde = "1.0.209"
 sqlx = { version = "0.8", default-features = false, features = [ "runtime-tokio-native-tls", "macros", "postgres", "chrono", "migrate" ] }
 rocket = "0.5.1"

pointercrate-user-api/Cargo.toml

@@ -19,3 +19,6 @@ base64 = "0.22.1"
 nonzero_ext = "0.3.0"
 serde_urlencoded = "0.7.0"
 governor = "0.6.0"
+
+[features]
+legacy_accounts = ["pointercrate-user/legacy_accounts"]

pointercrate-user-api/src/endpoints/auth.rs

@@ -2,20 +2,25 @@ use crate::{
     auth::{BasicAuth, TokenAuth},
     ratelimits::UserRatelimits,
 };
-use pointercrate_core::{etag::Taggable, pool::PointercratePool};
+use pointercrate_core::etag::Taggable;
+#[cfg(feature = "legacy_accounts")]
+use pointercrate_core::pool::PointercratePool;
 use pointercrate_core_api::{
     error::Result,
     etag::{Precondition, Tagged},
     response::Response2,
 };
-use pointercrate_user::{error::UserError, AuthenticatedUser, PatchMe, Registration, User};
+#[cfg(feature = "legacy_accounts")]
+use pointercrate_user::{AuthenticatedUser, Registration};
+use pointercrate_user::{error::UserError, PatchMe, User};
 use rocket::{
     http::Status,
     serde::json::{serde_json, Json},
     State,
 };
 use std::net::IpAddr;
 
+#[cfg(feature = "legacy_accounts")]
 #[rocket::post("/register", data = "<body>")]
 pub async fn register(
     ip: IpAddr, body: Json<Registration>, ratelimits: &State<UserRatelimits>, pool: &State<PointercratePool>,

pointercrate-user-api/src/lib.rs

@@ -7,22 +7,26 @@ mod endpoints;
 mod pages;
 mod ratelimits;
 
+#[allow(unused_mut)]
 pub fn setup(rocket: Rocket<Build>) -> Rocket<Build> {
     let ratelimits = UserRatelimits::new();
 
+    let mut auth_routes = rocket::routes![
+        endpoints::auth::login,
+        endpoints::auth::invalidate,
+        endpoints::auth::get_me,
+        endpoints::auth::patch_me,
+        endpoints::auth::delete_me,
+    ];
+    let mut page_routes = rocket::routes![pages::login_page, pages::account_page, pages::login];
+    #[cfg(feature = "legacy_accounts")]
+    auth_routes.extend(rocket::routes![endpoints::auth::register]);
+    #[cfg(feature = "legacy_accounts")]
+    page_routes.extend(rocket::routes![pages::register]);
+
     rocket
         .manage(ratelimits)
-        .mount(
-            "/api/v1/auth/",
-            rocket::routes![
-                endpoints::auth::register,
-                endpoints::auth::login,
-                endpoints::auth::invalidate,
-                endpoints::auth::get_me,
-                endpoints::auth::patch_me,
-                endpoints::auth::delete_me,
-            ],
-        )
+        .mount("/api/v1/auth/", auth_routes)
         .mount(
             "/api/v1/users/",
             rocket::routes![
@@ -32,8 +36,5 @@ pub fn setup(rocket: Rocket<Build>) -> Rocket<Build> {
                 endpoints::user::delete_user
             ],
         )
-        .mount(
-            "/",
-            rocket::routes![pages::login_page, pages::account_page, pages::login, pages::register],
-        )
+        .mount("/", page_routes)
 }

pointercrate-user-api/src/pages.rs

@@ -2,15 +2,20 @@ use crate::{
     auth::{BasicAuth, TokenAuth},
     ratelimits::UserRatelimits,
 };
-use pointercrate_core::{permission::PermissionsManager, pool::PointercratePool};
+use pointercrate_core::permission::PermissionsManager;
+#[cfg(feature = "legacy_accounts")]
+use pointercrate_core::pool::PointercratePool;
 use pointercrate_core_api::response::Page;
 use pointercrate_core_pages::head::HeadLike;
-use pointercrate_user::{error::UserError, AuthenticatedUser, Registration, User};
+use pointercrate_user::error::UserError;
+#[cfg(feature = "legacy_accounts")]
+use pointercrate_user::{AuthenticatedUser, Registration, User};
 use pointercrate_user_pages::account::AccountPageConfig;
+#[cfg(feature = "legacy_accounts")]
+use rocket::serde::json::Json;
 use rocket::{
     http::{Cookie, CookieJar, SameSite, Status},
     response::Redirect,
-    serde::json::Json,
     State,
 };
 use std::net::IpAddr;
@@ -43,6 +48,7 @@ pub async fn login(
     Ok(Status::NoContent)
 }
 
+#[cfg(feature = "legacy_accounts")]
 #[rocket::post("/register", data = "<registration>")]
 pub async fn register(
     ip: IpAddr, ratelimits: &State<UserRatelimits>, cookies: &CookieJar<'_>, registration: Json<Registration>,

pointercrate-user-pages/Cargo.toml

@@ -12,3 +12,6 @@ pointercrate-core = {path = "../pointercrate-core"}
 pointercrate-user = {path = "../pointercrate-user"}
 pointercrate-core-pages = {path = "../pointercrate-core-pages"}
 async-trait = "0.1.81"
+
+[features]
+legacy_accounts = ["pointercrate-user/legacy_accounts"]

pointercrate-user/Cargo.toml

@@ -19,3 +19,6 @@ lazy_static = "1.5.0"
 bcrypt = "0.15.1"
 url = "2.5.2"
 serde_json = "1.0.127"
+
+[features]
+legacy_accounts = []

pointercrate-user/src/auth/get.rs

@@ -10,6 +10,8 @@ use log::{debug, info};
 use pointercrate_core::error::CoreError;
 use sqlx::{Error, PgConnection};
 
+use super::AuthenticationMethod;
+
 impl AuthenticatedUser {
     pub async fn basic_auth(username: &str, password: &str, connection: &mut PgConnection) -> Result<AuthenticatedUser> {
         info!("We are expected to perform basic authentication");
@@ -59,7 +61,9 @@ impl AuthenticatedUser {
             Err(err) => Err(err.into()),
             Ok(row) => Ok(AuthenticatedUser {
                 user: construct_from_row!(row),
-                password_hash: row.password_hash,
+                auth_method: AuthenticationMethod:: Legacy {
+                    password_hash: row.password_hash,
+                }
             }),
         }
     }
@@ -77,7 +81,9 @@ impl AuthenticatedUser {
             Err(err) => Err(err.into()),
             Ok(row) => Ok(AuthenticatedUser {
                 user: construct_from_row!(row),
-                password_hash: row.password_hash,
+                auth_method: AuthenticationMethod:: Legacy {
+                    password_hash: row.password_hash,
+                }
             }),
         }
     }

pointercrate-user/src/auth/mod.rs

@@ -5,7 +5,9 @@
 //! * Deletion of own account
 //! * Modification of own account
 
-pub use self::{patch::PatchMe, post::Registration};
+#[cfg(feature = "legacy_accounts")]
+pub use self::post::Registration;
+pub use self::patch::PatchMe;
 use crate::{
     error::{Result, UserError},
     User,
@@ -26,7 +28,11 @@ mod post;
 
 pub struct AuthenticatedUser {
     user: User,
-    password_hash: String,
+    auth_method: AuthenticationMethod,
+}
+
+pub enum AuthenticationMethod {
+    Legacy { password_hash: String },
 }
 
 #[derive(Debug, Deserialize, Serialize, Copy, Clone)]
@@ -147,31 +153,41 @@ impl AuthenticatedUser {
     }
 
     fn password_salt(&self) -> Vec<u8> {
-        let raw_parts: Vec<_> = self.password_hash.split('$').filter(|s| !s.is_empty()).collect();
+        match &self.auth_method {
+            AuthenticationMethod::Legacy { password_hash } => {
+                let raw_parts: Vec<_> = password_hash.split('$').filter(|s| !s.is_empty()).collect();
 
-        match &raw_parts[..] {
-            [_, _, hash] => b64::decode(&hash[..22]),
-            _ => unreachable!(),
+                match &raw_parts[..] {
+                    [_, _, hash] => b64::decode(&hash[..22]),
+                    _ => unreachable!(),
+                }
+            },
+            _ => Vec::new(),
         }
     }
 
     pub fn verify_password(self, password: &str) -> Result<Self> {
-        debug!("Verifying a password!");
+        match &self.auth_method {
+            AuthenticationMethod::Legacy { password_hash } => {
+                debug!("Verifying a password!");
 
-        let valid = bcrypt::verify(password, &self.password_hash).map_err(|err| {
-            warn!("Password verification FAILED for account {}: {}", self.user, err);
+                let valid = bcrypt::verify(password, password_hash).map_err(|err| {
+                    warn!("Password verification FAILED for account {}: {}", self.user, err);
 
-            UserError::Core(CoreError::Unauthorized)
-        })?;
+                    UserError::Core(CoreError::Unauthorized)
+                })?;
 
-        if valid {
-            debug!("Password correct, proceeding");
+                if valid {
+                    debug!("Password correct, proceeding");
 
-            Ok(self)
-        } else {
-            warn!("Potentially malicious log-in attempt to account {}", self.user);
+                    Ok(self)
+                } else {
+                    warn!("Potentially malicious log-in attempt to account {}", self.user);
 
-            Err(CoreError::Unauthorized.into())
+                    Err(CoreError::Unauthorized.into())
+                }
+            },
+            _ => Err(CoreError::Unauthorized.into()),
         }
     }
 }
@@ -180,6 +196,8 @@ impl AuthenticatedUser {
 mod tests {
     use crate::{AuthenticatedUser, User};
 
+    use super::AuthenticationMethod;
+
     fn patrick() -> AuthenticatedUser {
         AuthenticatedUser {
             user: User {
@@ -189,7 +207,9 @@ mod tests {
                 display_name: None,
                 youtube_channel: None,
             },
-            password_hash: bcrypt::hash("bad password", bcrypt::DEFAULT_COST).unwrap(),
+            auth_method: AuthenticationMethod::Legacy {
+                password_hash: bcrypt::hash("bad password", bcrypt::DEFAULT_COST).unwrap(),
+            },
         }
     }
 
@@ -202,7 +222,9 @@ mod tests {
                 display_name: None,
                 youtube_channel: None,
             },
-            password_hash: bcrypt::hash("bad password", bcrypt::DEFAULT_COST).unwrap(),
+            auth_method: AuthenticationMethod::Legacy {
+                password_hash: bcrypt::hash("bad password", bcrypt::DEFAULT_COST).unwrap(),
+            },
         }
     }