mirror of
https://forgejo.ellis.link/continuwuation/continuwuity/
synced 2026-07-05 18:02:54 +00:00
Compare commits
63 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 46e2607aeb | |||
| 90758944ca | |||
| e3aa13d2f6 | |||
| 5a0e9303ee | |||
| 32b018a676 | |||
| 8a652cdd2f | |||
| d0e885fb1c | |||
| e95e653379 | |||
| 3057a44de4 | |||
| 37f26dc430 | |||
| 1442cfcb4f | |||
| 3f263714c3 | |||
| 30684724b5 | |||
| df8bcdd92d | |||
| 560c959ee7 | |||
| ee4b2f5b8d | |||
| 1a766d52d4 | |||
| 0c34700a96 | |||
| 9ef401f13e | |||
| bfe45facad | |||
| 866742ecc5 | |||
| 7a7e3b4697 | |||
| 27267eec69 | |||
| 6f3985d837 | |||
| d42836dabf | |||
| 05dc9d08e1 | |||
| 0daf876e9b | |||
| 77ae59fde7 | |||
| b865f0d56e | |||
| 9e9eb19331 | |||
| 4f333ed173 | |||
| 1840549332 | |||
| ca50d52469 | |||
| 80493f3e36 | |||
| e39c3e3aee | |||
| 25144ecceb | |||
| c2c841b8c7 | |||
| 9f10657406 | |||
| a8c49a3034 | |||
| 35f3b44e46 | |||
| 2ffbead621 | |||
| 772553ec79 | |||
| 732dd623ee | |||
| 0974481066 | |||
| 5ac3ef7372 | |||
| 53a0ca9ae5 | |||
| b5956368bc | |||
| e143da969a | |||
| 7631250278 | |||
| 0932c929c3 | |||
| 8f4e95b4b9 | |||
| e84d1f02af | |||
| 772a326ac1 | |||
| 6276a632cc | |||
| bb48bd50bb | |||
| 3fb7586875 | |||
| e8cfde49ae | |||
| 7af4b392b3 | |||
| 2bdc498f18 | |||
| 9dfd143cc6 | |||
| 721ebbf340 | |||
| 0a5d136a32 | |||
| 0ece17b6a0 |
@@ -71,7 +71,7 @@ runs:
|
||||
|
||||
- name: Install timelord-cli and git-warp-time
|
||||
if: steps.check-binaries.outputs.need-install == 'true'
|
||||
uses: https://github.com/taiki-e/install-action@e49978b799e49ff429d162b7a30601a569ab6538 # v2
|
||||
uses: https://github.com/taiki-e/install-action@15449e3094499af05d8d964a1c884208e4b8b595 # v2
|
||||
with:
|
||||
tool: git-warp-time,timelord-cli@3.0.1
|
||||
|
||||
|
||||
@@ -54,7 +54,7 @@ jobs:
|
||||
fi
|
||||
|
||||
- name: Checkout repository with full history
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ github.ref_name }}
|
||||
|
||||
@@ -30,7 +30,7 @@ jobs:
|
||||
echo "Fedora version: $VERSION"
|
||||
|
||||
- name: Checkout repository with full history
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
ref: ${{ github.ref_name }}
|
||||
|
||||
@@ -15,7 +15,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
ref: ${{ github.event.pull_request.head.sha }}
|
||||
fetch-depth: 0
|
||||
|
||||
@@ -21,7 +21,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Sync repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
fetch-depth: 0
|
||||
|
||||
@@ -41,7 +41,7 @@ jobs:
|
||||
DOCKER_MIRROR_TOKEN: ${{ secrets.DOCKER_MIRROR_TOKEN }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
@@ -55,7 +55,7 @@ jobs:
|
||||
# repositories: continuwuity
|
||||
|
||||
- name: Install regsync
|
||||
uses: https://github.com/regclient/actions/regsync-installer@c70ad64367908075211b10dcd2ab9fad4bfa1816 # main
|
||||
uses: https://github.com/regclient/actions/regsync-installer@14f9d37db17b5dc41fefd1ffdd1af4b9e2490560 # main
|
||||
|
||||
- name: Check what images need mirroring
|
||||
run: |
|
||||
|
||||
@@ -17,7 +17,7 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
@@ -48,7 +48,7 @@ jobs:
|
||||
rust: ${{ steps.filter.outputs.rust }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
@@ -70,7 +70,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
|
||||
@@ -46,7 +46,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Prepare Docker build environment
|
||||
@@ -100,7 +100,7 @@ jobs:
|
||||
needs: build-release
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Create multi-platform manifest
|
||||
@@ -133,7 +133,7 @@ jobs:
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Prepare max-perf Docker build environment
|
||||
@@ -187,7 +187,7 @@ jobs:
|
||||
needs: build-maxperf
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: false
|
||||
- name: Create max-perf manifest
|
||||
|
||||
@@ -43,11 +43,11 @@ jobs:
|
||||
name: Renovate
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: ghcr.io/renovatebot/renovate:43.214.6@sha256:fd228b92f067204e444ddea1ec2fefb007592f9a46845e966f9334d5bd4bb52c
|
||||
image: ghcr.io/renovatebot/renovate:43.222.1@sha256:b9af3f59f3f4d92b2c41e9f4ca3ffe92400503f20158d0bd67d07a3fdbe781d2
|
||||
options: --tmpfs /tmp:exec
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
show-progress: false
|
||||
|
||||
|
||||
@@ -14,7 +14,7 @@ jobs:
|
||||
update-flake-hashes:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
persist-credentials: true
|
||||
token: ${{ secrets.FORGEJO_TOKEN }}
|
||||
|
||||
Generated
+174
-162
@@ -47,9 +47,9 @@ checksum = "cc7bb162ec39d46ab1ca8c77bf72e890535becd1751bb45f64c597edb4c8c6b3"
|
||||
|
||||
[[package]]
|
||||
name = "alloc-stdlib"
|
||||
version = "0.2.2"
|
||||
version = "0.2.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "94fb8275041c72129eb51b7d0322c29b8387a0386127718b096429201a5d6ece"
|
||||
checksum = "0e76a019e91224d279006ff972f1e984179a6e9feb050adba6ce8274aef23195"
|
||||
dependencies = [
|
||||
"alloc-no-stdlib",
|
||||
]
|
||||
@@ -461,15 +461,15 @@ dependencies = [
|
||||
"quote",
|
||||
"regex",
|
||||
"rustc-hash",
|
||||
"shlex",
|
||||
"shlex 1.3.0",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "bitflags"
|
||||
version = "2.11.1"
|
||||
version = "2.13.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
|
||||
checksum = "b4388bee8683e3d04af747c73422af53102d2bd24d9eadb6cbc100baef4b43f8"
|
||||
|
||||
[[package]]
|
||||
name = "blake2"
|
||||
@@ -491,9 +491,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "block-buffer"
|
||||
version = "0.12.0"
|
||||
version = "0.12.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "cdd35008169921d80bc60d3d0ab416eecb028c4cd653352907921d95084790be"
|
||||
checksum = "d2f6c7dbe95a6ed67ad9f18e57daf93a2f034c524b99fd2b76d18fdfeb6660aa"
|
||||
dependencies = [
|
||||
"hybrid-array",
|
||||
]
|
||||
@@ -509,9 +509,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "brotli"
|
||||
version = "8.0.2"
|
||||
version = "8.0.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "4bd8b9603c7aa97359dbd97ecf258968c95f3adddd6db2f7e7a5bef101c84560"
|
||||
checksum = "5cc91aac060a7a1e25823bdccbfb6af1875b88f17c6daac97894eed8207166b3"
|
||||
dependencies = [
|
||||
"alloc-no-stdlib",
|
||||
"alloc-stdlib",
|
||||
@@ -520,9 +520,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "brotli-decompressor"
|
||||
version = "5.0.0"
|
||||
version = "5.0.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "874bb8112abecc98cbd6d81ea4fa7e94fb9449648c93cc89aa40c81c24d7de03"
|
||||
checksum = "3a32acac15fe1967bc3986b2a6347dffc965602354ea6f450ad07e8bfd253583"
|
||||
dependencies = [
|
||||
"alloc-no-stdlib",
|
||||
"alloc-stdlib",
|
||||
@@ -566,9 +566,9 @@ checksum = "1e748733b7cbc798e1434b6ac524f0c1ff2ab456fe201501e6497c8417a4fc33"
|
||||
|
||||
[[package]]
|
||||
name = "bytesize"
|
||||
version = "2.3.1"
|
||||
version = "2.4.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "6bd91ee7b2422bcb158d90ef4d14f75ef67f340943fc4149891dcce8f8b972a3"
|
||||
checksum = "49e78e506b9d7633710dab98996f22f95f3d0f488e8f1aa162830556ed9fc14d"
|
||||
|
||||
[[package]]
|
||||
name = "bzip2-sys"
|
||||
@@ -625,14 +625,14 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "cc"
|
||||
version = "1.2.62"
|
||||
version = "1.2.64"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a1dce859f0832a7d088c4f1119888ab94ef4b5d6795d1ce05afb7fe159d79f98"
|
||||
checksum = "dad887fd958be91b5098c0248def011f4523ab786cd411be668777e55063501f"
|
||||
dependencies = [
|
||||
"find-msvc-tools",
|
||||
"jobserver",
|
||||
"libc",
|
||||
"shlex",
|
||||
"shlex 2.0.1",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -754,9 +754,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "cmov"
|
||||
version = "0.5.3"
|
||||
version = "0.5.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3f88a43d011fc4a6876cb7344703e297c71dda42494fee094d5f7c76bf13f746"
|
||||
checksum = "0c9ea0ac24bc397ab3c98583a3c9ba74fa56b09a4449bbe172b9b1ddb016027a"
|
||||
|
||||
[[package]]
|
||||
name = "color_quant"
|
||||
@@ -1066,7 +1066,7 @@ dependencies = [
|
||||
"either",
|
||||
"futures",
|
||||
"governor",
|
||||
"hickory-resolver 0.25.2",
|
||||
"hickory-resolver",
|
||||
"http",
|
||||
"image",
|
||||
"ipaddress",
|
||||
@@ -1088,6 +1088,7 @@ dependencies = [
|
||||
"serde",
|
||||
"serde-saphyr",
|
||||
"serde_json",
|
||||
"serde_urlencoded",
|
||||
"sha2 0.11.0",
|
||||
"termimad",
|
||||
"tokio",
|
||||
@@ -1107,18 +1108,29 @@ dependencies = [
|
||||
"axum",
|
||||
"axum-extra",
|
||||
"base64 0.22.1",
|
||||
"conduwuit_api",
|
||||
"conduwuit_build_metadata",
|
||||
"conduwuit_core",
|
||||
"conduwuit_database",
|
||||
"conduwuit_service",
|
||||
"form_urlencoded",
|
||||
"futures",
|
||||
"lettre",
|
||||
"memory-serve",
|
||||
"rand 0.10.1",
|
||||
"recaptcha-verify",
|
||||
"reqwest 0.12.28",
|
||||
"ruma",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"serde_urlencoded",
|
||||
"thiserror",
|
||||
"tower-http",
|
||||
"tower-sec-fetch",
|
||||
"tower-sessions",
|
||||
"tower-sessions-core",
|
||||
"tracing",
|
||||
"url",
|
||||
"validator",
|
||||
]
|
||||
|
||||
@@ -1535,7 +1547,7 @@ version = "0.5.8"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
|
||||
dependencies = [
|
||||
"powerfmt",
|
||||
"serde_core",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -1577,7 +1589,7 @@ version = "0.11.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f1dd6dbb5841937940781866fa1281a1ff7bd3bf827091440879f9994983d5c2"
|
||||
dependencies = [
|
||||
"block-buffer 0.12.0",
|
||||
"block-buffer 0.12.1",
|
||||
"crypto-common 0.2.2",
|
||||
"ctutils",
|
||||
]
|
||||
@@ -1594,9 +1606,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "displaydoc"
|
||||
version = "0.2.5"
|
||||
version = "0.2.6"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
|
||||
checksum = "1ac70aa55017e108007fbaf5aa0f54b021c98f92ff8af59d42eda9da96e3dd4f"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
@@ -1694,18 +1706,6 @@ dependencies = [
|
||||
"encoding_rs",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "enum-as-inner"
|
||||
version = "0.6.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "a1e6a265c649f3f5979b601d26f1d05ada116434c87741c9493cb56218f76cbc"
|
||||
dependencies = [
|
||||
"heck",
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
"syn",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "equivalent"
|
||||
version = "1.0.2"
|
||||
@@ -1719,7 +1719,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"windows-sys 0.52.0",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -2061,9 +2061,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "h2"
|
||||
version = "0.4.14"
|
||||
version = "0.4.15"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "171fefbc92fe4a4de27e0698d6a5b392d6a0e333506bc49133760b3bcf948733"
|
||||
checksum = "6cb093c84e8bd9b188d4c4a8cb6579fc016968d14c99882163cd3ff402a4f155"
|
||||
dependencies = [
|
||||
"atomic-waker",
|
||||
"bytes",
|
||||
@@ -2205,7 +2205,7 @@ dependencies = [
|
||||
"futures-channel",
|
||||
"futures-io",
|
||||
"futures-util",
|
||||
"hickory-proto 0.26.1",
|
||||
"hickory-proto",
|
||||
"idna",
|
||||
"ipnet",
|
||||
"jni",
|
||||
@@ -2217,32 +2217,6 @@ dependencies = [
|
||||
"url",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hickory-proto"
|
||||
version = "0.25.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f8a6fe56c0038198998a6f217ca4e7ef3a5e51f46163bd6dd60b5c71ca6c6502"
|
||||
dependencies = [
|
||||
"async-trait",
|
||||
"cfg-if",
|
||||
"data-encoding",
|
||||
"enum-as-inner",
|
||||
"futures-channel",
|
||||
"futures-io",
|
||||
"futures-util",
|
||||
"idna",
|
||||
"ipnet",
|
||||
"once_cell",
|
||||
"rand 0.9.4",
|
||||
"ring",
|
||||
"serde",
|
||||
"thiserror",
|
||||
"tinyvec",
|
||||
"tokio",
|
||||
"tracing",
|
||||
"url",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hickory-proto"
|
||||
version = "0.26.1"
|
||||
@@ -2257,34 +2231,13 @@ dependencies = [
|
||||
"prefix-trie",
|
||||
"rand 0.10.1",
|
||||
"ring",
|
||||
"serde",
|
||||
"thiserror",
|
||||
"tinyvec",
|
||||
"tracing",
|
||||
"url",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hickory-resolver"
|
||||
version = "0.25.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "dc62a9a99b0bfb44d2ab95a7208ac952d31060efc16241c87eaf36406fecf87a"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"futures-util",
|
||||
"hickory-proto 0.25.2",
|
||||
"ipconfig",
|
||||
"moka",
|
||||
"once_cell",
|
||||
"parking_lot",
|
||||
"rand 0.9.4",
|
||||
"resolv-conf",
|
||||
"serde",
|
||||
"smallvec",
|
||||
"thiserror",
|
||||
"tokio",
|
||||
"tracing",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "hickory-resolver"
|
||||
version = "0.26.1"
|
||||
@@ -2294,7 +2247,7 @@ dependencies = [
|
||||
"cfg-if",
|
||||
"futures-util",
|
||||
"hickory-net",
|
||||
"hickory-proto 0.26.1",
|
||||
"hickory-proto",
|
||||
"ipconfig",
|
||||
"ipnet",
|
||||
"jni",
|
||||
@@ -2304,6 +2257,7 @@ dependencies = [
|
||||
"parking_lot",
|
||||
"rand 0.10.1",
|
||||
"resolv-conf",
|
||||
"serde",
|
||||
"smallvec",
|
||||
"system-configuration",
|
||||
"thiserror",
|
||||
@@ -2347,9 +2301,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "http"
|
||||
version = "1.4.1"
|
||||
version = "1.4.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8be7462df143984c4598a256ef469b251d7d7f9e271135073e78fc535414f3d0"
|
||||
checksum = "6970f50e31d6fc17d3fa27329444bfa74e196cf62e95052a3f6fee181dba6425"
|
||||
dependencies = [
|
||||
"bytes",
|
||||
"itoa",
|
||||
@@ -2769,13 +2723,12 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "js-sys"
|
||||
version = "0.3.99"
|
||||
version = "0.3.102"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "142bc4740e452c1e57ade0cbc129f139c9093e354346f0872ef985f4f5cf5f11"
|
||||
checksum = "03d04c30968dffe80775bd4d7fb676131cd04a1fb46d2686dbffbaec2d9dfd31"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"futures-util",
|
||||
"once_cell",
|
||||
"wasm-bindgen",
|
||||
]
|
||||
|
||||
@@ -2900,9 +2853,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "libz-sys"
|
||||
version = "1.1.28"
|
||||
version = "1.1.29"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "fc3a226e576f50782b3305c5ccf458698f92798987f551c6a02efe8276721e22"
|
||||
checksum = "85bc9657773828b90eeb625adff10eeac83cc21bbfd8e23a03eaa8a33c9e28d9"
|
||||
dependencies = [
|
||||
"cc",
|
||||
"pkg-config",
|
||||
@@ -2911,9 +2864,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "link-section"
|
||||
version = "0.18.1"
|
||||
version = "0.18.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "014e440054ce8170890229eeef5bcda955305e056ec713de40ed366944483f09"
|
||||
checksum = "c2b1dd6fe32e55c0fc0ea9493aa57459ca3cf4ff3c857c7d0302290150da6e4f"
|
||||
|
||||
[[package]]
|
||||
name = "linked-hash-map"
|
||||
@@ -3050,9 +3003,9 @@ checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
|
||||
|
||||
[[package]]
|
||||
name = "memchr"
|
||||
version = "2.8.0"
|
||||
version = "2.8.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
|
||||
checksum = "88904434abc2901f197fe8cc55f0445e7ded921dba5911dad2e2b39b48e663c4"
|
||||
|
||||
[[package]]
|
||||
name = "memory-serve"
|
||||
@@ -3129,9 +3082,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "mio"
|
||||
version = "1.2.0"
|
||||
version = "1.2.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "50b7e5b27aa02a74bac8c3f23f448f8d87ff11f92d3aac1a6ed369ee08cc56c1"
|
||||
checksum = "02bd0af71c67b473010cbbc60715ee815645a4dc942899111f494b4b737d6fda"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"log",
|
||||
@@ -3227,7 +3180,7 @@ version = "0.50.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
|
||||
dependencies = [
|
||||
"windows-sys 0.60.2",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -3839,7 +3792,7 @@ version = "3.5.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
|
||||
dependencies = [
|
||||
"toml_edit 0.25.11+spec-1.1.0",
|
||||
"toml_edit 0.25.12+spec-1.1.0",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -3888,9 +3841,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "prost"
|
||||
version = "0.14.3"
|
||||
version = "0.14.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "d2ea70524a2f82d518bce41317d0fae74151505651af45faf1ffbd6fd33f0568"
|
||||
checksum = "528ac67416ff8646872a3c02cad9cc4ee5dc9f9540c9b10771855c95cb2e5ae1"
|
||||
dependencies = [
|
||||
"bytes",
|
||||
"prost-derive",
|
||||
@@ -3898,9 +3851,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "prost-derive"
|
||||
version = "0.14.3"
|
||||
version = "0.14.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "27c6023962132f4b30eb4c172c91ce92d933da334c59c23cddee82358ddafb0b"
|
||||
checksum = "b570b25f7617e43d59005d0990ccb79e950a423952cea19671b7a876da390adf"
|
||||
dependencies = [
|
||||
"anyhow",
|
||||
"itertools 0.14.0",
|
||||
@@ -3911,9 +3864,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "prost-types"
|
||||
version = "0.14.3"
|
||||
version = "0.14.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8991c4cbdb8bc5b11f0b074ffe286c30e523de90fee5ba8132f1399f23cb3dd7"
|
||||
checksum = "f94967dc7688f3054c7fac87473ffae4cc4c3904800e2d9f5b857246d8963b0a"
|
||||
dependencies = [
|
||||
"prost",
|
||||
]
|
||||
@@ -4118,9 +4071,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "regex"
|
||||
version = "1.12.3"
|
||||
version = "1.12.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "e10754a14b9137dd7b1e3e5b0493cc9171fdd105e0ab477f51b72e7f3ac0e276"
|
||||
checksum = "f1292b7759ae1cb9ec195452d1390a074f0cd8541ab7a5a8c31cd6db45d4a6ba"
|
||||
dependencies = [
|
||||
"aho-corasick",
|
||||
"memchr",
|
||||
@@ -4141,9 +4094,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "regex-syntax"
|
||||
version = "0.8.10"
|
||||
version = "0.8.11"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "dc897dd8d9e8bd1ed8cdad82b5966c3e0ecae09fb1907d58efaa013543185d0a"
|
||||
checksum = "d6f6ff9a378485b298a5286656da665ba74413d36db0979633275d2e708145d4"
|
||||
|
||||
[[package]]
|
||||
name = "reqwest"
|
||||
@@ -4196,7 +4149,7 @@ dependencies = [
|
||||
"h2",
|
||||
"h3",
|
||||
"h3-quinn",
|
||||
"hickory-resolver 0.26.1",
|
||||
"hickory-resolver",
|
||||
"http",
|
||||
"http-body",
|
||||
"http-body-util",
|
||||
@@ -4515,7 +4468,7 @@ dependencies = [
|
||||
"errno",
|
||||
"libc",
|
||||
"linux-raw-sys",
|
||||
"windows-sys 0.52.0",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -4536,9 +4489,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "rustls-native-certs"
|
||||
version = "0.8.3"
|
||||
version = "0.8.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
|
||||
checksum = "dab5152771c58876a2146916e53e35057e1a4dfa2b9df0f0305b07f611fdea4d"
|
||||
dependencies = [
|
||||
"openssl-probe",
|
||||
"rustls-pki-types",
|
||||
@@ -4574,7 +4527,7 @@ dependencies = [
|
||||
"security-framework",
|
||||
"security-framework-sys",
|
||||
"webpki-root-certs",
|
||||
"windows-sys 0.52.0",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -4847,7 +4800,7 @@ checksum = "dcc7fe48e34d02a97bc8e6253b8b91e5a47fe2c47eaacb5149cefbb69922eaf0"
|
||||
dependencies = [
|
||||
"ahash",
|
||||
"annotate-snippets",
|
||||
"base64 0.21.7",
|
||||
"base64 0.22.1",
|
||||
"encoding_rs_io",
|
||||
"getrandom 0.3.4",
|
||||
"granit-parser",
|
||||
@@ -5027,6 +4980,12 @@ version = "1.3.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
|
||||
|
||||
[[package]]
|
||||
name = "shlex"
|
||||
version = "2.0.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "f8fadd59c855ef2080decdef8ff161eb6661b86933c9d82e5ba29dc602a55aba"
|
||||
|
||||
[[package]]
|
||||
name = "signal-hook"
|
||||
version = "0.3.18"
|
||||
@@ -5113,21 +5072,21 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "smallvec"
|
||||
version = "1.15.1"
|
||||
version = "1.15.2"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "67b1b7a3b5fe4f1376887184045fcf45c69e92af734b7aaddc05fb777b6fbd03"
|
||||
checksum = "8ed6a63f02c8539c91a8685a86f4099661ba3da017932f6ebbea6de3f0fa7c90"
|
||||
dependencies = [
|
||||
"serde",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "socket2"
|
||||
version = "0.6.3"
|
||||
version = "0.6.4"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3a766e1110788c36f4fa1c2b71b387a7815aa65f88ce0229841826633d93723e"
|
||||
checksum = "52d1cfed4120b4d927bf7c0f86d2087a4a7d6027c906d9f9d525a80573b9be51"
|
||||
dependencies = [
|
||||
"libc",
|
||||
"windows-sys 0.60.2",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -5352,12 +5311,11 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "time"
|
||||
version = "0.3.47"
|
||||
version = "0.3.49"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
|
||||
checksum = "711a53c2d47bbd818258c498c8dbfe186a2526c631495cfe7e078567f86b8469"
|
||||
dependencies = [
|
||||
"deranged",
|
||||
"itoa",
|
||||
"num-conv",
|
||||
"powerfmt",
|
||||
"serde_core",
|
||||
@@ -5367,15 +5325,15 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "time-core"
|
||||
version = "0.1.8"
|
||||
version = "0.1.9"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
|
||||
checksum = "9e1c906769ad99c88eaa54e728060edef082f8e358ff32030cb7c7d315e81109"
|
||||
|
||||
[[package]]
|
||||
name = "time-macros"
|
||||
version = "0.2.27"
|
||||
version = "0.2.29"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
|
||||
checksum = "71c652a3727a9cbb9a02f707f530b618ce00d0ccd762009c8c23bd191df3c17d"
|
||||
dependencies = [
|
||||
"num-conv",
|
||||
"time-core",
|
||||
@@ -5563,9 +5521,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "toml_edit"
|
||||
version = "0.25.11+spec-1.1.0"
|
||||
version = "0.25.12+spec-1.1.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "0b59c4d22ed448339746c59b905d24568fcbb3ab65a500494f7b8c3e97739f2b"
|
||||
checksum = "d2153edc6955a6c354fad8f5efd38b6a8769bdccf9fe50f8e1329f81b0baa5d7"
|
||||
dependencies = [
|
||||
"indexmap",
|
||||
"toml_datetime 1.1.1+spec-1.1.0",
|
||||
@@ -5664,6 +5622,22 @@ dependencies = [
|
||||
"tracing",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tower-cookies"
|
||||
version = "0.11.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "151b5a3e3c45df17466454bb74e9ecedecc955269bdedbf4d150dfa393b55a36"
|
||||
dependencies = [
|
||||
"axum-core",
|
||||
"cookie",
|
||||
"futures-util",
|
||||
"http",
|
||||
"parking_lot",
|
||||
"pin-project-lite",
|
||||
"tower-layer",
|
||||
"tower-service",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tower-http"
|
||||
version = "0.6.11"
|
||||
@@ -5712,6 +5686,44 @@ version = "0.3.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "8df9b6e13f2d32c91b9bd719c00d1958837bc7dec474d94952798cc8e69eeec3"
|
||||
|
||||
[[package]]
|
||||
name = "tower-sessions"
|
||||
version = "0.15.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "518dca34b74a17cadfcee06e616a09d2bd0c3984eff1769e1e76d58df978fc78"
|
||||
dependencies = [
|
||||
"async-trait",
|
||||
"http",
|
||||
"time",
|
||||
"tokio",
|
||||
"tower-cookies",
|
||||
"tower-layer",
|
||||
"tower-service",
|
||||
"tower-sessions-core",
|
||||
"tracing",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tower-sessions-core"
|
||||
version = "0.15.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "568531ec3dfcf3ffe493de1958ae5662a0284ac5d767476ecdb6a34ff8c6b06c"
|
||||
dependencies = [
|
||||
"async-trait",
|
||||
"axum-core",
|
||||
"base64 0.22.1",
|
||||
"futures",
|
||||
"http",
|
||||
"parking_lot",
|
||||
"rand 0.9.4",
|
||||
"serde",
|
||||
"serde_json",
|
||||
"thiserror",
|
||||
"time",
|
||||
"tokio",
|
||||
"tracing",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "tracing"
|
||||
version = "0.1.44"
|
||||
@@ -5820,9 +5832,9 @@ checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
|
||||
|
||||
[[package]]
|
||||
name = "typenum"
|
||||
version = "1.20.0"
|
||||
version = "1.20.1"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
|
||||
checksum = "b6f5e870be6c3b371b77fe0ee0bafb859fa4964b4404c27de1d380043c4dda20"
|
||||
|
||||
[[package]]
|
||||
name = "typewit"
|
||||
@@ -5862,9 +5874,9 @@ checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-segmentation"
|
||||
version = "1.13.2"
|
||||
version = "1.13.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c"
|
||||
checksum = "c6f5d3c3b1bf09027a88a6bc961fc00497d651009560b5463668dc81b0fa87a8"
|
||||
|
||||
[[package]]
|
||||
name = "unicode-width"
|
||||
@@ -5923,9 +5935,9 @@ checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be"
|
||||
|
||||
[[package]]
|
||||
name = "uuid"
|
||||
version = "1.23.1"
|
||||
version = "1.23.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "ddd74a9687298c6858e9b88ec8935ec45d22e8fd5e6394fa1bd4e99a87789c76"
|
||||
checksum = "144d6b123cef80b301b8f72a9e2ca4370ddec21950d0a103dd22c437006d2db7"
|
||||
dependencies = [
|
||||
"getrandom 0.4.2",
|
||||
"js-sys",
|
||||
@@ -6008,9 +6020,9 @@ checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
|
||||
|
||||
[[package]]
|
||||
name = "wasip2"
|
||||
version = "1.0.3+wasi-0.2.9"
|
||||
version = "1.0.4+wasi-0.2.12"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
|
||||
checksum = "b67efb37e106e55ce722a510d6b5f9c17f083e5fc79afc2badeb12cc313d9487"
|
||||
dependencies = [
|
||||
"wit-bindgen 0.57.1",
|
||||
]
|
||||
@@ -6026,9 +6038,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "wasm-bindgen"
|
||||
version = "0.2.122"
|
||||
version = "0.2.125"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "3ed04576f974d2b2fba0f38c51dbc5518011e38c36bf1143164be765528fd409"
|
||||
checksum = "8ddb3f79143bced6de84270411622a2699cee572fc0875aeaf1e7867cf9fca1a"
|
||||
dependencies = [
|
||||
"cfg-if",
|
||||
"once_cell",
|
||||
@@ -6039,9 +6051,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "wasm-bindgen-futures"
|
||||
version = "0.4.72"
|
||||
version = "0.4.75"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9473dbd2991ae90b6291c3c32c30c6187ac49aa32f9905d1cce280ec1e110b0f"
|
||||
checksum = "503b14d284f2c8dac03b819967e155ea753f573586193b2b2c95990cb5d69280"
|
||||
dependencies = [
|
||||
"js-sys",
|
||||
"wasm-bindgen",
|
||||
@@ -6049,9 +6061,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "wasm-bindgen-macro"
|
||||
version = "0.2.122"
|
||||
version = "0.2.125"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "916151b09da36bd82f6615cbf3a419e2f0ba23a03c6160e8e92eb6bd4aa1dec6"
|
||||
checksum = "4e21a184b13fb19e157296e2c46056aec9092264fab83e4ba59e68c61b323c3d"
|
||||
dependencies = [
|
||||
"quote",
|
||||
"wasm-bindgen-macro-support",
|
||||
@@ -6059,9 +6071,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "wasm-bindgen-macro-support"
|
||||
version = "0.2.122"
|
||||
version = "0.2.125"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "299047362ccbfce148b67ab7e73349f77748e00c8296f9542adfad2ad82c5c5e"
|
||||
checksum = "fecefd9c35bd935a20fc3fc344b5f29138961e4f47fb03297d88f2587afb5ebd"
|
||||
dependencies = [
|
||||
"bumpalo",
|
||||
"proc-macro2",
|
||||
@@ -6072,9 +6084,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "wasm-bindgen-shared"
|
||||
version = "0.2.122"
|
||||
version = "0.2.125"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "9a929b2c61f11ba3e9bc35b50c1f25cb38e0e892c0c231ae2b8cf78d5dad4437"
|
||||
checksum = "23939e44bb9a5d7576fa2b563dc2e136628f1224e88a8deed09e04858b77871f"
|
||||
dependencies = [
|
||||
"unicode-ident",
|
||||
]
|
||||
@@ -6128,9 +6140,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "web-sys"
|
||||
version = "0.3.99"
|
||||
version = "0.3.102"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "6d621441cfc37b84979402712047321980c178f299193a3589d05b99e8763436"
|
||||
checksum = "a6430a72df5eb332242960fe84b3002a241163998241eb596d4f739b9757061d"
|
||||
dependencies = [
|
||||
"js-sys",
|
||||
"wasm-bindgen",
|
||||
@@ -6207,7 +6219,7 @@ version = "0.1.11"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
|
||||
dependencies = [
|
||||
"windows-sys 0.52.0",
|
||||
"windows-sys 0.61.2",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
@@ -6555,9 +6567,9 @@ checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
|
||||
|
||||
[[package]]
|
||||
name = "yoke"
|
||||
version = "0.8.2"
|
||||
version = "0.8.3"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "abe8c5fda708d9ca3df187cae8bfb9ceda00dd96231bed36e445a1a48e66f9ca"
|
||||
checksum = "709fe23a0424b6a435d82152b1bd3fdfb0833487d5fa90d05d42762a9891fef5"
|
||||
dependencies = [
|
||||
"stable_deref_trait",
|
||||
"yoke-derive",
|
||||
@@ -6578,18 +6590,18 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "zerocopy"
|
||||
version = "0.8.48"
|
||||
version = "0.8.52"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "eed437bf9d6692032087e337407a86f04cd8d6a16a37199ed57949d415bd68e9"
|
||||
checksum = "ce1022995ff5ff5d841ad7d994facc23098cd40152f2c1d11cd607c6f530653f"
|
||||
dependencies = [
|
||||
"zerocopy-derive",
|
||||
]
|
||||
|
||||
[[package]]
|
||||
name = "zerocopy-derive"
|
||||
version = "0.8.48"
|
||||
version = "0.8.52"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "70e3cd084b1788766f53af483dd21f93881ff30d7320490ec3ef7526d203bad4"
|
||||
checksum = "1ae7f38b72ec2a254e2b87ef277cf2cd4fb97cbebf944faa6f33354da0867930"
|
||||
dependencies = [
|
||||
"proc-macro2",
|
||||
"quote",
|
||||
@@ -6619,9 +6631,9 @@ dependencies = [
|
||||
|
||||
[[package]]
|
||||
name = "zeroize"
|
||||
version = "1.8.2"
|
||||
version = "1.9.0"
|
||||
source = "registry+https://github.com/rust-lang/crates.io-index"
|
||||
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
|
||||
checksum = "e13c156562582aa81c60cb29407084cdb54c4164760106ab78e6c5b0858cf64e"
|
||||
|
||||
[[package]]
|
||||
name = "zerotrie"
|
||||
|
||||
+4
-1
@@ -296,7 +296,7 @@ default-features = false
|
||||
features = ["env", "toml"]
|
||||
|
||||
[workspace.dependencies.hickory-resolver]
|
||||
version = "0.25.2"
|
||||
version = "0.26.0"
|
||||
default-features = false
|
||||
features = [
|
||||
"serde",
|
||||
@@ -559,6 +559,9 @@ features = ["std"]
|
||||
[workspace.dependencies.nonzero_ext]
|
||||
version = "0.3.0"
|
||||
|
||||
[workspace.dependencies.serde_urlencoded]
|
||||
version = "0.7.1"
|
||||
|
||||
#
|
||||
# Patches
|
||||
#
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
Users may now be forbidden from deactivating their own accounts with the new `allow_deactivation` config option. Contributed by @ginger.
|
||||
@@ -0,0 +1 @@
|
||||
Added support for authenticating clients using the new OAuth 2.0 login API. Contributed by @ginger.
|
||||
@@ -0,0 +1 @@
|
||||
Added example configuration using caddy-docker-proxy in the livekit setup section of the docs. Contributed by @Cease
|
||||
@@ -0,0 +1 @@
|
||||
Fixed admin commands being ignored when they had leading whitespace before admin commands. Contributed by @kitvonsnookerz.
|
||||
+37
-9
@@ -521,17 +521,15 @@
|
||||
#
|
||||
#recaptcha_private_site_key =
|
||||
|
||||
# Policy documents, such as terms and conditions or a privacy policy,
|
||||
# which users must agree to when registering an account.
|
||||
# Controls whether users are allowed to deactivate their own accounts
|
||||
# through the account management panel or their Matrix clients. Server
|
||||
# admins can always deactivate users using the relevant admin commands.
|
||||
#
|
||||
# Example:
|
||||
# ```ignore
|
||||
# [global.registration_terms.privacy_policy]
|
||||
# en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
|
||||
# es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
|
||||
# ```
|
||||
# Note that, in some jurisdictions, you may be legally required to honor
|
||||
# users who request to deactivate their accounts if you set this option
|
||||
# to `false`.
|
||||
#
|
||||
#registration_terms = {}
|
||||
#allow_deactivation = true
|
||||
|
||||
# Controls whether encrypted rooms and events are allowed.
|
||||
#
|
||||
@@ -1987,3 +1985,33 @@
|
||||
# `require_email_for_registration`.
|
||||
#
|
||||
#require_email_for_token_registration = false
|
||||
|
||||
#[global.registration_terms]
|
||||
|
||||
# The language code to provide to clients along with the policy documents.
|
||||
#
|
||||
#language = "en"
|
||||
|
||||
# Policy documents, such as terms and conditions or a privacy policy,
|
||||
# which users must agree to when registering an account.
|
||||
#
|
||||
# Example:
|
||||
# ```ignore
|
||||
# [global.registration_terms.documents]
|
||||
# privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
|
||||
# ```
|
||||
#
|
||||
#documents =
|
||||
|
||||
#[global.oauth]
|
||||
|
||||
# The compatibility mode to use for OAuth.
|
||||
#
|
||||
# - "disabled": OAuth will be unavailable. Users will only be able to log
|
||||
# in using legacy authentication.
|
||||
# - "hybrid": OAuth and legacy authentication will both be available. Some
|
||||
# clients may only use one or the other.
|
||||
# - "exclusive": Only OAuth will be available. Clients which require
|
||||
# legacy authentication will be unable to log in.
|
||||
#
|
||||
#compatibility_mode = "hybrid"
|
||||
|
||||
+1
-1
@@ -50,7 +50,7 @@ EOF
|
||||
|
||||
# Developer tool versions
|
||||
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
|
||||
ENV BINSTALL_VERSION=1.19.1
|
||||
ENV BINSTALL_VERSION=1.20.0
|
||||
# renovate: datasource=github-releases depName=psastras/sbom-rs
|
||||
ENV CARGO_SBOM_VERSION=0.9.1
|
||||
# renovate: datasource=crate depName=lddtree
|
||||
|
||||
@@ -18,7 +18,7 @@ RUN --mount=type=cache,target=/etc/apk/cache apk add \
|
||||
|
||||
# Developer tool versions
|
||||
# renovate: datasource=github-releases depName=cargo-bins/cargo-binstall
|
||||
ENV BINSTALL_VERSION=1.19.1
|
||||
ENV BINSTALL_VERSION=1.20.0
|
||||
# renovate: datasource=github-releases depName=psastras/sbom-rs
|
||||
ENV CARGO_SBOM_VERSION=0.9.1
|
||||
# renovate: datasource=crate depName=lddtree
|
||||
|
||||
@@ -187,6 +187,75 @@ ### 4. Configure your Reverse Proxy
|
||||
```
|
||||
|
||||
</details>
|
||||
<details>
|
||||
<summary>Example docker compose file with caddy-docker-proxy labels</summary>
|
||||
```yaml
|
||||
# This setup assumes all containers share the same bridge network
|
||||
services:
|
||||
lk-jwt-service:
|
||||
image: ghcr.io/element-hq/lk-jwt-service:latest
|
||||
container_name: lk-jwt-service
|
||||
# lk-jwt-service environment config here..
|
||||
labels:
|
||||
caddy: livekit.example.com
|
||||
caddy.@lk-jwt-service.path: "/sfu/get* /healthz* /get_token*"
|
||||
caddy.reverse_proxy: "@lk-jwt-service {{upstreams 8081}}"
|
||||
|
||||
|
||||
livekit:
|
||||
image: livekit/livekit-server:latest
|
||||
container_name: livekit
|
||||
command: --config /etc/livekit.yaml
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
caddy: livekit.example.com
|
||||
caddy.reverse_proxy: "{{upstreams 7880}}"
|
||||
volumes:
|
||||
- ./livekit.yaml:/etc/livekit.yaml:ro
|
||||
ports:
|
||||
- "127.0.0.1:7880:7880/tcp"
|
||||
- "7881:7881/tcp"
|
||||
- "50100-50200:50100-50200/udp"
|
||||
|
||||
|
||||
caddy:
|
||||
image: lucaslorentz/caddy-docker-proxy:ci-alpine
|
||||
ports:
|
||||
- 80:80
|
||||
- 443:443
|
||||
environment:
|
||||
- CADDY_INGRESS_NETWORKS=caddy
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
- ./data:/data
|
||||
restart: unless-stopped
|
||||
labels:
|
||||
# If you already configured `[global.well_known]` with Continuwuity,
|
||||
# comment out the *_respond labels and add this line
|
||||
# caddy.reverse_proxy: /.well-known/matrix/* homeserver:8008
|
||||
caddy.1_respond: /.well-known/matrix/server {"m.server":"matrix.example.com:443"}
|
||||
caddy.2_respond: /.well-known/matrix/client {"m.server":{"base_url":"https://matrix.example.com"},"m.homeserver":{"base_url":"https://matrix.example.com"},"org.matrix.msc4143.rtc_foci":[{"type":"livekit","livekit_service_url":"https://livekit.example.com"}]}
|
||||
|
||||
# If you are having problems with continuwuity serving headers uncomment
|
||||
# the header section below.
|
||||
|
||||
# caddy: example.com
|
||||
# caddy.0_header: "*"
|
||||
# caddy.0_header.Access-Control-Allow-Origin: "*"
|
||||
# caddy.0_header.Access-Control-Allow-Methods: "GET, POST, OPTIONS"
|
||||
# caddy.0_header.Access-Control-Allow-Headers: "Authorization"
|
||||
# caddy.0_header.Content-Type: "application/json"
|
||||
|
||||
homeserver:
|
||||
image: forgejo.ellis.link/continuwuation/continuwuity:latest
|
||||
restart: unless-stopped
|
||||
# add additional environment, volume, and network config here...
|
||||
labels:
|
||||
caddy: matrix.example.com
|
||||
caddy.reverse_proxy: "{{upstreams 8008}}"
|
||||
|
||||
```
|
||||
</details>
|
||||
|
||||
|
||||
### 6. Start Everything
|
||||
|
||||
Generated
+18
-18
@@ -3,11 +3,11 @@
|
||||
"advisory-db": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1779575509,
|
||||
"narHash": "sha256-wXKYURZz76ZC5lbuDA1oVQA/MxSB3pSJ1raF1HG0oIc=",
|
||||
"lastModified": 1781566179,
|
||||
"narHash": "sha256-Tqv8I586fYzWpEW/Smq/JqESFa3DVVzVWsnAMtvhy/I=",
|
||||
"owner": "rustsec",
|
||||
"repo": "advisory-db",
|
||||
"rev": "831c50f4a4304068f125e603add6a8839f08b3eb",
|
||||
"rev": "74e084413d979d52d2f93b1d93b1ab7b9ee648f5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -18,11 +18,11 @@
|
||||
},
|
||||
"crane": {
|
||||
"locked": {
|
||||
"lastModified": 1779130139,
|
||||
"narHash": "sha256-BLrtr42azquO7MdGFU5a7KiMl3YpFlTeIXqy1fT5GlQ=",
|
||||
"lastModified": 1780532242,
|
||||
"narHash": "sha256-D+BsdpxmtUwtqGoY0IXPhHgTlmqgcZKCEo1oMyn7ep0=",
|
||||
"owner": "ipetkov",
|
||||
"repo": "crane",
|
||||
"rev": "edb38893982a3338972bb4a2ec7ce7c29ba10fd9",
|
||||
"rev": "59a82a1222dd3b2080b5cc52a1a2e8d5f1b77f37",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -39,11 +39,11 @@
|
||||
"rust-analyzer-src": "rust-analyzer-src"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1779612045,
|
||||
"narHash": "sha256-+7lfNVnmXJDkiRYHd5NoNwYoyUcc0LcXPaIJqjO7VWM=",
|
||||
"lastModified": 1781527054,
|
||||
"narHash": "sha256-1fX9ev2Fh5QoKQ41G9dYutjo5j/jywu6tZse5Eb1Ck4=",
|
||||
"owner": "nix-community",
|
||||
"repo": "fenix",
|
||||
"rev": "d7be747f0a65af378de515fc3cee131bf99a008f",
|
||||
"rev": "8c2e51dffefc040a21975da7abf6f252c8c9b783",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -89,11 +89,11 @@
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1779508470,
|
||||
"narHash": "sha256-Ap9KJX+5xHIn3bPIpfNgT6MEXdAECECwo4/rmlQD74M=",
|
||||
"lastModified": 1781074563,
|
||||
"narHash": "sha256-md8WlXOlfnIeHeOScMTTHFyf2d6iaTwPl2apR5EQ3P4=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "29916453413845e54a65b8a1cf996842300cd299",
|
||||
"rev": "9ae611a455b90cf061d8f332b977e387bda8e1ca",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -132,11 +132,11 @@
|
||||
"rust-analyzer-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1779569060,
|
||||
"narHash": "sha256-NSnk5D+3KEfRdbgPijs33N2RAKSG6A74SwfnynLcouo=",
|
||||
"lastModified": 1781453968,
|
||||
"narHash": "sha256-+V3nK4pCngbmgyVGXY6Kkrlevp4ocPkJJLf2aqwkDNA=",
|
||||
"owner": "rust-lang",
|
||||
"repo": "rust-analyzer",
|
||||
"rev": "987ea33645ab1c709b1df6823038abcb2fe8973e",
|
||||
"rev": "cc272809a173c2c11d0e479d639c811c1eacf049",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
@@ -153,11 +153,11 @@
|
||||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1775636079,
|
||||
"narHash": "sha256-pc20NRoMdiar8oPQceQT47UUZMBTiMdUuWrYu2obUP0=",
|
||||
"lastModified": 1780220602,
|
||||
"narHash": "sha256-eynAfOmbmxJnkp7YewvCEbShNnnYJ9gLLqkzsYtBPeM=",
|
||||
"owner": "numtide",
|
||||
"repo": "treefmt-nix",
|
||||
"rev": "790751ff7fd3801feeaf96d7dc416a8d581265ba",
|
||||
"rev": "db947814a175b7ca6ded66e21383d938df01c227",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
||||
Generated
+174
-125
@@ -125,13 +125,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@rsbuild/core": {
|
||||
"version": "2.0.11",
|
||||
"resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.11.tgz",
|
||||
"integrity": "sha512-Mpp/viUSkVdSWJkFipdZxM2nUztrBwSnMm6Q86bPzLHtHnXqQ3VFpSMlA4wWRyySNddP6s6efKiVpx0ZOCf7Gg==",
|
||||
"version": "2.0.15",
|
||||
"resolved": "https://registry.npmjs.org/@rsbuild/core/-/core-2.0.15.tgz",
|
||||
"integrity": "sha512-O8vmMhZu1YImO6jOqt/K/vlJSvkq7UtSq5YM1DIlcEd9LW8Gf6/dkQ1B2KPI6F+hSMFBnTTTumdcIowSLCw97g==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@rspack/core": "~2.0.6",
|
||||
"@rspack/core": "~2.0.8",
|
||||
"@swc/helpers": "^0.5.23"
|
||||
},
|
||||
"bin": {
|
||||
@@ -169,28 +169,28 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@rspack/binding": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.6.tgz",
|
||||
"integrity": "sha512-z5EO9mPlmYNpHAlRGub0Chr6D+Klgy+tX36n7tCm7VRGRlwTmTU9wSENrYbHcCpFbegtrE0s30rDeTBeOu+JiQ==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding/-/binding-2.0.8.tgz",
|
||||
"integrity": "sha512-3uZ+y8aQxq33ty2srMxg2Nu0XuBI6vVrG50rkDaXqwWqOohfgGUSfFuQK7EnSUNy4aFUQlCG6NHialQHJov0wg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"optionalDependencies": {
|
||||
"@rspack/binding-darwin-arm64": "2.0.6",
|
||||
"@rspack/binding-darwin-x64": "2.0.6",
|
||||
"@rspack/binding-linux-arm64-gnu": "2.0.6",
|
||||
"@rspack/binding-linux-arm64-musl": "2.0.6",
|
||||
"@rspack/binding-linux-x64-gnu": "2.0.6",
|
||||
"@rspack/binding-linux-x64-musl": "2.0.6",
|
||||
"@rspack/binding-wasm32-wasi": "2.0.6",
|
||||
"@rspack/binding-win32-arm64-msvc": "2.0.6",
|
||||
"@rspack/binding-win32-ia32-msvc": "2.0.6",
|
||||
"@rspack/binding-win32-x64-msvc": "2.0.6"
|
||||
"@rspack/binding-darwin-arm64": "2.0.8",
|
||||
"@rspack/binding-darwin-x64": "2.0.8",
|
||||
"@rspack/binding-linux-arm64-gnu": "2.0.8",
|
||||
"@rspack/binding-linux-arm64-musl": "2.0.8",
|
||||
"@rspack/binding-linux-x64-gnu": "2.0.8",
|
||||
"@rspack/binding-linux-x64-musl": "2.0.8",
|
||||
"@rspack/binding-wasm32-wasi": "2.0.8",
|
||||
"@rspack/binding-win32-arm64-msvc": "2.0.8",
|
||||
"@rspack/binding-win32-ia32-msvc": "2.0.8",
|
||||
"@rspack/binding-win32-x64-msvc": "2.0.8"
|
||||
}
|
||||
},
|
||||
"node_modules/@rspack/binding-darwin-arm64": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.6.tgz",
|
||||
"integrity": "sha512-0giCKiWlBfcM4i2scv1j2k9HlSecO9Ybhaa5wsMUyvcFeKr9HbNHh7C2eDFlC6zaI85IUdY71TXF/g/Tcxr9MA==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-arm64/-/binding-darwin-arm64-2.0.8.tgz",
|
||||
"integrity": "sha512-vCgbgH7B7qom+uID+RCZsTCOYFb9wC4/4+1U6rMfytrXGVJ72eNQs2tbdjOl0lb18CT3N/n+VkWynUiLk84GwA==",
|
||||
"cpu": [
|
||||
"arm64"
|
||||
],
|
||||
@@ -202,9 +202,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-darwin-x64": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.6.tgz",
|
||||
"integrity": "sha512-/mMo2IpI02aOKMlHbVbZue3TJxFqHGX+ibVTdEO+6bzRSuHs7+R9KM5U3XH2YxcWJy5Sid1X1T1pJAjsXcE3rA==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-darwin-x64/-/binding-darwin-x64-2.0.8.tgz",
|
||||
"integrity": "sha512-satPm2PD4B7jDTVlVAdvMVdUszwLvWUEnUDzLb77mvVkezKNDZmuhb+e8s+FfKs8hJpNbZ9VAejuA2rr8o985w==",
|
||||
"cpu": [
|
||||
"x64"
|
||||
],
|
||||
@@ -216,9 +216,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-linux-arm64-gnu": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.6.tgz",
|
||||
"integrity": "sha512-H6ACzeM1KBxYDEF8YAim3501Jb1aCsSG79Gjm1M4pwJ5OJPK2ydiJEa438ugXmh0962eKYMHI2yZY0sQq8txaw==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-2.0.8.tgz",
|
||||
"integrity": "sha512-pSI+npPQE/uDtiboqvcOIRJbEV2+B+H1xffmko/gw50la92oTUW60kVULFwsb6L0+GVCzIcwX3yq60GtYIn+Ug==",
|
||||
"cpu": [
|
||||
"arm64"
|
||||
],
|
||||
@@ -233,9 +233,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-linux-arm64-musl": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.6.tgz",
|
||||
"integrity": "sha512-QTFmBg0n+L397Wi8CIjbd5pe/hxpHnqCDaG1A7e2NWX8Fj9zulAoKLiKflQa1ELEhAY4Foq88aX75+Ilt2tHcw==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-arm64-musl/-/binding-linux-arm64-musl-2.0.8.tgz",
|
||||
"integrity": "sha512-igjJ43yxWQ72GZqjDDZSSHax9/Vg+6rLMmOvFglTJUkQpB4Tyvu/YjW+WRjYj2xRw6blOjLxUSJWASvuSqqlvg==",
|
||||
"cpu": [
|
||||
"arm64"
|
||||
],
|
||||
@@ -250,9 +250,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-linux-x64-gnu": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.6.tgz",
|
||||
"integrity": "sha512-rerCAz022zf0ewxI+7n3SrqLEaxCL+MXRxKjK5FLUGFa8UkIrivq+VUP/1OB6JLh2Bucebc7Y9WoWHvtk22mLA==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-gnu/-/binding-linux-x64-gnu-2.0.8.tgz",
|
||||
"integrity": "sha512-zrkoEOnqj1hOEBO5T2I/2Ts2HSJsYFh1qXwMpK4dMJFGGNWDfNeUa6/LF5uq3VINF3JUl7RL47AgrucoSZJXPA==",
|
||||
"cpu": [
|
||||
"x64"
|
||||
],
|
||||
@@ -267,9 +267,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-linux-x64-musl": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.6.tgz",
|
||||
"integrity": "sha512-96IgOFXQjX6Wbxd+DCYJFy2r/VMu1OoHifW4Cr3kGTYDKoQOIMLwb0ieu/ILp2dGWFMZo5S8odiByAmNICAOIA==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-linux-x64-musl/-/binding-linux-x64-musl-2.0.8.tgz",
|
||||
"integrity": "sha512-6CtDaGZjNDvJd9TBp7a9zABbrPORO21W96+3ZcGBn0YNUPUk4ARxIxrTTpeJ/1F41QDM8AYIkGDdqEYMqTYBsA==",
|
||||
"cpu": [
|
||||
"x64"
|
||||
],
|
||||
@@ -284,9 +284,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-wasm32-wasi": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.6.tgz",
|
||||
"integrity": "sha512-0aWiF+qmdb0csp1x+MaR2o1pscoquLaEbLTVdKjmoTRs6sguMemtB1ObnVTahAUL73P66WePuNpFAJ81zNdqzQ==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-wasm32-wasi/-/binding-wasm32-wasi-2.0.8.tgz",
|
||||
"integrity": "sha512-Yf4SiqTUroT5Ju+te0YAY2xxKOb35tECsO21v7hYyGa705wrgoAK/MmF7enOvs9GR1iZIqgiLD/wxsIxl8GjJw==",
|
||||
"cpu": [
|
||||
"wasm32"
|
||||
],
|
||||
@@ -300,9 +300,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@rspack/binding-win32-arm64-msvc": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.6.tgz",
|
||||
"integrity": "sha512-BX638A1MXsjc2E3tUskVh3X/WBIHjLKK+lo395v7MmEL9u2BA6l3F6RyW+YaJOt5aEOOv83iA7iCZsviVZ49Uw==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-2.0.8.tgz",
|
||||
"integrity": "sha512-8NCuiQsAhXrwRBy57QZoypqrws/zLBkaQVGiB8hksr6v++8hNigNjqpQARLbd0iyMuHsQQ++8+auGk6xlDXmzw==",
|
||||
"cpu": [
|
||||
"arm64"
|
||||
],
|
||||
@@ -314,9 +314,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-win32-ia32-msvc": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.6.tgz",
|
||||
"integrity": "sha512-DCK/+MlN35uvH7tp4j0hbg8wIs9MHArMIrNZXtiD8xP6DNw2wrXcGC1VaxxR5apyWpqXAfIL/KsXBiWS3ygCvg==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-ia32-msvc/-/binding-win32-ia32-msvc-2.0.8.tgz",
|
||||
"integrity": "sha512-bxiekytbX7V9KFAra+HkwtNWC6pYfHEBBZFpiT0xUs3mCFOmAAFVBsBSQsoCP9AdCEXoMAvNdnrHNw3iov4OZw==",
|
||||
"cpu": [
|
||||
"ia32"
|
||||
],
|
||||
@@ -328,9 +328,9 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/binding-win32-x64-msvc": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.6.tgz",
|
||||
"integrity": "sha512-TxutgzdEX9BkAU/5liKxdQmggJ23INz7EZDWtzSJO6C2SiSYzTJdyPQDIJi1ddkM5TX/drzH184gAJMVOQefng==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/binding-win32-x64-msvc/-/binding-win32-x64-msvc-2.0.8.tgz",
|
||||
"integrity": "sha512-7zPs8YCe/ZVJTwd+5lpB0CP0tkn2pONf/T1ycmVY76u21Nrwt8mXQGc/2yH2eWP4B7fikYBr3hGr7mpR2fajqQ==",
|
||||
"cpu": [
|
||||
"x64"
|
||||
],
|
||||
@@ -342,13 +342,13 @@
|
||||
]
|
||||
},
|
||||
"node_modules/@rspack/core": {
|
||||
"version": "2.0.6",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.6.tgz",
|
||||
"integrity": "sha512-ronRqH1T2dYdMFVOQbGvDNxYaLugQK8qhNYYtS2DbOvPKQYvdIYWDenL9k/WV+hLoknnPWMn2ME2cKJcK3Po+g==",
|
||||
"version": "2.0.8",
|
||||
"resolved": "https://registry.npmjs.org/@rspack/core/-/core-2.0.8.tgz",
|
||||
"integrity": "sha512-+NLGJf8gZxihDmMFzjlly3toc2SMjeDmuvz0/Cai9AMdV4F+Pqcnt2BA9V4e3SY2jmhJQtPwgyyLtR1RiJO77g==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@rspack/binding": "2.0.6"
|
||||
"@rspack/binding": "2.0.8"
|
||||
},
|
||||
"engines": {
|
||||
"node": "^20.19.0 || >=22.12.0"
|
||||
@@ -474,14 +474,14 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/core": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.1.0.tgz",
|
||||
"integrity": "sha512-jLJtSJeuFffqX6/inRE1zqU5aFv2hrszvYgq3OjbAgFRZiWv7abKMDdQzYxuSDfmUPQozZvI/kuy6VMTvnvqTQ==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/core/-/core-4.2.0.tgz",
|
||||
"integrity": "sha512-Hc87Ab1Ld/vEbZRCbwx344I5v+4RU8CVToUTRkqXL1+TjbuOp9U5Xa0M23V4GEWHxVn+yO5otb+HkQVm3ptWQQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/primitive": "4.1.0",
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/primitive": "4.2.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@shikijs/vscode-textmate": "^10.0.2",
|
||||
"@types/hast": "^3.0.4",
|
||||
"hast-util-to-html": "^9.0.5"
|
||||
@@ -491,13 +491,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/engine-javascript": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.1.0.tgz",
|
||||
"integrity": "sha512-YquhawCUgaBfhsS72e2Y/dI59gCBNPHu3fEO/tvLaXrTssxZrY5ddjtNLTwndrMgPo8b3IscE+xoICDzpTmlFQ==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/engine-javascript/-/engine-javascript-4.2.0.tgz",
|
||||
"integrity": "sha512-fjETeq1k5ffyXqRgS6+3hpvqseLalp1kjNfRbXpUgWR8FpZ1CmQfiNHovc5lncYjt/Vg5JK/WJEmLahjwMa0og==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@shikijs/vscode-textmate": "^10.0.2",
|
||||
"oniguruma-to-es": "^4.3.6"
|
||||
},
|
||||
@@ -506,13 +506,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/engine-oniguruma": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.1.0.tgz",
|
||||
"integrity": "sha512-axLpjVs45YBvvINa+dJF+NPW+KtFkNXsFr4SDw2BMj9GdeMnGxVB9PQb2xXlJYovslt/nz6giedAyOANkfc7hg==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/engine-oniguruma/-/engine-oniguruma-4.2.0.tgz",
|
||||
"integrity": "sha512-hTorK1dffPkpbMUk6Z+828PgRo7d07HbnizoP0hNPFjhxMHctj0Px/qoHeGMYafc6ju+u9iMldN4JbVzNQM++g==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@shikijs/vscode-textmate": "^10.0.2"
|
||||
},
|
||||
"engines": {
|
||||
@@ -520,26 +520,26 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/langs": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.1.0.tgz",
|
||||
"integrity": "sha512-nwOMruEkbgdZfQ/b8CgpNBVOpvG1k0N5tbmgiFeqsan401+x3ILqlzZJowSla4Agmq4hG2Uf2wh5jLTEhR8VSg==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/langs/-/langs-4.2.0.tgz",
|
||||
"integrity": "sha512-bwrVRlJ0wUhZxAbVdvBbv2TTC9yLsh4C/IO5Ofz0T8MQntgDvyVnkbjw9vi50r1kx7RCIJdnJnjZAwmAsXFLZQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0"
|
||||
"@shikijs/types": "4.2.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=20"
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/primitive": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.1.0.tgz",
|
||||
"integrity": "sha512-zx2/2Uwj2q9X3KSyYREEhXO23xBw5WUhP4orK2lE4r+t9JGITmEe0JH+wPmJhqHpOT2bRRs6lAL945+LDvOAGw==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/primitive/-/primitive-4.2.0.tgz",
|
||||
"integrity": "sha512-NOq+DtUkVBJtZMVXL5A0vI0Xk8nvDYaXetFHSJFlOqjDZIVhIPRYFdGkSoElDqNuegikcc3A76SNUa8dTqtAYA==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@shikijs/vscode-textmate": "^10.0.2",
|
||||
"@types/hast": "^3.0.4"
|
||||
},
|
||||
@@ -548,16 +548,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/rehype": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.1.0.tgz",
|
||||
"integrity": "sha512-HQwltCcO2/UiFz44/8whyji4rP1VghLu++MgvQn+lQA8/gvuycGkay8DH8o8VAOvLBDKGOkBEw7cC1Cm33GObQ==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/rehype/-/rehype-4.2.0.tgz",
|
||||
"integrity": "sha512-ST3EWye/dwF1gWskczJNBnwFtDzEQ9ceytXZtyc/GfwR5V0qJrkoSGZO55O3SAKDDsXkTDcsfwd9pVe7ROlAHg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@types/hast": "^3.0.4",
|
||||
"hast-util-to-string": "^3.0.1",
|
||||
"shiki": "4.1.0",
|
||||
"shiki": "4.2.0",
|
||||
"unified": "^11.0.5",
|
||||
"unist-util-visit": "^5.1.0"
|
||||
},
|
||||
@@ -566,22 +566,22 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/themes": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.1.0.tgz",
|
||||
"integrity": "sha512-emCcTnUM7yO2wltYbaxm+yLvcCI4+h8XBKc4KmJ7EZUXoSGjcCHifkI//R4OFit9ewpg7H2/9tjOuXrT2v/Knw==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/themes/-/themes-4.2.0.tgz",
|
||||
"integrity": "sha512-RX8IHYeLv8Cu2W6ruc3RxUqWn0IYCqSrMBzi/uRGAmfyDNOnNO5BF/Px7o97n4XTpmFTo5GbRaazuOWj+2ak2w==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/types": "4.1.0"
|
||||
"@shikijs/types": "4.2.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=20"
|
||||
}
|
||||
},
|
||||
"node_modules/@shikijs/types": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.1.0.tgz",
|
||||
"integrity": "sha512-3EQWX54fMpniOrDblzAhiwiJwpiTMW6+B9DWyUd9ska483tbayFYuw47UxwuPknI31bKnySfVQ/QW+jFL4rFdA==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/@shikijs/types/-/types-4.2.0.tgz",
|
||||
"integrity": "sha512-VT/MKtlpOhEPZloSH3Pb9WCZEBDoQVMa9jedp5UAwmJOar1DVc9DRODAxmYPW9M93IK4ryuqRejFfmlvlVDemw==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@@ -668,9 +668,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/@types/mdx": {
|
||||
"version": "2.0.13",
|
||||
"resolved": "https://registry.npmjs.org/@types/mdx/-/mdx-2.0.13.tgz",
|
||||
"integrity": "sha512-+OWZQfAYyio6YkJb3HLxDrvnx6SWWDbC0zVPfBRzUk0/nqoDyf6dNxQi3eArPe8rJ473nobTMQ/8Zk+LxJ+Yuw==",
|
||||
"version": "2.0.14",
|
||||
"resolved": "https://registry.npmjs.org/@types/mdx/-/mdx-2.0.14.tgz",
|
||||
"integrity": "sha512-T48PeuJtvLosNTPVhfnIp3i/n3a4g4Bad7YCq5k64D4u7NwDrAotikQ+5+sjtUvBmxCMlbo3dVL+C2dP0rWHzg==",
|
||||
"dev": true,
|
||||
"license": "MIT"
|
||||
},
|
||||
@@ -682,9 +682,9 @@
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/@types/react": {
|
||||
"version": "19.2.15",
|
||||
"resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.15.tgz",
|
||||
"integrity": "sha512-eRwcGNHve+E8qtEQSSRl6urh+rFop4v8gm6O8rGv25CodbvFdLjA1vVQ1KkiFE0w0UPOnb8tDiFKL5lp0rtY5Q==",
|
||||
"version": "19.2.17",
|
||||
"resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.17.tgz",
|
||||
"integrity": "sha512-MXfmqaVPEVgkBT/aY0aGCkRWWtByiYQXo3xdQ8r5RzuFrPiRn8Gar2tQdXSUQ2GKV3bkXckek89V8wQBY2Q/Aw==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"peer": true,
|
||||
@@ -723,9 +723,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/acorn": {
|
||||
"version": "8.16.0",
|
||||
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
|
||||
"integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==",
|
||||
"version": "8.17.0",
|
||||
"resolved": "https://registry.npmjs.org/acorn/-/acorn-8.17.0.tgz",
|
||||
"integrity": "sha512-xRQbDb9BnwDafYNn6Vwl839DYVjqXYb1XVGtWAZ1kcDc6iwAL4hg3B1dZlRiuENFeO2H53gFG3in621AdERVAg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"bin": {
|
||||
@@ -1821,6 +1821,53 @@
|
||||
"url": "https://opencollective.com/unified"
|
||||
}
|
||||
},
|
||||
"node_modules/mdast-util-to-markdown-cjk-friendly": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/mdast-util-to-markdown-cjk-friendly/-/mdast-util-to-markdown-cjk-friendly-1.0.0.tgz",
|
||||
"integrity": "sha512-BoaAm8mlJ+LAYz0Qs532Y3ciTuQYgBUPZcSFbvC/ZKmEMAKgulw84YvQK1gI34t/vL2euSfuaWlqczkTBgamkw==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"mdast-util-to-markdown": "^2.1.2",
|
||||
"micromark-extension-cjk-friendly-util": "3.0.1",
|
||||
"micromark-util-symbol": "^2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=18"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"@types/mdast": "*"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"@types/mdast": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/mdast-util-to-markdown-cjk-friendly-gfm-strikethrough": {
|
||||
"version": "1.0.0",
|
||||
"resolved": "https://registry.npmjs.org/mdast-util-to-markdown-cjk-friendly-gfm-strikethrough/-/mdast-util-to-markdown-cjk-friendly-gfm-strikethrough-1.0.0.tgz",
|
||||
"integrity": "sha512-1ePVfB4P/vz3xSsm6H3D32r6VYGErxclnuLLFK02/2ReF+UdEKm7caulK6Vm0LBIp5gPRtB2Z1OYDznCkX3k2w==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"mdast-util-gfm-strikethrough": "^2.0.0",
|
||||
"mdast-util-to-markdown": "^2.1.2",
|
||||
"micromark-extension-cjk-friendly-util": "3.0.1",
|
||||
"micromark-util-symbol": "^2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=18"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"@types/mdast": "*"
|
||||
},
|
||||
"peerDependenciesMeta": {
|
||||
"@types/mdast": {
|
||||
"optional": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"node_modules/mdast-util-to-string": {
|
||||
"version": "4.0.0",
|
||||
"resolved": "https://registry.npmjs.org/mdast-util-to-string/-/mdast-util-to-string-4.0.0.tgz",
|
||||
@@ -2742,9 +2789,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/property-information": {
|
||||
"version": "7.1.0",
|
||||
"resolved": "https://registry.npmjs.org/property-information/-/property-information-7.1.0.tgz",
|
||||
"integrity": "sha512-TwEZ+X+yCJmYfL7TPUOcvBZ4QfoT5YenQiJuX//0th53DE6w0xxLEtfK3iyryQFddXuvkIk51EEgrJQ0WJkOmQ==",
|
||||
"version": "7.2.0",
|
||||
"resolved": "https://registry.npmjs.org/property-information/-/property-information-7.2.0.tgz",
|
||||
"integrity": "sha512-IAtzIB6sUiWaJYrX9smp3V46pBGbBeLFRGdh25kg1334VcBlD8HzhPeNIWQH9zhGmo2itIe25EHt9dQP7G5hmg==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"funding": {
|
||||
@@ -2753,9 +2800,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/react": {
|
||||
"version": "19.2.6",
|
||||
"resolved": "https://registry.npmjs.org/react/-/react-19.2.6.tgz",
|
||||
"integrity": "sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==",
|
||||
"version": "19.2.7",
|
||||
"resolved": "https://registry.npmjs.org/react/-/react-19.2.7.tgz",
|
||||
"integrity": "sha512-HNe9WslTbXmFK8o8cmwgAeJFSBvt1bPdHCVKtaaV+WlAN36mpT4hcRpwbf3fY56ar2oIXzsBpOAiIRHAdY0OlQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"engines": {
|
||||
@@ -2763,16 +2810,16 @@
|
||||
}
|
||||
},
|
||||
"node_modules/react-dom": {
|
||||
"version": "19.2.6",
|
||||
"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.6.tgz",
|
||||
"integrity": "sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==",
|
||||
"version": "19.2.7",
|
||||
"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.7.tgz",
|
||||
"integrity": "sha512-t0BRVXvbiE/o20Hfw669rLbMCDWtYZLvmJigy2f0MxsXF+71pxhR3xOkspmsO8h3ZlNzyibAmtCa3l4lYKk6gQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"scheduler": "^0.27.0"
|
||||
},
|
||||
"peerDependencies": {
|
||||
"react": "^19.2.6"
|
||||
"react": "^19.2.7"
|
||||
}
|
||||
},
|
||||
"node_modules/react-lazy-with-preload": {
|
||||
@@ -2822,9 +2869,9 @@
|
||||
}
|
||||
},
|
||||
"node_modules/react-router": {
|
||||
"version": "7.15.1",
|
||||
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.15.1.tgz",
|
||||
"integrity": "sha512-R8rl9HhgikFYoPJymnUtPXWbnDb3oget6lQnfIoupbt61aT9aOhRkDsY2XRhZRyX1Z/8a5sL74fXmFNm3NRK5A==",
|
||||
"version": "7.17.0",
|
||||
"resolved": "https://registry.npmjs.org/react-router/-/react-router-7.17.0.tgz",
|
||||
"integrity": "sha512-FDELK7rTMlCHO5+reyXsPlmfr7N1F91lPHsWYfMEGQm/KQ+F4JFM8jGoeQDmDvdTs93Fw9aSilH+uKRb4/jXvQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
@@ -2845,13 +2892,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/react-router-dom": {
|
||||
"version": "7.15.1",
|
||||
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.15.1.tgz",
|
||||
"integrity": "sha512-AzF62gjY6U9rkMq4RfP/r2EVtQ7DMfNMjyOp/flLTCrtRylLiK4wT4pSq6O8rOXZ2eXdZYJPEYe+ifomiv+Igg==",
|
||||
"version": "7.17.0",
|
||||
"resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.17.0.tgz",
|
||||
"integrity": "sha512-fyU2yjGups/hE6Xz0I5ZYbVL8Gx29eCjgpHaRaTaVU+OOAdfRX05KsvyRm0GO8YQwOkhpU3MurW1jyMUJn+zSw==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"react-router": "7.15.1"
|
||||
"react-router": "7.17.0"
|
||||
},
|
||||
"engines": {
|
||||
"node": ">=20.0.0"
|
||||
@@ -3011,12 +3058,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/remark-cjk-friendly": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/remark-cjk-friendly/-/remark-cjk-friendly-2.0.1.tgz",
|
||||
"integrity": "sha512-6WwkoQyZf/4j5k53zdFYrR8Ca+UVn992jXdLUSBDZR4eBpFhKyVxmA4gUHra/5fesjGIxrDhHesNr/sVoiiysA==",
|
||||
"version": "2.1.0",
|
||||
"resolved": "https://registry.npmjs.org/remark-cjk-friendly/-/remark-cjk-friendly-2.1.0.tgz",
|
||||
"integrity": "sha512-ZWGDfTJNLEZ1gap+pd33K13ZhRAWgVDqxKA7JIlBs5IDu+qvbiWl/pEbeuxzRrWyrrkeFFoTnvNw00iW9mBcow==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"mdast-util-to-markdown-cjk-friendly": "1.0.0",
|
||||
"micromark-extension-cjk-friendly": "2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
@@ -3033,12 +3081,13 @@
|
||||
}
|
||||
},
|
||||
"node_modules/remark-cjk-friendly-gfm-strikethrough": {
|
||||
"version": "2.0.1",
|
||||
"resolved": "https://registry.npmjs.org/remark-cjk-friendly-gfm-strikethrough/-/remark-cjk-friendly-gfm-strikethrough-2.0.1.tgz",
|
||||
"integrity": "sha512-pWKj25O2eLXIL1aBupayl1fKhco+Brw8qWUWJPVB9EBzbQNd7nGLj0nLmJpggWsGLR5j5y40PIdjxby9IEYTuA==",
|
||||
"version": "2.1.0",
|
||||
"resolved": "https://registry.npmjs.org/remark-cjk-friendly-gfm-strikethrough/-/remark-cjk-friendly-gfm-strikethrough-2.1.0.tgz",
|
||||
"integrity": "sha512-3Kyq2hjY7V7eU8MbVbWW6QQLN81pjJcIvKHvPxr8hZZmcq/9wqm3MJ3iUG34Ch9QTM4WHN+a1JVAVC1fSi5mig==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"mdast-util-to-markdown-cjk-friendly-gfm-strikethrough": "1.0.0",
|
||||
"micromark-extension-cjk-friendly-gfm-strikethrough": "2.0.1"
|
||||
},
|
||||
"engines": {
|
||||
@@ -3164,18 +3213,18 @@
|
||||
"license": "MIT"
|
||||
},
|
||||
"node_modules/shiki": {
|
||||
"version": "4.1.0",
|
||||
"resolved": "https://registry.npmjs.org/shiki/-/shiki-4.1.0.tgz",
|
||||
"integrity": "sha512-l/ABZPUR5v70jI10EzqfMS/I96vjSGv2y0ihUV+WYFzv0EfvW4s54m0Lg8wCrrL+2IkwBzFTuxkZjPf8b2NX9Q==",
|
||||
"version": "4.2.0",
|
||||
"resolved": "https://registry.npmjs.org/shiki/-/shiki-4.2.0.tgz",
|
||||
"integrity": "sha512-hjNax6o/ylDy9lefQEaSDtzaT3iVNtZ3WmpQnbuQNoG4xvnSKf2kSKbihZVO4JRG1TTMejs7CmNRYlWgAL66pQ==",
|
||||
"dev": true,
|
||||
"license": "MIT",
|
||||
"dependencies": {
|
||||
"@shikijs/core": "4.1.0",
|
||||
"@shikijs/engine-javascript": "4.1.0",
|
||||
"@shikijs/engine-oniguruma": "4.1.0",
|
||||
"@shikijs/langs": "4.1.0",
|
||||
"@shikijs/themes": "4.1.0",
|
||||
"@shikijs/types": "4.1.0",
|
||||
"@shikijs/core": "4.2.0",
|
||||
"@shikijs/engine-javascript": "4.2.0",
|
||||
"@shikijs/engine-oniguruma": "4.2.0",
|
||||
"@shikijs/langs": "4.2.0",
|
||||
"@shikijs/themes": "4.2.0",
|
||||
"@shikijs/types": "4.2.0",
|
||||
"@shikijs/vscode-textmate": "^10.0.2",
|
||||
"@types/hast": "^3.0.4"
|
||||
},
|
||||
|
||||
+1
-1
@@ -16,7 +16,7 @@
|
||||
};
|
||||
|
||||
#[derive(Debug, Parser)]
|
||||
#[command(name = conduwuit_core::name(), version = conduwuit_core::version())]
|
||||
#[command(name = conduwuit_core::BRANDING, version = conduwuit_core::version())]
|
||||
pub enum AdminCommand {
|
||||
#[command(subcommand)]
|
||||
/// Commands for managing appservices
|
||||
|
||||
@@ -30,14 +30,37 @@ pub(super) async fn issue_token(&self, expires: super::TokenExpires) -> Result {
|
||||
.issue_token(self.sender_or_service_user().into(), expires);
|
||||
|
||||
self.write_str(&format!(
|
||||
"New registration token issued: `{token}`. {}.",
|
||||
"New registration token issued: `{token}` . {}.",
|
||||
if let Some(expires) = info.expires {
|
||||
format!("{expires}")
|
||||
} else {
|
||||
"Never expires".to_owned()
|
||||
}
|
||||
))
|
||||
.await
|
||||
.await?;
|
||||
|
||||
if self
|
||||
.services
|
||||
.config
|
||||
.oauth
|
||||
.compatibility_mode
|
||||
.oauth_available()
|
||||
{
|
||||
self.write_str(&format!(
|
||||
"\nInvite link using this token: {}",
|
||||
self.services
|
||||
.config
|
||||
.get_client_domain()
|
||||
.join(&format!(
|
||||
"{}/account/register/?flow=trusted&token={token}",
|
||||
conduwuit::ROUTE_PREFIX
|
||||
))
|
||||
.unwrap()
|
||||
))
|
||||
.await?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[admin_command]
|
||||
|
||||
+13
-149
@@ -1,13 +1,10 @@
|
||||
use std::{
|
||||
collections::{BTreeMap, HashSet},
|
||||
fmt::Write as _,
|
||||
};
|
||||
use std::collections::{BTreeMap, HashSet};
|
||||
|
||||
use api::client::{
|
||||
full_user_deactivate, leave_room, recreate_push_rules_and_return, remote_leave_room,
|
||||
};
|
||||
use conduwuit::{
|
||||
Err, Result, debug_warn, error, info,
|
||||
Err, Result, debug_warn, info,
|
||||
matrix::{Event, pdu::PartialPdu},
|
||||
utils::{self, ReadyExt},
|
||||
warn,
|
||||
@@ -53,130 +50,22 @@ pub(super) async fn list_users(&self) -> Result {
|
||||
#[admin_command]
|
||||
pub(super) async fn create_user(&self, username: String, password: Option<String>) -> Result {
|
||||
// Validate user id
|
||||
let user_id = parse_local_user_id(self.services, &username)?;
|
||||
|
||||
if let Err(e) = user_id.validate_strict() {
|
||||
if self.services.config.emergency_password.is_none() {
|
||||
return Err!("Username {user_id} contains disallowed characters or spaces: {e}");
|
||||
}
|
||||
}
|
||||
|
||||
if self.services.users.exists(&user_id).await {
|
||||
return Err!("User {user_id} already exists");
|
||||
}
|
||||
|
||||
let password = password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH));
|
||||
|
||||
// Create user
|
||||
self.services
|
||||
.users
|
||||
.create(&user_id, Some(HashedPassword::new(&password)?))
|
||||
.await?;
|
||||
|
||||
// Default to pretty displayname
|
||||
let mut displayname = user_id.localpart().to_owned();
|
||||
|
||||
// If `new_user_displayname_suffix` is set, registration will push whatever
|
||||
// content is set to the user's display name with a space before it
|
||||
if !self
|
||||
let user_id = self
|
||||
.services
|
||||
.server
|
||||
.config
|
||||
.new_user_displayname_suffix
|
||||
.is_empty()
|
||||
{
|
||||
write!(displayname, " {}", self.services.server.config.new_user_displayname_suffix)?;
|
||||
}
|
||||
.users
|
||||
.determine_registration_user_id(Some(username), None, None)
|
||||
.await?;
|
||||
|
||||
let password = HashedPassword::new(
|
||||
&password.unwrap_or_else(|| utils::random_string(AUTO_GEN_PASSWORD_LENGTH)),
|
||||
)?;
|
||||
|
||||
self.services
|
||||
.users
|
||||
.set_displayname(&user_id, Some(displayname));
|
||||
.create_local_account(&user_id, password, None)
|
||||
.await;
|
||||
|
||||
// Initial account data
|
||||
self.services
|
||||
.account_data
|
||||
.update(
|
||||
None,
|
||||
&user_id,
|
||||
ruma::events::GlobalAccountDataEventType::PushRules
|
||||
.to_string()
|
||||
.into(),
|
||||
&serde_json::to_value(ruma::events::push_rules::PushRulesEvent::new(
|
||||
ruma::events::push_rules::PushRulesEventContent::new(
|
||||
ruma::push::Ruleset::server_default(&user_id),
|
||||
),
|
||||
))
|
||||
.unwrap(),
|
||||
)
|
||||
.await?;
|
||||
|
||||
if !self.services.server.config.auto_join_rooms.is_empty() {
|
||||
for room in &self.services.server.config.auto_join_rooms {
|
||||
let Ok(room_id) = self.services.rooms.alias.resolve(room).await else {
|
||||
error!(
|
||||
%user_id,
|
||||
"Failed to resolve room alias to room ID when attempting to auto join {room}, skipping"
|
||||
);
|
||||
continue;
|
||||
};
|
||||
|
||||
if !self
|
||||
.services
|
||||
.rooms
|
||||
.state_cache
|
||||
.server_in_room(self.services.globals.server_name(), &room_id)
|
||||
.await
|
||||
{
|
||||
warn!(
|
||||
"Skipping room {room} to automatically join as we have never joined before."
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
||||
if let Some(room_server_name) = room.server_name() {
|
||||
match self
|
||||
.services
|
||||
.rooms
|
||||
.membership
|
||||
.join_room(
|
||||
&user_id,
|
||||
&room_id,
|
||||
Some("Automatically joining this room upon registration".to_owned()),
|
||||
&[
|
||||
self.services.globals.server_name().to_owned(),
|
||||
room_server_name.to_owned(),
|
||||
],
|
||||
)
|
||||
.await
|
||||
{
|
||||
| Ok(_response) => {
|
||||
info!("Automatically joined room {room} for user {user_id}");
|
||||
},
|
||||
| Err(e) => {
|
||||
// don't return this error so we don't fail registrations
|
||||
error!(
|
||||
"Failed to automatically join room {room} for user {user_id}: {e}"
|
||||
);
|
||||
self.services
|
||||
.admin
|
||||
.send_text(&format!(
|
||||
"Failed to automatically join room {room} for user {user_id}: \
|
||||
{e}"
|
||||
))
|
||||
.await;
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// we dont add a device since we're not the user, just the creator
|
||||
|
||||
// Make the first user to register an administrator and disable first-run mode.
|
||||
self.services.firstrun.empower_first_user(&user_id).await?;
|
||||
|
||||
self.write_str(&format!("Created user with user_id: {user_id} and password: `{password}`"))
|
||||
.await
|
||||
self.write_str(&format!("Created user {user_id}")).await
|
||||
}
|
||||
|
||||
#[admin_command]
|
||||
@@ -302,31 +191,6 @@ pub(super) async fn reset_password(
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[admin_command]
|
||||
pub(super) async fn issue_password_reset_link(&self, username: String) -> Result {
|
||||
use conduwuit_service::password_reset::{PASSWORD_RESET_PATH, RESET_TOKEN_QUERY_PARAM};
|
||||
|
||||
self.bail_restricted()?;
|
||||
|
||||
let mut reset_url = self
|
||||
.services
|
||||
.config
|
||||
.get_client_domain()
|
||||
.join(PASSWORD_RESET_PATH)
|
||||
.unwrap();
|
||||
|
||||
let user_id = parse_local_user_id(self.services, &username)?;
|
||||
let token = self.services.password_reset.issue_token(user_id).await?;
|
||||
reset_url
|
||||
.query_pairs_mut()
|
||||
.append_pair(RESET_TOKEN_QUERY_PARAM, &token.token);
|
||||
|
||||
self.write_str(&format!("Password reset link issued for {username}: {reset_url}"))
|
||||
.await?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
#[admin_command]
|
||||
pub(super) async fn deactivate_all(&self, no_leave_rooms: bool, force: bool) -> Result {
|
||||
if self.body.len() < 2
|
||||
|
||||
@@ -29,12 +29,6 @@ pub enum UserCommand {
|
||||
password: Option<String>,
|
||||
},
|
||||
|
||||
/// Issue a self-service password reset link for a user.
|
||||
IssuePasswordResetLink {
|
||||
/// Username of the user who may use the link
|
||||
username: String,
|
||||
},
|
||||
|
||||
/// Get a user's associated email address.
|
||||
GetEmail {
|
||||
user_id: String,
|
||||
|
||||
@@ -24,7 +24,7 @@
|
||||
power_levels::RoomPowerLevelsEventContent,
|
||||
},
|
||||
};
|
||||
use service::{mailer::messages, uiaa::Identity, users::HashedPassword};
|
||||
use service::{mailer::messages, uiaa::UiaaInitiator, users::HashedPassword};
|
||||
|
||||
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
|
||||
use crate::{Ruma, router::ClientIdentity};
|
||||
@@ -49,39 +49,16 @@ pub(crate) async fn get_register_available_route(
|
||||
ClientIp(client): ClientIp,
|
||||
body: Ruma<get_username_availability::v3::Request>,
|
||||
) -> Result<get_username_availability::v3::Response> {
|
||||
// Validate user id
|
||||
let user_id =
|
||||
match UserId::parse_with_server_name(&body.username, services.globals.server_name()) {
|
||||
| Ok(user_id) => {
|
||||
if let Err(e) = user_id.validate_strict() {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {} contains disallowed characters or spaces: {e}",
|
||||
body.username
|
||||
))));
|
||||
}
|
||||
|
||||
user_id
|
||||
},
|
||||
| Err(e) => {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {} is not valid: {e}",
|
||||
body.username
|
||||
))));
|
||||
},
|
||||
};
|
||||
|
||||
// Check if username is creative enough
|
||||
if services.users.exists(&user_id).await {
|
||||
return Err!(Request(UserInUse("User ID is not available.")));
|
||||
}
|
||||
|
||||
if let Some(ClientIdentity::Appservice { appservice_info, .. }) = &body.identity
|
||||
&& !appservice_info.is_user_match(&user_id)
|
||||
{
|
||||
return Err!(Request(Exclusive("Username is not in an appservice namespace.")));
|
||||
} else if services.appservice.is_exclusive_user_id(&user_id).await {
|
||||
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
|
||||
}
|
||||
let _ = services
|
||||
.users
|
||||
.determine_registration_user_id(
|
||||
Some(body.username.clone()),
|
||||
None,
|
||||
body.identity
|
||||
.as_ref()
|
||||
.and_then(ClientIdentity::appservice_info),
|
||||
)
|
||||
.await?;
|
||||
|
||||
Ok(get_username_availability::v3::Response::new(true))
|
||||
}
|
||||
@@ -109,12 +86,7 @@ pub(crate) async fn change_password_route(
|
||||
ClientIp(client): ClientIp,
|
||||
body: Ruma<change_password::v3::Request>,
|
||||
) -> Result<change_password::v3::Response> {
|
||||
let identity = if let Some(user_id) = body
|
||||
.identity
|
||||
.as_ref()
|
||||
.map(ClientIdentity::expect_sender_user)
|
||||
.transpose()?
|
||||
{
|
||||
let identity = if let Some(identity) = body.identity.as_ref() {
|
||||
// A signed-in user is trying to change their password, prompt them for their
|
||||
// existing one
|
||||
|
||||
@@ -124,7 +96,10 @@ pub(crate) async fn change_password_route(
|
||||
&body.auth,
|
||||
vec![AuthFlow::new(vec![AuthType::Password])],
|
||||
Box::default(),
|
||||
Some(Identity::from_user_id(user_id)),
|
||||
Some(UiaaInitiator::new(
|
||||
identity.expect_sender_user()?,
|
||||
identity.sender_device(),
|
||||
)),
|
||||
)
|
||||
.await?
|
||||
} else {
|
||||
@@ -280,16 +255,24 @@ pub(crate) async fn deactivate_route(
|
||||
) -> Result<deactivate::v3::Response> {
|
||||
// Authentication for this endpoint is technically optional,
|
||||
// but we require the user to be logged in
|
||||
let sender_user = body
|
||||
let identity = body
|
||||
.identity
|
||||
.as_ref()
|
||||
.map(ClientIdentity::expect_sender_user)
|
||||
.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))??;
|
||||
.ok_or_else(|| err!(Request(MissingToken("Missing access token."))))?;
|
||||
|
||||
let sender_user = identity.expect_sender_user()?;
|
||||
|
||||
if !services.config.allow_deactivation {
|
||||
return Err!(Request(Unauthorized(
|
||||
"You may not deactivate your own account. Contact your server's administrator for \
|
||||
assistance."
|
||||
)));
|
||||
}
|
||||
|
||||
// Prompt the user to confirm with their password using UIAA
|
||||
let _ = services
|
||||
.uiaa
|
||||
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
|
||||
.authenticate_password(&body.auth, sender_user, identity.sender_device(), None)
|
||||
.await?;
|
||||
|
||||
// Remove profile pictures and display name
|
||||
|
||||
@@ -1,17 +1,15 @@
|
||||
use std::{collections::HashMap, fmt::Write};
|
||||
use std::collections::HashMap;
|
||||
|
||||
use axum::extract::State;
|
||||
use axum_client_ip::ClientIp;
|
||||
use conduwuit::{
|
||||
Err, Result, debug_info, error, info,
|
||||
Err, Result, debug_info, info,
|
||||
utils::{self},
|
||||
warn,
|
||||
};
|
||||
use conduwuit_service::Services;
|
||||
use futures::{FutureExt, StreamExt};
|
||||
use futures::StreamExt;
|
||||
use lettre::{Address, message::Mailbox};
|
||||
use ruma::{
|
||||
OwnedUserId, UserId,
|
||||
api::client::{
|
||||
account::{
|
||||
register::{self, LoginType, RegistrationKind},
|
||||
@@ -20,11 +18,6 @@
|
||||
uiaa::{AuthFlow, AuthType},
|
||||
},
|
||||
assign,
|
||||
events::{
|
||||
GlobalAccountDataEventType, push_rules::PushRulesEvent,
|
||||
room::message::RoomMessageEventContent,
|
||||
},
|
||||
push,
|
||||
};
|
||||
use serde_json::value::RawValue;
|
||||
use service::{mailer::messages, users::HashedPassword};
|
||||
@@ -32,8 +25,6 @@
|
||||
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
|
||||
use crate::Ruma;
|
||||
|
||||
const RANDOM_USER_ID_LENGTH: usize = 10;
|
||||
|
||||
/// # `POST /_matrix/client/v3/register`
|
||||
///
|
||||
/// Register an account on this homeserver.
|
||||
@@ -52,8 +43,6 @@ pub(crate) async fn register_route(
|
||||
return Err!(Request(GuestAccessForbidden("Guests may not register on this server.")));
|
||||
}
|
||||
|
||||
let emergency_mode_enabled = services.config.emergency_password.is_some();
|
||||
|
||||
// Allow registration if it's enabled in the config file or if this is the first
|
||||
// run (so the first user account can be created)
|
||||
let allow_registration =
|
||||
@@ -71,99 +60,59 @@ pub(crate) async fn register_route(
|
||||
)));
|
||||
}
|
||||
|
||||
let identity = if body.identity.is_some() {
|
||||
// Appservices can skip auth
|
||||
None
|
||||
let user_id = if body.body.login_type == Some(LoginType::ApplicationService) {
|
||||
let Some(appservice_info) = &body.identity else {
|
||||
return Err!(Request(Forbidden(
|
||||
"Only appservices can use the appservice login type."
|
||||
)));
|
||||
};
|
||||
|
||||
let user_id = services
|
||||
.users
|
||||
.determine_registration_user_id(body.username.clone(), None, Some(appservice_info))
|
||||
.await?;
|
||||
|
||||
services.users.create(&user_id, None).await?;
|
||||
|
||||
user_id
|
||||
} else {
|
||||
// Perform UIAA to determine the user's identity
|
||||
let (flows, params) = create_registration_uiaa_session(&services).await?;
|
||||
|
||||
Some(
|
||||
services
|
||||
.uiaa
|
||||
.authenticate(&body.auth, flows, params, None)
|
||||
.await?,
|
||||
)
|
||||
};
|
||||
|
||||
// If the user didn't supply a username but did supply an email, use
|
||||
// the email's user as their initial localpart to avoid falling back to
|
||||
// a randomly generated localpart
|
||||
let supplied_username = body.username.clone().or_else(|| {
|
||||
if let Some(identity) = &identity
|
||||
&& let Some(email) = &identity.email
|
||||
{
|
||||
Some(email.user().to_owned())
|
||||
} else {
|
||||
None
|
||||
}
|
||||
});
|
||||
|
||||
let user_id =
|
||||
determine_registration_user_id(&services, supplied_username, emergency_mode_enabled)
|
||||
let identity = services
|
||||
.uiaa
|
||||
.authenticate(&body.auth, flows, params, None)
|
||||
.await?;
|
||||
|
||||
if body.body.login_type == Some(LoginType::ApplicationService) {
|
||||
// For appservice logins, make sure that the user ID is in the appservice's
|
||||
// namespace
|
||||
let password = if let Some(password) = &body.password {
|
||||
HashedPassword::new(password)?
|
||||
} else {
|
||||
return Err!(Request(InvalidParam("A password must be provided.")));
|
||||
};
|
||||
|
||||
match body.identity {
|
||||
| Some(ref info) =>
|
||||
if !info.is_user_match(&user_id) && !emergency_mode_enabled {
|
||||
return Err!(Request(Exclusive(
|
||||
"Username is not in an appservice namespace."
|
||||
)));
|
||||
},
|
||||
| _ => {
|
||||
return Err!(Request(MissingToken("Missing appservice token.")));
|
||||
},
|
||||
}
|
||||
} else if services.appservice.is_exclusive_user_id(&user_id).await && !emergency_mode_enabled
|
||||
{
|
||||
// For non-appservice logins, ban user IDs which are in an appservice's
|
||||
// namespace (unless emergency mode is enabled)
|
||||
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
|
||||
}
|
||||
let user_id = services
|
||||
.users
|
||||
.determine_registration_user_id(body.username.clone(), identity.email.as_ref(), None)
|
||||
.await?;
|
||||
|
||||
let password = if body.identity.is_some() {
|
||||
None
|
||||
} else if let Some(password) = body.password.as_deref() {
|
||||
Some(HashedPassword::new(password)?)
|
||||
} else {
|
||||
return Err!(Request(InvalidParam("A password must be provided")));
|
||||
services
|
||||
.users
|
||||
.create_local_account(&user_id, password, identity.email)
|
||||
.await;
|
||||
|
||||
user_id
|
||||
};
|
||||
|
||||
// Create user
|
||||
services.users.create(&user_id, password).await?;
|
||||
|
||||
// Set an initial display name
|
||||
let mut displayname = user_id.localpart().to_owned();
|
||||
|
||||
// Apply the new user displayname suffix, if it's set
|
||||
if !services.globals.new_user_displayname_suffix().is_empty() && body.identity.is_none() {
|
||||
write!(displayname, " {}", services.server.config.new_user_displayname_suffix)?;
|
||||
}
|
||||
|
||||
services
|
||||
.users
|
||||
.set_displayname(&user_id, Some(displayname.clone()));
|
||||
|
||||
// Initial account data
|
||||
services
|
||||
.account_data
|
||||
.update(
|
||||
None,
|
||||
&user_id,
|
||||
GlobalAccountDataEventType::PushRules.to_string().into(),
|
||||
&serde_json::to_value(PushRulesEvent::new(
|
||||
push::Ruleset::server_default(&user_id).into(),
|
||||
))
|
||||
.expect("should be able to serialize push rules"),
|
||||
)
|
||||
.await?;
|
||||
|
||||
// Generate new device id if the user didn't specify one
|
||||
let (token, device) = if !body.inhibit_login {
|
||||
// If UIAA is disabled, we can't create a device. In that case only appservices
|
||||
// can reach this point in the first place, so we return an error for them.
|
||||
if !services.config.oauth.compatibility_mode.uiaa_available() {
|
||||
return Err!(Request(AppserviceLoginUnsupported(
|
||||
"User-interactive appservice registration is not available on this server."
|
||||
)));
|
||||
}
|
||||
|
||||
// Generate new device id if the user didn't specify one
|
||||
let device_id = body
|
||||
.device_id
|
||||
.clone()
|
||||
@@ -179,6 +128,7 @@ pub(crate) async fn register_route(
|
||||
&user_id,
|
||||
&device_id,
|
||||
&new_token,
|
||||
None,
|
||||
body.initial_device_display_name.clone(),
|
||||
Some(client.to_string()),
|
||||
)
|
||||
@@ -189,118 +139,7 @@ pub(crate) async fn register_route(
|
||||
(None, None)
|
||||
};
|
||||
|
||||
debug_info!(%user_id, ?device, "User account was created");
|
||||
|
||||
// If the user registered with an email, associate it with their account.
|
||||
if let Some(identity) = identity
|
||||
&& let Some(email) = identity.email
|
||||
{
|
||||
// This may fail if the email is already in use, but we already check for that
|
||||
// in `/requestToken`, so ignoring the error is acceptable here in the rare case
|
||||
// that an email is sniped by another user between the `/requestToken` request
|
||||
// and the `/register` request.
|
||||
let _ = services
|
||||
.threepid
|
||||
.associate_localpart_email(user_id.localpart(), &email)
|
||||
.await;
|
||||
}
|
||||
|
||||
let device_display_name = body.initial_device_display_name.as_deref().unwrap_or("");
|
||||
|
||||
if body.identity.is_none() {
|
||||
if !device_display_name.is_empty() {
|
||||
let notice = format!(
|
||||
"New user \"{user_id}\" registered on this server from IP {client} and device \
|
||||
display name \"{device_display_name}\""
|
||||
);
|
||||
|
||||
info!("{notice}");
|
||||
if services.server.config.admin_room_notices {
|
||||
services.admin.notice(¬ice).await;
|
||||
}
|
||||
} else {
|
||||
let notice = format!("New user \"{user_id}\" registered on this server.");
|
||||
|
||||
info!("{notice}");
|
||||
if services.server.config.admin_room_notices {
|
||||
services.admin.notice(¬ice).await;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Make the first user to register an administrator and disable first-run mode.
|
||||
let was_first_user = services.firstrun.empower_first_user(&user_id).await?;
|
||||
|
||||
// If the registering user was not the first and we're suspending users on
|
||||
// register, suspend them.
|
||||
if !was_first_user && services.config.suspend_on_register {
|
||||
// Note that we can still do auto joins for suspended users
|
||||
services
|
||||
.users
|
||||
.suspend_account(&user_id, &services.globals.server_user)
|
||||
.await;
|
||||
// And send an @room notice to the admin room, to prompt admins to review the
|
||||
// new user and ideally unsuspend them if deemed appropriate.
|
||||
if services.server.config.admin_room_notices {
|
||||
services
|
||||
.admin
|
||||
.send_loud_message(RoomMessageEventContent::text_plain(format!(
|
||||
"User {user_id} has been suspended as they are not the first user on this \
|
||||
server. Please review and unsuspend them if appropriate."
|
||||
)))
|
||||
.await
|
||||
.ok();
|
||||
}
|
||||
}
|
||||
|
||||
if body.identity.is_none() && !services.server.config.auto_join_rooms.is_empty() {
|
||||
for room in &services.server.config.auto_join_rooms {
|
||||
let Ok(room_id) = services.rooms.alias.resolve(room).await else {
|
||||
error!(
|
||||
"Failed to resolve room alias to room ID when attempting to auto join \
|
||||
{room}, skipping"
|
||||
);
|
||||
continue;
|
||||
};
|
||||
|
||||
if !services
|
||||
.rooms
|
||||
.state_cache
|
||||
.server_in_room(services.globals.server_name(), &room_id)
|
||||
.await
|
||||
{
|
||||
warn!(
|
||||
"Skipping room {room} to automatically join as we have never joined before."
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
||||
if let Some(room_server_name) = room.server_name() {
|
||||
match services
|
||||
.rooms
|
||||
.membership
|
||||
.join_room(
|
||||
&user_id,
|
||||
&room_id,
|
||||
Some("Automatically joining this room upon registration".to_owned()),
|
||||
&[services.globals.server_name().to_owned(), room_server_name.to_owned()],
|
||||
)
|
||||
.boxed()
|
||||
.await
|
||||
{
|
||||
| Err(e) => {
|
||||
// don't return this error so we don't fail registrations
|
||||
error!(
|
||||
"Failed to automatically join room {room} for user {user_id}: {e}"
|
||||
);
|
||||
},
|
||||
| _ => {
|
||||
info!("Automatically joined room {room} for user {user_id}");
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
debug_info!(%user_id, ?device, "New account created via legacy registration");
|
||||
|
||||
Ok(assign!(register::v3::Response::new(user_id), {
|
||||
access_token: token,
|
||||
@@ -372,21 +211,21 @@ async fn create_registration_uiaa_session(
|
||||
|
||||
// Require all users to agree to the terms and conditions, if configured
|
||||
let terms = &services.config.registration_terms;
|
||||
if !terms.is_empty() {
|
||||
let mut terms =
|
||||
serde_json::to_value(terms.clone()).expect("failed to serialize terms");
|
||||
if !terms.documents.is_empty() {
|
||||
let mut terms_map = HashMap::new();
|
||||
|
||||
// Insert a dummy `version` field
|
||||
for (_, documents) in terms.as_object_mut().unwrap() {
|
||||
let documents = documents.as_object_mut().unwrap();
|
||||
|
||||
documents.insert("version".to_owned(), "latest".into());
|
||||
for (id, document) in &terms.documents {
|
||||
terms_map.insert(id.to_owned(), serde_json::json!({
|
||||
terms.language.clone(): serde_json::to_value(document).expect("should be able to serialize document")
|
||||
}));
|
||||
}
|
||||
|
||||
terms_map.insert("version".to_owned(), "latest".into());
|
||||
|
||||
params.insert(
|
||||
AuthType::Terms.as_str().to_owned(),
|
||||
serde_json::json!({
|
||||
"policies": terms,
|
||||
"policies": terms_map,
|
||||
}),
|
||||
);
|
||||
|
||||
@@ -419,81 +258,6 @@ async fn create_registration_uiaa_session(
|
||||
Ok((flows, params))
|
||||
}
|
||||
|
||||
async fn determine_registration_user_id(
|
||||
services: &Services,
|
||||
supplied_username: Option<String>,
|
||||
emergency_mode_enabled: bool,
|
||||
) -> Result<OwnedUserId> {
|
||||
if let Some(supplied_username) = supplied_username {
|
||||
// The user gets to pick their username. Do some validation to make sure it's
|
||||
// acceptable.
|
||||
|
||||
// Don't allow registration with forbidden usernames.
|
||||
if services
|
||||
.globals
|
||||
.forbidden_usernames()
|
||||
.is_match(&supplied_username)
|
||||
&& !emergency_mode_enabled
|
||||
{
|
||||
return Err!(Request(Forbidden("Username is forbidden")));
|
||||
}
|
||||
|
||||
// Create and validate the user ID
|
||||
let user_id = match UserId::parse_with_server_name(
|
||||
&supplied_username,
|
||||
services.globals.server_name(),
|
||||
) {
|
||||
| Ok(user_id) => {
|
||||
if let Err(e) = user_id.validate_strict() {
|
||||
// Unless we are in emergency mode, we should follow synapse's behaviour on
|
||||
// not allowing things like spaces and UTF-8 characters in usernames
|
||||
if !emergency_mode_enabled {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {supplied_username} contains disallowed characters or \
|
||||
spaces: {e}"
|
||||
))));
|
||||
}
|
||||
}
|
||||
|
||||
// Don't allow registration with user IDs that aren't local
|
||||
if !services.globals.user_is_local(&user_id) {
|
||||
return Err!(Request(InvalidUsername(
|
||||
"Username {supplied_username} is not local to this server"
|
||||
)));
|
||||
}
|
||||
|
||||
user_id
|
||||
},
|
||||
| Err(e) => {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {supplied_username} is not valid: {e}"
|
||||
))));
|
||||
},
|
||||
};
|
||||
|
||||
if services.users.exists(&user_id).await {
|
||||
return Err!(Request(UserInUse("User ID is not available.")));
|
||||
}
|
||||
|
||||
Ok(user_id)
|
||||
} else {
|
||||
// The user didn't specify a username. Generate a username for
|
||||
// them.
|
||||
|
||||
loop {
|
||||
let user_id = UserId::parse_with_server_name(
|
||||
utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
|
||||
services.globals.server_name(),
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
if !services.users.exists(&user_id).await {
|
||||
break Ok(user_id);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// # `POST /_matrix/client/v3/register/email/requestToken`
|
||||
///
|
||||
/// Requests a validation email for the purpose of registering a new account.
|
||||
|
||||
@@ -11,7 +11,7 @@
|
||||
},
|
||||
thirdparty::{Medium, ThirdPartyIdentifierInit},
|
||||
};
|
||||
use service::{mailer::messages, uiaa::Identity};
|
||||
use service::mailer::messages;
|
||||
|
||||
use crate::{Ruma, router::ClientIdentity};
|
||||
|
||||
@@ -124,15 +124,18 @@ pub(crate) async fn add_3pid_route(
|
||||
.uiaa
|
||||
.authenticate_password(
|
||||
&body.auth,
|
||||
Some(Identity::from_user_id(body.identity.expect_sender_user()?)),
|
||||
body.identity.expect_sender_user()?,
|
||||
body.identity.sender_device(),
|
||||
None,
|
||||
)
|
||||
.await?;
|
||||
|
||||
let email = services
|
||||
.threepid
|
||||
.consume_valid_session(&body.sid, &body.client_secret)
|
||||
.get_valid_session(&body.sid, &body.client_secret)
|
||||
.await
|
||||
.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?;
|
||||
.map_err(|message| err!(Request(ThreepidAuthFailed("{message}"))))?
|
||||
.consume();
|
||||
|
||||
services
|
||||
.threepid
|
||||
|
||||
@@ -8,7 +8,6 @@
|
||||
self, delete_device, delete_devices, get_device, get_devices, update_device,
|
||||
},
|
||||
};
|
||||
use service::uiaa::Identity;
|
||||
|
||||
use crate::{Ruma, client::DEVICE_ID_LENGTH};
|
||||
|
||||
@@ -95,6 +94,7 @@ pub(crate) async fn update_device_route(
|
||||
&device_id,
|
||||
&appservice.registration.as_token,
|
||||
None,
|
||||
None,
|
||||
Some(client.to_string()),
|
||||
)
|
||||
.await?;
|
||||
@@ -119,14 +119,13 @@ pub(crate) async fn delete_device_route(
|
||||
body: Ruma<delete_device::v3::Request>,
|
||||
) -> Result<delete_device::v3::Response> {
|
||||
let sender_user = body.identity.expect_sender_user()?;
|
||||
let appservice = body.identity.appservice_info();
|
||||
|
||||
// Appservices get to skip UIAA for this endpoint
|
||||
if appservice.is_none() {
|
||||
if let Some(sender_device) = body.identity.sender_device() {
|
||||
// Prompt the user to confirm with their password using UIAA
|
||||
let _ = services
|
||||
.uiaa
|
||||
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
|
||||
.authenticate_password(&body.auth, sender_user, Some(sender_device), None)
|
||||
.await?;
|
||||
}
|
||||
|
||||
@@ -155,14 +154,13 @@ pub(crate) async fn delete_devices_route(
|
||||
body: Ruma<delete_devices::v3::Request>,
|
||||
) -> Result<delete_devices::v3::Response> {
|
||||
let sender_user = body.identity.expect_sender_user()?;
|
||||
let appservice = body.identity.appservice_info();
|
||||
|
||||
// Appservices get to skip UIAA for this endpoint
|
||||
if appservice.is_none() {
|
||||
if let Some(sender_device) = body.identity.sender_device() {
|
||||
// Prompt the user to confirm with their password using UIAA
|
||||
let _ = services
|
||||
.uiaa
|
||||
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
|
||||
.authenticate_password(&body.auth, sender_user, Some(sender_device), None)
|
||||
.await?;
|
||||
}
|
||||
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
serde::Raw,
|
||||
};
|
||||
use serde_json::json;
|
||||
use service::uiaa::Identity;
|
||||
use service::oauth::OAuthTicket;
|
||||
|
||||
use crate::Ruma;
|
||||
|
||||
@@ -205,7 +205,12 @@ pub(crate) async fn upload_signing_keys_route(
|
||||
{
|
||||
let _ = services
|
||||
.uiaa
|
||||
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
|
||||
.authenticate_password(
|
||||
&body.auth,
|
||||
sender_user,
|
||||
body.identity.sender_device(),
|
||||
Some(OAuthTicket::CrossSigningReset),
|
||||
)
|
||||
.await?;
|
||||
}
|
||||
|
||||
|
||||
@@ -16,6 +16,7 @@
|
||||
pub(super) mod membership;
|
||||
pub(super) mod message;
|
||||
pub(super) mod mutual_rooms;
|
||||
pub(super) mod oauth;
|
||||
pub(super) mod openid;
|
||||
pub(super) mod presence;
|
||||
pub(super) mod profile;
|
||||
@@ -61,6 +62,7 @@
|
||||
pub use membership::{leave_all_rooms, leave_room, remote_leave_room};
|
||||
pub(super) use message::*;
|
||||
pub(super) use mutual_rooms::*;
|
||||
pub(super) use oauth::*;
|
||||
pub(super) use openid::*;
|
||||
pub(super) use presence::*;
|
||||
pub(super) use profile::*;
|
||||
@@ -73,6 +75,7 @@
|
||||
pub(super) use room::*;
|
||||
pub(super) use search::*;
|
||||
pub(super) use send::*;
|
||||
pub use session::handle_login;
|
||||
pub(super) use session::*;
|
||||
pub(super) use space::*;
|
||||
pub(super) use state::*;
|
||||
|
||||
@@ -0,0 +1,56 @@
|
||||
use axum::{
|
||||
Json, Router,
|
||||
extract::{Request, State},
|
||||
middleware::{self, Next},
|
||||
response::{IntoResponse, Response},
|
||||
routing::method_routing::{get, post},
|
||||
};
|
||||
use const_str::concat;
|
||||
use http::StatusCode;
|
||||
use serde_json::json;
|
||||
pub(crate) use server_metadata::*;
|
||||
|
||||
mod register_client;
|
||||
mod server_metadata;
|
||||
mod token;
|
||||
|
||||
const BASE_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/oauth2/");
|
||||
const AUTH_CODE_PATH: &str = "grant/authorization_code";
|
||||
const JWKS_URI_PATH: &str = "client/keys.json";
|
||||
const CLIENT_REGISTER_PATH: &str = "client/register";
|
||||
const TOKEN_REVOKE_PATH: &str = "client/revoke";
|
||||
const TOKEN_PATH: &str = "grant/token";
|
||||
const ACCOUNT_MANAGEMENT_PATH: &str = concat!(conduwuit_core::ROUTE_PREFIX, "/account/deeplink");
|
||||
|
||||
pub(crate) fn router(state: crate::State) -> Router<crate::State> {
|
||||
Router::new()
|
||||
.nest(BASE_PATH, oauth_router())
|
||||
.route(
|
||||
"/.well-known/openid-configuration",
|
||||
get(
|
||||
// TODO(unspecced): used by old versions of the matrix-js-sdk
|
||||
async |State(services): State<crate::State>| {
|
||||
Json(authorization_server_metadata(&services).await)
|
||||
},
|
||||
),
|
||||
)
|
||||
.layer(middleware::from_fn_with_state(
|
||||
state,
|
||||
async |State(state): State<crate::State>, request: Request, next: Next| -> Response {
|
||||
if state.config.oauth.compatibility_mode.oauth_available() {
|
||||
next.run(request).await
|
||||
} else {
|
||||
(StatusCode::NOT_FOUND, "OAuth is unavailable on this server").into_response()
|
||||
}
|
||||
},
|
||||
))
|
||||
}
|
||||
|
||||
fn oauth_router() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route(concat!("/", CLIENT_REGISTER_PATH), post(register_client::register_client_route))
|
||||
// TODO(unspecced): used by old versions of the matrix-js-sdk
|
||||
.route(concat!("/", JWKS_URI_PATH), get(async || Json(json!({"keys": []}))))
|
||||
.route(concat!("/", TOKEN_PATH), post(token::token_route))
|
||||
.route(concat!("/", TOKEN_REVOKE_PATH), post(token::revoke_token_route))
|
||||
}
|
||||
@@ -0,0 +1,28 @@
|
||||
use axum::{
|
||||
Json,
|
||||
extract::State,
|
||||
response::{IntoResponse, Response},
|
||||
};
|
||||
use http::StatusCode;
|
||||
use serde::Serialize;
|
||||
use service::oauth::client_metadata::ClientMetadata;
|
||||
|
||||
#[derive(Serialize)]
|
||||
struct RegisteredClient {
|
||||
client_id: String,
|
||||
#[serde(flatten)]
|
||||
metadata: ClientMetadata,
|
||||
}
|
||||
|
||||
pub(crate) async fn register_client_route(
|
||||
State(services): State<crate::State>,
|
||||
Json(metadata): Json<ClientMetadata>,
|
||||
) -> Result<Response, Response> {
|
||||
let client_id = services
|
||||
.oauth
|
||||
.register_client(&metadata)
|
||||
.await
|
||||
.map_err(|err| (StatusCode::BAD_REQUEST, Json(err)).into_response())?;
|
||||
|
||||
Ok(Json(RegisteredClient { client_id, metadata }).into_response())
|
||||
}
|
||||
@@ -0,0 +1,62 @@
|
||||
use axum::extract::State;
|
||||
use conduwuit::{Err, Result};
|
||||
use ruma::{
|
||||
api::client::discovery::get_authorization_server_metadata::{
|
||||
self, v1::AccountManagementAction,
|
||||
},
|
||||
serde::Raw,
|
||||
};
|
||||
use serde_json::{Value, json};
|
||||
use service::Services;
|
||||
|
||||
use crate::{
|
||||
Ruma,
|
||||
client::oauth::{
|
||||
ACCOUNT_MANAGEMENT_PATH, AUTH_CODE_PATH, CLIENT_REGISTER_PATH, JWKS_URI_PATH, TOKEN_PATH,
|
||||
TOKEN_REVOKE_PATH,
|
||||
},
|
||||
};
|
||||
|
||||
pub(crate) async fn get_authorization_server_metadata_route(
|
||||
State(services): State<crate::State>,
|
||||
_body: Ruma<get_authorization_server_metadata::v1::Request>,
|
||||
) -> Result<get_authorization_server_metadata::v1::Response> {
|
||||
if !services.config.oauth.compatibility_mode.oauth_available() {
|
||||
return Err!(Request(Unrecognized("OAuth is unavailable on this server")));
|
||||
}
|
||||
|
||||
let metadata = Raw::new(&authorization_server_metadata(&services).await).unwrap();
|
||||
|
||||
Ok(get_authorization_server_metadata::v1::Response::new(metadata.cast_unchecked()))
|
||||
}
|
||||
|
||||
pub(crate) async fn authorization_server_metadata(services: &Services) -> Value {
|
||||
let endpoint_base = services
|
||||
.config
|
||||
.get_client_domain()
|
||||
.join(super::BASE_PATH)
|
||||
.unwrap();
|
||||
|
||||
json!({
|
||||
"account_management_uri": endpoint_base.join(ACCOUNT_MANAGEMENT_PATH).unwrap(),
|
||||
"account_management_actions_supported": [
|
||||
AccountManagementAction::AccountDeactivate,
|
||||
AccountManagementAction::CrossSigningReset,
|
||||
AccountManagementAction::DeviceDelete,
|
||||
AccountManagementAction::DeviceView,
|
||||
AccountManagementAction::DevicesList,
|
||||
AccountManagementAction::Profile,
|
||||
],
|
||||
"authorization_endpoint": endpoint_base.join(AUTH_CODE_PATH).unwrap(),
|
||||
"code_challenge_methods_supported": ["S256"],
|
||||
"grant_types_supported": ["authorization_code", "refresh_token"],
|
||||
"issuer": services.config.get_client_domain(),
|
||||
"jwks_uri": endpoint_base.join(JWKS_URI_PATH).unwrap(),
|
||||
"prompt_values_supported": ["create"],
|
||||
"registration_endpoint": endpoint_base.join(CLIENT_REGISTER_PATH).unwrap(),
|
||||
"response_modes_supported": ["query", "fragment"],
|
||||
"response_types_supported": ["code"],
|
||||
"revocation_endpoint": endpoint_base.join(TOKEN_REVOKE_PATH).unwrap(),
|
||||
"token_endpoint": endpoint_base.join(TOKEN_PATH).unwrap(),
|
||||
})
|
||||
}
|
||||
@@ -0,0 +1,23 @@
|
||||
use axum::{Form, Json, extract::State, response::IntoResponse};
|
||||
use http::StatusCode;
|
||||
use service::oauth::grant::{RevokeTokenRequest, TokenRequest};
|
||||
|
||||
pub(crate) async fn token_route(
|
||||
State(services): State<crate::State>,
|
||||
Form(request): Form<TokenRequest>,
|
||||
) -> impl IntoResponse {
|
||||
match services.oauth.issue_token(request).await {
|
||||
| Ok(response) => Ok(Json(response)),
|
||||
| Err(err) => Err((StatusCode::BAD_REQUEST, Json(err))),
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) async fn revoke_token_route(
|
||||
State(services): State<crate::State>,
|
||||
Form(request): Form<RevokeTokenRequest>,
|
||||
) -> impl IntoResponse {
|
||||
match services.oauth.revoke_token(request.token).await {
|
||||
| Ok(()) => Ok(StatusCode::OK),
|
||||
| Err(err) => Err((StatusCode::BAD_REQUEST, Json(err))),
|
||||
}
|
||||
}
|
||||
+31
-20
@@ -21,7 +21,7 @@
|
||||
},
|
||||
login::{
|
||||
self,
|
||||
v3::{DiscoveryInfo, HomeserverInfo},
|
||||
v3::{DiscoveryInfo, HomeserverInfo, LoginInfo},
|
||||
},
|
||||
logout, logout_all,
|
||||
},
|
||||
@@ -29,7 +29,6 @@
|
||||
},
|
||||
assign,
|
||||
};
|
||||
use service::uiaa::Identity;
|
||||
|
||||
use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH};
|
||||
use crate::Ruma;
|
||||
@@ -44,6 +43,12 @@ pub(crate) async fn get_login_types_route(
|
||||
ClientIp(client): ClientIp,
|
||||
_body: Ruma<get_login_types::v3::Request>,
|
||||
) -> Result<get_login_types::v3::Response> {
|
||||
if !services.config.oauth.compatibility_mode.uiaa_available() {
|
||||
return Err!(Request(Unrecognized(
|
||||
"User-interactive authentication is not available on this server."
|
||||
)));
|
||||
}
|
||||
|
||||
Ok(get_login_types::v3::Response::new(vec![
|
||||
get_login_types::v3::LoginType::Password(PasswordLoginType::default()),
|
||||
get_login_types::v3::LoginType::ApplicationService(ApplicationServiceLoginType::default()),
|
||||
@@ -53,7 +58,7 @@ pub(crate) async fn get_login_types_route(
|
||||
]))
|
||||
}
|
||||
|
||||
pub(crate) async fn handle_login(
|
||||
pub async fn handle_login(
|
||||
services: &Services,
|
||||
identifier: Option<&UserIdentifier>,
|
||||
password: &str,
|
||||
@@ -87,10 +92,6 @@ pub(crate) async fn handle_login(
|
||||
return Err!(Request(InvalidParam("User ID does not belong to this homeserver")));
|
||||
}
|
||||
|
||||
if services.users.is_locked(&user_id).await? {
|
||||
return Err!(Request(UserLocked("This account has been locked.")));
|
||||
}
|
||||
|
||||
if services.users.is_login_disabled(&user_id).await {
|
||||
warn!(%user_id, "user attempted to log in with a login-disabled account");
|
||||
return Err!(Request(Forbidden("This account is not permitted to log in.")));
|
||||
@@ -119,19 +120,29 @@ pub(crate) async fn login_route(
|
||||
ClientIp(client): ClientIp,
|
||||
body: Ruma<login::v3::Request>,
|
||||
) -> Result<login::v3::Response> {
|
||||
if !services.config.oauth.compatibility_mode.uiaa_available() {
|
||||
return match body.login_info {
|
||||
| LoginInfo::ApplicationService(_) => {
|
||||
Err!(Request(AppserviceLoginUnsupported(
|
||||
"User-interactive appservice login is not available on this server."
|
||||
)))
|
||||
},
|
||||
| _ => {
|
||||
Err!(Request(Unrecognized(
|
||||
"User-interactive authentication is not available on this server."
|
||||
)))
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
let emergency_mode_enabled = services.config.emergency_password.is_some();
|
||||
|
||||
// Validate login method
|
||||
// TODO: Other login methods
|
||||
let user_id = match &body.login_info {
|
||||
#[allow(deprecated)]
|
||||
| login::v3::LoginInfo::Password(login::v3::Password {
|
||||
identifier,
|
||||
password,
|
||||
user,
|
||||
..
|
||||
}) => handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
|
||||
| login::v3::LoginInfo::Token(login::v3::Token { token, .. }) => {
|
||||
| LoginInfo::Password(login::v3::Password { identifier, password, user, .. }) =>
|
||||
handle_login(&services, identifier.as_ref(), password, user.as_ref()).await?,
|
||||
| LoginInfo::Token(login::v3::Token { token, .. }) => {
|
||||
debug!("Got token login type");
|
||||
if !services.server.config.login_via_existing_session {
|
||||
return Err!(Request(Unknown("Token login is not enabled.")));
|
||||
@@ -139,7 +150,7 @@ pub(crate) async fn login_route(
|
||||
services.users.find_from_login_token(token).await?
|
||||
},
|
||||
#[allow(deprecated)]
|
||||
| login::v3::LoginInfo::ApplicationService(login::v3::ApplicationService {
|
||||
| LoginInfo::ApplicationService(login::v3::ApplicationService {
|
||||
identifier,
|
||||
user,
|
||||
..
|
||||
@@ -173,7 +184,6 @@ pub(crate) async fn login_route(
|
||||
user_id
|
||||
},
|
||||
| _ => {
|
||||
debug!("/login json_body: {:?}", &body.json_body);
|
||||
return Err!(Request(Unknown(
|
||||
debug_warn!(?body.login_info, "Invalid or unsupported login type")
|
||||
)));
|
||||
@@ -203,7 +213,7 @@ pub(crate) async fn login_route(
|
||||
if device_exists {
|
||||
services
|
||||
.users
|
||||
.set_token(&user_id, &device_id, &token)
|
||||
.set_token(&user_id, &device_id, &token, None)
|
||||
.await?;
|
||||
} else {
|
||||
services
|
||||
@@ -212,6 +222,7 @@ pub(crate) async fn login_route(
|
||||
&user_id,
|
||||
&device_id,
|
||||
&token,
|
||||
None,
|
||||
body.initial_device_display_name.clone(),
|
||||
Some(client.to_string()),
|
||||
)
|
||||
@@ -250,7 +261,7 @@ pub(crate) async fn login_token_route(
|
||||
ClientIp(client): ClientIp,
|
||||
body: Ruma<get_login_token::v1::Request>,
|
||||
) -> Result<get_login_token::v1::Response> {
|
||||
if !services.server.config.login_via_existing_session {
|
||||
if !services.config.login_via_existing_session {
|
||||
return Err!(Request(Forbidden("Login via an existing session is not enabled")));
|
||||
}
|
||||
|
||||
@@ -259,7 +270,7 @@ pub(crate) async fn login_token_route(
|
||||
// Prompt the user to confirm with their password using UIAA
|
||||
let _ = services
|
||||
.uiaa
|
||||
.authenticate_password(&body.auth, Some(Identity::from_user_id(sender_user)))
|
||||
.authenticate_password(&body.auth, sender_user, body.identity.sender_device(), None)
|
||||
.await?;
|
||||
|
||||
let login_token = utils::random_string(TOKEN_LENGTH);
|
||||
|
||||
@@ -69,7 +69,6 @@ pub(crate) async fn sync_events_v5_route(
|
||||
ClientIp(client_ip): ClientIp,
|
||||
body: Ruma<sync_events::v5::Request>,
|
||||
) -> Result<sync_events::v5::Response> {
|
||||
debug_assert!(DEFAULT_BUMP_TYPES.is_sorted(), "DEFAULT_BUMP_TYPES is not sorted");
|
||||
let sender_user = body.identity.expect_sender_user()?;
|
||||
let sender_device = body.identity.expect_sender_device()?;
|
||||
|
||||
|
||||
@@ -35,8 +35,8 @@ pub(crate) async fn get_supported_versions_route(
|
||||
/// `/_matrix/federation/v1/version`
|
||||
pub(crate) async fn conduwuit_server_version() -> Result<impl IntoResponse> {
|
||||
Ok(Json(serde_json::json!({
|
||||
"name": conduwuit::version::name(),
|
||||
"version": conduwuit::version::version(),
|
||||
"name": conduwuit::BRANDING,
|
||||
"version": conduwuit::version(),
|
||||
})))
|
||||
}
|
||||
|
||||
|
||||
@@ -3,8 +3,7 @@
|
||||
use ruma::{
|
||||
api::client::discovery::{
|
||||
discover_homeserver::{self, HomeserverInfo},
|
||||
discover_policy_server,
|
||||
discover_support::{self, Contact, ContactRole},
|
||||
discover_policy_server, discover_support,
|
||||
},
|
||||
assign,
|
||||
};
|
||||
@@ -67,46 +66,7 @@ pub(crate) async fn well_known_support(
|
||||
.as_ref()
|
||||
.map(ToString::to_string);
|
||||
|
||||
let email_address = services.config.well_known.support_email.clone();
|
||||
let matrix_id = services.config.well_known.support_mxid.clone();
|
||||
let pgp_key = services.config.well_known.support_pgp_key.clone();
|
||||
|
||||
// TODO: support defining multiple contacts in the config
|
||||
let mut contacts: Vec<Contact> = vec![];
|
||||
|
||||
let role = services
|
||||
.config
|
||||
.well_known
|
||||
.support_role
|
||||
.clone()
|
||||
.unwrap_or(ContactRole::Admin);
|
||||
|
||||
// Add configured contact if at least one contact method is specified
|
||||
let configured_contact = match (matrix_id, email_address) {
|
||||
| (Some(matrix_id), email_address) =>
|
||||
Some(assign!(Contact::with_matrix_id(role, matrix_id), { email_address })),
|
||||
| (None, Some(email_address)) => Some(Contact::with_email_address(role, email_address)),
|
||||
| (None, None) => None,
|
||||
};
|
||||
|
||||
if let Some(mut configured_contact) = configured_contact {
|
||||
configured_contact.pgp_key = pgp_key;
|
||||
|
||||
contacts.push(configured_contact);
|
||||
}
|
||||
|
||||
// Try to add admin users as contacts if no contacts are configured
|
||||
if contacts.is_empty() {
|
||||
let admin_users = services.admin.get_admins().await;
|
||||
|
||||
for user_id in &admin_users {
|
||||
if *user_id == services.globals.server_user {
|
||||
continue;
|
||||
}
|
||||
|
||||
contacts.push(Contact::with_matrix_id(ContactRole::Admin, user_id.to_owned()));
|
||||
}
|
||||
}
|
||||
let contacts = services.admin.get_support_contacts().await;
|
||||
|
||||
if contacts.is_empty() && support_page.is_none() {
|
||||
// No admin room, no configured contacts, and no support page
|
||||
|
||||
@@ -1,4 +1,5 @@
|
||||
#![type_length_limit = "16384"] //TODO: reduce me
|
||||
#![recursion_limit = "256"] // My Giant Async Function
|
||||
#![allow(clippy::toplevel_ref_arg)]
|
||||
|
||||
extern crate conduwuit_core as conduwuit;
|
||||
|
||||
+5
-3
@@ -10,7 +10,7 @@
|
||||
response::{IntoResponse, Redirect},
|
||||
routing::{any, get, post},
|
||||
};
|
||||
use conduwuit::{Server, err};
|
||||
use conduwuit::err;
|
||||
pub(super) use conduwuit_service::state::State;
|
||||
use http::{Uri, uri};
|
||||
|
||||
@@ -18,8 +18,8 @@
|
||||
pub(super) use self::{args::Args as Ruma, auth::ClientIdentity, response::RumaResponse};
|
||||
use crate::{admin, client, server};
|
||||
|
||||
pub fn build(router: Router<State>, server: &Server) -> Router<State> {
|
||||
let config = &server.config;
|
||||
pub fn build(router: Router<State>, state: State) -> Router<State> {
|
||||
let config = &state.server.config;
|
||||
let mut router = router
|
||||
.ruma_route(&client::appservice_ping)
|
||||
.ruma_route(&client::get_supported_versions_route)
|
||||
@@ -186,6 +186,8 @@ pub fn build(router: Router<State>, server: &Server) -> Router<State> {
|
||||
.ruma_route(&client::well_known_policy_server)
|
||||
.ruma_route(&client::get_rtc_transports)
|
||||
.ruma_route(&client::room_initial_sync_route)
|
||||
.ruma_route(&client::get_authorization_server_metadata_route)
|
||||
.merge(client::oauth::router(state))
|
||||
.route("/_conduwuit/server_version", get(client::conduwuit_server_version))
|
||||
.route("/_continuwuity/server_version", get(client::conduwuit_server_version))
|
||||
.ruma_route(&admin::rooms::ban::ban_room)
|
||||
|
||||
+25
-4
@@ -1,6 +1,7 @@
|
||||
use std::any::{Any, TypeId};
|
||||
|
||||
use conduwuit::{Err, Result, err};
|
||||
use conduwuit::{Err, Error, Result, err};
|
||||
use http::StatusCode;
|
||||
use ruma::{
|
||||
DeviceId, OwnedDeviceId, OwnedServerName, OwnedUserId, UserId,
|
||||
api::{
|
||||
@@ -10,12 +11,15 @@
|
||||
AuthScheme, NoAccessToken, NoAuthentication,
|
||||
},
|
||||
client,
|
||||
error::{ErrorKind, UnknownTokenErrorData},
|
||||
federation::authentication::ServerSignatures,
|
||||
},
|
||||
assign,
|
||||
};
|
||||
use service::{
|
||||
Services,
|
||||
server_keys::{PubKeyMap, PubKeys},
|
||||
users::AccessTokenStatus,
|
||||
};
|
||||
|
||||
use crate::{router::args::AuthQueryParams, service::appservice::RegistrationInfo};
|
||||
@@ -162,7 +166,20 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
query: AuthQueryParams,
|
||||
route: TypeId,
|
||||
) -> Result<Self::Identity> {
|
||||
if let Ok((sender_user, sender_device)) = services.users.find_from_token(&output).await {
|
||||
if let Some((sender_user, sender_device, status)) =
|
||||
services.users.find_from_token(&output).await
|
||||
{
|
||||
// If the token is expired we return a soft logout
|
||||
if matches!(status, AccessTokenStatus::Expired) {
|
||||
return Err(Error::Request(
|
||||
ErrorKind::UnknownToken(
|
||||
assign!(UnknownTokenErrorData::new(), { soft_logout: true }),
|
||||
),
|
||||
"This token has expired".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
));
|
||||
}
|
||||
|
||||
// Locked users can only use /logout and /logout/all
|
||||
if services
|
||||
.users
|
||||
@@ -173,7 +190,7 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
if !(route == TypeId::of::<client::session::logout::v3::Request>()
|
||||
|| route == TypeId::of::<client::session::logout_all::v3::Request>())
|
||||
{
|
||||
return Err!(Request(Unauthorized("Your account is locked.")));
|
||||
return Err!(Request(UserLocked("Your account is locked.")));
|
||||
}
|
||||
}
|
||||
|
||||
@@ -224,7 +241,11 @@ async fn verify<B: AsRef<[u8]> + Sync>(
|
||||
appservice_info: Box::new(appservice_info),
|
||||
})
|
||||
} else {
|
||||
Err!(Request(Unauthorized("Invalid access token.")))
|
||||
Err(Error::Request(
|
||||
ErrorKind::UnknownToken(UnknownTokenErrorData::new()),
|
||||
"Invalid token".into(),
|
||||
StatusCode::UNAUTHORIZED,
|
||||
))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -11,8 +11,8 @@ pub(crate) async fn get_server_version_route(
|
||||
) -> Result<get_server_version::v1::Response> {
|
||||
Ok(assign!(get_server_version::v1::Response::new(), {
|
||||
server: Some(assign!(get_server_version::v1::Server::new(), {
|
||||
name: Some(conduwuit::version::name().into()),
|
||||
version: Some(conduwuit::version::version().into()),
|
||||
name: Some(conduwuit::BRANDING.into()),
|
||||
version: Some(conduwuit::version().into()),
|
||||
})),
|
||||
}))
|
||||
}
|
||||
|
||||
+81
-13
@@ -4,7 +4,7 @@
|
||||
pub mod proxy;
|
||||
|
||||
use std::{
|
||||
collections::{BTreeMap, BTreeSet, HashMap},
|
||||
collections::{BTreeMap, BTreeSet},
|
||||
net::{IpAddr, Ipv4Addr, Ipv6Addr, SocketAddr},
|
||||
path::PathBuf,
|
||||
};
|
||||
@@ -655,19 +655,25 @@ pub struct Config {
|
||||
/// even if `recaptcha_site_key` is set.
|
||||
pub recaptcha_private_site_key: Option<String>,
|
||||
|
||||
/// Policy documents, such as terms and conditions or a privacy policy,
|
||||
/// which users must agree to when registering an account.
|
||||
///
|
||||
/// Example:
|
||||
/// ```ignore
|
||||
/// [global.registration_terms.privacy_policy]
|
||||
/// en = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
|
||||
/// es = { name = "Política de Privacidad", url = "https://homeserver.example/es/privacy_policy.html" }
|
||||
/// ```
|
||||
///
|
||||
/// default: {}
|
||||
/// display: nested
|
||||
#[serde(default)]
|
||||
pub registration_terms: HashMap<String, HashMap<String, TermsDocument>>,
|
||||
pub registration_terms: RegistrationTerms,
|
||||
|
||||
/// display: nested
|
||||
#[serde(default)]
|
||||
pub oauth: OauthConfig,
|
||||
|
||||
/// Controls whether users are allowed to deactivate their own accounts
|
||||
/// through the account management panel or their Matrix clients. Server
|
||||
/// admins can always deactivate users using the relevant admin commands.
|
||||
///
|
||||
/// Note that, in some jurisdictions, you may be legally required to honor
|
||||
/// users who request to deactivate their accounts if you set this option
|
||||
/// to `false`.
|
||||
///
|
||||
/// default: true
|
||||
#[serde(default = "true_fn")]
|
||||
pub allow_deactivation: bool,
|
||||
|
||||
/// Controls whether encrypted rooms and events are allowed.
|
||||
#[serde(default = "true_fn")]
|
||||
@@ -2351,6 +2357,29 @@ pub struct SmtpConfig {
|
||||
pub require_email_for_token_registration: bool,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Default, Deserialize, Serialize)]
|
||||
#[config_example_generator(
|
||||
filename = "conduwuit-example.toml",
|
||||
section = "global.registration_terms",
|
||||
optional = "true"
|
||||
)]
|
||||
pub struct RegistrationTerms {
|
||||
/// The language code to provide to clients along with the policy documents.
|
||||
///
|
||||
/// default: "en"
|
||||
#[serde(default = "default_terms_language")]
|
||||
pub language: String,
|
||||
/// Policy documents, such as terms and conditions or a privacy policy,
|
||||
/// which users must agree to when registering an account.
|
||||
///
|
||||
/// Example:
|
||||
/// ```ignore
|
||||
/// [global.registration_terms.documents]
|
||||
/// privacy_policy = { name = "Privacy Policy", url = "https://homeserver.example/en/privacy_policy.html" }
|
||||
/// ```
|
||||
pub documents: BTreeMap<String, TermsDocument>,
|
||||
}
|
||||
|
||||
/// A policy document for use with a m.login.terms stage.
|
||||
#[derive(Clone, Debug, Deserialize, Serialize)]
|
||||
pub struct TermsDocument {
|
||||
@@ -2358,6 +2387,43 @@ pub struct TermsDocument {
|
||||
pub url: String,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Default, Deserialize)]
|
||||
#[config_example_generator(
|
||||
filename = "conduwuit-example.toml",
|
||||
section = "global.oauth",
|
||||
optional = "true"
|
||||
)]
|
||||
pub struct OauthConfig {
|
||||
/// The compatibility mode to use for OAuth.
|
||||
///
|
||||
/// - "disabled": OAuth will be unavailable. Users will only be able to log
|
||||
/// in using legacy authentication.
|
||||
/// - "hybrid": OAuth and legacy authentication will both be available. Some
|
||||
/// clients may only use one or the other.
|
||||
/// - "exclusive": Only OAuth will be available. Clients which require
|
||||
/// legacy authentication will be unable to log in.
|
||||
///
|
||||
/// default: "hybrid"
|
||||
pub compatibility_mode: OAuthMode,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Default, Deserialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
pub enum OAuthMode {
|
||||
Disabled,
|
||||
#[default]
|
||||
Hybrid,
|
||||
Exclusive,
|
||||
}
|
||||
|
||||
impl OAuthMode {
|
||||
#[must_use]
|
||||
pub fn uiaa_available(&self) -> bool { matches!(self, Self::Disabled | Self::Hybrid) }
|
||||
|
||||
#[must_use]
|
||||
pub fn oauth_available(&self) -> bool { matches!(self, Self::Hybrid | Self::Exclusive) }
|
||||
}
|
||||
|
||||
const DEPRECATED_KEYS: &[&str] = &[
|
||||
"cache_capacity",
|
||||
"conduit_cache_capacity_modifier",
|
||||
@@ -2738,3 +2804,5 @@ fn default_client_response_timeout() -> u64 { 120 }
|
||||
fn default_client_shutdown_timeout() -> u64 { 15 }
|
||||
|
||||
fn default_sender_shutdown_timeout() -> u64 { 5 }
|
||||
|
||||
fn default_terms_language() -> String { "en".to_owned() }
|
||||
|
||||
@@ -161,6 +161,7 @@ pub fn message(&self) -> String {
|
||||
match self {
|
||||
| Self::Federation(origin, error) => format!("Answer from {origin}: {error}"),
|
||||
| Self::Ruma(error) => response::ruma_error_message(error),
|
||||
| Self::Request(_, message, _) => message.clone().into_owned(),
|
||||
| _ => format!("{self}"),
|
||||
}
|
||||
}
|
||||
|
||||
@@ -73,11 +73,8 @@ pub(super) fn bad_request_code(kind: &ErrorKind) -> StatusCode {
|
||||
// 413
|
||||
| TooLarge => StatusCode::PAYLOAD_TOO_LARGE,
|
||||
|
||||
// 405
|
||||
| Unrecognized => StatusCode::METHOD_NOT_ALLOWED,
|
||||
|
||||
// 404
|
||||
| NotFound => StatusCode::NOT_FOUND,
|
||||
| Unrecognized | NotFound => StatusCode::NOT_FOUND,
|
||||
|
||||
// 403
|
||||
| GuestAccessForbidden
|
||||
|
||||
@@ -7,19 +7,16 @@
|
||||
|
||||
use std::sync::OnceLock;
|
||||
|
||||
static BRANDING: &str = "continuwuity";
|
||||
static WEBSITE: &str = "https://continuwuity.org";
|
||||
static SEMANTIC: &str = env!("CARGO_PKG_VERSION");
|
||||
pub const BRANDING: &str = "continuwuity";
|
||||
pub const ROUTE_PREFIX: &str = "/_continuwuity";
|
||||
pub const WEBSITE: &str = "https://continuwuity.org";
|
||||
pub const SEMANTIC: &str = env!("CARGO_PKG_VERSION");
|
||||
|
||||
static VERSION: OnceLock<String> = OnceLock::new();
|
||||
static VERSION_UA: OnceLock<String> = OnceLock::new();
|
||||
static USER_AGENT: OnceLock<String> = OnceLock::new();
|
||||
static USER_AGENT_MEDIA: OnceLock<String> = OnceLock::new();
|
||||
|
||||
#[inline]
|
||||
#[must_use]
|
||||
pub fn name() -> &'static str { BRANDING }
|
||||
|
||||
#[inline]
|
||||
pub fn version() -> &'static str { VERSION.get_or_init(init_version) }
|
||||
|
||||
@@ -32,10 +29,10 @@ pub fn user_agent() -> &'static str { USER_AGENT.get_or_init(init_user_agent) }
|
||||
#[inline]
|
||||
pub fn user_agent_media() -> &'static str { USER_AGENT_MEDIA.get_or_init(init_user_agent_media) }
|
||||
|
||||
fn init_user_agent() -> String { format!("{}/{} (bot; +{WEBSITE})", name(), version_ua()) }
|
||||
fn init_user_agent() -> String { format!("{BRANDING}/{} (bot; +{WEBSITE})", version_ua()) }
|
||||
|
||||
fn init_user_agent_media() -> String {
|
||||
format!("{}/{} (embedbot; facebookexternalhit/1.1; +{WEBSITE})", name(), version_ua())
|
||||
format!("{BRANDING}/{} (embedbot; facebookexternalhit/1.1; +{WEBSITE})", version_ua())
|
||||
}
|
||||
|
||||
fn init_version_ua() -> String {
|
||||
|
||||
@@ -21,6 +21,7 @@ pub fn versions() -> Vec<String> {
|
||||
"v1.12".to_owned(),
|
||||
"v1.13".to_owned(),
|
||||
"v1.14".to_owned(),
|
||||
"v1.15".to_owned(),
|
||||
]
|
||||
}
|
||||
|
||||
|
||||
+1
-4
@@ -34,10 +34,7 @@ macro_rules! mod_dtor {
|
||||
pub use conduwuit_build_metadata as build_metadata;
|
||||
pub use config::Config;
|
||||
pub use error::Error;
|
||||
pub use info::{
|
||||
version,
|
||||
version::{name, version},
|
||||
};
|
||||
pub use info::version::*;
|
||||
pub use matrix::{Event, EventTypeExt, Pdu, PduCount, PduEvent, PduId, pdu, state_res};
|
||||
pub use parking_lot::{Mutex as SyncMutex, RwLock as SyncRwLock};
|
||||
pub use server::Server;
|
||||
|
||||
+16
-10
@@ -61,17 +61,23 @@ pub fn format(ts: SystemTime, str: &str) -> String {
|
||||
pub fn pretty(d: Duration) -> String {
|
||||
use Unit::*;
|
||||
|
||||
let fmt = |w, f, u| format!("{w}.{f} {u}");
|
||||
let gen64 = |w, f, u| fmt(w, (f * 100.0) as u32, u);
|
||||
let gen128 = |w, f, u| gen64(u64::try_from(w).expect("u128 to u64"), f, u);
|
||||
let fmt = |w, u| {
|
||||
if w == 1 {
|
||||
format!("{w} {u}")
|
||||
} else {
|
||||
format!("{w} {u}s")
|
||||
}
|
||||
};
|
||||
let gen64 = |w, u| fmt(w, u);
|
||||
let gen128 = |w, u| gen64(u64::try_from(w).expect("u128 to u64"), u);
|
||||
match whole_and_frac(d) {
|
||||
| (Days(whole), frac) => gen64(whole, frac, "days"),
|
||||
| (Hours(whole), frac) => gen64(whole, frac, "hours"),
|
||||
| (Mins(whole), frac) => gen64(whole, frac, "minutes"),
|
||||
| (Secs(whole), frac) => gen64(whole, frac, "seconds"),
|
||||
| (Millis(whole), frac) => gen128(whole, frac, "milliseconds"),
|
||||
| (Micros(whole), frac) => gen128(whole, frac, "microseconds"),
|
||||
| (Nanos(whole), frac) => gen128(whole, frac, "nanoseconds"),
|
||||
| (Days(whole), _) => gen64(whole, "day"),
|
||||
| (Hours(whole), _) => gen64(whole, "hour"),
|
||||
| (Mins(whole), _) => gen64(whole, "minute"),
|
||||
| (Secs(whole), _) => gen64(whole, "second"),
|
||||
| (Millis(whole), _) => gen128(whole, "millisecond"),
|
||||
| (Micros(whole), _) => gen128(whole, "microsecond"),
|
||||
| (Nanos(whole), _) => gen128(whole, "nanosecond"),
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -49,6 +49,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
|
||||
name: "bannedroomids",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "clientid_clientmetadata",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "disabledroomids",
|
||||
..descriptor::RANDOM_SMALL
|
||||
@@ -157,6 +161,10 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
|
||||
name: "referencedevents",
|
||||
..descriptor::RANDOM
|
||||
},
|
||||
Descriptor {
|
||||
name: "refreshtoken_refreshtokeninfo",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "registrationtoken_info",
|
||||
..descriptor::RANDOM_SMALL
|
||||
@@ -371,6 +379,14 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
|
||||
name: "userdevicetxnid_response",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "userdeviceid_oauthsessioninfo",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "userdeviceid_tokenexpires",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "userfilterid_filter",
|
||||
..descriptor::RANDOM_SMALL
|
||||
@@ -475,4 +491,8 @@ pub(super) fn open_list(db: &Arc<Engine>, maps: &[Descriptor]) -> Result<Maps> {
|
||||
name: "userroomid_invitesender",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
Descriptor {
|
||||
name: "websessionid_session",
|
||||
..descriptor::RANDOM_SMALL
|
||||
},
|
||||
];
|
||||
|
||||
+1
-1
@@ -15,7 +15,7 @@
|
||||
#[clap(
|
||||
about,
|
||||
long_about = None,
|
||||
name = conduwuit_core::name(),
|
||||
name = conduwuit_core::BRANDING,
|
||||
version = conduwuit_core::version(),
|
||||
)]
|
||||
pub struct Args {
|
||||
|
||||
+1
-1
@@ -110,7 +110,7 @@ pub(crate) fn init(
|
||||
.with_batch_exporter(exporter)
|
||||
.build();
|
||||
|
||||
let tracer = provider.tracer(conduwuit_core::name());
|
||||
let tracer = provider.tracer(conduwuit_core::BRANDING);
|
||||
|
||||
let telemetry = tracing_opentelemetry::layer().with_tracer(tracer);
|
||||
|
||||
|
||||
+1
-1
@@ -47,7 +47,7 @@ fn options(config: &Config) -> ClientOptions {
|
||||
traces_sample_rate: config.sentry_traces_sample_rate,
|
||||
debug: cfg!(debug_assertions),
|
||||
release: release_name(),
|
||||
user_agent: conduwuit_core::version::user_agent().into(),
|
||||
user_agent: conduwuit_core::user_agent().into(),
|
||||
attach_stacktrace: config.sentry_attach_stacktrace,
|
||||
before_send: Some(Arc::new(before_send)),
|
||||
before_breadcrumb: Some(Arc::new(before_breadcrumb)),
|
||||
|
||||
@@ -112,7 +112,9 @@ fn handle_result(method: &Method, uri: &Uri, result: Response) -> Result<Respons
|
||||
}
|
||||
|
||||
if status == StatusCode::METHOD_NOT_ALLOWED {
|
||||
return Ok(err!(Request(Unrecognized("Method Not Allowed"))).into_response());
|
||||
return Ok(
|
||||
err!(Request(Unrecognized("Method not allowed"), METHOD_NOT_ALLOWED)).into_response()
|
||||
);
|
||||
}
|
||||
|
||||
Ok(result)
|
||||
|
||||
@@ -9,8 +9,8 @@
|
||||
pub(crate) fn build(services: &Arc<Services>) -> (Router, Guard) {
|
||||
let router = Router::<state::State>::new();
|
||||
let (state, guard) = state::create(services.clone());
|
||||
let router = conduwuit_api::router::build(router, &services.server)
|
||||
.merge(conduwuit_web::build())
|
||||
let router = conduwuit_api::router::build(router, state)
|
||||
.merge(conduwuit_web::build(services))
|
||||
.fallback(not_found)
|
||||
.with_state(state);
|
||||
|
||||
|
||||
@@ -119,6 +119,7 @@ recaptcha-verify = { version = "0.2.0", default-features = false }
|
||||
reqwest_recaptcha = { package = "reqwest", version = "0.12.28", default-features = false, features = ["rustls-tls-native-roots-no-provider"] } # As long as recaptcha-verify's reqwest is outdated
|
||||
yansi.workspace = true
|
||||
lettre.workspace = true
|
||||
serde_urlencoded.workspace = true
|
||||
|
||||
[target.'cfg(all(unix, target_os = "linux"))'.dependencies]
|
||||
sd-notify.workspace = true
|
||||
|
||||
@@ -18,6 +18,8 @@
|
||||
use loole::{Receiver, Sender};
|
||||
use ruma::{
|
||||
OwnedEventId, OwnedMxcUri, OwnedRoomId, OwnedUserId, RoomId, UInt, UserId,
|
||||
api::client::discovery::discover_support::{Contact, ContactRole},
|
||||
assign,
|
||||
events::{
|
||||
Mentions,
|
||||
room::message::{
|
||||
@@ -28,7 +30,7 @@
|
||||
use tokio::sync::RwLock;
|
||||
|
||||
use crate::{
|
||||
Dep, account_data, globals,
|
||||
Dep, account_data, config, globals,
|
||||
media::{MXC_LENGTH, mxc::Mxc},
|
||||
rooms::{self, state::RoomMutexGuard},
|
||||
};
|
||||
@@ -44,6 +46,7 @@ pub struct Service {
|
||||
|
||||
struct Services {
|
||||
server: Arc<Server>,
|
||||
config: Dep<config::Service>,
|
||||
globals: Dep<globals::Service>,
|
||||
alias: Dep<rooms::alias::Service>,
|
||||
timeline: Dep<rooms::timeline::Service>,
|
||||
@@ -115,6 +118,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
Ok(Arc::new(Self {
|
||||
services: Services {
|
||||
server: args.server.clone(),
|
||||
config: args.depend::<config::Service>("config"),
|
||||
globals: args.depend::<globals::Service>("globals"),
|
||||
alias: args.depend::<rooms::alias::Service>("rooms::alias"),
|
||||
timeline: args.depend::<rooms::timeline::Service>("rooms::timeline"),
|
||||
@@ -549,6 +553,8 @@ pub async fn is_admin_command<E>(
|
||||
return None;
|
||||
}
|
||||
|
||||
// Trim leading spaces from commands
|
||||
let trimmed_body: &str = body.trim_start();
|
||||
if let Some(room_id) = event.room_id()
|
||||
&& self.is_admin_room(room_id).await
|
||||
{
|
||||
@@ -556,7 +562,9 @@ pub async fn is_admin_command<E>(
|
||||
|
||||
// Ignore messages which aren't admin commands
|
||||
let server_user = &self.services.globals.server_user;
|
||||
if !(body.starts_with("!admin") || body.starts_with(server_user.as_str())) {
|
||||
if !(trimmed_body.starts_with("!admin")
|
||||
|| trimmed_body.starts_with(server_user.as_str()))
|
||||
{
|
||||
return None;
|
||||
}
|
||||
|
||||
@@ -572,8 +580,8 @@ pub async fn is_admin_command<E>(
|
||||
// This is a message outside the admin room
|
||||
|
||||
// Is it an escaped admin command? i.e. `\!admin --help`
|
||||
let is_public_escape =
|
||||
body.starts_with('\\') && body.trim_start_matches('\\').starts_with("!admin");
|
||||
let is_public_escape = trimmed_body.starts_with('\\')
|
||||
&& trimmed_body.trim_start_matches('\\').starts_with("!admin");
|
||||
|
||||
// Ignore the message if it's not
|
||||
if !is_public_escape {
|
||||
@@ -619,4 +627,52 @@ pub(super) fn set_services(&self, services: Option<&Arc<crate::Services>>) {
|
||||
let weak = services.map(Arc::downgrade);
|
||||
*receiver = weak;
|
||||
}
|
||||
|
||||
/// Get the server's configured support contacts.
|
||||
pub async fn get_support_contacts(&self) -> Vec<Contact> {
|
||||
let email_address = self.services.config.well_known.support_email.clone();
|
||||
let matrix_id = self.services.config.well_known.support_mxid.clone();
|
||||
let pgp_key = self.services.config.well_known.support_pgp_key.clone();
|
||||
|
||||
// TODO: support defining multiple contacts in the config
|
||||
let mut contacts: Vec<Contact> = vec![];
|
||||
|
||||
let role = self
|
||||
.services
|
||||
.config
|
||||
.well_known
|
||||
.support_role
|
||||
.clone()
|
||||
.unwrap_or(ContactRole::Admin);
|
||||
|
||||
// Add configured contact if at least one contact method is specified
|
||||
let configured_contact = match (matrix_id, email_address) {
|
||||
| (Some(matrix_id), email_address) =>
|
||||
Some(assign!(Contact::with_matrix_id(role, matrix_id), { email_address })),
|
||||
| (None, Some(email_address)) =>
|
||||
Some(Contact::with_email_address(role, email_address)),
|
||||
| (None, None) => None,
|
||||
};
|
||||
|
||||
if let Some(mut configured_contact) = configured_contact {
|
||||
configured_contact.pgp_key = pgp_key;
|
||||
|
||||
contacts.push(configured_contact);
|
||||
}
|
||||
|
||||
// Try to add admin users as contacts if no contacts are configured
|
||||
if contacts.is_empty() {
|
||||
let admin_users = self.get_admins().await;
|
||||
|
||||
for user_id in &admin_users {
|
||||
if *user_id == self.services.globals.server_user {
|
||||
continue;
|
||||
}
|
||||
|
||||
contacts.push(Contact::with_matrix_id(ContactRole::Admin, user_id.to_owned()));
|
||||
}
|
||||
}
|
||||
|
||||
contacts
|
||||
}
|
||||
}
|
||||
|
||||
@@ -67,7 +67,7 @@ async fn worker(self: Arc<Self>) -> Result {
|
||||
for (id, registration) in appservices {
|
||||
// During startup, resolve any token collisions in favour of appservices
|
||||
// by logging out conflicting user devices
|
||||
if let Ok((user_id, device_id)) = self
|
||||
if let Some((user_id, device_id, _)) = self
|
||||
.services
|
||||
.users
|
||||
.find_from_token(®istration.as_token)
|
||||
@@ -158,7 +158,7 @@ pub async fn register_appservice(
|
||||
.users
|
||||
.find_from_token(®istration.as_token)
|
||||
.await
|
||||
.is_ok()
|
||||
.is_some()
|
||||
{
|
||||
return Err(err!(Request(InvalidParam(
|
||||
"Cannot register appservice: The provided token is already in use by a user \
|
||||
|
||||
@@ -39,7 +39,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
let url_preview_user_agent = config
|
||||
.url_preview_user_agent
|
||||
.clone()
|
||||
.unwrap_or_else(|| conduwuit::version::user_agent_media().to_owned());
|
||||
.unwrap_or_else(|| conduwuit::user_agent_media().to_owned());
|
||||
|
||||
Ok(Arc::new(Self {
|
||||
default: base(config)?
|
||||
@@ -149,7 +149,7 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
|
||||
.timeout(Duration::from_secs(config.request_total_timeout))
|
||||
.pool_idle_timeout(Duration::from_secs(config.request_idle_timeout))
|
||||
.pool_max_idle_per_host(config.request_idle_per_host.into())
|
||||
.user_agent(conduwuit::version::user_agent())
|
||||
.user_agent(conduwuit::user_agent())
|
||||
.redirect(redirect::Policy::limited(6))
|
||||
.danger_accept_invalid_certs(config.allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure)
|
||||
.connection_verbose(cfg!(debug_assertions));
|
||||
|
||||
@@ -6,7 +6,7 @@
|
||||
use askama::Template;
|
||||
use async_trait::async_trait;
|
||||
use conduwuit::{Result, info, utils::ReadyExt};
|
||||
use futures::{FutureExt, StreamExt};
|
||||
use futures::StreamExt;
|
||||
use ruma::{UserId, events::room::message::RoomMessageEventContent};
|
||||
|
||||
use crate::{
|
||||
@@ -120,7 +120,7 @@ fn disable_first_run(&self) -> bool {
|
||||
///
|
||||
/// Returns Ok(true) if the specified user was the first user, and Ok(false)
|
||||
/// if they were not.
|
||||
pub async fn empower_first_user(&self, user: &UserId) -> Result<bool> {
|
||||
pub async fn empower_first_user(&self, user: &UserId) -> bool {
|
||||
#[derive(Template)]
|
||||
#[template(path = "welcome.md")]
|
||||
struct WelcomeMessage<'a> {
|
||||
@@ -130,10 +130,14 @@ struct WelcomeMessage<'a> {
|
||||
|
||||
// If first run mode isn't active, do nothing.
|
||||
if !self.disable_first_run() {
|
||||
return Ok(false);
|
||||
return false;
|
||||
}
|
||||
|
||||
self.services.admin.make_user_admin(user).boxed().await?;
|
||||
self.services
|
||||
.admin
|
||||
.make_user_admin(user)
|
||||
.await
|
||||
.expect("should have been able to empower the first user");
|
||||
|
||||
// Send the welcome message
|
||||
let welcome_message = WelcomeMessage {
|
||||
@@ -146,11 +150,12 @@ struct WelcomeMessage<'a> {
|
||||
self.services
|
||||
.admin
|
||||
.send_loud_message(RoomMessageEventContent::text_markdown(welcome_message))
|
||||
.await?;
|
||||
.await
|
||||
.expect("should have been able to send welcome message");
|
||||
|
||||
info!("{user} has been invited to the admin room as the first user.");
|
||||
|
||||
Ok(true)
|
||||
true
|
||||
}
|
||||
|
||||
/// Get the single-use registration token which may be used to create the
|
||||
@@ -181,7 +186,7 @@ pub fn print_first_run_banner(&self) {
|
||||
eprintln!(
|
||||
"Welcome to {} {}!",
|
||||
"Continuwuity".bold().bright_magenta(),
|
||||
conduwuit::version::version().bold()
|
||||
conduwuit::version().bold()
|
||||
);
|
||||
eprintln!();
|
||||
eprintln!(
|
||||
|
||||
@@ -92,8 +92,8 @@ pub async fn send<Template: MessageTemplate>(
|
||||
|
||||
let message = MessageBuilder::new()
|
||||
.from(self.sender.clone())
|
||||
.to(recipient)
|
||||
.subject(subject)
|
||||
.to(recipient.clone())
|
||||
.subject(subject.clone())
|
||||
.date_now()
|
||||
.header(ContentType::TEXT_PLAIN)
|
||||
.body(body)
|
||||
@@ -104,6 +104,8 @@ pub async fn send<Template: MessageTemplate>(
|
||||
.await
|
||||
.map_err(|err: TransportError| err!("Failed to send message: {err}"))?;
|
||||
|
||||
info!(recipient = recipient.to_string(), ?subject, "Email sent");
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
+1
-1
@@ -27,7 +27,7 @@
|
||||
pub mod mailer;
|
||||
pub mod media;
|
||||
pub mod moderation;
|
||||
pub mod password_reset;
|
||||
pub mod oauth;
|
||||
pub mod presence;
|
||||
pub mod pusher;
|
||||
pub mod registration_tokens;
|
||||
|
||||
@@ -0,0 +1,196 @@
|
||||
use std::{collections::BTreeSet, hash::Hash};
|
||||
|
||||
use itertools::Itertools;
|
||||
use serde::{Deserialize, Deserializer, Serialize};
|
||||
use url::Url;
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Deserialize, Serialize)]
|
||||
#[non_exhaustive]
|
||||
pub struct ClientMetadata {
|
||||
#[serde(default)]
|
||||
pub application_type: ApplicationType,
|
||||
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub client_name: Option<String>,
|
||||
|
||||
pub client_uri: Url,
|
||||
|
||||
#[serde(default, deserialize_with = "btreeset_skip_err")]
|
||||
pub grant_types: BTreeSet<GrantType>,
|
||||
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub logo_uri: Option<Url>,
|
||||
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub policy_uri: Option<Url>,
|
||||
|
||||
#[serde(default)]
|
||||
pub redirect_uris: Vec<Url>,
|
||||
|
||||
#[serde(default, deserialize_with = "btreeset_skip_err")]
|
||||
pub response_types: BTreeSet<ResponseType>,
|
||||
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub token_endpoint_auth_method: Option<String>,
|
||||
|
||||
#[serde(default, skip_serializing_if = "Option::is_none")]
|
||||
pub tos_uri: Option<Url>,
|
||||
}
|
||||
|
||||
impl ClientMetadata {
|
||||
pub(super) const ACCEPTABLE_LOCALHOSTS: [&str; 3] = ["localhost", "127.0.0.1", "[::1]"];
|
||||
|
||||
pub(super) fn validate(&self) -> Result<(), &'static str> {
|
||||
let Some(client_domain) = self.client_uri.domain() else {
|
||||
return Err("Client URI must have a domain.");
|
||||
};
|
||||
|
||||
if self.client_uri.scheme() != "https" {
|
||||
return Err("Client URI must be HTTPS.");
|
||||
}
|
||||
|
||||
if !self.client_uri.username().is_empty() || self.client_uri.password().is_some() {
|
||||
return Err("Client URI must not include credentials.");
|
||||
}
|
||||
|
||||
for uri in [&self.logo_uri, &self.policy_uri, &self.tos_uri]
|
||||
.iter()
|
||||
.filter_map(|uri| uri.as_ref())
|
||||
{
|
||||
if uri.scheme() != "https" {
|
||||
return Err("All metadata URIs must be HTTPS.");
|
||||
}
|
||||
|
||||
if !uri.username().is_empty() || uri.password().is_some() {
|
||||
return Err("All metadata URIs must not include credentials.");
|
||||
}
|
||||
|
||||
if !uri
|
||||
.domain()
|
||||
.is_some_and(|domain| is_subdomain(domain, client_domain))
|
||||
{
|
||||
return Err("All metadata URIs must be subdomains of the client URI.");
|
||||
}
|
||||
}
|
||||
|
||||
for uri in &self.redirect_uris {
|
||||
match uri.scheme() {
|
||||
| "https" => {
|
||||
// HTTPS URIs are okay for native and web clients
|
||||
|
||||
if !uri.username().is_empty() || uri.password().is_some() {
|
||||
return Err("HTTPS redirect URIs must not contain credentials.");
|
||||
}
|
||||
},
|
||||
| "http" if self.application_type == ApplicationType::Native => {
|
||||
if uri
|
||||
.host_str()
|
||||
.is_none_or(|host| !Self::ACCEPTABLE_LOCALHOSTS.contains(&host))
|
||||
{
|
||||
return Err("HTTP redirect URIs for native applications must only \
|
||||
refer to localhost.");
|
||||
}
|
||||
|
||||
if uri.port().is_some() {
|
||||
return Err("HTTP redirect URIs for native applications do not need to \
|
||||
specify a port. All ports will be accepted during \
|
||||
authorization.");
|
||||
}
|
||||
},
|
||||
| private_scheme if self.application_type == ApplicationType::Native => {
|
||||
let rdns_client_uri = client_domain.split('.').rev().join(".");
|
||||
|
||||
if !private_scheme.starts_with(&rdns_client_uri) {
|
||||
return Err("Private-use scheme URIs for native applications must \
|
||||
begin with the application's client URI domain in \
|
||||
reverse-DNS notation.");
|
||||
}
|
||||
|
||||
if uri.has_authority() {
|
||||
return Err("Private-use scheme URIs for native applications must not \
|
||||
have an authority.");
|
||||
}
|
||||
},
|
||||
| _ =>
|
||||
return Err("A redirect URI's scheme is not valid for this application type."),
|
||||
}
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Default, PartialEq, Eq, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
pub enum ApplicationType {
|
||||
#[default]
|
||||
Web,
|
||||
Native,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
pub enum GrantType {
|
||||
AuthorizationCode,
|
||||
RefreshToken,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq, Eq, Hash, PartialOrd, Ord, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
#[non_exhaustive]
|
||||
pub enum ResponseType {
|
||||
Code,
|
||||
}
|
||||
|
||||
/// Deserialize a BTreeSet from a sequence, skipping items which fail to
|
||||
/// deserialize. This is used as a deserialize helper for ClientMetadata to
|
||||
/// ignore unknown enum variants in a few fields.
|
||||
fn btreeset_skip_err<'de, D, V>(de: D) -> Result<BTreeSet<V>, D::Error>
|
||||
where
|
||||
D: Deserializer<'de>,
|
||||
V: Deserialize<'de> + Hash + Eq + Ord,
|
||||
{
|
||||
use std::marker::PhantomData;
|
||||
|
||||
use serde::de::{SeqAccess, Visitor};
|
||||
|
||||
struct BTreeSetVisitor<V> {
|
||||
item: PhantomData<V>,
|
||||
}
|
||||
|
||||
impl<'de, V> Visitor<'de> for BTreeSetVisitor<V>
|
||||
where
|
||||
V: Deserialize<'de> + Hash + Eq + Ord,
|
||||
{
|
||||
type Value = BTreeSet<V>;
|
||||
|
||||
fn expecting(&self, formatter: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
write!(formatter, "a sequence")
|
||||
}
|
||||
|
||||
fn visit_seq<A>(self, mut seq: A) -> Result<Self::Value, A::Error>
|
||||
where
|
||||
A: SeqAccess<'de>,
|
||||
{
|
||||
let mut set = BTreeSet::new();
|
||||
|
||||
while let Some(element) = seq.next_element().transpose() {
|
||||
if let Ok(element) = element {
|
||||
set.insert(element);
|
||||
}
|
||||
}
|
||||
|
||||
Ok(set)
|
||||
}
|
||||
}
|
||||
|
||||
de.deserialize_seq(BTreeSetVisitor { item: PhantomData })
|
||||
}
|
||||
|
||||
fn is_subdomain(subdomain: &str, domain: &str) -> bool {
|
||||
if subdomain == domain {
|
||||
return true;
|
||||
}
|
||||
|
||||
subdomain.ends_with(&format!(".{domain}"))
|
||||
}
|
||||
@@ -0,0 +1,211 @@
|
||||
use std::{
|
||||
borrow::Cow,
|
||||
collections::BTreeSet,
|
||||
error::Error,
|
||||
fmt::{Debug, Display},
|
||||
hash::Hash,
|
||||
mem::discriminant,
|
||||
};
|
||||
|
||||
use regex::Regex;
|
||||
use ruma::OwnedDeviceId;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use url::Url;
|
||||
|
||||
use super::client_metadata::ResponseType;
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize)]
|
||||
pub struct AuthorizationCodeQuery {
|
||||
pub response_type: ResponseType,
|
||||
pub client_id: String,
|
||||
pub redirect_uri: Url,
|
||||
pub scope: RawScopes,
|
||||
pub state: String,
|
||||
#[serde(default)]
|
||||
pub response_mode: ResponseMode,
|
||||
pub code_challenge: String,
|
||||
pub code_challenge_method: CodeChallengeMethod,
|
||||
#[serde(default)]
|
||||
pub prompt: Option<Prompt>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Default, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
#[non_exhaustive]
|
||||
pub enum ResponseMode {
|
||||
#[default]
|
||||
// default for `code` response type, see https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#:~:text=Client%2E-,For,encoding%2E,-See
|
||||
Query,
|
||||
Fragment,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize)]
|
||||
#[non_exhaustive]
|
||||
pub enum CodeChallengeMethod {
|
||||
S256,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
#[non_exhaustive]
|
||||
pub enum Prompt {
|
||||
Create,
|
||||
#[serde(other)]
|
||||
Unknown,
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize, PartialOrd, Ord)]
|
||||
pub enum Scope {
|
||||
Device(OwnedDeviceId),
|
||||
ClientApi,
|
||||
}
|
||||
|
||||
impl PartialEq for Scope {
|
||||
fn eq(&self, other: &Self) -> bool { discriminant(self) == discriminant(other) }
|
||||
}
|
||||
|
||||
impl Eq for Scope {}
|
||||
|
||||
impl Hash for Scope {
|
||||
fn hash<H: std::hash::Hasher>(&self, state: &mut H) { discriminant(self).hash(state); }
|
||||
}
|
||||
|
||||
impl Display for Scope {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
let urn = match self {
|
||||
| Self::ClientApi => "urn:matrix:client:api:*".to_owned(),
|
||||
| Self::Device(device_id) => format!("urn:matrix:client:device:{device_id}"),
|
||||
};
|
||||
|
||||
f.write_str(&urn)
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Clone, Deserialize, Serialize)]
|
||||
pub struct RawScopes(String);
|
||||
|
||||
impl RawScopes {
|
||||
pub fn to_scopes(&self) -> Result<BTreeSet<Scope>, String> {
|
||||
let client_api_token_regex =
|
||||
Regex::new(r"urn:matrix:(client|org.matrix.msc2967.client):api:\*").unwrap();
|
||||
let device_token_regex = Regex::new(
|
||||
r"urn:matrix:(client|org.matrix.msc2967.client):device:([a-zA-Z0-9-._~]{5,})",
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
let mut scopes = BTreeSet::new();
|
||||
|
||||
for token in self.0.split(' ') {
|
||||
let scope_was_new = {
|
||||
if client_api_token_regex.is_match(token) {
|
||||
scopes.insert(Scope::ClientApi)
|
||||
} else if let Some(captures) = device_token_regex.captures(token) {
|
||||
scopes.insert(Scope::Device(captures.get(2).unwrap().as_str().into()))
|
||||
} else if token == "openid" {
|
||||
// TODO(unspecced): Element sets this scope but doesn't use it for anything
|
||||
true
|
||||
} else {
|
||||
return Err(format!("Invalid scope: {token}"));
|
||||
}
|
||||
};
|
||||
|
||||
if !scope_was_new {
|
||||
return Err("Scope was specified more than once".to_owned());
|
||||
}
|
||||
}
|
||||
|
||||
Ok(scopes)
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize, Debug, Clone)]
|
||||
pub struct OAuthError {
|
||||
pub error: ErrorCode,
|
||||
pub error_description: Cow<'static, str>,
|
||||
}
|
||||
|
||||
impl OAuthError {
|
||||
#[must_use]
|
||||
pub const fn invalid_request(error_description: &'static str) -> Self {
|
||||
Self {
|
||||
error: ErrorCode::InvalidRequest,
|
||||
error_description: Cow::Borrowed(error_description),
|
||||
}
|
||||
}
|
||||
|
||||
#[must_use]
|
||||
pub const fn invalid_grant(error_description: &'static str) -> Self {
|
||||
Self {
|
||||
error: ErrorCode::InvalidGrant,
|
||||
error_description: Cow::Borrowed(error_description),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Display for OAuthError {
|
||||
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
||||
write!(f, "OAuth error {:?}: {}", self.error, self.error_description)
|
||||
}
|
||||
}
|
||||
|
||||
impl Error for OAuthError {}
|
||||
|
||||
#[derive(Serialize, Debug, Clone, Copy, PartialEq, Eq)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
pub enum ErrorCode {
|
||||
InvalidRequest,
|
||||
AccessDenied,
|
||||
InvalidScope,
|
||||
InvalidGrant,
|
||||
InvalidClientMetadata,
|
||||
}
|
||||
|
||||
#[derive(Serialize)]
|
||||
pub struct AuthorizationCodeResponse {
|
||||
pub state: String,
|
||||
pub code: String,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
#[serde(tag = "grant_type", rename_all = "snake_case")]
|
||||
pub enum TokenRequest {
|
||||
AuthorizationCode {
|
||||
code: String,
|
||||
redirect_uri: Url,
|
||||
client_id: String,
|
||||
code_verifier: String,
|
||||
},
|
||||
RefreshToken {
|
||||
client_id: String,
|
||||
refresh_token: String,
|
||||
},
|
||||
}
|
||||
|
||||
impl TokenRequest {
|
||||
#[must_use]
|
||||
pub fn client_id(&self) -> &str {
|
||||
match self {
|
||||
| Self::AuthorizationCode { client_id, .. }
|
||||
| Self::RefreshToken { client_id, .. } => client_id,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Serialize)]
|
||||
pub struct TokenResponse {
|
||||
pub access_token: String,
|
||||
pub token_type: TokenType,
|
||||
pub expires_in: u64,
|
||||
pub refresh_token: String,
|
||||
pub scope: String,
|
||||
}
|
||||
|
||||
#[derive(Serialize)]
|
||||
pub enum TokenType {
|
||||
Bearer,
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
pub struct RevokeTokenRequest {
|
||||
pub token: String,
|
||||
}
|
||||
@@ -0,0 +1,528 @@
|
||||
use std::{
|
||||
collections::{BTreeSet, HashMap},
|
||||
sync::{Arc, Mutex},
|
||||
time::{Duration, SystemTime},
|
||||
};
|
||||
|
||||
use base64::Engine;
|
||||
use conduwuit::{
|
||||
Result, info,
|
||||
utils::{self, hash::sha256},
|
||||
};
|
||||
use database::{Deserialized, Json, Map};
|
||||
use itertools::Itertools;
|
||||
use lru_cache::LruCache;
|
||||
use ruma::{DeviceId, OwnedDeviceId, OwnedUserId, UserId};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use url::Url;
|
||||
|
||||
use crate::{
|
||||
Dep,
|
||||
oauth::{
|
||||
client_metadata::{ApplicationType, ClientMetadata, ResponseType},
|
||||
grant::{
|
||||
AuthorizationCodeQuery, AuthorizationCodeResponse, CodeChallengeMethod, ErrorCode,
|
||||
OAuthError, ResponseMode, Scope, TokenRequest, TokenResponse, TokenType,
|
||||
},
|
||||
},
|
||||
users,
|
||||
};
|
||||
|
||||
pub mod client_metadata;
|
||||
pub mod grant;
|
||||
|
||||
pub struct Service {
|
||||
services: Services,
|
||||
db: Data,
|
||||
tickets: Mutex<HashMap<String, HashMap<OAuthTicket, SystemTime>>>,
|
||||
pending_code_grants: tokio::sync::Mutex<LruCache<String, PendingCodeGrant>>,
|
||||
}
|
||||
|
||||
struct Data {
|
||||
clientid_clientmetadata: Arc<Map>,
|
||||
userdeviceid_oauthsessioninfo: Arc<Map>,
|
||||
refreshtoken_refreshtokeninfo: Arc<Map>,
|
||||
}
|
||||
|
||||
struct Services {
|
||||
users: Dep<users::Service>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
pub struct SessionInfo {
|
||||
pub client_id: String,
|
||||
pub scopes: BTreeSet<Scope>,
|
||||
current_refresh_token: String,
|
||||
}
|
||||
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
struct RefreshTokenInfo {
|
||||
client_id: String,
|
||||
user_id: OwnedUserId,
|
||||
device_id: OwnedDeviceId,
|
||||
}
|
||||
|
||||
struct PendingCodeGrant {
|
||||
authorizing_user: OwnedUserId,
|
||||
requested_scopes: BTreeSet<Scope>,
|
||||
client_name: Option<String>,
|
||||
expected_client_id: String,
|
||||
expected_redirect_uri: Url,
|
||||
code_challenge: String,
|
||||
requested_at: SystemTime,
|
||||
}
|
||||
|
||||
impl PendingCodeGrant {
|
||||
const MAX_AGE: Duration = Duration::from_mins(1);
|
||||
const RANDOM_CODE_LENGTH: usize = 32;
|
||||
|
||||
#[must_use]
|
||||
pub(crate) fn generate_code() -> String { utils::random_string(Self::RANDOM_CODE_LENGTH) }
|
||||
|
||||
#[must_use]
|
||||
pub(crate) fn is_valid_for(&self, client_id: &str) -> bool {
|
||||
let now = SystemTime::now();
|
||||
|
||||
self.expected_client_id == client_id
|
||||
&& now
|
||||
.duration_since(self.requested_at)
|
||||
.is_ok_and(|age| age < Self::MAX_AGE)
|
||||
}
|
||||
}
|
||||
|
||||
/// A time-limited grant for a client to perform some sensitive action.
|
||||
#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
|
||||
pub enum OAuthTicket {
|
||||
CrossSigningReset,
|
||||
}
|
||||
|
||||
impl OAuthTicket {
|
||||
const MAX_AGE: Duration = Duration::from_mins(10);
|
||||
|
||||
#[must_use]
|
||||
pub fn ticket_issue_path(&self) -> &'static str {
|
||||
match self {
|
||||
| Self::CrossSigningReset => "/account/cross_signing_reset",
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl crate::Service for Service {
|
||||
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
Ok(Arc::new(Self {
|
||||
services: Services {
|
||||
users: args.depend::<users::Service>("users"),
|
||||
},
|
||||
db: Data {
|
||||
clientid_clientmetadata: args.db["clientid_clientmetadata"].clone(),
|
||||
userdeviceid_oauthsessioninfo: args.db["userdeviceid_oauthsessioninfo"].clone(),
|
||||
refreshtoken_refreshtokeninfo: args.db["refreshtoken_refreshtokeninfo"].clone(),
|
||||
},
|
||||
tickets: Mutex::default(),
|
||||
pending_code_grants: tokio::sync::Mutex::new(LruCache::new(
|
||||
Self::MAX_PENDING_CODE_GRANTS,
|
||||
)),
|
||||
}))
|
||||
}
|
||||
|
||||
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
|
||||
}
|
||||
|
||||
impl Service {
|
||||
const ACCESS_TOKEN_MAX_AGE: Duration = Duration::from_hours(1);
|
||||
// Maximum number of pending code grants which will be held in memory at once,
|
||||
// to prevent unbounded memory use if someone decides to repeatedly reload the
|
||||
// grant page.
|
||||
const MAX_PENDING_CODE_GRANTS: usize = 100;
|
||||
const RANDOM_TOKEN_LENGTH: usize = 32;
|
||||
|
||||
fn generate_token() -> String { utils::random_string(Self::RANDOM_TOKEN_LENGTH) }
|
||||
|
||||
pub async fn register_client(&self, metadata: &ClientMetadata) -> Result<String, OAuthError> {
|
||||
metadata.validate().map_err(|error| OAuthError {
|
||||
error: ErrorCode::InvalidClientMetadata,
|
||||
error_description: error.into(),
|
||||
})?;
|
||||
|
||||
let client_id = base64::prelude::BASE64_STANDARD
|
||||
.encode(sha256::hash(serde_json::to_string(metadata).unwrap().as_bytes()));
|
||||
|
||||
if self
|
||||
.db
|
||||
.clientid_clientmetadata
|
||||
.exists(&client_id)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
self.db
|
||||
.clientid_clientmetadata
|
||||
.raw_put(&client_id, Json(metadata.clone()));
|
||||
}
|
||||
|
||||
Ok(client_id)
|
||||
}
|
||||
|
||||
pub async fn get_client_metadata(&self, client_id: &str) -> Option<ClientMetadata> {
|
||||
self.db
|
||||
.clientid_clientmetadata
|
||||
.get(client_id)
|
||||
.await
|
||||
.deserialized()
|
||||
.ok()
|
||||
}
|
||||
|
||||
pub async fn get_session_info_for_device(
|
||||
&self,
|
||||
user_id: &UserId,
|
||||
device_id: &DeviceId,
|
||||
) -> Option<SessionInfo> {
|
||||
self.db
|
||||
.userdeviceid_oauthsessioninfo
|
||||
.qry(&(user_id, device_id))
|
||||
.await
|
||||
.deserialized::<SessionInfo>()
|
||||
.ok()
|
||||
}
|
||||
|
||||
pub async fn request_authorization_code(
|
||||
&self,
|
||||
authorizing_user: OwnedUserId,
|
||||
query: AuthorizationCodeQuery,
|
||||
) -> Result<String, String> {
|
||||
let Some(client_metadata) = self.get_client_metadata(&query.client_id).await else {
|
||||
return Err("Invalid client ID".to_owned());
|
||||
};
|
||||
|
||||
if !(client_metadata
|
||||
.response_types
|
||||
.contains(&query.response_type)
|
||||
&& matches!(query.response_type, ResponseType::Code))
|
||||
{
|
||||
return Err("Invalid response type".to_owned());
|
||||
}
|
||||
|
||||
if !matches!(query.code_challenge_method, CodeChallengeMethod::S256) {
|
||||
return Err("Invalid code challenge type".to_owned());
|
||||
}
|
||||
|
||||
{
|
||||
let mut stripped_uri = query.redirect_uri.clone();
|
||||
|
||||
if client_metadata.application_type == ApplicationType::Native
|
||||
&& query
|
||||
.redirect_uri
|
||||
.host_str()
|
||||
.is_some_and(|host| ClientMetadata::ACCEPTABLE_LOCALHOSTS.contains(&host))
|
||||
{
|
||||
// Remove the port from localhost redirect URIs for native applications when
|
||||
// checking if it's valid
|
||||
stripped_uri.set_port(None).unwrap();
|
||||
}
|
||||
|
||||
if !client_metadata.redirect_uris.contains(&stripped_uri) {
|
||||
return Err("Invalid redirect URI".to_owned());
|
||||
}
|
||||
}
|
||||
|
||||
let requested_scopes = query.scope.to_scopes()?;
|
||||
|
||||
let redirect_uri_query_separator = match query.response_mode {
|
||||
| ResponseMode::Fragment => '#',
|
||||
| ResponseMode::Query => '?',
|
||||
};
|
||||
|
||||
let code = PendingCodeGrant::generate_code();
|
||||
|
||||
info!(
|
||||
client_id = &query.client_id,
|
||||
client_name = &client_metadata.client_name,
|
||||
?requested_scopes,
|
||||
?authorizing_user,
|
||||
"Issuing oauth authorization code"
|
||||
);
|
||||
|
||||
let redirect_uri = format!(
|
||||
"{}{}{}",
|
||||
query.redirect_uri,
|
||||
redirect_uri_query_separator,
|
||||
serde_urlencoded::to_string(AuthorizationCodeResponse {
|
||||
state: query.state,
|
||||
code: code.clone(),
|
||||
})
|
||||
.unwrap(),
|
||||
);
|
||||
|
||||
let pending_grant = PendingCodeGrant {
|
||||
authorizing_user,
|
||||
requested_scopes,
|
||||
client_name: client_metadata.client_name,
|
||||
expected_client_id: query.client_id,
|
||||
expected_redirect_uri: query.redirect_uri,
|
||||
code_challenge: query.code_challenge,
|
||||
requested_at: SystemTime::now(),
|
||||
};
|
||||
|
||||
self.pending_code_grants
|
||||
.lock()
|
||||
.await
|
||||
.insert(code, pending_grant);
|
||||
|
||||
Ok(redirect_uri)
|
||||
}
|
||||
|
||||
pub async fn issue_token(&self, request: TokenRequest) -> Result<TokenResponse, OAuthError> {
|
||||
match request {
|
||||
| TokenRequest::AuthorizationCode {
|
||||
code,
|
||||
redirect_uri,
|
||||
client_id,
|
||||
code_verifier,
|
||||
} => {
|
||||
let mut pending_grants = self.pending_code_grants.lock().await;
|
||||
|
||||
let Some(pending_grant) = pending_grants
|
||||
.remove(&code)
|
||||
.filter(|grant| grant.is_valid_for(&client_id))
|
||||
else {
|
||||
return Err(OAuthError::invalid_grant("Invalid authorization code"));
|
||||
};
|
||||
|
||||
if redirect_uri != pending_grant.expected_redirect_uri {
|
||||
return Err(OAuthError::invalid_grant("Invalid redirect URI"));
|
||||
}
|
||||
|
||||
let expected_code_challenge =
|
||||
base64::prelude::BASE64_URL_SAFE_NO_PAD.encode(sha256::hash(&code_verifier));
|
||||
if expected_code_challenge != pending_grant.code_challenge {
|
||||
return Err(OAuthError::invalid_grant("Invalid code challenge"));
|
||||
}
|
||||
|
||||
self.create_session(
|
||||
pending_grant.authorizing_user,
|
||||
pending_grant.requested_scopes,
|
||||
pending_grant.client_name,
|
||||
client_id,
|
||||
)
|
||||
.await
|
||||
},
|
||||
| TokenRequest::RefreshToken { client_id, refresh_token } =>
|
||||
self.refresh_session(client_id, refresh_token).await,
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn revoke_token(&self, token: String) -> Result<(), OAuthError> {
|
||||
let (user_id, device_id) = if let Ok(refresh_token_info) = self
|
||||
.db
|
||||
.refreshtoken_refreshtokeninfo
|
||||
.get(&token)
|
||||
.await
|
||||
.deserialized::<RefreshTokenInfo>()
|
||||
{
|
||||
(refresh_token_info.user_id, refresh_token_info.device_id)
|
||||
} else if let Some((user_id, device_id, _)) =
|
||||
self.services.users.find_from_token(&token).await
|
||||
{
|
||||
(user_id, device_id)
|
||||
} else {
|
||||
return Err(OAuthError::invalid_grant("Invalid access or refersh token"));
|
||||
};
|
||||
|
||||
// This will also call [`Self::remove_session`]
|
||||
self.services
|
||||
.users
|
||||
.remove_device(&user_id, &device_id)
|
||||
.await;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
async fn create_session(
|
||||
&self,
|
||||
authorizing_user: OwnedUserId,
|
||||
requested_scopes: BTreeSet<Scope>,
|
||||
client_name: Option<String>,
|
||||
client_id: String,
|
||||
) -> Result<TokenResponse, OAuthError> {
|
||||
let access_token = Self::generate_token();
|
||||
let refresh_token = Self::generate_token();
|
||||
|
||||
let device_id = requested_scopes
|
||||
.iter()
|
||||
.find_map(|scope| {
|
||||
if let Scope::Device(device_id) = scope {
|
||||
Some(device_id)
|
||||
} else {
|
||||
None
|
||||
}
|
||||
})
|
||||
.ok_or_else(|| OAuthError::invalid_grant("No device ID scope supplied"))?;
|
||||
|
||||
if self
|
||||
.services
|
||||
.users
|
||||
.get_device_metadata(&authorizing_user, device_id)
|
||||
.await
|
||||
.is_ok()
|
||||
{
|
||||
return Err(OAuthError {
|
||||
error: ErrorCode::InvalidScope,
|
||||
error_description: "A device with the supplied ID already exists for this user"
|
||||
.into(),
|
||||
});
|
||||
}
|
||||
|
||||
self.services
|
||||
.users
|
||||
.create_device(
|
||||
&authorizing_user,
|
||||
device_id,
|
||||
&access_token,
|
||||
Some(Self::ACCESS_TOKEN_MAX_AGE),
|
||||
client_name,
|
||||
None,
|
||||
)
|
||||
.await
|
||||
// This can only panic if the authorizing user suffered a spontaneous existence
|
||||
// failure during authentication, which should(?) be impossible(?)
|
||||
.expect("failed to create device");
|
||||
|
||||
self.db.userdeviceid_oauthsessioninfo.put(
|
||||
(&authorizing_user, device_id),
|
||||
Json(SessionInfo {
|
||||
client_id: client_id.clone(),
|
||||
current_refresh_token: refresh_token.clone(),
|
||||
scopes: requested_scopes.clone(),
|
||||
}),
|
||||
);
|
||||
|
||||
self.db.refreshtoken_refreshtokeninfo.raw_put(
|
||||
&refresh_token,
|
||||
Json(RefreshTokenInfo {
|
||||
client_id: client_id.clone(),
|
||||
user_id: authorizing_user.clone(),
|
||||
device_id: device_id.to_owned(),
|
||||
}),
|
||||
);
|
||||
|
||||
info!(
|
||||
?client_id,
|
||||
?authorizing_user,
|
||||
?device_id,
|
||||
?requested_scopes,
|
||||
"Created new oauth session"
|
||||
);
|
||||
|
||||
Ok(TokenResponse {
|
||||
access_token,
|
||||
token_type: TokenType::Bearer,
|
||||
expires_in: Self::ACCESS_TOKEN_MAX_AGE.as_secs(),
|
||||
scope: requested_scopes.iter().join(" "),
|
||||
refresh_token,
|
||||
})
|
||||
}
|
||||
|
||||
async fn refresh_session(
|
||||
&self,
|
||||
client_id: String,
|
||||
refresh_token: String,
|
||||
) -> Result<TokenResponse, OAuthError> {
|
||||
let Some(refresh_token_info) = self
|
||||
.db
|
||||
.refreshtoken_refreshtokeninfo
|
||||
.get(&refresh_token)
|
||||
.await
|
||||
.deserialized::<RefreshTokenInfo>()
|
||||
.ok()
|
||||
else {
|
||||
return Err(OAuthError::invalid_grant("Invalid refresh token"));
|
||||
};
|
||||
|
||||
assert_eq!(&client_id, &refresh_token_info.client_id, "refresh token client id mismatch");
|
||||
|
||||
let mut session_info = self
|
||||
.get_session_info_for_device(
|
||||
&refresh_token_info.user_id,
|
||||
&refresh_token_info.device_id,
|
||||
)
|
||||
.await
|
||||
.expect("session info should exist");
|
||||
|
||||
assert_eq!(&client_id, &session_info.client_id, "session info client id mismatch");
|
||||
|
||||
let new_access_token = Self::generate_token();
|
||||
let new_refresh_token = Self::generate_token();
|
||||
let scope = session_info.scopes.iter().join(" ");
|
||||
session_info
|
||||
.current_refresh_token
|
||||
.clone_from(&new_refresh_token);
|
||||
|
||||
self.services
|
||||
.users
|
||||
.set_token(
|
||||
&refresh_token_info.user_id,
|
||||
&refresh_token_info.device_id,
|
||||
&new_access_token,
|
||||
Some(Self::ACCESS_TOKEN_MAX_AGE),
|
||||
)
|
||||
.await
|
||||
.expect("should be able to set token");
|
||||
|
||||
self.db.userdeviceid_oauthsessioninfo.put(
|
||||
(&refresh_token_info.user_id, &refresh_token_info.device_id),
|
||||
Json(session_info),
|
||||
);
|
||||
|
||||
self.db.refreshtoken_refreshtokeninfo.remove(&refresh_token);
|
||||
drop(refresh_token);
|
||||
self.db
|
||||
.refreshtoken_refreshtokeninfo
|
||||
.raw_put(&new_refresh_token, Json(refresh_token_info));
|
||||
|
||||
Ok(TokenResponse {
|
||||
access_token: new_access_token,
|
||||
token_type: TokenType::Bearer,
|
||||
expires_in: Self::ACCESS_TOKEN_MAX_AGE.as_secs(),
|
||||
scope,
|
||||
refresh_token: new_refresh_token,
|
||||
})
|
||||
}
|
||||
|
||||
pub async fn remove_session(&self, user_id: &UserId, device_id: &DeviceId) {
|
||||
let session_info = self.get_session_info_for_device(user_id, device_id).await;
|
||||
|
||||
if let Some(session_info) = session_info {
|
||||
self.db
|
||||
.refreshtoken_refreshtokeninfo
|
||||
.remove(&session_info.current_refresh_token);
|
||||
self.db
|
||||
.userdeviceid_oauthsessioninfo
|
||||
.del((user_id, device_id));
|
||||
info!(?user_id, ?device_id, "Removed OAuth session");
|
||||
}
|
||||
}
|
||||
|
||||
/// Issue a ticket for `localpart` to perform some action.
|
||||
pub fn issue_ticket(&self, localpart: String, ticket: OAuthTicket) {
|
||||
self.tickets
|
||||
.lock()
|
||||
.unwrap()
|
||||
.entry(localpart)
|
||||
.or_default()
|
||||
.insert(ticket, SystemTime::now());
|
||||
}
|
||||
|
||||
/// Try to consume an unexpired ticket for `localpart`.
|
||||
pub fn try_consume_ticket(&self, localpart: &str, ticket: OAuthTicket) -> bool {
|
||||
let now = SystemTime::now();
|
||||
|
||||
self.tickets
|
||||
.lock()
|
||||
.unwrap()
|
||||
.get_mut(localpart)
|
||||
.and_then(|tickets| tickets.remove(&ticket))
|
||||
.is_some_and(|issued| {
|
||||
now.duration_since(issued)
|
||||
.is_ok_and(|duration| duration < OAuthTicket::MAX_AGE)
|
||||
})
|
||||
}
|
||||
}
|
||||
@@ -1,68 +0,0 @@
|
||||
use std::{
|
||||
sync::Arc,
|
||||
time::{Duration, SystemTime},
|
||||
};
|
||||
|
||||
use conduwuit::utils::{ReadyExt, stream::TryExpect};
|
||||
use database::{Database, Deserialized, Json, Map};
|
||||
use ruma::{OwnedUserId, UserId};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
pub(super) struct Data {
|
||||
passwordresettoken_info: Arc<Map>,
|
||||
}
|
||||
|
||||
#[derive(Debug, Serialize, Deserialize)]
|
||||
pub struct ResetTokenInfo {
|
||||
pub user: OwnedUserId,
|
||||
pub issued_at: SystemTime,
|
||||
}
|
||||
|
||||
impl ResetTokenInfo {
|
||||
// one hour
|
||||
const MAX_TOKEN_AGE: Duration = Duration::from_hours(1);
|
||||
|
||||
pub fn is_valid(&self) -> bool {
|
||||
let now = SystemTime::now();
|
||||
|
||||
now.duration_since(self.issued_at)
|
||||
.is_ok_and(|duration| duration < Self::MAX_TOKEN_AGE)
|
||||
}
|
||||
}
|
||||
|
||||
impl Data {
|
||||
pub(super) fn new(db: &Arc<Database>) -> Self {
|
||||
Self {
|
||||
passwordresettoken_info: db["passwordresettoken_info"].clone(),
|
||||
}
|
||||
}
|
||||
|
||||
/// Associate a reset token with its info in the database.
|
||||
pub(super) fn save_token(&self, token: &str, info: &ResetTokenInfo) {
|
||||
self.passwordresettoken_info.raw_put(token, Json(info));
|
||||
}
|
||||
|
||||
/// Lookup the info for a reset token.
|
||||
pub(super) async fn lookup_token_info(&self, token: &str) -> Option<ResetTokenInfo> {
|
||||
self.passwordresettoken_info
|
||||
.get(token)
|
||||
.await
|
||||
.deserialized()
|
||||
.ok()
|
||||
}
|
||||
|
||||
/// Find a user's existing reset token, if any.
|
||||
pub(super) async fn find_token_for_user(
|
||||
&self,
|
||||
user: &UserId,
|
||||
) -> Option<(String, ResetTokenInfo)> {
|
||||
self.passwordresettoken_info
|
||||
.stream::<'_, String, ResetTokenInfo>()
|
||||
.expect_ok()
|
||||
.ready_find(|(_, info)| info.user == user)
|
||||
.await
|
||||
}
|
||||
|
||||
/// Remove a reset token.
|
||||
pub(super) fn remove_token(&self, token: &str) { self.passwordresettoken_info.remove(token); }
|
||||
}
|
||||
@@ -1,111 +0,0 @@
|
||||
mod data;
|
||||
|
||||
use std::{sync::Arc, time::SystemTime};
|
||||
|
||||
use conduwuit::{Err, Result, utils};
|
||||
use data::{Data, ResetTokenInfo};
|
||||
use ruma::OwnedUserId;
|
||||
|
||||
use crate::{
|
||||
Dep, globals,
|
||||
users::{self, HashedPassword},
|
||||
};
|
||||
|
||||
pub const PASSWORD_RESET_PATH: &str = "/_continuwuity/account/reset_password";
|
||||
pub const RESET_TOKEN_QUERY_PARAM: &str = "token";
|
||||
const RESET_TOKEN_LENGTH: usize = 32;
|
||||
|
||||
pub struct Service {
|
||||
db: Data,
|
||||
services: Services,
|
||||
}
|
||||
|
||||
struct Services {
|
||||
users: Dep<users::Service>,
|
||||
globals: Dep<globals::Service>,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub struct ValidResetToken {
|
||||
pub token: String,
|
||||
pub info: ResetTokenInfo,
|
||||
}
|
||||
|
||||
impl crate::Service for Service {
|
||||
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
Ok(Arc::new(Self {
|
||||
db: Data::new(args.db),
|
||||
services: Services {
|
||||
users: args.depend::<users::Service>("users"),
|
||||
globals: args.depend::<globals::Service>("globals"),
|
||||
},
|
||||
}))
|
||||
}
|
||||
|
||||
fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
|
||||
}
|
||||
|
||||
impl Service {
|
||||
/// Generate a random string suitable to be used as a password reset token.
|
||||
#[must_use]
|
||||
pub fn generate_token_string() -> String { utils::random_string(RESET_TOKEN_LENGTH) }
|
||||
|
||||
/// Issue a password reset token for `user`, who must be a local user with
|
||||
/// the `password` origin.
|
||||
pub async fn issue_token(&self, user_id: OwnedUserId) -> Result<ValidResetToken> {
|
||||
if !self.services.globals.user_is_local(&user_id) {
|
||||
return Err!("Cannot issue a password reset token for remote user {user_id}");
|
||||
}
|
||||
|
||||
if user_id == self.services.globals.server_user {
|
||||
return Err!("Cannot issue a password reset token for the server user");
|
||||
}
|
||||
|
||||
if self.services.users.is_deactivated(&user_id).await? {
|
||||
return Err!("Cannot issue a password reset token for deactivated user {user_id}");
|
||||
}
|
||||
|
||||
if let Some((existing_token, _)) = self.db.find_token_for_user(&user_id).await {
|
||||
self.db.remove_token(&existing_token);
|
||||
}
|
||||
|
||||
let token = Self::generate_token_string();
|
||||
let info = ResetTokenInfo {
|
||||
user: user_id,
|
||||
issued_at: SystemTime::now(),
|
||||
};
|
||||
|
||||
self.db.save_token(&token, &info);
|
||||
|
||||
Ok(ValidResetToken { token, info })
|
||||
}
|
||||
|
||||
/// Check if `token` represents a valid, non-expired password reset token.
|
||||
pub async fn check_token(&self, token: &str) -> Option<ValidResetToken> {
|
||||
self.db.lookup_token_info(token).await.and_then(|info| {
|
||||
if info.is_valid() {
|
||||
Some(ValidResetToken { token: token.to_owned(), info })
|
||||
} else {
|
||||
self.db.remove_token(token);
|
||||
None
|
||||
}
|
||||
})
|
||||
}
|
||||
|
||||
/// Consume the supplied valid token, using it to change its user's password
|
||||
/// to `new_password`.
|
||||
pub async fn consume_token(
|
||||
&self,
|
||||
ValidResetToken { token, info }: ValidResetToken,
|
||||
new_password: &str,
|
||||
) -> Result<()> {
|
||||
if info.is_valid() {
|
||||
self.db.remove_token(&token);
|
||||
self.services
|
||||
.users
|
||||
.set_password(&info.user, Some(HashedPassword::new(new_password)?));
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
@@ -10,6 +10,7 @@
|
||||
stream::{iter, once},
|
||||
};
|
||||
use ruma::OwnedUserId;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::{Dep, config, firstrun};
|
||||
|
||||
@@ -27,7 +28,7 @@ struct Services {
|
||||
}
|
||||
|
||||
/// A validated registration token which may be used to create an account.
|
||||
#[derive(Debug)]
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
pub struct ValidToken {
|
||||
pub token: String,
|
||||
pub source: ValidTokenSource,
|
||||
@@ -44,7 +45,7 @@ fn eq(&self, other: &str) -> bool { self.token == other }
|
||||
}
|
||||
|
||||
/// The source of a valid database token.
|
||||
#[derive(Debug)]
|
||||
#[derive(Debug, Deserialize, Serialize)]
|
||||
pub enum ValidTokenSource {
|
||||
/// The static token set in the homeserver's config file.
|
||||
Config,
|
||||
|
||||
@@ -5,7 +5,10 @@
|
||||
|
||||
use conduwuit::{Err, Result, debug, debug_info, err, error, trace};
|
||||
use futures::{FutureExt, TryFutureExt};
|
||||
use hickory_resolver::ResolveError;
|
||||
use hickory_resolver::{
|
||||
net::{DnsError, NetError},
|
||||
proto::rr::rdata::SRV,
|
||||
};
|
||||
use ipaddress::IPAddress;
|
||||
use ruma::ServerName;
|
||||
|
||||
@@ -289,7 +292,7 @@ async fn query_and_cache_override(
|
||||
| Err(e) => Self::handle_resolve_error(&e, hostname),
|
||||
| Ok(override_ip) => {
|
||||
self.cache.set_override(untername, &CachedOverride {
|
||||
ips: override_ip.into_iter().take(MAX_IPS).collect(),
|
||||
ips: override_ip.iter().take(MAX_IPS).collect(),
|
||||
port,
|
||||
expire: CachedOverride::default_expire(),
|
||||
overriding: (hostname != untername)
|
||||
@@ -315,10 +318,16 @@ async fn query_srv_record(&self, hostname: &'_ str) -> Result<Option<FedDest>> {
|
||||
match self.resolver.resolver.srv_lookup(hostname).await {
|
||||
| Err(e) => Self::handle_resolve_error(&e, hostname)?,
|
||||
| Ok(result) => {
|
||||
return Ok(result.iter().next().map(|result| {
|
||||
return Ok(result.answers().iter().next().map(|result| {
|
||||
let data = result.try_borrow::<SRV>().expect("should be SRV response");
|
||||
|
||||
FedDest::Named(
|
||||
result.target().to_string().trim_end_matches('.').to_owned(),
|
||||
format!(":{}", result.port())
|
||||
data.data()
|
||||
.target
|
||||
.to_string()
|
||||
.trim_end_matches('.')
|
||||
.to_owned(),
|
||||
format!(":{}", data.data().port)
|
||||
.as_str()
|
||||
.try_into()
|
||||
.unwrap_or_else(|_| FedDest::default_port()),
|
||||
@@ -331,31 +340,24 @@ async fn query_srv_record(&self, hostname: &'_ str) -> Result<Option<FedDest>> {
|
||||
Ok(None)
|
||||
}
|
||||
|
||||
fn handle_resolve_error(e: &ResolveError, host: &'_ str) -> Result<()> {
|
||||
use hickory_resolver::{ResolveErrorKind::Proto, proto::ProtoErrorKind};
|
||||
fn handle_resolve_error(err: &NetError, host: &'_ str) -> Result<()> {
|
||||
match err {
|
||||
| NetError::NoConnections => {
|
||||
error!(
|
||||
"Your DNS server is overloaded and has ran out of connections. It is \
|
||||
strongly recommended you remediate this issue to ensure proper federation \
|
||||
connectivity."
|
||||
);
|
||||
|
||||
match e.kind() {
|
||||
| Proto(e) => match e.kind() {
|
||||
| ProtoErrorKind::NoRecordsFound { .. } => {
|
||||
// Raise to debug_warn if we can find out the result wasn't from cache
|
||||
debug!(%host, "No DNS records found: {e}");
|
||||
Ok(())
|
||||
},
|
||||
| ProtoErrorKind::Timeout => {
|
||||
Err!(warn!(%host, "DNS {e}"))
|
||||
},
|
||||
| ProtoErrorKind::NoConnections => {
|
||||
error!(
|
||||
"Your DNS server is overloaded and has ran out of connections. It is \
|
||||
strongly recommended you remediate this issue to ensure proper \
|
||||
federation connectivity."
|
||||
);
|
||||
|
||||
Err!(error!(%host, "DNS error: {e}"))
|
||||
},
|
||||
| _ => Err!(error!(%host, "DNS error: {e}")),
|
||||
Err!(error!(%host, "DNS error: {err}"))
|
||||
},
|
||||
| _ => Err!(error!(%host, "DNS error: {e}")),
|
||||
| NetError::Timeout => Err!(error!(%host, "DNS query timed out")),
|
||||
| NetError::Dns(DnsError::NoRecordsFound(..)) => {
|
||||
// Raise to debug_warn if we can find out the result wasn't from cache
|
||||
debug!(%host, "No DNS records found: {err}");
|
||||
Ok(())
|
||||
},
|
||||
| _ => Err!(error!(%host, "DNS error: {err}")),
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
+19
-10
@@ -2,7 +2,10 @@
|
||||
|
||||
use conduwuit::{Result, Server, err};
|
||||
use futures::FutureExt;
|
||||
use hickory_resolver::{TokioResolver, lookup_ip::LookupIp};
|
||||
use hickory_resolver::{
|
||||
TokioResolver, config::ConnectionConfig, lookup_ip::LookupIp,
|
||||
net::runtime::TokioRuntimeProvider,
|
||||
};
|
||||
use reqwest::dns::{Addrs, Name, Resolve, Resolving};
|
||||
|
||||
use super::cache::{Cache, CachedOverride};
|
||||
@@ -28,7 +31,7 @@ pub(super) fn build(server: &Arc<Server>, cache: Arc<Cache>) -> Result<Arc<Self>
|
||||
let (sys_conf, mut opts) = hickory_resolver::system_conf::read_system_conf()
|
||||
.map_err(|e| err!(error!("Failed to configure DNS resolver from system: {e}")))?;
|
||||
|
||||
let mut conf = hickory_resolver::config::ResolverConfig::new();
|
||||
let mut conf = hickory_resolver::config::ResolverConfig::default();
|
||||
|
||||
if let Some(domain) = sys_conf.domain() {
|
||||
conf.set_domain(domain.clone());
|
||||
@@ -42,7 +45,7 @@ pub(super) fn build(server: &Arc<Server>, cache: Arc<Cache>) -> Result<Arc<Self>
|
||||
let mut ns = sys_conf.clone();
|
||||
|
||||
if config.query_over_tcp_only {
|
||||
ns.protocol = hickory_resolver::proto::xfer::Protocol::Tcp;
|
||||
ns.connections = vec![ConnectionConfig::tcp()];
|
||||
}
|
||||
|
||||
ns.trust_negative_responses = !config.query_all_nameservers;
|
||||
@@ -50,7 +53,7 @@ pub(super) fn build(server: &Arc<Server>, cache: Arc<Cache>) -> Result<Arc<Self>
|
||||
conf.add_name_server(ns);
|
||||
}
|
||||
|
||||
opts.cache_size = config.dns_cache_entries as usize;
|
||||
opts.cache_size = u64::from(config.dns_cache_entries);
|
||||
opts.preserve_intermediates = true;
|
||||
opts.negative_min_ttl = Some(Duration::from_secs(config.dns_min_ttl_nxdomain));
|
||||
opts.negative_max_ttl = Some(Duration::from_hours(720));
|
||||
@@ -70,11 +73,10 @@ pub(super) fn build(server: &Arc<Server>, cache: Arc<Cache>) -> Result<Arc<Self>
|
||||
| _ => hickory_resolver::config::LookupIpStrategy::Ipv4thenIpv6,
|
||||
};
|
||||
|
||||
let rt_prov = hickory_resolver::proto::runtime::TokioRuntimeProvider::new();
|
||||
let conn_prov = hickory_resolver::name_server::TokioConnectionProvider::new(rt_prov);
|
||||
let mut builder = TokioResolver::builder_with_config(conf, conn_prov);
|
||||
let runtime_provider = TokioRuntimeProvider::new();
|
||||
let mut builder = TokioResolver::builder_with_config(conf, runtime_provider);
|
||||
*builder.options_mut() = opts;
|
||||
let resolver = Arc::new(builder.build());
|
||||
let resolver = Arc::new(builder.build().expect("failed to build resolver :("));
|
||||
|
||||
Ok(Arc::new(Self {
|
||||
resolver: resolver.clone(),
|
||||
@@ -139,8 +141,15 @@ async fn resolve_to_reqwest(
|
||||
use std::{io, io::ErrorKind::Interrupted};
|
||||
|
||||
let handle_shutdown = || Box::new(io::Error::new(Interrupted, "Server shutting down"));
|
||||
let handle_results =
|
||||
|results: LookupIp| Box::new(results.into_iter().map(|ip| SocketAddr::new(ip, 0)));
|
||||
let handle_results = |results: LookupIp| {
|
||||
Box::new(
|
||||
results
|
||||
.iter()
|
||||
.collect::<Vec<_>>()
|
||||
.into_iter()
|
||||
.map(|ip| SocketAddr::new(ip, 0)),
|
||||
)
|
||||
};
|
||||
|
||||
tokio::select! {
|
||||
results = resolver.lookup_ip(name.as_str()) => Ok(handle_results(results?)),
|
||||
|
||||
@@ -11,8 +11,8 @@
|
||||
account_data, admin, announcements, antispam, appservice, client, config, emergency,
|
||||
federation, firstrun, globals, key_backups, mailer,
|
||||
manager::Manager,
|
||||
media, moderation, password_reset, presence, pusher, registration_tokens, resolver, rooms,
|
||||
sending, server_keys,
|
||||
media, moderation, oauth, presence, pusher, registration_tokens, resolver, rooms, sending,
|
||||
server_keys,
|
||||
service::{self, Args, Map, Service},
|
||||
sync, threepid, transactions, uiaa, users,
|
||||
};
|
||||
@@ -27,7 +27,7 @@ pub struct Services {
|
||||
pub globals: Arc<globals::Service>,
|
||||
pub key_backups: Arc<key_backups::Service>,
|
||||
pub media: Arc<media::Service>,
|
||||
pub password_reset: Arc<password_reset::Service>,
|
||||
pub oauth: Arc<oauth::Service>,
|
||||
pub mailer: Arc<mailer::Service>,
|
||||
pub presence: Arc<presence::Service>,
|
||||
pub pusher: Arc<pusher::Service>,
|
||||
@@ -84,7 +84,7 @@ macro_rules! build {
|
||||
globals: build!(globals::Service),
|
||||
key_backups: build!(key_backups::Service),
|
||||
media: build!(media::Service),
|
||||
password_reset: build!(password_reset::Service),
|
||||
oauth: build!(oauth::Service),
|
||||
mailer: build!(mailer::Service),
|
||||
presence: build!(presence::Service),
|
||||
pusher: build!(pusher::Service),
|
||||
|
||||
@@ -9,8 +9,9 @@
|
||||
ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId,
|
||||
api::error::{ErrorKind, LimitExceededErrorData},
|
||||
};
|
||||
use tokio::sync::MutexGuard;
|
||||
|
||||
mod session;
|
||||
pub mod session;
|
||||
|
||||
use crate::{
|
||||
Args, Dep, config,
|
||||
@@ -26,6 +27,7 @@ pub struct Service {
|
||||
ratelimiter: DefaultKeyedRateLimiter<Address>,
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
|
||||
pub enum EmailRequirement {
|
||||
/// Users may change their email, but cannot remove it entirely.
|
||||
Required,
|
||||
@@ -219,13 +221,12 @@ pub async fn try_validate_session(
|
||||
Ok(())
|
||||
}
|
||||
|
||||
/// Consume a validated validation session, removing it from the database
|
||||
/// and returning the newly validated email address.
|
||||
pub async fn consume_valid_session(
|
||||
/// Get a validated validation session.
|
||||
pub async fn get_valid_session(
|
||||
&self,
|
||||
session_id: &SessionId,
|
||||
client_secret: &ClientSecret,
|
||||
) -> Result<Address, Cow<'static, str>> {
|
||||
) -> Result<ValidSession<'_>, Cow<'static, str>> {
|
||||
let mut sessions = self.sessions.lock().await;
|
||||
|
||||
let Some(session) = sessions.get_session(session_id) else {
|
||||
@@ -235,9 +236,13 @@ pub async fn consume_valid_session(
|
||||
if session.client_secret == client_secret
|
||||
&& matches!(session.validation_state, ValidationState::Validated)
|
||||
{
|
||||
let session = sessions.remove_session(session_id);
|
||||
let email = session.email.clone();
|
||||
|
||||
Ok(session.email)
|
||||
Ok(ValidSession {
|
||||
email,
|
||||
session_id: session_id.to_owned(),
|
||||
sessions,
|
||||
})
|
||||
} else {
|
||||
Err("This email address has not been validated. Did you use the link that was sent \
|
||||
to you?"
|
||||
@@ -313,3 +318,20 @@ pub async fn get_localpart_for_email(&self, email: &Address) -> Option<String> {
|
||||
.ok()
|
||||
}
|
||||
}
|
||||
|
||||
pub struct ValidSession<'lock> {
|
||||
pub email: Address,
|
||||
session_id: OwnedSessionId,
|
||||
sessions: MutexGuard<'lock, ValidationSessions>,
|
||||
}
|
||||
|
||||
impl ValidSession<'_> {
|
||||
/// Consume this session, removing it from the database and releasing the
|
||||
/// lock it holds.
|
||||
#[must_use]
|
||||
pub fn consume(mut self) -> Address {
|
||||
self.sessions.remove_session(&self.session_id);
|
||||
|
||||
self.email
|
||||
}
|
||||
}
|
||||
|
||||
@@ -8,14 +8,14 @@
|
||||
use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, SessionId};
|
||||
|
||||
#[derive(Default)]
|
||||
pub(super) struct ValidationSessions {
|
||||
pub struct ValidationSessions {
|
||||
sessions: HashMap<OwnedSessionId, ValidationSession>,
|
||||
client_secrets: HashMap<OwnedClientSecret, OwnedSessionId>,
|
||||
}
|
||||
|
||||
/// A pending or completed email validation session.
|
||||
#[derive(Debug)]
|
||||
pub(crate) struct ValidationSession {
|
||||
pub struct ValidationSession {
|
||||
/// The session's ID
|
||||
pub session_id: OwnedSessionId,
|
||||
/// The client's supplied client secret
|
||||
@@ -28,7 +28,7 @@ pub(crate) struct ValidationSession {
|
||||
|
||||
/// The state of an email validation session.
|
||||
#[derive(Debug)]
|
||||
pub(crate) enum ValidationState {
|
||||
pub enum ValidationState {
|
||||
/// The session is waiting for this validation token to be provided
|
||||
Pending(ValidationToken),
|
||||
/// The session has been validated
|
||||
@@ -36,7 +36,7 @@ pub(crate) enum ValidationState {
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug)]
|
||||
pub(crate) struct ValidationToken {
|
||||
pub struct ValidationToken {
|
||||
pub token: String,
|
||||
pub issued_at: SystemTime,
|
||||
}
|
||||
@@ -69,7 +69,7 @@ impl ValidationSessions {
|
||||
const RANDOM_SID_LENGTH: usize = 16;
|
||||
|
||||
#[must_use]
|
||||
pub(super) fn generate_session_id() -> OwnedSessionId {
|
||||
pub fn generate_session_id() -> OwnedSessionId {
|
||||
SessionId::parse(utils::random_string(Self::RANDOM_SID_LENGTH)).unwrap()
|
||||
}
|
||||
|
||||
|
||||
+303
-151
@@ -7,7 +7,7 @@
|
||||
use conduwuit::{Err, Error, Result, error, utils};
|
||||
use lettre::Address;
|
||||
use ruma::{
|
||||
UserId,
|
||||
DeviceId, UserId,
|
||||
api::{
|
||||
client::uiaa::{
|
||||
AuthData, AuthFlow, AuthType, EmailIdentity, EmailUserIdentifier,
|
||||
@@ -16,11 +16,19 @@
|
||||
},
|
||||
error::{ErrorKind, StandardErrorBody},
|
||||
},
|
||||
assign,
|
||||
};
|
||||
use serde_json::{
|
||||
json,
|
||||
value::{RawValue, to_raw_value},
|
||||
};
|
||||
use serde_json::value::RawValue;
|
||||
use tokio::sync::Mutex;
|
||||
|
||||
use crate::{Dep, config, globals, registration_tokens, threepid, users};
|
||||
use crate::{
|
||||
Dep, config, globals,
|
||||
oauth::{self, OAuthTicket},
|
||||
registration_tokens, threepid, users,
|
||||
};
|
||||
|
||||
pub struct Service {
|
||||
services: Services,
|
||||
@@ -33,6 +41,7 @@ struct Services {
|
||||
config: Dep<config::Service>,
|
||||
registration_tokens: Dep<registration_tokens::Service>,
|
||||
threepid: Dep<threepid::Service>,
|
||||
oauth: Dep<oauth::Service>,
|
||||
}
|
||||
|
||||
impl crate::Service for Service {
|
||||
@@ -45,6 +54,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
registration_tokens: args
|
||||
.depend::<registration_tokens::Service>("registration_tokens"),
|
||||
threepid: args.depend::<threepid::Service>("threepid"),
|
||||
oauth: args.depend::<oauth::Service>("oauth"),
|
||||
},
|
||||
uiaa_sessions: Mutex::new(HashMap::new()),
|
||||
}))
|
||||
@@ -54,8 +64,56 @@ fn name(&self) -> &str { crate::service::make_name(std::module_path!()) }
|
||||
}
|
||||
|
||||
struct UiaaSession {
|
||||
session_metadata: UiaaSessionMetadata,
|
||||
info: UiaaInfo,
|
||||
identity: Identity,
|
||||
}
|
||||
|
||||
#[derive(Clone)]
|
||||
enum UiaaSessionMetadata {
|
||||
Legacy {
|
||||
identity: Identity,
|
||||
},
|
||||
OAuth {
|
||||
localpart: String,
|
||||
ticket: OAuthTicket,
|
||||
},
|
||||
}
|
||||
|
||||
impl UiaaSessionMetadata {
|
||||
fn into_identity(self) -> Identity {
|
||||
match self {
|
||||
| Self::Legacy { identity } => identity,
|
||||
| Self::OAuth { localpart, .. } =>
|
||||
assign!(Identity::default(), { localpart: Some(localpart) }),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Information about the user which is initiating this UIAA session.
|
||||
pub struct UiaaInitiator<'a> {
|
||||
user_id: &'a UserId,
|
||||
device_id: Option<&'a DeviceId>,
|
||||
oauth_ticket: Option<OAuthTicket>,
|
||||
}
|
||||
|
||||
impl<'a> UiaaInitiator<'a> {
|
||||
#[must_use]
|
||||
pub fn new(user_id: &'a UserId, device_id: Option<&'a DeviceId>) -> Self {
|
||||
Self { user_id, device_id, oauth_ticket: None }
|
||||
}
|
||||
|
||||
#[must_use]
|
||||
pub fn with_oauth_ticket(
|
||||
user_id: &'a UserId,
|
||||
device_id: Option<&'a DeviceId>,
|
||||
oauth_ticket: OAuthTicket,
|
||||
) -> Self {
|
||||
Self {
|
||||
user_id,
|
||||
device_id,
|
||||
oauth_ticket: Some(oauth_ticket),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Information about the authenticated user's identity.
|
||||
@@ -106,7 +164,7 @@ impl Identity {
|
||||
/// Create an Identity with the localpart of the provided user ID
|
||||
/// and all other fields set to None.
|
||||
#[must_use]
|
||||
pub fn from_user_id(user_id: &UserId) -> Self {
|
||||
fn from_user_id(user_id: &UserId) -> Self {
|
||||
Self {
|
||||
localpart: Some(user_id.localpart().to_owned()),
|
||||
..Default::default()
|
||||
@@ -124,11 +182,11 @@ pub async fn authenticate(
|
||||
auth: &Option<AuthData>,
|
||||
flows: Vec<AuthFlow>,
|
||||
params: Box<RawValue>,
|
||||
identity: Option<Identity>,
|
||||
initiator: Option<UiaaInitiator<'_>>,
|
||||
) -> Result<Identity> {
|
||||
match auth.as_ref() {
|
||||
| None => {
|
||||
let info = self.create_session(flows, params, identity).await;
|
||||
let info = self.create_session(flows, params, initiator).await?;
|
||||
|
||||
Err(Error::Uiaa(info))
|
||||
},
|
||||
@@ -140,8 +198,8 @@ pub async fn authenticate(
|
||||
// session if they want to start the UIAA exchange with existing
|
||||
// authentication data. If that happens, we create a new session
|
||||
// here.
|
||||
self.create_session(flows, params, identity)
|
||||
.await
|
||||
self.create_session(flows, params, initiator)
|
||||
.await?
|
||||
.session
|
||||
.unwrap()
|
||||
.into()
|
||||
@@ -161,13 +219,15 @@ pub async fn authenticate(
|
||||
pub async fn authenticate_password(
|
||||
&self,
|
||||
auth: &Option<AuthData>,
|
||||
identity: Option<Identity>,
|
||||
user_id: &UserId,
|
||||
device_id: Option<&DeviceId>,
|
||||
oauth_ticket: Option<OAuthTicket>,
|
||||
) -> Result<Identity> {
|
||||
self.authenticate(
|
||||
auth,
|
||||
vec![AuthFlow::new(vec![AuthType::Password])],
|
||||
Box::default(),
|
||||
identity,
|
||||
Some(UiaaInitiator { user_id, device_id, oauth_ticket }),
|
||||
)
|
||||
.await
|
||||
}
|
||||
@@ -183,20 +243,88 @@ async fn create_session(
|
||||
&self,
|
||||
flows: Vec<AuthFlow>,
|
||||
params: Box<RawValue>,
|
||||
identity: Option<Identity>,
|
||||
) -> UiaaInfo {
|
||||
initiator: Option<UiaaInitiator<'_>>,
|
||||
) -> Result<UiaaInfo> {
|
||||
let mut uiaa_sessions = self.uiaa_sessions.lock().await;
|
||||
|
||||
let session_id = utils::random_string(Self::SESSION_ID_LENGTH);
|
||||
let mut info = assign::assign!(UiaaInfo::new(flows), {params: Some(params)});
|
||||
info.session = Some(session_id.clone());
|
||||
|
||||
uiaa_sessions.insert(session_id, UiaaSession {
|
||||
info: info.clone(),
|
||||
identity: identity.unwrap_or_default(),
|
||||
});
|
||||
let mut info = assign!(UiaaInfo::new(flows), { params: Some(params), session: Some(session_id.clone()) });
|
||||
|
||||
info
|
||||
let session_metadata = if let Some(initiator) = initiator {
|
||||
let is_oauth = if let Some(device_id) = initiator.device_id {
|
||||
self.services
|
||||
.oauth
|
||||
.get_session_info_for_device(initiator.user_id, device_id)
|
||||
.await
|
||||
.is_some()
|
||||
} else {
|
||||
// Appservices never have oauth sessions
|
||||
false
|
||||
};
|
||||
|
||||
if is_oauth {
|
||||
if let Some(oauth_ticket) = initiator.oauth_ticket {
|
||||
let ticket_url = self
|
||||
.services
|
||||
.config
|
||||
.get_client_domain()
|
||||
.join(&format!(
|
||||
"{}{}",
|
||||
conduwuit_core::ROUTE_PREFIX,
|
||||
oauth_ticket.ticket_issue_path()
|
||||
))
|
||||
.unwrap();
|
||||
|
||||
info.flows = vec![AuthFlow::new(vec![AuthType::OAuth])];
|
||||
info.params = Some(
|
||||
to_raw_value(&json!({
|
||||
AuthType::OAuth.as_str(): {
|
||||
"url": ticket_url,
|
||||
},
|
||||
// TODO(compat): This is necessary for older versions of matrix-rust-sdk
|
||||
"org.matrix.cross_signing_reset": {
|
||||
"url": ticket_url,
|
||||
}
|
||||
}))
|
||||
.unwrap(),
|
||||
);
|
||||
|
||||
UiaaSessionMetadata::OAuth {
|
||||
localpart: initiator.user_id.localpart().to_owned(),
|
||||
ticket: oauth_ticket,
|
||||
}
|
||||
} else {
|
||||
return Err!(Request(Forbidden(
|
||||
"Clients authorized with OAuth cannot use this route."
|
||||
)));
|
||||
}
|
||||
} else {
|
||||
UiaaSessionMetadata::Legacy {
|
||||
identity: Identity::from_user_id(initiator.user_id),
|
||||
}
|
||||
}
|
||||
} else {
|
||||
UiaaSessionMetadata::Legacy { identity: Identity::default() }
|
||||
};
|
||||
|
||||
// Legacy sessions aren't available if OAuth is required
|
||||
if matches!(&session_metadata, UiaaSessionMetadata::Legacy { .. })
|
||||
&& !self
|
||||
.services
|
||||
.config
|
||||
.oauth
|
||||
.compatibility_mode
|
||||
.uiaa_available()
|
||||
{
|
||||
return Err!(Request(Unrecognized(
|
||||
"User-interactive authentication is unavailable on this server"
|
||||
)));
|
||||
}
|
||||
|
||||
uiaa_sessions.insert(session_id, UiaaSession { session_metadata, info: info.clone() });
|
||||
|
||||
Ok(info)
|
||||
}
|
||||
|
||||
/// Proceed with UIAA authentication given a client's authorization data.
|
||||
@@ -225,7 +353,7 @@ async fn continue_session(
|
||||
}
|
||||
|
||||
let completed = {
|
||||
let UiaaSession { info, identity } = session.get_mut();
|
||||
let UiaaSession { session_metadata, info } = session.get_mut();
|
||||
|
||||
let auth_type = auth.auth_type().expect("auth type should be set");
|
||||
|
||||
@@ -258,12 +386,12 @@ async fn continue_session(
|
||||
|
||||
// If the provided stage hasn't already been completed, check it for completion
|
||||
if !completed_stages.contains(auth_type.as_str()) {
|
||||
match self.check_stage(auth, identity.clone()).await {
|
||||
| Ok((completed_stage, updated_identity)) => {
|
||||
match self.check_stage(auth, session_metadata.clone()).await {
|
||||
| Ok((completed_stage, updated_metadata)) => {
|
||||
info.auth_error = None;
|
||||
completed_stages.insert(completed_stage.to_string());
|
||||
info.completed.push(completed_stage);
|
||||
*identity = updated_identity;
|
||||
*session_metadata = updated_metadata;
|
||||
},
|
||||
| Err(error) => {
|
||||
info.auth_error = Some(error);
|
||||
@@ -279,9 +407,9 @@ async fn continue_session(
|
||||
|
||||
if completed {
|
||||
// This session is complete, remove it and return success
|
||||
let (_, UiaaSession { identity, .. }) = session.remove_entry();
|
||||
let (_, UiaaSession { session_metadata, .. }) = session.remove_entry();
|
||||
|
||||
Ok(Ok(identity))
|
||||
Ok(Ok(session_metadata.into_identity()))
|
||||
} else {
|
||||
// The client needs to try again, return the updated session
|
||||
Ok(Err(session.get().info.clone()))
|
||||
@@ -295,152 +423,176 @@ async fn continue_session(
|
||||
async fn check_stage(
|
||||
&self,
|
||||
auth: &AuthData,
|
||||
mut identity: Identity,
|
||||
) -> Result<(AuthType, Identity), StandardErrorBody> {
|
||||
// Note: This function takes ownership of `identity` because mutations to the
|
||||
// identity must not be applied unless checking the stage succeeds. The
|
||||
// updated identity is returned as part of the Ok value, and
|
||||
// `continue_session` handles saving it to `uiaa_sessions`.
|
||||
mut session_metadata: UiaaSessionMetadata,
|
||||
) -> Result<(AuthType, UiaaSessionMetadata), StandardErrorBody> {
|
||||
// Note: This function takes ownership of `session_metadata` because mutations
|
||||
// to the identity (if it's a legacy session) must not be applied unless
|
||||
// checking the stage succeeds. The updated identity is returned as part of
|
||||
// the Ok value, and `continue_session` handles saving it to `uiaa_sessions`.
|
||||
//
|
||||
// This also means it's fine to mutate `identity` at any point in this function,
|
||||
// because those mutations won't be saved unless the function returns Ok.
|
||||
|
||||
match auth {
|
||||
| AuthData::Dummy(_) => Ok(AuthType::Dummy),
|
||||
| AuthData::EmailIdentity(EmailIdentity {
|
||||
thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
|
||||
..
|
||||
}) => {
|
||||
match self
|
||||
.services
|
||||
.threepid
|
||||
.consume_valid_session(sid, client_secret)
|
||||
.await
|
||||
{
|
||||
| Ok(email) => {
|
||||
if let Some(localpart) =
|
||||
self.services.threepid.get_localpart_for_email(&email).await
|
||||
{
|
||||
identity.try_set_localpart(localpart)?;
|
||||
}
|
||||
let completed_auth_type = match &mut session_metadata {
|
||||
| UiaaSessionMetadata::OAuth { localpart, ticket } => {
|
||||
// m.oauth is the only valid stage for oauth sessions
|
||||
assert!(
|
||||
matches!(auth, AuthData::OAuth(_)),
|
||||
"got non-oauth auth data for oauth session"
|
||||
);
|
||||
|
||||
identity.try_set_email(email)?;
|
||||
|
||||
Ok(AuthType::EmailIdentity)
|
||||
},
|
||||
| Err(message) => Err(StandardErrorBody::new(
|
||||
ErrorKind::ThreepidAuthFailed,
|
||||
message.into_owned(),
|
||||
)),
|
||||
if self.services.oauth.try_consume_ticket(localpart, *ticket) {
|
||||
Ok(AuthType::OAuth)
|
||||
} else {
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"No OAuth ticket available".to_owned(),
|
||||
))
|
||||
}
|
||||
},
|
||||
#[allow(clippy::useless_let_if_seq)]
|
||||
| AuthData::Password(Password { identifier, password, .. }) => {
|
||||
let user_id_or_localpart = match identifier {
|
||||
| UserIdentifier::Matrix(MatrixUserIdentifier { user, .. }) =>
|
||||
user.to_owned(),
|
||||
| UserIdentifier::Email(EmailUserIdentifier { address, .. }) => {
|
||||
let Ok(email) = Address::try_from(address.to_owned()) else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::InvalidParam,
|
||||
"Email is malformed".to_owned(),
|
||||
));
|
||||
};
|
||||
| UiaaSessionMetadata::Legacy { identity } => match auth {
|
||||
| AuthData::Dummy(_) => Ok(AuthType::Dummy),
|
||||
| AuthData::EmailIdentity(EmailIdentity {
|
||||
thirdparty_id_creds: ThirdpartyIdCredentials { client_secret, sid, .. },
|
||||
..
|
||||
}) => {
|
||||
match self
|
||||
.services
|
||||
.threepid
|
||||
.get_valid_session(sid, client_secret)
|
||||
.await
|
||||
{
|
||||
| Ok(session) => {
|
||||
let email = session.consume();
|
||||
|
||||
if let Some(localpart) =
|
||||
self.services.threepid.get_localpart_for_email(&email).await
|
||||
{
|
||||
identity.try_set_localpart(localpart)?;
|
||||
}
|
||||
|
||||
if let Some(localpart) =
|
||||
self.services.threepid.get_localpart_for_email(&email).await
|
||||
{
|
||||
identity.try_set_email(email)?;
|
||||
|
||||
localpart
|
||||
} else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"Invalid identifier or password".to_owned(),
|
||||
));
|
||||
}
|
||||
},
|
||||
| _ =>
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Unrecognized,
|
||||
"Identifier type not recognized".to_owned(),
|
||||
Ok(AuthType::EmailIdentity)
|
||||
},
|
||||
| Err(message) => Err(StandardErrorBody::new(
|
||||
ErrorKind::ThreepidAuthFailed,
|
||||
message.into_owned(),
|
||||
)),
|
||||
};
|
||||
}
|
||||
},
|
||||
#[allow(clippy::useless_let_if_seq)]
|
||||
| AuthData::Password(Password { identifier, password, .. }) => {
|
||||
let user_id_or_localpart = match identifier {
|
||||
| UserIdentifier::Matrix(MatrixUserIdentifier { user, .. }) =>
|
||||
user.to_owned(),
|
||||
| UserIdentifier::Email(EmailUserIdentifier { address, .. }) => {
|
||||
let Ok(email) = Address::try_from(address.to_owned()) else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::InvalidParam,
|
||||
"Email is malformed".to_owned(),
|
||||
));
|
||||
};
|
||||
|
||||
let Ok(user_id) = UserId::parse_with_server_name(
|
||||
user_id_or_localpart,
|
||||
self.services.globals.server_name(),
|
||||
) else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::InvalidParam,
|
||||
"User ID is malformed".to_owned(),
|
||||
));
|
||||
};
|
||||
if let Some(localpart) =
|
||||
self.services.threepid.get_localpart_for_email(&email).await
|
||||
{
|
||||
identity.try_set_email(email)?;
|
||||
|
||||
if self
|
||||
.services
|
||||
.users
|
||||
.check_password(&user_id, password)
|
||||
.await
|
||||
.is_ok()
|
||||
{
|
||||
identity.try_set_localpart(user_id.localpart().to_owned())?;
|
||||
localpart
|
||||
} else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"Invalid identifier or password".to_owned(),
|
||||
));
|
||||
}
|
||||
},
|
||||
| _ =>
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Unrecognized,
|
||||
"Identifier type not recognized".to_owned(),
|
||||
)),
|
||||
};
|
||||
|
||||
Ok(AuthType::Password)
|
||||
} else {
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"Invalid identifier or password".to_owned(),
|
||||
))
|
||||
}
|
||||
},
|
||||
| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
|
||||
let Some(ref private_site_key) = self.services.config.recaptcha_private_site_key
|
||||
else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"ReCaptcha is not configured".to_owned(),
|
||||
));
|
||||
};
|
||||
let Ok(user_id) = UserId::parse_with_server_name(
|
||||
user_id_or_localpart,
|
||||
self.services.globals.server_name(),
|
||||
) else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::InvalidParam,
|
||||
"User ID is malformed".to_owned(),
|
||||
));
|
||||
};
|
||||
|
||||
match recaptcha_verify::verify_v3(private_site_key, response, None).await {
|
||||
| Ok(()) => Ok(AuthType::ReCaptcha),
|
||||
| Err(e) => {
|
||||
error!("ReCaptcha verification failed: {e:?}");
|
||||
if self
|
||||
.services
|
||||
.users
|
||||
.check_password(&user_id, password)
|
||||
.await
|
||||
.is_ok()
|
||||
{
|
||||
identity.try_set_localpart(user_id.localpart().to_owned())?;
|
||||
|
||||
Ok(AuthType::Password)
|
||||
} else {
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"ReCaptcha verification failed".to_owned(),
|
||||
"Invalid identifier or password".to_owned(),
|
||||
))
|
||||
},
|
||||
}
|
||||
},
|
||||
| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
|
||||
let token = token.trim().to_owned();
|
||||
}
|
||||
},
|
||||
| AuthData::ReCaptcha(ReCaptcha { response, .. }) => {
|
||||
let Some(ref private_site_key) =
|
||||
self.services.config.recaptcha_private_site_key
|
||||
else {
|
||||
return Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"ReCaptcha is not configured".to_owned(),
|
||||
));
|
||||
};
|
||||
|
||||
if let Some(valid_token) = self
|
||||
.services
|
||||
.registration_tokens
|
||||
.validate_token(token)
|
||||
.await
|
||||
{
|
||||
self.services
|
||||
match recaptcha_verify::verify_v3(private_site_key, response, None).await {
|
||||
| Ok(()) => Ok(AuthType::ReCaptcha),
|
||||
| Err(e) => {
|
||||
error!("ReCaptcha verification failed: {e:?}");
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::CaptchaInvalid,
|
||||
"ReCaptcha verification failed".to_owned(),
|
||||
))
|
||||
},
|
||||
}
|
||||
},
|
||||
| AuthData::RegistrationToken(RegistrationToken { token, .. }) => {
|
||||
let token = token.trim().to_owned();
|
||||
|
||||
if let Some(valid_token) = self
|
||||
.services
|
||||
.registration_tokens
|
||||
.mark_token_as_used(valid_token);
|
||||
.validate_token(token)
|
||||
.await
|
||||
{
|
||||
self.services
|
||||
.registration_tokens
|
||||
.mark_token_as_used(valid_token);
|
||||
|
||||
Ok(AuthType::RegistrationToken)
|
||||
} else {
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"Invalid registration token".to_owned(),
|
||||
))
|
||||
}
|
||||
Ok(AuthType::RegistrationToken)
|
||||
} else {
|
||||
Err(StandardErrorBody::new(
|
||||
ErrorKind::Forbidden,
|
||||
"Invalid registration token".to_owned(),
|
||||
))
|
||||
}
|
||||
},
|
||||
| AuthData::Terms(_) => Ok(AuthType::Terms),
|
||||
| unknown => {
|
||||
// We already checked that the stage type is one that exists in the flow,
|
||||
// so we can only get here if we ourselves served a flow with a stage that we
|
||||
// don't understand.
|
||||
panic!("tried to check an unsupported stage type: {unknown:?}");
|
||||
},
|
||||
},
|
||||
| AuthData::Terms(_) => Ok(AuthType::Terms),
|
||||
| _ => Err(StandardErrorBody::new(
|
||||
ErrorKind::Unrecognized,
|
||||
"Unsupported stage type".into(),
|
||||
)),
|
||||
}
|
||||
.map(|auth_type| (auth_type, identity))
|
||||
}?;
|
||||
|
||||
Ok((completed_auth_type, session_metadata))
|
||||
}
|
||||
}
|
||||
|
||||
@@ -54,6 +54,7 @@ pub async fn set_dehydrated_device(&self, user_id: &UserId, request: Request) ->
|
||||
user_id,
|
||||
&request.device_id,
|
||||
"",
|
||||
None,
|
||||
request.initial_device_display_name.clone(),
|
||||
None,
|
||||
)
|
||||
@@ -138,7 +139,6 @@ pub async fn get_dehydrated_device_id(&self, user_id: &UserId) -> Result<OwnedDe
|
||||
level = "debug",
|
||||
skip_all,
|
||||
fields(%user_id),
|
||||
ret,
|
||||
)]
|
||||
pub async fn get_dehydrated_device(&self, user_id: &UserId) -> Result<DehydratedDevice> {
|
||||
self.db
|
||||
|
||||
+334
-17
@@ -1,13 +1,21 @@
|
||||
pub(super) mod dehydrated_device;
|
||||
|
||||
use std::{collections::BTreeMap, mem, net::IpAddr, sync::Arc};
|
||||
use std::{
|
||||
collections::BTreeMap,
|
||||
mem,
|
||||
net::IpAddr,
|
||||
sync::Arc,
|
||||
time::{Duration, SystemTime},
|
||||
};
|
||||
|
||||
use conduwuit::{
|
||||
Err, Error, Result, Server, debug_error, debug_warn, err, trace,
|
||||
Err, Error, Result, debug_error, debug_warn, err, info, trace,
|
||||
utils::{self, ReadyExt, stream::TryIgnore, string::Unquoted},
|
||||
warn,
|
||||
};
|
||||
use database::{Deserialized, Ignore, Interfix, Json, Map};
|
||||
use futures::{Stream, StreamExt, TryFutureExt};
|
||||
use futures::{FutureExt, Stream, StreamExt, TryFutureExt};
|
||||
use lettre::Address;
|
||||
use ruma::{
|
||||
DeviceId, MilliSecondsSinceUnixEpoch, OneTimeKeyAlgorithm, OneTimeKeyId, OneTimeKeyName,
|
||||
OwnedDeviceId, OwnedKeyId, OwnedMxcUri, OwnedOneTimeKeyId, OwnedUserId, RoomId, UInt, UserId,
|
||||
@@ -18,15 +26,24 @@
|
||||
encryption::{CrossSigningKey, DeviceKeys, OneTimeKey},
|
||||
events::{
|
||||
AnyToDeviceEvent, GlobalAccountDataEventType, ignored_user_list::IgnoredUserListEvent,
|
||||
push_rules::PushRulesEvent, room::message::RoomMessageEventContent,
|
||||
},
|
||||
push::Ruleset,
|
||||
serde::Raw,
|
||||
uint,
|
||||
};
|
||||
use ruminuwuity::invite_permission_config::{FilterLevel, InvitePermissionConfigEvent};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use serde_json::json;
|
||||
use tracing::error;
|
||||
|
||||
use crate::{Dep, account_data, admin, appservice, globals, rooms};
|
||||
use crate::{
|
||||
Dep, account_data, admin,
|
||||
appservice::{self, RegistrationInfo},
|
||||
config, firstrun, globals, oauth,
|
||||
rooms::{self, alias, membership},
|
||||
threepid,
|
||||
};
|
||||
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
pub struct UserSuspension {
|
||||
@@ -41,6 +58,7 @@ pub struct UserSuspension {
|
||||
/// A password hash. This is only for use when setting a user's password,
|
||||
/// if the hash needs to be kept around for a while without keeping the password
|
||||
/// in memory.
|
||||
#[derive(Serialize, Deserialize)]
|
||||
pub struct HashedPassword(String);
|
||||
|
||||
impl HashedPassword {
|
||||
@@ -51,19 +69,30 @@ pub fn new(password: &str) -> Result<Self> {
|
||||
}
|
||||
}
|
||||
|
||||
/// The status of an access token.
|
||||
pub enum AccessTokenStatus {
|
||||
Valid,
|
||||
Expired,
|
||||
}
|
||||
|
||||
pub struct Service {
|
||||
services: Services,
|
||||
db: Data,
|
||||
}
|
||||
|
||||
struct Services {
|
||||
server: Arc<Server>,
|
||||
account_data: Dep<account_data::Service>,
|
||||
admin: Dep<admin::Service>,
|
||||
alias: Dep<alias::Service>,
|
||||
appservice: Dep<appservice::Service>,
|
||||
config: Dep<config::Service>,
|
||||
firstrun: Dep<firstrun::Service>,
|
||||
globals: Dep<globals::Service>,
|
||||
membership: Dep<membership::Service>,
|
||||
oauth: Dep<oauth::Service>,
|
||||
state_accessor: Dep<rooms::state_accessor::Service>,
|
||||
state_cache: Dep<rooms::state_cache::Service>,
|
||||
threepid: Dep<threepid::Service>,
|
||||
}
|
||||
|
||||
struct Data {
|
||||
@@ -75,6 +104,7 @@ struct Data {
|
||||
logintoken_expiresatuserid: Arc<Map>,
|
||||
todeviceid_events: Arc<Map>,
|
||||
token_userdeviceid: Arc<Map>,
|
||||
userdeviceid_tokenexpires: Arc<Map>,
|
||||
userdeviceid_metadata: Arc<Map>,
|
||||
userdeviceid_token: Arc<Map>,
|
||||
userfilterid_filter: Arc<Map>,
|
||||
@@ -97,14 +127,19 @@ impl crate::Service for Service {
|
||||
fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
Ok(Arc::new(Self {
|
||||
services: Services {
|
||||
server: args.server.clone(),
|
||||
account_data: args.depend::<account_data::Service>("account_data"),
|
||||
admin: args.depend::<admin::Service>("admin"),
|
||||
alias: args.depend::<alias::Service>("alias"),
|
||||
appservice: args.depend::<appservice::Service>("appservice"),
|
||||
config: args.depend::<config::Service>("config"),
|
||||
firstrun: args.depend::<firstrun::Service>("firstrun"),
|
||||
globals: args.depend::<globals::Service>("globals"),
|
||||
membership: args.depend::<membership::Service>("membership"),
|
||||
oauth: args.depend::<oauth::Service>("oauth"),
|
||||
state_accessor: args
|
||||
.depend::<rooms::state_accessor::Service>("rooms::state_accessor"),
|
||||
state_cache: args.depend::<rooms::state_cache::Service>("rooms::state_cache"),
|
||||
threepid: args.depend::<threepid::Service>("threepid"),
|
||||
},
|
||||
db: Data {
|
||||
keychangeid_userid: args.db["keychangeid_userid"].clone(),
|
||||
@@ -131,6 +166,7 @@ fn build(args: crate::Args<'_>) -> Result<Arc<Self>> {
|
||||
userid_selfsigningkeyid: args.db["userid_selfsigningkeyid"].clone(),
|
||||
userid_usersigningkeyid: args.db["userid_usersigningkeyid"].clone(),
|
||||
useridprofilekey_value: args.db["useridprofilekey_value"].clone(),
|
||||
userdeviceid_tokenexpires: args.db["userdeviceid_tokenexpires"].clone(),
|
||||
},
|
||||
}))
|
||||
}
|
||||
@@ -192,12 +228,239 @@ pub async fn create(&self, user_id: &UserId, password: Option<HashedPassword>) -
|
||||
Ok(())
|
||||
}
|
||||
|
||||
// /// Create a new account for a local human or bot user.
|
||||
// pub async fn create_local_account(
|
||||
// &self,
|
||||
// username: String,
|
||||
// password:
|
||||
// )
|
||||
/// Create a new account for a local human or bot user.
|
||||
pub async fn create_local_account(
|
||||
&self,
|
||||
user_id: &UserId,
|
||||
password: HashedPassword,
|
||||
email: Option<Address>,
|
||||
) {
|
||||
self.create(user_id, Some(password))
|
||||
.await
|
||||
.expect("should be able to save a new local user. what happened?");
|
||||
|
||||
// Set an initial display name
|
||||
{
|
||||
let mut displayname = user_id.localpart().to_owned();
|
||||
|
||||
let suffix = &self.services.config.new_user_displayname_suffix;
|
||||
if !suffix.is_empty() {
|
||||
displayname.push(' ');
|
||||
displayname.push_str(suffix);
|
||||
}
|
||||
|
||||
self.set_displayname(user_id, Some(displayname));
|
||||
};
|
||||
|
||||
// Set default push rules
|
||||
self.services
|
||||
.account_data
|
||||
.update(
|
||||
None,
|
||||
user_id,
|
||||
GlobalAccountDataEventType::PushRules.to_string().into(),
|
||||
&serde_json::to_value(PushRulesEvent::new(
|
||||
Ruleset::server_default(user_id).into(),
|
||||
))
|
||||
.expect("should be able to serialize push rules"),
|
||||
)
|
||||
.await
|
||||
.expect("should be able to update account data");
|
||||
|
||||
// If the user registered with an email, associate it with their account.
|
||||
if let Some(email) = email {
|
||||
// This may fail if the email is already in use, but we should have already
|
||||
// checked that when we sent the validation email, so ignoring the error is
|
||||
// acceptable here in the rare case that an email is sniped by another user
|
||||
// between the validation email being sent and the account being created.
|
||||
let _ = self
|
||||
.services
|
||||
.threepid
|
||||
.associate_localpart_email(user_id.localpart(), &email)
|
||||
.await;
|
||||
}
|
||||
|
||||
// Attempt to empower the first user and disable first-run mode.
|
||||
let was_first_user = self.services.firstrun.empower_first_user(user_id).await;
|
||||
|
||||
// If the registering user was not the first and we're suspending users on
|
||||
// register, suspend them.
|
||||
if !was_first_user && self.services.config.suspend_on_register {
|
||||
// Note that we can still do auto joins for suspended users
|
||||
self.suspend_account(user_id, &self.services.globals.server_user)
|
||||
.await;
|
||||
|
||||
// And send an @room notice to the admin room, to prompt admins to review the
|
||||
// new user and ideally unsuspend them if deemed appropriate.
|
||||
if self.services.config.admin_room_notices {
|
||||
self.services
|
||||
.admin
|
||||
.send_loud_message(RoomMessageEventContent::text_plain(format!(
|
||||
"User {user_id} has been suspended as they are not the first user on \
|
||||
this server. Please review and unsuspend them if appropriate."
|
||||
)))
|
||||
.await
|
||||
.ok();
|
||||
}
|
||||
}
|
||||
|
||||
// Autojoin the user to the configured autojoin rooms
|
||||
for room in &self.services.config.auto_join_rooms {
|
||||
let Ok(room_id) = self.services.alias.resolve(room).await else {
|
||||
error!(
|
||||
"Failed to resolve room alias to room ID when attempting to auto join \
|
||||
{room}, skipping"
|
||||
);
|
||||
continue;
|
||||
};
|
||||
|
||||
if !self
|
||||
.services
|
||||
.state_cache
|
||||
.server_in_room(self.services.globals.server_name(), &room_id)
|
||||
.await
|
||||
{
|
||||
warn!(
|
||||
"Skipping room {room} to automatically join as we have never joined before."
|
||||
);
|
||||
continue;
|
||||
}
|
||||
|
||||
if let Some(room_server_name) = room.server_name() {
|
||||
match self
|
||||
.services
|
||||
.membership
|
||||
.join_room(
|
||||
user_id,
|
||||
&room_id,
|
||||
Some("Automatically joining this room upon registration".to_owned()),
|
||||
&[
|
||||
self.services.globals.server_name().to_owned(),
|
||||
room_server_name.to_owned(),
|
||||
],
|
||||
)
|
||||
.boxed()
|
||||
.await
|
||||
{
|
||||
| Err(e) => {
|
||||
// don't return this error so we don't fail registrations
|
||||
error!(
|
||||
"Failed to automatically join room {room} for user {user_id}: {e}"
|
||||
);
|
||||
},
|
||||
| _ => {
|
||||
info!("Automatically joined room {room} for user {user_id}");
|
||||
},
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
info!("Created new user account for {user_id}");
|
||||
}
|
||||
|
||||
pub async fn determine_registration_user_id(
|
||||
&self,
|
||||
supplied_username: Option<String>,
|
||||
email: Option<&Address>,
|
||||
appservice_info: Option<&RegistrationInfo>,
|
||||
) -> Result<OwnedUserId> {
|
||||
const RANDOM_USER_ID_LENGTH: usize = 10;
|
||||
|
||||
let emergency_mode_enabled = self.services.config.emergency_password.is_some();
|
||||
|
||||
let supplied_username = supplied_username.or_else(|| {
|
||||
// If the user didn't supply a username but did supply an email, use
|
||||
// the email's user part to avoid falling back to a random username
|
||||
email.map(|address| address.user().to_owned())
|
||||
});
|
||||
|
||||
if let Some(supplied_username) = supplied_username {
|
||||
// The user gets to pick their username. Do some validation to make sure it's
|
||||
// acceptable.
|
||||
|
||||
// Don't allow registration with forbidden usernames.
|
||||
if self
|
||||
.services
|
||||
.globals
|
||||
.forbidden_usernames()
|
||||
.is_match(&supplied_username)
|
||||
&& !emergency_mode_enabled
|
||||
{
|
||||
return Err!(Request(Forbidden("Username is forbidden")));
|
||||
}
|
||||
|
||||
// Create and validate the user ID
|
||||
let user_id = match UserId::parse_with_server_name(
|
||||
&supplied_username,
|
||||
self.services.globals.server_name(),
|
||||
) {
|
||||
| Ok(user_id) => {
|
||||
if let Err(e) = user_id.validate_strict() {
|
||||
// Unless we are in emergency mode, we should follow synapse's behaviour
|
||||
// on not allowing things like spaces and UTF-8 characters in
|
||||
// usernames
|
||||
if !emergency_mode_enabled {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {supplied_username} contains disallowed characters or \
|
||||
spaces: {e}"
|
||||
))));
|
||||
}
|
||||
}
|
||||
|
||||
// Don't allow registration with user IDs that aren't local
|
||||
if !self.services.globals.user_is_local(&user_id) {
|
||||
return Err!(Request(InvalidUsername(
|
||||
"Username {supplied_username} is not local to this server"
|
||||
)));
|
||||
}
|
||||
|
||||
user_id
|
||||
},
|
||||
| Err(e) => {
|
||||
return Err!(Request(InvalidUsername(debug_warn!(
|
||||
"Username {supplied_username} is not valid: {e}"
|
||||
))));
|
||||
},
|
||||
};
|
||||
|
||||
if self.exists(&user_id).await {
|
||||
return Err!(Request(UserInUse("User ID is not available.")));
|
||||
}
|
||||
|
||||
// Check that the user ID is/is not in an appservice's namespace
|
||||
if let Some(appservice_info) = appservice_info {
|
||||
if !appservice_info.is_user_match(&user_id) && !emergency_mode_enabled {
|
||||
return Err!(Request(Exclusive(
|
||||
"Username is not in this appservice's namespace."
|
||||
)));
|
||||
}
|
||||
} else if self
|
||||
.services
|
||||
.appservice
|
||||
.is_exclusive_user_id(&user_id)
|
||||
.await && !emergency_mode_enabled
|
||||
{
|
||||
return Err!(Request(Exclusive("Username is reserved by an appservice.")));
|
||||
}
|
||||
|
||||
Ok(user_id)
|
||||
} else {
|
||||
// The user didn't specify a username. Generate a username for
|
||||
// them.
|
||||
|
||||
loop {
|
||||
let user_id = UserId::parse_with_server_name(
|
||||
utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
|
||||
self.services.globals.server_name(),
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
if !self.exists(&user_id).await {
|
||||
break Ok(user_id);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// Deactivate account
|
||||
pub async fn deactivate_account(&self, user_id: &UserId) -> Result<()> {
|
||||
@@ -337,8 +600,42 @@ pub async fn is_active_local(&self, user_id: &UserId) -> bool {
|
||||
pub async fn count(&self) -> usize { self.db.userid_password.count().await }
|
||||
|
||||
/// Find out which user an access token belongs to.
|
||||
pub async fn find_from_token(&self, token: &str) -> Result<(OwnedUserId, OwnedDeviceId)> {
|
||||
self.db.token_userdeviceid.get(token).await.deserialized()
|
||||
pub async fn find_from_token(
|
||||
&self,
|
||||
token: &str,
|
||||
) -> Option<(OwnedUserId, OwnedDeviceId, AccessTokenStatus)> {
|
||||
let user = self
|
||||
.db
|
||||
.token_userdeviceid
|
||||
.get(token)
|
||||
.await
|
||||
.deserialized()
|
||||
.ok();
|
||||
|
||||
// Check if the token has expired
|
||||
if let Some((user_id, device_id)) = user {
|
||||
if let Some(expires) = self
|
||||
.db
|
||||
.userdeviceid_tokenexpires
|
||||
.qry(&(&user_id, &device_id))
|
||||
.await
|
||||
.deserialized::<u64>()
|
||||
.ok()
|
||||
.map(Duration::from_secs)
|
||||
{
|
||||
let expires_at = SystemTime::UNIX_EPOCH
|
||||
.checked_add(expires)
|
||||
.expect("expiry time should not overflow SystemTime");
|
||||
|
||||
if SystemTime::now() > expires_at {
|
||||
return Some((user_id, device_id, AccessTokenStatus::Expired));
|
||||
}
|
||||
}
|
||||
|
||||
Some((user_id, device_id, AccessTokenStatus::Valid))
|
||||
} else {
|
||||
None
|
||||
}
|
||||
}
|
||||
|
||||
/// Returns an iterator over all users on this homeserver.
|
||||
@@ -434,6 +731,7 @@ pub async fn create_device(
|
||||
user_id: &UserId,
|
||||
device_id: &DeviceId,
|
||||
token: &str,
|
||||
token_max_age: Option<Duration>,
|
||||
initial_device_display_name: Option<String>,
|
||||
client_ip: Option<String>,
|
||||
) -> Result<()> {
|
||||
@@ -451,7 +749,8 @@ pub async fn create_device(
|
||||
|
||||
increment(&self.db.userid_devicelistversion, user_id.as_bytes());
|
||||
self.db.userdeviceid_metadata.put(key, Json(device));
|
||||
self.set_token(user_id, device_id, token).await
|
||||
self.set_token(user_id, device_id, token, token_max_age)
|
||||
.await
|
||||
}
|
||||
|
||||
/// Removes a device from a user.
|
||||
@@ -467,6 +766,7 @@ pub async fn remove_device(&self, user_id: &UserId, device_id: &DeviceId) {
|
||||
if let Ok(old_token) = self.db.userdeviceid_token.qry(&userdeviceid).await {
|
||||
self.db.userdeviceid_token.del(userdeviceid);
|
||||
self.db.token_userdeviceid.remove(&old_token);
|
||||
self.db.userdeviceid_tokenexpires.del(userdeviceid);
|
||||
}
|
||||
|
||||
// Remove todevice events
|
||||
@@ -480,6 +780,9 @@ pub async fn remove_device(&self, user_id: &UserId, device_id: &DeviceId) {
|
||||
|
||||
// TODO: Remove onetimekeys
|
||||
|
||||
// Remove OAuth session information
|
||||
self.services.oauth.remove_session(user_id, device_id).await;
|
||||
|
||||
increment(&self.db.userid_devicelistversion, user_id.as_bytes());
|
||||
|
||||
self.db.userdeviceid_metadata.del(userdeviceid);
|
||||
@@ -535,6 +838,7 @@ pub async fn set_token(
|
||||
user_id: &UserId,
|
||||
device_id: &DeviceId,
|
||||
token: &str,
|
||||
token_max_age: Option<Duration>,
|
||||
) -> Result<()> {
|
||||
let key = (user_id, device_id);
|
||||
if self.db.userdeviceid_metadata.qry(&key).await.is_err() {
|
||||
@@ -561,6 +865,7 @@ pub async fn set_token(
|
||||
// Remove old token
|
||||
if let Ok(old_token) = self.db.userdeviceid_token.qry(&key).await {
|
||||
self.db.token_userdeviceid.remove(&old_token);
|
||||
self.db.userdeviceid_tokenexpires.remove(&old_token);
|
||||
// It will be removed from userdeviceid_token by the insert later
|
||||
}
|
||||
|
||||
@@ -568,6 +873,18 @@ pub async fn set_token(
|
||||
self.db.userdeviceid_token.put_raw(key, token);
|
||||
self.db.token_userdeviceid.raw_put(token, key);
|
||||
|
||||
if let Some(max_age) = token_max_age {
|
||||
let expires = SystemTime::now()
|
||||
.duration_since(SystemTime::UNIX_EPOCH)
|
||||
.expect("system time should not be before the epoch")
|
||||
.saturating_add(max_age)
|
||||
.as_secs();
|
||||
|
||||
self.db.userdeviceid_tokenexpires.put(key, expires);
|
||||
} else {
|
||||
self.db.userdeviceid_tokenexpires.del(key);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -1238,7 +1555,7 @@ pub async fn get_filter(
|
||||
pub fn create_openid_token(&self, user_id: &UserId, token: &str) -> Result<u64> {
|
||||
use std::num::Saturating as Sat;
|
||||
|
||||
let expires_in = self.services.server.config.openid_token_ttl;
|
||||
let expires_in = self.services.config.openid_token_ttl;
|
||||
let expires_at = Sat(utils::millis_since_unix_epoch()) + Sat(expires_in) * Sat(1000);
|
||||
|
||||
let mut value = expires_at.0.to_be_bytes().to_vec();
|
||||
@@ -1282,7 +1599,7 @@ pub async fn find_from_openid_token(&self, token: &str) -> Result<OwnedUserId> {
|
||||
pub fn create_login_token(&self, user_id: &UserId, token: &str) -> u64 {
|
||||
use std::num::Saturating as Sat;
|
||||
|
||||
let expires_in = self.services.server.config.login_token_ttl;
|
||||
let expires_in = self.services.config.login_token_ttl;
|
||||
let expires_at = Sat(utils::millis_since_unix_epoch()) + Sat(expires_in);
|
||||
|
||||
let value = (expires_at.0, user_id);
|
||||
|
||||
@@ -22,6 +22,8 @@ crate-type = [
|
||||
conduwuit-build-metadata.workspace = true
|
||||
conduwuit-service.workspace = true
|
||||
conduwuit-core.workspace = true
|
||||
conduwuit-database.workspace = true
|
||||
conduwuit-api.workspace = true
|
||||
async-trait.workspace = true
|
||||
askama.workspace = true
|
||||
axum.workspace = true
|
||||
@@ -35,9 +37,18 @@ ruma.workspace = true
|
||||
thiserror.workspace = true
|
||||
tower-http.workspace = true
|
||||
serde.workspace = true
|
||||
serde_json.workspace = true
|
||||
lettre.workspace = true
|
||||
memory-serve = "2.1.0"
|
||||
validator = { version = "0.20.0", features = ["derive"] }
|
||||
tower-sec-fetch = { version = "0.1.2", features = ["tracing"] }
|
||||
tower-sessions = { version = "0.15.0", default-features = false, features = ["axum-core"] }
|
||||
tower-sessions-core = { version = "0.15.0", features = ["deletion-task"] }
|
||||
serde_urlencoded.workspace = true
|
||||
url.workspace = true
|
||||
recaptcha-verify = { version = "0.2.0", default-features = false }
|
||||
reqwest_recaptcha = { package = "reqwest", version = "0.12.28", default-features = false, features = ["rustls-tls-native-roots-no-provider"] } # As long as recaptcha-verify's reqwest is outdated
|
||||
form_urlencoded = "1.2.2"
|
||||
|
||||
[build-dependencies]
|
||||
memory-serve = "2.1.0"
|
||||
|
||||
@@ -0,0 +1,48 @@
|
||||
use axum::{
|
||||
extract::{FromRequest, FromRequestParts, Request},
|
||||
http::{Method, request::Parts},
|
||||
};
|
||||
use serde::de::DeserializeOwned;
|
||||
|
||||
use crate::WebError;
|
||||
|
||||
/// An extractor which deserializes a struct from a POST request's body.
|
||||
/// For GET requests the struct will be None.
|
||||
#[derive(Debug, Clone, Copy, Default)]
|
||||
#[must_use]
|
||||
pub(crate) struct PostForm<T>(pub Option<T>);
|
||||
|
||||
impl<T, S> FromRequest<S> for PostForm<T>
|
||||
where
|
||||
T: DeserializeOwned,
|
||||
S: Send + Sync,
|
||||
{
|
||||
type Rejection = WebError;
|
||||
|
||||
async fn from_request(req: Request, state: &S) -> Result<Self, Self::Rejection> {
|
||||
if req.method() == Method::POST {
|
||||
let axum::Form(data) = axum::Form::from_request(req, state).await?;
|
||||
|
||||
Ok(Self(Some(data)))
|
||||
} else {
|
||||
Ok(Self(None))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/// An extractor which wraps another extractor and converts its errors into
|
||||
/// `WebError`s.
|
||||
pub(crate) struct Expect<E>(pub E);
|
||||
|
||||
impl<E, S, R> FromRequestParts<S> for Expect<E>
|
||||
where
|
||||
E: FromRequestParts<S, Rejection = R>,
|
||||
WebError: From<R>,
|
||||
S: Send + Sync,
|
||||
{
|
||||
type Rejection = WebError;
|
||||
|
||||
async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
|
||||
Ok(Self(E::from_request_parts(parts, state).await?))
|
||||
}
|
||||
}
|
||||
+61
-15
@@ -1,25 +1,34 @@
|
||||
use std::any::Any;
|
||||
use std::{any::Any, sync::Once, time::Duration};
|
||||
|
||||
use askama::Template;
|
||||
use axum::{
|
||||
Router,
|
||||
extract::rejection::{FormRejection, QueryRejection},
|
||||
http::{HeaderValue, StatusCode, header},
|
||||
response::{Html, IntoResponse, Response},
|
||||
extract::rejection::{FormRejection, PathRejection, QueryRejection},
|
||||
http::StatusCode,
|
||||
middleware::from_fn_with_state,
|
||||
response::{Html, IntoResponse, Redirect, Response},
|
||||
};
|
||||
use conduwuit_service::state;
|
||||
use tower_http::{catch_panic::CatchPanicLayer, set_header::SetResponseHeaderLayer};
|
||||
use conduwuit_service::{Services, state};
|
||||
use tower_http::catch_panic::CatchPanicLayer;
|
||||
use tower_sec_fetch::SecFetchLayer;
|
||||
use tower_sessions::{ExpiredDeletion, SessionManagerLayer, cookie::SameSite};
|
||||
|
||||
use crate::pages::TemplateContext;
|
||||
use crate::{
|
||||
pages::TemplateContext,
|
||||
session::{LoginQuery, store::RocksDbSessionStore},
|
||||
};
|
||||
|
||||
mod extract;
|
||||
mod pages;
|
||||
mod session;
|
||||
|
||||
type State = state::State;
|
||||
|
||||
const CATASTROPHIC_FAILURE: &str = "cat-astrophic failure! we couldn't even render the error template. \
|
||||
please contact the team @ https://continuwuity.org";
|
||||
|
||||
const ROUTE_PREFIX: &str = conduwuit_core::ROUTE_PREFIX;
|
||||
|
||||
#[derive(Debug, thiserror::Error)]
|
||||
enum WebError {
|
||||
#[error("Failed to validate form body: {0}")]
|
||||
@@ -29,10 +38,16 @@ enum WebError {
|
||||
#[error("{0}")]
|
||||
FormRejection(#[from] FormRejection),
|
||||
#[error("{0}")]
|
||||
PathRejection(#[from] PathRejection),
|
||||
#[error("{0}")]
|
||||
BadRequest(String),
|
||||
|
||||
#[error("This page does not exist.")]
|
||||
NotFound,
|
||||
#[error("You are not allowed to request this page: {0}")]
|
||||
Forbidden(String),
|
||||
#[error("You must log in to access this page")]
|
||||
LoginRequired(LoginQuery),
|
||||
|
||||
#[error("Failed to render template: {0}")]
|
||||
Render(#[from] askama::Error),
|
||||
@@ -52,12 +67,26 @@ struct Error {
|
||||
context: TemplateContext,
|
||||
}
|
||||
|
||||
if let Self::LoginRequired(query) = self {
|
||||
return Redirect::to(&format!(
|
||||
"{}/account/login?{}",
|
||||
ROUTE_PREFIX,
|
||||
serde_urlencoded::to_string(query).unwrap()
|
||||
))
|
||||
.into_response();
|
||||
}
|
||||
|
||||
let status = match &self {
|
||||
| Self::ValidationError(_)
|
||||
| Self::BadRequest(_)
|
||||
| Self::QueryRejection(_)
|
||||
| Self::FormRejection(_) => StatusCode::BAD_REQUEST,
|
||||
| Self::FormRejection(_)
|
||||
| Self::InternalError(_) => StatusCode::BAD_REQUEST,
|
||||
| Self::NotFound => StatusCode::NOT_FOUND,
|
||||
| Self::Forbidden(_) => StatusCode::FORBIDDEN,
|
||||
| Self::LoginRequired(_) => {
|
||||
unreachable!("LoginRequired is handled earlier")
|
||||
},
|
||||
| _ => StatusCode::INTERNAL_SERVER_ERROR,
|
||||
};
|
||||
|
||||
@@ -67,6 +96,7 @@ struct Error {
|
||||
context: TemplateContext {
|
||||
// Statically set false to prevent error pages from being indexed.
|
||||
allow_indexing: false,
|
||||
csp_nonce: String::new(),
|
||||
},
|
||||
};
|
||||
|
||||
@@ -78,21 +108,40 @@ struct Error {
|
||||
}
|
||||
}
|
||||
|
||||
pub fn build() -> Router<state::State> {
|
||||
static STORE_CLEANUP_TASK: Once = Once::new();
|
||||
|
||||
pub fn build(services: &Services) -> Router<state::State> {
|
||||
#[allow(clippy::wildcard_imports)]
|
||||
use pages::*;
|
||||
|
||||
let store = RocksDbSessionStore::new(&services.db);
|
||||
|
||||
STORE_CLEANUP_TASK.call_once(|| {
|
||||
services.server.runtime().spawn(
|
||||
store
|
||||
.clone()
|
||||
.continuously_delete_expired(Duration::from_hours(1)),
|
||||
);
|
||||
});
|
||||
|
||||
Router::new()
|
||||
.merge(index::build())
|
||||
.nest(
|
||||
"/_continuwuity/",
|
||||
Router::new()
|
||||
.merge(resources::build())
|
||||
.merge(password_reset::build())
|
||||
.nest("/about", about::build())
|
||||
.nest("/account/", account::build())
|
||||
.merge(debug::build())
|
||||
.nest("/oauth2/", oauth::build())
|
||||
.merge(resources::build())
|
||||
.merge(threepid::build())
|
||||
.fallback(async || WebError::NotFound),
|
||||
)
|
||||
.layer(
|
||||
SessionManagerLayer::new(store)
|
||||
.with_name("_c10y_session")
|
||||
.with_same_site(SameSite::Lax),
|
||||
)
|
||||
.layer(CatchPanicLayer::custom(|panic: Box<dyn Any + Send + 'static>| {
|
||||
let details = if let Some(s) = panic.downcast_ref::<String>() {
|
||||
s.clone()
|
||||
@@ -104,10 +153,7 @@ pub fn build() -> Router<state::State> {
|
||||
|
||||
WebError::Panic(details).into_response()
|
||||
}))
|
||||
.layer(SetResponseHeaderLayer::if_not_present(
|
||||
header::CONTENT_SECURITY_POLICY,
|
||||
HeaderValue::from_static("default-src 'self'; img-src 'self' data:;"),
|
||||
))
|
||||
.layer(from_fn_with_state(services.config.clone(), template_context_middleware))
|
||||
.layer(SecFetchLayer::new(|policy| {
|
||||
policy.allow_safe_methods().reject_missing_metadata();
|
||||
}))
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
use std::collections::BTreeMap;
|
||||
|
||||
use axum::{Extension, Router, extract::State, routing::get};
|
||||
use conduwuit_core::config::TermsDocument;
|
||||
use ruma::{
|
||||
OwnedServerName,
|
||||
api::client::discovery::discover_support::{Contact, ContactRole},
|
||||
};
|
||||
use url::Url;
|
||||
|
||||
use crate::{
|
||||
pages::{Result, TemplateContext},
|
||||
response, template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> { Router::new().route("/", get(get_about)) }
|
||||
|
||||
template! {
|
||||
struct About use "about.html.j2" {
|
||||
server_name: OwnedServerName,
|
||||
support_page: Option<Url>,
|
||||
contacts: Vec<Contact>,
|
||||
terms: BTreeMap<String, TermsDocument>
|
||||
}
|
||||
}
|
||||
|
||||
async fn get_about(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
) -> Result {
|
||||
response!(About::new(
|
||||
context,
|
||||
services.globals.server_name().to_owned(),
|
||||
services.config.well_known.support_page.clone(),
|
||||
services.admin.get_support_contacts().await,
|
||||
services.config.registration_terms.documents.clone()
|
||||
))
|
||||
}
|
||||
@@ -0,0 +1,47 @@
|
||||
use axum::{Extension, Router, extract::State, routing::on};
|
||||
use conduwuit_service::oauth::OAuthTicket;
|
||||
|
||||
use crate::{
|
||||
extract::PostForm,
|
||||
pages::{GET_POST, Result, TemplateContext, components::UserCard},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new().route("/", on(GET_POST, route_cross_signing_reset))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct CrossSigningReset use "cross_signing_reset.html.j2" {
|
||||
user_card: UserCard,
|
||||
body: CrossSigningResetBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum CrossSigningResetBody {
|
||||
Form,
|
||||
Success,
|
||||
}
|
||||
|
||||
async fn route_cross_signing_reset(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
PostForm(form): PostForm<()>,
|
||||
) -> Result {
|
||||
let user_id = user.expect_recent(LoginTarget::CrossSigningReset)?;
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
if form.is_some() {
|
||||
services
|
||||
.oauth
|
||||
.issue_ticket(user_id.localpart().to_owned(), OAuthTicket::CrossSigningReset);
|
||||
|
||||
response!(CrossSigningReset::new(context, user_card, CrossSigningResetBody::Success))
|
||||
} else {
|
||||
response!(CrossSigningReset::new(context, user_card, CrossSigningResetBody::Form))
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,129 @@
|
||||
use axum::{Extension, Router, extract::State, routing::on};
|
||||
use conduwuit_api::client::full_user_deactivate;
|
||||
use futures::StreamExt;
|
||||
use ruma::{OwnedRoomId, OwnedUserId, UserId};
|
||||
use tower_sessions::Session;
|
||||
use validator::{Validate, ValidationError, ValidationErrors};
|
||||
|
||||
use crate::{
|
||||
extract::PostForm,
|
||||
form,
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
components::{UserCard, form::Form},
|
||||
},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new().route("/", on(GET_POST, route_deactivate))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Deactivate use "deactivate.html.j2" {
|
||||
body: DeactivateBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
#[allow(clippy::large_enum_variant)]
|
||||
enum DeactivateBody {
|
||||
Unavailable,
|
||||
Form {
|
||||
user_id: OwnedUserId,
|
||||
user_card: UserCard,
|
||||
form: Form<'static>,
|
||||
},
|
||||
Success,
|
||||
}
|
||||
|
||||
form! {
|
||||
struct DeactivateForm {
|
||||
password: String where {
|
||||
input_type: "password",
|
||||
label: "Enter your password to confirm",
|
||||
autocomplete: "current-password"
|
||||
},
|
||||
#[validate(required(message = "This checkbox must be checked"))]
|
||||
confirm: Option<String> where {
|
||||
input_type: "checkbox",
|
||||
label: "I understand that deactivating my account cannot be undone."
|
||||
}
|
||||
|
||||
submit: "Deactivate my account",
|
||||
slowdown: true
|
||||
}
|
||||
}
|
||||
|
||||
async fn route_deactivate(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
session: Session,
|
||||
PostForm(form): PostForm<DeactivateForm>,
|
||||
) -> Result {
|
||||
let user_id = user.expect_recent(LoginTarget::Deactivate)?;
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
let body = {
|
||||
if !services.config.allow_deactivation {
|
||||
DeactivateBody::Unavailable
|
||||
} else if let Some(form) = form {
|
||||
if let Err(err) = validate_deactivate_form(&services, &user_id, form).await {
|
||||
DeactivateBody::Form {
|
||||
user_id,
|
||||
user_card,
|
||||
form: DeactivateForm::with_errors(context.clone(), err),
|
||||
}
|
||||
} else {
|
||||
let all_joined_rooms: Vec<OwnedRoomId> = services
|
||||
.rooms
|
||||
.state_cache
|
||||
.rooms_joined(&user_id)
|
||||
.collect()
|
||||
.await;
|
||||
|
||||
full_user_deactivate(&services, &user_id, &all_joined_rooms).await?;
|
||||
|
||||
session.clear().await;
|
||||
|
||||
DeactivateBody::Success
|
||||
}
|
||||
} else {
|
||||
DeactivateBody::Form {
|
||||
user_id,
|
||||
user_card,
|
||||
form: DeactivateForm::build(context.clone()),
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
response!(Deactivate::new(context, body))
|
||||
}
|
||||
|
||||
async fn validate_deactivate_form(
|
||||
services: &crate::State,
|
||||
user_id: &UserId,
|
||||
form: DeactivateForm,
|
||||
) -> Result<(), ValidationErrors> {
|
||||
form.validate()?;
|
||||
|
||||
if services
|
||||
.users
|
||||
.check_password(user_id, &form.password)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
let mut errors = ValidationErrors::new();
|
||||
errors.add(
|
||||
"password",
|
||||
ValidationError::new("wrong").with_message("Incorrect password".into()),
|
||||
);
|
||||
|
||||
return Err(errors);
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
@@ -0,0 +1,126 @@
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Path, State},
|
||||
routing::{get, on},
|
||||
};
|
||||
use conduwuit_service::oauth::{SessionInfo, client_metadata::ClientMetadata};
|
||||
use futures::StreamExt;
|
||||
use ruma::OwnedDeviceId;
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::{
|
||||
WebError,
|
||||
extract::{Expect, PostForm},
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
components::{ClientScopes, DeviceCard, DeviceCardStyle},
|
||||
},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/{device}/", get(get_device_info))
|
||||
.route("/{device}/remove", on(GET_POST, route_remove_device))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct DeviceInfo use "device_info.html.j2" {
|
||||
device_card: DeviceCard,
|
||||
client_metadata: Option<(ClientMetadata, SessionInfo)>
|
||||
}
|
||||
}
|
||||
|
||||
async fn get_device_info(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
Expect(Path(query)): Expect<Path<DevicePath>>,
|
||||
) -> Result {
|
||||
let user_id = user.expect(LoginTarget::RemoveDevice(query.clone()))?;
|
||||
|
||||
let Ok(device) = services
|
||||
.users
|
||||
.get_device_metadata(&user_id, &query.device)
|
||||
.await
|
||||
else {
|
||||
return response!(WebError::BadRequest("Unknown device".to_owned()));
|
||||
};
|
||||
|
||||
let client_metadata = async {
|
||||
let session_info = services
|
||||
.oauth
|
||||
.get_session_info_for_device(&user_id, &device.device_id)
|
||||
.await?;
|
||||
let client_metadata = services
|
||||
.oauth
|
||||
.get_client_metadata(&session_info.client_id)
|
||||
.await?;
|
||||
|
||||
Some((client_metadata, session_info))
|
||||
}
|
||||
.await;
|
||||
|
||||
let device_card =
|
||||
DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Detailed).await;
|
||||
|
||||
response!(DeviceInfo::new(context, device_card, client_metadata))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct RemoveDevice use "remove_device.html.j2" {
|
||||
body: RemoveDeviceBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum RemoveDeviceBody {
|
||||
Form {
|
||||
device_card: Box<DeviceCard>,
|
||||
last_device: bool,
|
||||
},
|
||||
Success,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Deserialize, Serialize)]
|
||||
pub(crate) struct DevicePath {
|
||||
pub device: OwnedDeviceId,
|
||||
}
|
||||
|
||||
async fn route_remove_device(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
Expect(Path(query)): Expect<Path<DevicePath>>,
|
||||
PostForm(form): PostForm<()>,
|
||||
) -> Result {
|
||||
let user_id = user.expect_recent(LoginTarget::RemoveDevice(query.clone()))?;
|
||||
|
||||
let Ok(device) = services
|
||||
.users
|
||||
.get_device_metadata(&user_id, &query.device)
|
||||
.await
|
||||
else {
|
||||
return response!(WebError::BadRequest("Unknown device".to_owned()));
|
||||
};
|
||||
|
||||
if form.is_some() {
|
||||
services
|
||||
.users
|
||||
.remove_device(&user_id, &device.device_id)
|
||||
.await;
|
||||
|
||||
response!(RemoveDevice::new(context, RemoveDeviceBody::Success))
|
||||
} else {
|
||||
let device_card =
|
||||
DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Minimal).await;
|
||||
let last_device = services.users.all_devices_metadata(&user_id).count().await <= 1;
|
||||
|
||||
response!(RemoveDevice::new(context, RemoveDeviceBody::Form {
|
||||
device_card: Box::new(device_card),
|
||||
last_device
|
||||
}))
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,210 @@
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, State},
|
||||
routing::{get, on, post},
|
||||
};
|
||||
use conduwuit_core::warn;
|
||||
use conduwuit_service::{mailer::messages, threepid::session::ValidationSessions};
|
||||
use lettre::{Address, message::Mailbox};
|
||||
use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::{
|
||||
WebError,
|
||||
extract::{Expect, PostForm},
|
||||
form,
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
account::ThreepidQuery,
|
||||
components::{UserCard, form::Form},
|
||||
},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/change/", on(GET_POST, route_change_email))
|
||||
.route("/change/validate", get(get_change_email_validate))
|
||||
.route("/change/delete", post(post_delete_email))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct ChangeEmail use "change_email.html.j2" {
|
||||
user_card: UserCard,
|
||||
email: Option<String>,
|
||||
form: Form<'static>,
|
||||
may_remove: bool
|
||||
}
|
||||
}
|
||||
|
||||
form! {
|
||||
struct ChangeEmailForm {
|
||||
email: Address where {
|
||||
input_type: "email",
|
||||
label: "Email address"
|
||||
}
|
||||
|
||||
submit: "Change email"
|
||||
}
|
||||
}
|
||||
|
||||
template! {
|
||||
struct ChangeEmailValidate use "change_email_validate.html.j2" {
|
||||
user_card: UserCard,
|
||||
body: ChangeEmailValidateBody
|
||||
}
|
||||
}
|
||||
|
||||
template! {
|
||||
struct DeleteEmail use "delete_email.html.j2" {
|
||||
user_card: UserCard
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum ChangeEmailValidateBody {
|
||||
ValidationPending {
|
||||
session_id: OwnedSessionId,
|
||||
client_secret: OwnedClientSecret,
|
||||
validation_error: bool,
|
||||
},
|
||||
Success,
|
||||
}
|
||||
|
||||
async fn route_change_email(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
PostForm(form): PostForm<ChangeEmailForm>,
|
||||
) -> Result {
|
||||
let user_id = user.expect_recent(LoginTarget::ChangeEmail)?;
|
||||
|
||||
let Some(form) = form else {
|
||||
return response!(ChangeEmail::new(
|
||||
context.clone(),
|
||||
UserCard::for_local_user(&services, user_id.clone()).await,
|
||||
services
|
||||
.threepid
|
||||
.get_email_for_localpart(user_id.localpart())
|
||||
.await
|
||||
.map(|address| address.to_string()),
|
||||
ChangeEmailForm::build(context),
|
||||
services.threepid.email_requirement().may_remove(),
|
||||
));
|
||||
};
|
||||
|
||||
let client_secret = ClientSecret::new();
|
||||
|
||||
let session_id = {
|
||||
let display_name = services.users.displayname(&user_id).await.ok();
|
||||
|
||||
match services
|
||||
.threepid
|
||||
.send_validation_email(
|
||||
Mailbox::new(display_name, form.email.clone()),
|
||||
|verification_link| messages::ChangeEmail {
|
||||
server_name: services.globals.server_name().as_str(),
|
||||
user_id: Some(&user_id),
|
||||
verification_link,
|
||||
},
|
||||
&client_secret,
|
||||
0,
|
||||
)
|
||||
.await
|
||||
{
|
||||
| Ok(session_id) => session_id,
|
||||
| Err(err) => {
|
||||
// If we couldn't send an email, generate a random session ID to not give that
|
||||
// away
|
||||
warn!(
|
||||
"Failed to send email change message for {user_id} to {}: {err}",
|
||||
form.email
|
||||
);
|
||||
|
||||
ValidationSessions::generate_session_id()
|
||||
},
|
||||
}
|
||||
};
|
||||
|
||||
response!(ChangeEmailValidate::new(
|
||||
context,
|
||||
UserCard::for_local_user(&services, user_id).await,
|
||||
ChangeEmailValidateBody::ValidationPending {
|
||||
session_id,
|
||||
client_secret,
|
||||
validation_error: false
|
||||
}
|
||||
))
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
struct ChangeEmailQuery {
|
||||
#[serde(flatten)]
|
||||
threepid: ThreepidQuery,
|
||||
}
|
||||
|
||||
async fn get_change_email_validate(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
Expect(Query(ChangeEmailQuery {
|
||||
threepid: ThreepidQuery { client_secret, session_id },
|
||||
})): Expect<Query<ChangeEmailQuery>>,
|
||||
user: User,
|
||||
) -> Result {
|
||||
let user_id = user.expect(LoginTarget::ChangeEmail)?;
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
if !services.threepid.email_requirement().may_change() {
|
||||
return Err(WebError::Forbidden("You may not change your email address.".to_owned()));
|
||||
}
|
||||
|
||||
let Ok(session) = services
|
||||
.threepid
|
||||
.get_valid_session(&session_id, &client_secret)
|
||||
.await
|
||||
else {
|
||||
return response!(ChangeEmailValidate::new(
|
||||
context,
|
||||
user_card,
|
||||
ChangeEmailValidateBody::ValidationPending {
|
||||
session_id,
|
||||
client_secret,
|
||||
validation_error: true
|
||||
}
|
||||
));
|
||||
};
|
||||
|
||||
let new_email = session.consume();
|
||||
|
||||
if let Err(err) = services
|
||||
.threepid
|
||||
.associate_localpart_email(user_id.localpart(), &new_email)
|
||||
.await
|
||||
{
|
||||
return response!(BadRequest(err.message()));
|
||||
}
|
||||
|
||||
response!(ChangeEmailValidate::new(context, user_card, ChangeEmailValidateBody::Success))
|
||||
}
|
||||
|
||||
async fn post_delete_email(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
) -> Result {
|
||||
let user_id = user.expect(LoginTarget::ChangeEmail)?;
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
if !services.threepid.email_requirement().may_remove() {
|
||||
return Err(WebError::Forbidden("You may not remove your email address.".to_owned()));
|
||||
}
|
||||
|
||||
let _ = services
|
||||
.threepid
|
||||
.disassociate_localpart_email(user_id.localpart())
|
||||
.await;
|
||||
|
||||
response!(DeleteEmail::new(context, user_card))
|
||||
}
|
||||
@@ -0,0 +1,155 @@
|
||||
use std::time::SystemTime;
|
||||
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, RawQuery, State},
|
||||
response::{IntoResponse, Redirect},
|
||||
routing::{get, on},
|
||||
};
|
||||
use conduwuit_api::client::handle_login;
|
||||
use ruma::{
|
||||
OwnedUserId,
|
||||
api::client::uiaa::{EmailUserIdentifier, MatrixUserIdentifier, UserIdentifier},
|
||||
};
|
||||
use serde::Deserialize;
|
||||
use tower_sessions::Session;
|
||||
|
||||
use crate::{
|
||||
ROUTE_PREFIX, WebError,
|
||||
extract::{Expect, PostForm},
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
account::register::{TrustedFlowStatus, UntrustedFlowStatus, registration_flow_status},
|
||||
components::UserCard,
|
||||
},
|
||||
response,
|
||||
session::{LoginQuery, LoginTarget, User, UserSession},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/login", on(GET_POST, route_login))
|
||||
.route("/logout", get(get_logout))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Login use "login.html.j2" {
|
||||
body: LoginBody,
|
||||
login_error: Option<String>
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum LoginBody {
|
||||
Unauthenticated {
|
||||
server_name: String,
|
||||
registration_available: bool,
|
||||
next: Option<LoginTarget>,
|
||||
},
|
||||
Authenticated {
|
||||
user_card: UserCard,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct LoginForm {
|
||||
identifier: Option<String>,
|
||||
password: String,
|
||||
}
|
||||
|
||||
async fn route_login(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
Expect(Query(LoginQuery { next, reauthenticate })): Expect<Query<LoginQuery>>,
|
||||
session_store: Session,
|
||||
user: User<true>,
|
||||
PostForm(form): PostForm<LoginForm>,
|
||||
) -> Result {
|
||||
let user_id = user.into_session().map(|session| session.user_id);
|
||||
|
||||
let body = match &user_id {
|
||||
| None => {
|
||||
let (trusted_flow_status, untrusted_flow_status) =
|
||||
registration_flow_status(&services).await;
|
||||
|
||||
let registration_available =
|
||||
matches!(trusted_flow_status, TrustedFlowStatus::Available)
|
||||
|| matches!(untrusted_flow_status, UntrustedFlowStatus::Available { .. });
|
||||
|
||||
LoginBody::Unauthenticated {
|
||||
server_name: services.globals.server_name().to_string(),
|
||||
registration_available,
|
||||
next: next.clone(),
|
||||
}
|
||||
},
|
||||
| Some(user_id) => {
|
||||
if !reauthenticate {
|
||||
return response!(Redirect::to(&next.unwrap_or_default().target_path()));
|
||||
}
|
||||
|
||||
let user_card = UserCard::for_local_user(&services, user_id.to_owned()).await;
|
||||
|
||||
LoginBody::Authenticated { user_card }
|
||||
},
|
||||
};
|
||||
|
||||
let mut template = Login::new(context, body, None);
|
||||
|
||||
if let Some(form) = form {
|
||||
let login_result = match (user_id, form.identifier) {
|
||||
| (Some(user_id), _) => {
|
||||
// The user is already authenticated, we need to check their password
|
||||
services
|
||||
.users
|
||||
.check_password(&user_id, &form.password)
|
||||
.await
|
||||
},
|
||||
| (None, Some(identifier)) => {
|
||||
// The user isn't authenticated, we need to log them in
|
||||
let identifier = if identifier.parse::<lettre::Address>().is_ok() {
|
||||
UserIdentifier::Email(EmailUserIdentifier::new(identifier))
|
||||
} else {
|
||||
UserIdentifier::Matrix(MatrixUserIdentifier::new(identifier))
|
||||
};
|
||||
|
||||
handle_login(&services, Some(&identifier), &form.password, None).await
|
||||
},
|
||||
| (None, None) => {
|
||||
// The user isn't authenticated and didn't supply an identity
|
||||
return response!(WebError::BadRequest("No identity provided".to_owned()));
|
||||
},
|
||||
};
|
||||
|
||||
let user_id = match login_result {
|
||||
| Ok(user_id) => user_id,
|
||||
| Err(err) => {
|
||||
let error_message = if let conduwuit_core::Error::Request(_, message, _) = err {
|
||||
message.into_owned()
|
||||
} else {
|
||||
"Internal login error".to_owned()
|
||||
};
|
||||
|
||||
template.login_error = Some(error_message);
|
||||
return response!(template);
|
||||
},
|
||||
};
|
||||
|
||||
let user_session = UserSession { user_id, last_login: SystemTime::now() };
|
||||
|
||||
session_store
|
||||
.insert(User::KEY, user_session)
|
||||
.await
|
||||
.expect("should be able to serialize user session");
|
||||
|
||||
return response!(Redirect::to(&next.unwrap_or_default().target_path()));
|
||||
}
|
||||
|
||||
response!(template)
|
||||
}
|
||||
|
||||
async fn get_logout(session: Session, RawQuery(query): RawQuery) -> impl IntoResponse {
|
||||
let _ = session.remove::<OwnedUserId>(User::KEY).await;
|
||||
|
||||
Redirect::to(&format!("{}/account/login?{}", ROUTE_PREFIX, query.unwrap_or_default()))
|
||||
}
|
||||
@@ -0,0 +1,173 @@
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, State},
|
||||
response::Redirect,
|
||||
routing::get,
|
||||
};
|
||||
use conduwuit_core::utils::{IterStream, ReadyExt, stream::TryExpect};
|
||||
use conduwuit_service::threepid::EmailRequirement;
|
||||
use futures::StreamExt;
|
||||
use ruma::{
|
||||
OwnedClientSecret, OwnedDeviceId, OwnedSessionId,
|
||||
api::client::discovery::get_authorization_server_metadata::v1::AccountManagementAction,
|
||||
};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::{
|
||||
WebError,
|
||||
extract::Expect,
|
||||
pages::{
|
||||
Result, TemplateContext,
|
||||
components::{DeviceCard, DeviceCardStyle, UserCard},
|
||||
},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) mod cross_signing_reset;
|
||||
pub(crate) mod deactivate;
|
||||
pub(crate) mod device;
|
||||
pub(crate) mod email;
|
||||
pub(crate) mod login;
|
||||
pub(crate) mod password;
|
||||
pub(crate) mod register;
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
#[allow(clippy::wildcard_imports)]
|
||||
use self::*;
|
||||
|
||||
Router::new()
|
||||
.route("/", get(get_account))
|
||||
.route("/deeplink", get(get_account_deeplink))
|
||||
.merge(login::build())
|
||||
.nest("/password/", password::build())
|
||||
.nest("/email/", email::build())
|
||||
.nest("/cross_signing_reset", cross_signing_reset::build())
|
||||
.nest("/deactivate", deactivate::build())
|
||||
.nest("/device/", device::build())
|
||||
.nest("/register/", register::build())
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
struct ThreepidQuery {
|
||||
client_secret: OwnedClientSecret,
|
||||
session_id: OwnedSessionId,
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Account use "account.html.j2" {
|
||||
user_card: UserCard,
|
||||
body: AccountBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum AccountBody {
|
||||
Unlocked {
|
||||
suspended: bool,
|
||||
email_requirement: EmailRequirement,
|
||||
email: Option<String>,
|
||||
devices: Vec<DeviceCard>,
|
||||
},
|
||||
Locked,
|
||||
}
|
||||
|
||||
async fn get_account(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User<true>,
|
||||
) -> Result {
|
||||
let user_id = user.expect(LoginTarget::Account)?;
|
||||
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
if services.users.is_locked(&user_id).await.unwrap() {
|
||||
return response!(Account::new(context, user_card, AccountBody::Locked));
|
||||
}
|
||||
|
||||
let email_requirement = services.threepid.email_requirement();
|
||||
let email = services
|
||||
.threepid
|
||||
.get_email_for_localpart(user_id.localpart())
|
||||
.await
|
||||
.map(|address| address.to_string());
|
||||
|
||||
let dehydrated_device_id = services.users.get_dehydrated_device_id(&user_id).await.ok();
|
||||
|
||||
let mut devices: Vec<_> = services
|
||||
.users
|
||||
.all_device_ids(&user_id)
|
||||
.then(async |device_id| {
|
||||
services
|
||||
.users
|
||||
.get_device_metadata(&user_id, &device_id)
|
||||
.await
|
||||
})
|
||||
.expect_ok()
|
||||
.ready_filter(|device| {
|
||||
dehydrated_device_id
|
||||
.as_ref()
|
||||
.is_none_or(|id| device.device_id != *id)
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
|
||||
devices.sort_unstable_by(|a, b| a.last_seen_ts.cmp(&b.last_seen_ts).reverse());
|
||||
|
||||
let device_cards = devices
|
||||
.into_iter()
|
||||
.stream()
|
||||
.then(async |device| {
|
||||
DeviceCard::for_device(&services, &user_id, device, DeviceCardStyle::Minimal).await
|
||||
})
|
||||
.collect()
|
||||
.await;
|
||||
|
||||
let suspended = services.users.is_suspended(&user_id).await.unwrap();
|
||||
|
||||
response!(Account::new(context, user_card, AccountBody::Unlocked {
|
||||
suspended,
|
||||
email_requirement,
|
||||
email,
|
||||
devices: device_cards
|
||||
}))
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct AccountDeeplinkQuery {
|
||||
action: Option<AccountManagementAction>,
|
||||
device_id: Option<OwnedDeviceId>,
|
||||
}
|
||||
|
||||
async fn get_account_deeplink(
|
||||
Expect(Query(query)): Expect<Query<AccountDeeplinkQuery>>,
|
||||
) -> Result {
|
||||
let redirect_target = match query.action.unwrap_or(AccountManagementAction::Profile) {
|
||||
| AccountManagementAction::AccountDeactivate => "deactivate".to_owned(),
|
||||
| AccountManagementAction::CrossSigningReset => "cross_signing_reset".to_owned(),
|
||||
| AccountManagementAction::DeviceDelete => {
|
||||
let Some(device_id) = query.device_id else {
|
||||
return response!(WebError::BadRequest(
|
||||
"A device ID is required for this action".to_owned()
|
||||
));
|
||||
};
|
||||
|
||||
format!("device/{device_id}/delete")
|
||||
},
|
||||
| AccountManagementAction::DeviceView => {
|
||||
let Some(device_id) = query.device_id else {
|
||||
return response!(WebError::BadRequest(
|
||||
"A device ID is required for this action".to_owned()
|
||||
));
|
||||
};
|
||||
|
||||
format!("device/{device_id}/")
|
||||
},
|
||||
| AccountManagementAction::DevicesList => "#devices".to_owned(),
|
||||
| AccountManagementAction::Profile => String::new(),
|
||||
| _ => return response!(WebError::BadRequest("Unknown action".to_owned())),
|
||||
};
|
||||
|
||||
response!(Redirect::to(&format!("{}/account/{}", crate::ROUTE_PREFIX, redirect_target)))
|
||||
}
|
||||
@@ -0,0 +1,122 @@
|
||||
use axum::{Extension, Router, extract::State, routing::on};
|
||||
use conduwuit_service::users::HashedPassword;
|
||||
use ruma::UserId;
|
||||
use validator::{Validate, ValidationError, ValidationErrors};
|
||||
|
||||
use crate::{
|
||||
extract::PostForm,
|
||||
form,
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
components::{UserCard, form::Form},
|
||||
},
|
||||
response,
|
||||
session::{LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new().route("/", on(GET_POST, route_change_password))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct ChangePassword use "change_password.html.j2" {
|
||||
user_card: UserCard,
|
||||
body: ChangePasswordBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum ChangePasswordBody {
|
||||
Form(Form<'static>),
|
||||
Success,
|
||||
}
|
||||
|
||||
form! {
|
||||
struct ChangePasswordForm {
|
||||
#[validate(length(min = 1, message = "Current password cannot be empty"))]
|
||||
current_password: String where {
|
||||
input_type: "password",
|
||||
label: "Current password",
|
||||
autocomplete: "current-password"
|
||||
},
|
||||
|
||||
#[validate(length(min = 1, message = "New password cannot be empty"))]
|
||||
new_password: String where {
|
||||
input_type: "password",
|
||||
label: "New password",
|
||||
autocomplete: "new-password"
|
||||
},
|
||||
|
||||
#[validate(must_match(other = "new_password", message = "Passwords must match"))]
|
||||
confirm_new_password: String where {
|
||||
input_type: "password",
|
||||
label: "Confirm new password",
|
||||
autocomplete: "new-password"
|
||||
}
|
||||
|
||||
submit: "Change password"
|
||||
}
|
||||
}
|
||||
|
||||
async fn route_change_password(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User,
|
||||
PostForm(form): PostForm<ChangePasswordForm>,
|
||||
) -> Result {
|
||||
let user_id = user.expect(LoginTarget::ChangePassword)?;
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
let body = if let Some(form) = form {
|
||||
match change_password(&services, &user_id, form).await {
|
||||
| Ok(()) => ChangePasswordBody::Success,
|
||||
| Err(errors) =>
|
||||
ChangePasswordBody::Form(ChangePasswordForm::with_errors(context.clone(), errors)),
|
||||
}
|
||||
} else {
|
||||
ChangePasswordBody::Form(ChangePasswordForm::build(context.clone()))
|
||||
};
|
||||
|
||||
response!(ChangePassword::new(context, user_card, body))
|
||||
}
|
||||
|
||||
async fn change_password(
|
||||
services: &crate::State,
|
||||
user_id: &UserId,
|
||||
form: ChangePasswordForm,
|
||||
) -> Result<(), ValidationErrors> {
|
||||
form.validate()?;
|
||||
|
||||
if services
|
||||
.users
|
||||
.check_password(user_id, &form.current_password)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
let mut errors = ValidationErrors::new();
|
||||
errors.add(
|
||||
"current_password",
|
||||
ValidationError::new("wrong").with_message("Incorrect password".into()),
|
||||
);
|
||||
|
||||
return Err(errors);
|
||||
}
|
||||
|
||||
match HashedPassword::new(&form.new_password) {
|
||||
| Ok(hash) => {
|
||||
services.users.set_password(user_id, Some(hash));
|
||||
},
|
||||
| Err(err) => {
|
||||
let mut errors = ValidationErrors::new();
|
||||
errors.add(
|
||||
"new_password",
|
||||
ValidationError::new("malformed").with_message(err.message().into()),
|
||||
);
|
||||
|
||||
return Err(errors);
|
||||
},
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
use axum::Router;
|
||||
|
||||
mod change;
|
||||
mod reset;
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
#[allow(clippy::wildcard_imports)]
|
||||
use self::*;
|
||||
|
||||
Router::new()
|
||||
.nest("/change", change::build())
|
||||
.nest("/reset/", reset::build())
|
||||
}
|
||||
@@ -0,0 +1,252 @@
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, State},
|
||||
routing::on,
|
||||
};
|
||||
use conduwuit_core::warn;
|
||||
use conduwuit_service::{
|
||||
mailer::messages, threepid::session::ValidationSessions, users::HashedPassword,
|
||||
};
|
||||
use lettre::{Address, message::Mailbox};
|
||||
use ruma::{ClientSecret, OwnedClientSecret, OwnedSessionId, UserId};
|
||||
use serde::{Deserialize, Serialize};
|
||||
use validator::{Validate, ValidationError, ValidationErrors};
|
||||
|
||||
use crate::{
|
||||
WebError,
|
||||
extract::{Expect, PostForm},
|
||||
form,
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
account::ThreepidQuery,
|
||||
components::{UserCard, form::Form},
|
||||
},
|
||||
response,
|
||||
session::require_active,
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/", on(GET_POST, route_reset_password))
|
||||
.route("/validate", on(GET_POST, route_reset_password_validate))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct ResetPassword use "reset_password.html.j2" {
|
||||
body: ResetPasswordBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum ResetPasswordBody {
|
||||
Form(Form<'static>),
|
||||
Unavailable,
|
||||
}
|
||||
|
||||
form! {
|
||||
struct ResetPasswordRequestForm {
|
||||
email: Address where {
|
||||
input_type: "email",
|
||||
label: "Email address"
|
||||
}
|
||||
|
||||
submit: "Send email"
|
||||
}
|
||||
}
|
||||
|
||||
async fn route_reset_password(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
PostForm(form): PostForm<ResetPasswordRequestForm>,
|
||||
) -> Result {
|
||||
// Check if SMTP is configured
|
||||
if services.mailer.mailer().is_none() {
|
||||
return response!(ResetPassword::new(context, ResetPasswordBody::Unavailable));
|
||||
}
|
||||
|
||||
let Some(form) = form else {
|
||||
// For GET requests return the reset request form
|
||||
return response!(ResetPassword::new(
|
||||
context.clone(),
|
||||
ResetPasswordBody::Form(ResetPasswordRequestForm::build(context))
|
||||
));
|
||||
};
|
||||
|
||||
let client_secret = ClientSecret::new();
|
||||
|
||||
let session_id = async {
|
||||
let Some(localpart) = services.threepid.get_localpart_for_email(&form.email).await else {
|
||||
warn!("No user is associated with the email address {}", form.email);
|
||||
|
||||
return None;
|
||||
};
|
||||
|
||||
let user_id =
|
||||
UserId::parse(format!("@{localpart}:{}", services.globals.server_name())).unwrap();
|
||||
let display_name = services.users.displayname(&user_id).await.ok();
|
||||
|
||||
match services
|
||||
.threepid
|
||||
.send_validation_email(
|
||||
Mailbox::new(display_name.clone(), form.email.clone()),
|
||||
|verification_link| messages::PasswordReset {
|
||||
display_name: display_name.as_deref(),
|
||||
user_id: &user_id,
|
||||
verification_link,
|
||||
},
|
||||
&client_secret,
|
||||
0,
|
||||
)
|
||||
.await
|
||||
{
|
||||
| Ok(session_id) => Some(session_id),
|
||||
| Err(err) => {
|
||||
warn!("Failed to send reset email for {localpart} to {}: {err}", form.email);
|
||||
|
||||
None
|
||||
},
|
||||
}
|
||||
}
|
||||
.await
|
||||
.unwrap_or_else(|| {
|
||||
// If we couldn't send an email, generate a random session ID to not give that
|
||||
// away
|
||||
ValidationSessions::generate_session_id()
|
||||
});
|
||||
|
||||
response!(ResetPasswordValidate::new(
|
||||
context,
|
||||
ResetPasswordValidateBody::ValidationPending {
|
||||
client_secret,
|
||||
session_id,
|
||||
validation_error: false
|
||||
}
|
||||
))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct ResetPasswordValidate use "reset_password_validate.html.j2" {
|
||||
body: ResetPasswordValidateBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum ResetPasswordValidateBody {
|
||||
ValidationPending {
|
||||
session_id: OwnedSessionId,
|
||||
client_secret: OwnedClientSecret,
|
||||
validation_error: bool,
|
||||
},
|
||||
ValidationSuccess {
|
||||
user_card: UserCard,
|
||||
form: Form<'static>,
|
||||
},
|
||||
ResetSuccess {
|
||||
user_card: UserCard,
|
||||
},
|
||||
}
|
||||
|
||||
form! {
|
||||
struct ResetPasswordForm {
|
||||
#[validate(length(min = 1, message = "Password cannot be empty"))]
|
||||
new_password: String where {
|
||||
input_type: "password",
|
||||
label: "New password",
|
||||
autocomplete: "new-password"
|
||||
},
|
||||
|
||||
#[validate(must_match(other = "new_password", message = "Passwords must match"))]
|
||||
confirm_new_password: String where {
|
||||
input_type: "password",
|
||||
label: "Confirm new password",
|
||||
autocomplete: "new-password"
|
||||
}
|
||||
|
||||
submit: "Reset password"
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
struct ResetPasswordQuery {
|
||||
#[serde(flatten)]
|
||||
threepid: ThreepidQuery,
|
||||
}
|
||||
|
||||
async fn route_reset_password_validate(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
Expect(Query(query)): Expect<Query<ResetPasswordQuery>>,
|
||||
PostForm(form): PostForm<ResetPasswordForm>,
|
||||
) -> Result {
|
||||
let body = match services
|
||||
.threepid
|
||||
.get_valid_session(&query.threepid.session_id, &query.threepid.client_secret)
|
||||
.await
|
||||
{
|
||||
| Ok(session) => {
|
||||
let Some(localpart) = services
|
||||
.threepid
|
||||
.get_localpart_for_email(&session.email)
|
||||
.await
|
||||
else {
|
||||
return Err(WebError::BadRequest("Inapplicable threepid session.".to_owned()));
|
||||
};
|
||||
|
||||
let user_id =
|
||||
UserId::parse(format!("@{localpart}:{}", services.globals.server_name()))
|
||||
.unwrap();
|
||||
|
||||
if let Err(response) = require_active(&services, &user_id, true).await {
|
||||
return Ok(response);
|
||||
}
|
||||
|
||||
let user_card = UserCard::for_local_user(&services, user_id.clone()).await;
|
||||
|
||||
if let Some(form) = form {
|
||||
if let Err(err) = form.validate() {
|
||||
ResetPasswordValidateBody::ValidationSuccess {
|
||||
user_card,
|
||||
form: ResetPasswordForm::with_errors(context.clone(), err),
|
||||
}
|
||||
} else {
|
||||
match HashedPassword::new(&form.new_password) {
|
||||
| Ok(hash) => {
|
||||
let _ = session.consume();
|
||||
|
||||
services.users.set_password(&user_id, Some(hash));
|
||||
|
||||
ResetPasswordValidateBody::ResetSuccess { user_card }
|
||||
},
|
||||
| Err(err) => {
|
||||
let mut errors = ValidationErrors::new();
|
||||
|
||||
errors.add(
|
||||
"new_password",
|
||||
ValidationError::new("malformed")
|
||||
.with_message(err.message().into()),
|
||||
);
|
||||
|
||||
ResetPasswordValidateBody::ValidationSuccess {
|
||||
user_card,
|
||||
form: ResetPasswordForm::with_errors(context.clone(), errors),
|
||||
}
|
||||
},
|
||||
}
|
||||
}
|
||||
} else {
|
||||
ResetPasswordValidateBody::ValidationSuccess {
|
||||
user_card,
|
||||
form: ResetPasswordForm::build(context.clone()),
|
||||
}
|
||||
}
|
||||
},
|
||||
| Err(_) => ResetPasswordValidateBody::ValidationPending {
|
||||
session_id: query.threepid.session_id,
|
||||
client_secret: query.threepid.client_secret,
|
||||
validation_error: true,
|
||||
},
|
||||
};
|
||||
|
||||
response!(ResetPasswordValidate::new(context, body))
|
||||
}
|
||||
@@ -0,0 +1,591 @@
|
||||
use std::{collections::BTreeMap, time::SystemTime};
|
||||
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, State},
|
||||
response::{Redirect, Response},
|
||||
routing::{get, on},
|
||||
};
|
||||
use conduwuit_core::{config::TermsDocument, warn};
|
||||
use conduwuit_service::{
|
||||
mailer::messages, registration_tokens::ValidToken, users::HashedPassword,
|
||||
};
|
||||
use futures::{FutureExt, StreamExt};
|
||||
use lettre::{Address, message::Mailbox};
|
||||
use ruma::{ClientSecret, OwnedClientSecret, OwnedServerName, OwnedSessionId, OwnedUserId};
|
||||
use serde::{Deserialize, Serialize, de::IgnoredAny};
|
||||
use tower_sessions::Session;
|
||||
use validator::{Validate, ValidationError, ValidationErrors};
|
||||
|
||||
use crate::{
|
||||
WebError,
|
||||
extract::{Expect, PostForm},
|
||||
pages::{GET_POST, Result, TemplateContext, account::ThreepidQuery},
|
||||
response,
|
||||
session::{LoginTarget, User, UserSession},
|
||||
template,
|
||||
};
|
||||
|
||||
const COMPLETED_REGISTRATION_KEY: &str = "completed_registration";
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/", on(GET_POST, route_register))
|
||||
.route("/validate", get(get_register_email_validate))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Register use "register.html.j2" {
|
||||
server_name: OwnedServerName,
|
||||
is_first_run: bool,
|
||||
body: RegisterBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum RegisterBody {
|
||||
Unavailable,
|
||||
UsernamePrompt {
|
||||
allow_federation: bool,
|
||||
trusted_flow_status: TrustedFlowStatus,
|
||||
untrusted_flow_status: UntrustedFlowStatus,
|
||||
username_error: Option<String>,
|
||||
next: Option<LoginTarget>,
|
||||
},
|
||||
DetailsPrompt {
|
||||
username: Option<String>,
|
||||
require_email: bool,
|
||||
flow: RegistrationFlowParameters,
|
||||
terms: BTreeMap<String, TermsDocument>,
|
||||
validation_errors: ValidationErrors,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub(super) enum TrustedFlowStatus {
|
||||
Unavailable,
|
||||
Available,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
pub(super) enum UntrustedFlowStatus {
|
||||
Unavailable,
|
||||
Available {
|
||||
require_email: bool,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Default, Deserialize, Serialize)]
|
||||
pub(crate) struct RegisterQuery {
|
||||
pub username: Option<String>,
|
||||
pub token: Option<String>,
|
||||
pub flow: Option<RequestedRegistrationFlow>,
|
||||
#[serde(default)]
|
||||
pub from_landing: bool,
|
||||
#[serde(flatten)]
|
||||
pub next: Option<LoginTarget>,
|
||||
}
|
||||
|
||||
#[derive(Clone, Copy, Deserialize, Serialize)]
|
||||
#[serde(rename_all = "snake_case")]
|
||||
pub(crate) enum RequestedRegistrationFlow {
|
||||
Untrusted,
|
||||
Trusted,
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum RegistrationFlowParameters {
|
||||
Untrusted {
|
||||
recaptcha_sitekey: Option<String>,
|
||||
},
|
||||
Trusted {
|
||||
registration_token: Option<String>,
|
||||
},
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Validate)]
|
||||
struct RegistrationForm {
|
||||
flow: RequestedRegistrationFlow,
|
||||
username: String,
|
||||
email: Option<Address>,
|
||||
#[validate(length(min = 1, message = "Password cannot be empty"))]
|
||||
password: String,
|
||||
#[validate(must_match(other = "password", message = "Passwords must match"))]
|
||||
confirm_password: String,
|
||||
registration_token: Option<String>,
|
||||
#[serde(rename = "g-recaptcha-response")]
|
||||
recaptcha_response: Option<String>,
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
struct CompletedRegistration {
|
||||
user_id: OwnedUserId,
|
||||
password_hash: HashedPassword,
|
||||
registration_token: Option<ValidToken>,
|
||||
next: Option<LoginTarget>,
|
||||
}
|
||||
|
||||
async fn route_register(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
session_store: Session,
|
||||
Expect(Query(query)): Expect<Query<RegisterQuery>>,
|
||||
PostForm(form): PostForm<RegistrationForm>,
|
||||
) -> Result {
|
||||
let is_first_run = services.firstrun.is_first_run();
|
||||
|
||||
if session_store
|
||||
.get::<IgnoredAny>(User::KEY)
|
||||
.await
|
||||
.unwrap()
|
||||
.is_some()
|
||||
{
|
||||
// Redirect already logged-in users to the account panel
|
||||
return response!(Redirect::to(&LoginTarget::Account.target_path()));
|
||||
}
|
||||
|
||||
let validation_errors = if let Some(form) = form {
|
||||
match form.validate() {
|
||||
| Ok(()) => {
|
||||
match begin_registration(
|
||||
&services,
|
||||
context.clone(),
|
||||
session_store,
|
||||
form,
|
||||
query.next.clone(),
|
||||
)
|
||||
.boxed()
|
||||
.await?
|
||||
{
|
||||
| Ok(response) => return Ok(response),
|
||||
| Err(err) => err,
|
||||
}
|
||||
},
|
||||
| Err(err) => err,
|
||||
}
|
||||
} else {
|
||||
ValidationErrors::new()
|
||||
};
|
||||
|
||||
let (trusted_flow_status, untrusted_flow_status) = registration_flow_status(&services).await;
|
||||
|
||||
if matches!(trusted_flow_status, TrustedFlowStatus::Unavailable)
|
||||
&& matches!(untrusted_flow_status, UntrustedFlowStatus::Unavailable)
|
||||
{
|
||||
return response!(Register::new(
|
||||
context,
|
||||
services.globals.server_name().to_owned(),
|
||||
services.firstrun.is_first_run(),
|
||||
RegisterBody::Unavailable
|
||||
));
|
||||
}
|
||||
|
||||
if query.username.is_some() && query.flow.is_none() {
|
||||
return response!(WebError::BadRequest(
|
||||
"A flow must be provided if a username is provided".to_owned()
|
||||
));
|
||||
}
|
||||
|
||||
if let Some(username) = &query.username
|
||||
&& query.from_landing
|
||||
{
|
||||
// Check if the username is valid and available before showing the details form
|
||||
// to keep the user from wasting their time
|
||||
|
||||
if let Err(err) = services
|
||||
.users
|
||||
.determine_registration_user_id(Some(username.to_owned()), None, None)
|
||||
.await
|
||||
{
|
||||
return response!(Register::new(
|
||||
context,
|
||||
services.globals.server_name().to_owned(),
|
||||
services.firstrun.is_first_run(),
|
||||
RegisterBody::UsernamePrompt {
|
||||
allow_federation: services.config.allow_federation,
|
||||
trusted_flow_status,
|
||||
untrusted_flow_status,
|
||||
username_error: Some(err.message()),
|
||||
next: query.next,
|
||||
}
|
||||
));
|
||||
}
|
||||
}
|
||||
|
||||
let body = {
|
||||
let terms = services.config.registration_terms.documents.clone();
|
||||
|
||||
match (query.flow, query.token) {
|
||||
| (Some(RequestedRegistrationFlow::Trusted), token) | (_, token @ Some(_)) =>
|
||||
RegisterBody::DetailsPrompt {
|
||||
username: query.username,
|
||||
require_email: services
|
||||
.config
|
||||
.smtp
|
||||
.as_ref()
|
||||
.is_some_and(|smtp| smtp.require_email_for_token_registration),
|
||||
flow: RegistrationFlowParameters::Trusted { registration_token: token },
|
||||
terms,
|
||||
validation_errors,
|
||||
},
|
||||
| (_, token) if is_first_run => RegisterBody::DetailsPrompt {
|
||||
username: query.username,
|
||||
require_email: false,
|
||||
flow: RegistrationFlowParameters::Trusted { registration_token: token },
|
||||
terms,
|
||||
validation_errors,
|
||||
},
|
||||
| (Some(RequestedRegistrationFlow::Untrusted), _) => RegisterBody::DetailsPrompt {
|
||||
username: query.username,
|
||||
require_email: services
|
||||
.config
|
||||
.smtp
|
||||
.as_ref()
|
||||
.is_some_and(|smtp| smtp.require_email_for_registration),
|
||||
flow: RegistrationFlowParameters::Untrusted {
|
||||
recaptcha_sitekey: services.config.recaptcha_site_key.clone(),
|
||||
},
|
||||
terms,
|
||||
validation_errors,
|
||||
},
|
||||
| (None, None) => RegisterBody::UsernamePrompt {
|
||||
allow_federation: services.config.allow_federation,
|
||||
trusted_flow_status,
|
||||
untrusted_flow_status,
|
||||
username_error: None,
|
||||
next: query.next,
|
||||
},
|
||||
}
|
||||
};
|
||||
|
||||
response!(Register::new(
|
||||
context,
|
||||
services.globals.server_name().to_owned(),
|
||||
is_first_run,
|
||||
body
|
||||
))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct RegisterEmailValidate use "register_email_validate.html.j2" {
|
||||
session_id: OwnedSessionId,
|
||||
client_secret: OwnedClientSecret,
|
||||
validation_error: bool
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Serialize)]
|
||||
struct RegisterEmailValidateQuery {
|
||||
#[serde(flatten)]
|
||||
threepid: ThreepidQuery,
|
||||
}
|
||||
|
||||
async fn get_register_email_validate(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
session_store: Session,
|
||||
Expect(Query(RegisterEmailValidateQuery {
|
||||
threepid: ThreepidQuery { client_secret, session_id },
|
||||
})): Expect<Query<RegisterEmailValidateQuery>>,
|
||||
) -> Result {
|
||||
let Ok(session) = services
|
||||
.threepid
|
||||
.get_valid_session(&session_id, &client_secret)
|
||||
.await
|
||||
else {
|
||||
return response!(RegisterEmailValidate::new(context, session_id, client_secret, true));
|
||||
};
|
||||
|
||||
let Some(completed_registration) = session_store
|
||||
.get::<CompletedRegistration>(COMPLETED_REGISTRATION_KEY)
|
||||
.await
|
||||
.expect("should be able to deserialize completed session")
|
||||
else {
|
||||
return response!(WebError::BadRequest(
|
||||
"Inapplicable session. What are you doing here?".to_owned()
|
||||
));
|
||||
};
|
||||
|
||||
let email = session.consume();
|
||||
|
||||
response!(
|
||||
complete_registration(&services, session_store, completed_registration, Some(email))
|
||||
.await
|
||||
)
|
||||
}
|
||||
|
||||
async fn begin_registration(
|
||||
services: &crate::State,
|
||||
context: TemplateContext,
|
||||
session_store: Session,
|
||||
form: RegistrationForm,
|
||||
next: Option<LoginTarget>,
|
||||
) -> Result<Result<Response, ValidationErrors>> {
|
||||
let open_registration = services
|
||||
.config
|
||||
.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse;
|
||||
let mut errors = ValidationErrors::new();
|
||||
|
||||
let user_id = match services
|
||||
.users
|
||||
.determine_registration_user_id(Some(form.username), form.email.as_ref(), None)
|
||||
.await
|
||||
{
|
||||
| Ok(user_id) => user_id,
|
||||
| Err(err) => {
|
||||
errors.add(
|
||||
"username",
|
||||
ValidationError::new("invalid").with_message(err.message().into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
},
|
||||
};
|
||||
|
||||
let password_hash = match HashedPassword::new(&form.password) {
|
||||
| Ok(password) => password,
|
||||
| Err(err) => {
|
||||
errors.add(
|
||||
"password",
|
||||
ValidationError::new("invalid").with_message(err.message().into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
},
|
||||
};
|
||||
|
||||
let mut registration_token = None;
|
||||
|
||||
// Check flow-specific form fields
|
||||
match form.flow {
|
||||
| RequestedRegistrationFlow::Trusted => {
|
||||
// If the form claims to be using the trusted flow, it has to have a
|
||||
// registration token
|
||||
|
||||
let Some(valid_token) = async {
|
||||
services
|
||||
.registration_tokens
|
||||
.validate_token(form.registration_token?)
|
||||
.await
|
||||
}
|
||||
.await
|
||||
else {
|
||||
errors.add(
|
||||
"registration_token",
|
||||
ValidationError::new("invalid")
|
||||
.with_message("Invalid registration token".into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
};
|
||||
|
||||
registration_token = Some(valid_token);
|
||||
},
|
||||
| RequestedRegistrationFlow::Untrusted => {
|
||||
// Don't check auth for the untrusted flow at all if open reg is enabled
|
||||
if !open_registration {
|
||||
// If the form claims to be using the untrusted flow, it _may_ need to have a
|
||||
// reCAPTCHA response if reCAPTCHA is configured
|
||||
|
||||
if let Some(recaptcha_private_site_key) =
|
||||
&services.config.recaptcha_private_site_key
|
||||
{
|
||||
let Some(recaptcha_response) = form.recaptcha_response else {
|
||||
return Err(WebError::BadRequest(
|
||||
"reCAPTCHA response expected".to_owned(),
|
||||
));
|
||||
};
|
||||
|
||||
if recaptcha_verify::verify_v3(
|
||||
recaptcha_private_site_key,
|
||||
&recaptcha_response,
|
||||
None,
|
||||
)
|
||||
.await
|
||||
.is_err()
|
||||
{
|
||||
errors.add(
|
||||
"recaptcha",
|
||||
ValidationError::new("missing")
|
||||
.with_message("Please complete the CAPTCHA".into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
}
|
||||
|
||||
let completed_registration = CompletedRegistration {
|
||||
user_id,
|
||||
password_hash,
|
||||
registration_token,
|
||||
next,
|
||||
};
|
||||
|
||||
// Check if we need to send an email
|
||||
let require_email = services
|
||||
.config
|
||||
.smtp
|
||||
.as_ref()
|
||||
.is_some_and(|smtp| match form.flow {
|
||||
| RequestedRegistrationFlow::Trusted => smtp.require_email_for_token_registration,
|
||||
| RequestedRegistrationFlow::Untrusted =>
|
||||
!open_registration && smtp.require_email_for_registration,
|
||||
});
|
||||
|
||||
if require_email {
|
||||
// If an email is required we have to validate it before we can complete
|
||||
// registration
|
||||
let Some(address) = form.email else {
|
||||
errors.add(
|
||||
"email",
|
||||
ValidationError::new("missing")
|
||||
.with_message("Please provide an email address".into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
};
|
||||
|
||||
if services
|
||||
.threepid
|
||||
.get_localpart_for_email(&address)
|
||||
.await
|
||||
.is_some()
|
||||
{
|
||||
errors.add(
|
||||
"email",
|
||||
ValidationError::new("in_use")
|
||||
.with_message("This email address is already in use.".into()),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
}
|
||||
|
||||
let client_secret = ClientSecret::new();
|
||||
|
||||
let session_id = {
|
||||
match services
|
||||
.threepid
|
||||
.send_validation_email(
|
||||
Mailbox::new(None, address.clone()),
|
||||
|verification_link| messages::NewAccount {
|
||||
server_name: services.globals.server_name().as_str(),
|
||||
verification_link,
|
||||
},
|
||||
&client_secret,
|
||||
0,
|
||||
)
|
||||
.await
|
||||
{
|
||||
| Ok(session_id) => session_id,
|
||||
| Err(err) => {
|
||||
warn!(
|
||||
"Failed to send new account message for {} to {}: {err}",
|
||||
&completed_registration.user_id, address,
|
||||
);
|
||||
|
||||
errors.add(
|
||||
"email",
|
||||
ValidationError::new("invalid").with_message(
|
||||
"Failed to send validation email. Is this address correct?".into(),
|
||||
),
|
||||
);
|
||||
return Ok(Err(errors));
|
||||
},
|
||||
}
|
||||
};
|
||||
|
||||
session_store
|
||||
.insert(COMPLETED_REGISTRATION_KEY, completed_registration)
|
||||
.await
|
||||
.expect("should have been able to serialize completed registration");
|
||||
|
||||
Ok(response!(
|
||||
RegisterEmailValidate::new(context, session_id, client_secret, false,)
|
||||
))
|
||||
} else {
|
||||
// If email isn't required we can immediately complete registration
|
||||
Ok(response!(
|
||||
complete_registration(services, session_store, completed_registration, None).await
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
async fn complete_registration(
|
||||
services: &crate::State,
|
||||
session_store: Session,
|
||||
CompletedRegistration {
|
||||
user_id,
|
||||
password_hash,
|
||||
registration_token,
|
||||
next,
|
||||
}: CompletedRegistration,
|
||||
email: Option<Address>,
|
||||
) -> Redirect {
|
||||
services
|
||||
.users
|
||||
.create_local_account(&user_id, password_hash, email)
|
||||
.await;
|
||||
|
||||
if let Some(registration_token) = registration_token {
|
||||
services
|
||||
.registration_tokens
|
||||
.mark_token_as_used(registration_token);
|
||||
}
|
||||
|
||||
let user_session = UserSession { user_id, last_login: SystemTime::now() };
|
||||
|
||||
session_store
|
||||
.insert(User::KEY, user_session)
|
||||
.await
|
||||
.expect("should be able to serialize user session");
|
||||
|
||||
Redirect::to(&next.unwrap_or_default().target_path())
|
||||
}
|
||||
|
||||
pub(super) async fn registration_flow_status(
|
||||
services: &crate::State,
|
||||
) -> (TrustedFlowStatus, UntrustedFlowStatus) {
|
||||
// Allow registration if it's enabled in the config file or if this is the first
|
||||
// run (so the first user account can be created)
|
||||
let allow_registration =
|
||||
services.config.allow_registration || services.firstrun.is_first_run();
|
||||
|
||||
// Trusted flow is only available if any registration tokens exist
|
||||
let trusted_flow_status = {
|
||||
if !allow_registration {
|
||||
TrustedFlowStatus::Unavailable
|
||||
} else if services
|
||||
.registration_tokens
|
||||
.iterate_tokens()
|
||||
.next()
|
||||
.await
|
||||
.is_some()
|
||||
{
|
||||
TrustedFlowStatus::Available
|
||||
} else {
|
||||
TrustedFlowStatus::Unavailable
|
||||
}
|
||||
};
|
||||
|
||||
// Untrusted flow is available if email is required for registration,
|
||||
// or reCAPTCHA is configured, or open registration is enabled
|
||||
let untrusted_flow_status = {
|
||||
let require_email = services
|
||||
.config
|
||||
.smtp
|
||||
.as_ref()
|
||||
.is_some_and(|smtp| smtp.require_email_for_registration);
|
||||
|
||||
if !allow_registration || services.firstrun.is_first_run() {
|
||||
UntrustedFlowStatus::Unavailable
|
||||
} else if services.config.recaptcha_private_site_key.is_some() || require_email {
|
||||
UntrustedFlowStatus::Available { require_email }
|
||||
} else if services
|
||||
.config
|
||||
.yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse
|
||||
{
|
||||
UntrustedFlowStatus::Available { require_email: false }
|
||||
} else {
|
||||
UntrustedFlowStatus::Unavailable
|
||||
}
|
||||
};
|
||||
|
||||
(trusted_flow_status, untrusted_flow_status)
|
||||
}
|
||||
@@ -1,13 +1,34 @@
|
||||
use askama::{Template, filters::HtmlSafe};
|
||||
use validator::ValidationErrors;
|
||||
|
||||
use crate::pages::TemplateContext;
|
||||
|
||||
/// A reusable form component with field validation.
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/form.html.j2")]
|
||||
pub(crate) struct Form<'a> {
|
||||
pub inputs: Vec<FormInput<'a>>,
|
||||
context: TemplateContext,
|
||||
inputs: Vec<FormInput<'a>>,
|
||||
submit_label: &'a str,
|
||||
slowdown: bool,
|
||||
pub validation_errors: Option<ValidationErrors>,
|
||||
pub submit_label: &'a str,
|
||||
}
|
||||
|
||||
impl<'a> Form<'a> {
|
||||
pub(crate) fn new(
|
||||
context: TemplateContext,
|
||||
inputs: Vec<FormInput<'a>>,
|
||||
submit_label: &'a str,
|
||||
slowdown: bool,
|
||||
) -> Self {
|
||||
Self {
|
||||
context,
|
||||
inputs,
|
||||
submit_label,
|
||||
slowdown,
|
||||
validation_errors: None,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl HtmlSafe for Form<'_> {}
|
||||
@@ -50,6 +71,16 @@ fn default() -> Self {
|
||||
}
|
||||
}
|
||||
|
||||
#[macro_export]
|
||||
macro_rules! default {
|
||||
($value:expr) => {
|
||||
$value
|
||||
};
|
||||
() => {
|
||||
Default::default()
|
||||
};
|
||||
}
|
||||
|
||||
/// Generate a deserializable struct which may be turned into a [`Form`]
|
||||
/// for inclusion in another template.
|
||||
#[macro_export]
|
||||
@@ -63,6 +94,7 @@ struct $struct_name:ident {
|
||||
),*
|
||||
|
||||
submit: $submit_label:expr
|
||||
$(, slowdown: $slowdown:expr)?
|
||||
}
|
||||
) => {
|
||||
#[derive(Debug, serde::Deserialize, validator::Validate)]
|
||||
@@ -77,9 +109,10 @@ struct $struct_name {
|
||||
impl $struct_name {
|
||||
/// Generate a [`Form`] which matches the shape of this struct.
|
||||
#[allow(clippy::needless_update)]
|
||||
fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::pages::components::form::Form<'static> {
|
||||
$crate::pages::components::form::Form {
|
||||
inputs: vec![
|
||||
fn build(context: TemplateContext) -> $crate::pages::components::form::Form<'static> {
|
||||
$crate::pages::components::form::Form::new(
|
||||
context,
|
||||
vec![
|
||||
$(
|
||||
$crate::pages::components::form::FormInput {
|
||||
id: stringify!($name),
|
||||
@@ -89,9 +122,17 @@ fn build(validation_errors: Option<validator::ValidationErrors>) -> $crate::page
|
||||
},
|
||||
)*
|
||||
],
|
||||
validation_errors,
|
||||
submit_label: $submit_label,
|
||||
}
|
||||
$submit_label,
|
||||
$crate::default!($($slowdown)?)
|
||||
)
|
||||
}
|
||||
|
||||
/// Generate a [`Form`] with validation errors.
|
||||
#[allow(unused)]
|
||||
fn with_errors(context: TemplateContext, errors: validator::ValidationErrors) -> $crate::pages::components::form::Form<'static> {
|
||||
let mut form = Self::build(context);
|
||||
form.validation_errors = Some(errors);
|
||||
form
|
||||
}
|
||||
}
|
||||
};
|
||||
|
||||
+143
-29
@@ -1,37 +1,33 @@
|
||||
use std::{collections::BTreeSet, time::SystemTime};
|
||||
|
||||
use askama::{Template, filters::HtmlSafe};
|
||||
use base64::Engine;
|
||||
use conduwuit_core::result::FlatOk;
|
||||
use conduwuit_service::{Services, media::mxc::Mxc};
|
||||
use ruma::UserId;
|
||||
use conduwuit_core::{result::FlatOk, utils};
|
||||
use conduwuit_service::{
|
||||
Services,
|
||||
media::mxc::Mxc,
|
||||
oauth::{client_metadata::ClientMetadata, grant::Scope},
|
||||
};
|
||||
use ruma::{OwnedDeviceId, OwnedUserId, UserId, api::client::device::Device};
|
||||
|
||||
pub(super) mod form;
|
||||
|
||||
#[derive(Debug)]
|
||||
pub(super) enum AvatarType<'a> {
|
||||
pub(super) enum AvatarType {
|
||||
Initial(char),
|
||||
Image(&'a str),
|
||||
Image(String),
|
||||
}
|
||||
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/avatar.html.j2")]
|
||||
pub(super) struct Avatar<'a> {
|
||||
pub(super) avatar_type: AvatarType<'a>,
|
||||
pub(super) struct Avatar {
|
||||
pub(super) avatar_type: AvatarType,
|
||||
}
|
||||
|
||||
impl HtmlSafe for Avatar<'_> {}
|
||||
impl HtmlSafe for Avatar {}
|
||||
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/user_card.html.j2")]
|
||||
pub(super) struct UserCard<'a> {
|
||||
pub user_id: &'a UserId,
|
||||
pub display_name: Option<String>,
|
||||
pub avatar_src: Option<String>,
|
||||
}
|
||||
|
||||
impl HtmlSafe for UserCard<'_> {}
|
||||
|
||||
impl<'a> UserCard<'a> {
|
||||
pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) -> Self {
|
||||
impl Avatar {
|
||||
pub(super) async fn for_local_user(services: &Services, user_id: &UserId) -> Self {
|
||||
let display_name = services.users.displayname(user_id).await.ok();
|
||||
|
||||
let avatar_src = async {
|
||||
@@ -54,22 +50,140 @@ pub(super) async fn for_local_user(services: &Services, user_id: &'a UserId) ->
|
||||
}
|
||||
.await;
|
||||
|
||||
Self { user_id, display_name, avatar_src }
|
||||
}
|
||||
|
||||
fn avatar(&'a self) -> Avatar<'a> {
|
||||
let avatar_type = if let Some(ref avatar_src) = self.avatar_src {
|
||||
let avatar_type = if let Some(avatar_src) = avatar_src {
|
||||
AvatarType::Image(avatar_src)
|
||||
} else if let Some(initial) = self
|
||||
.display_name
|
||||
} else if let Some(initial) = display_name
|
||||
.as_ref()
|
||||
.and_then(|display_name| display_name.chars().next())
|
||||
{
|
||||
AvatarType::Initial(initial)
|
||||
} else {
|
||||
AvatarType::Initial(self.user_id.localpart().chars().next().unwrap())
|
||||
AvatarType::Initial(user_id.localpart().chars().next().unwrap())
|
||||
};
|
||||
|
||||
Avatar { avatar_type }
|
||||
Self { avatar_type }
|
||||
}
|
||||
|
||||
pub(super) fn for_device(
|
||||
oauth_metadata: Option<&ClientMetadata>,
|
||||
display_name: Option<&str>,
|
||||
) -> Self {
|
||||
let avatar_src = oauth_metadata
|
||||
.and_then(|metadata| metadata.logo_uri.as_ref())
|
||||
.map(|uri| uri.as_str().to_owned());
|
||||
|
||||
let avatar_type = if let Some(avatar_src) = avatar_src {
|
||||
AvatarType::Image(avatar_src)
|
||||
} else if let Some(initial) = display_name.and_then(|name| name.chars().next()) {
|
||||
if oauth_metadata.is_some() {
|
||||
AvatarType::Initial(initial)
|
||||
} else {
|
||||
AvatarType::Initial('❖')
|
||||
}
|
||||
} else {
|
||||
AvatarType::Initial('?')
|
||||
};
|
||||
|
||||
Self { avatar_type }
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/user_card.html.j2")]
|
||||
pub(super) struct UserCard {
|
||||
pub user_id: OwnedUserId,
|
||||
pub display_name: Option<String>,
|
||||
pub avatar: Avatar,
|
||||
}
|
||||
|
||||
impl HtmlSafe for UserCard {}
|
||||
|
||||
impl UserCard {
|
||||
pub(super) async fn for_local_user(services: &Services, user_id: OwnedUserId) -> Self {
|
||||
let display_name = services.users.displayname(&user_id).await.ok();
|
||||
let avatar = Avatar::for_local_user(services, &user_id).await;
|
||||
|
||||
Self { user_id, display_name, avatar }
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/device_card.html.j2")]
|
||||
pub(super) struct DeviceCard {
|
||||
pub device_id: OwnedDeviceId,
|
||||
pub display_name: Option<String>,
|
||||
pub avatar: Avatar,
|
||||
pub last_active: String,
|
||||
pub oauth_metadata: Option<ClientMetadata>,
|
||||
pub style: DeviceCardStyle,
|
||||
}
|
||||
|
||||
impl HtmlSafe for DeviceCard {}
|
||||
|
||||
#[derive(Debug, PartialEq, Eq)]
|
||||
pub(super) enum DeviceCardStyle {
|
||||
Minimal,
|
||||
Detailed,
|
||||
}
|
||||
|
||||
impl DeviceCard {
|
||||
pub(super) async fn for_device(
|
||||
services: &Services,
|
||||
user_id: &UserId,
|
||||
device: Device,
|
||||
style: DeviceCardStyle,
|
||||
) -> Self {
|
||||
let oauth_metadata = async {
|
||||
let session_info = services
|
||||
.oauth
|
||||
.get_session_info_for_device(user_id, &device.device_id)
|
||||
.await?;
|
||||
|
||||
Some(
|
||||
services
|
||||
.oauth
|
||||
.get_client_metadata(&session_info.client_id)
|
||||
.await
|
||||
.expect("client should exist"),
|
||||
)
|
||||
}
|
||||
.await;
|
||||
|
||||
let display_name = oauth_metadata
|
||||
.as_ref()
|
||||
.and_then(|metadata| metadata.client_name.clone())
|
||||
.or_else(|| device.display_name.clone());
|
||||
|
||||
let avatar = Avatar::for_device(oauth_metadata.as_ref(), display_name.as_deref());
|
||||
|
||||
let last_active = device.last_seen_ts.map_or_else(
|
||||
|| "unknown".to_owned(),
|
||||
|last_seen_ts| {
|
||||
last_seen_ts
|
||||
.to_system_time()
|
||||
.and_then(|t| SystemTime::now().duration_since(t).ok())
|
||||
.map_or_else(
|
||||
|| "now".to_owned(),
|
||||
|duration| format!("{} ago", utils::time::pretty(duration)),
|
||||
)
|
||||
},
|
||||
);
|
||||
|
||||
Self {
|
||||
device_id: device.device_id,
|
||||
display_name,
|
||||
avatar,
|
||||
last_active,
|
||||
oauth_metadata,
|
||||
style,
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug, Template)]
|
||||
#[template(path = "_components/client_scopes.html.j2")]
|
||||
pub(super) struct ClientScopes {
|
||||
pub scopes: BTreeSet<Scope>,
|
||||
}
|
||||
|
||||
impl HtmlSafe for ClientScopes {}
|
||||
|
||||
+28
-14
@@ -1,25 +1,39 @@
|
||||
use axum::{Router, extract::State, response::IntoResponse, routing::get};
|
||||
use axum::{Extension, Router, extract::State, routing::get};
|
||||
|
||||
use crate::{WebError, template};
|
||||
use crate::{
|
||||
pages::{Result, TemplateContext},
|
||||
response, template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/", get(index))
|
||||
.route("/_continuwuity/", get(index))
|
||||
.route("/", get(get_index))
|
||||
.route(&format!("{}/", crate::ROUTE_PREFIX), get(get_index))
|
||||
.route(&format!("{}/_book", crate::ROUTE_PREFIX), get(get_book))
|
||||
}
|
||||
|
||||
async fn index(State(services): State<crate::State>) -> Result<impl IntoResponse, WebError> {
|
||||
template! {
|
||||
struct Index<'a> use "index.html.j2" {
|
||||
server_name: &'a str,
|
||||
first_run: bool
|
||||
}
|
||||
template! {
|
||||
struct Index<'a> use "index.html.j2" {
|
||||
server_name: &'a str,
|
||||
first_run: bool
|
||||
}
|
||||
}
|
||||
|
||||
Ok(Index::new(
|
||||
&services,
|
||||
async fn get_index(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
) -> Result {
|
||||
response!(Index::new(
|
||||
context,
|
||||
services.globals.server_name().as_str(),
|
||||
services.firstrun.is_first_run(),
|
||||
)
|
||||
.into_response())
|
||||
))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Book use "book.html.j2" {}
|
||||
}
|
||||
|
||||
async fn get_book(Extension(context): Extension<TemplateContext>) -> Result {
|
||||
response!(Book::new(context))
|
||||
}
|
||||
|
||||
+76
-11
@@ -1,21 +1,71 @@
|
||||
use std::sync::Arc;
|
||||
|
||||
use axum::{
|
||||
extract::{Request, State},
|
||||
http::{HeaderValue, header},
|
||||
middleware::Next,
|
||||
response::Response,
|
||||
routing::MethodFilter,
|
||||
};
|
||||
use conduwuit_core::utils;
|
||||
|
||||
use crate::WebError;
|
||||
|
||||
pub(super) mod about;
|
||||
pub(super) mod account;
|
||||
mod components;
|
||||
pub(super) mod debug;
|
||||
pub(super) mod index;
|
||||
pub(super) mod password_reset;
|
||||
pub(super) mod oauth;
|
||||
pub(super) mod resources;
|
||||
pub(super) mod threepid;
|
||||
|
||||
#[derive(Debug)]
|
||||
type Result<T = Response, E = WebError> = std::result::Result<T, E>;
|
||||
|
||||
const GET_POST: MethodFilter = MethodFilter::GET.or(MethodFilter::POST);
|
||||
|
||||
#[derive(Debug, Clone)]
|
||||
pub(crate) struct TemplateContext {
|
||||
pub allow_indexing: bool,
|
||||
pub csp_nonce: String,
|
||||
}
|
||||
|
||||
impl From<&crate::State> for TemplateContext {
|
||||
fn from(state: &crate::State) -> Self {
|
||||
Self {
|
||||
allow_indexing: state.config.allow_web_indexing,
|
||||
}
|
||||
}
|
||||
const CSP_NONCE_LENGTH: usize = 32;
|
||||
|
||||
pub(super) async fn template_context_middleware(
|
||||
State(config): State<Arc<conduwuit_service::config::Service>>,
|
||||
mut request: Request,
|
||||
next: Next,
|
||||
) -> Response {
|
||||
let csp_nonce = utils::random_string(CSP_NONCE_LENGTH);
|
||||
let context = TemplateContext {
|
||||
allow_indexing: config.allow_web_indexing,
|
||||
csp_nonce: csp_nonce.clone(),
|
||||
};
|
||||
|
||||
assert!(
|
||||
request.extensions_mut().insert(context).is_none(),
|
||||
"template context should only be inserted once"
|
||||
);
|
||||
|
||||
let mut response = next.run(request).await;
|
||||
|
||||
let child_src = if config.recaptcha_site_key.is_some() {
|
||||
"www.google.com"
|
||||
} else {
|
||||
"'none'"
|
||||
};
|
||||
|
||||
response.headers_mut().insert(
|
||||
header::CONTENT_SECURITY_POLICY,
|
||||
HeaderValue::from_str(&format!(
|
||||
"default-src 'none'; style-src 'self'; img-src 'self' https: data:; script-src \
|
||||
'nonce-{csp_nonce}'; child-src {child_src};"
|
||||
))
|
||||
.expect("should be able to build CSP header"),
|
||||
);
|
||||
|
||||
response
|
||||
}
|
||||
|
||||
#[macro_export]
|
||||
@@ -27,15 +77,17 @@ struct $name:ident $(<$lifetime:lifetime>)? use $path:literal {
|
||||
) => {
|
||||
#[derive(Debug, askama::Template)]
|
||||
#[template(path = $path)]
|
||||
#[allow(unused)]
|
||||
struct $name$(<$lifetime>)? {
|
||||
context: $crate::pages::TemplateContext,
|
||||
context: $crate::pages::TemplateContext,
|
||||
$($field_name: $field_type,)*
|
||||
}
|
||||
|
||||
impl$(<$lifetime>)? $name$(<$lifetime>)? {
|
||||
fn new(state: &$crate::State, $($field_name: $field_type,)*) -> Self {
|
||||
#[allow(clippy::too_many_arguments)]
|
||||
fn new(context: $crate::pages::TemplateContext, $($field_name: $field_type,)*) -> Self {
|
||||
Self {
|
||||
context: state.into(),
|
||||
context,
|
||||
$($field_name,)*
|
||||
}
|
||||
}
|
||||
@@ -54,3 +106,16 @@ fn into_response(self) -> axum::response::Response {
|
||||
}
|
||||
};
|
||||
}
|
||||
|
||||
#[macro_export]
|
||||
macro_rules! response {
|
||||
(BadRequest($body:expr)) => {
|
||||
response!((axum::http::StatusCode::BAD_REQUEST, $body))
|
||||
};
|
||||
|
||||
($body:expr) => {{
|
||||
use axum::response::IntoResponse;
|
||||
|
||||
Ok($body.into_response())
|
||||
}};
|
||||
}
|
||||
|
||||
@@ -0,0 +1,144 @@
|
||||
use axum::{
|
||||
Extension, Router,
|
||||
extract::{Query, State},
|
||||
response::Redirect,
|
||||
routing::on,
|
||||
};
|
||||
use conduwuit_service::oauth::grant::{AuthorizationCodeQuery, Prompt};
|
||||
use ruma::OwnedUserId;
|
||||
use url::Url;
|
||||
|
||||
use crate::{
|
||||
ROUTE_PREFIX, WebError,
|
||||
extract::{Expect, PostForm},
|
||||
pages::{
|
||||
GET_POST, Result, TemplateContext,
|
||||
account::register::{RegisterQuery, RequestedRegistrationFlow},
|
||||
components::{Avatar, AvatarType, ClientScopes},
|
||||
},
|
||||
response,
|
||||
session::{LoginQuery, LoginTarget, User},
|
||||
template,
|
||||
};
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new().route("/authorization_code", on(GET_POST, route_authorization_code))
|
||||
}
|
||||
|
||||
template! {
|
||||
struct Grant use "grant.html.j2" {
|
||||
logout_query: String,
|
||||
user_id: OwnedUserId,
|
||||
user_avatar: Avatar,
|
||||
client_uri: Url,
|
||||
client_name: String,
|
||||
client_avatar: Avatar,
|
||||
policy_uri: Option<Url>,
|
||||
tos_uri: Option<Url>,
|
||||
scopes: ClientScopes
|
||||
}
|
||||
}
|
||||
|
||||
async fn route_authorization_code(
|
||||
State(services): State<crate::State>,
|
||||
Extension(context): Extension<TemplateContext>,
|
||||
user: User<true>,
|
||||
Expect(Query(query)): Expect<Query<AuthorizationCodeQuery>>,
|
||||
PostForm(form): PostForm<()>,
|
||||
) -> Result {
|
||||
let user_id = if let Some(user) = user.into_session() {
|
||||
user.user_id
|
||||
} else {
|
||||
let is_first_run = services.firstrun.is_first_run();
|
||||
let next = LoginTarget::AuthorizationCode(query.clone());
|
||||
|
||||
let uri = if query
|
||||
.prompt
|
||||
.is_some_and(|prompt| matches!(prompt, Prompt::Create))
|
||||
|| is_first_run
|
||||
{
|
||||
format!(
|
||||
"{}/account/register/?{}",
|
||||
ROUTE_PREFIX,
|
||||
serde_urlencoded::to_string(RegisterQuery {
|
||||
next: Some(next),
|
||||
flow: if is_first_run {
|
||||
Some(RequestedRegistrationFlow::Trusted)
|
||||
} else {
|
||||
None
|
||||
},
|
||||
..Default::default()
|
||||
})
|
||||
.unwrap()
|
||||
)
|
||||
} else {
|
||||
format!(
|
||||
"{}/account/login?{}",
|
||||
ROUTE_PREFIX,
|
||||
serde_urlencoded::to_string(LoginQuery {
|
||||
next: Some(next),
|
||||
..Default::default()
|
||||
})
|
||||
.unwrap()
|
||||
)
|
||||
};
|
||||
|
||||
return response!(Redirect::to(&uri));
|
||||
};
|
||||
|
||||
if form.is_some() {
|
||||
let redirect_uri = services
|
||||
.oauth
|
||||
.request_authorization_code(user_id, query)
|
||||
.await
|
||||
.map_err(WebError::BadRequest)?;
|
||||
|
||||
return response!(Redirect::to(&redirect_uri));
|
||||
}
|
||||
|
||||
let Some(client) = services.oauth.get_client_metadata(&query.client_id).await else {
|
||||
return Err(WebError::BadRequest("Invalid client ID".to_owned()));
|
||||
};
|
||||
|
||||
let scopes = query.scope.to_scopes().map_err(WebError::BadRequest)?;
|
||||
|
||||
let client_name = if let Some(name) = &client.client_name {
|
||||
name
|
||||
} else {
|
||||
"Unknown application"
|
||||
}
|
||||
.to_owned();
|
||||
|
||||
let client_avatar = {
|
||||
let avatar_type = if let Some(logo) = &client.logo_uri {
|
||||
AvatarType::Image(logo.to_string())
|
||||
} else if let Some(name) = &client.client_name
|
||||
&& let Some(char) = name.chars().next()
|
||||
{
|
||||
AvatarType::Initial(char)
|
||||
} else {
|
||||
AvatarType::Initial('?')
|
||||
};
|
||||
|
||||
Avatar { avatar_type }
|
||||
};
|
||||
|
||||
let user_avatar = Avatar::for_local_user(&services, &user_id).await;
|
||||
|
||||
response!(Grant::new(
|
||||
context,
|
||||
serde_urlencoded::to_string(LoginQuery {
|
||||
next: Some(LoginTarget::AuthorizationCode(query)),
|
||||
reauthenticate: false,
|
||||
})
|
||||
.unwrap(),
|
||||
user_id,
|
||||
user_avatar,
|
||||
client.client_uri.clone(),
|
||||
client_name,
|
||||
client_avatar,
|
||||
client.policy_uri.clone(),
|
||||
client.tos_uri.clone(),
|
||||
ClientScopes { scopes },
|
||||
))
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
use axum::Router;
|
||||
|
||||
mod grant;
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
#[allow(clippy::wildcard_imports)]
|
||||
use self::*;
|
||||
|
||||
Router::new().nest("/grant/", grant::build())
|
||||
}
|
||||
@@ -1,119 +0,0 @@
|
||||
use axum::{
|
||||
Router,
|
||||
extract::{
|
||||
Query, State,
|
||||
rejection::{FormRejection, QueryRejection},
|
||||
},
|
||||
http::StatusCode,
|
||||
response::{IntoResponse, Response},
|
||||
routing::get,
|
||||
};
|
||||
use serde::Deserialize;
|
||||
use validator::Validate;
|
||||
|
||||
use crate::{
|
||||
WebError, form,
|
||||
pages::components::{UserCard, form::Form},
|
||||
template,
|
||||
};
|
||||
|
||||
const INVALID_TOKEN_ERROR: &str = "Invalid reset token. Your reset link may have expired.";
|
||||
|
||||
template! {
|
||||
struct PasswordReset<'a> use "password_reset.html.j2" {
|
||||
user_card: UserCard<'a>,
|
||||
body: PasswordResetBody
|
||||
}
|
||||
}
|
||||
|
||||
#[derive(Debug)]
|
||||
enum PasswordResetBody {
|
||||
Form(Form<'static>),
|
||||
Success,
|
||||
}
|
||||
|
||||
form! {
|
||||
struct PasswordResetForm {
|
||||
#[validate(length(min = 1, message = "Password cannot be empty"))]
|
||||
new_password: String where {
|
||||
input_type: "password",
|
||||
label: "New password",
|
||||
autocomplete: "new-password"
|
||||
},
|
||||
|
||||
#[validate(must_match(other = "new_password", message = "Passwords must match"))]
|
||||
confirm_new_password: String where {
|
||||
input_type: "password",
|
||||
label: "Confirm new password",
|
||||
autocomplete: "new-password"
|
||||
}
|
||||
|
||||
submit: "Reset Password"
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) fn build() -> Router<crate::State> {
|
||||
Router::new()
|
||||
.route("/account/reset_password", get(get_password_reset).post(post_password_reset))
|
||||
}
|
||||
|
||||
#[derive(Deserialize)]
|
||||
struct PasswordResetQuery {
|
||||
token: String,
|
||||
}
|
||||
|
||||
async fn password_reset_form(
|
||||
services: crate::State,
|
||||
query: PasswordResetQuery,
|
||||
reset_form: Form<'static>,
|
||||
) -> Result<impl IntoResponse, WebError> {
|
||||
let Some(token) = services.password_reset.check_token(&query.token).await else {
|
||||
return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
|
||||
};
|
||||
|
||||
let user_card = UserCard::for_local_user(&services, &token.info.user).await;
|
||||
|
||||
Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Form(reset_form))
|
||||
.into_response())
|
||||
}
|
||||
|
||||
async fn get_password_reset(
|
||||
State(services): State<crate::State>,
|
||||
query: Result<Query<PasswordResetQuery>, QueryRejection>,
|
||||
) -> Result<impl IntoResponse, WebError> {
|
||||
let Query(query) = query?;
|
||||
|
||||
password_reset_form(services, query, PasswordResetForm::build(None)).await
|
||||
}
|
||||
|
||||
async fn post_password_reset(
|
||||
State(services): State<crate::State>,
|
||||
query: Result<Query<PasswordResetQuery>, QueryRejection>,
|
||||
form: Result<axum::Form<PasswordResetForm>, FormRejection>,
|
||||
) -> Result<Response, WebError> {
|
||||
let Query(query) = query?;
|
||||
let axum::Form(form) = form?;
|
||||
|
||||
match form.validate() {
|
||||
| Ok(()) => {
|
||||
let Some(token) = services.password_reset.check_token(&query.token).await else {
|
||||
return Err(WebError::BadRequest(INVALID_TOKEN_ERROR.to_owned()));
|
||||
};
|
||||
let user_id = token.info.user.clone();
|
||||
|
||||
services
|
||||
.password_reset
|
||||
.consume_token(token, &form.new_password)
|
||||
.await?;
|
||||
|
||||
let user_card = UserCard::for_local_user(&services, &user_id).await;
|
||||
Ok(PasswordReset::new(&services, user_card, PasswordResetBody::Success)
|
||||
.into_response())
|
||||
},
|
||||
| Err(err) => Ok((
|
||||
StatusCode::BAD_REQUEST,
|
||||
password_reset_form(services, query, PasswordResetForm::build(Some(err))).await,
|
||||
)
|
||||
.into_response()),
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,22 @@
|
||||
html {
|
||||
height: 100svh;
|
||||
--bg: oklch(0.44 0.177 353.06);
|
||||
background-color: var(--bg);
|
||||
background-image: linear-gradient(180deg, var(--bg) 55%, black 100%);;
|
||||
}
|
||||
|
||||
main {
|
||||
margin-top: 20vh;
|
||||
margin-left: 5%;
|
||||
margin-right: 5%;
|
||||
color: white;
|
||||
font-family: monospace;
|
||||
font-size: 1.3em;
|
||||
line-height: 1.2;
|
||||
}
|
||||
|
||||
em {
|
||||
font-size: 1.35em;
|
||||
font-weight: bold;
|
||||
white-space: nowrap;
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user