baileytownsend.dev
Microservice to bring 2FA to self hosted PDSes
down graded to a public client
+27
-70
src/admin/oauth.rs
+27
-70
src/admin/oauth.rs
···
1
+
use crate::AppState;
1
2
use axum::{
2
3
extract::{Query, State},
3
4
http::StatusCode,
···
16
17
};
17
18
use jose_jwk::Jwk;
18
19
use serde::Deserialize;
19
-
20
-
use crate::AppState;
20
+
use tracing::log;
21
21
22
22
use super::session;
23
23
···
26
26
27
27
/// Initialize the OAuth client for admin portal authentication.
28
28
pub fn init_oauth_client(pds_hostname: &str) -> Result<AdminOAuthClient, anyhow::Error> {
29
-
// Generate ES256 keypair
30
-
let secret_key = p256::SecretKey::random(&mut p256::elliptic_curve::rand_core::OsRng);
31
-
let public_key = secret_key.public_key();
32
-
33
-
// Build JWK JSON manually with both public and private components
34
-
let public_jwk_str = public_key.to_jwk_string();
35
-
let mut jwk: serde_json::Value = serde_json::from_str(&public_jwk_str)?;
36
-
37
-
// Add the private key component 'd'
38
-
let secret_scalar = secret_key.to_bytes();
39
-
let d_b64 = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(secret_scalar.as_slice());
40
-
let jwk_obj = jwk
41
-
.as_object_mut()
42
-
.ok_or_else(|| anyhow::anyhow!("JWK is not an object"))?;
43
-
jwk_obj.insert("d".to_string(), serde_json::Value::String(d_b64));
44
-
45
-
// Add kid and alg
46
-
let kid = uuid::Uuid::new_v4().to_string();
47
-
jwk_obj.insert("kid".to_string(), serde_json::Value::String(kid));
48
-
jwk_obj.insert(
49
-
"alg".to_string(),
50
-
serde_json::Value::String("ES256".to_string()),
51
-
);
52
-
jwk_obj.insert(
53
-
"use".to_string(),
54
-
serde_json::Value::String("sig".to_string()),
55
-
);
56
-
57
-
// Parse into jose-jwk type for Keyset
58
-
let jose_jwk: Jwk = serde_json::from_value(jwk)?;
59
-
let keyset = Keyset::try_from(vec![jose_jwk])?;
60
-
61
29
// Build client metadata
62
30
let client_id = format!("https://{}/admin/client-metadata.json", pds_hostname)
63
31
.parse()
···
74
42
Some(client_uri),
75
43
vec![redirect_uri],
76
44
vec![GrantType::AuthorizationCode],
77
-
vec![
78
-
jacquard_oauth::scopes::Scope::parse("atproto").expect("valid scope"),
79
-
],
45
+
vec![jacquard_oauth::scopes::Scope::parse("atproto").expect("valid scope")],
80
46
None,
81
47
);
82
48
83
-
let client_data = ClientData::new(Some(keyset), config);
49
+
let client_data = ClientData::new(None, config);
84
50
let store = MemoryAuthStore::new();
85
51
let client = OAuthClient::new(store, client_data);
86
52
···
99
65
let redirect_uri = format!("https://{}/admin/oauth/callback", pds_hostname);
100
66
let client_uri = format!("https://{}/admin/", pds_hostname);
101
67
102
-
let jwks = oauth_client.jwks();
103
-
104
68
let metadata = serde_json::json!({
105
69
"client_id": client_id,
106
70
"client_uri": client_uri,
···
108
72
"grant_types": ["authorization_code"],
109
73
"response_types": ["code"],
110
74
"scope": "atproto",
111
-
"token_endpoint_auth_method": "private_key_jwt",
112
-
"token_endpoint_auth_signing_alg": "ES256",
75
+
"token_endpoint_auth_method": "none",
113
76
"application_type": "web",
114
77
"dpop_bound_access_tokens": true,
115
-
"jwks": jwks,
78
+
116
79
});
117
80
118
81
(
···
137
100
}
138
101
139
102
use axum_template::TemplateEngine;
140
-
match state.template_engine.render("admin/login.hbs", data)
141
-
{
103
+
match state.template_engine.render("admin/login.hbs", data) {
142
104
Ok(html) => Html(html).into_response(),
143
105
Err(e) => {
144
106
tracing::error!("Failed to render login template: {}", e);
···
168
130
};
169
131
170
132
let pds_hostname = &state.app_config.pds_hostname;
171
-
let redirect_uri: url::Url =
172
-
match format!("https://{}/admin/oauth/callback", pds_hostname).parse() {
173
-
Ok(u) => u,
174
-
Err(_) => {
175
-
return Redirect::to("/admin/login?error=Invalid+server+configuration")
176
-
.into_response()
177
-
}
178
-
};
133
+
let redirect_uri: url::Url = match format!("https://{}/admin/oauth/callback", pds_hostname)
134
+
.parse()
135
+
{
136
+
Ok(u) => u,
137
+
Err(_) => {
138
+
return Redirect::to("/admin/login?error=Invalid+server+configuration").into_response();
139
+
}
140
+
};
179
141
180
142
let options = AuthorizeOptions {
181
143
redirect_uri: Some(redirect_uri),
···
242
204
let (did, handle) = oauth_session.session_info().await;
243
205
let did_str = did.to_string();
244
206
let handle_str = handle.to_string();
245
-
207
+
log::info!("Authenticated as DID {} ({})", did_str, handle_str);
246
208
// Check if this DID is a member in the RBAC config
247
209
if !rbac.is_member(&did_str) {
248
210
tracing::warn!("Access denied for DID {} (not in RBAC config)", did_str);
···
258
220
259
221
// Create admin session
260
222
let ttl_hours = state.app_config.admin_session_ttl_hours;
261
-
let session_id = match session::create_session(
262
-
&state.pds_gatekeeper_pool,
263
-
&did_str,
264
-
&handle_str,
265
-
ttl_hours,
266
-
)
267
-
.await
268
-
{
269
-
Ok(id) => id,
270
-
Err(e) => {
271
-
tracing::error!("Failed to create admin session: {}", e);
272
-
return Redirect::to("/admin/login?error=Session+creation+failed").into_response();
273
-
}
274
-
};
223
+
let session_id =
224
+
match session::create_session(&state.pds_gatekeeper_pool, &did_str, &handle_str, ttl_hours)
225
+
.await
226
+
{
227
+
Ok(id) => id,
228
+
Err(e) => {
229
+
tracing::error!("Failed to create admin session: {}", e);
230
+
return Redirect::to("/admin/login?error=Session+creation+failed").into_response();
231
+
}
232
+
};
275
233
276
234
// Set signed cookie
277
235
let mut cookie = Cookie::new("__gatekeeper_admin_session", session_id);
···
293
251
});
294
252
295
253
use axum_template::TemplateEngine;
296
-
match state.template_engine.render("admin/error.hbs", data)
297
-
{
254
+
match state.template_engine.render("admin/error.hbs", data) {
298
255
Ok(html) => Html(html).into_response(),
299
256
Err(_) => (StatusCode::FORBIDDEN, format!("{}: {}", title, message)).into_response(),
300
257
}