basileus 0.3.0

All-in-one library for user management, authorization, sessions and permission management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

use std::{collections::HashMap, fmt::Display, sync::Mutex};

use base64::{Engine, prelude::BASE64_URL_SAFE};
use sha2::{Digest, Sha256};

use crate::{
    Basileus,
    err::{BeginPkceError, VerifyPkceError},
};

#[derive(Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct Pkce {
    /// Base64URL-encoded [code challenge](https://datatracker.ietf.org/doc/html/rfc7636#section-4.2).
    pub code_challenge: String,
    /// The code challenge method, **must** be "S256".
    pub code_challenge_method: String,
}

impl Pkce {
    pub fn new(code_challenge: String) -> Self {
        Self {
            code_challenge,
            code_challenge_method: "S256".into(),
        }
    }
}

impl Display for Pkce {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(
            f,
            "PKCE {}:{}",
            self.code_challenge_method, self.code_challenge
        )
    }
}

pub struct PkceModule {
    /// Map from PKCE challenges to their beloinging users.
    pending: Mutex<HashMap<Pkce, String>>,
}

impl PkceModule {
    pub fn new() -> Self {
        Self {
            pending: Mutex::new(HashMap::new()),
        }
    }
}

impl Basileus {
    pub async fn begin_pkce(
        &self,
        user: &str,
        pass: &str,
        pkce: Pkce,
    ) -> Result<(), BeginPkceError> {
        if !self.verify_pass(user, pass).await? {
            return Err(BeginPkceError::Unauthorized);
        }
        if pkce.code_challenge_method != "S256" {
            return Err(BeginPkceError::UnsupportedMethod);
        }
        self.pkce.pending.lock().unwrap().insert(pkce, user.into());
        Ok(())
    }

    pub fn verify_pkce(&self, code_verifier: &str) -> Result<String, VerifyPkceError> {
        let hash = Sha256::digest(code_verifier);
        let code_challenge = BASE64_URL_SAFE.encode(hash);
        let pkce = Pkce::new(code_challenge);

        let mut pending = self.pkce.pending.lock().unwrap();

        if let Some(user) = pending.remove(&pkce) {
            Ok(user)
        } else {
            Err(VerifyPkceError::InvalidVerifier)
        }
    }
}