esetres 0.1.1

A self hosted file storage server.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

use crate::{
    config,
    db::schema::{Access, Token},
    jwt::validate,
};
use axum::{
    http::HeaderMap,
    routing::{get, post, put},
    Extension, Router,
};
use bcrypt::verify;
use reqwest::Method;
use std::{collections::HashMap, sync::Arc};
use tokio::sync::Mutex;
use tower::ServiceBuilder;
use tower_http::cors::{Any, CorsLayer};

pub mod buckets;

pub mod cache;

pub mod files;

pub mod health;

pub mod middleware;

pub struct AppState {
    pub config: config::Object,
    pub mime_types: HashMap<String, String>,
}

pub fn create(tokens: HashMap<String, Token>, app_state: AppState) -> Router {
    let state = Arc::new(app_state);

    let token_cache = Arc::new(Mutex::new(tokens));

    let cors = CorsLayer::new()
        .allow_origin(Any)
        .allow_methods(Any)
        .allow_headers(Any);

    let private = CorsLayer::new()
        .allow_private_network(true)
        .allow_methods([Method::POST])
        .allow_headers(Any);

    axum::Router::new()
        .route("/health", axum::routing::get(health::health_check))
        .route(
            "/buckets",
            post(buckets::create).layer(axum::middleware::from_fn(middleware::authorization)),
        )
        .route("/cache/invalidate", post(cache::invalidate).layer(private))
        .route(
            "/buckets/:bucketId/public/:resourcePath",
            get(files::public_get),
        )
        .route(
            "/buckets/:bucketId/public/:resourcePath",
            put(files::public_upload)
                .delete(files::public_delete)
                .layer(axum::middleware::from_fn(middleware::authorization)),
        )
        .route(
            "/buckets/:bucketId/private/:resourcePath",
            get(files::private_get)
                .put(files::private_upload)
                .delete(files::private_delete)
                .layer(axum::middleware::from_fn(middleware::authorization)),
        )
        .with_state(state)
        .layer(
            ServiceBuilder::new()
                .layer(cors)
                .layer(Extension(token_cache)),
        )
}

pub async fn is_authed(
    headers: HeaderMap,
    bucket_id: Option<&str>,
    required_access: Access,
    token_cache: Arc<Mutex<HashMap<String, Token>>>,
) -> bool {
    let token = if let Some(header) = headers.get("Authorization") {
        // remove `Bearer ` prefix to get token
        let header = header.to_str().unwrap();
        &header["Bearer ".len()..]
    } else {
        return false;
    };

    let token_data = if let Ok(data) = validate(token.to_string()) {
        data
    } else {
        return false;
    };

    let cache = token_cache.lock().await;

    let cached_token = if let Some(t) = cache.get(&token_data.claims.nm) {
        t
    } else {
        return false;
    };

    // controls access to specific buckets
    if let Some(identifier) = bucket_id {
        if cached_token.bucket_scope != "*" && cached_token.bucket_scope != identifier {
            return false;
        }
    }

    if cached_token.access != Access::FULL && required_access != cached_token.access {
        return false;
    }

    if let Ok(valid) = verify(&token, &cached_token.token) {
        if !valid {
            return false;
        }
    } else {
        return false;
    }

    true
}