openauth-plugins 0.0.4

Official OpenAuth plugin modules.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83

//! Plugin construction for Have I Been Pwned password checks.

use std::sync::Arc;

use openauth_core::plugin::{AuthPlugin, PluginErrorCode, PluginPasswordValidationRejection};

use super::checker::{
    sha1_prefix_suffix, HaveIBeenPwnedCheckError, HaveIBeenPwnedChecker,
    ReqwestHaveIBeenPwnedChecker,
};
use super::error::{CHECK_FAILED_MESSAGE, PASSWORD_COMPROMISED_CODE, PASSWORD_COMPROMISED_MESSAGE};
use super::options::HaveIBeenPwnedOptions;

pub const UPSTREAM_PLUGIN_ID: &str = "haveibeenpwned";
pub const RUNTIME_PLUGIN_ID: &str = "have-i-been-pwned";

pub fn have_i_been_pwned() -> AuthPlugin {
    have_i_been_pwned_with_options(HaveIBeenPwnedOptions::default())
}

pub fn have_i_been_pwned_with_options(options: HaveIBeenPwnedOptions) -> AuthPlugin {
    have_i_been_pwned_with_checker(options, Arc::new(ReqwestHaveIBeenPwnedChecker::new()))
}

pub fn have_i_been_pwned_with_checker(
    options: HaveIBeenPwnedOptions,
    checker: Arc<dyn HaveIBeenPwnedChecker>,
) -> AuthPlugin {
    let plugin_options = serde_json::json!({
        "enabled": options.enabled,
        "paths": options.paths,
        "customPasswordCompromisedMessage": options.custom_password_compromised_message,
    });
    let validation_options = options.clone();
    let validation_checker = Arc::clone(&checker);

    AuthPlugin::new(RUNTIME_PLUGIN_ID)
        .with_version(crate::VERSION)
        .with_options(plugin_options)
        .with_error_code(PluginErrorCode::new(
            PASSWORD_COMPROMISED_CODE,
            PASSWORD_COMPROMISED_MESSAGE,
        ))
        .with_password_validator(move |_context, input| {
            let options = validation_options.clone();
            let checker = Arc::clone(&validation_checker);
            Box::pin(async move {
                if !options.enabled || !options.paths.iter().any(|path| path == &input.path) {
                    return Ok(());
                }
                if input.password.is_empty() {
                    return Ok(());
                }
                let (prefix, suffix) = sha1_prefix_suffix(&input.password);
                let compromised = checker
                    .is_hash_suffix_compromised(&prefix, &suffix)
                    .await
                    .map_err(check_error_response)?;
                if compromised {
                    return Err(PluginPasswordValidationRejection::bad_request(
                        PASSWORD_COMPROMISED_CODE,
                        options
                            .custom_password_compromised_message
                            .unwrap_or_else(|| PASSWORD_COMPROMISED_MESSAGE.to_owned()),
                    ));
                }
                Ok(())
            })
        })
}

fn check_error_response(error: HaveIBeenPwnedCheckError) -> PluginPasswordValidationRejection {
    match error {
        HaveIBeenPwnedCheckError::HttpStatus(status) => {
            PluginPasswordValidationRejection::internal_server_error(format!(
                "Failed to check password. Status: {status}"
            ))
        }
        HaveIBeenPwnedCheckError::Transport(_) => {
            PluginPasswordValidationRejection::internal_server_error(CHECK_FAILED_MESSAGE)
        }
    }
}