de_server: Implement request authentication

Relates to DigitalExtinction#255.

crates/server/Cargo.toml

@@ -14,6 +14,7 @@ categories.workspace = true
 
 [dependencies]
 actix-web = "4.2.1"
+actix-web-httpauth = "0.8.0"
 anyhow = "1.0.66"
 base64 = "0.13.1"
 env_logger = "0.10.0"

crates/server/src/auth/endpoints.rs

@@ -9,7 +9,7 @@ use super::{
 
 /// Registers all authentication endpoints.
 pub(super) fn configure(cfg: &mut web::ServiceConfig) {
-    cfg.service(web::scope("/p/auth").service(sign_up).service(sign_in));
+    cfg.service(web::scope("/auth").service(sign_up).service(sign_in));
 }
 
 #[post("/sign-up")]

crates/server/src/auth/middleware.rs

@@ -0,0 +1,82 @@
+use std::future::{ready, Ready};
+
+use actix_web::{
+    dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform},
+    error::ErrorUnauthorized,
+    http::header::Header,
+    web, Error, HttpMessage,
+};
+use actix_web_httpauth::headers::authorization::{Authorization, Bearer};
+use futures_util::future::LocalBoxFuture;
+use log::warn;
+
+use super::token::Tokens;
+
+pub struct AuthMiddlewareFactory;
+
+impl<S, B> Transform<S, ServiceRequest> for AuthMiddlewareFactory
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<B>;
+    type Error = Error;
+    type InitError = ();
+    type Transform = AuthMiddleware<S>;
+    type Future = Ready<Result<Self::Transform, Self::InitError>>;
+
+    fn new_transform(&self, service: S) -> Self::Future {
+        ready(Ok(AuthMiddleware { service }))
+    }
+}
+
+pub struct AuthMiddleware<S> {
+    service: S,
+}
+
+impl<S, B> Service<ServiceRequest> for AuthMiddleware<S>
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = Error>,
+    S::Future: 'static,
+    B: 'static,
+{
+    type Response = ServiceResponse<B>;
+    type Error = Error;
+    type Future = LocalBoxFuture<'static, Result<Self::Response, Self::Error>>;
+
+    forward_ready!(service);
+
+    fn call(&self, req: ServiceRequest) -> Self::Future {
+        let tokens = req.app_data::<web::Data<Tokens>>().unwrap().as_ref();
+
+        match Authorization::<Bearer>::parse(&req) {
+            Ok(auth) => match tokens.decode(auth.as_ref().token()) {
+                Ok(claims) => {
+                    let previous = req.extensions_mut().insert(claims);
+                    assert!(previous.is_none());
+                }
+                Err(error) => {
+                    warn!("JWT decoding error: {:?}", error);
+                    return Box::pin(async move {
+                        Err(ErrorUnauthorized(format!(
+                            "Invalid Bearer token provided: {}",
+                            error
+                        )))
+                    });
+                }
+            },
+            Err(error) => {
+                warn!("JWT extraction error: {:?}", error);
+                return Box::pin(async move {
+                    Err(ErrorUnauthorized(
+                        "Authorization header with Bearer token not provided.",
+                    ))
+                });
+            }
+        }
+
+        let fut = self.service.call(req);
+        Box::pin(async move { fut.await })
+    }
+}

crates/server/src/auth/mod.rs

@@ -2,11 +2,13 @@ use actix_web::web;
 use anyhow::{ensure, Context, Result};
 use sqlx::{Pool, Sqlite};
 
+pub use self::middleware::AuthMiddlewareFactory;
 use self::{db::Users, token::Tokens};
 use crate::conf;
 
 mod db;
 mod endpoints;
+mod middleware;
 pub mod model;
 mod passwd;
 mod token;
@@ -52,10 +54,14 @@ impl Auth {
         })
     }
 
-    /// Configure actix-web application.
-    pub fn configure(&self, cfg: &mut web::ServiceConfig) {
+    /// Configure root scope of the actix-web application.
+    pub fn configure_root(&self, cfg: &mut web::ServiceConfig) {
         cfg.app_data(web::Data::new(self.tokens.clone()));
         cfg.app_data(web::Data::new(self.users.clone()));
+    }
+
+    /// Configure public scope of the actix-web application.
+    pub fn configure_public(&self, cfg: &mut web::ServiceConfig) {
         endpoints::configure(cfg);
     }
 }

crates/server/src/auth/token.rs

@@ -1,5 +1,7 @@
 use anyhow::{Context, Result};
-use jsonwebtoken::{encode, get_current_timestamp, EncodingKey, Header};
+use jsonwebtoken::{
+    decode, encode, get_current_timestamp, DecodingKey, EncodingKey, Header, Validation,
+};
 use serde::{Deserialize, Serialize};
 
 const TOKEN_LIFETIME: u64 = 86400;
@@ -25,19 +27,31 @@ impl Claims {
 #[derive(Clone)]
 pub(super) struct Tokens {
     encoding_key: EncodingKey,
+    decoding_key: DecodingKey,
 }
 
 impl Tokens {
     pub(super) fn new(secret: &str) -> Result<Self> {
         let secret = base64::decode(secret).context("Failed to decode JWT secret")?;
         let encoding_key = EncodingKey::from_secret(secret.as_ref());
-        Ok(Self { encoding_key })
+        let decoding_key = DecodingKey::from_secret(secret.as_ref());
+        Ok(Self {
+            encoding_key,
+            decoding_key,
+        })
     }
 
     /// Encodes a user ID into a new JWT.
     pub(super) fn encode(&self, claims: &Claims) -> Result<String> {
         encode(&Header::default(), &claims, &self.encoding_key).context("Failed to encode JWT")
     }
+
+    /// Decodes and validates a JWT.
+    pub fn decode(&self, token: &str) -> Result<Claims> {
+        decode(token, &self.decoding_key, &Validation::default())
+            .context("Failed to decode JWT")
+            .map(|t| t.claims)
+    }
 }
 
 #[cfg(test)]
@@ -51,5 +65,7 @@ mod tests {
         let token_a = tokens.encode(&Claims::standard("Indy")).unwrap();
         let token_b = tokens.encode(&Claims::standard("Indy2")).unwrap();
         assert_ne!(token_a, token_b);
+        assert_eq!(tokens.decode(&token_a).unwrap().sub, "Indy");
+        assert_eq!(tokens.decode(&token_b).unwrap().sub, "Indy2");
     }
 }

crates/server/src/games/endpoints.rs

@@ -8,7 +8,7 @@ use super::{
 
 /// Registers all authentication endpoints.
 pub(super) fn configure(cfg: &mut web::ServiceConfig) {
-    cfg.service(web::scope("/a/games").service(create).service(list));
+    cfg.service(web::scope("/games").service(create).service(list));
 }
 
 #[post("/")]

crates/server/src/main.rs

@@ -1,6 +1,6 @@
 use actix_web::{middleware::Logger, web, App, HttpServer};
 use anyhow::{Context, Result};
-use auth::Auth;
+use auth::{Auth, AuthMiddlewareFactory};
 use games::GamesService;
 use log::info;
 use sqlx::{sqlite::SqlitePoolOptions, Pool, Sqlite};
@@ -44,11 +44,17 @@ async fn main() -> std::io::Result<()> {
     let games = handle_error!(GamesService::setup(db_pool).await);
 
     HttpServer::new(move || {
+        let public_scope = web::scope("/p").configure(|c| auth.configure_public(c));
+        let authenticated_scope = web::scope("/a")
+            .wrap(AuthMiddlewareFactory)
+            .configure(|c| games.configure(c));
+
         App::new()
             .wrap(Logger::default())
             .app_data(json_cfg.clone())
-            .configure(|c| auth.configure(c))
-            .configure(|c| games.configure(c))
+            .configure(|c| auth.configure_root(c))
+            .service(public_scope)
+            .service(authenticated_scope)
     })
     .bind(("0.0.0.0", http_port))?
     .run()

docs/content/lobby/openapi.yaml

@@ -64,6 +64,8 @@ paths:
     get:
       summary: List games.
       description: This endpoint returns list of all games on the server.
+      security:
+        - bearerAuth: []
       responses:
         "200":
           description: Game listing.
@@ -79,6 +81,8 @@ paths:
         This endpoint is used to crate a new game. The user automatically joins
         the game. It is not possible to simultaneously be part of multiple
         games.
+      security:
+        - bearerAuth: []
       requestBody:
         content:
           application/json:
@@ -97,6 +101,12 @@ paths:
           description: A different game with the same name already exists.
 
 components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+
   schemas:
     token-response:
       type: object