oauth2

2026-06-18 18:26:40 +02:00
parent 7da4109584
commit 42bab82960
25 changed files with 1250 additions and 5 deletions
--- a/src/app.rs
+++ b/src/app.rs
@@ -18,7 +18,8 @@ use std::{path::Path, sync::Arc};
 use crate::{
    controllers::{
        admin_categories, admin_dashboard, admin_form, admin_orders,
-        admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, shop,
+        admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, oauth2,
+        shop,
    },
    initializers,
    models::_entities::users,
@@ -75,6 +76,8 @@ impl Hooks for App {
            Box::new(initializers::view_engine::ViewEngineInitializer),
            Box::new(initializers::admin_seeder::AdminSeeder),
            Box::new(initializers::shipping_seeder::ShippingSeeder),
+            Box::new(initializers::oauth2::OAuth2StoreInitializer),
+            Box::new(initializers::oauth2_session::OAuth2SessionInitializer),
        ])
    }

@@ -88,6 +91,7 @@ impl Hooks for App {
            // cross-cutting
            .add_route(auth::routes())
            .add_route(auth_pages::routes())
+            .add_route(oauth2::routes())
            .add_route(i18n::routes())
            .add_route(media::routes())
            // admin
--- a/src/controllers/mod.rs
+++ b/src/controllers/mod.rs
@@ -1,5 +1,6 @@
 pub mod auth;
 pub mod auth_pages;
+pub mod oauth2;
 pub mod admin_categories;
 pub mod admin_dashboard;
 pub mod admin_form;
--- a/src/controllers/oauth2.rs
+++ b/src/controllers/oauth2.rs
@@ -0,0 +1,56 @@
+//! HTML OAuth2 (Google) sign-in.
+//!
+//! The provider round-trip is handled by loco-oauth2's built-in authorize +
+//! cookie-callback handlers. The callback upserts the user, stores an OAuth2
+//! session, sets loco-oauth2's *private* session cookie, and redirects to the
+//! configured `protected_url` — which is our [`complete`] handler. There we
+//! trade the OAuth2 session for OUR Loco `auth_token` JWT cookie, so the rest of
+//! the app (the Casbin layer, `guard`, the unified `/login`) treats a Google
+//! user exactly like a password login. Admins (matching `ADMIN_EMAIL`) land on
+//! the dashboard, everyone else on the storefront.
+
+use loco_oauth2::controllers::{
+    middleware::OAuth2CookieUser,
+    oauth2::{google_authorization_url, google_callback_cookie},
+};
+use loco_rs::prelude::*;
+
+use crate::{
+    controllers::auth as auth_controller,
+    models::{o_auth2_sessions, users, users::OAuth2UserProfile},
+    shared::guard,
+};
+
+type GoogleCookieUser = OAuth2CookieUser<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>;
+
+/// Bridge from loco-oauth2's session cookie to our own auth cookie.
+#[debug_handler]
+async fn complete(State(ctx): State<AppContext>, user: GoogleCookieUser) -> Result<Response> {
+    let user: &users::Model = user.as_ref();
+    let jwt_secret = ctx.config.get_jwt_config()?;
+    let token = user
+        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
+        .or_else(|_| unauthorized("unauthorized!"))?;
+    let dest = if guard::is_admin(&ctx, user) {
+        "/admin/dashboard"
+    } else {
+        "/"
+    };
+    format::render()
+        .cookies(&[auth_controller::auth_cookie(&token, jwt_secret.expiration)])?
+        .redirect(dest)
+}
+
+pub fn routes() -> Routes {
+    Routes::new()
+        .prefix("api/oauth2")
+        // Redirects the browser to Google's consent screen.
+        .add("/google", get(google_authorization_url))
+        // Google redirects back here; loco-oauth2 exchanges the code, upserts
+        // the user, and redirects to `protected_url` (/api/oauth2/protected).
+        .add(
+            "/google/callback/cookie",
+            get(google_callback_cookie::<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>),
+        )
+        .add("/protected", get(complete))
+}
--- a/src/initializers/mod.rs
+++ b/src/initializers/mod.rs
@@ -1,3 +1,5 @@
 pub mod admin_seeder;
+pub mod oauth2;
+pub mod oauth2_session;
 pub mod shipping_seeder;
 pub mod view_engine;
--- a/src/initializers/oauth2.rs
+++ b/src/initializers/oauth2.rs
@@ -0,0 +1,36 @@
+//! Builds the loco-oauth2 client store from `initializers.oauth2` config and
+//! injects it as an Axum extension so the oauth2 controllers can reach it.
+
+use axum::{Extension, Router as AxumRouter};
+use loco_oauth2::{config::Config as OAuth2Config, OAuth2ClientStore};
+use loco_rs::prelude::*;
+
+pub struct OAuth2StoreInitializer;
+
+#[async_trait]
+impl Initializer for OAuth2StoreInitializer {
+    fn name(&self) -> String {
+        "oauth2-store".to_string()
+    }
+
+    async fn after_routes(&self, router: AxumRouter, ctx: &AppContext) -> Result<AxumRouter> {
+        let settings = ctx.config.initializers.clone().ok_or_else(|| {
+            Error::Message("Initializers config not configured for OAuth2".to_string())
+        })?;
+        let oauth2_config_value = settings
+            .get("oauth2")
+            .ok_or_else(|| {
+                Error::Message("oauth2 config not found in initializers configuration".to_string())
+            })?
+            .clone();
+        let oauth2_config: OAuth2Config = oauth2_config_value.try_into().map_err(|e| {
+            tracing::error!(error = ?e, "could not convert oauth2 config from yaml");
+            Error::Message("could not convert oauth2 config from yaml".to_string())
+        })?;
+        let oauth2_store = OAuth2ClientStore::new(oauth2_config).map_err(|e| {
+            tracing::error!(error = ?e, "could not create oauth2 store from config");
+            Error::Message("could not create oauth2 store from config".to_string())
+        })?;
+        Ok(router.layer(Extension(oauth2_store)))
+    }
+}
--- a/src/initializers/oauth2_session.rs
+++ b/src/initializers/oauth2_session.rs
@@ -0,0 +1,25 @@
+//! tower-sessions layer that loco-oauth2 uses to hold the short-lived CSRF /
+//! PKCE state between the authorize redirect and the provider callback. An
+//! in-memory store is sufficient since the state only needs to survive the
+//! round-trip to the provider.
+
+use axum::Router as AxumRouter;
+use loco_rs::prelude::*;
+use tower_sessions::{cookie::time::Duration, Expiry, MemoryStore, SessionManagerLayer};
+
+pub struct OAuth2SessionInitializer;
+
+#[async_trait]
+impl Initializer for OAuth2SessionInitializer {
+    fn name(&self) -> String {
+        "oauth2-session".to_string()
+    }
+
+    async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
+        let session_store = MemoryStore::default();
+        let session_layer = SessionManagerLayer::new(session_store)
+            .with_secure(false)
+            .with_expiry(Expiry::OnInactivity(Duration::minutes(10)));
+        Ok(router.layer(session_layer))
+    }
+}
--- a/src/models/_entities/mod.rs
+++ b/src/models/_entities/mod.rs
@@ -4,6 +4,7 @@ pub mod prelude;

 pub mod audit_logs;
 pub mod categories;
+pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
 pub mod product_images;
--- a/src/models/_entities/o_auth2_sessions.rs
+++ b/src/models/_entities/o_auth2_sessions.rs
@@ -0,0 +1,36 @@
+//! `SeaORM` Entity for loco-oauth2 sessions. Hand-written to match the
+//! `o_auth2_sessions` migration (the rest of `_entities/` is codegen; this table
+//! is owned by the loco-oauth2 integration).
+
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
+#[sea_orm(table_name = "o_auth2_sessions")]
+pub struct Model {
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+    #[sea_orm(primary_key)]
+    pub id: i32,
+    pub session_id: String,
+    pub expires_at: DateTimeUtc,
+    pub user_id: i32,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::users::Entity",
+        from = "Column::UserId",
+        to = "super::users::Column::Id",
+        on_update = "Cascade",
+        on_delete = "Cascade"
+    )]
+    Users,
+}
+
+impl Related<super::users::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Users.def()
+    }
+}
--- a/src/models/_entities/prelude.rs
+++ b/src/models/_entities/prelude.rs
@@ -2,6 +2,7 @@

 pub use super::audit_logs::Entity as AuditLogs;
 pub use super::categories::Entity as Categories;
+pub use super::o_auth2_sessions::Entity as OAuth2Sessions;
 pub use super::order_items::Entity as OrderItems;
 pub use super::orders::Entity as Orders;
 pub use super::product_images::Entity as ProductImages;
--- a/src/models/mod.rs
+++ b/src/models/mod.rs
@@ -8,6 +8,7 @@ pub mod _entities;

 pub mod audit_logs;
 pub mod categories;
+pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
 pub mod product_images;
--- a/src/models/o_auth2_sessions.rs
+++ b/src/models/o_auth2_sessions.rs
@@ -0,0 +1,79 @@
+pub use super::_entities::o_auth2_sessions::{ActiveModel, Column, Entity, Model};
+use crate::models::{o_auth2_sessions, users};
+use async_trait::async_trait;
+use chrono::Utc;
+use loco_oauth2::base_oauth2::{basic::BasicTokenResponse, TokenResponse};
+use loco_oauth2::models::oauth2_sessions::OAuth2SessionsTrait;
+use loco_rs::prelude::*;
+use sea_orm::entity::prelude::*;
+
+pub type OAuth2Sessions = Entity;
+
+#[async_trait::async_trait]
+impl ActiveModelBehavior for ActiveModel {
+    async fn before_save<C>(self, _db: &C, insert: bool) -> std::result::Result<Self, DbErr>
+    where
+        C: ConnectionTrait,
+    {
+        if !insert && self.updated_at.is_unchanged() {
+            let mut this = self;
+            this.updated_at = sea_orm::ActiveValue::Set(Utc::now());
+            Ok(this)
+        } else {
+            Ok(self)
+        }
+    }
+}
+
+#[async_trait]
+impl OAuth2SessionsTrait<users::Model> for Model {
+    /// Whether the session identified by `session_id` has expired.
+    async fn is_expired(db: &DatabaseConnection, session_id: &str) -> ModelResult<bool> {
+        let session = o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::SessionId.eq(session_id))
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)?;
+        Ok(session.expires_at < Utc::now())
+    }
+
+    /// Create or refresh the session row for `user` from the provider token.
+    async fn upsert_with_oauth2(
+        db: &DatabaseConnection,
+        token: &BasicTokenResponse,
+        user: &users::Model,
+    ) -> ModelResult<Self> {
+        let txn = db.begin().await?;
+        let session_id = token.access_token().secret().clone();
+        let expires_at = Utc::now()
+            + token
+                .expires_in()
+                .unwrap_or(std::time::Duration::from_secs(3600));
+
+        let session = match o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::UserId.eq(user.id))
+            .one(&txn)
+            .await?
+        {
+            Some(session) => {
+                let mut session: o_auth2_sessions::ActiveModel = session.into();
+                session.session_id = ActiveValue::set(session_id);
+                session.expires_at = ActiveValue::set(expires_at);
+                session.updated_at = ActiveValue::set(Utc::now());
+                session.update(&txn).await?
+            }
+            None => {
+                o_auth2_sessions::ActiveModel {
+                    session_id: ActiveValue::set(session_id),
+                    expires_at: ActiveValue::set(expires_at),
+                    user_id: ActiveValue::set(user.id),
+                    ..Default::default()
+                }
+                .insert(&txn)
+                .await?
+            }
+        };
+        txn.commit().await?;
+        Ok(session)
+    }
+}
--- a/src/models/users.rs
+++ b/src/models/users.rs
@@ -1,10 +1,13 @@
 use async_trait::async_trait;
 use chrono::{offset::Local, Duration};
+use loco_oauth2::models::users::OAuth2UserTrait;
 use loco_rs::{auth::jwt, hash, prelude::*};
+use passwords::PasswordGenerator;
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
 use uuid::Uuid;

+use crate::models::_entities::o_auth2_sessions;
 pub use crate::models::_entities::users::{self, ActiveModel, Entity, Model};

 pub const MAGIC_LINK_LENGTH: i8 = 32;
@@ -367,3 +370,93 @@ impl ActiveModel {
        self.update(db).await.map_err(ModelError::from)
    }
 }
+
+/// Google OpenID Connect user profile (the fields our scopes request).
+/// <https://developers.google.com/identity/openid-connect/openid-connect#obtainuserinfo>
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct OAuth2UserProfile {
+    pub email: String,
+    pub name: String,
+    pub sub: String,
+    pub email_verified: bool,
+    pub given_name: Option<String>,
+    pub family_name: Option<String>,
+    pub picture: Option<String>,
+    pub locale: Option<String>,
+}
+
+#[async_trait]
+impl OAuth2UserTrait<OAuth2UserProfile> for Model {
+    /// Resolve the user behind an active OAuth2 session id.
+    async fn find_by_oauth2_session_id(
+        db: &DatabaseConnection,
+        session_id: &str,
+    ) -> ModelResult<Self> {
+        let session = o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::SessionId.eq(session_id))
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)?;
+        users::Entity::find_by_id(session.user_id)
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)
+    }
+
+    /// Find-or-create the local user for a verified OAuth2 profile.
+    ///
+    /// Per security advisory LOC-2025-04, OAuth2-created accounts get a strong
+    /// RANDOM password (never the provider `sub`) — they sign in via the
+    /// provider, and the random secret just satisfies the NOT NULL column.
+    /// Google has already verified the email, so we mark it verified.
+    async fn upsert_with_oauth(
+        db: &DatabaseConnection,
+        profile: &OAuth2UserProfile,
+    ) -> ModelResult<Self> {
+        let txn = db.begin().await?;
+        let user = match users::Entity::find()
+            .filter(users::Column::Email.eq(&profile.email))
+            .one(&txn)
+            .await?
+        {
+            Some(user) => user,
+            None => {
+                let password = PasswordGenerator::new()
+                    .length(16)
+                    .numbers(true)
+                    .lowercase_letters(true)
+                    .uppercase_letters(true)
+                    .symbols(true)
+                    .exclude_similar_characters(true)
+                    .strict(true)
+                    .generate_one()
+                    .map_err(|e| ModelError::Any(e.into()))?;
+                let password_hash =
+                    hash::hash_password(&password).map_err(|e| ModelError::Any(e.into()))?;
+                users::ActiveModel {
+                    email: ActiveValue::set(profile.email.to_string()),
+                    name: ActiveValue::set(profile.name.to_string()),
+                    email_verified_at: ActiveValue::set(Some(Local::now().into())),
+                    password: ActiveValue::set(password_hash),
+                    ..Default::default()
+                }
+                .insert(&txn)
+                .await
+                .map_err(|e| {
+                    tracing::error!(error = %e, "failed to create OAuth2 user");
+                    ModelError::Any(e.into())
+                })?
+            }
+        };
+        txn.commit().await?;
+        Ok(user)
+    }
+
+    /// Required by the trait; mirrors the inherent [`Model::generate_jwt`]
+    /// (inlined to avoid the inherent/trait name clash).
+    fn generate_jwt(&self, secret: &str, expiration: &u64) -> ModelResult<String> {
+        jwt::JWT::new(secret)
+            .generate_token(*expiration, self.pid.to_string(), Map::new())
+            .map_err(ModelError::from)
+    }
+}