oauth2
This commit is contained in:
Priec
@@ -1,10 +1,13 @@
|
||||
use async_trait::async_trait;
|
||||
use chrono::{offset::Local, Duration};
|
||||
use loco_oauth2::models::users::OAuth2UserTrait;
|
||||
use loco_rs::{auth::jwt, hash, prelude::*};
|
||||
use passwords::PasswordGenerator;
|
||||
use serde::{Deserialize, Serialize};
|
||||
use serde_json::Map;
|
||||
use uuid::Uuid;
|
||||
|
||||
use crate::models::_entities::o_auth2_sessions;
|
||||
pub use crate::models::_entities::users::{self, ActiveModel, Entity, Model};
|
||||
|
||||
pub const MAGIC_LINK_LENGTH: i8 = 32;
|
||||
@@ -367,3 +370,93 @@ impl ActiveModel {
|
||||
self.update(db).await.map_err(ModelError::from)
|
||||
}
|
||||
}
|
||||
|
||||
/// Google OpenID Connect user profile (the fields our scopes request).
|
||||
/// <https://developers.google.com/identity/openid-connect/openid-connect#obtainuserinfo>
|
||||
#[derive(Serialize, Deserialize, Clone, Debug)]
|
||||
pub struct OAuth2UserProfile {
|
||||
pub email: String,
|
||||
pub name: String,
|
||||
pub sub: String,
|
||||
pub email_verified: bool,
|
||||
pub given_name: Option<String>,
|
||||
pub family_name: Option<String>,
|
||||
pub picture: Option<String>,
|
||||
pub locale: Option<String>,
|
||||
}
|
||||
|
||||
#[async_trait]
|
||||
impl OAuth2UserTrait<OAuth2UserProfile> for Model {
|
||||
/// Resolve the user behind an active OAuth2 session id.
|
||||
async fn find_by_oauth2_session_id(
|
||||
db: &DatabaseConnection,
|
||||
session_id: &str,
|
||||
) -> ModelResult<Self> {
|
||||
let session = o_auth2_sessions::Entity::find()
|
||||
.filter(o_auth2_sessions::Column::SessionId.eq(session_id))
|
||||
.one(db)
|
||||
.await?
|
||||
.ok_or_else(|| ModelError::EntityNotFound)?;
|
||||
users::Entity::find_by_id(session.user_id)
|
||||
.one(db)
|
||||
.await?
|
||||
.ok_or_else(|| ModelError::EntityNotFound)
|
||||
}
|
||||
|
||||
/// Find-or-create the local user for a verified OAuth2 profile.
|
||||
///
|
||||
/// Per security advisory LOC-2025-04, OAuth2-created accounts get a strong
|
||||
/// RANDOM password (never the provider `sub`) — they sign in via the
|
||||
/// provider, and the random secret just satisfies the NOT NULL column.
|
||||
/// Google has already verified the email, so we mark it verified.
|
||||
async fn upsert_with_oauth(
|
||||
db: &DatabaseConnection,
|
||||
profile: &OAuth2UserProfile,
|
||||
) -> ModelResult<Self> {
|
||||
let txn = db.begin().await?;
|
||||
let user = match users::Entity::find()
|
||||
.filter(users::Column::Email.eq(&profile.email))
|
||||
.one(&txn)
|
||||
.await?
|
||||
{
|
||||
Some(user) => user,
|
||||
None => {
|
||||
let password = PasswordGenerator::new()
|
||||
.length(16)
|
||||
.numbers(true)
|
||||
.lowercase_letters(true)
|
||||
.uppercase_letters(true)
|
||||
.symbols(true)
|
||||
.exclude_similar_characters(true)
|
||||
.strict(true)
|
||||
.generate_one()
|
||||
.map_err(|e| ModelError::Any(e.into()))?;
|
||||
let password_hash =
|
||||
hash::hash_password(&password).map_err(|e| ModelError::Any(e.into()))?;
|
||||
users::ActiveModel {
|
||||
email: ActiveValue::set(profile.email.to_string()),
|
||||
name: ActiveValue::set(profile.name.to_string()),
|
||||
email_verified_at: ActiveValue::set(Some(Local::now().into())),
|
||||
password: ActiveValue::set(password_hash),
|
||||
..Default::default()
|
||||
}
|
||||
.insert(&txn)
|
||||
.await
|
||||
.map_err(|e| {
|
||||
tracing::error!(error = %e, "failed to create OAuth2 user");
|
||||
ModelError::Any(e.into())
|
||||
})?
|
||||
}
|
||||
};
|
||||
txn.commit().await?;
|
||||
Ok(user)
|
||||
}
|
||||
|
||||
/// Required by the trait; mirrors the inherent [`Model::generate_jwt`]
|
||||
/// (inlined to avoid the inherent/trait name clash).
|
||||
fn generate_jwt(&self, secret: &str, expiration: &u64) -> ModelResult<String> {
|
||||
jwt::JWT::new(secret)
|
||||
.generate_token(*expiration, self.pid.to_string(), Map::new())
|
||||
.map_err(ModelError::from)
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user