2020-01-26 21:36:50 +01:00
|
|
|
defmodule Mobilizon.Web.Auth.Guardian do
|
2018-01-14 17:56:50 +01:00
|
|
|
@moduledoc """
|
|
|
|
|
Handles the JWT tokens encoding and decoding
|
|
|
|
|
"""
|
2020-01-23 21:59:50 +01:00
|
|
|
|
2018-07-27 10:45:35 +02:00
|
|
|
use Guardian,
|
2018-10-11 17:37:39 +02:00
|
|
|
otp_app: :mobilizon,
|
2018-07-27 10:45:35 +02:00
|
|
|
permissions: %{
|
|
|
|
|
superuser: [:moderate, :super],
|
|
|
|
|
user: [:base]
|
|
|
|
|
}
|
2017-12-09 14:58:37 +01:00
|
|
|
|
2023-02-15 19:31:23 +01:00
|
|
|
alias Mobilizon.{Applications, Users}
|
|
|
|
|
alias Mobilizon.Applications.ApplicationToken
|
2019-03-05 17:23:05 +01:00
|
|
|
alias Mobilizon.Users.User
|
2020-01-23 21:59:50 +01:00
|
|
|
|
2019-03-06 18:45:26 +01:00
|
|
|
require Logger
|
2017-12-09 14:58:37 +01:00
|
|
|
|
2021-09-28 19:40:37 +02:00
|
|
|
@spec subject_for_token(any(), any()) :: {:ok, String.t()} | {:error, :unknown_resource}
|
2023-02-15 19:31:23 +01:00
|
|
|
def subject_for_token(%User{id: user_id}, _claims) do
|
|
|
|
|
{:ok, "User:" <> to_string(user_id)}
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def subject_for_token(%ApplicationToken{id: app_token_id}, _claims) do
|
|
|
|
|
{:ok, "AppToken:" <> to_string(app_token_id)}
|
2017-12-09 14:58:37 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def subject_for_token(_, _) do
|
|
|
|
|
{:error, :unknown_resource}
|
|
|
|
|
end
|
|
|
|
|
|
2021-09-24 16:46:42 +02:00
|
|
|
@spec resource_from_claims(any) ::
|
|
|
|
|
{:error, :invalid_id | :no_result | :no_claims} | {:ok, Mobilizon.Users.User.t()}
|
2017-12-09 14:58:37 +01:00
|
|
|
def resource_from_claims(%{"sub" => "User:" <> uid_str}) do
|
2019-03-06 18:45:26 +01:00
|
|
|
Logger.debug(fn -> "Receiving claim for user #{uid_str}" end)
|
|
|
|
|
|
2017-12-09 14:58:37 +01:00
|
|
|
try do
|
|
|
|
|
case Integer.parse(uid_str) do
|
|
|
|
|
{uid, ""} ->
|
2019-03-05 17:23:05 +01:00
|
|
|
{:ok, Users.get_user_with_actors!(uid)}
|
2018-07-27 10:45:35 +02:00
|
|
|
|
2017-12-09 14:58:37 +01:00
|
|
|
_ ->
|
|
|
|
|
{:error, :invalid_id}
|
|
|
|
|
end
|
|
|
|
|
rescue
|
2023-03-17 18:10:59 +01:00
|
|
|
e in Ecto.NoResultsError ->
|
2023-08-02 09:59:09 +02:00
|
|
|
Logger.warning("Received token claim for non existing user: #{inspect(e)}")
|
2023-03-17 18:10:59 +01:00
|
|
|
{:error, :no_result}
|
2017-12-09 14:58:37 +01:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2023-02-15 19:31:23 +01:00
|
|
|
def resource_from_claims(%{"sub" => "AppToken:" <> id_str}) do
|
|
|
|
|
Logger.debug(fn -> "Receiving claim for app token #{id_str}" end)
|
|
|
|
|
|
|
|
|
|
try do
|
|
|
|
|
case Integer.parse(id_str) do
|
|
|
|
|
{id, ""} ->
|
|
|
|
|
application_token = Applications.get_application_token!(id)
|
|
|
|
|
user = Users.get_user_with_actors!(application_token.user_id)
|
|
|
|
|
application = Applications.get_application!(application_token.application_id)
|
|
|
|
|
{:ok, application_token |> Map.put(:user, user) |> Map.put(:application, application)}
|
|
|
|
|
|
|
|
|
|
_ ->
|
|
|
|
|
{:error, :invalid_id}
|
|
|
|
|
end
|
|
|
|
|
rescue
|
2023-03-17 18:10:59 +01:00
|
|
|
e in Ecto.NoResultsError ->
|
|
|
|
|
Logger.info("Received token claim for non existing app token: #{inspect(e.message)}")
|
|
|
|
|
{:error, :no_result}
|
2023-02-15 19:31:23 +01:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-01-14 17:56:50 +01:00
|
|
|
def resource_from_claims(_) do
|
2021-09-24 16:46:42 +02:00
|
|
|
{:error, :no_claims}
|
2017-12-09 14:58:37 +01:00
|
|
|
end
|
|
|
|
|
|
2021-09-28 19:40:37 +02:00
|
|
|
@spec after_encode_and_sign(any(), any(), any(), any()) :: {:ok, String.t()}
|
2018-01-13 23:33:03 +01:00
|
|
|
def after_encode_and_sign(resource, claims, token, _options) do
|
|
|
|
|
with {:ok, _} <- Guardian.DB.after_encode_and_sign(resource, claims["typ"], claims, token) do
|
|
|
|
|
{:ok, token}
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2021-10-04 18:59:41 +02:00
|
|
|
@spec on_verify(any(), any(), any()) :: {:ok, map()} | {:error, :token_not_found}
|
2018-01-13 23:33:03 +01:00
|
|
|
def on_verify(claims, token, _options) do
|
2023-03-17 18:10:59 +01:00
|
|
|
Logger.debug("[Guardian] Called on_verify")
|
|
|
|
|
|
2018-01-13 23:33:03 +01:00
|
|
|
with {:ok, _} <- Guardian.DB.on_verify(claims, token) do
|
|
|
|
|
{:ok, claims}
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2021-10-04 18:59:41 +02:00
|
|
|
@spec on_revoke(any(), any(), any()) :: {:ok, map()} | {:error, :could_not_revoke_token}
|
2018-01-13 23:33:03 +01:00
|
|
|
def on_revoke(claims, token, _options) do
|
2023-03-17 18:10:59 +01:00
|
|
|
Logger.debug("[Guardian] Called on_revoke")
|
|
|
|
|
|
2018-01-13 23:33:03 +01:00
|
|
|
with {:ok, _} <- Guardian.DB.on_revoke(claims, token) do
|
|
|
|
|
{:ok, claims}
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2021-10-04 18:59:41 +02:00
|
|
|
@spec on_refresh({any(), any()}, {any(), any()}, any()) ::
|
|
|
|
|
{:ok, {String.t(), map()}, {String.t(), map()}} | {:error, any()}
|
2019-08-12 17:41:41 +02:00
|
|
|
def on_refresh({old_token, old_claims}, {new_token, new_claims}, _options) do
|
2023-03-17 18:10:59 +01:00
|
|
|
Logger.debug("[Guardian] Called on_refresh")
|
|
|
|
|
|
2019-08-12 17:41:41 +02:00
|
|
|
with {:ok, _, _} <- Guardian.DB.on_refresh({old_token, old_claims}, {new_token, new_claims}) do
|
|
|
|
|
{:ok, {old_token, old_claims}, {new_token, new_claims}}
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2021-10-04 18:59:41 +02:00
|
|
|
@spec on_exchange(any(), any(), any()) ::
|
|
|
|
|
{:ok, {String.t(), map()}, {String.t(), map()}} | {:error, any()}
|
2023-03-17 18:10:59 +01:00
|
|
|
def on_exchange(old_stuff, new_stuff, options) do
|
|
|
|
|
Logger.debug("[Guardian] Called on_exchange")
|
|
|
|
|
on_refresh(old_stuff, new_stuff, options)
|
|
|
|
|
end
|
2019-08-12 17:41:41 +02:00
|
|
|
|
2018-01-13 23:33:03 +01:00
|
|
|
# def build_claims(claims, _resource, opts) do
|
|
|
|
|
# claims = claims
|
|
|
|
|
# |> encode_permissions_into_claims!(Keyword.get(opts, :permissions))
|
|
|
|
|
# {:ok, claims}
|
|
|
|
|
# end
|
2018-01-14 17:56:50 +01:00
|
|
|
end
|
