diff options
Diffstat (limited to 'src/api/auth/account.rs')
-rw-r--r-- | src/api/auth/account.rs | 41 |
1 files changed, 19 insertions, 22 deletions
diff --git a/src/api/auth/account.rs b/src/api/auth/account.rs index 0f12d49..c0c2099 100644 --- a/src/api/auth/account.rs +++ b/src/api/auth/account.rs @@ -11,6 +11,7 @@ use serde::{Deserialize, Serialize}; use validator::Validate; use crate::api::{Empty, EMPTY}; +use crate::crypto::{KeyFetchToken, SessionToken}; use crate::db::{Db, DbConn}; use crate::mailer::Mailer; use crate::push::PushClient; @@ -21,7 +22,7 @@ use crate::{ api::{auth, serialize_dt}, auth::{AuthSource, Authenticated}, crypto::{AuthPW, KeyBundle, KeyFetchReq, SecretBytes, SessionCredentials}, - types::{HawkKey, KeyFetchID, OauthToken, SecretKey, SessionID, User, UserID, VerifyHash}, + types::{HawkKey, KeyFetchID, OauthToken, SecretKey, User, UserID, VerifyHash}, }; // TODO better error handling @@ -52,9 +53,9 @@ pub(crate) struct Create { #[serde(deny_unknown_fields)] pub(crate) struct CreateResp { uid: UserID, - sessionToken: SecretBytes<32>, + sessionToken: SessionToken, #[serde(skip_serializing_if = "Option::is_none")] - keyFetchToken: Option<SecretBytes<32>>, + keyFetchToken: Option<KeyFetchToken>, #[serde(serialize_with = "serialize_dt")] authAt: DateTime<Utc>, // MISSING verificationMethod @@ -94,17 +95,16 @@ pub(crate) async fn create( let auth_salt = SaltString::generate(rand::rngs::OsRng); let stretched = data.authPW.stretch(auth_salt.as_salt())?; let verify_hash = stretched.verify_hash(); - let session_token = SecretBytes::generate(); - let session = SessionCredentials::derive(&session_token); + let session_token = SessionToken::generate(); + let session = SessionCredentials::derive_from(&session_token); let key_fetch_token = if keys { - let key_fetch_token = SecretBytes::generate(); - let req = KeyFetchReq::from_token(&key_fetch_token); + let key_fetch_token = KeyFetchToken::generate(); + let req = KeyFetchReq::derive_from(&key_fetch_token); let wrapped = req.derive_resp().wrap_keys(&KeyBundle { ka: ka.clone(), wrap_kb: stretched.decrypt_wwkb(&wrapwrap_kb), }); - db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped) - .await?; + db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?; Some(key_fetch_token) } else { None @@ -120,12 +120,11 @@ pub(crate) async fn create( verified: false, }) .await?; - let session_id = SessionID(session.token_id.0); let auth_at = db - .add_session(session_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None) + .add_session(session.token_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, None) .await?; let verify_code = hex::encode(&SecretBytes::<16>::generate().0); - db.add_verify_code(&uid, &session_id, &verify_code).await?; + db.add_verify_code(&uid, &session.token_id, &verify_code).await?; // NOTE we send the email in this context rather than a spawn to signal // send errors to the client. mailer.send_account_verify(&uid, &data.email, &verify_code).await.map_err(|e| { @@ -161,9 +160,9 @@ pub(crate) struct Login { #[serde(deny_unknown_fields)] pub(crate) struct LoginResp { uid: UserID, - sessionToken: SecretBytes<32>, + sessionToken: SessionToken, #[serde(skip_serializing_if = "Option::is_none")] - keyFetchToken: Option<SecretBytes<32>>, + keyFetchToken: Option<KeyFetchToken>, // MISSING verificationMethod // MISSING verificationReason // NOTE this is the *account* verified status, not the session status. @@ -200,27 +199,25 @@ pub(crate) async fn login( return Err(auth::Error::IncorrectPassword); } - let session_token = SecretBytes::generate(); - let session = SessionCredentials::derive(&session_token); + let session_token = SessionToken::generate(); + let session = SessionCredentials::derive_from(&session_token); let key_fetch_token = if keys { - let key_fetch_token = SecretBytes::generate(); - let req = KeyFetchReq::from_token(&key_fetch_token); + let key_fetch_token = KeyFetchToken::generate(); + let req = KeyFetchReq::derive_from(&key_fetch_token); let wrapped = req.derive_resp().wrap_keys(&KeyBundle { ka: SecretBytes(user.ka.0), wrap_kb: stretched.decrypt_wwkb(&SecretBytes(user.wrapwrap_kb.0)), }); - db.add_key_fetch(KeyFetchID(req.token_id.0), &HawkKey(req.req_hmac_key.0), &wrapped) - .await?; + db.add_key_fetch(req.token_id, &HawkKey(req.req_hmac_key.0), &wrapped).await?; Some(key_fetch_token) } else { None }; - let session_id = SessionID(session.token_id.0); let verify_code = format!("{:06}", thread_rng().gen_range(0..=999999)); let auth_at = db .add_session( - session_id.clone(), + session.token_id.clone(), &uid, HawkKey(session.req_hmac_key.0), false, |