Feat: introduced hma secret feature

Author: Utilitycoder

Cargo.lock

@@ -35,6 +35,11 @@ thiserror = "1"
 anyhow = "1"
 base64 = "0.13.0"
 argon2 = { version = "0.3", features = ["std"] }
+urlencoding = "2"
+htmlescape = "0.3"
+hmac = { version = "0.12", features = ["std"] }
+sha2 = "0.10"
+hex = "0.4"
 
 [dev-dependencies]
 once_cell = "1"

Cargo.toml

@@ -1,6 +1,7 @@
 application:
   port: 8000
   host: 0.0.0.0
+  hmac_secret: "super-long-and-secret-random-key-needed-to-verify-message-integrity"
 database:
   host: "127.0.0.1"
   port: 5432

configuration/base.yml

@@ -1,6 +1,9 @@
+pub mod authentication;
 pub mod configuration;
 pub mod domain;
 pub mod email_client;
 pub mod routes;
+pub mod session_state;
 pub mod startup;
 pub mod telemetry;
+pub mod utils;

src/lib.rs

@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
+    <title>Home</title>
+  </head>
+  <body>
+    <p>Welcome to our newsletter!</p>
+  </body>
+</html>

src/routes/home/home.html

@@ -0,0 +1,7 @@
+use actix_web::{http::header::ContentType, HttpResponse};
+
+pub async fn home() -> HttpResponse {
+    HttpResponse::Ok()
+        .content_type(ContentType::html())
+        .body(include_str!("home.html"))
+}

src/routes/home/mod.rs

@@ -0,0 +1,77 @@
+use crate::startup::HmacSecret;
+use actix_web::{http::header::ContentType, web, HttpResponse};
+use hmac::{Hmac, Mac};
+use secrecy::ExposeSecret;
+
+#[derive(serde::Deserialize)]
+pub struct QueryParams {
+    error: String,
+    tag: String,
+}
+
+impl QueryParams {
+    fn verify(self, secret: &HmacSecret) -> Result<String, anyhow::Error> {
+        let tag = hex::decode(self.tag)?;
+        let query_string = format!("error={}", urlencoding::Encoded::new(&self.error));
+
+        let mut mac =
+            Hmac::<sha2::Sha256>::new_from_slice(secret.0.expose_secret().as_bytes()).unwrap();
+        mac.update(query_string.as_bytes());
+        mac.verify_slice(&tag)?;
+
+        Ok(self.error)
+    }
+}
+
+pub async fn login_form(
+    query: Option<web::Query<QueryParams>>,
+    secret: web::Data<HmacSecret>,
+) -> HttpResponse {
+    let error_html = match query {
+        None => "".into(),
+        Some(query) => match query.0.verify(&secret) {
+            Ok(error) => {
+                format!("<p><i>{}</i></p>", htmlescape::encode_minimal(&error))
+            }
+            Err(e) => {
+                tracing::warn!(
+                    error.message = %e,
+                    error.cause_chain = ?e,
+                    "Failed to verify query parameters using the HMAC tag"
+                );
+                "".into()
+            }
+        },
+    };
+    HttpResponse::Ok()
+        .content_type(ContentType::html())
+        .body(format!(
+            r#"<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8">
+    <title>Login</title>
+</head>
+<body>
+    {error_html}
+    <form action="/login" method="post">
+        <label>Username
+            <input
+                type="text"
+                placeholder="Enter Username"
+                name="username"
+            >
+        </label>
+        <label>Password
+            <input
+                type="password"
+                placeholder="Enter Password"
+                name="password"
+            >
+        </label>
+        <button type="submit">Login</button>
+    </form>
+</body>
+</html>"#,
+        ))
+}

src/routes/login/get.rs

@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8" />
+    <title>Login</title>
+  </head>
+  <body>
+    <form action="/login" method="post">
+      <label
+        >Username
+        <input type="text" placeholder="Enter Username" name="username" />
+      </label>
+      <label
+        >Password
+        <input type="password" placeholder="Enter Password" name="password" />
+      </label>
+      <button type="submit">Login</button>
+    </form>
+  </body>
+</html>

src/routes/login/login.html

@@ -0,0 +1,5 @@
+mod get;
+mod post;
+
+pub use get::login_form;
+pub use post::login;

src/routes/login/mod.rs

@@ -0,0 +1,74 @@
+use crate::authentication::AuthError;
+use crate::authentication::{validate_credentials, Credentials};
+use crate::routes::error_chain_fmt;
+use crate::startup::HmacSecret;
+use actix_web::error::InternalError;
+use actix_web::http::header::LOCATION;
+use actix_web::web;
+use actix_web::HttpResponse;
+use hmac::{Hmac, Mac};
+use secrecy::{ExposeSecret, Secret};
+use sqlx::PgPool;
+
+#[derive(serde::Deserialize)]
+pub struct FormData {
+    username: String,
+    password: Secret<String>,
+}
+
+#[tracing::instrument(
+    skip(form, pool, secret),
+    fields(username=tracing::field::Empty, user_id=tracing::field::Empty)
+)]
+// We are now injecting `PgPool` to retrieve stored credentials from the database
+pub async fn login(
+    form: web::Form<FormData>,
+    pool: web::Data<PgPool>,
+    secret: web::Data<HmacSecret>,
+) -> Result<HttpResponse, InternalError<LoginError>> {
+    let credentials = Credentials {
+        username: form.0.username,
+        password: form.0.password,
+    };
+    tracing::Span::current().record("username", &tracing::field::display(&credentials.username));
+    match validate_credentials(credentials, &pool).await {
+        Ok(user_id) => {
+            tracing::Span::current().record("user_id", &tracing::field::display(&user_id));
+            Ok(HttpResponse::SeeOther()
+                .insert_header((LOCATION, "/"))
+                .finish())
+        }
+        Err(e) => {
+            let e = match e {
+                AuthError::InvalidCredentials(_) => LoginError::AuthError(e.into()),
+                AuthError::UnexpectedError(_) => LoginError::UnexpectedError(e.into()),
+            };
+            let query_string = format!("error={}", urlencoding::Encoded::new(e.to_string()));
+            let hmac_tag = {
+                let mut mac =
+                    Hmac::<sha2::Sha256>::new_from_slice(secret.0.expose_secret().as_bytes())
+                        .unwrap();
+                mac.update(query_string.as_bytes());
+                mac.finalize().into_bytes()
+            };
+            let response = HttpResponse::SeeOther()
+                .insert_header((LOCATION, format!("/login?{query_string}&tag={hmac_tag:x}")))
+                .finish();
+            Err(InternalError::from_response(e, response))
+        }
+    }
+}
+
+#[derive(thiserror::Error)]
+pub enum LoginError {
+    #[error("Authentication failed")]
+    AuthError(#[source] anyhow::Error),
+    #[error("Something went wrong")]
+    UnexpectedError(#[from] anyhow::Error),
+}
+
+impl std::fmt::Debug for LoginError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        error_chain_fmt(self, f)
+    }
+}