refactor(api): add api authentification to auth middleware and implement a permission middleware to check api permissions

Author: Akinator31

Cargo.lock

@@ -25,6 +25,9 @@ serde_json = "1.0.145"
 rand = "0.9.2"
 base64 = "0.22.1"
 subtle = "2.6.1"
+prefixed-api-key = "0.3.0"
+sha2 = "0.10.8"
+hex = "0.4.3"
 
 [dependencies.uuid]
 version = "1.18.1"

rustmail/Cargo.toml

@@ -1,3 +1,4 @@
+use crate::db::operations::{get_api_key_by_hash, hash_api_key, update_last_used};
 use crate::prelude::api::*;
 use crate::prelude::types::*;
 use axum::extract::State;
@@ -86,7 +87,7 @@ pub async fn auth_middleware(
     State(bot_state): State<Arc<Mutex<BotState>>>,
     ConnectInfo(addr): ConnectInfo<SocketAddr>,
     jar: CookieJar,
-    req: Request,
+    mut req: Request,
     next: Next,
 ) -> Response {
     if addr.ip().is_loopback() {
@@ -103,12 +104,6 @@ pub async fn auth_middleware(
         }
     }
 
-    let session_cookie = jar.get("session_id");
-
-    if session_cookie.is_none() {
-        return (StatusCode::UNAUTHORIZED, "Unauthorized").into_response();
-    }
-
     let db_pool = {
         let state_lock = bot_state.lock().await;
         match &state_lock.db_pool {
@@ -123,6 +118,44 @@ pub async fn auth_middleware(
         }
     };
 
+    if let Some(api_key_header) = req.headers().get("x-api-key") {
+        if let Ok(api_key_str) = api_key_header.to_str() {
+            let key_hash = hash_api_key(api_key_str);
+
+            match get_api_key_by_hash(&db_pool, &key_hash).await {
+                Ok(Some(api_key)) => {
+                    if api_key.is_valid() {
+                        let pool_clone = db_pool.clone();
+                        let key_id = api_key.id;
+                        tokio::spawn(async move {
+                            let _ = update_last_used(&pool_clone, key_id).await;
+                        });
+
+                        req.extensions_mut().insert(api_key);
+                        return next.run(req).await;
+                    } else {
+                        return (StatusCode::UNAUTHORIZED, "API key expired or inactive")
+                            .into_response();
+                    }
+                }
+                Ok(None) => {
+                    return (StatusCode::UNAUTHORIZED, "Invalid API key").into_response();
+                }
+                Err(e) => {
+                    eprintln!("Error fetching API key: {}", e);
+                    return (StatusCode::INTERNAL_SERVER_ERROR, "Internal server error")
+                        .into_response();
+                }
+            }
+        }
+    }
+
+    let session_cookie = jar.get("session_id");
+
+    if session_cookie.is_none() {
+        return (StatusCode::UNAUTHORIZED, "Unauthorized").into_response();
+    }
+
     let session_id = session_cookie.unwrap().value().to_string();
     let user_id = get_user_id_from_session(&session_id, &db_pool).await;
 

rustmail/src/api/middleware/auth.rs

@@ -1,3 +1,5 @@
 pub mod auth;
+pub mod permissions;
 
 pub use auth::*;
+pub use permissions::*;

rustmail/src/api/middleware/mod.rs

@@ -0,0 +1,36 @@
+use crate::db::repr::{ApiKey, Permission};
+use axum::http::StatusCode;
+use axum::response::{IntoResponse, Response};
+
+#[derive(Debug)]
+pub struct PermissionError {
+    pub required: &'static str,
+}
+
+impl IntoResponse for PermissionError {
+    fn into_response(self) -> Response {
+        (
+            StatusCode::FORBIDDEN,
+            format!("Missing required permission: {}", self.required),
+        )
+            .into_response()
+    }
+}
+
+pub fn check_permission(api_key: &ApiKey, permission: Permission) -> Result<(), PermissionError> {
+    if api_key.has_permission(permission) {
+        Ok(())
+    } else {
+        Err(PermissionError {
+            required: match permission {
+                Permission::CreateTicket => "CREATE_TICKET",
+                Permission::ReadTickets => "READ_TICKETS",
+                Permission::UpdateTicket => "UPDATE_TICKET",
+                Permission::DeleteTicket => "DELETE_TICKET",
+                Permission::ReadConfig => "READ_CONFIG",
+                Permission::UpdateConfig => "UPDATE_CONFIG",
+                Permission::ManageBot => "MANAGE_BOT",
+            },
+        })
+    }
+}