Use persistent sessions for authentication.

adsnaider · adsnaider · commit 31b548bc1d79 · 2022-04-04T13:57:18.000-07:00
diff --git a/src/controllers/util.rs b/src/controllers/util.rs
@@ -1,13 +1,14 @@
 use chrono::Utc;
-use conduit_cookie::RequestSession;
+use conduit_cookie::RequestCookies;
 
 use super::prelude::*;
-
+use crate::controllers::user::session::SESSION_COOKIE_NAME;
 use crate::middleware::log_request;
-use crate::models::{ApiToken, User};
+use crate::models::{ApiToken, PersistentSession, User};
 use crate::util::errors::{
     account_locked, forbidden, internal, AppError, AppResult, InsecurelyGeneratedTokenRevoked,
 };
+use conduit_cookie::RequestSession;
 
 #[derive(Debug)]
 pub struct AuthenticatedUser {
@@ -67,6 +68,7 @@ fn verify_origin(req: &dyn RequestExt) -> AppResult<()> {
 fn authenticate_user(req: &dyn RequestExt) -> AppResult<AuthenticatedUser> {
     let conn = req.db_conn()?;
 
+    // TODO(adsnaider): Remove this.
     let session = req.session();
     let user_id_from_session = session.get("user_id").and_then(|s| s.parse::<i32>().ok());
 
@@ -80,6 +82,34 @@ fn authenticate_user(req: &dyn RequestExt) -> AppResult<AuthenticatedUser> {
         });
     }
 
+    if let Some(session_token) = req
+        .cookies()
+        .get(SESSION_COOKIE_NAME)
+        .map(|cookie| cookie.value())
+    {
+        let ip_addr = req.remote_addr().ip();
+
+        let user_agent = req
+            .headers()
+            .get(header::USER_AGENT)
+            .and_then(|value| value.to_str().ok())
+            .unwrap_or_default();
+
+        if let Some(session) = PersistentSession::find_from_token_and_update(
+            &conn,
+            session_token,
+            ip_addr,
+            user_agent,
+        )? {
+            let user = User::find(&conn, session.user_id)
+                .map_err(|e| e.chain(internal("user_id from session not found in the database")))?;
+            return Ok(AuthenticatedUser {
+                user,
+                token_id: None,
+            });
+        }
+    }
+
     // Otherwise, look for an `Authorization` header on the request
     let maybe_authorization = req
         .headers()
diff --git a/src/models/persistent_session.rs b/src/models/persistent_session.rs
@@ -44,6 +44,32 @@ impl PersistentSession {
         }
     }
 
+    pub fn find_from_token_and_update(
+        conn: &PgConnection,
+        token: &str,
+        ip_address: IpAddr,
+        user_agent: &str,
+    ) -> Result<Option<Self>, SessionError> {
+        let hashed_token = SecureToken::parse(SecureTokenKind::Session, token)
+            .ok_or(SessionError::InvalidSessionToken)?;
+        let sessions = persistent_sessions::table
+            .filter(persistent_sessions::revoked.eq(false))
+            .filter(persistent_sessions::hashed_token.eq(hashed_token));
+
+        conn.transaction(|| {
+            diesel::update(sessions.clone())
+                .set((
+                    persistent_sessions::last_used_at.eq(diesel::dsl::now),
+                    persistent_sessions::last_ip_address.eq(IpNetwork::from(ip_address)),
+                    persistent_sessions::last_user_agent.eq(user_agent),
+                ))
+                .get_result(conn)
+                .optional()
+        })
+        .or_else(|_| sessions.first(conn).optional())
+        .map_err(SessionError::DieselError)
+    }
+
     pub fn revoke_from_token(conn: &PgConnection, token: &str) -> Result<usize, SessionError> {
         let hashed_token = SecureToken::parse(SecureTokenKind::Session, token)
             .ok_or(SessionError::InvalidSessionToken)?;
