Holding on to the authorisation token.

Author: markcatley

src/middleware/current_user.rs

@@ -6,6 +6,7 @@ use diesel::prelude::*;
 use crate::db::RequestTransaction;
 use crate::util::errors::{std_error, CargoResult, ChainError, Unauthorized};
 
+use crate::models::ApiToken;
 use crate::models::User;
 use crate::schema::users;
 
@@ -15,7 +16,7 @@ pub struct CurrentUser;
 #[derive(Debug, Copy, Clone, Eq, PartialEq)]
 pub enum AuthenticationSource {
     SessionCookie,
-    ApiToken,
+    ApiToken(i32),
 }
 
 impl Middleware for CurrentUser {
@@ -44,18 +45,22 @@ impl Middleware for CurrentUser {
         } else {
             // Otherwise, look for an `Authorization` header on the request
             // and try to find a user in the database with a matching API token
-            let user = if let Some(headers) = req.headers().find("Authorization") {
-                User::find_by_api_token(&conn, headers[0])
+            let user_and_token = if let Some(headers) = req.headers().find("Authorization") {
+                ApiToken::find_by_api_token_and_revoked(&conn, headers[0], false)
+                    .and_then(|api_token| {
+                        User::find(&conn, api_token.user_id).map(|user| (user, api_token.id))
+                    })
                     .optional()
                     .map_err(|e| Box::new(e) as Box<dyn Error + Send>)?
             } else {
                 None
             };
             drop(conn);
-            if let Some(user) = user {
+            if let Some((user, token)) = user_and_token {
                 // Attach the `User` model from the database to the request
                 req.mut_extensions().insert(user);
-                req.mut_extensions().insert(AuthenticationSource::ApiToken);
+                req.mut_extensions()
+                    .insert(AuthenticationSource::ApiToken(token));
             }
         }
 

src/models/token.rs

@@ -46,6 +46,28 @@ impl ApiToken {
             last_used_at: self.last_used_at,
         }
     }
+
+    pub fn find_by_api_token_and_revoked(
+        conn: &PgConnection,
+        token_: &str,
+        revoked_: bool,
+    ) -> QueryResult<ApiToken> {
+        use crate::schema::api_tokens::dsl::{api_tokens, last_used_at, revoked, token};
+        use diesel::{dsl::now, update};
+
+        let tokens = api_tokens
+            .filter(token.eq(token_))
+            .filter(revoked.eq(revoked_));
+
+        // If the database is in read only mode, we can't update last_used_at.
+        // Try updating in a new transaction, if that fails, fall back to reading
+        conn.transaction(|| {
+            update(tokens)
+                .set(last_used_at.eq(now.nullable()))
+                .get_result::<ApiToken>(conn)
+        })
+        .or_else(|_| tokens.first(conn))
+    }
 }
 
 #[cfg(test)]

src/models/user.rs

@@ -1,11 +1,10 @@
-use diesel::dsl::now;
 use diesel::prelude::*;
 use std::borrow::Cow;
 
 use crate::app::App;
 use crate::util::CargoResult;
 
-use crate::models::{Crate, CrateOwner, Email, NewEmail, Owner, OwnerKind, Rights};
+use crate::models::{ApiToken, Crate, CrateOwner, Email, NewEmail, Owner, OwnerKind, Rights};
 use crate::schema::{crate_owners, emails, users};
 use crate::views::{EncodablePrivateUser, EncodablePublicUser};
 
@@ -105,27 +104,14 @@ impl<'a> NewUser<'a> {
 }
 
 impl User {
-    /// Queries the database for a user with a certain `api_token` value.
-    pub fn find_by_api_token(conn: &PgConnection, token_: &str) -> QueryResult<User> {
-        use crate::schema::api_tokens::dsl::{api_tokens, last_used_at, revoked, token, user_id};
-        use diesel::update;
-
-        let tokens = api_tokens
-            .filter(token.eq(token_))
-            .filter(revoked.eq(false));
-
-        // If the database is in read only mode, we can't update last_used_at.
-        // Try updating in a new transaction, if that fails, fall back to reading
-        let user_id_ = conn
-            .transaction(|| {
-                update(tokens)
-                    .set(last_used_at.eq(now.nullable()))
-                    .returning(user_id)
-                    .get_result::<i32>(conn)
-            })
-            .or_else(|_| tokens.select(user_id).first(conn))?;
-
-        users::table.find(user_id_).first(conn)
+    pub fn find(conn: &PgConnection, id: i32) -> QueryResult<User> {
+        users::table.find(id).first(conn)
+    }
+
+    pub fn find_by_api_token(conn: &PgConnection, token: &str) -> QueryResult<User> {
+        let api_token = ApiToken::find_by_api_token_and_revoked(conn, token, false)?;
+
+        Self::find(conn, api_token.user_id)
     }
 
     pub fn owning(krate: &Crate, conn: &PgConnection) -> CargoResult<Vec<Owner>> {