what2watch/src/users.rs

use std::fmt::Display;

use argon2::{
    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
    Argon2,
};
use askama::Template;
use axum::{
    extract::{Form, Path, State},
    http::StatusCode,
    response::{IntoResponse, Response},
};
use sqlx::{sqlite::SqliteRow, Row, SqlitePool};
use unicode_segmentation::UnicodeSegmentation;
use uuid::Uuid;

use crate::{templates::CreateUser, ToBlob};

const CREATE_QUERY: &str =
    "insert into witches (id, username, displayname, email, pwhash) values ($1, $2, $3, $4, $5)";

const ID_QUERY: &str = "select * from witches where id = $1";

#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct User {
    id: Uuid,
    username: String,
    displayname: Option<String>,
    email: Option<String>,
    last_seen: Option<i64>,
}

impl Display for User {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        let uname = &self.username;
        let dname = if let Some(ref n) = self.displayname {
            n
        } else {
            ""
        };
        let email = if let Some(ref e) = self.email { e } else { "" };
        write!(f, "Username: {uname}\nDisplayname: {dname}\nEmail: {email}")
    }
}

#[derive(Debug, Clone, Template)]
#[template(path = "signup_success.html")]
pub struct CreateUserSuccess(User);

impl sqlx::FromRow<'_, SqliteRow> for User {
    fn from_row(row: &SqliteRow) -> Result<Self, sqlx::Error> {
        let bytes: Vec<u8> = row.get("id");
        let bytes = bytes.as_slice();
        let bytes: [u8; 16] = bytes.try_into().unwrap();
        let id = Uuid::from_bytes_le(bytes);
        let username: String = row.get("username");
        let displayname: Option<String> = row.get("displayname");
        let last_seen: Option<i64> = row.get("last_seen");
        let email: Option<String> = row.get("email");

        Ok(Self {
            id,
            username,
            displayname,
            email,
            last_seen,
        })
    }
}

/// Get Handler: displays the form to create a user
pub async fn get_create_user() -> CreateUser {
    CreateUser::default()
}

/// Post Handler: validates form values and calls the actual, private user
/// creation function
#[axum::debug_handler]
pub async fn post_create_user(
    State(pool): State<SqlitePool>,
    Form(signup): Form<CreateUser>,
) -> Result<Response, CreateUserError> {
    let username = &signup.username;
    let displayname = &signup.displayname;
    let email = &signup.email;
    let password = &signup.password;
    let verify = &signup.pw_verify;
    let username = username.trim();

    let name_len = username.graphemes(true).size_hint().1.unwrap();
    // we are not ascii exclusivists around here
    if !(1..=20).contains(&name_len) {
        return Err(CreateUserErrorKind::BadUsername.into());
    }

    if let Some(ref dn) = displayname {
        if dn.len() > 50 {
            return Err(CreateUserErrorKind::BadDisplayname.into());
        }
    }

    if password != verify {
        return Err(CreateUserErrorKind::PasswordMismatch.into());
    }

    let password = urlencoding::decode(password)
        .map_err(|_| CreateUserErrorKind::BadPassword)?
        .to_string();
    let password = password.as_bytes();

    let displayname = if let Some(dn) = displayname {
        let dn = urlencoding::decode(dn)
            .map_err(|_| CreateUserErrorKind::BadDisplayname)?
            .to_string();
        Some(dn)
    } else {
        None
    };
    let displayname = &displayname;

    // TODO(2023-05-17): validate email
    let email = if let Some(email) = email {
        let email = urlencoding::decode(email)
            .map_err(|_| CreateUserErrorKind::BadEmail)?
            .to_string();
        Some(email)
    } else {
        None
    };
    let email = &email;

    let user = create_user(username, displayname, email, password, &pool).await?;
    tracing::debug!("created {user:?}");
    let id = user.id.simple().to_string();
    let location = format!("/signup_success/{id}");

    let resp = axum::response::Redirect::temporary(&location).into_response();

    Ok(resp)
}

/// Get handler for successful signup
pub async fn handle_signup_success(
    Path(id): Path<String>,
    State(pool): State<SqlitePool>,
) -> Response {
    let user: User = {
        let id = id.trim();
        let id = Uuid::try_parse(id).unwrap_or_default();
        sqlx::query_as(ID_QUERY)
            .bind(id.blob())
            .fetch_one(&pool)
            .await
            .unwrap_or_default()
    };

    let mut resp = CreateUserSuccess(user.clone()).into_response();

    if user.username.is_empty() || id.is_empty() {
        // redirect to front page if we got here without a valid witch ID
        *resp.status_mut() = StatusCode::TEMPORARY_REDIRECT;
        resp.headers_mut().insert("Location", "/".parse().unwrap());
    }
    resp
}

async fn create_user(
    username: &str,
    displayname: &Option<String>,
    email: &Option<String>,
    password: &[u8],
    pool: &SqlitePool,
) -> Result<User, CreateUserError> {
    // Argon2 with default params (Argon2id v19)
    let argon2 = Argon2::default();
    let salt = SaltString::generate(&mut OsRng);
    let pwhash = argon2
        .hash_password(password, &salt)
        .unwrap() // safe to unwrap, we know the salt is valid
        .to_string();

    let id = Uuid::new_v4();
    let res = sqlx::query(CREATE_QUERY)
        .bind(id.blob())
        .bind(username)
        .bind(displayname)
        .bind(email)
        .bind(pwhash)
        .execute(pool)
        .await;

    match res {
        Ok(_) => {
            let user = User {
                id,
                username: username.to_string(),
                displayname: displayname.to_owned(),
                email: email.to_owned(),
                last_seen: None,
            };
            Ok(user)
        }
        Err(sqlx::Error::Database(db)) => {
            if let Some(exit) = db.code() {
                let exit = exit.parse().unwrap_or(0u32);
                // https://www.sqlite.org/rescode.html codes for unique constraint violations:
                if exit == 2067u32 || exit == 1555 {
                    Err(CreateUserErrorKind::AlreadyExists.into())
                } else {
                    Err(CreateUserErrorKind::UnknownDBError.into())
                }
            } else {
                Err(CreateUserErrorKind::UnknownDBError.into())
            }
        }
        _ => Err(CreateUserErrorKind::UnknownDBError.into()),
    }
}

#[Error(desc = "Could not create user.")]
#[non_exhaustive]
pub struct CreateUserError(#[from] CreateUserErrorKind);

impl IntoResponse for CreateUserError {
    fn into_response(self) -> askama_axum::Response {
        match self.0 {
            CreateUserErrorKind::UnknownDBError => {
                (StatusCode::INTERNAL_SERVER_ERROR, format!("{self}")).into_response()
            }
            _ => (StatusCode::BAD_REQUEST, format!("{self}")).into_response(),
        }
    }
}

#[Error]
#[non_exhaustive]
pub enum CreateUserErrorKind {
    AlreadyExists,
    #[error(desc = "Usernames must be between 1 and 20 non-whitespace characters long")]
    BadUsername,
    PasswordMismatch,
    BadPassword,
    BadDisplayname,
    BadEmail,
    MissingFields,
    UnknownDBError,
}
Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`use std::fmt::Display;`
better signup pages 2023-05-18 22:49:33 +00:00
move user stuff to module 2023-05-12 21:24:57 +00:00			`use argon2::{`
			`password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},`
			`Argon2,`
			`};`
better signup pages 2023-05-18 22:49:33 +00:00			`use askama::Template;`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`use axum::{`
Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`extract::{Form, Path, State},`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`http::StatusCode,`
Add redirect response to signup success. 2023-05-19 22:13:49 +00:00			`response::{IntoResponse, Response},`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`};`
redirects weirdly 2023-05-20 00:17:24 +00:00			`use sqlx::{sqlite::SqliteRow, Row, SqlitePool};`
add username validation (length only) 2023-05-16 19:24:53 +00:00			`use unicode_segmentation::UnicodeSegmentation;`
move user stuff to module 2023-05-12 21:24:57 +00:00			`use uuid::Uuid;`

simplify uuid/db handling 2023-05-23 00:18:13 +00:00			`use crate::{templates::CreateUser, ToBlob};`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`const CREATE_QUERY: &str =`
			`"insert into witches (id, username, displayname, email, pwhash) values ($1, $2, $3, $4, $5)";`
add user structs 2023-05-12 22:36:19 +00:00
redirects weirdly 2023-05-20 00:17:24 +00:00			`const ID_QUERY: &str = "select * from witches where id = $1";`

			`#[derive(Debug, Default, Clone, PartialEq, Eq)]`
add user structs 2023-05-12 22:36:19 +00:00			`pub struct User {`
			`id: Uuid,`
			`username: String,`
			`displayname: Option<String>,`
			`email: Option<String>,`
redirects weirdly 2023-05-20 00:17:24 +00:00			`last_seen: Option<i64>,`
add user structs 2023-05-12 22:36:19 +00:00			`}`

better signup pages 2023-05-18 22:49:33 +00:00			`impl Display for User {`
			`fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {`
			`let uname = &self.username;`
			`let dname = if let Some(ref n) = self.displayname {`
			`n`
			`} else {`
			`""`
			`};`
			`let email = if let Some(ref e) = self.email { e } else { "" };`
			`write!(f, "Username: {uname}\nDisplayname: {dname}\nEmail: {email}")`
			`}`
			`}`

			`#[derive(Debug, Clone, Template)]`
			`#[template(path = "signup_success.html")]`
			`pub struct CreateUserSuccess(User);`

redirects weirdly 2023-05-20 00:17:24 +00:00			`impl sqlx::FromRow<'_, SqliteRow> for User {`
			`fn from_row(row: &SqliteRow) -> Result<Self, sqlx::Error> {`
			`let bytes: Vec<u8> = row.get("id");`
			`let bytes = bytes.as_slice();`
			`let bytes: [u8; 16] = bytes.try_into().unwrap();`
			`let id = Uuid::from_bytes_le(bytes);`
			`let username: String = row.get("username");`
			`let displayname: Option<String> = row.get("displayname");`
			`let last_seen: Option<i64> = row.get("last_seen");`
			`let email: Option<String> = row.get("email");`

			`Ok(Self {`
			`id,`
			`username,`
			`displayname,`
			`email,`
			`last_seen,`
			`})`
			`}`
			`}`

more cleanup 2023-05-18 19:24:43 +00:00			`/// Get Handler: displays the form to create a user`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`pub async fn get_create_user() -> CreateUser {`
			`CreateUser::default()`
			`}`

more cleanup 2023-05-18 19:24:43 +00:00			`/// Post Handler: validates form values and calls the actual, private user`
			`/// creation function`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`#[axum::debug_handler]`
			`pub async fn post_create_user(`
more cleanup 2023-05-18 19:24:43 +00:00			`State(pool): State<SqlitePool>,`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`Form(signup): Form<CreateUser>,`
Add redirect response to signup success. 2023-05-19 22:13:49 +00:00			`) -> Result<Response, CreateUserError> {`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`let username = &signup.username;`
			`let displayname = &signup.displayname;`
			`let email = &signup.email;`
			`let password = &signup.password;`
			`let verify = &signup.pw_verify;`
add username validation (length only) 2023-05-16 19:24:53 +00:00			`let username = username.trim();`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00
add username validation (length only) 2023-05-16 19:24:53 +00:00			`let name_len = username.graphemes(true).size_hint().1.unwrap();`
			`// we are not ascii exclusivists around here`
			`if !(1..=20).contains(&name_len) {`
			`return Err(CreateUserErrorKind::BadUsername.into());`
			`}`

Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`if let Some(ref dn) = displayname {`
			`if dn.len() > 50 {`
			`return Err(CreateUserErrorKind::BadDisplayname.into());`
			`}`
			`}`

Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`if password != verify {`
			`return Err(CreateUserErrorKind::PasswordMismatch.into());`
			`}`

			`let password = urlencoding::decode(password)`
			`.map_err(\|_\| CreateUserErrorKind::BadPassword)?`
			`.to_string();`
			`let password = password.as_bytes();`

			`let displayname = if let Some(dn) = displayname {`
			`let dn = urlencoding::decode(dn)`
			`.map_err(\|_\| CreateUserErrorKind::BadDisplayname)?`
			`.to_string();`
			`Some(dn)`
			`} else {`
			`None`
			`};`
			`let displayname = &displayname;`

			`// TODO(2023-05-17): validate email`
			`let email = if let Some(email) = email {`
			`let email = urlencoding::decode(email)`
			`.map_err(\|_\| CreateUserErrorKind::BadEmail)?`
			`.to_string();`
			`Some(email)`
			`} else {`
			`None`
			`};`
			`let email = &email;`

more cleanup 2023-05-18 19:24:43 +00:00			`let user = create_user(username, displayname, email, password, &pool).await?;`
			`tracing::debug!("created {user:?}");`
Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`let id = user.id.simple().to_string();`
			`let location = format!("/signup_success/{id}");`

			`let resp = axum::response::Redirect::temporary(&location).into_response();`
redirects weirdly 2023-05-20 00:17:24 +00:00
Add redirect response to signup success. 2023-05-19 22:13:49 +00:00			`Ok(resp)`
			`}`

Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`/// Get handler for successful signup`
			`pub async fn handle_signup_success(`
			`Path(id): Path<String>,`
Add redirect response to signup success. 2023-05-19 22:13:49 +00:00			`State(pool): State<SqlitePool>,`
redirects weirdly 2023-05-20 00:17:24 +00:00			`) -> Response {`
Fixed redirect on success, removed DbUser struct. 2023-05-22 22:08:14 +00:00			`let user: User = {`
re-org some handlers, handle '/'. 2023-05-22 23:57:08 +00:00			`let id = id.trim();`
			`let id = Uuid::try_parse(id).unwrap_or_default();`
redirects weirdly 2023-05-20 00:17:24 +00:00			`sqlx::query_as(ID_QUERY)`
simplify uuid/db handling 2023-05-23 00:18:13 +00:00			`.bind(id.blob())`
redirects weirdly 2023-05-20 00:17:24 +00:00			`.fetch_one(&pool)`
			`.await`
			`.unwrap_or_default()`
			`};`

			`let mut resp = CreateUserSuccess(user.clone()).into_response();`

re-org some handlers, handle '/'. 2023-05-22 23:57:08 +00:00			`if user.username.is_empty() \|\| id.is_empty() {`
			`// redirect to front page if we got here without a valid witch ID`
redirects weirdly 2023-05-20 00:17:24 +00:00			`*resp.status_mut() = StatusCode::TEMPORARY_REDIRECT;`
			`resp.headers_mut().insert("Location", "/".parse().unwrap());`
Add redirect response to signup success. 2023-05-19 22:13:49 +00:00			`}`
redirects weirdly 2023-05-20 00:17:24 +00:00			`resp`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`}`

			`async fn create_user(`
			`username: &str,`
			`displayname: &Option<String>,`
			`email: &Option<String>,`
			`password: &[u8],`
			`pool: &SqlitePool,`
			`) -> Result<User, CreateUserError> {`
move user stuff to module 2023-05-12 21:24:57 +00:00			`// Argon2 with default params (Argon2id v19)`
			`let argon2 = Argon2::default();`
			`let salt = SaltString::generate(&mut OsRng);`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`let pwhash = argon2`
move user stuff to module 2023-05-12 21:24:57 +00:00			`.hash_password(password, &salt)`
			`.unwrap() // safe to unwrap, we know the salt is valid`
			`.to_string();`

checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`let id = Uuid::new_v4();`
			`let res = sqlx::query(CREATE_QUERY)`
simplify uuid/db handling 2023-05-23 00:18:13 +00:00			`.bind(id.blob())`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`.bind(username)`
			`.bind(displayname)`
			`.bind(email)`
			`.bind(pwhash)`
			`.execute(pool)`
			`.await;`

			`match res {`
			`Ok(_) => {`
			`let user = User {`
			`id,`
			`username: username.to_string(),`
			`displayname: displayname.to_owned(),`
			`email: email.to_owned(),`
redirects weirdly 2023-05-20 00:17:24 +00:00			`last_seen: None,`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`};`
			`Ok(user)`
			`}`
			`Err(sqlx::Error::Database(db)) => {`
			`if let Some(exit) = db.code() {`
add check for uniqueness violation in account creation 2023-05-16 18:55:32 +00:00			`let exit = exit.parse().unwrap_or(0u32);`
			`// https://www.sqlite.org/rescode.html codes for unique constraint violations:`
			`if exit == 2067u32 \|\| exit == 1555 {`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`Err(CreateUserErrorKind::AlreadyExists.into())`
			`} else {`
rename error 2023-05-16 23:24:24 +00:00			`Err(CreateUserErrorKind::UnknownDBError.into())`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`}`
			`} else {`
rename error 2023-05-16 23:24:24 +00:00			`Err(CreateUserErrorKind::UnknownDBError.into())`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`}`
			`}`
rename error 2023-05-16 23:24:24 +00:00			`_ => Err(CreateUserErrorKind::UnknownDBError.into()),`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`}`
move user stuff to module 2023-05-12 21:24:57 +00:00			`}`

			`#[Error(desc = "Could not create user.")]`
			`#[non_exhaustive]`
			`pub struct CreateUserError(#[from] CreateUserErrorKind);`

Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`impl IntoResponse for CreateUserError {`
			`fn into_response(self) -> askama_axum::Response {`
			`match self.0 {`
			`CreateUserErrorKind::UnknownDBError => {`
			`(StatusCode::INTERNAL_SERVER_ERROR, format!("{self}")).into_response()`
			`}`
			`_ => (StatusCode::BAD_REQUEST, format!("{self}")).into_response(),`
			`}`
			`}`
			`}`

move user stuff to module 2023-05-12 21:24:57 +00:00			`#[Error]`
			`#[non_exhaustive]`
			`pub enum CreateUserErrorKind {`
			`AlreadyExists,`
add username validation (length only) 2023-05-16 19:24:53 +00:00			`#[error(desc = "Usernames must be between 1 and 20 non-whitespace characters long")]`
checkpoint fucking with errors 2023-05-15 03:33:36 +00:00			`BadUsername,`
move user stuff to module 2023-05-12 21:24:57 +00:00			`PasswordMismatch,`
Working user signup, looks ugly. Still no login or sessions, though. 2023-05-18 17:05:29 +00:00			`BadPassword,`
			`BadDisplayname,`
			`BadEmail,`
move user stuff to module 2023-05-12 21:24:57 +00:00			`MissingFields,`
rename error 2023-05-16 23:24:24 +00:00			`UnknownDBError,`
move user stuff to module 2023-05-12 21:24:57 +00:00			`}`