use chrono::TimeDelta;
use sqlx::{sqlite::Sqlite, SqliteConnection, Transaction};
use uuid::Uuid;

use super::logins::{Id as LoginId, Login};
use crate::error::BoxedError;

/// Timestamps handled by this repository are always UTC; callers supply them
/// (`issued_at`, `expire_at`) rather than the repository reading a clock.
type DateTime = chrono::DateTime<chrono::Utc>;

/// Anything that can hand out a [`Tokens`] repository view over its own
/// connection. Implemented below for an sqlx SQLite [`Transaction`].
pub trait Provider {
    /// Borrow this connection as a token repository for the duration of
    /// the returned value.
    fn tokens(&mut self) -> Tokens;
}

/// A transaction exposes the token repository over its own connection, so
/// every token operation performed through it is part of that transaction.
impl<'c> Provider for Transaction<'c, Sqlite> {
    fn tokens(&mut self) -> Tokens {
        // Explicitly deref the transaction to its underlying connection
        // rather than relying on implicit coercion at the constructor call.
        let conn: &mut SqliteConnection = &mut **self;
        Tokens(conn)
    }
}

/// Repository of bearer tokens, operating over a borrowed SQLite connection.
/// Obtained from a [`Transaction`] via [`Provider::tokens`]; changes made
/// through it are only durable once the caller commits that transaction.
pub struct Tokens<'t>(&'t mut SqliteConnection);

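impl<'c> Tokens<'c> {
    /// How long an issued token stays valid, measured from its `issued_at`
    /// timestamp. Somewhat arbitrarily, 90 days. Shared by [`Tokens::expire`]
    /// and [`Tokens::validate_at`] so the sweep and the check can never
    /// disagree about what "expired" means.
    pub const LIFETIME_DAYS: i64 = 90;

    /// The `issued_at` boundary for tokens that are still alive at `at`: a
    /// token issued strictly before this instant has outlived
    /// [`Self::LIFETIME_DAYS`].
    fn issued_cutoff(at: DateTime) -> DateTime {
        at - TimeDelta::days(Self::LIFETIME_DAYS)
    }

    /// Issue a new token for an existing login. The issued_at timestamp will
    /// be used to control expiry.
    ///
    /// The secret is a freshly generated v4 UUID (122 random bits per the
    /// format; the randomness source is whatever the `uuid` crate's `v4`
    /// feature is configured with — OS-backed by default, confirm the crate
    /// features). The returned string is the bearer credential: anyone
    /// holding it can pass [`Tokens::validate`], so callers must not log it.
    ///
    /// NOTE(review): the secret is persisted in cleartext in the `token`
    /// table, so a read of the database yields every live credential.
    /// Storing only a hash of the secret and looking up by hash would remove
    /// that exposure; it needs a schema/migration change and a digest
    /// dependency, so it is left as-is here.
    ///
    /// Returns the secret as stored. Errors are database errors from the
    /// insert.
    pub async fn issue(
        &mut self,
        login: &LoginId,
        issued_at: DateTime,
    ) -> Result<String, BoxedError> {
        let secret = Uuid::new_v4().to_string();

        // Read the secret back from the row rather than trusting the local
        // value, so what we hand out is exactly what the database holds.
        let secret = sqlx::query_scalar!(
            r#"
                insert
                into token (secret, login, issued_at)
                values ($1, $2, $3)
                returning secret as "secret!"
            "#,
            secret,
            login,
            issued_at,
        )
        .fetch_one(&mut *self.0)
        .await?;

        Ok(secret)
    }

    /// Revoke a token by its secret. If there is no such token with that
    /// secret, this will succeed by doing nothing.
    ///
    /// Errors are database errors from the delete.
    pub async fn revoke(&mut self, secret: &str) -> Result<(), BoxedError> {
        sqlx::query!(
            r#"
                delete
                from token
                where secret = $1
            "#,
            secret,
        )
        .execute(&mut *self.0)
        .await?;

        Ok(())
    }

    /// Delete every token that has outlived [`Self::LIFETIME_DAYS`] as of
    /// `expire_at`, i.e. whose `issued_at` is strictly before
    /// `expire_at - LIFETIME_DAYS`.
    ///
    /// This is a housekeeping sweep; it is not what enforces expiry at
    /// validation time. [`Tokens::validate`] does not check token age, so a
    /// caller that relies on this sweep alone accepts stale tokens until the
    /// next run. Use [`Tokens::validate_at`] to enforce the same cutoff on
    /// every check.
    ///
    /// Errors are database errors from the delete.
    pub async fn expire(&mut self, expire_at: DateTime) -> Result<(), BoxedError> {
        let expired_issue_at = Self::issued_cutoff(expire_at);
        sqlx::query!(
            r#"
                delete
                from token
                where issued_at < $1
            "#,
            expired_issue_at,
        )
        .execute(&mut *self.0)
        .await?;

        Ok(())
    }

    /// Validate a token by its secret, retrieving the associated Login record.
    /// Will return [None] if the token is not valid.
    ///
    /// "Valid" here means only "a row with this secret exists": this method
    /// does not consult `issued_at`, so a token remains accepted until it is
    /// removed by [`Tokens::revoke`] or [`Tokens::expire`]. Prefer
    /// [`Tokens::validate_at`] when the caller has the current time.
    ///
    /// Errors are database errors from the lookup.
    pub async fn validate(&mut self, secret: &str) -> Result<Option<Login>, BoxedError> {
        let login = sqlx::query_as!(
            Login,
            r#"
                select
                    login.id as "id: LoginId",
                    name
                from login
                join token on login.id = token.login
                where token.secret = $1
            "#,
            secret,
        )
        .fetch_optional(&mut *self.0)
        .await?;

        Ok(login)
    }

    /// Validate a token by its secret as of `at`, retrieving the associated
    /// Login record. Returns [None] if no token with that secret exists or
    /// if the token was issued before `at - LIFETIME_DAYS`.
    ///
    /// This applies exactly the cutoff that [`Tokens::expire`] deletes by,
    /// so a stale token is refused even when the expiry sweep has not run
    /// since it aged out. The age check is done in the query so an expired
    /// token's login row is never loaded.
    ///
    /// Errors are database errors from the lookup.
    pub async fn validate_at(
        &mut self,
        secret: &str,
        at: DateTime,
    ) -> Result<Option<Login>, BoxedError> {
        let cutoff = Self::issued_cutoff(at);
        let login = sqlx::query_as!(
            Login,
            r#"
                select
                    login.id as "id: LoginId",
                    name
                from login
                join token on login.id = token.login
                where token.secret = $1
                  and token.issued_at >= $2
            "#,
            secret,
            cutoff,
        )
        .fetch_optional(&mut *self.0)
        .await?;

        Ok(login)
    }
}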