PluralKit/crates/api/src/middleware/auth.rs

use axum::{
    extract::{Request, State},
    http::StatusCode,
    middleware::Next,
    response::Response,
};

use tracing::error;

use crate::auth::AuthState;
use crate::{util::json_err, ApiContext};

pub async fn auth(State(ctx): State<ApiContext>, mut req: Request, next: Next) -> Response {
    let mut authed_system_id: Option<i32> = None;
    let mut authed_app_id: Option<i32> = None;

    // fetch user authorization
    if let Some(system_auth_header) = req
        .headers()
        .get("authorization")
        .map(|h| h.to_str().ok())
        .flatten()
        && let Some(system_id) =
            match libpk::db::repository::legacy_token_auth(&ctx.db, system_auth_header).await {
                Ok(val) => val,
                Err(err) => {
                    error!(?err, "failed to query authorization token in postgres");
                    return json_err(
                        StatusCode::INTERNAL_SERVER_ERROR,
                        r#"{"message": "500: Internal Server Error", "code": 0}"#.to_string(),
                    );
                }
            }
    {
        authed_system_id = Some(system_id);
    }

    // fetch app authorization
    // todo: actually fetch it from db
    if let Some(app_auth_header) = req
        .headers()
        .get("x-pluralkit-app")
        .map(|h| h.to_str().ok())
        .flatten()
        && let Some(config_token2) = libpk::config
            .api
            .as_ref()
            .expect("missing api config")
            .temp_token2
            .as_ref()
        // this is NOT how you validate tokens
        // but this is low abuse risk so we're keeping it for now
        && app_auth_header == config_token2
    {
        authed_app_id = Some(1);
    }

    req.extensions_mut()
        .insert(AuthState::new(authed_system_id, authed_app_id));

    next.run(req).await
}
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`use axum::{`
			`extract::{Request, State},`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`http::StatusCode,`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`middleware::Next,`
			`response::Response,`
			`};`
feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`use tracing::error;`

feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`use crate::auth::AuthState;`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`use crate::{util::json_err, ApiContext};`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00
feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`pub async fn auth(State(ctx): State<ApiContext>, mut req: Request, next: Next) -> Response {`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`let mut authed_system_id: Option<i32> = None;`
			`let mut authed_app_id: Option<i32> = None;`

			`// fetch user authorization`
feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`if let Some(system_auth_header) = req`
			`.headers()`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`.get("authorization")`
			`.map(\|h\| h.to_str().ok())`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`.flatten()`
			`&& let Some(system_id) =`
			`match libpk::db::repository::legacy_token_auth(&ctx.db, system_auth_header).await {`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`Ok(val) => val,`
			`Err(err) => {`
			`error!(?err, "failed to query authorization token in postgres");`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`return json_err(`
			`StatusCode::INTERNAL_SERVER_ERROR,`
			`r#"{"message": "500: Internal Server Error", "code": 0}"#.to_string(),`
			`);`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`}`
			`}`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`{`
			`authed_system_id = Some(system_id);`
			`}`

			`// fetch app authorization`
			`// todo: actually fetch it from db`
feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`if let Some(app_auth_header) = req`
			`.headers()`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00			`.get("x-pluralkit-app")`
			`.map(\|h\| h.to_str().ok())`
			`.flatten()`
			`&& let Some(config_token2) = libpk::config`
			`.api`
			`.as_ref()`
			`.expect("missing api config")`
			`.temp_token2`
			`.as_ref()`
			`// this is NOT how you validate tokens`
			`// but this is low abuse risk so we're keeping it for now`
			`&& app_auth_header == config_token2`
			`{`
			`authed_app_id = Some(1);`
			`}`

feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`req.extensions_mut()`
			`.insert(AuthState::new(authed_system_id, authed_app_id));`
feat(api): pull SP avatars 2025-04-26 12:03:00 +00:00
feat(api): improve auth middleware 2025-05-17 20:39:29 +00:00			`next.run(req).await`
chore(api): move token auth to rust api service 2024-08-04 07:29:57 +09:00			`}`