feat(api): pull SP avatars

2026-02-10 15:57:53 +00:00 · 2025-04-26 12:03:00 +00:00 · 2025-04-26 12:03:00 +00:00 · 6c0c7a5c99
commit 6c0c7a5c99
parent 63d9b411ae
10 changed files with 153 additions and 58 deletions
--- a/crates/api/src/middleware/authnz.rs
+++ b/crates/api/src/middleware/authnz.rs
@ -1,45 +1,90 @@
 use axum::{
    extract::{Request, State},
-    http::HeaderValue,
+    http::StatusCode,
    middleware::Next,
    response::Response,
 };
 use tracing::error;

-use crate::ApiContext;
+use crate::{util::json_err, ApiContext};

-use super::logger::DID_AUTHENTICATE_HEADER;
+pub const INTERNAL_SYSTEMID_HEADER: &'static str = "x-pluralkit-systemid";
+pub const INTERNAL_APPID_HEADER: &'static str = "x-pluralkit-appid";
+
+// todo: auth should pass down models in request context
+// not numerical ids in headers

 pub async fn authnz(State(ctx): State<ApiContext>, mut request: Request, next: Next) -> Response {
    let headers = request.headers_mut();
-    headers.remove("x-pluralkit-systemid");
-    let auth_header = headers
+
+    headers.remove(INTERNAL_SYSTEMID_HEADER);
+    headers.remove(INTERNAL_APPID_HEADER);
+
+    let mut authed_system_id: Option<i32> = None;
+    let mut authed_app_id: Option<i32> = None;
+
+    // fetch user authorization
+    if let Some(system_auth_header) = headers
        .get("authorization")
        .map(|h| h.to_str().ok())
-        .flatten();
-    let mut authenticated = false;
-    if let Some(auth_header) = auth_header {
-        if let Some(system_id) =
-            match libpk::db::repository::legacy_token_auth(&ctx.db, auth_header).await {
+        .flatten()
+        && let Some(system_id) =
+            match libpk::db::repository::legacy_token_auth(&ctx.db, system_auth_header).await {
                Ok(val) => val,
                Err(err) => {
                    error!(?err, "failed to query authorization token in postgres");
-                    None
+                    return json_err(
+                        StatusCode::INTERNAL_SERVER_ERROR,
+                        r#"{"message": "500: Internal Server Error", "code": 0}"#.to_string(),
+                    );
                }
            }
-        {
-            headers.append(
-                "x-pluralkit-systemid",
-                HeaderValue::from_str(format!("{system_id}").as_str()).unwrap(),
-            );
-            authenticated = true;
+    {
+        authed_system_id = Some(system_id);
+    }
+
+    // fetch app authorization
+    // todo: actually fetch it from db
+    if let Some(app_auth_header) = headers
+        .get("x-pluralkit-app")
+        .map(|h| h.to_str().ok())
+        .flatten()
+        && let Some(config_token2) = libpk::config
+            .api
+            .as_ref()
+            .expect("missing api config")
+            .temp_token2
+            .as_ref()
+        // this is NOT how you validate tokens
+        // but this is low abuse risk so we're keeping it for now
+        && app_auth_header == config_token2
+    {
+        authed_app_id = Some(1);
+    }
+
+    // add headers for ratelimiter / dotnet-api
+    {
+        let headers = request.headers_mut();
+        if let Some(sid) = authed_system_id {
+            headers.append(INTERNAL_SYSTEMID_HEADER, sid.into());
+        }
+        if let Some(aid) = authed_app_id {
+            headers.append(INTERNAL_APPID_HEADER, aid.into());
        }
    }
+
    let mut response = next.run(request).await;
-    if authenticated {
-        response
-            .headers_mut()
-            .insert(DID_AUTHENTICATE_HEADER, HeaderValue::from_static("1"));
+
+    // add headers for logger module (ugh)
+    {
+        let headers = response.headers_mut();
+        if let Some(sid) = authed_system_id {
+            headers.append(INTERNAL_SYSTEMID_HEADER, sid.into());
+        }
+        if let Some(aid) = authed_app_id {
+            headers.append(INTERNAL_APPID_HEADER, aid.into());
+        }
    }
+
    response
 }