Merge pull request 'nx-auth' (#906) from nx-auth into staging

Reviewed-on: Ruderverein-Donau-Linz/rowt#906
2025-04-16 10:57:35 +02:00
parent 43c0b9ffc1 dc2ee38aa0
commit 78aafe4d41
3 changed files with 55 additions and 4 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2544,6 +2544,7 @@ name = "rot"
 version = "0.1.0"
 dependencies = [
 "argon2",
+ "base64",
 "chrono",
 "chrono-tz 0.10.3",
 "csv",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -29,6 +29,7 @@ job_scheduler_ng = "2.0"
 ureq = { version = "3.0", features = ["json"] }
 regex = "1.10"
 urlencoding = "2.1"
+base64 = "0.22"

 [target.'cfg(not(windows))'.dependencies]
 openssl = { version = "0.10", features = [ "vendored" ] }
--- a/src/tera/mod.rs
+++ b/src/tera/mod.rs
@@ -9,7 +9,7 @@ use rocket::{
    get,
    http::{Cookie, Status},
    post,
-    request::FlashMessage,
+    request::{FlashMessage, FromRequest, Outcome},
    response::{Flash, Redirect},
    routes,
    time::{Duration, OffsetDateTime},
@@ -30,6 +30,7 @@ use crate::{
    },
    SCHECKBUCH,
 };
+use base64::alphabet::STANDARD;

 pub(crate) mod admin;
 mod auth;
@@ -123,9 +124,57 @@ async fn wikiauth(db: &State<SqlitePool>, login: Form<LoginForm<'_>>) -> String
    "FAIL".into()
 }

-#[get("/?<username>&<password>")]
-async fn nextcloud_auth(db: &State<SqlitePool>, username: String, password: String) -> Status {
-    if let Ok(user) = User::login(db, &username, &password).await {
+struct BasicAuth {
+    username: String,
+    password: String,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for BasicAuth {
+    type Error = ();
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        // Get the Authorization header
+        let auth_header = match request.headers().get_one("Authorization") {
+            Some(h) => h,
+            None => return Outcome::Error((Status::Unauthorized, ())),
+        };
+
+        // Check if it's a Basic auth header
+        if !auth_header.starts_with("Basic ") {
+            return Outcome::Error((Status::Unauthorized, ()));
+        }
+
+        // Decode the base64 credentials
+        let credentials = match base64::decode(&auth_header[6..]) {
+            Ok(c) => c,
+            Err(_) => return Outcome::Error((Status::Unauthorized, ())),
+        };
+
+        // Convert to UTF-8 string
+        let credentials_str = match std::str::from_utf8(&credentials) {
+            Ok(s) => s,
+            Err(_) => return Outcome::Error((Status::Unauthorized, ())),
+        };
+
+        // Split into username and password
+        let mut parts = credentials_str.splitn(2, ':');
+        let username = match parts.next() {
+            Some(u) => u.to_string(),
+            None => return Outcome::Error((Status::Unauthorized, ())),
+        };
+        let password = match parts.next() {
+            Some(p) => p.to_string(),
+            None => return Outcome::Error((Status::Unauthorized, ())),
+        };
+
+        Outcome::Success(BasicAuth { username, password })
+    }
+}
+
+#[get("/")]
+async fn nextcloud_auth(db: &State<SqlitePool>, auth: BasicAuth) -> Status {
+    if let Ok(user) = User::login(db, &auth.username, &auth.password).await {
        if user.has_role(db, "admin").await {
            return Status::Ok;
        }