WIP: Implement sessions database table

Cargo.toml

@@ -49,9 +49,10 @@ conduit-static = "0.9.0-alpha.3"
 
 cookie = { version = "0.14", features = ["secure"] }
 ctrlc = { version = "3.0", features = ["termination"] }
+derive_builder = "0.9.0"
 derive_deref = "1.1.1"
 dialoguer = "0.7.1"
-diesel = { version = "1.4.0", features = ["postgres", "serde_json", "chrono", "r2d2"] }
+diesel = { version = "1.4.0", features = ["postgres", "serde_json", "chrono", "r2d2", "network-address"] }
 diesel_full_text_search = "1.0.0"
 dotenv = "0.15"
 flate2 = "1.0"
@@ -64,6 +65,7 @@ htmlescape = "0.3.1"
 http = "0.2"
 hyper = { version = "0.14", features = ["client", "http1"] }
 indexmap = "1.0.2"
+ipnetwork = "0.16.0"
 jemallocator = { version = "0.3", features = ['unprefixed_malloc_on_supported_platforms', 'profiling'] }
 lettre = { version = "0.10.0-alpha.1", default-features = false, features = ["file-transport", "smtp-transport", "native-tls", "hostname", "builder"] }
 license-exprs = "^1.4"

migrations/2021-02-14-201950_session-table/down.sql

@@ -0,0 +1 @@
+DROP TABLE sessions;

migrations/2021-02-14-201950_session-table/up.sql

@@ -0,0 +1,24 @@
+CREATE TABLE sessions
+(
+    id SERIAL
+        CONSTRAINT sessions_pk
+            PRIMARY KEY,
+    user_id INTEGER NOT NULL
+        CONSTRAINT sessions_users_id_fk
+            REFERENCES users
+            ON UPDATE CASCADE ON DELETE CASCADE,
+    hashed_token bytea NOT NULL,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    last_used_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP NOT NULL,
+    revoked BOOLEAN DEFAULT FALSE NOT NULL,
+    last_ip_address inet NOT NULL,
+    last_user_agent VARCHAR NOT NULL
+);
+
+COMMENT ON TABLE sessions IS 'This table contains the tokens for all of the cookie-based sessions';
+
+CREATE INDEX sessions_user_id_index
+    ON sessions (user_id);
+
+CREATE UNIQUE INDEX sessions_token_uindex
+	ON sessions (hashed_token);

src/controllers.rs

@@ -82,7 +82,7 @@ mod prelude {
 }
 
 pub mod helpers;
-mod util;
+pub mod util;
 
 pub mod category;
 pub mod crate_owner_invitation;

src/controllers/user/session.rs

@@ -1,13 +1,15 @@
 use crate::controllers::frontend_prelude::*;
 
-use conduit_cookie::RequestSession;
+use conduit_cookie::{RequestCookies, RequestSession};
 use oauth2::reqwest::http_client;
 use oauth2::{AuthorizationCode, Scope, TokenResponse};
 
+use crate::controllers::util::{auth_cookie, AUTH_COOKIE_NAME};
 use crate::github::GithubUser;
-use crate::models::{NewUser, User};
+use crate::models::{NewUser, Session, User};
 use crate::schema::users;
 use crate::util::errors::ReadOnlyMode;
+use crate::Env;
 
 /// Handles the `GET /api/private/session/begin` route.
 ///
@@ -104,9 +106,32 @@ pub fn authorize(req: &mut dyn RequestExt) -> EndpointResult {
     let ghuser = req.app().github.current_user(token)?;
     let user = save_user_to_database(&ghuser, &token.secret(), &*req.db_conn()?)?;
 
-    // Log in by setting a cookie and the middleware authentication
-    req.session_mut()
-        .insert("user_id".to_string(), user.id.to_string());
+    // Create a new `Session`
+    let token = Session::generate_token();
+
+    let ip_addr = req.remote_addr().ip();
+
+    let user_agent = req
+        .headers()
+        .get(header::USER_AGENT)
+        .and_then(|value| value.to_str().ok())
+        .map(|value| value.to_string())
+        .unwrap_or_default();
+
+    Session::new()
+        .user_id(user.id)
+        .token(&token)
+        .last_ip_address(ip_addr)
+        .last_user_agent(user_agent)
+        .build()
+        .map_err(|_err| server_error("Error obtaining token"))?
+        .insert(&*req.db_conn()?)?;
+
+    // Log in by setting an auth cookie
+    let app = req.app();
+    let secure = app.config.env == Env::Production;
+
+    req.cookies_mut().add(auth_cookie(token, secure));
 
     super::me::me(req)
 }
@@ -143,6 +168,28 @@ fn save_user_to_database(
 /// Handles the `DELETE /api/private/session` route.
 pub fn logout(req: &mut dyn RequestExt) -> EndpointResult {
     req.session_mut().remove(&"user_id".to_string());
+
+    // read the current session token, if it exists
+    let session_token = req
+        .cookies()
+        .get(AUTH_COOKIE_NAME)
+        .map(|cookie| cookie.value().to_string());
+
+    if let Some(token) = session_token {
+        let app = req.app();
+        let secure = app.config.env == Env::Production;
+
+        // remove the `cargo_auth` cookie
+        req.cookies_mut().remove(auth_cookie("", secure));
+
+        // try to revoke the session in the database, but explicitly
+        // ignore failures
+        let _result: Result<_, Box<dyn AppError>> = req
+            .db_conn()
+            .map_err(Into::into)
+            .and_then(|conn| Session::revoke_by_token(&conn, &token).map_err(Into::into));
+    }
+
     Ok(req.json(&true))
 }