From b007f57dfe0b5f367305d51d70ce676f3bb62e25 Mon Sep 17 00:00:00 2001 From: shockrah Date: Tue, 19 May 2020 19:36:29 -0700 Subject: [PATCH] priv auth::blind_remove_session => impl not tested pub auth::login => impl not tested --- server/src/auth.rs | 27 ++++++++++++++++----------- server/src/main.rs | 2 +- 2 files changed, 17 insertions(+), 12 deletions(-) diff --git a/server/src/auth.rs b/server/src/auth.rs index 97e989e..899fe49 100644 --- a/server/src/auth.rs +++ b/server/src/auth.rs @@ -1,6 +1,7 @@ // Handlers for the base auth routes use crate::{ DBConn, schema, + utils, models::{ Invite, User @@ -10,7 +11,7 @@ use crate::{ use rocket::http::Status; use rocket::response::{self, Responder, Response}; use rocket::request::{Form, Request}; -use rocket_contrib::json::Json; +use rocket_contrib::json::{Json, JsonValue}; use diesel::{self, prelude::*}; use std::{error, fmt}; @@ -27,10 +28,6 @@ pub struct AuthKey { secret: String, } -#[derive(Serialize)] -pub struct SessionToken { - pub data: String -} pub type AuthResult = std::result::Result; #[derive(Debug, Clone)] @@ -100,7 +97,7 @@ pub fn join(conn: DBConn, hashcode: u64, name: String) -> AuthResult, } fn confirm_user_api_access(conn: &MysqlConnection, user_id: u64, user_secret: &str) -> bool { - use schema::users::{self, dsl::*}; + use schema::users::dsl::*; let result = users .filter(id.eq(user_id)) .filter(secret.eq(user_secret)) 
@@ -113,21 +110,29 @@ fn confirm_user_api_access(conn: &MysqlConnection, user_id: u64, user_secret: &s } fn blind_remove_session(conn: &MysqlConnection, sesh_secret: &str) { + use crate::schema::sessions::dsl::*; + + let _ignore_result = diesel::delete(sessions + .filter(secret.eq(sesh_secret))) + .execute(conn); +} + +fn create_new_session_key() -> String { + let key_raw = utils::new_key(); + utils::encode_param(&key_raw) } #[post("/login", data = "")] -pub fn login(conn: DBConn, api_key: Form) -> AuthResult, AuthErr>{ +pub fn login(conn: DBConn, api_key: Form) -> AuthResult{ /* * Session Tokens are used to key into a subset of online users * This is what should make queries faster per instance as we'll have less data to sift through w/ diesel */ if confirm_user_api_access(&conn.0, api_key.id, &api_key.secret) { - // Dump any tokens from before and make a new one blind_remove_session(&conn.0, &api_key.secret); - Ok(Json(SessionToken { - data: "skeleton code".to_string() - })) + let key = create_new_session_key(); + Ok(json!({"key": key})) } else { Err(AuthErr { diff --git a/server/src/main.rs b/server/src/main.rs index 51aa89f..c2828a7 100644 --- a/server/src/main.rs +++ b/server/src/main.rs @@ -46,7 +46,7 @@ pub fn rocket() -> rocket::Rocket { remove_user, get_user_list ]) .mount("/auth", routes![ - auth::leave + auth::leave, auth::login ]) .attach(Template::fairing()) .attach(DBConn::fairing())
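Review bot: The session key produced by `create_new_session_key()` in `login` is returned to the client but never written to the `sessions` table — after `blind_remove_session` there is no insert, so a later lookup by that key has nothing to match unless persistence happens somewhere this hunk does not show. `blind_remove_session` also filters `sessions.secret` against the caller's API secret rather than a session key, and discards the delete outcome into `_ignore_result`, so if that column actually holds session keys the purge is a no-op, and if the query fails the stale sessions survive silently; at minimum surface the failure, e.g. `if let Err(e) = diesel::delete(sessions.filter(secret.eq(sesh_secret))).execute(conn) { eprintln!("session purge failed: {}", e); }`. Because `utils::new_key` is not visible here, confirm it draws from a CSPRNG with at least 128 bits of output before these values gate authenticated sessions. The body of `login` continues past the end of the hunk.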