From 1c3a136730b6c2fd2419a56d061e04c3193932de Mon Sep 17 00:00:00 2001
From: JMARyA
Date: Tue, 6 May 2025 16:03:41 +0200
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20auth?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Cargo.lock | 3 +++
 Cargo.toml | 2 +-
 src/herd_core/route.rs | 27 +++++++++++++++++++--------
 3 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 950df40..8a0545a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -358,6 +358,7 @@ dependencies = [
 "axum",
 "axum-core",
 "bytes",
+ "cookie",
 "futures-util",
 "headers",
 "http",
@@ -421,6 +422,8 @@ name = "based_auth"
 version = "0.1.0"
 source = "git+https://git.hydrar.de/jmarya/based_auth#bab73914bdddc53cbec5c1d2fabdcfe857838aa8"
 dependencies = [
+ "axum",
+ "axum-extra",
 "bcrypt",
 "chrono",
 "data-encoding",
diff --git a/Cargo.toml b/Cargo.toml
index 5c14301..9406126 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -38,7 +38,7 @@ axum-client-ip = { version = "1.0.0", optional = true }
 toml = "0.8.21"
 hex = "0.4.3"
 rand = "0.9.1"
-based_auth = { git = "https://git.hydrar.de/jmarya/based_auth" }
+based_auth = { git = "https://git.hydrar.de/jmarya/based_auth", features = ["axum"] }
 http2 = "0.4.21"
 ureq = { version = "3.0.11", features = ["json"] }
 rumqttc = { version = "0.24.0", features = ["url", "websocket"] }
diff --git a/src/herd_core/route.rs b/src/herd_core/route.rs
index 9753f70..605e2a1 100644
--- a/src/herd_core/route.rs
+++ b/src/herd_core/route.rs
@@ -16,6 +16,7 @@ use axum_client_ip::ClientIp;
 use axum_extra::TypedHeader;
 use axum_extra::headers::Authorization;
 use axum_extra::headers::authorization::Bearer;
+use based_auth::APIUser;
 use based_auth::Sessions;
 use based_auth::User;
 use owl::get;
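Review bot: In the Cargo.toml hunk, the new `based_auth` line still tracks the repository's default branch rather than a fixed revision, and with this commit that crate supplies the `APIUser` extractor that the admin routes rely on. Cargo.lock records commit `bab73914bdddc53cbec5c1d2fabdcfe857838aa8`, but a `cargo update`, or a build from a checkout without the lockfile, resolves to whatever the branch holds at that time. Pinning the reviewed revision in the manifest keeps the authentication code from changing unnoticed: `based_auth = { git = "https://git.hydrar.de/jmarya/based_auth", rev = "bab73914bdddc53cbec5c1d2fabdcfe857838aa8", features = ["axum"] }`.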
@@ -30,12 +31,23 @@ use sheepd::DeviceList; use super::mqtt::is_within_80_seconds; use super::mqtt::send_msg; +macro_rules! check_admin { + ($user:ident) => { + if !$user.read().is_admin() { + return ( + StatusCode::UNAUTHORIZED, + Json(api::Result::Err("Invalid credentials")), + ); + } + }; +} + pub async fn device_shell_cmd( Path(device_id): Path, - TypedHeader(session): TypedHeader>, + APIUser(user): APIUser, Json(payload): Json, ) -> (StatusCode, Json>) { - // TODO : check auth + check_admin!(user); let machine: Option> = get!(device_id); @@ -65,9 +77,9 @@ pub async fn device_shell_cmd( pub async fn device_get_api( Path(device_id): Path, - session: TypedHeader>, + APIUser(user): APIUser, ) -> (StatusCode, Json>) { - // TODO : check auth + check_admin!(user); let machine: Option> = get!(device_id.clone()); @@ -94,10 +106,9 @@ pub fn device_online(id: &String) -> bool { .unwrap_or(false) } -pub async fn devices_list( - session: TypedHeader>, -) -> (StatusCode, Json>) { - // TODO : auth? +pub async fn devices_list(APIUser(user): APIUser) -> (StatusCode, Json>) { + check_admin!(user); + let machines: Vec> = query!(|_| true); let mut ret = vec![];
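Review bot: `check_admin!` answers an authenticated non-admin with `StatusCode::UNAUTHORIZED` and "Invalid credentials", which tells the client its credentials were wrong when they were accepted; assuming the `APIUser` extractor already rejects missing or invalid credentials (not visible in this patch), the non-admin branch should be `StatusCode::FORBIDDEN,` with a body such as `Json(api::Result::Err("Admin privileges required")),`. The same macro guards `device_get_api` and `devices_list` in the two later hunks, so the change is made once in the macro. The macro also hides a `return` and only compiles in handlers whose return type is `(StatusCode, Json<...>)`; a comment above it such as `// Early-returns from the enclosing handler unless $user is an admin.` would make that visible to the next reader. Judging by its name, `device_shell_cmd` forwards commands to a device, so logging the user and `device_id` once the check passes would give an audit trail, if the part of the body outside this hunk does not already do so.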