minkan-chat · Erik1000 · Dec 4, 2021 · Dec 8, 2021 · Dec 11, 2021 · Dec 12, 2021
@@ -1,50 +1,55 @@
 [package]
 name = "minkan_server"
 version = "0.1.0"
-authors = [
-    "Erik Tesar <[email protected]>",
-]
-edition = "2018"
+authors = ["Erik Tesar <[email protected]>"]
+edition = "2021"
 license = "AGPL-3.0-or-later"
 
 [dependencies]
-actix = "0.10"
-actix-web = "3"
-async-graphql = { version = "2.10", features = ["apollo_tracing", "uuid", "dataloader", "cbor"] }
-async-graphql-actix-web = "2.10"
-bitflags = "1.3"
-log = "0.4"
-pretty_env_logger = "0.4"
-thiserror = "1"
-sqlx = { version = "0.4", features = ["chrono", "ipnetwork", "macros", "migrate", "offline", "postgres", "runtime-actix-rustls", "uuid"] }
-serde = { version = "1", features = ["derive"]}
-serde_cbor = "0.11"
-serde_json = "1.0.66"
-uuid = { version = "0.8", features = ["serde", "v4"] }
-bytes = { version = "1", features = ["serde"] }
-moka = { version = "0.5", features = ["future"] }
-chrono = { version = "0.4", features = ["serde"] }
-rand = "0.8.4"
-hex = "0.4.3"
-argon2 = "0.2"
-regex = "1.5.4"
-lazy_static = "1.4.0"
-jsonwebtoken = "8.0.0-beta.2"
-anyhow = "1.0.43"
-sequoia-openpgp = { version = "1.3", default-features = false}
-async-trait = "0.1.51"
-actix-web-httpauth = "0.5.1"
-futures = "0.3.17"
-redis = { version = "0.21.2", features = ["async-std-comp", "aio", "r2d2"] }
-r2d2 = "0.8.9"
-figment = { version = "0.10.6", features = ["env", "toml"]}
-directories = "3"
+# the web framework to serve endpoints
+actix-web = "4.0.1"
+# for the logger macros
+log = "0.4.14"
+# an backend to actually output logs
+env_logger = "0.9.0"
+serde = { version = "1.0.131", features = ["derive"] }
+# to proccess raw binary data
+bytes = { version = "1.1.0", features = ["serde"] }
+# for easy error handling
+anyhow = { version = "1.0.51", features = ["std"] }
+# for configuration
+figment = { version = "0.10.6", features = ["env", "toml"] }
+# for openid connect integrations
+openidconnect = "2.2"
+chrono = { version = "0.4.19", features = ["clock"] }
+oauth2 = "4.1.0"
+# for hashing of the nonce and state parameter
+sha2 = "0.10.0"
+# used to encode the hash into base64 so it can be stored as a cookie 
+base64 = "0.13.0"
+# used for redirect url parsing and cookie domain / path
+url = { version = "2.2.2", features = ["serde"] }
+# for communication with the postgres database
+sqlx = { version = "0.5.9", features = [
+    "macros",
+    "migrate",
+    "postgres",
+    "runtime-actix-rustls",
+] }
+# for communication with redis so we can share state between instances
+redis = { version = "0.21.4", features = [
+    "tokio-native-tls-comp",
+    "tokio-comp",
+    "connection-manager",
+    "r2d2",
+] }
+serde_json = "1.0.59"
+# for an async Mutex
+tokio = { version = "1.14.0", features = ["sync"] }
 
 [features]
-# This is a workaround for https://github.com/rust-lang/cargo/issues/1197
-# On windows disable default features when building and enable the "win" feature
-# We won't need this anymore if Cargo supports target feature flags or we have
-# a full rust crypto backend (no c/c++ dependencies).
-default = ["unix"]
-win = ["sequoia-openpgp/crypto-cng"]
-unix = ["sequoia-openpgp/crypto-nettle"]
+# built-in authentication with an openid connect provider
+oidc_login = []
+
+# features enabled by default
+default = ["oidc_login"]
@@ -1,16 +1,9 @@
 CREATE TABLE users (
-    user_id UUID NOT NULL UNIQUE DEFAULT gen_random_uuid() PRIMARY KEY,
-    -- we have to create an index for the username because it is used all the time
-    username VARCHAR(16) NOT NULL UNIQUE CONSTRAINT check_username CHECK (username ~* '^[a-z0-9_]{3,16}$'),
-    -- A argon2 hash. It uses a PHC string to represent the hash and the salt
-    hash TEXT NOT NULL,
-    -- times ALWAYS in UTC
-    created_at TIMESTAMPTZ NOT NULL DEFAULT current_timestamp,
-    token_expiry TIMESTAMPTZ NOT NULL DEFAULT current_timestamp,
-    -- the backend server has to make sure that this is unique and that the cert's uid
-    -- containts the username and there's no other pub cer with that fingerprint in 
-    -- pub_certs
-    enc_cert BYTEA NOT NULL,
-    suspended BOOLEAN NOT NULL DEFAULT false,
-    suspended_reason TEXT
+    -- refers to the `sub` claim in openid connect core
+    -- see https://openid.net/specs/openid-connect-core-1_0.html
+    -- it must be a json string (not an UUID)
+    "id" TEXT NOT NULL UNIQUE PRIMARY KEY,
+    -- refers to the `preferred_username`
+    -- see https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+    "username" TEXT NOT NULL
 );
@@ -0,0 +1,13 @@
+CREATE TABLE certificates (
+    "user_id" TEXT NOT NULL UNIQUE REFERENCES users(id) PRIMARY KEY,
+    -- a pgp fingerprint is a sha-1 hash which is hex encoded without spaces
+    -- and all UPPERCASE
+    "fingerprint" VARCHAR(40) NOT NULL UNIQUE CONSTRAINT check_sha1_uppercase_hex 
+        -- a sha1 hash in uppercase hex
+        CHECK (fingerprint ~* '^[A-F0-9]{40}$'),
+    -- all openpgp packets for this certificate
+    -- Note: if the user uploaded a certificate with encrypted secret key 
+    -- material, this will be in here, so remember not to return it. 
+    -- e.g. dont use https://docs.rs/sequoia-openpgp/1.6.0/sequoia_openpgp/struct.Cert.html#method.as_tsk when exporting the certificate
+    "body" BYTEA NOT NULL
+);
@@ -1,17 +1,19 @@
 CREATE TABLE certifications (
     -- the fingerprint of the certifying certificate
     -- this links the actual user that created the certification
-    -- in the pub_certs table
-    certifier_cert VARCHAR(40) NOT NULL REFERENCES pub_certs(cert_fingerprint),
+    -- in the certificates table
+    "certifier_cert" VARCHAR(40) NOT NULL REFERENCES certificates(fingerprint),
     -- the certificate this certification is for
     -- it's actually a userid packet of a certificate
     -- but because we assume that a user's name is the only userid
     -- of a certificate, this is okay because there can only be
     -- one certification for one userid 
-    target_cert VARCHAR(40) NOT NULL REFERENCES pub_certs(cert_fingerprint)
+    "target_cert" VARCHAR(40) NOT NULL REFERENCES certificates(fingerprint)
     -- a user shouldn't certify itself
     CONSTRAINT check_no_self_signature CHECK (certifier_cert != target_cert),
-    -- the actual certification a openpgp implementation can verify
-    -- its a openpgp signature packet
-    certification BYTEA NOT NULL
+    -- the actual certification an openpgp implementation can verify
+    -- its an openpgp signature packet as defined in in sectopm 5.2 of RFC 4880
+    -- see https://datatracker.ietf.org/doc/html/rfc4880#section-5.2
+    "body" BYTEA NOT NULL,
+    PRIMARY KEY ("certifier_cert", "target_cert")
 )
@@ -0,0 +1,8 @@
+CREATE TABLE sessions (
+    -- the session id (`sid` claim in the id token)
+    "id" TEXT NOT NULL PRIMARY KEY,
+    -- the user this session related to (`sub` claim)
+    "user_id" TEXT NOT NULL REFERENCES users(id),
+    -- the date and time this session was first encountered
+    "encountered" TIMESTAMPTZ NOT NULL DEFAULT current_timestamp
+)
@@ -0,0 +1,6 @@
+-- this table stores sessions which got revoked via backchannel logout
+-- if a session is encountered and it is in this table, it will be rejected.
+CREATE TABLE revoked_sessions (
+    -- the `sid` claim
+    "id" TEXT NOT NULL PRIMARY KEY UNIQUE
+)
@@ -1,9 +1,14 @@
-db_uri = "postgresql://my_user@[email protected]/my_database"
-redis_ui  = "redis://my_other_user@[email protected]/"
-listen = "0.0.0.0:8080"
-jwt_secret = ""
-server_cert = """
------BEGIN PGP PRIVATE KEY BLOCK-----
-insert my privat key here
------END PGP PRIVATE KEY BLOCK-----
-"""
+listen = "127.0.0.1:8080"
+postgres_uri = "postgres://my_user:[email protected]:5432/minkan"
+redis_uri = "rediss://redis:[email protected]:6380"
+
+
+[openid_connect]
+client_id = "minkan-server"
+client_secret = "aaa"
+discovery_url = "https://sso.erik-tesar.com/auth/realms/minkan"
+
+# Optional if the instance is built without the `oidc_login` feature flag
+redirect_url = "http://localhost:8080/odic/callback"
+app_redirect_error = "https://localhost:8080/#/oidc/err"
+app_redirect_success = "https://localhost:8080/#/oidc/ok"