andras/vault-link
1
0
Fork 0
Code Issues Pull requests 18 Projects Releases 55 Packages Wiki Activity Actions 1

Add vault-level access control

Browse source
This commit is contained in:
Andras Schmelczer 2025-03-29 12:25:15 +00:00
parent a8c813b9a7
commit b3e98d32b6
No known key found for this signature in database
GPG key ID: FC8F2C3D3D1A718C
17 changed files with 86 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

23
backend/sync_server/src/server/auth.rs
View file

@ -1,15 +1,26 @@
use crate::{
app_state::AppState,
config::user_config::User,
errors::{SyncServerError, unauthorized_error},
app_state::{AppState, database::models::VaultId},
config::user_config::{AllowListedVaults, User, VaultAccess},
errors::{SyncServerError, permission_denied_error, unauthenticated_error},
};
// TODO: turn this into a middleware
pub fn auth(app_state: &AppState, token: &str) -> Result<User, SyncServerError> {
app_state
pub fn auth(app_state: &AppState, token: &str, vault: &VaultId) -> Result<User, SyncServerError> {
let user = app_state
.config
.users
.get_user(token)
.cloned()
.ok_or_else(|| unauthorized_error(anyhow::anyhow!("Invalid token")))
.ok_or_else(|| unauthenticated_error(anyhow::anyhow!("Invalid token")))?;
if match user.vault_access {
VaultAccess::AllowAccessToAll => true,
VaultAccess::AllowList(AllowListedVaults { ref allowed }) => allowed.contains(vault),
} {
Ok(user)
} else {
Err(permission_denied_error(anyhow::anyhow!(
"Permission denied for vault `{vault}`"
)))
}
}

2
backend/sync_server/src/server/create_document.rs
View file

@ -87,7 +87,7 @@ async fn internal_create_document(
relative_path: String,
content: Vec<u8>,
) -> Result<Json<DocumentVersionWithoutContent>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let mut transaction = state
.database

2
backend/sync_server/src/server/delete_document.rs
View file

@ -37,7 +37,7 @@ pub async fn delete_document(
State(state): State<AppState>,
Json(request): Json<DeleteDocumentVersion>,
) -> Result<Json<DocumentVersionWithoutContent>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let mut transaction = state
.database

2
backend/sync_server/src/server/fetch_document_version.rs
View file

@ -35,7 +35,7 @@ pub async fn fetch_document_version(
}): Path<FetchDocumentVersionPathParams>,
State(state): State<AppState>,
) -> Result<Json<DocumentVersion>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let result = state
.database

2
backend/sync_server/src/server/fetch_document_version_content.rs
View file

@ -37,7 +37,7 @@ pub async fn fetch_document_version_content(
}): Path<FetchDocumentVersionContentPathParams>,
State(state): State<AppState>,
) -> Result<Bytes, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let result = state
.database

2
backend/sync_server/src/server/fetch_latest_document_version.rs
View file

@ -33,7 +33,7 @@ pub async fn fetch_latest_document_version(
}): Path<FetchLatestDocumentVersionPathParams>,
State(state): State<AppState>,
) -> Result<Json<DocumentVersion>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let latest_version = state
.database

2
backend/sync_server/src/server/fetch_latest_documents.rs
View file

@ -35,7 +35,7 @@ pub async fn fetch_latest_documents(
Query(QueryParams { since_update_id }): Query<QueryParams>,
State(state): State<AppState>,
) -> Result<Json<FetchLatestDocumentsResponse>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
let documents = if let Some(since_update_id) = since_update_id {
state

23
backend/sync_server/src/server/ping.rs
View file

@ -1,19 +1,34 @@
use axum::{Json, extract::State};
use axum::{
Json,
extract::{Path, State},
};
use axum_extra::{
TypedHeader,
headers::{Authorization, authorization::Bearer},
};
use schemars::JsonSchema;
use serde::Deserialize;
use super::{auth::auth, responses::PingResponse};
use crate::{app_state::AppState, errors::SyncServerError};
use crate::{
app_state::{AppState, database::models::VaultId},
errors::SyncServerError,
};
// This is required for aide to infer the path parameter types and names
#[derive(Deserialize, JsonSchema)]
pub struct PingPathParams {
vault_id: VaultId,
}
#[axum::debug_handler]
pub async fn ping(
maybe_auth_header: Option<TypedHeader<Authorization<Bearer>>>,
Path(PingPathParams { vault_id }): Path<PingPathParams>,
State(state): State<AppState>,
) -> Result<Json<PingResponse>, SyncServerError> {
let is_authenticated =
maybe_auth_header.is_some_and(|auth_header| auth(&state, auth_header.token()).is_ok());
let is_authenticated = maybe_auth_header
.is_some_and(|auth_header| auth(&state, auth_header.token(), &vault_id).is_ok());
Ok(Json(PingResponse {
server_version: env!("CARGO_PKG_VERSION").to_owned(),

2
backend/sync_server/src/server/update_document.rs
View file

@ -92,7 +92,7 @@ async fn internal_update_document(
relative_path: String,
content: Vec<u8>,
) -> Result<Json<DocumentUpdateResponse>, SyncServerError> {
auth(&state, auth_header.token())?;
auth(&state, auth_header.token(), &vault_id)?;
// No need for a transaction as document versions are immutable
let parent_document = state

6
backend/sync_server/src/server/websocket.rs
View file

@ -20,7 +20,7 @@ use crate::{
AppState,
database::models::{DocumentVersionWithoutContent, VaultId, VaultUpdateId},
},
errors::{SyncServerError, server_error, unauthorized_error},
errors::{SyncServerError, server_error, unauthenticated_error},
};
// This is required for aide to infer the path parameter types and names
@ -73,9 +73,9 @@ async fn websocket(
let (mut sender, mut receiver) = stream.split();
if let Some(Ok(Message::Text(token))) = receiver.next().await {
auth(&state, &token)?;
auth(&state, &token, &vault_id)?;
} else {
return Err(unauthorized_error(anyhow::anyhow!(
return Err(unauthenticated_error(anyhow::anyhow!(
"Failed to authenticate"
)));
}