Prevent deleted users from using the service using their old session

2020-01-12 21:49:22 -08:00 · 2020-01-12 21:49:22 -08:00 · 448198acb6
commit 448198acb6
parent c49fdbab37
2 changed files with 25 additions and 4 deletions
--- a/src/api.rs
+++ b/src/api.rs
@ -122,7 +122,19 @@ impl<'a, 'r> FromRequest<'a, 'r> for Auth {

 	fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, ()> {
 		let mut cookies = request.guard::<Cookies<'_>>().unwrap();
+		let db = match request.guard::<State<'_, Arc<DB>>>() {
+			Outcome::Success(d) => d,
+			_ => return Outcome::Failure((Status::InternalServerError, ())),
+		};
+
 		if let Some(u) = cookies.get_private(COOKIE_SESSION) {
+			let exists = match user::exists(db.deref().deref(), u.value()) {
+				Ok(e) => e,
+				Err(_) => return Outcome::Failure((Status::InternalServerError, ())),
+			};
+			if !exists {
+				return Outcome::Failure((Status::Unauthorized, ()));
+			}
 			return Outcome::Success(Auth {
 				username: u.value().to_string(),
 			});
@ -135,10 +147,6 @@ impl<'a, 'r> FromRequest<'a, 'r> for Auth {
 				password: Some(password),
 			}) = Basic::from_str(auth_header_string.trim_start_matches("Basic "))
 			{
-				let db = match request.guard::<State<'_, Arc<DB>>>() {
-					Outcome::Success(d) => d,
-					_ => return Outcome::Failure((Status::InternalServerError, ())),
-				};
 				if user::auth(db.deref().deref(), &username, &password).unwrap_or(false) {
 					let is_admin = match user::is_admin(db.deref().deref(), &username) {
 						Ok(a) => a,
--- a/src/user.rs
+++ b/src/user.rs
@ -68,6 +68,19 @@ where
 	Ok(count)
 }

+pub fn exists<T>(db: &T, username: &str) -> Result<bool>
+where
+	T: ConnectionSource,
+{
+	use crate::db::users::dsl::*;
+	let connection = db.get_connection();
+	let results: Vec<String> = users
+		.select(name)
+		.filter(name.eq(username))
+		.get_results(connection.deref())?;
+	Ok(results.len() > 0)
+}
+
 pub fn is_admin<T>(db: &T, username: &str) -> Result<bool>
 where
 	T: ConnectionSource,