Refactoring of frontend and OIDC

I want to make some code reusable for other projects
2025-12-13 22:52:22 +00:00 · 2025-04-20 21:23:52 +02:00
parent 678d2291e0
commit 2c74d56f50
6 changed files with 109 additions and 87 deletions
--- a/crates/frontend/src/config.rs
+++ b/crates/frontend/src/config.rs
@@ -1,35 +1,10 @@
-use openidconnect::{ClientId, ClientSecret, IssuerUrl, Scope};
+pub use crate::oidc::OidcConfig;
 use serde::{Deserialize, Serialize};

 fn default_true() -> bool {
    true
 }

-#[derive(Deserialize, Serialize, Clone, Default)]
-#[serde(rename_all = "snake_case")]
-pub enum UserIdClaim {
-    // The correct option
-    Sub,
-    // The more ergonomic option if you know what you're doing
-    #[default]
-    PreferredUsername,
-}
-
-#[derive(Deserialize, Serialize, Clone)]
-#[serde(deny_unknown_fields)]
-pub struct OidcConfig {
-    pub name: String,
-    pub issuer: IssuerUrl,
-    pub client_id: ClientId,
-    pub client_secret: Option<ClientSecret>,
-    pub scopes: Vec<Scope>,
-    #[serde(default)]
-    pub allow_sign_up: bool,
-    pub require_group: Option<String>,
-    #[serde(default)]
-    pub claim_userid: UserIdClaim,
-}
-
 #[derive(Deserialize, Serialize, Clone)]
 #[serde(deny_unknown_fields)]
 pub struct FrontendConfig {
--- a/crates/frontend/src/lib.rs
+++ b/crates/frontend/src/lib.rs
@@ -14,7 +14,7 @@ use actix_web::{
 use askama::Template;
 use askama_web::WebTemplate;
 use assets::{Assets, EmbedService};
-use oidc::{route_get_oidc_callback, route_post_oidc};
+use oidc::configure_oidc;
 use rand::{Rng, distributions::Alphanumeric};
 use routes::{
    addressbook::{route_addressbook, route_addressbook_restore},
@@ -34,6 +34,9 @@ pub mod nextcloud_login;
 mod oidc;
 mod routes;

+pub const ROUTE_NAME_HOME: &str = "frontend_home";
+pub const ROUTE_USER_NAMED: &str = "frontend_user_named";
+
 pub use config::{FrontendConfig, OidcConfig};

 pub fn generate_app_token() -> String {
@@ -54,15 +57,6 @@ struct UserPage {
    pub deleted_addressbooks: Vec<Addressbook>,
 }

-async fn route_user(user: User, req: HttpRequest) -> Redirect {
-    Redirect::to(
-        req.url_for("frontend_user_named", &[user.id])
-            .unwrap()
-            .to_string(),
-    )
-    .see_other()
-}
-
 async fn route_user_named<CS: CalendarStore, AS: AddressbookStore>(
    path: Path<String>,
    cal_store: Data<CS>,
@@ -106,9 +100,18 @@ async fn route_user_named<CS: CalendarStore, AS: AddressbookStore>(
    .respond_to(&req)
 }

+async fn route_get_home(user: User, req: HttpRequest) -> Redirect {
+    Redirect::to(
+        req.url_for(ROUTE_USER_NAMED, &[user.id])
+            .unwrap()
+            .to_string(),
+    )
+    .see_other()
+}
+
 async fn route_root(user: Option<User>, req: HttpRequest) -> impl Responder {
    let redirect_url = match user {
-        Some(_) => req.url_for_static("frontend_user").unwrap(),
+        Some(_) => req.url_for_static(ROUTE_NAME_HOME).unwrap(),
        None => req
            .resource_map()
            .url_for::<[_; 0], String>(&req, "frontend_login", [])
@@ -208,63 +211,52 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
        .service(web::resource("").route(web::method(Method::GET).to(route_root)))
        .service(
            web::resource("/user")
-                .route(web::method(Method::GET).to(route_user))
-                .name("frontend_user"),
+                .get(route_get_home)
+                .name(ROUTE_NAME_HOME),
        )
        .service(
            web::resource("/user/{user}")
-                .route(web::method(Method::GET).to(route_user_named::<CS, AS>))
-                .name("frontend_user_named"),
+                .get(route_user_named::<CS, AS>)
+                .name(ROUTE_USER_NAMED),
        )
+        // App token management
+        .service(web::resource("/user/{user}/app_token").post(route_post_app_token::<AP>))
        .service(
-            web::resource("/user/{user}/app_token")
-                .route(web::method(Method::POST).to(route_post_app_token::<AP>)),
-        )
-        .service(
-            web::resource("/user/{user}/app_token/{id}/delete")
-                .route(web::method(Method::POST).to(route_delete_app_token::<AP>)),
-        )
-        .service(
-            web::resource("/user/{user}/calendar/{calendar}")
-                .route(web::method(Method::GET).to(route_calendar::<CS>)),
+            // POST because HTML5 forms don't support DELETE method
+            web::resource("/user/{user}/app_token/{id}/delete").post(route_delete_app_token::<AP>),
        )
+        // Calendar
+        .service(web::resource("/user/{user}/calendar/{calendar}").get(route_calendar::<CS>))
        .service(
            web::resource("/user/{user}/calendar/{calendar}/restore")
-                .route(web::method(Method::POST).to(route_calendar_restore::<CS>)),
+                .post(route_calendar_restore::<CS>),
        )
+        // Addressbook
        .service(
-            web::resource("/user/{user}/addressbook/{addressbook}")
-                .route(web::method(Method::GET).to(route_addressbook::<AS>)),
+            web::resource("/user/{user}/addressbook/{addressbook}").get(route_addressbook::<AS>),
        )
        .service(
            web::resource("/user/{user}/addressbook/{addressbook}/restore")
-                .route(web::method(Method::POST).to(route_addressbook_restore::<AS>)),
+                .post(route_addressbook_restore::<AS>),
        )
+        // Login
        .service(
            web::resource("/login")
                .name("frontend_login")
-                .route(web::method(Method::GET).to(route_get_login))
-                .route(web::method(Method::POST).to(route_post_login::<AP>)),
+                .get(route_get_login)
+                .post(route_post_login::<AP>),
        )
        .service(
            web::resource("/logout")
                .name("frontend_logout")
-                .route(web::method(Method::POST).to(route_post_logout)),
+                .post(route_post_logout),
        );

    if let Some(oidc_config) = oidc_config {
-        scope = scope
-            .app_data(Data::new(oidc_config))
-            .service(
-                web::resource("/login/oidc")
-                    .name("frontend_login_oidc")
-                    .route(web::method(Method::POST).to(route_post_oidc)),
-            )
-            .service(
-                web::resource("/login/oidc/callback")
-                    .name("frontend_oidc_callback")
-                    .route(web::method(Method::GET).to(route_get_oidc_callback::<AP>)),
-            );
+        scope = scope.service(
+            web::scope("/login/oidc")
+                .configure(|cfg| configure_oidc::<AP>(cfg, oidc_config, ROUTE_NAME_HOME)),
+        );
    }

    cfg.service(scope);
--- a/crates/frontend/src/oidc/config.rs
+++ b/crates/frontend/src/oidc/config.rs
@@ -0,0 +1,27 @@
+use openidconnect::{ClientId, ClientSecret, IssuerUrl, Scope};
+use serde::{Deserialize, Serialize};
+
+#[derive(Deserialize, Serialize, Clone, Default)]
+#[serde(rename_all = "snake_case")]
+pub enum UserIdClaim {
+    // The correct option
+    Sub,
+    // The more ergonomic option if you know what you're doing
+    #[default]
+    PreferredUsername,
+}
+
+#[derive(Deserialize, Serialize, Clone)]
+#[serde(deny_unknown_fields)]
+pub struct OidcConfig {
+    pub name: String,
+    pub issuer: IssuerUrl,
+    pub client_id: ClientId,
+    pub client_secret: Option<ClientSecret>,
+    pub scopes: Vec<Scope>,
+    #[serde(default)]
+    pub allow_sign_up: bool,
+    pub require_group: Option<String>,
+    #[serde(default)]
+    pub claim_userid: UserIdClaim,
+}
--- a/crates/frontend/src/oidc/mod.rs
+++ b/crates/frontend/src/oidc/mod.rs
@@ -1,10 +1,11 @@
-use crate::config::{OidcConfig, UserIdClaim};
 use actix_session::Session;
 use actix_web::{
    HttpRequest, HttpResponse, Responder,
    http::StatusCode,
-    web::{Data, Form, Query, Redirect},
+    web::{self, Data, Form, Query, Redirect, ServiceConfig},
 };
+pub use config::OidcConfig;
+use config::UserIdClaim;
 use error::OidcError;
 use openidconnect::{
    AuthenticationFlow, AuthorizationCode, CsrfToken, EndpointMaybeSet, EndpointNotSet,
@@ -15,15 +16,16 @@ use openidconnect::{
 use rustical_store::auth::{AuthenticationProvider, User, user::PrincipalType::Individual};
 use serde::{Deserialize, Serialize};

+mod config;
 mod error;

-pub(crate) struct OidcProviderData<'a> {
-    pub name: &'a str,
-    pub redirect_url: String,
-}
-
+pub const ROUTE_NAME_OIDC_LOGIN: &str = "oidc_login";
+const ROUTE_NAME_OIDC_CALLBACK: &str = "oidc_callback";
 const SESSION_KEY_OIDC_STATE: &str = "oidc_state";

+#[derive(Debug)]
+pub struct DefaultRedirectRouteName(pub &'static str);
+
 #[derive(Debug, Deserialize, Serialize)]
 struct OidcState {
    state: CsrfToken,
@@ -96,7 +98,7 @@ pub async fn route_post_oidc(
    let oidc_client = get_oidc_client(
        oidc_config.as_ref().clone(),
        &http_client,
-        RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
+        RedirectUrl::new(req.url_for_static(ROUTE_NAME_OIDC_CALLBACK)?.to_string())?,
    )
    .await?;

@@ -138,6 +140,7 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
    session: Session,
    auth_provider: Data<AP>,
    Query(AuthCallbackQuery { code, iss }): Query<AuthCallbackQuery>,
+    default_redirect_name: Data<DefaultRedirectRouteName>,
 ) -> Result<impl Responder, OidcError> {
    assert_eq!(iss, oidc_config.issuer);
    let oidc_state = session
@@ -149,7 +152,7 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
    let oidc_client = get_oidc_client(
        oidc_config.get_ref().clone(),
        &http_client,
-        RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
+        RedirectUrl::new(req.url_for_static(ROUTE_NAME_OIDC_CALLBACK)?.to_string())?,
    )
    .await?;

@@ -207,7 +210,9 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
        user = Some(new_user);
    }

-    let default_redirect = req.url_for_static("frontend_user")?.to_string();
+    let default_redirect = req
+        .url_for_static(default_redirect_name.as_ref().0)?
+        .to_string();
    let redirect_uri = oidc_state.redirect_uri.unwrap_or(default_redirect.clone());
    let redirect_uri = req
        .full_url()
@@ -225,7 +230,25 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
            .respond_to(&req)
            .map_into_boxed_body())
    } else {
-        // Add user provisioning
        Ok(HttpResponse::build(StatusCode::UNAUTHORIZED).body("User does not exist"))
    }
 }
+
+pub fn configure_oidc<AP: AuthenticationProvider>(
+    cfg: &mut ServiceConfig,
+    oidc_config: OidcConfig,
+    default_redirect_name: &'static str,
+) {
+    cfg.app_data(Data::new(oidc_config))
+        .app_data(Data::new(DefaultRedirectRouteName(default_redirect_name)))
+        .service(
+            web::resource("")
+                .name(ROUTE_NAME_OIDC_LOGIN)
+                .post(route_post_oidc),
+        )
+        .service(
+            web::resource("/callback")
+                .name(ROUTE_NAME_OIDC_CALLBACK)
+                .get(route_get_oidc_callback::<AP>),
+        );
+}
--- a/crates/frontend/src/routes/calendar.rs
+++ b/crates/frontend/src/routes/calendar.rs
@@ -18,7 +18,7 @@ pub async fn route_calendar<C: CalendarStore>(
    store: Data<C>,
    user: User,
    req: HttpRequest,
-) -> Result<impl Responder, rustical_store::Error> {
+) -> Result<HttpResponse, rustical_store::Error> {
    let (owner, cal_id) = path.into_inner();
    if !user.is_principal(&owner) {
        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
@@ -34,7 +34,7 @@ pub async fn route_calendar_restore<CS: CalendarStore>(
    req: HttpRequest,
    store: Data<CS>,
    user: User,
-) -> Result<impl Responder, rustical_store::Error> {
+) -> Result<HttpResponse, rustical_store::Error> {
    let (owner, cal_id) = path.into_inner();
    if !user.is_principal(&owner) {
        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
@@ -45,6 +45,6 @@ pub async fn route_calendar_restore<CS: CalendarStore>(
            .using_status_code(StatusCode::FOUND)
            .respond_to(&req)
            .map_into_boxed_body(),
-        None => HttpResponse::Ok().body("Restored"),
+        None => HttpResponse::Created().body("Restored"),
    })
 }
--- a/crates/frontend/src/routes/login.rs
+++ b/crates/frontend/src/routes/login.rs
@@ -1,4 +1,4 @@
-use crate::{FrontendConfig, OidcConfig, oidc::OidcProviderData};
+use crate::{FrontendConfig, OidcConfig, oidc::ROUTE_NAME_OIDC_LOGIN};
 use actix_session::Session;
 use actix_web::{
    HttpRequest, HttpResponse, Responder,
@@ -19,6 +19,11 @@ struct LoginPage<'a> {
    allow_password_login: bool,
 }

+struct OidcProviderData<'a> {
+    pub name: &'a str,
+    pub redirect_url: String,
+}
+
 #[derive(Debug, Deserialize)]
 pub struct GetLoginQuery {
    redirect_uri: Option<String>,
@@ -30,14 +35,14 @@ pub async fn route_get_login(
    req: HttpRequest,
    config: Data<FrontendConfig>,
    oidc_config: Data<Option<OidcConfig>>,
-) -> impl Responder {
+) -> HttpResponse {
    let oidc_data = oidc_config
        .as_ref()
        .as_ref()
        .map(|oidc_config| OidcProviderData {
            name: &oidc_config.name,
            redirect_url: req
-                .url_for_static("frontend_login_oidc")
+                .url_for_static(ROUTE_NAME_OIDC_LOGIN)
                .unwrap()
                .to_string(),
        });