flotte-user-management/src/database/users.rs

use crate::database::models::UserRecord;
use crate::database::tokens::SessionTokens;
use crate::database::user_roles::UserRoles;
use crate::database::{DatabaseResult, RedisConnection, Table};
use crate::utils::error::DBError;
use crate::utils::{create_salt, get_user_id_from_token, TOKEN_LENGTH};
use postgres::Client;
use scrypt::ScryptParams;
use std::sync::{Arc, Mutex};
use zeroize::{Zeroize, Zeroizing};

#[derive(Clone)]
pub struct Users {
    database_connection: Arc<Mutex<Client>>,
    redis_connection: Arc<Mutex<RedisConnection>>,
    user_roles: UserRoles,
}

impl Table for Users {
    fn new(
        database_connection: Arc<Mutex<Client>>,
        redis_connection: Arc<Mutex<RedisConnection>>,
    ) -> Self {
        Self {
            user_roles: UserRoles::new(
                Arc::clone(&database_connection),
                Arc::clone(&redis_connection),
            ),
            database_connection,
            redis_connection,
        }
    }

    fn init(&self) -> DatabaseResult<()> {
        self.database_connection
            .lock()
            .unwrap()
            .batch_execute(
                "CREATE TABLE IF NOT EXISTS users (
            id              SERIAL PRIMARY KEY,
            name            VARCHAR(255) NOT NULL,
            email           VARCHAR(255) UNIQUE NOT NULL,
            password_hash   BYTEA NOT NULL,
            salt            BYTEA NOT NULL
        );",
            )
            .map_err(DBError::from)
    }
}

impl Users {
    pub fn create_user(
        &self,
        name: String,
        email: String,
        password: String,
    ) -> DatabaseResult<UserRecord> {
        let mut connection = self.database_connection.lock().unwrap();
        let mut password = Zeroizing::new(password);

        if !connection
            .query("SELECT email FROM users WHERE email = $1", &[&email])?
            .is_empty()
        {
            return Err(DBError::RecordExists);
        }
        let salt = Zeroizing::new(create_salt());
        let mut pw_hash = Zeroizing::new([0u8; 32]);
        scrypt::scrypt(
            password.as_bytes(),
            &*salt,
            &ScryptParams::recommended(),
            &mut *pw_hash,
        )
        .map_err(|_| DBError::ScryptError)?;
        password.zeroize();
        let row = connection.query_one("
            INSERT INTO users (name, email, password_hash, salt) VALUES ($1, $2, $3, $4) RETURNING *;
        ", &[&name, &email, &pw_hash.to_vec(), &salt.to_vec()])?;

        Ok(UserRecord::from_ordered_row(&row))
    }

    pub fn create_token(&self, email: String, password: String) -> DatabaseResult<SessionTokens> {
        if self.validate_login(&email, password)? {
            let mut connection = self.database_connection.lock().unwrap();
            let row = connection.query_one("SELECT id FROM users WHERE email = $1", &[&email])?;
            let id: i32 = row.get(0);
            let mut redis_connection = self.redis_connection.lock().unwrap();

            let tokens = SessionTokens::new(id);
            tokens.store(&mut redis_connection)?;

            Ok(tokens)
        } else {
            Err(DBError::GenericError("Invalid password".to_string()))
        }
    }

    pub fn validate_request_token(
        &self,
        token: &[u8; TOKEN_LENGTH],
    ) -> DatabaseResult<(bool, i32)> {
        let id = get_user_id_from_token(token);
        let mut redis_connection = self.redis_connection.lock().unwrap();
        let tokens = SessionTokens::retrieve(id, &mut redis_connection)?;

        Ok((tokens.request_token == *token, tokens.request_ttl))
    }

    pub fn validate_refresh_token(
        &self,
        token: &[u8; TOKEN_LENGTH],
    ) -> DatabaseResult<(bool, i32)> {
        let id = get_user_id_from_token(token);
        let mut redis_connection = self.redis_connection.lock().unwrap();
        let tokens = SessionTokens::retrieve(id, &mut redis_connection)?;

        Ok((tokens.refresh_token == *token, tokens.refresh_ttl))
    }

    pub fn refresh_tokens(
        &self,
        refresh_token: &[u8; TOKEN_LENGTH],
    ) -> DatabaseResult<SessionTokens> {
        let id = get_user_id_from_token(refresh_token);
        let mut redis_connection = self.redis_connection.lock().unwrap();
        let mut tokens = SessionTokens::retrieve(id, &mut redis_connection)?;

        if tokens.refresh_token == *refresh_token {
            tokens.refresh();
            tokens.store(&mut redis_connection)?;

            Ok(tokens)
        } else {
            Err(DBError::GenericError("Invalid refresh token!".to_string()))
        }
    }

    fn validate_login(&self, email: &String, password: String) -> DatabaseResult<bool> {
        let password = Zeroizing::new(password);
        let mut connection = self.database_connection.lock().unwrap();
        let row = connection.query_one(
            "SELECT password_hash, salt FROM users WHERE email = $1",
            &[&email],
        )?;
        let original_pw_hash: Zeroizing<Vec<u8>> = Zeroizing::new(row.get(0));
        let salt: Zeroizing<Vec<u8>> = Zeroizing::new(row.get(1));
        let mut pw_hash = Zeroizing::new([0u8; 32]);

        scrypt::scrypt(
            password.as_bytes(),
            &*salt,
            &ScryptParams::recommended(),
            &mut *pw_hash,
        )
        .map_err(|_| DBError::ScryptError)?;

        Ok(*pw_hash == *original_pw_hash.as_slice())
    }
}