1use base64::Engine;
2use core_db_types::models::{
3 MagicLinkRequest, MagicLinkRequestId, Organization, OrganizationMember, User, UserGoogleAccount, UserId,
4};
5use core_db_types::schema::{magic_link_requests, organization_members, organizations, user_google_accounts, users};
6use core_traits::EmailServiceClient;
7use diesel::{BoolExpressionMethods, ExpressionMethods, OptionalExtension, QueryDsl, SelectableHelper};
8use diesel_async::RunQueryDsl;
9use ext_traits::{OptionExt, RequestExt, ResultExt};
10use geo_ip::GeoIpRequestExt;
11use pb::scufflecloud::core::v1::CaptchaProvider;
12use sha2::Digest;
13use tonic::Code;
14use tonic_types::{ErrorDetails, StatusExt};
15
16use crate::cedar::{Action, CoreApplication, Unauthenticated};
17use crate::common::normalize_email;
18use crate::http_ext::CoreRequestExt;
19use crate::operations::{Operation, OperationDriver};
20use crate::{captcha, common, google_api};
21
22impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithMagicLinkRequest> {
23 type Principal = Unauthenticated;
24 type Resource = CoreApplication;
25 type Response = ();
26
27 const ACTION: Action = Action::RequestMagicLink;
28
29 async fn validate(&mut self) -> Result<(), tonic::Status> {
30 let global = &self.global::<G>()?;
31 let captcha = self.get_ref().captcha.clone().require("captcha")?;
32
33 match captcha.provider() {
35 CaptchaProvider::Unspecified => {
36 return Err(tonic::Status::with_error_details(
37 Code::InvalidArgument,
38 "captcha provider must be set",
39 ErrorDetails::new(),
40 ));
41 }
42 CaptchaProvider::Turnstile => {
43 captcha::turnstile::verify_in_tonic(global, self.ip_address_info()?.ip_address, &captcha.token).await?;
44 }
45 }
46
47 Ok(())
48 }
49
50 async fn load_principal(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
51 Ok(Unauthenticated)
52 }
53
54 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
55 Ok(CoreApplication)
56 }
57
58 async fn execute(
59 self,
60 driver: &mut OperationDriver<'_, G>,
61 _principal: Self::Principal,
62 _resource: Self::Resource,
63 ) -> Result<Self::Response, tonic::Status> {
64 let global = &self.global::<G>()?;
65
66 let email = normalize_email(&self.get_ref().email);
67
68 let conn = driver.conn().await?;
69
70 let user = common::get_user_by_email(conn, &email).await?;
71 let user_id = user.as_ref().map(|u| u.id);
72
73 let code = common::generate_random_bytes().into_tonic_internal_err("failed to generate magic link code")?;
74 let code_base64 = base64::prelude::BASE64_URL_SAFE.encode(code);
75
76 let timeout = global.timeout_config().magic_link_request;
77
78 let session_request = MagicLinkRequest {
80 id: MagicLinkRequestId::new(),
81 user_id,
82 email: email.clone(),
83 code: code.to_vec(),
84 expires_at: chrono::Utc::now() + timeout,
85 };
86 diesel::insert_into(magic_link_requests::dsl::magic_link_requests)
87 .values(session_request)
88 .execute(conn)
89 .await
90 .into_tonic_internal_err("failed to insert magic link user session request")?;
91
92 let email_msg = if user_id.is_none() {
94 core_emails::register_with_email_email(&self.dashboard_origin::<G>()?, code_base64, timeout)
95 .into_tonic_internal_err("failed to render registration email")?
96 } else {
97 core_emails::magic_link_email(&self.dashboard_origin::<G>()?, code_base64, timeout)
98 .into_tonic_internal_err("failed to render magic link email")?
99 };
100
101 let email_msg = common::email_to_pb(global, email, user.and_then(|u| u.preferred_name), email_msg);
102
103 global
104 .email_service()
105 .send_email(email_msg)
106 .await
107 .into_tonic_internal_err("failed to send magic link email")?;
108
109 Ok(())
110 }
111}
112
113#[derive(Clone)]
114struct CompleteLoginWithMagicLinkState {
115 create_user: bool,
116}
117
118impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::CompleteLoginWithMagicLinkRequest> {
119 type Principal = User;
120 type Resource = CoreApplication;
121 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
122
123 const ACTION: Action = Action::LoginWithMagicLink;
124
125 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
126 let conn = driver.conn().await?;
127
128 let Some(magic_link_request) = diesel::delete(magic_link_requests::dsl::magic_link_requests)
130 .filter(
131 magic_link_requests::dsl::code
132 .eq(&self.get_ref().code)
133 .and(magic_link_requests::dsl::expires_at.gt(chrono::Utc::now())),
134 )
135 .returning(MagicLinkRequest::as_select())
136 .get_result::<MagicLinkRequest>(conn)
137 .await
138 .optional()
139 .into_tonic_internal_err("failed to delete magic link request")?
140 else {
141 return Err(tonic::Status::with_error_details(
142 Code::NotFound,
143 "unknown code",
144 ErrorDetails::new(),
145 ));
146 };
147
148 let mut state = CompleteLoginWithMagicLinkState { create_user: false };
149
150 let user = if let Some(user_id) = magic_link_request.user_id {
152 users::dsl::users
153 .find(user_id)
154 .first::<User>(conn)
155 .await
156 .into_tonic_internal_err("failed to query user")?
157 } else {
158 state.create_user = true;
159
160 let hash = sha2::Sha256::digest(&magic_link_request.email);
161 let avatar_url = format!("https://gravatar.com/avatar/{:x}?s=80&d=identicon", hash);
162
163 User {
164 id: UserId::new(),
165 preferred_name: None,
166 first_name: None,
167 last_name: None,
168 password_hash: None,
169 primary_email: Some(magic_link_request.email),
170 avatar_url: Some(avatar_url),
171 }
172 };
173
174 self.extensions_mut().insert(state);
175
176 Ok(user)
177 }
178
179 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
180 Ok(CoreApplication)
181 }
182
183 async fn execute(
184 mut self,
185 driver: &mut OperationDriver<'_, G>,
186 principal: Self::Principal,
187 _resource: Self::Resource,
188 ) -> Result<Self::Response, tonic::Status> {
189 let global = &self.global::<G>()?;
190 let ip_info = self.ip_address_info()?;
191 let dashboard_origin = self.dashboard_origin::<G>()?;
192 let state: CompleteLoginWithMagicLinkState = self
193 .extensions_mut()
194 .remove()
195 .into_tonic_internal_err("missing CompleteLoginWithMagicLinkState state")?;
196
197 let device = self.into_inner().device.require("device")?;
198
199 let conn = driver.conn().await?;
200
201 if state.create_user {
202 common::create_user(conn, &principal).await?;
203 }
204
205 let new_token = common::create_session(
206 global,
207 conn,
208 &dashboard_origin,
209 &principal,
210 device,
211 &ip_info,
212 !state.create_user,
213 )
214 .await?;
215 Ok(new_token)
216 }
217}
218
219impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithEmailAndPasswordRequest> {
220 type Principal = User;
221 type Resource = CoreApplication;
222 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
223
224 const ACTION: Action = Action::LoginWithEmailPassword;
225
226 async fn validate(&mut self) -> Result<(), tonic::Status> {
227 let global = &self.global::<G>()?;
228 let captcha = self.get_ref().captcha.clone().require("captcha")?;
229
230 match captcha.provider() {
232 CaptchaProvider::Unspecified => {
233 return Err(tonic::Status::with_error_details(
234 Code::InvalidArgument,
235 "captcha provider must be set",
236 ErrorDetails::new(),
237 ));
238 }
239 CaptchaProvider::Turnstile => {
240 captcha::turnstile::verify_in_tonic(global, self.ip_address_info()?.ip_address, &captcha.token).await?;
241 }
242 }
243
244 Ok(())
245 }
246
247 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
248 let conn = driver.conn().await?;
249 let Some(user) = common::get_user_by_email(conn, &self.get_ref().email).await? else {
250 return Err(tonic::Status::with_error_details(
251 tonic::Code::NotFound,
252 "user not found",
253 ErrorDetails::new(),
254 ));
255 };
256
257 Ok(user)
258 }
259
260 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
261 Ok(CoreApplication)
262 }
263
264 async fn execute(
265 self,
266 driver: &mut OperationDriver<'_, G>,
267 principal: Self::Principal,
268 _resource: Self::Resource,
269 ) -> Result<Self::Response, tonic::Status> {
270 let global = &self.global::<G>()?;
271 let ip_info = self.ip_address_info()?;
272 let dashboard_origin = self.dashboard_origin::<G>()?;
273 let payload = self.into_inner();
274
275 let conn = driver.conn().await?;
276
277 let device = payload.device.require("device")?;
278
279 let Some(password_hash) = &principal.password_hash else {
281 return Err(tonic::Status::with_error_details(
282 tonic::Code::FailedPrecondition,
283 "user does not have a password set",
284 ErrorDetails::new(),
285 ));
286 };
287
288 common::verify_password(password_hash, &payload.password)?;
289
290 common::create_session(global, conn, &dashboard_origin, &principal, device, &ip_info, true).await
291 }
292}
293
294#[derive(Clone, Default)]
295struct CompleteLoginWithGoogleState {
296 first_login: bool,
297 google_workspace: Option<pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace>,
298}
299
300impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::CompleteLoginWithGoogleRequest> {
301 type Principal = User;
302 type Resource = CoreApplication;
303 type Response = pb::scufflecloud::core::v1::CompleteLoginWithGoogleResponse;
304
305 const ACTION: Action = Action::LoginWithGoogle;
306
307 async fn validate(&mut self) -> Result<(), tonic::Status> {
308 let device = self.get_ref().device.clone().require("device")?;
309 let device_fingerprint = sha2::Sha256::digest(&device.public_key_data);
310 let state = base64::prelude::BASE64_URL_SAFE
311 .decode(&self.get_ref().state)
312 .into_tonic_internal_err("failed to decode state")?;
313
314 if *device_fingerprint != state {
315 return Err(tonic::Status::with_error_details(
316 tonic::Code::FailedPrecondition,
317 "device fingerprint does not match state",
318 ErrorDetails::new(),
319 ));
320 }
321
322 Ok(())
323 }
324
325 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
326 let global = &self.global::<G>()?;
327
328 let google_token = google_api::request_tokens(global, &self.dashboard_origin::<G>()?, &self.get_ref().code)
329 .await
330 .into_tonic_err_with_field_violation("code", "failed to request google token")?;
331
332 let workspace_user = if google_token.scope.contains(google_api::ADMIN_DIRECTORY_API_USER_SCOPE) {
334 if let Some(hd) = google_token.id_token.hd.clone() {
335 google_api::request_google_workspace_user(global, &google_token.access_token, &google_token.id_token.sub)
336 .await
337 .into_tonic_internal_err("failed to request Google Workspace user")?
338 .map(|u| (u, hd))
339 } else {
340 None
341 }
342 } else {
343 None
344 };
345
346 let mut state = CompleteLoginWithGoogleState {
347 first_login: false,
348 google_workspace: None,
349 };
350
351 let conn = driver.conn().await?;
352
353 if let Some((workspace_user, hd)) = workspace_user
355 && workspace_user.is_admin
356 {
357 let n = diesel::update(organizations::dsl::organizations)
358 .filter(organizations::dsl::google_customer_id.eq(&workspace_user.customer_id))
359 .set(organizations::dsl::google_hosted_domain.eq(&google_token.id_token.hd))
360 .execute(conn)
361 .await
362 .into_tonic_internal_err("failed to update organization")?;
363
364 if n == 0 {
365 state.google_workspace = Some(pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace::UnassociatedGoogleHostedDomain(hd));
366 }
367 }
368
369 let google_account = user_google_accounts::dsl::user_google_accounts
370 .find(&google_token.id_token.sub)
371 .first::<UserGoogleAccount>(conn)
372 .await
373 .optional()
374 .into_tonic_internal_err("failed to query google account")?;
375
376 match google_account {
377 Some(google_account) => {
378 let user = diesel::update(users::dsl::users)
380 .filter(users::dsl::id.eq(google_account.user_id))
381 .set(users::dsl::avatar_url.eq(google_token.id_token.picture))
382 .returning(User::as_select())
383 .get_result::<User>(conn)
384 .await
385 .into_tonic_internal_err("failed to update user")?;
386
387 self.extensions_mut().insert(state);
388
389 Ok(user)
390 }
391 None => {
392 let registered_user = if google_token.id_token.email_verified {
396 common::get_user_by_email(conn, &google_token.id_token.email).await?
397 } else {
398 None
399 };
400
401 let user = match registered_user {
402 Some(user) => user, None => {
404 let user = User {
406 id: UserId::new(),
407 preferred_name: google_token.id_token.name,
408 first_name: google_token.id_token.given_name,
409 last_name: google_token.id_token.family_name,
410 password_hash: None,
411 primary_email: google_token
412 .id_token
413 .email_verified
414 .then(|| normalize_email(&google_token.id_token.email)),
415 avatar_url: google_token.id_token.picture,
416 };
417
418 common::create_user(conn, &user).await?;
419
420 user
421 }
422 };
423
424 let google_account = UserGoogleAccount {
425 sub: google_token.id_token.sub,
426 access_token: google_token.access_token,
427 access_token_expires_at: chrono::Utc::now() + chrono::Duration::seconds(google_token.expires_in as i64),
428 user_id: user.id,
429 created_at: chrono::Utc::now(),
430 };
431
432 diesel::insert_into(user_google_accounts::dsl::user_google_accounts)
433 .values(google_account)
434 .execute(conn)
435 .await
436 .into_tonic_internal_err("failed to insert user google account")?;
437
438 if let Some(hd) = google_token.id_token.hd {
439 let organization = organizations::dsl::organizations
441 .filter(organizations::dsl::google_hosted_domain.eq(hd))
442 .first::<Organization>(conn)
443 .await
444 .optional()
445 .into_tonic_internal_err("failed to query organization")?;
446
447 if let Some(org) = organization {
448 let membership = OrganizationMember {
450 organization_id: org.id,
451 user_id: user.id,
452 invited_by_id: None,
453 inline_policy: None,
454 created_at: chrono::Utc::now(),
455 };
456
457 diesel::insert_into(organization_members::dsl::organization_members)
458 .values(membership)
459 .execute(conn)
460 .await
461 .into_tonic_internal_err("failed to insert organization membership")?;
462
463 state.google_workspace = Some(
464 pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace::Joined(
465 org.into(),
466 ),
467 );
468 }
469 }
470
471 state.first_login = true;
472 self.extensions_mut().insert(state);
473
474 Ok(user)
475 }
476 }
477 }
478
479 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
480 Ok(CoreApplication)
481 }
482
483 async fn execute(
484 mut self,
485 driver: &mut OperationDriver<'_, G>,
486 principal: Self::Principal,
487 _resource: Self::Resource,
488 ) -> Result<Self::Response, tonic::Status> {
489 let global = &self.global::<G>()?;
490 let ip_info = self.ip_address_info()?;
491 let dashboard_origin = self.dashboard_origin::<G>()?;
492
493 let state = self
494 .extensions_mut()
495 .remove::<CompleteLoginWithGoogleState>()
496 .into_tonic_internal_err("missing CompleteLoginWithGoogleState state")?;
497
498 let device = self.into_inner().device.require("device")?;
499
500 let conn = driver.conn().await?;
501
502 let token = common::create_session(global, conn, &dashboard_origin, &principal, device, &ip_info, false).await?;
504
505 Ok(pb::scufflecloud::core::v1::CompleteLoginWithGoogleResponse {
506 new_user_session_token: Some(token),
507 first_login: state.first_login,
508 google_workspace: state.google_workspace,
509 })
510 }
511}
512
513impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithWebauthnRequest> {
514 type Principal = User;
515 type Resource = CoreApplication;
516 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
517
518 const ACTION: Action = Action::LoginWithWebauthn;
519
520 async fn load_principal(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
521 let global = &self.global::<G>()?;
522 let user_id: UserId = self
523 .get_ref()
524 .user_id
525 .parse()
526 .into_tonic_err_with_field_violation("user_id", "invalid ID")?;
527
528 common::get_user_by_id(global, user_id).await
529 }
530
531 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
532 Ok(CoreApplication)
533 }
534
535 async fn execute(
536 self,
537 driver: &mut OperationDriver<'_, G>,
538 principal: Self::Principal,
539 _resource: Self::Resource,
540 ) -> Result<Self::Response, tonic::Status> {
541 let global = &self.global::<G>()?;
542 let ip_info = self.ip_address_info()?;
543 let dashboard_origin = self.dashboard_origin::<G>()?;
544 let payload = self.into_inner();
545
546 let pk_cred: webauthn_rs::prelude::PublicKeyCredential = serde_json::from_str(&payload.response_json)
547 .into_tonic_err_with_field_violation("response_json", "invalid public key credential")?;
548 let device = payload.device.require("device")?;
549
550 let conn = driver.conn().await?;
551
552 common::finish_webauthn_authentication(global, conn, principal.id, &pk_cred).await?;
553
554 let new_token = common::create_session(global, conn, &dashboard_origin, &principal, device, &ip_info, false).await?;
556 Ok(new_token)
557 }
558}