strawberries/frangipane-backend
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added global rooms in backend and fixed room membership checks

Browse Source
This commit is contained in:
eiiko6
2025-12-17 17:14:39 +01:00
parent ffc2e99cc7
commit d20962101e
5 changed files with 81 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
db/init.sql
View File

@@ -10,7 +10,8 @@ CREATE TABLE IF NOT EXISTS room_ (
id SERIAL PRIMARY KEY, id SERIAL PRIMARY KEY,
uuid UUID UNIQUE, uuid UUID UNIQUE,
owner INT NOT NULL REFERENCES user_(id) ON DELETE CASCADE, owner INT NOT NULL REFERENCES user_(id) ON DELETE CASCADE,
name TEXT NOT NULL name TEXT NOT NULL,
global BOOLEAN DEFAULT false
); );
CREATE TABLE IF NOT EXISTS membership_ ( CREATE TABLE IF NOT EXISTS membership_ (

9
db/mock_data.sql
View File

@@ -3,14 +3,13 @@ INSERT INTO user_ (username, email, uuid, password_hash) VALUES
('bob', 'bob@example.com', '019b1e36-3b8c-7f82-b845-6bfeb72466ce', '$argon2id$v=19$m=19456,t=2,p=1$mzO6Qx8ZH4/wrj14ZgKiuA$7bxNWCgsIVEfPgtueFbjbi8mDjbAHMYAHOGpxTJnEpQ'), ('bob', 'bob@example.com', '019b1e36-3b8c-7f82-b845-6bfeb72466ce', '$argon2id$v=19$m=19456,t=2,p=1$mzO6Qx8ZH4/wrj14ZgKiuA$7bxNWCgsIVEfPgtueFbjbi8mDjbAHMYAHOGpxTJnEpQ'),
('carol', 'carol@example.com', '019b1e36-7706-76e2-b9ce-b37916ddfc99', '$argon2id$v=19$m=19456,t=2,p=1$5rw/7uIJIKMnyqNrYQt92Q$DJVEfgbaZtkflsmDEkSoR3uDQmujI4T73cWq9hOBgVI'); ('carol', 'carol@example.com', '019b1e36-7706-76e2-b9ce-b37916ddfc99', '$argon2id$v=19$m=19456,t=2,p=1$5rw/7uIJIKMnyqNrYQt92Q$DJVEfgbaZtkflsmDEkSoR3uDQmujI4T73cWq9hOBgVI');
INSERT INTO room_ (owner, name, uuid) VALUES INSERT INTO room_ (owner, name, global, uuid) VALUES
(1, 'General Discussion', '5dc599ee-1f5c-40c2-a22a-e40780d2d960'), (1, 'General Discussion', true, '5dc599ee-1f5c-40c2-a22a-e40780d2d960'),
(2, 'Tech Talk', '6b14fe7b-2171-4464-95af-4888062b1b6d'), (2, 'Tech Talk', false, '6b14fe7b-2171-4464-95af-4888062b1b6d'),
(1, 'Random Memes', 'fb794f59-6b2d-4daa-8980-dc5255862657'); (1, 'Random Memes', false, 'fb794f59-6b2d-4daa-8980-dc5255862657');
INSERT INTO membership_ (user_id, room) VALUES INSERT INTO membership_ (user_id, room) VALUES
(1, 1), -- Alice in General Discussion (1, 1), -- Alice in General Discussion
(2, 1), -- Bob in General Discussion
(2, 2), -- Bob in Tech Talk (2, 2), -- Bob in Tech Talk
(3, 1), -- Carol in General Discussion (3, 1), -- Carol in General Discussion
(1, 3); -- Alice in Random Memes (1, 3); -- Alice in Random Memes

20
src/routes/messages.rs
View File

@@ -7,7 +7,7 @@ use axum::{
use sqlx::PgPool; use sqlx::PgPool;
use uuid::Uuid; use uuid::Uuid;
use crate::{auth::verify_jwt, db::room_id_from_uuid}; use crate::{auth::verify_jwt, db::room_id_from_uuid, routes::rooms::is_member};
use crate::{ use crate::{
db::{user_id_from_uuid, username_from_uuid}, db::{user_id_from_uuid, username_from_uuid},
realtime::Realtime, realtime::Realtime,
@@ -51,15 +51,7 @@ async fn list_messages(
let user_id = user_id_from_uuid(&db, claims.sub).await?; let user_id = user_id_from_uuid(&db, claims.sub).await?;
let room_id = room_id_from_uuid(&db, room_uuid).await?; let room_id = room_id_from_uuid(&db, room_uuid).await?;
let membership: Vec<i32> = if !is_member(user_id, room_id, &db).await {
sqlx::query_scalar("SELECT user_id FROM membership_ WHERE user_id = $1 AND room = $2")
.bind(user_id)
.bind(room_id)
.fetch_all(&db)
.await
.unwrap_or_else(|_| Vec::new());
if membership.is_empty() {
return Err(( return Err((
StatusCode::UNAUTHORIZED, StatusCode::UNAUTHORIZED,
String::from("You are not a member of this room"), String::from("You are not a member of this room"),
@@ -115,9 +107,15 @@ async fn create_message(
let claims = verify_jwt(headers)?; let claims = verify_jwt(headers)?;
let user_id = user_id_from_uuid(&db, claims.sub).await?; let user_id = user_id_from_uuid(&db, claims.sub).await?;
let room_id = room_id_from_uuid(&db, room_uuid).await?; let room_id = room_id_from_uuid(&db, room_uuid).await?;
if !is_member(user_id, room_id, &db).await {
return Err((
StatusCode::UNAUTHORIZED,
String::from("You are not a member of this room"),
));
}
let sent_at: chrono::NaiveDateTime = sqlx::query_scalar( let sent_at: chrono::NaiveDateTime = sqlx::query_scalar(
"INSERT INTO message_ (sender, room, message_type, content) "INSERT INTO message_ (sender, room, message_type, content)
VALUES ($1, $2, $3, $4) RETURNING sent_at", VALUES ($1, $2, $3, $4) RETURNING sent_at",

98
src/routes/rooms.rs
View File

@@ -4,7 +4,7 @@ use axum::{
http::{HeaderMap, StatusCode}, http::{HeaderMap, StatusCode},
routing::{get, post}, routing::{get, post},
}; };
use sqlx::PgPool; use sqlx::{PgPool, Pool, Postgres};
use uuid::Uuid; use uuid::Uuid;
use crate::db::user_id_from_uuid; use crate::db::user_id_from_uuid;
@@ -20,13 +20,35 @@ pub struct Room {
#[derive(serde::Deserialize)] #[derive(serde::Deserialize)]
pub struct NewRoomPayload { pub struct NewRoomPayload {
pub name: String, pub name: String,
pub global: bool,
} }
pub fn routes() -> Router { pub fn routes() -> Router {
Router::new() Router::new()
.route("/rooms/{user_uuid}", get(list_rooms)) .route("/rooms/{user_uuid}", get(list_rooms))
.route("/rooms", post(create_room)) .route("/rooms", post(create_room))
.route("/rooms/{user_uuid}/{room_id}", get(get_room)) // .route("/rooms/{user_uuid}/{room_id}", get(get_room))
}
pub async fn is_member(user_id: i32, room_id: i32, db: &Pool<Postgres>) -> bool {
sqlx::query_scalar(
r#"
SELECT r.global
OR EXISTS (
SELECT 1
FROM membership_ m
WHERE m.user_id = $1
AND m.room = r.id
)
FROM room_ r
WHERE r.id = $2
"#,
)
.bind(user_id)
.bind(room_id)
.fetch_one(db)
.await
.unwrap_or(false)
} }
async fn list_rooms( async fn list_rooms(
@@ -43,17 +65,19 @@ async fn list_rooms(
let rooms = sqlx::query_as::<_, Room>( let rooms = sqlx::query_as::<_, Room>(
r#" r#"
SELECT uuid, owner, name FROM room_ r SELECT r.uuid, r.owner, r.name
JOIN membership_ m ON m.user_id = $1 AND m.room = r.id FROM room_ r
WHERE r.global OR EXISTS (
SELECT 1
FROM membership_ m
WHERE m.user_id = $1 AND m.room = r.id
)
"#, "#,
) )
.bind(user_id) .bind(user_id)
.fetch_all(&db) .fetch_all(&db)
.await .await
.unwrap_or_else(|e| { .unwrap_or_else(|_| Vec::new());
tracing::error!("faied to list rooms: {e}");
Vec::new()
});
Ok(Json(rooms)) Ok(Json(rooms))
} }
@@ -70,18 +94,20 @@ async fn create_room(
let room_uuid = uuid::Uuid::now_v7(); let room_uuid = uuid::Uuid::now_v7();
sqlx::query( sqlx::query(
"INSERT INTO room_ (uuid, owner, name) "INSERT INTO room_ (uuid, owner, name, global)
VALUES ($1, $2, $3)", VALUES ($1, $2, $3, $4)",
) )
.bind(room_uuid) .bind(room_uuid)
.bind(user_id) .bind(user_id)
.bind(&payload.name) .bind(&payload.name)
.bind(&payload.global)
.execute(&db) .execute(&db)
.await .await
.map_err(|_| (StatusCode::BAD_REQUEST, format!("Could not create room")))?; .map_err(|_| (StatusCode::BAD_REQUEST, format!("Could not create room")))?;
let room_id = room_id_from_uuid(&db, room_uuid).await?; let room_id = room_id_from_uuid(&db, room_uuid).await?;
// We do this even for the owner
sqlx::query("INSERT INTO membership_ (user_id, room) VALUES ($1, $2)") sqlx::query("INSERT INTO membership_ (user_id, room) VALUES ($1, $2)")
.bind(user_id) .bind(user_id)
.bind(room_id) .bind(room_id)
@@ -99,29 +125,29 @@ async fn create_room(
)) ))
} }
async fn get_room( // async fn get_room(
Path((user_uuid, room_uuid)): Path<(Uuid, Uuid)>, // Path((user_uuid, room_uuid)): Path<(Uuid, Uuid)>,
headers: HeaderMap, // headers: HeaderMap,
Extension(db): Extension<PgPool>, // Extension(db): Extension<PgPool>,
) -> Result<Json<Room>, (StatusCode, String)> { // ) -> Result<Json<Room>, (StatusCode, String)> {
let claims = verify_jwt(headers)?; // let claims = verify_jwt(headers)?;
if claims.sub != user_uuid { // if claims.sub != user_uuid {
return Err((StatusCode::FORBIDDEN, "Forbidden".to_string())); // return Err((StatusCode::FORBIDDEN, "Forbidden".to_string()));
} // }
//
let user_id = user_id_from_uuid(&db, user_uuid).await?; // let user_id = user_id_from_uuid(&db, user_uuid).await?;
//
let room: Room = // let room: Room =
sqlx::query_as("SELECT uuid, owner, name FROM room_ WHERE uuid = $1 AND owner = $2") // sqlx::query_as("SELECT uuid, owner, name FROM room_ WHERE uuid = $1 AND owner = $2")
.bind(room_uuid) // .bind(room_uuid)
.bind(user_id) // .bind(user_id)
.fetch_one(&db) // .fetch_one(&db)
.await // .await
.map_err(|_| (StatusCode::NOT_FOUND, "Room not found".to_string()))?; // .map_err(|_| (StatusCode::NOT_FOUND, "Room not found".to_string()))?;
//
Ok(Json(Room { // Ok(Json(Room {
uuid: room_uuid, // uuid: room_uuid,
owner: room.owner, // owner: room.owner,
name: room.name, // name: room.name,
})) // }))
} // }

16
src/routes/ws.rs
View File

@@ -14,6 +14,7 @@ use uuid::Uuid;
use crate::auth::{create_jwt, verify_jwt}; use crate::auth::{create_jwt, verify_jwt};
use crate::db::user_id_from_uuid; use crate::db::user_id_from_uuid;
use crate::routes::rooms::is_member;
use crate::{db::room_id_from_uuid, realtime::Realtime}; use crate::{db::room_id_from_uuid, realtime::Realtime};
#[derive(sqlx::FromRow, serde::Serialize, Deserialize)] #[derive(sqlx::FromRow, serde::Serialize, Deserialize)]
@@ -37,15 +38,7 @@ pub async fn issue_ws_token(
let room_id = room_id_from_uuid(&db, room_uuid).await?; let room_id = room_id_from_uuid(&db, room_uuid).await?;
let user_id = user_id_from_uuid(&db, claims.sub).await?; let user_id = user_id_from_uuid(&db, claims.sub).await?;
let membership: Vec<i32> = if !is_member(user_id, room_id, &db).await {
sqlx::query_scalar("SELECT user_id FROM membership_ WHERE user_id = $1 AND room = $2")
.bind(user_id)
.bind(room_id)
.fetch_all(&db)
.await
.unwrap_or_else(|_| Vec::new());
if membership.is_empty() {
return Err(( return Err((
StatusCode::UNAUTHORIZED, StatusCode::UNAUTHORIZED,
String::from("You are not a member of this room"), String::from("You are not a member of this room"),
@@ -70,11 +63,10 @@ pub async fn issue_ws_token(
.bind(room_id) .bind(room_id)
.execute(&db) .execute(&db)
.await .await
.map_err(|e| { .map_err(|_| {
tracing::error!("failed to insert ws token: {e}");
( (
StatusCode::INTERNAL_SERVER_ERROR, StatusCode::INTERNAL_SERVER_ERROR,
format!("failed to insert ws token: {e}"), format!("failed to provide ws token"),
) )
})?; })?;