1use base64::Engine;
2use core_db_types::models::{
3 MagicLinkRequest, MagicLinkRequestId, Organization, OrganizationMember, User, UserGoogleAccount, UserId,
4};
5use core_db_types::schema::{magic_link_requests, organization_members, organizations, user_google_accounts, users};
6use core_traits::EmailServiceClient;
7use diesel::{BoolExpressionMethods, ExpressionMethods, OptionalExtension, QueryDsl, SelectableHelper};
8use diesel_async::RunQueryDsl;
9use ext_traits::{OptionExt, RequestExt, ResultExt};
10use geo_ip::GeoIpRequestExt;
11use pb::scufflecloud::core::v1::CaptchaProvider;
12use sha2::Digest;
13use tonic::Code;
14use tonic_types::{ErrorDetails, StatusExt};
15
16use crate::cedar::{Action, CoreApplication, Unauthenticated};
17use crate::common::normalize_email;
18use crate::http_ext::CoreRequestExt;
19use crate::operations::{Operation, OperationDriver};
20use crate::{captcha, common, google_api};
21
22impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithMagicLinkRequest> {
23 type Principal = Unauthenticated;
24 type Resource = CoreApplication;
25 type Response = ();
26
27 const ACTION: Action = Action::RequestMagicLink;
28
29 async fn validate(&mut self) -> Result<(), tonic::Status> {
30 let global = &self.global::<G>()?;
31 let captcha = self.get_ref().captcha.clone().require("captcha")?;
32
33 match captcha.provider() {
35 CaptchaProvider::Unspecified => {
36 return Err(tonic::Status::with_error_details(
37 Code::InvalidArgument,
38 "captcha provider must be set",
39 ErrorDetails::new(),
40 ));
41 }
42 CaptchaProvider::Turnstile => {
43 captcha::turnstile::verify_in_tonic(global, self.ip_address_info()?.ip_address, &captcha.token).await?;
44 }
45 }
46
47 Ok(())
48 }
49
50 async fn load_principal(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
51 Ok(Unauthenticated)
52 }
53
54 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
55 Ok(CoreApplication)
56 }
57
58 async fn execute(
59 self,
60 driver: &mut OperationDriver<'_, G>,
61 _principal: Self::Principal,
62 _resource: Self::Resource,
63 ) -> Result<Self::Response, tonic::Status> {
64 let global = &self.global::<G>()?;
65
66 let email = normalize_email(&self.get_ref().email);
67
68 let conn = driver.conn().await?;
69
70 let user = common::get_user_by_email(conn, &email).await?;
71 let user_id = user.as_ref().map(|u| u.id);
72
73 let code = common::generate_random_bytes().into_tonic_internal_err("failed to generate magic link code")?;
74 let code_base64 = base64::prelude::BASE64_URL_SAFE.encode(code);
75
76 let timeout = global.timeout_config().magic_link_request;
77
78 let session_request = MagicLinkRequest {
80 id: MagicLinkRequestId::new(),
81 user_id,
82 email: email.clone(),
83 code: code.to_vec(),
84 expires_at: chrono::Utc::now() + timeout,
85 };
86 diesel::insert_into(magic_link_requests::dsl::magic_link_requests)
87 .values(session_request)
88 .execute(conn)
89 .await
90 .into_tonic_internal_err("failed to insert magic link user session request")?;
91
92 let email_msg = if user_id.is_none() {
94 core_emails::register_with_email_email(&self.dashboard_origin::<G>()?, code_base64, timeout)
95 .into_tonic_internal_err("failed to render registration email")?
96 } else {
97 core_emails::magic_link_email(&self.dashboard_origin::<G>()?, code_base64, timeout)
98 .into_tonic_internal_err("failed to render magic link email")?
99 };
100
101 let email_msg = common::email_to_pb(global, email, user.and_then(|u| u.preferred_name), email_msg);
102
103 global
104 .email_service()
105 .send_email(email_msg)
106 .await
107 .into_tonic_internal_err("failed to send magic link email")?;
108
109 Ok(())
110 }
111}
112
113#[derive(Clone)]
114struct CompleteLoginWithMagicLinkState {
115 create_user: bool,
116}
117
118impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::CompleteLoginWithMagicLinkRequest> {
119 type Principal = User;
120 type Resource = CoreApplication;
121 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
122
123 const ACTION: Action = Action::LoginWithMagicLink;
124
125 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
126 let conn = driver.conn().await?;
127
128 let Some(magic_link_request) = diesel::delete(magic_link_requests::dsl::magic_link_requests)
130 .filter(
131 magic_link_requests::dsl::code
132 .eq(&self.get_ref().code)
133 .and(magic_link_requests::dsl::expires_at.gt(chrono::Utc::now())),
134 )
135 .returning(MagicLinkRequest::as_select())
136 .get_result::<MagicLinkRequest>(conn)
137 .await
138 .optional()
139 .into_tonic_internal_err("failed to delete magic link request")?
140 else {
141 return Err(tonic::Status::with_error_details(
142 Code::NotFound,
143 "unknown code",
144 ErrorDetails::new(),
145 ));
146 };
147
148 let mut state = CompleteLoginWithMagicLinkState { create_user: false };
149
150 let user = if let Some(user_id) = magic_link_request.user_id {
152 users::dsl::users
153 .find(user_id)
154 .first::<User>(conn)
155 .await
156 .into_tonic_internal_err("failed to query user")?
157 } else {
158 state.create_user = true;
159
160 let hash = sha2::Sha256::digest(&magic_link_request.email);
161 let avatar_url = format!("https://gravatar.com/avatar/{:x}?s=80&d=identicon", hash);
162
163 User {
164 id: UserId::new(),
165 preferred_name: None,
166 first_name: None,
167 last_name: None,
168 password_hash: None,
169 primary_email: Some(magic_link_request.email),
170 avatar_url: Some(avatar_url),
171 }
172 };
173
174 self.extensions_mut().insert(state);
175
176 Ok(user)
177 }
178
179 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
180 Ok(CoreApplication)
181 }
182
183 async fn execute(
184 mut self,
185 driver: &mut OperationDriver<'_, G>,
186 principal: Self::Principal,
187 _resource: Self::Resource,
188 ) -> Result<Self::Response, tonic::Status> {
189 let global = &self.global::<G>()?;
190 let metadata = common::CreateSessionMetadata::from_req::<G, _>(&self)?;
191 let state: CompleteLoginWithMagicLinkState = self
192 .extensions_mut()
193 .remove()
194 .into_tonic_internal_err("missing CompleteLoginWithMagicLinkState state")?;
195
196 let device = self.into_inner().device.require("device")?;
197
198 let conn = driver.conn().await?;
199
200 if state.create_user {
201 common::create_user(conn, &principal).await?;
202 }
203
204 let new_token = common::create_session(global, conn, &principal, device, metadata, !state.create_user).await?;
205 Ok(new_token)
206 }
207}
208
209impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithEmailAndPasswordRequest> {
210 type Principal = User;
211 type Resource = CoreApplication;
212 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
213
214 const ACTION: Action = Action::LoginWithEmailPassword;
215
216 async fn validate(&mut self) -> Result<(), tonic::Status> {
217 let global = &self.global::<G>()?;
218 let captcha = self.get_ref().captcha.clone().require("captcha")?;
219
220 match captcha.provider() {
222 CaptchaProvider::Unspecified => {
223 return Err(tonic::Status::with_error_details(
224 Code::InvalidArgument,
225 "captcha provider must be set",
226 ErrorDetails::new(),
227 ));
228 }
229 CaptchaProvider::Turnstile => {
230 captcha::turnstile::verify_in_tonic(global, self.ip_address_info()?.ip_address, &captcha.token).await?;
231 }
232 }
233
234 Ok(())
235 }
236
237 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
238 let conn = driver.conn().await?;
239 let Some(user) = common::get_user_by_email(conn, &self.get_ref().email).await? else {
240 return Err(tonic::Status::with_error_details(
241 tonic::Code::NotFound,
242 "user not found",
243 ErrorDetails::new(),
244 ));
245 };
246
247 Ok(user)
248 }
249
250 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
251 Ok(CoreApplication)
252 }
253
254 async fn execute(
255 self,
256 driver: &mut OperationDriver<'_, G>,
257 principal: Self::Principal,
258 _resource: Self::Resource,
259 ) -> Result<Self::Response, tonic::Status> {
260 let global = &self.global::<G>()?;
261 let metadata = common::CreateSessionMetadata::from_req::<G, _>(&self)?;
262 let payload = self.into_inner();
263
264 let conn = driver.conn().await?;
265
266 let device = payload.device.require("device")?;
267
268 let Some(password_hash) = &principal.password_hash else {
270 return Err(tonic::Status::with_error_details(
271 tonic::Code::FailedPrecondition,
272 "user does not have a password set",
273 ErrorDetails::new(),
274 ));
275 };
276
277 common::verify_password(password_hash, &payload.password)?;
278
279 common::create_session(global, conn, &principal, device, metadata, true).await
280 }
281}
282
283#[derive(Clone, Default)]
284struct CompleteLoginWithGoogleState {
285 first_login: bool,
286 google_workspace: Option<pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace>,
287}
288
289impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::CompleteLoginWithGoogleRequest> {
290 type Principal = User;
291 type Resource = CoreApplication;
292 type Response = pb::scufflecloud::core::v1::CompleteLoginWithGoogleResponse;
293
294 const ACTION: Action = Action::LoginWithGoogle;
295
296 async fn validate(&mut self) -> Result<(), tonic::Status> {
297 let device = self.get_ref().device.clone().require("device")?;
298 let device_fingerprint = sha2::Sha256::digest(&device.public_key_data);
299 let state = urlencoding::decode(&self.get_ref().state).into_tonic_internal_err("failed to decode state")?;
300 let state = base64::prelude::BASE64_URL_SAFE
301 .decode(state.as_ref())
302 .into_tonic_internal_err("failed to decode state")?;
303
304 if *device_fingerprint != state {
305 return Err(tonic::Status::with_error_details(
306 tonic::Code::FailedPrecondition,
307 "device fingerprint does not match state",
308 ErrorDetails::new(),
309 ));
310 }
311
312 Ok(())
313 }
314
315 async fn load_principal(&mut self, driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
316 let global = &self.global::<G>()?;
317
318 let google_token = google_api::request_tokens(global, &self.dashboard_origin::<G>()?, &self.get_ref().code)
319 .await
320 .into_tonic_err_with_field_violation("code", "failed to request google token")?;
321
322 let workspace_user = if google_token.scope.contains(google_api::ADMIN_DIRECTORY_API_USER_SCOPE) {
324 if let Some(hd) = google_token.id_token.hd.clone() {
325 google_api::request_google_workspace_user(global, &google_token.access_token, &google_token.id_token.sub)
326 .await
327 .into_tonic_internal_err("failed to request Google Workspace user")?
328 .map(|u| (u, hd))
329 } else {
330 None
331 }
332 } else {
333 None
334 };
335
336 let mut state = CompleteLoginWithGoogleState {
337 first_login: false,
338 google_workspace: None,
339 };
340
341 let conn = driver.conn().await?;
342
343 if let Some((workspace_user, hd)) = workspace_user
345 && workspace_user.is_admin
346 {
347 let n = diesel::update(organizations::dsl::organizations)
348 .filter(organizations::dsl::google_customer_id.eq(&workspace_user.customer_id))
349 .set(organizations::dsl::google_hosted_domain.eq(&google_token.id_token.hd))
350 .execute(conn)
351 .await
352 .into_tonic_internal_err("failed to update organization")?;
353
354 if n == 0 {
355 state.google_workspace = Some(pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace::UnassociatedGoogleHostedDomain(hd));
356 }
357 }
358
359 let google_account = user_google_accounts::dsl::user_google_accounts
360 .find(&google_token.id_token.sub)
361 .first::<UserGoogleAccount>(conn)
362 .await
363 .optional()
364 .into_tonic_internal_err("failed to query google account")?;
365
366 match google_account {
367 Some(google_account) => {
368 let user = diesel::update(users::dsl::users)
370 .filter(users::dsl::id.eq(google_account.user_id))
371 .set(users::dsl::avatar_url.eq(google_token.id_token.picture))
372 .returning(User::as_select())
373 .get_result::<User>(conn)
374 .await
375 .into_tonic_internal_err("failed to update user")?;
376
377 self.extensions_mut().insert(state);
378
379 Ok(user)
380 }
381 None => {
382 let registered_user = if google_token.id_token.email_verified {
386 common::get_user_by_email(conn, &google_token.id_token.email).await?
387 } else {
388 None
389 };
390
391 let user = match registered_user {
392 Some(user) => user, None => {
394 let user = User {
396 id: UserId::new(),
397 preferred_name: google_token.id_token.name,
398 first_name: google_token.id_token.given_name,
399 last_name: google_token.id_token.family_name,
400 password_hash: None,
401 primary_email: google_token
402 .id_token
403 .email_verified
404 .then(|| normalize_email(&google_token.id_token.email)),
405 avatar_url: google_token.id_token.picture,
406 };
407
408 common::create_user(conn, &user).await?;
409
410 user
411 }
412 };
413
414 let google_account = UserGoogleAccount {
415 sub: google_token.id_token.sub,
416 access_token: google_token.access_token,
417 access_token_expires_at: chrono::Utc::now() + chrono::Duration::seconds(google_token.expires_in as i64),
418 user_id: user.id,
419 created_at: chrono::Utc::now(),
420 };
421
422 diesel::insert_into(user_google_accounts::dsl::user_google_accounts)
423 .values(google_account)
424 .execute(conn)
425 .await
426 .into_tonic_internal_err("failed to insert user google account")?;
427
428 if let Some(hd) = google_token.id_token.hd {
429 let organization = organizations::dsl::organizations
431 .filter(organizations::dsl::google_hosted_domain.eq(hd))
432 .first::<Organization>(conn)
433 .await
434 .optional()
435 .into_tonic_internal_err("failed to query organization")?;
436
437 if let Some(org) = organization {
438 let membership = OrganizationMember {
440 organization_id: org.id,
441 user_id: user.id,
442 invited_by_id: None,
443 inline_policy: None,
444 created_at: chrono::Utc::now(),
445 };
446
447 diesel::insert_into(organization_members::dsl::organization_members)
448 .values(membership)
449 .execute(conn)
450 .await
451 .into_tonic_internal_err("failed to insert organization membership")?;
452
453 state.google_workspace = Some(
454 pb::scufflecloud::core::v1::complete_login_with_google_response::GoogleWorkspace::Joined(
455 org.into(),
456 ),
457 );
458 }
459 }
460
461 state.first_login = true;
462 self.extensions_mut().insert(state);
463
464 Ok(user)
465 }
466 }
467 }
468
469 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
470 Ok(CoreApplication)
471 }
472
473 async fn execute(
474 mut self,
475 driver: &mut OperationDriver<'_, G>,
476 principal: Self::Principal,
477 _resource: Self::Resource,
478 ) -> Result<Self::Response, tonic::Status> {
479 let global = &self.global::<G>()?;
480 let metadata = common::CreateSessionMetadata::from_req::<G, _>(&self)?;
481
482 let state = self
483 .extensions_mut()
484 .remove::<CompleteLoginWithGoogleState>()
485 .into_tonic_internal_err("missing CompleteLoginWithGoogleState state")?;
486
487 let device = self.into_inner().device.require("device")?;
488
489 let conn = driver.conn().await?;
490
491 let token = common::create_session(global, conn, &principal, device, metadata, false).await?;
493
494 Ok(pb::scufflecloud::core::v1::CompleteLoginWithGoogleResponse {
495 new_user_session_token: Some(token),
496 first_login: state.first_login,
497 google_workspace: state.google_workspace,
498 })
499 }
500}
501
502impl<G: core_traits::Global> Operation<G> for tonic::Request<pb::scufflecloud::core::v1::LoginWithWebauthnRequest> {
503 type Principal = User;
504 type Resource = CoreApplication;
505 type Response = pb::scufflecloud::core::v1::NewUserSessionToken;
506
507 const ACTION: Action = Action::LoginWithWebauthn;
508
509 async fn load_principal(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Principal, tonic::Status> {
510 let global = &self.global::<G>()?;
511 let user_id: UserId = self
512 .get_ref()
513 .user_id
514 .parse()
515 .into_tonic_err_with_field_violation("user_id", "invalid ID")?;
516
517 common::get_user_by_id(global, user_id).await
518 }
519
520 async fn load_resource(&mut self, _driver: &mut OperationDriver<'_, G>) -> Result<Self::Resource, tonic::Status> {
521 Ok(CoreApplication)
522 }
523
524 async fn execute(
525 self,
526 driver: &mut OperationDriver<'_, G>,
527 principal: Self::Principal,
528 _resource: Self::Resource,
529 ) -> Result<Self::Response, tonic::Status> {
530 let global = &self.global::<G>()?;
531 let metadata = common::CreateSessionMetadata::from_req::<G, _>(&self)?;
532 let payload = self.into_inner();
533
534 let pk_cred: webauthn_rs::prelude::PublicKeyCredential = serde_json::from_str(&payload.response_json)
535 .into_tonic_err_with_field_violation("response_json", "invalid public key credential")?;
536 let device = payload.device.require("device")?;
537
538 let conn = driver.conn().await?;
539
540 common::finish_webauthn_authentication(global, conn, principal.id, &pk_cred).await?;
541
542 let new_token = common::create_session(global, conn, &principal, device, metadata, false).await?;
544 Ok(new_token)
545 }
546}