mirror of
https://github.com/LukeMathWalker/zero-to-production.git
synced 2024-11-22 00:31:01 +00:00
Store user list, insecurely.
This commit is contained in:
parent
984800f1a8
commit
f78f25c358
3 changed files with 68 additions and 3 deletions
6
migrations/20210815112026_create_users_table.sql
Normal file
6
migrations/20210815112026_create_users_table.sql
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
-- Add migration script here
|
||||||
|
CREATE TABLE users(
|
||||||
|
user_id uuid PRIMARY KEY,
|
||||||
|
username TEXT NOT NULL UNIQUE,
|
||||||
|
password TEXT NOT NULL
|
||||||
|
);
|
|
@ -83,6 +83,35 @@ fn basic_authentication(headers: &HeaderMap) -> Result<Credentials, anyhow::Erro
|
||||||
Ok(Credentials { username, password })
|
Ok(Credentials { username, password })
|
||||||
}
|
}
|
||||||
|
|
||||||
|
async fn validate_credentials(
|
||||||
|
credentials: Credentials,
|
||||||
|
pool: &PgPool,
|
||||||
|
) -> Result<uuid::Uuid, PublishError> {
|
||||||
|
let user_id: Option<_> = sqlx::query!(
|
||||||
|
r#"
|
||||||
|
SELECT user_id
|
||||||
|
FROM users
|
||||||
|
WHERE username = $1 AND password = $2
|
||||||
|
"#,
|
||||||
|
credentials.username,
|
||||||
|
credentials.password
|
||||||
|
)
|
||||||
|
.fetch_optional(pool)
|
||||||
|
.await
|
||||||
|
.context("Failed to performed a query to validate auth credentials.")
|
||||||
|
.map_err(PublishError::UnexpectedError)?;
|
||||||
|
|
||||||
|
user_id
|
||||||
|
.map(|row| row.user_id)
|
||||||
|
.ok_or_else(|| anyhow::anyhow!("Invalid username or password."))
|
||||||
|
.map_err(PublishError::AuthError)
|
||||||
|
}
|
||||||
|
|
||||||
|
#[tracing::instrument(
|
||||||
|
name = "Publish a newsletter issue",
|
||||||
|
skip(body, pool, email_client, request),
|
||||||
|
fields(username=tracing::field::Empty, user_id=tracing::field::Empty)
|
||||||
|
)]
|
||||||
pub async fn publish_newsletter(
|
pub async fn publish_newsletter(
|
||||||
body: web::Json<BodyData>,
|
body: web::Json<BodyData>,
|
||||||
pool: web::Data<PgPool>,
|
pool: web::Data<PgPool>,
|
||||||
|
@ -90,6 +119,10 @@ pub async fn publish_newsletter(
|
||||||
request: web::HttpRequest,
|
request: web::HttpRequest,
|
||||||
) -> Result<HttpResponse, PublishError> {
|
) -> Result<HttpResponse, PublishError> {
|
||||||
let credentials = basic_authentication(request.headers()).map_err(PublishError::AuthError)?;
|
let credentials = basic_authentication(request.headers()).map_err(PublishError::AuthError)?;
|
||||||
|
tracing::Span::current().record("username", &tracing::field::display(&credentials.username));
|
||||||
|
let user_id = validate_credentials(credentials, &pool).await?;
|
||||||
|
tracing::Span::current().record("user_id", &tracing::field::display(&user_id));
|
||||||
|
|
||||||
let subscribers = get_confirmed_subscribers(&pool).await?;
|
let subscribers = get_confirmed_subscribers(&pool).await?;
|
||||||
for subscriber in subscribers {
|
for subscriber in subscribers {
|
||||||
match subscriber {
|
match subscriber {
|
||||||
|
|
|
@ -44,9 +44,10 @@ impl TestApp {
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn post_newsletters(&self, body: serde_json::Value) -> reqwest::Response {
|
pub async fn post_newsletters(&self, body: serde_json::Value) -> reqwest::Response {
|
||||||
|
let (username, password) = self.test_user().await;
|
||||||
reqwest::Client::new()
|
reqwest::Client::new()
|
||||||
.post(&format!("{}/newsletters", &self.address))
|
.post(&format!("{}/newsletters", &self.address))
|
||||||
.basic_auth(Uuid::new_v4().to_string(), Some(Uuid::new_v4().to_string()))
|
.basic_auth(username, Some(password))
|
||||||
.json(&body)
|
.json(&body)
|
||||||
.send()
|
.send()
|
||||||
.await
|
.await
|
||||||
|
@ -76,6 +77,14 @@ impl TestApp {
|
||||||
let plain_text = get_link(&body["TextBody"].as_str().unwrap());
|
let plain_text = get_link(&body["TextBody"].as_str().unwrap());
|
||||||
ConfirmationLinks { html, plain_text }
|
ConfirmationLinks { html, plain_text }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
pub async fn test_user(&self) -> (String, String) {
|
||||||
|
let row = sqlx::query!("SELECT username, password FROM users LIMIT 1",)
|
||||||
|
.fetch_one(&self.db_pool)
|
||||||
|
.await
|
||||||
|
.expect("Failed to create test users.");
|
||||||
|
(row.username, row.password)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn spawn_app() -> TestApp {
|
pub async fn spawn_app() -> TestApp {
|
||||||
|
@ -106,14 +115,31 @@ pub async fn spawn_app() -> TestApp {
|
||||||
let application_port = application.port();
|
let application_port = application.port();
|
||||||
let _ = tokio::spawn(application.run_until_stopped());
|
let _ = tokio::spawn(application.run_until_stopped());
|
||||||
|
|
||||||
TestApp {
|
let test_app = TestApp {
|
||||||
address: format!("http://localhost:{}", application_port),
|
address: format!("http://localhost:{}", application_port),
|
||||||
port: application_port,
|
port: application_port,
|
||||||
db_pool: get_connection_pool(&configuration.database)
|
db_pool: get_connection_pool(&configuration.database)
|
||||||
.await
|
.await
|
||||||
.expect("Failed to connect to the database"),
|
.expect("Failed to connect to the database"),
|
||||||
email_server,
|
email_server,
|
||||||
}
|
};
|
||||||
|
|
||||||
|
add_test_user(&test_app.db_pool).await;
|
||||||
|
|
||||||
|
test_app
|
||||||
|
}
|
||||||
|
|
||||||
|
async fn add_test_user(pool: &PgPool) {
|
||||||
|
sqlx::query!(
|
||||||
|
"INSERT INTO users (user_id, username, password)
|
||||||
|
VALUES ($1, $2, $3)",
|
||||||
|
Uuid::new_v4(),
|
||||||
|
Uuid::new_v4().to_string(),
|
||||||
|
Uuid::new_v4().to_string(),
|
||||||
|
)
|
||||||
|
.execute(pool)
|
||||||
|
.await
|
||||||
|
.expect("Failed to create test users.");
|
||||||
}
|
}
|
||||||
|
|
||||||
async fn configure_database(config: &DatabaseSettings) -> PgPool {
|
async fn configure_database(config: &DatabaseSettings) -> PgPool {
|
||||||
|
|
Loading…
Reference in a new issue