jackmechem/server-dash-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Trying to get auth code working

Browse source
This commit is contained in:
Jack Mechem 2026-03-28 20:32:36 -07:00
parent b694e828f5
commit 4f54d8d612
3 changed files with 23 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Cargo.lock generated
View file

@ -1818,7 +1818,7 @@ dependencies = [
] ]
[[package]] [[package]]
name = "server-stats-rust" name = "server-dash-api"
version = "0.1.0" version = "0.1.0"
dependencies = [ dependencies = [
"axum", "axum",

18
flake.nix
View file

@ -45,7 +45,7 @@
pname = "server-dash-api"; pname = "server-dash-api";
version = "0.1.0"; version = "0.1.0";
src = ./.; src = ./.;
cargoHash = "sha256-ApTfxhXYXoxF0ixwUQKAxiQOLLwi92buPDLcK+VAbp4="; cargoHash = "sha256-z2sdfkRN25CAiXepQRzftoWGwbl8lI4KGuezGg4rD/A=";
inherit nativeBuildInputs buildInputs; inherit nativeBuildInputs buildInputs;
OPENSSL_NO_VENDOR = 1; OPENSSL_NO_VENDOR = 1;
PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig"; PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
@ -92,6 +92,20 @@
}; };
users.groups.server-dash-api = { }; users.groups.server-dash-api = { };
systemd.tmpfiles.rules = [
"d /var/lib/server-dash-api 0750 server-dash-api server-dash-api -"
"d /var/lib/server-dash-api/google-auth 0750 server-dash-api server-dash-api -"
];
security.pam.services.server-dash-api = {
text = ''
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so secret=/var/lib/server-dash-api/google-auth/%u user=server-dash-api no_increment_hotp
auth sufficient ${pkgs.linux-pam}/lib/security/pam_unix.so likeauth nullok
auth required ${pkgs.linux-pam}/lib/security/pam_unix.so
account required ${pkgs.linux-pam}/lib/security/pam_unix.so
'';
};
security.polkit.extraConfig = '' security.polkit.extraConfig = ''
polkit.addRule(function(action, subject) { polkit.addRule(function(action, subject) {
if ((action.id == "org.freedesktop.systemd1.manage-units" || if ((action.id == "org.freedesktop.systemd1.manage-units" ||
@ -118,6 +132,8 @@
"RUST_LOG=info" "RUST_LOG=info"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
]; ];
AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
}; };
}; };
}; };

8
src/auth.rs
View file

@ -108,7 +108,7 @@ pub fn decode_basic_auth(headers: &HeaderMap) -> Option<(String, String)> {
} }
pub fn verify_system_credentials(username: &str, password: &str) -> bool { pub fn verify_system_credentials(username: &str, password: &str) -> bool {
let mut client = match Client::with_password("login") { let mut client = match Client::with_password("server-dash-api") {
Ok(c) => c, Ok(c) => c,
Err(_) => return false, Err(_) => return false,
}; };
@ -128,7 +128,7 @@ pub async fn require_auth(headers: HeaderMap, request: Request<Body>, next: Next
// POST /auth/login // POST /auth/login
pub async fn post_login(headers: HeaderMap) -> impl IntoResponse { pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
let (username, password) = match decode_basic_auth(&headers) { let (username, password_and_totp) = match decode_basic_auth(&headers) {
Some(c) => c, Some(c) => c,
None => { None => {
return ( return (
@ -138,9 +138,11 @@ pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
.into_response(); .into_response();
} }
}; };
if !verify_system_credentials(&username, &password) {
if !verify_system_credentials(&username, &password_and_totp) {
return (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response(); return (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response();
} }
let token = create_token(&username); let token = create_token(&username);
(StatusCode::OK, Json(serde_json::json!({ "token": token }))).into_response() (StatusCode::OK, Json(serde_json::json!({ "token": token }))).into_response()
} }