Trying to get auth code working

2026-03-28 20:32:36 -07:00 · 2026-03-28 20:32:36 -07:00 · 4f54d8d612
commit 4f54d8d612
parent b694e828f5
3 changed files with 23 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -1818,7 +1818,7 @@ dependencies = [
 ]

 [[package]]
-name = "server-stats-rust"
+name = "server-dash-api"
 version = "0.1.0"
 dependencies = [
 "axum",
--- a/flake.nix
+++ b/flake.nix
@ -45,7 +45,7 @@
                    pname = "server-dash-api";
                    version = "0.1.0";
                    src = ./.;
-                    cargoHash = "sha256-ApTfxhXYXoxF0ixwUQKAxiQOLLwi92buPDLcK+VAbp4=";
+                    cargoHash = "sha256-z2sdfkRN25CAiXepQRzftoWGwbl8lI4KGuezGg4rD/A=";
                    inherit nativeBuildInputs buildInputs;
                    OPENSSL_NO_VENDOR = 1;
                    PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
@ -92,6 +92,20 @@
                        };
                        users.groups.server-dash-api = { };

+                        systemd.tmpfiles.rules = [
+                            "d /var/lib/server-dash-api 0750 server-dash-api server-dash-api -"
+                            "d /var/lib/server-dash-api/google-auth 0750 server-dash-api server-dash-api -"
+                        ];
+
+                        security.pam.services.server-dash-api = {
+                            text = ''
+                                auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so secret=/var/lib/server-dash-api/google-auth/%u user=server-dash-api no_increment_hotp
+                                auth sufficient ${pkgs.linux-pam}/lib/security/pam_unix.so likeauth nullok
+                                auth required ${pkgs.linux-pam}/lib/security/pam_unix.so
+                                account required ${pkgs.linux-pam}/lib/security/pam_unix.so
+                            '';
+                        };
+
                        security.polkit.extraConfig = ''
                            polkit.addRule(function(action, subject) {
                                if ((action.id == "org.freedesktop.systemd1.manage-units" ||
@ -118,6 +132,8 @@
                                    "RUST_LOG=info"
                                    "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
                                ];
+                                AmbientCapabilities = [ "CAP_DAC_READ_SEARCH" ];
+                                CapabilityBoundingSet = [ "CAP_DAC_READ_SEARCH" ];
                            };
                        };
                    };
--- a/src/auth.rs
+++ b/src/auth.rs
@ -108,7 +108,7 @@ pub fn decode_basic_auth(headers: &HeaderMap) -> Option<(String, String)> {
 }

 pub fn verify_system_credentials(username: &str, password: &str) -> bool {
-    let mut client = match Client::with_password("login") {
+    let mut client = match Client::with_password("server-dash-api") {
        Ok(c) => c,
        Err(_) => return false,
    };
@ -128,7 +128,7 @@ pub async fn require_auth(headers: HeaderMap, request: Request<Body>, next: Next

 // POST /auth/login
 pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
-    let (username, password) = match decode_basic_auth(&headers) {
+    let (username, password_and_totp) = match decode_basic_auth(&headers) {
        Some(c) => c,
        None => {
            return (
@ -138,9 +138,11 @@ pub async fn post_login(headers: HeaderMap) -> impl IntoResponse {
                .into_response();
        }
    };
-    if !verify_system_credentials(&username, &password) {
+
+    if !verify_system_credentials(&username, &password_and_totp) {
        return (StatusCode::UNAUTHORIZED, "Invalid credentials").into_response();
    }
+
    let token = create_token(&username);
    (StatusCode::OK, Json(serde_json::json!({ "token": token }))).into_response()
 }