diff options
author | Yigit Sever | 2021-04-14 11:55:25 +0300 |
---|---|---|
committer | Yigit Sever | 2021-04-14 19:11:49 +0300 |
commit | 3e333c952a54453bd877c556a09f2e8e0c434c87 (patch) | |
tree | 1010b5242877b663bf832b1f225a5c0fdbf7a4e1 | |
parent | edfab6ae2f97a7288ff456265050c01ff397ea8c (diff) | |
download | gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.gz gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.bz2 gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.zip |
Add auth documentation
-rw-r--r-- | src/handlers.rs | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/src/handlers.rs b/src/handlers.rs index 9d1bb10..55d3ab4 100644 --- a/src/handlers.rs +++ b/src/handlers.rs | |||
@@ -37,9 +37,37 @@ const BEARER: &str = "Bearer "; | |||
37 | /// POST request to /register endpoint | 37 | /// POST request to /register endpoint |
38 | /// | 38 | /// |
39 | /// Lets a [`User`] (=student) to authenticate themselves to the system | 39 | /// Lets a [`User`] (=student) to authenticate themselves to the system |
40 | /// This `request` can be rejected if the payload is malformed (= not authenticated properly) or if | 40 | /// This `request` can be rejected if the payload is malformed (=not authenticated properly) or if |
41 | /// the [`AuthRequest.user_id`] of the `request` is not in the list of users that can hold a Gradecoin account | 41 | /// the [`AuthRequest.user_id`] of the `request` is not in the list of users that can hold a Gradecoin account |
42 | /// The request first comes in encrypted | 42 | /// |
43 | /// # Authentication Process | ||
44 | /// - Gradecoin's Public Key (`G_PK`) is listed on moodle. | ||
45 | /// - Gradecoin's Private Key (`G_PR`) is loaded here | ||
46 | /// | ||
47 | /// - Student picks a short temporary key (`k_temp`) | ||
48 | /// - Creates a JSON object (`auth_plaintext`) with their `metu_id` and `public key` in base64 (PEM) format (`S_PK`): | ||
49 | /// { | ||
50 | /// student_id: "e12345", | ||
51 | /// public_key: "---BEGIN PUBLIC KEY..." | ||
52 | /// } | ||
53 | /// | ||
54 | /// - Encrypts the serialized string of `auth_plaintext` with AES in TODO format using the temporary key | ||
55 | /// (`k_temp`), the result is `auth_ciphertext`, (TODO base64?) | ||
56 | /// - The temporary key student has picked `k_temp` is encrypted (TODO details) with `G_PK` (TODO | ||
57 | /// base64?) = `key_ciphertext` | ||
58 | /// - The payload JSON object (`auth_request`) can be prepared now: | ||
59 | /// { | ||
60 | /// c: "auth_ciphertext" | ||
61 | /// key: "key_ciphertext" | ||
62 | /// } | ||
63 | /// | ||
64 | /// ## Gradecoin Side | ||
65 | /// | ||
66 | /// - Upon receiving, we first extract the temporary key by decrypting `key`, receiving `temp_key` | ||
67 | /// - With this key, we can decrypt c TODO with aes? | ||
68 | /// - We then verify the payload and calculate the User fingerprint | ||
69 | /// - Finally, create the new [`User`] object, insert to users HashMap `<fingerprint, User>` | ||
70 | /// | ||
43 | pub async fn authenticate_user( | 71 | pub async fn authenticate_user( |
44 | request: InitialAuthRequest, | 72 | request: InitialAuthRequest, |
45 | db: Db, | 73 | db: Db, |
@@ -47,6 +75,7 @@ pub async fn authenticate_user( | |||
47 | debug!("POST request to /register, authenticate_user"); | 75 | debug!("POST request to /register, authenticate_user"); |
48 | 76 | ||
49 | // TODO: lazyload or something <14-04-21, yigit> // | 77 | // TODO: lazyload or something <14-04-21, yigit> // |
78 | // This is our key, used to first decrypt the users temporal key | ||
50 | let der_encoded = PRIVATE_KEY | 79 | let der_encoded = PRIVATE_KEY |
51 | .lines() | 80 | .lines() |
52 | .filter(|line| !line.starts_with("-")) | 81 | .filter(|line| !line.starts_with("-")) |
@@ -54,6 +83,8 @@ pub async fn authenticate_user( | |||
54 | data.push_str(&line); | 83 | data.push_str(&line); |
55 | data | 84 | data |
56 | }); | 85 | }); |
86 | |||
87 | // Our private key is saved in PEM (base64) format | ||
57 | let der_bytes = base64::decode(&der_encoded).expect("failed to decode base64 content"); | 88 | let der_bytes = base64::decode(&der_encoded).expect("failed to decode base64 content"); |
58 | let private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key"); | 89 | let private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key"); |
59 | 90 | ||