Add auth documentation

author: Yigit Sever 2021-04-14 11:55:25 +0300
committer: Yigit Sever 2021-04-14 19:11:49 +0300
commit: 3e333c952a54453bd877c556a09f2e8e0c434c87 (patch)
tree: 1010b5242877b663bf832b1f225a5c0fdbf7a4e1 /src/handlers.rs
parent: edfab6ae2f97a7288ff456265050c01ff397ea8c (diff)
download: gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.gz
gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.bz2
gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.zip
1 files changed, 33 insertions, 2 deletions
diff --git a/src/handlers.rs b/src/handlers.rs
index 9d1bb10..55d3ab4 100644
--- a/src/handlers.rs
+++ b/src/handlers.rs
@@ -37,9 +37,37 @@ const BEARER: &str = "Bearer ";
 /// POST request to /register endpoint
 ///
 /// Lets a [`User`] (=student) to authenticate themselves to the system
-/// This `request` can be rejected if the payload is malformed (= not authenticated properly) or if
+/// This `request` can be rejected if the payload is malformed (=not authenticated properly) or if
 /// the [`AuthRequest.user_id`] of the `request` is not in the list of users that can hold a Gradecoin account
-/// The request first comes in encrypted
+///
+/// # Authentication Process
+/// - Gradecoin's Public Key (`G_PK`) is listed on moodle.
+/// - Gradecoin's Private Key (`G_PR`) is loaded here
+///
+/// - Student picks a short temporary key (`k_temp`)
+/// - Creates a JSON object (`auth_plaintext`) with their `metu_id` and `public key` in base64 (PEM) format (`S_PK`):
+/// {
+///     student_id: "e12345",
+///     public_key: "---BEGIN PUBLIC KEY..."
+/// }
+///
+/// - Encrypts the serialized string of `auth_plaintext` with AES in TODO format using the temporary key
+/// (`k_temp`), the result is `auth_ciphertext`, (TODO base64?)
+/// - The temporary key student has picked `k_temp` is encrypted (TODO details) with `G_PK` (TODO
+/// base64?) = `key_ciphertext`
+/// - The payload JSON object (`auth_request`) can be prepared now:
+/// {
+///     c: "auth_ciphertext"
+///     key: "key_ciphertext"
+/// }
+///
+/// ## Gradecoin Side
+///
+/// - Upon receiving, we first extract the temporary key by decrypting `key`, receiving `temp_key`
+/// - With this key, we can decrypt c TODO with aes?
+/// - We then verify the payload and calculate the User fingerprint
+/// - Finally, create the new [`User`] object, insert to users HashMap `<fingerprint, User>`
+///
 pub async fn authenticate_user(
    request: InitialAuthRequest,
    db: Db,
@@ -47,6 +75,7 @@ pub async fn authenticate_user(
    debug!("POST request to /register, authenticate_user");
    // TODO: lazyload or something <14-04-21, yigit> //
+    // This is our key, used to first decrypt the users temporal key
    let der_encoded = PRIVATE_KEY
        .lines()
        .filter(|line| !line.starts_with("-"))
@@ -54,6 +83,8 @@ pub async fn authenticate_user(
            data.push_str(&line);
            data
        });
+    // Our private key is saved in PEM (base64) format
    let der_bytes = base64::decode(&der_encoded).expect("failed to decode base64 content");
    let private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key");
author	Yigit Sever	2021-04-14 11:55:25 +0300
committer	Yigit Sever	2021-04-14 19:11:49 +0300
commit	3e333c952a54453bd877c556a09f2e8e0c434c87 (patch)
tree	1010b5242877b663bf832b1f225a5c0fdbf7a4e1 /src/handlers.rs
parent	edfab6ae2f97a7288ff456265050c01ff397ea8c (diff)
download	gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.gz gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.tar.bz2 gradecoin-3e333c952a54453bd877c556a09f2e8e0c434c87.zip

diff --git a/src/handlers.rs b/src/handlers.rs index 9d1bb10..55d3ab4 100644 --- a/src/handlers.rs +++ b/src/handlers.rs
@@ -37,9 +37,37 @@ const BEARER: &str = "Bearer ";
37	/// POST request to /register endpoint	37	/// POST request to /register endpoint
38	///	38	///
39	/// Lets a [`User`] (=student) to authenticate themselves to the system	39	/// Lets a [`User`] (=student) to authenticate themselves to the system
40	/// This `request` can be rejected if the payload is malformed (= not authenticated properly) or if	40	/// This `request` can be rejected if the payload is malformed (=not authenticated properly) or if
41	/// the [`AuthRequest.user_id`] of the `request` is not in the list of users that can hold a Gradecoin account	41	/// the [`AuthRequest.user_id`] of the `request` is not in the list of users that can hold a Gradecoin account
42	/// The request first comes in encrypted	42	///
		43	/// # Authentication Process
		44	/// - Gradecoin's Public Key (`G_PK`) is listed on moodle.
		45	/// - Gradecoin's Private Key (`G_PR`) is loaded here
		46	///
		47	/// - Student picks a short temporary key (`k_temp`)
		48	/// - Creates a JSON object (`auth_plaintext`) with their `metu_id` and `public key` in base64 (PEM) format (`S_PK`):
		49	/// {
		50	/// student_id: "e12345",
		51	/// public_key: "---BEGIN PUBLIC KEY..."
		52	/// }
		53	///
		54	/// - Encrypts the serialized string of `auth_plaintext` with AES in TODO format using the temporary key
		55	/// (`k_temp`), the result is `auth_ciphertext`, (TODO base64?)
		56	/// - The temporary key student has picked `k_temp` is encrypted (TODO details) with `G_PK` (TODO
		57	/// base64?) = `key_ciphertext`
		58	/// - The payload JSON object (`auth_request`) can be prepared now:
		59	/// {
		60	/// c: "auth_ciphertext"
		61	/// key: "key_ciphertext"
		62	/// }
		63	///
		64	/// ## Gradecoin Side
		65	///
		66	/// - Upon receiving, we first extract the temporary key by decrypting `key`, receiving `temp_key`
		67	/// - With this key, we can decrypt c TODO with aes?
		68	/// - We then verify the payload and calculate the User fingerprint
		69	/// - Finally, create the new [`User`] object, insert to users HashMap `<fingerprint, User>`
		70	///
43	pub async fn authenticate_user(	71	pub async fn authenticate_user(
44	request: InitialAuthRequest,	72	request: InitialAuthRequest,
45	db: Db,	73	db: Db,
@@ -47,6 +75,7 @@ pub async fn authenticate_user(
47	debug!("POST request to /register, authenticate_user");	75	debug!("POST request to /register, authenticate_user");
48		76
49	// TODO: lazyload or something <14-04-21, yigit> //	77	// TODO: lazyload or something <14-04-21, yigit> //
		78	// This is our key, used to first decrypt the users temporal key
50	let der_encoded = PRIVATE_KEY	79	let der_encoded = PRIVATE_KEY
51	.lines()	80	.lines()
52	.filter(\|line\| !line.starts_with("-"))	81	.filter(\|line\| !line.starts_with("-"))
@@ -54,6 +83,8 @@ pub async fn authenticate_user(
54	data.push_str(&line);	83	data.push_str(&line);
55	data	84	data
56	});	85	});
		86
		87	// Our private key is saved in PEM (base64) format
57	let der_bytes = base64::decode(&der_encoded).expect("failed to decode base64 content");	88	let der_bytes = base64::decode(&der_encoded).expect("failed to decode base64 content");
58	let private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key");	89	let private_key = RSAPrivateKey::from_pkcs1(&der_bytes).expect("failed to parse key");
59		90