diff --git a/services/identity/src/http/handlers.rs b/services/identity/src/http/handlers.rs new file mode 100644 --- /dev/null +++ b/services/identity/src/http/handlers.rs @@ -0,0 +1,50 @@ +use super::{ + errors::{create_error_response, http400}, + ErrorResponse, HttpRequest, +}; +use comm_lib::auth::UserIdentity; +use hyper::header::AUTHORIZATION; +use hyper::StatusCode; +use tracing::error; + +#[tracing::instrument(skip_all)] +async fn verify_csat( + req: &HttpRequest, + db_client: &crate::DatabaseClient, +) -> Result<(), ErrorResponse> { + let Some(auth_header) = req.headers().get(AUTHORIZATION) else { + return Err(create_error_response( + StatusCode::UNAUTHORIZED, + "missing Authorization header", + )); + }; + + let bearer_token = auth_header + .to_str() + .map_err(|_| http400("malfolmed Authorization header"))? + .strip_prefix("Bearer ") + .ok_or_else(|| http400("malfolmed Authorization header"))?; + + let UserIdentity { + user_id, + device_id, + access_token, + } = bearer_token + .parse() + .map_err(|_| http400("malfolmed Authorization header"))?; + + let result = db_client + .verify_access_token(user_id, device_id, access_token) + .await; + match result { + Ok(true) => Ok(()), + Ok(false) => Err(create_error_response( + StatusCode::FORBIDDEN, + "invalid credentials", + )), + Err(err) => { + error!("CSAT verification error: {err:?}"); + Err(err.into()) + } + } +} diff --git a/services/identity/src/http/mod.rs b/services/identity/src/http/mod.rs --- a/services/identity/src/http/mod.rs +++ b/services/identity/src/http/mod.rs @@ -1,6 +1,7 @@ use hyper::{Body, Request, Response}; mod errors; +mod handlers; type HttpRequest = Request; type HttpResponse = Response;