new builtin function sqlpage.random_string

Author: lovasoa

Cargo.lock

@@ -43,6 +43,7 @@ markdown = { version = "1.0.0-alpha.9", features = ["log"] }
 password-hash = "0.5.0"
 argon2 = "0.5.0"
 actix-web-httpauth = "0.8.0"
+rand = "0.8.5"
 
 [build-dependencies]
 ureq = "2.6.2"

Cargo.toml

@@ -144,4 +144,39 @@ VALUES (
         'password',
         'The password to hash.',
         'TEXT'
-    );
+    );
+
+INSERT INTO sqlpage_functions ("name", "introduced_in_version", "icon", "description_md")
+VALUES (
+    'random_string',
+    '0.7.2',
+    'arrows-shuffle',
+    'Returns a cryptographically secure random string of the given length.
+
+### Example
+
+Generate a random string of 32 characters and use it as a session ID stored in a cookie:
+
+```sql
+INSERT INTO login_session (id, username) VALUES (sqlpage.random_string(32), :username)
+RETURNING 
+    ''cookie'' AS component,
+    ''session_id'' AS name,
+    sqlpage.random_string(32) AS value;
+```
+'
+);
+INSERT INTO sqlpage_function_parameters (
+    "function",
+    "index",
+    "name",
+    "description_md",
+    "type"
+)
+VALUES (
+    'random_string',
+    1,
+    'length',
+    'The length of the string to generate.',
+    'INTEGER'
+);

examples/official-site/sqlpage/migrations/08_functions.sql

@@ -3,26 +3,8 @@ CREATE TABLE user_info (
     password_hash TEXT NOT NULL
 );
 
--- Activate the pgcrypto extension to be able to hash passwords, and generate session IDs.
-CREATE EXTENSION IF NOT EXISTS pgcrypto;
-
 CREATE TABLE login_session (
     id TEXT PRIMARY KEY DEFAULT encode(gen_random_bytes(128), 'hex'),
     username TEXT NOT NULL REFERENCES user_info(username),
     created_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP
-);
-
-
--- Returns true if the session is valid, false otherwise
-CREATE FUNCTION is_valid_session(user_session text) RETURNS boolean AS $$
-BEGIN
-    RETURN EXISTS(SELECT 1 FROM login_session WHERE id=user_session);
-END;
-$$ LANGUAGE plpgsql;
-
--- Takes a session id, does nothing if it is valid, throws an error otherwise.
-CREATE FUNCTION raise_error(error_message_text text) RETURNS void AS $$
-BEGIN
-    RAISE EXCEPTION '%', error_message_text;
-END;
-$$ LANGUAGE plpgsql;
+);

examples/user-authentication/sqlpage/migrations/0000_init.sql

@@ -181,16 +181,21 @@ fn extract_req_param<'a>(
         StmtParam::BasicAuthUsername => extract_basic_auth_username(request)
             .map(Cow::Borrowed)
             .map(Some)?,
-        StmtParam::HashPassword(inner) => {
-            if let Some(password) = extract_req_param(inner, request)? {
-                Some(Cow::Owned(hash_password(&password)?))
-            } else {
-                None
-            }
-        }
+        StmtParam::HashPassword(inner) => extract_req_param(inner, request)?
+            .map_or(Ok(None), |x| hash_password(&x).map(Cow::Owned).map(Some))?,
+        StmtParam::RandomString(len) => Some(Cow::Owned(random_string(*len))),
     })
 }
 
+fn random_string(len: usize) -> String {
+    use rand::{distributions::Alphanumeric, Rng};
+    password_hash::rand_core::OsRng
+        .sample_iter(&Alphanumeric)
+        .take(len)
+        .map(char::from)
+        .collect()
+}
+
 fn hash_password(password: &str) -> anyhow::Result<String> {
     let phf = argon2::Argon2::default();
     let salt = password_hash::SaltString::generate(&mut password_hash::rand_core::OsRng);
@@ -375,6 +380,7 @@ enum StmtParam {
     BasicAuthPassword,
     BasicAuthUsername,
     HashPassword(Box<StmtParam>),
+    RandomString(usize),
 }
 
 #[actix_web::test]

src/webserver/database/mod.rs

@@ -166,6 +166,8 @@ fn func_call_to_param(func_name: &str, arguments: &mut [FunctionArg]) -> StmtPar
         "hash_password" => extract_variable_argument("hash_password", arguments)
             .map(Box::new)
             .map_or_else(StmtParam::Error, StmtParam::HashPassword),
+        "random_string" => extract_integer("random_string", arguments)
+            .map_or_else(StmtParam::Error, StmtParam::RandomString),
         unknown_name => {
             StmtParam::Error(format!("Unknown function {unknown_name}({arguments:#?})"))
         }
@@ -181,16 +183,42 @@ fn extract_single_quoted_string(
             Ok(std::mem::take(param_value))
         }
         _ => Err(format!(
-            "{func_name}({args}) is not a valid call. Expected a literal single quoted string.",
-            args = arguments
-                .iter()
-                .map(ToString::to_string)
-                .collect::<Vec<_>>()
-                .join(", ")
+            "{func_name}({}) is not a valid call. Expected a literal single quoted string.",
+            FormatArguments(arguments)
         )),
     }
 }
 
+fn extract_integer(
+    func_name: &'static str,
+    arguments: &mut [FunctionArg],
+) -> Result<usize, String> {
+    match arguments.first_mut().and_then(function_arg_expr) {
+        Some(Expr::Value(Value::Number(param_value, _b))) => param_value
+            .parse::<usize>()
+            .map_err(|e| format!("{func_name}({param_value}) failed: {e}")),
+        _ => Err(format!(
+            "{func_name}({}) is not a valid call. Expected a literal integer",
+            FormatArguments(arguments)
+        )),
+    }
+}
+
+/** This is a helper struct to format a list of arguments for an error message. */
+struct FormatArguments<'a>(&'a [FunctionArg]);
+impl std::fmt::Display for FormatArguments<'_> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let mut args = self.0.iter();
+        if let Some(arg) = args.next() {
+            write!(f, "{arg}")?;
+        }
+        for arg in args {
+            write!(f, ", {arg}")?;
+        }
+        Ok(())
+    }
+}
+
 fn extract_variable_argument(
     func_name: &'static str,
     arguments: &mut [FunctionArg],
@@ -208,12 +236,8 @@ fn extract_variable_argument(
             args.as_mut_slice(),
         )),
         _ => Err(format!(
-            "{func_name}({args}) is not a valid call. Expected either a placeholder or a sqlpage function call as argument.",
-            args = arguments
-                .iter()
-                .map(ToString::to_string)
-                .collect::<Vec<_>>()
-                .join(", ")
+            "{func_name}({}) is not a valid call. Expected either a placeholder or a sqlpage function call as argument.",
+            FormatArguments(arguments)
         )),
     }
 }