improve authorization flow, http basic auth, and error handling

Author: lovasoa

examples/official-site/functions.sql

@@ -1,3 +1,7 @@
+SELECT 'authentication' AS component,
+    sqlpage.basic_auth_password() AS password,
+    '$argon2id$v=19$m=16,t=2,p=1$TERTd0lIcUpraWFTcmRQYw$+bjtag7Xjb6p1dsuYOkngw' AS password_hash;
+
 select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
 
 select 'text' as component, 'SQLPage built-in functions' as title;

src/render.rs

@@ -143,8 +143,6 @@ impl<W: std::io::Write> HeaderContext<W> {
     fn authentication(mut self, data: &JsonValue) -> anyhow::Result<PageContext<W>> {
         use argon2::Argon2;
         use password_hash::PasswordHash;
-        let link = get_object_str(data, "link")
-            .with_context(|| "The authentication component requires a 'link' property")?;
         let password_hash = get_object_str(data, "password_hash");
         let password = get_object_str(data, "password");
         if let (Some(password), Some(password_hash)) = (password, password_hash) {
@@ -159,9 +157,16 @@ impl<W: std::io::Write> HeaderContext<W> {
             }
         }
         // The authentication failed
-        self.response.status(StatusCode::FOUND);
-        self.response.insert_header((header::LOCATION, link));
-        self.has_status = true;
+        if let Some(link) = get_object_str(data, "link") {
+            self.response.status(StatusCode::FOUND);
+            self.response.insert_header((header::LOCATION, link));
+            self.has_status = true;
+        } else {
+            self.response.status(StatusCode::UNAUTHORIZED);
+            self.response
+                .insert_header((header::WWW_AUTHENTICATE, "Basic realm=\"Auth required\""));
+            self.has_status = true;
+        }
         Ok(PageContext::Close(self))
     }
 

src/webserver/database/mod.rs

@@ -120,7 +120,8 @@ pub async fn stream_query_results_direct<'a>(
         for res in &sql_file.statements {
             match res {
                 Ok(stmt)=>{
-                    let query = bind_parameters(stmt, request)?;
+                    let query = bind_parameters(stmt, request)
+                        .with_context(|| format!("Unable to bind parameters to the SQL statement: {stmt}"))?;
                     let mut stream = query.fetch_many(&db.connection);
                     while let Some(elem) = stream.next().await {
                         yield elem.with_context(|| format!("Error while running SQL: {stmt}"))
@@ -147,7 +148,8 @@ fn bind_parameters<'a>(
 ) -> anyhow::Result<Query<'a, sqlx::Any, AnyArguments<'a>>> {
     let mut arguments = AnyArguments::default();
     for param in &stmt.parameters {
-        let argument = extract_req_param(param, request)?;
+        let argument = extract_req_param(param, request)
+            .with_context(|| format!("Unable to extract {param:?} from the HTTP request"))?;
         log::debug!("Binding value {:?} in statement {}", &argument, stmt);
         match argument {
             None => arguments.add(None::<String>),
@@ -189,17 +191,21 @@ pub struct ErrorWithStatus {
 }
 impl std::fmt::Display for ErrorWithStatus {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        write!(f, "HTTP error with status {}", self.status)
+        write!(f, "{}", self.status)
     }
 }
 impl std::error::Error for ErrorWithStatus {}
 
 fn extract_basic_auth(request: &RequestInfo) -> anyhow::Result<&Basic> {
-    request.basic_auth.as_ref().ok_or_else(|| {
-        anyhow::Error::new(ErrorWithStatus {
-            status: StatusCode::UNAUTHORIZED,
+    request
+        .basic_auth
+        .as_ref()
+        .ok_or_else(|| {
+            anyhow::Error::new(ErrorWithStatus {
+                status: StatusCode::UNAUTHORIZED,
+            })
         })
-    })
+        .with_context(|| "Expected the user to be authenticated with HTTP basic auth")
 }
 
 fn extract_basic_auth_username(request: &RequestInfo) -> anyhow::Result<&str> {

src/webserver/http.rs

@@ -1,16 +1,17 @@
 use crate::render::{HeaderContext, PageContext, RenderContext};
-use crate::webserver::database::{stream_query_results, DbItem};
+use crate::webserver::database::{stream_query_results, DbItem, ErrorWithStatus};
 use crate::{AppState, Config, ParsedSqlFile};
 use actix_web::dev::{fn_service, ServiceFactory, ServiceRequest};
 use actix_web::error::ErrorInternalServerError;
 use actix_web::http::header::{ContentType, Header, HttpDate, IfModifiedSince, LastModified};
+use actix_web::http::{header, StatusCode};
 use actix_web::web::Form;
 use actix_web::{
     dev::ServiceResponse, middleware, middleware::Logger, web, web::Bytes, App, FromRequest,
     HttpResponse, HttpServer,
 };
 
-use actix_web::body::MessageBody;
+use actix_web::body::{BoxBody, MessageBody};
 use actix_web_httpauth::headers::authorization::{Authorization, Basic};
 use anyhow::Context;
 use chrono::{DateTime, Utc};
@@ -145,56 +146,40 @@ async fn stream_response(
 async fn build_response_header_and_stream<S: Stream<Item = DbItem>>(
     app_state: Arc<AppState>,
     database_entries: S,
-) -> actix_web::Result<ResponseWithWriter<S>> {
+) -> anyhow::Result<ResponseWithWriter<S>> {
     let (sender, receiver) = mpsc::channel(MAX_PENDING_MESSAGES);
     let writer = ResponseWriter::new(sender);
     let mut head_context = HeaderContext::new(app_state, writer);
     let mut stream = Box::pin(database_entries);
     while let Some(item) = stream.next().await {
         match item {
-            DbItem::Row(data) => {
-                match head_context.handle_row(data).await.map_err(|e| {
-                    log::error!("Error while handling header context data: {e}");
-                    ErrorInternalServerError(e)
-                })? {
-                    PageContext::Header(h) => {
-                        head_context = h;
-                    }
-                    PageContext::Body {
-                        mut http_response,
+            DbItem::Row(data) => match head_context.handle_row(data).await? {
+                PageContext::Header(h) => {
+                    head_context = h;
+                }
+                PageContext::Body {
+                    mut http_response,
+                    renderer,
+                } => {
+                    let body_stream = tokio_stream::wrappers::ReceiverStream::new(receiver);
+                    let http_response = http_response.streaming(body_stream);
+                    return Ok(ResponseWithWriter {
+                        http_response,
                         renderer,
-                    } => {
-                        let body_stream = tokio_stream::wrappers::ReceiverStream::new(receiver);
-                        let http_response = http_response.streaming(body_stream);
-                        return Ok(ResponseWithWriter {
-                            http_response,
-                            renderer,
-                            database_entries_stream: stream,
-                        });
-                    }
-                    PageContext::Close(h) => {
-                        head_context = h;
-                        break;
-                    }
+                        database_entries_stream: stream,
+                    });
                 }
-            }
-            DbItem::FinishedQuery => {
-                log::debug!("finished query");
-            }
-            DbItem::Error(source_err) => {
-                let err = anyhow::format_err!(
-                    "An error occurred at the top of your SQL file: {source_err:#}"
-                );
-                log::error!("Response building error: {err}");
-                return Err(ErrorInternalServerError(err));
-            }
+                PageContext::Close(h) => {
+                    head_context = h;
+                    break;
+                }
+            },
+            DbItem::FinishedQuery => log::debug!("finished query"),
+            DbItem::Error(source_err) => return Err(source_err),
         }
     }
     log::debug!("No SQL statements left to execute for the body of the response");
-    let (renderer, http_response) = head_context.close().await.map_err(|e| {
-        log::error!("Error while closing header context: {e}");
-        ErrorInternalServerError(e)
-    })?;
+    let (renderer, http_response) = head_context.close().await?;
     Ok(ResponseWithWriter {
         http_response,
         renderer,
@@ -237,18 +222,42 @@ async fn render_sql(
                     .unwrap_or_else(|e| log::error!("could not send headers {e:?}"));
                 stream_response(database_entries_stream, renderer).await;
             }
-            Err(e) => {
-                log::error!("An error occured while building response headers: {e}");
-                let http_response = ErrorInternalServerError(e).into();
-                resp_send
-                    .send(http_response)
-                    .unwrap_or_else(|_| log::error!("could not send headers"));
+            Err(err) => {
+                send_anyhow_error(&err, resp_send);
             }
         }
     });
     resp_recv.await.map_err(ErrorInternalServerError)
 }
 
+fn send_anyhow_error(e: &anyhow::Error, resp_send: tokio::sync::oneshot::Sender<HttpResponse>) {
+    log::error!("An error occurred before starting to send the response body: {e:#}");
+    let mut resp = HttpResponse::new(StatusCode::INTERNAL_SERVER_ERROR).set_body(BoxBody::new(
+        format!("Sorry, but we were not able to process your request. \n\nError:\n\n {e:?}"),
+    ));
+    resp.headers_mut().insert(
+        header::CONTENT_TYPE,
+        header::HeaderValue::from_static("text/plain"),
+    );
+    if let Some(&ErrorWithStatus { status }) = e.downcast_ref() {
+        *resp.status_mut() = status;
+        if status == StatusCode::UNAUTHORIZED {
+            resp.headers_mut().insert(
+                header::WWW_AUTHENTICATE,
+                header::HeaderValue::from_static(
+                    "Basic realm=\"Authentication required\", charset=\"UTF-8\"",
+                ),
+            );
+            resp = resp.set_body(BoxBody::new(
+                "Sorry, but you are not authorized to access this page.",
+            ));
+        }
+    };
+    resp_send
+        .send(resp)
+        .unwrap_or_else(|_| log::error!("could not send headers"));
+}
+
 type ParamMap = HashMap<String, SingleOrVec>;
 
 #[derive(Debug)]