Enable regenerating tokens and fix panic on wrong length `AuthID`

CHANGELOG.md

@@ -12,6 +12,8 @@ All changes in this project will be noted in this file.
   - `auth logout`
   - `auth adduser <username>`
   - `auth deluser <username>`
+  - `auth restore <username>`
+  - `auth restore <origin key> <username>`
 - Shell now supports multiple `--eval` expressions
 
 ## Version 0.7.3

actiondoc.yml

@@ -105,6 +105,14 @@ global:
         syntax: [AUTH DELUSER <username>]
         desc: Attempts to delete the user with the provided username
         return: [Rcode 0, Rcode 10, Rcode 11]
+      - name: RESTORE
+        complexity: O(1)
+        accept: [AnyArray]
+        syntax: [AUTH RESTORE <username>, AUTH RESTORE <origin-key> <username>]
+        desc: |
+          Attempts to restore the password for the provided user. This will regenerate the token
+          and return the newly issued token. However, if you aren't a root account, that is, you
+          lost your root password, then you'll need to run `AUTH RESTORE <origin-key> root`.
 
 keyvalue:
   generic:

server/src/auth/mod.rs

@@ -52,6 +52,7 @@ const AUTH_LOGIN: &[u8] = b"login";
 const AUTH_LOGOUT: &[u8] = b"logout";
 const AUTH_ADDUSER: &[u8] = b"adduser";
 const AUTH_DELUSER: &[u8] = b"deluser";
+const AUTH_RESTORE: &[u8] = b"restore";
 
 action! {
     /// Handle auth. Should have passed the `auth` token
@@ -84,6 +85,24 @@ action! {
                 con.write_response(groups::OKAY).await?;
                 Ok(())
             }
+            AUTH_RESTORE => {
+                let newkey = match iter.len() {
+                    1 => {
+                        // so this fella thinks they're root
+                        auth.provider().regenerate(unsafe {iter.next_unchecked()})?
+                    }
+                    2 => {
+                        // so this fella is giving us the origin key
+                        let origin = unsafe { iter.next_unchecked() };
+                        let id = unsafe { iter.next_unchecked() };
+                        auth.provider().verify_origin(origin)?;
+                        auth.provider().regenerate(id)?
+                    }
+                    _ => return util::err(groups::ACTION_ERR),
+                };
+                con.write_response(StringWrapper(newkey)).await?;
+                Ok(())
+            }
             _ => util::err(groups::UNKNOWN_ACTION),
         }
     }

server/src/auth/provider.rs

@@ -122,19 +122,15 @@ impl AuthProvider {
         matches!(self.origin, Some(_))
     }
     pub fn claim_root(&mut self, origin_key: &[u8]) -> AuthResult<String> {
-        let origin = self.get_origin()?;
-        if origin == origin_key {
-            // the origin key was good, let's try claiming root
-            let (key, store) = keys::generate_full();
-            if self.authmap.true_if_insert(USER_ROOT, store) {
-                // claimed, sweet, log them in
-                self.whoami = Some(USER_ROOT);
-                Ok(key)
-            } else {
-                Err(AuthError::AlreadyClaimed)
-            }
+        self.verify_origin(origin_key)?;
+        // the origin key was good, let's try claiming root
+        let (key, store) = keys::generate_full();
+        if self.authmap.true_if_insert(USER_ROOT, store) {
+            // claimed, sweet, log them in
+            self.whoami = Some(USER_ROOT);
+            Ok(key)
         } else {
-            Err(AuthError::BadCredentials)
+            Err(AuthError::AlreadyClaimed)
         }
     }
     fn are_you_root(&self) -> AuthResult<bool> {
@@ -168,7 +164,7 @@ impl AuthProvider {
         {
             Some(true) => {
                 // great, authenticated
-                self.whoami = Some(Array::try_from_slice(account).unwrap());
+                self.whoami = Some(Self::try_auth_id(account)?);
                 Ok(())
             }
             Some(false) | None => {
@@ -177,6 +173,24 @@ impl AuthProvider {
             }
         }
     }
+    /// Regenerate the token for the given user. This returns a new token
+    pub fn regenerate(&self, account: &[u8]) -> AuthResult<String> {
+        self.ensure_root()?;
+        let id = Self::try_auth_id(account)?;
+        let (key, store) = keys::generate_full();
+        if self.authmap.true_if_update(id, store) {
+            Ok(key)
+        } else {
+            Err(AuthError::BadCredentials)
+        }
+    }
+    fn try_auth_id(authid: &[u8]) -> AuthResult<AuthID> {
+        if authid.len() == AUTHID_SIZE {
+            Ok(AuthID::try_from_slice(authid).unwrap())
+        } else {
+            Err(AuthError::Other(errors::AUTH_ERROR_TOO_LONG))
+        }
+    }
     pub fn logout(&mut self) -> AuthResult<()> {
         self.ensure_enabled()?;
         self.whoami.take().map(|_| ()).ok_or(AuthError::Anonymous)
@@ -184,6 +198,13 @@ impl AuthProvider {
     fn ensure_enabled(&self) -> AuthResult<()> {
         self.origin.as_ref().map(|_| ()).ok_or(AuthError::Disabled)
     }
+    pub fn verify_origin(&self, origin: &[u8]) -> AuthResult<()> {
+        if self.get_origin()?.eq(origin) {
+            Ok(())
+        } else {
+            Err(AuthError::BadCredentials)
+        }
+    }
     fn get_origin(&self) -> AuthResult<&Authkey> {
         match self.origin.as_ref() {
             Some(key) => Ok(key),

server/src/dbnet/connection.rs

@@ -97,6 +97,9 @@ where
     pub fn provider_mut(&mut self) -> &mut AuthProvider {
         &mut self.provider
     }
+    pub fn provider(&self) -> &AuthProvider {
+        &self.provider
+    }
     pub fn swap_executor_to_anonymous(&mut self) {
         *self.executor = ConnectionHandler::execute_unauth;
     }