tuxcord/authy-oidc
8
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: lay the ground for login

Browse Source
This commit is contained in:
javalsai
2026-03-26 21:56:23 +01:00
parent afc5e94adf
commit 4785ab529c
10 changed files with 801 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
src/main.rs
View File

@@ -2,6 +2,7 @@
#![feature(
decl_macro,
duration_constructors,
iterator_try_collect,
never_type,
once_cell_try,
seek_stream_len
@@ -26,6 +27,34 @@
//!
//! I will try to keep those 3 modules as documented as possible, please feel free to open any
//! issues/PRs regarding information in there.
//!
//! # Public Information
//!
//! To make sure this application doesn't expose any public imformation it's important to define
//! what public information we are willing to expose. The application deals with user information
//! so it must leak at least some information, to make sure we don't overreach, we must have clear
//! where we draw the line.
//!
//! By default all information is private, but this application might leak by default:
//!
//! - **User system information:** Unix's UID of a given username.
//! - **User profile pictures:** See [`consts::USER_PFP_PATHS`].
//! - **User's `autorized_ssh_keys`:** See [`consts::AUTHORIZED_KEYS_PATH`].
//!
//! Note that no file information within user's home can be accessed until the user adds `o+x`
//! permissions on their home directory. Once this is done, only state of files regarding the
//! previous can be publicly accessible, there's no arbirtary path reading.
//!
//! Any user information is checked ASAP against the allowed groups (see [`conf::Unix::groups`]) to
//! fail fast without exposing any personal information for users alien to these groups. That means
//! that any reference to the "user", will assume its already from an allowed group, if its not a
//! group member, it will be treated as nonexistent.
//!
//! Information about existance of a user alien to the configured groups might vulnerable to timing
//! attacks though.
//!
//! TODO: This was clearly defined after some API was already written so these assumptions will
//! need to be reviewed for the old code (notably pfp logic).
use std::fs::File;
@@ -37,6 +66,7 @@ pub mod args;
pub mod auth;
pub mod conf;
pub mod consts;
pub mod db;
pub mod ext;
pub mod serdes;
pub mod server;
@@ -61,7 +91,7 @@ async fn main() -> anyhow::Result<()> {
// (idek japanese but im vibing)
println!("\n\x1b[1;3;4;33mConfiguration\x1b[0m: {conf:#?}\n");
server::start_app(args, conf).await?;
server::start_app(args, conf, db::DB::new()).await?;
Ok(())
}