pointercrate-user: Add backend support for oauth registrations

It works pretty much the same as the login/link flow, except the payload
now also contains a username to register under. Put it into a different
endpoint though, to avoid having to think about weird interactions of
"what happens when registering and already being logged in?".

Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>

Author: stadust

pointercrate-core/src/error.rs

@@ -289,7 +289,7 @@ impl From<sqlx::Error> for CoreError {
         */
         if let sqlx::Error::Database(ref err) = error {
             if err.kind() == sqlx::error::ErrorKind::UniqueViolation {
-                return CoreError::Conflict
+                return CoreError::Conflict;
             }
         }
 

pointercrate-user-api/src/lib.rs

@@ -26,7 +26,7 @@ pub fn setup(mut rocket: Rocket<Build>) -> Rocket<Build> {
     #[cfg(feature = "legacy_accounts")]
     page_routes.extend(rocket::routes![pages::register]);
     #[cfg(feature = "oauth2")]
-    auth_routes.extend(rocket::routes![pages::google_oauth_login]);
+    auth_routes.extend(rocket::routes![pages::google_oauth_login, pages::google_oauth_register]);
 
     #[cfg(feature = "oauth2")]
     {

pointercrate-user-api/src/pages.rs

@@ -16,17 +16,16 @@ use rocket::{
 use std::net::IpAddr;
 
 #[cfg(any(feature = "legacy_accounts", feature = "oauth2"))]
-use {pointercrate_core::pool::PointercratePool, rocket::serde::json::Json};
+use {pointercrate_core::pool::PointercratePool, pointercrate_user::User, rocket::serde::json::Json};
 
 #[cfg(feature = "legacy_accounts")]
-use pointercrate_user::{
-    auth::legacy::{LegacyAuthenticatedUser, Registration},
-    User,
-};
+use pointercrate_user::auth::legacy::{LegacyAuthenticatedUser, Registration};
 
 #[cfg(feature = "oauth2")]
 use {
-    crate::oauth::GoogleCertificateStore, pointercrate_core::error::CoreError, pointercrate_user::auth::oauth::UnvalidatedOauthCredential,
+    crate::oauth::GoogleCertificateStore,
+    pointercrate_core::error::CoreError,
+    pointercrate_user::auth::oauth::{OauthRegistration, UnvalidatedOauthCredential},
 };
 
 fn build_cookies(user: &AuthenticatedUser<PasswordOrBrowser>, cookies: &CookieJar<'_>) -> pointercrate_user::error::Result<()> {
@@ -145,3 +144,28 @@ pub async fn google_oauth_login(
 
     Ok(Status::NoContent)
 }
+
+#[cfg(feature = "oauth2")]
+#[rocket::post("/oauth/google/register", data = "<payload>")]
+pub async fn google_oauth_register(
+    payload: Json<OauthRegistration>, key_store: &State<GoogleCertificateStore>, ip: IpAddr, pool: &State<PointercratePool>,
+    cookies: &rocket::http::CookieJar<'_>, ratelimits: &State<UserRatelimits>,
+) -> pointercrate_core_api::error::Result<Status> {
+    let OauthRegistration { credential, username } = payload.0;
+    let validated_credentials = key_store.validate_with_refresh(credential).await.ok_or(CoreError::Unauthorized)?;
+
+    let mut connection = pool.transaction().await.map_err(UserError::from)?;
+    ratelimits.soft_registrations(ip)?;
+
+    User::validate_name(&username)?;
+
+    let user = AuthenticatedUser::register_oauth(username, validated_credentials, &mut connection).await?;
+
+    ratelimits.registrations(ip)?;
+
+    connection.commit().await.map_err(UserError::from)?;
+
+    build_cookies(&user, cookies)?;
+
+    Ok(Status::NoContent)
+}

pointercrate-user/src/auth/get.rs

@@ -25,7 +25,11 @@ impl AuthenticatedUser<NoAuth> {
 
                 let auth_type = match row.google_account_id {
                     Some(_) => AuthenticationType::oauth(user),
-                    None => AuthenticationType::legacy(user, row.password_hash.ok_or_else(|| CoreError::internal_server_error("Non-oauth user without password in database!"))?),
+                    None => AuthenticationType::legacy(
+                        user,
+                        row.password_hash
+                            .ok_or_else(|| CoreError::internal_server_error("Non-oauth user without password in database!"))?,
+                    ),
                 };
 
                 Ok(AuthenticatedUser {
@@ -53,7 +57,11 @@ impl AuthenticatedUser<NoAuth> {
 
                 let auth_type = match row.google_account_id {
                     Some(_) => AuthenticationType::oauth(user),
-                    None => AuthenticationType::legacy(user, row.password_hash.ok_or_else(|| CoreError::internal_server_error("Non-oauth user without password in database!"))?),
+                    None => AuthenticationType::legacy(
+                        user,
+                        row.password_hash
+                            .ok_or_else(|| CoreError::internal_server_error("Non-oauth user without password in database!"))?,
+                    ),
                 };
 
                 Ok(AuthenticatedUser {

pointercrate-user/src/auth/oauth/mod.rs

@@ -6,7 +6,7 @@ mod patch;
 mod post;
 
 #[cfg(feature = "oauth2")]
-pub use post::{GoogleCertificateDatabase, UnvalidatedOauthCredential, ValidatedGoogleCredentials};
+pub use post::{GoogleCertificateDatabase, OauthRegistration, UnvalidatedOauthCredential, ValidatedGoogleCredentials};
 
 use crate::User;
 

pointercrate-user/src/auth/oauth/post.rs

@@ -1,14 +1,25 @@
+use crate::auth::{AuthenticatedUser, AuthenticationType, PasswordOrBrowser};
+use crate::error::UserError;
+use crate::Result;
+use crate::{config, User};
 use chrono::{DateTime, Utc};
 use jsonwebtoken::{Algorithm, DecodingKey, Validation};
+use pointercrate_core::error::CoreError;
 use serde::Deserialize;
-
-use crate::config;
+use sqlx::PgConnection;
 
 #[derive(Debug, Deserialize)]
 pub struct UnvalidatedOauthCredential {
     credential: String,
 }
 
+#[derive(Debug, Deserialize)]
+pub struct OauthRegistration {
+    #[serde(flatten)]
+    pub credential: UnvalidatedOauthCredential,
+    pub username: String,
+}
+
 #[derive(Deserialize)]
 pub struct ValidatedGoogleCredentials {
     sub: String,
@@ -86,3 +97,38 @@ impl GoogleCertificateDatabase {
         .ok()
     }
 }
+
+impl AuthenticatedUser<PasswordOrBrowser> {
+    pub async fn register_oauth(username: String, credentials: ValidatedGoogleCredentials, connection: &mut PgConnection) -> Result<Self> {
+        log::info!("Attempting oauth registration of new user under name {}", username);
+
+        match User::by_name(&username, connection).await {
+            Ok(_) => return Err(UserError::NameTaken),
+            Err(UserError::UserNotFoundName { .. }) => {},
+            Err(err) => return Err(err),
+        }
+
+        match AuthenticatedUser::by_validated_google_creds(&credentials, connection).await {
+            Ok(_) => return Err(CoreError::Unauthorized.into()),
+            Err(UserError::Core(CoreError::Unauthorized)) => {},
+            Err(err) => return Err(err),
+        }
+
+        let id = sqlx::query!("INSERT INTO members (name) VALUES ($1) RETURNING member_id", &username)
+            .fetch_one(connection)
+            .await?
+            .member_id;
+
+        Ok(AuthenticatedUser {
+            gen: 0,
+            auth_type: AuthenticationType::oauth(User {
+                id,
+                name: username,
+                permissions: 0,
+                display_name: None,
+                youtube_channel: None,
+            }),
+            auth_artifact: PasswordOrBrowser(true),
+        })
+    }
+}