fix: /repositories should requires authentication as well (#1042)

TabbyML · Dec 14, 2023 · 60845d6 · 60845d6
1 parent bd4d812
commit 60845d6
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 4 deletions.
diff --git a/ee/tabby-webserver/src/lib.rs b/ee/tabby-webserver/src/lib.rs
@@ -52,8 +52,8 @@ pub async fn attach_webserver(
         )
         .route("/graphql", routing::get(playground("/graphql", None)))
         .layer(Extension(schema))
-        .route("/hub", routing::get(ws_handler).with_state(ctx))
-        .nest("/repositories", repositories::routes());
+        .route("/hub", routing::get(ws_handler).with_state(ctx.clone()))
+        .nest("/repositories", repositories::routes(ctx.clone()));
 
     let ui = ui
         .route("/graphiql", routing::get(graphiql("/graphql", None)))

diff --git a/ee/tabby-webserver/src/repositories/mod.rs b/ee/tabby-webserver/src/repositories/mod.rs
@@ -1,21 +1,56 @@
 mod resolve;
 
+use std::sync::Arc;
+
 use anyhow::Result;
-use axum::{extract::Path, http::StatusCode, response::Response, routing, Json, Router};
+use axum::{
+    extract::{Path, State},
+    http::{Request, StatusCode},
+    middleware::{from_fn_with_state, Next},
+    response::{IntoResponse, Response},
+    routing, Json, Router,
+};
+use hyper::Body;
+use juniper_axum::extract::AuthBearer;
 use tabby_common::path::repositories_dir;
 use tracing::{instrument, warn};
 
 use crate::{
     repositories,
     repositories::resolve::{resolve_dir, resolve_file, resolve_meta, Meta, ResolveParams},
+    schema::{auth::AuthenticationService, ServiceLocator},
 };
 
-pub fn routes() -> Router {
+pub fn routes(locator: Arc<dyn ServiceLocator>) -> Router {
     Router::new()
         .route("/:name/resolve/", routing::get(repositories::resolve))
         .route("/:name/resolve/*path", routing::get(repositories::resolve))
         .route("/:name/meta/", routing::get(repositories::meta))
         .route("/:name/meta/*path", routing::get(repositories::meta))
+        .layer(from_fn_with_state(locator, require_login_middleware))
+}
+
+async fn require_login_middleware(
+    State(locator): State<Arc<dyn ServiceLocator>>,
+    AuthBearer(token): AuthBearer,
+    request: Request<Body>,
+    next: Next<Body>,
+) -> axum::response::Response {
+    let unauthorized = axum::response::Response::builder()
+        .status(StatusCode::UNAUTHORIZED)
+        .body(Body::empty())
+        .unwrap()
+        .into_response();
+
+    let Some(token) = token else {
+        return unauthorized;
+    };
+
+    let Ok(_) = locator.auth().verify_access_token(&token).await else {
+        return unauthorized;
+    };
+
+    next.run(request).await
 }
 
 #[instrument(skip(repo))]