lawrence/Play-DVV
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add postgres auth sync and stripe webhook verification

Browse Source
This commit is contained in:
L
2026-02-23 23:32:48 +00:00
parent 4ce94a5b17
commit a45a9b0392
5 changed files with 592 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

315
Cargo.lock generated
View File

@@ -47,6 +47,17 @@ dependencies = [
"rustversion", "rustversion",
] ]
[[package]]
name = "async-trait"
version = "0.1.89"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9035ad2d096bed7955a320ee7e2230574d28fd3c3a0f186cbea1ff3c7eed5dbb"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]] [[package]]
name = "atomic-waker" name = "atomic-waker"
version = "1.1.2" version = "1.1.2"
@@ -61,15 +72,20 @@ dependencies = [
"axum", "axum",
"chrono", "chrono",
"fastrand", "fastrand",
"hex",
"hmac",
"jsonwebtoken", "jsonwebtoken",
"metrics", "metrics",
"metrics-exporter-prometheus", "metrics-exporter-prometheus",
"redis", "redis",
"serde", "serde",
"serde_json", "serde_json",
"sha2",
"tokio", "tokio",
"tokio-postgres",
"tracing", "tracing",
"tracing-subscriber", "tracing-subscriber",
"uuid",
] ]
[[package]] [[package]]
@@ -173,12 +189,27 @@ version = "2.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af" checksum = "843867be96c8daad0d758b57df9392b6d8d271134fce549de6ce169ff98a92af"
[[package]]
name = "block-buffer"
version = "0.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
dependencies = [
"generic-array",
]
[[package]] [[package]]
name = "bumpalo" name = "bumpalo"
version = "3.20.2" version = "3.20.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb" checksum = "5d20789868f4b01b2f2caec9f5c4e0213b41e3e5702a50157d699ae31ced2fcb"
[[package]]
name = "byteorder"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
[[package]] [[package]]
name = "bytes" name = "bytes"
version = "1.11.1" version = "1.11.1"
@@ -278,6 +309,15 @@ version = "0.8.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b" checksum = "773648b94d0e5d620f64f280777445740e61fe701025087ec8b57f45c791888b"
[[package]]
name = "cpufeatures"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
dependencies = [
"libc",
]
[[package]] [[package]]
name = "crossbeam-epoch" name = "crossbeam-epoch"
version = "0.9.18" version = "0.9.18"
@@ -293,6 +333,16 @@ version = "0.8.21"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28"
[[package]]
name = "crypto-common"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
dependencies = [
"generic-array",
"typenum",
]
[[package]] [[package]]
name = "deranged" name = "deranged"
version = "0.5.8" version = "0.5.8"
@@ -302,6 +352,17 @@ dependencies = [
"powerfmt", "powerfmt",
] ]
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]] [[package]]
name = "displaydoc" name = "displaydoc"
version = "0.2.5" version = "0.2.5"
@@ -335,6 +396,12 @@ dependencies = [
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
[[package]]
name = "fallible-iterator"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4443176a9f2c162692bd3d352d745ef9413eec5782a80d8fd6f8a1ac692a07f7"
[[package]] [[package]]
name = "fastrand" name = "fastrand"
version = "2.3.0" version = "2.3.0"
@@ -387,6 +454,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d" checksum = "07bbe89c50d7a535e539b8c17bc0b49bdb77747034daa8087407d655f3f7cc1d"
dependencies = [ dependencies = [
"futures-core", "futures-core",
"futures-sink",
] ]
[[package]] [[package]]
@@ -420,6 +488,16 @@ dependencies = [
"slab", "slab",
] ]
[[package]]
name = "generic-array"
version = "0.14.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
]
[[package]] [[package]]
name = "getrandom" name = "getrandom"
version = "0.2.17" version = "0.2.17"
@@ -428,7 +506,7 @@ checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [ dependencies = [
"cfg-if", "cfg-if",
"libc", "libc",
"wasi", "wasi 0.11.1+wasi-snapshot-preview1",
] ]
[[package]] [[package]]
@@ -499,6 +577,21 @@ version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea" checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "hex"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hmac"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6c49c37c09c17a53d937dfbb742eb3a961d65a994e6bcdcf37e7399d0cc8ab5e"
dependencies = [
"digest",
]
[[package]] [[package]]
name = "http" name = "http"
version = "1.4.0" version = "1.4.0"
@@ -814,6 +907,16 @@ version = "0.2.182"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112" checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
[[package]]
name = "libredox"
version = "0.1.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d0b95e02c851351f877147b7deea7b1afb1df71b63aa5f8270716e0c5720616"
dependencies = [
"bitflags",
"libc",
]
[[package]] [[package]]
name = "litemap" name = "litemap"
version = "0.8.1" version = "0.8.1"
@@ -850,6 +953,16 @@ version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3" checksum = "47e1ffaa40ddd1f3ed91f717a33c8c0ee23fff369e3aa8772b9605cc1d22f4c3"
[[package]]
name = "md-5"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d89e7ee0cfbedfc4da3340218492196241d89eefb6dab27de5df917a6d2e78cf"
dependencies = [
"cfg-if",
"digest",
]
[[package]] [[package]]
name = "memchr" name = "memchr"
version = "2.8.0" version = "2.8.0"
@@ -916,7 +1029,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc" checksum = "a69bcab0ad47271a0234d9422b131806bf3968021e5dc9328caf2d4cd58557fc"
dependencies = [ dependencies = [
"libc", "libc",
"wasi", "wasi 0.11.1+wasi-snapshot-preview1",
"windows-sys 0.61.2", "windows-sys 0.61.2",
] ]
@@ -963,6 +1076,24 @@ dependencies = [
"autocfg", "autocfg",
] ]
[[package]]
name = "objc2-core-foundation"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2a180dd8642fa45cdb7dd721cd4c11b1cadd4929ce112ebd8b9f5803cc79d536"
dependencies = [
"bitflags",
]
[[package]]
name = "objc2-system-configuration"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7216bd11cbda54ccabcab84d523dc93b858ec75ecfb3a7d89513fa22464da396"
dependencies = [
"objc2-core-foundation",
]
[[package]] [[package]]
name = "once_cell" name = "once_cell"
version = "1.21.3" version = "1.21.3"
@@ -1014,6 +1145,25 @@ version = "2.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220"
[[package]]
name = "phf"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
dependencies = [
"phf_shared",
"serde",
]
[[package]]
name = "phf_shared"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
dependencies = [
"siphasher",
]
[[package]] [[package]]
name = "pin-project-lite" name = "pin-project-lite"
version = "0.2.16" version = "0.2.16"
@@ -1032,6 +1182,38 @@ version = "1.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49" checksum = "c33a9471896f1c69cecef8d20cbe2f7accd12527ce60845ff44c153bb2a21b49"
[[package]]
name = "postgres-protocol"
version = "0.6.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3ee9dd5fe15055d2b6806f4736aa0c9637217074e224bbec46d4041b91bb9491"
dependencies = [
"base64",
"byteorder",
"bytes",
"fallible-iterator",
"hmac",
"md-5",
"memchr",
"rand",
"sha2",
"stringprep",
]
[[package]]
name = "postgres-types"
version = "0.2.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "54b858f82211e84682fecd373f68e1ceae642d8d751a1ebd13f33de6257b3e20"
dependencies = [
"bytes",
"chrono",
"fallible-iterator",
"postgres-protocol",
"serde_core",
"serde_json",
]
[[package]] [[package]]
name = "potential_utf" name = "potential_utf"
version = "0.1.4" version = "0.1.4"
@@ -1085,7 +1267,7 @@ dependencies = [
"libc", "libc",
"once_cell", "once_cell",
"raw-cpuid", "raw-cpuid",
"wasi", "wasi 0.11.1+wasi-snapshot-preview1",
"web-sys", "web-sys",
"winapi", "winapi",
] ]
@@ -1420,6 +1602,17 @@ version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbfa15b3dddfee50a0fff136974b3e1bde555604ba463834a7eb7deb6417705d" checksum = "bbfa15b3dddfee50a0fff136974b3e1bde555604ba463834a7eb7deb6417705d"
[[package]]
name = "sha2"
version = "0.10.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a7507d819769d01a365ab707794a4084392c824f54a7a6a7862f8c3d0892b283"
dependencies = [
"cfg-if",
"cpufeatures",
"digest",
]
[[package]] [[package]]
name = "sharded-slab" name = "sharded-slab"
version = "0.1.7" version = "0.1.7"
@@ -1466,6 +1659,12 @@ dependencies = [
"time", "time",
] ]
[[package]]
name = "siphasher"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b2aa850e253778c88a04c3d7323b043aeda9d3e30d5971937c1855769763678e"
[[package]] [[package]]
name = "sketches-ddsketch" name = "sketches-ddsketch"
version = "0.3.0" version = "0.3.0"
@@ -1500,6 +1699,17 @@ version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596" checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
[[package]]
name = "stringprep"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7b4df3d392d81bd458a8a621b8bffbd2302a12ffe288a9d931670948749463b1"
dependencies = [
"unicode-bidi",
"unicode-normalization",
"unicode-properties",
]
[[package]] [[package]]
name = "subtle" name = "subtle"
version = "2.6.1" version = "2.6.1"
@@ -1604,6 +1814,21 @@ dependencies = [
"zerovec", "zerovec",
] ]
[[package]]
name = "tinyvec"
version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa5fdc3bce6191a1dbc8c02d5c8bffcf557bafa17c124c5264a458f1b0613fa"
dependencies = [
"tinyvec_macros",
]
[[package]]
name = "tinyvec_macros"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20"
[[package]] [[package]]
name = "tokio" name = "tokio"
version = "1.49.0" version = "1.49.0"
@@ -1632,6 +1857,32 @@ dependencies = [
"syn", "syn",
] ]
[[package]]
name = "tokio-postgres"
version = "0.7.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dcea47c8f71744367793f16c2db1f11cb859d28f436bdb4ca9193eb1f787ee42"
dependencies = [
"async-trait",
"byteorder",
"bytes",
"fallible-iterator",
"futures-channel",
"futures-util",
"log",
"parking_lot",
"percent-encoding",
"phf",
"pin-project-lite",
"postgres-protocol",
"postgres-types",
"rand",
"socket2",
"tokio",
"tokio-util",
"whoami",
]
[[package]] [[package]]
name = "tokio-rustls" name = "tokio-rustls"
version = "0.26.4" version = "0.26.4"
@@ -1751,12 +2002,39 @@ version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b" checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
[[package]]
name = "typenum"
version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "562d481066bde0658276a35467c4af00bdc6ee726305698a55b86e61d7ad82bb"
[[package]]
name = "unicode-bidi"
version = "0.3.18"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c1cb5db39152898a79168971543b1cb5020dff7fe43c8dc468b0885f5e29df5"
[[package]] [[package]]
name = "unicode-ident" name = "unicode-ident"
version = "1.0.24" version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75" checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
[[package]]
name = "unicode-normalization"
version = "0.1.25"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fd4f6878c9cb28d874b009da9e8d183b5abc80117c40bbd187a1fde336be6e8"
dependencies = [
"tinyvec",
]
[[package]]
name = "unicode-properties"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7df058c713841ad818f1dc5d3fd88063241cc61f49f5fbea4b951e8cf5a8d71d"
[[package]] [[package]]
name = "unicode-xid" name = "unicode-xid"
version = "0.2.6" version = "0.2.6"
@@ -1826,6 +2104,15 @@ version = "0.11.1+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b" checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
[[package]]
name = "wasi"
version = "0.14.7+wasi-0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "883478de20367e224c0090af9cf5f9fa85bed63a95c1abf3afc5c083ebc06e8c"
dependencies = [
"wasip2",
]
[[package]] [[package]]
name = "wasip2" name = "wasip2"
version = "1.0.2+wasi-0.2.9" version = "1.0.2+wasi-0.2.9"
@@ -1844,6 +2131,15 @@ dependencies = [
"wit-bindgen", "wit-bindgen",
] ]
[[package]]
name = "wasite"
version = "1.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "66fe902b4a6b8028a753d5424909b764ccf79b7a209eac9bf97e59cda9f71a42"
dependencies = [
"wasi 0.14.7+wasi-0.2.4",
]
[[package]] [[package]]
name = "wasm-bindgen" name = "wasm-bindgen"
version = "0.2.111" version = "0.2.111"
@@ -1933,6 +2229,19 @@ dependencies = [
"wasm-bindgen", "wasm-bindgen",
] ]
[[package]]
name = "whoami"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6a5b12f9df4f978d2cfdb1bd3bac52433f44393342d7ee9c25f5a1c14c0f45d"
dependencies = [
"libc",
"libredox",
"objc2-system-configuration",
"wasite",
"web-sys",
]
[[package]] [[package]]
name = "winapi" name = "winapi"
version = "0.3.9" version = "0.3.9"

4
Cargo.toml
View File

@@ -21,3 +21,7 @@ jsonwebtoken = "10"
chrono = { version = "0.4", features = ["serde", "clock"] } chrono = { version = "0.4", features = ["serde", "clock"] }
metrics = "0.24" metrics = "0.24"
metrics-exporter-prometheus = "0.17" metrics-exporter-prometheus = "0.17"
tokio-postgres = { version = "0.7", features = ["with-chrono-0_4", "with-serde_json-1"] }
hmac = "0.12"
sha2 = "0.10"
hex = "0.4"

5
auth-api/Cargo.toml
View File

@@ -17,3 +17,8 @@ tracing-subscriber.workspace = true
fastrand.workspace = true fastrand.workspace = true
metrics.workspace = true metrics.workspace = true
metrics-exporter-prometheus.workspace = true metrics-exporter-prometheus.workspace = true
tokio-postgres.workspace = true
hmac.workspace = true
sha2.workspace = true
hex.workspace = true
uuid.workspace = true

330
auth-api/src/main.rs
View File

@@ -1,24 +1,32 @@
use std::{net::SocketAddr, sync::Arc}; use std::{net::SocketAddr, sync::Arc, time::Instant};
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use axum::{ use axum::{
Json, Router, Json, Router,
extract::State, extract::State,
http::StatusCode, http::{HeaderMap, StatusCode},
response::IntoResponse, response::IntoResponse,
routing::{get, post}, routing::{get, post},
}; };
use chrono::{Duration, Utc}; use chrono::{Duration, TimeZone, Utc};
use hmac::{Hmac, Mac};
use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode}; use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode};
use metrics_exporter_prometheus::{PrometheusBuilder, PrometheusHandle}; use metrics_exporter_prometheus::{PrometheusBuilder, PrometheusHandle};
use redis::AsyncCommands; use redis::AsyncCommands;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use sha2::Sha256;
use tokio_postgres::{Client as PgClient, NoTls};
use tracing::{info, warn}; use tracing::{info, warn};
use uuid::Uuid;
type HmacSha256 = Hmac<Sha256>;
#[derive(Clone)] #[derive(Clone)]
struct AppState { struct AppState {
jwt_secret: Arc<String>, jwt_secret: Arc<String>,
stripe_webhook_secret: Option<Arc<String>>,
redis: Option<redis::aio::ConnectionManager>, redis: Option<redis::aio::ConnectionManager>,
pg: Option<Arc<PgClient>>,
metrics: PrometheusHandle, metrics: PrometheusHandle,
} }
@@ -67,6 +75,17 @@ struct StripeWebhookEvent {
tier: String, tier: String,
#[serde(default = "default_max_tunnels")] #[serde(default = "default_max_tunnels")]
max_tunnels: u32, max_tunnels: u32,
#[serde(default = "default_subscription_status")]
status: String,
provider_customer_id: Option<String>,
provider_subscription_id: Option<String>,
current_period_end: Option<i64>,
}
#[derive(Debug, Clone)]
struct PlanEntitlement {
tier: String,
max_tunnels: u32,
} }
#[tokio::main] #[tokio::main]
@@ -80,9 +99,11 @@ async fn main() -> Result<()> {
let bind = std::env::var("AUTH_BIND").unwrap_or_else(|_| "0.0.0.0:8080".into()); let bind = std::env::var("AUTH_BIND").unwrap_or_else(|_| "0.0.0.0:8080".into());
let jwt_secret = std::env::var("JWT_SECRET").unwrap_or_else(|_| "dev-secret-change-me".into()); let jwt_secret = std::env::var("JWT_SECRET").unwrap_or_else(|_| "dev-secret-change-me".into());
let stripe_webhook_secret = std::env::var("STRIPE_WEBHOOK_SECRET").ok().map(Arc::new);
let metrics = PrometheusBuilder::new() let metrics = PrometheusBuilder::new()
.install_recorder() .install_recorder()
.context("install prometheus recorder")?; .context("install prometheus recorder")?;
let redis = if let Ok(url) = std::env::var("REDIS_URL") { let redis = if let Ok(url) = std::env::var("REDIS_URL") {
let client = redis::Client::open(url.clone()).context("open redis client")?; let client = redis::Client::open(url.clone()).context("open redis client")?;
match redis::aio::ConnectionManager::new(client).await { match redis::aio::ConnectionManager::new(client).await {
@@ -99,9 +120,13 @@ async fn main() -> Result<()> {
None None
}; };
let pg = connect_postgres().await?;
let state = AppState { let state = AppState {
jwt_secret: Arc::new(jwt_secret), jwt_secret: Arc::new(jwt_secret),
stripe_webhook_secret,
redis, redis,
pg,
metrics, metrics,
}; };
@@ -122,6 +147,22 @@ async fn main() -> Result<()> {
Ok(()) Ok(())
} }
async fn connect_postgres() -> Result<Option<Arc<PgClient>>> {
let Some(url) = std::env::var("DATABASE_URL").ok() else {
return Ok(None);
};
let (client, conn) = tokio_postgres::connect(&url, NoTls)
.await
.context("connect postgres")?;
tokio::spawn(async move {
if let Err(e) = conn.await {
warn!(error = %e, "postgres connection task ended");
}
});
info!("auth-api connected to postgres");
Ok(Some(Arc::new(client)))
}
async fn healthz() -> &'static str { async fn healthz() -> &'static str {
"ok" "ok"
} }
@@ -135,7 +176,7 @@ async fn issue_dev_token(
State(state): State<AppState>, State(state): State<AppState>,
Json(req): Json<DevTokenRequest>, Json(req): Json<DevTokenRequest>,
) -> Result<Json<TokenResponse>, ApiError> { ) -> Result<Json<TokenResponse>, ApiError> {
let started = std::time::Instant::now(); let started = Instant::now();
let now = Utc::now(); let now = Utc::now();
let exp = now + Duration::hours(24); let exp = now + Duration::hours(24);
let claims = Claims { let claims = Claims {
@@ -154,20 +195,7 @@ async fn issue_dev_token(
) )
.map_err(ApiError::internal)?; .map_err(ApiError::internal)?;
if let Some(mut redis) = state.redis.clone() { sync_jwt_cache(&state, &claims).await?;
let key = format!("auth:jwt:jti:{}", claims.jti);
let ttl = (claims.exp as i64 - now.timestamp()).max(1);
let payload = serde_json::json!({
"user_id": claims.sub,
"plan_tier": claims.tier,
"max_tunnels": claims.max_tunnels
})
.to_string();
let _: () = redis
.set_ex(key, payload, ttl as u64)
.await
.map_err(ApiError::internal)?;
}
metrics::counter!("auth_jwt_issued_total").increment(1); metrics::counter!("auth_jwt_issued_total").increment(1);
metrics::histogram!("auth_issue_token_latency_ms") metrics::histogram!("auth_issue_token_latency_ms")
.record(started.elapsed().as_secs_f64() * 1000.0); .record(started.elapsed().as_secs_f64() * 1000.0);
@@ -183,72 +211,232 @@ async fn validate_token(
State(state): State<AppState>, State(state): State<AppState>,
Json(req): Json<ValidateRequest>, Json(req): Json<ValidateRequest>,
) -> Result<Json<ValidateResponse>, ApiError> { ) -> Result<Json<ValidateResponse>, ApiError> {
let started = std::time::Instant::now(); let started = Instant::now();
let decoded = decode::<Claims>( let decoded = decode::<Claims>(
&req.token, &req.token,
&DecodingKey::from_secret(state.jwt_secret.as_bytes()), &DecodingKey::from_secret(state.jwt_secret.as_bytes()),
&Validation::new(Algorithm::HS256), &Validation::new(Algorithm::HS256),
); );
match decoded { let response = match decoded {
Ok(tok) => { Ok(tok) => {
let c = tok.claims; let claims = tok.claims;
if let Some(mut redis) = state.redis.clone() { let ent = match load_plan_for_user(&state, &claims.sub).await? {
let key = format!("plan:user:{}", c.sub); Some(db_plan) => db_plan,
let payload = serde_json::json!({ None => PlanEntitlement {
"tier": c.tier, tier: claims.tier.clone(),
"max_tunnels": c.max_tunnels, max_tunnels: claims.max_tunnels,
"source": "auth-api" },
}) };
.to_string(); sync_plan_cache(&state, &claims.sub, &ent, "auth-validate").await?;
let _: () = redis.set_ex(key, payload, 300).await.map_err(ApiError::internal)?;
}
metrics::counter!("auth_token_validate_total", "result" => "valid").increment(1); metrics::counter!("auth_token_validate_total", "result" => "valid").increment(1);
metrics::histogram!("auth_validate_token_latency_ms") ValidateResponse {
.record(started.elapsed().as_secs_f64() * 1000.0);
Ok(Json(ValidateResponse {
valid: true, valid: true,
user_id: Some(c.sub), user_id: Some(claims.sub),
tier: Some(c.tier), tier: Some(ent.tier),
max_tunnels: Some(c.max_tunnels), max_tunnels: Some(ent.max_tunnels),
})) }
} }
Err(_) => Ok(Json(ValidateResponse { Err(_) => {
valid: false,
user_id: None,
tier: None,
max_tunnels: None,
})).map(|resp| {
metrics::counter!("auth_token_validate_total", "result" => "invalid").increment(1); metrics::counter!("auth_token_validate_total", "result" => "invalid").increment(1);
metrics::histogram!("auth_validate_token_latency_ms") ValidateResponse {
.record(started.elapsed().as_secs_f64() * 1000.0); valid: false,
resp user_id: None,
}), tier: None,
} max_tunnels: None,
}
}
};
metrics::histogram!("auth_validate_token_latency_ms")
.record(started.elapsed().as_secs_f64() * 1000.0);
Ok(Json(response))
} }
#[tracing::instrument(skip(state))] #[tracing::instrument(skip(state, headers, body))]
async fn stripe_webhook( async fn stripe_webhook(
State(state): State<AppState>, State(state): State<AppState>,
Json(event): Json<StripeWebhookEvent>, headers: HeaderMap,
body: String,
) -> Result<impl IntoResponse, ApiError> { ) -> Result<impl IntoResponse, ApiError> {
let started = std::time::Instant::now(); let started = Instant::now();
verify_stripe_signature(state.stripe_webhook_secret.as_deref().map(|s| s.as_str()), &headers, &body)?;
let event: StripeWebhookEvent = serde_json::from_str(&body).map_err(ApiError::bad_request)?;
let ent = PlanEntitlement {
tier: event.tier.clone(),
max_tunnels: event.max_tunnels,
};
if let Some(pg) = &state.pg {
upsert_subscription_from_webhook(pg, &event).await?;
}
sync_plan_cache(&state, &event.user_id, &ent, "stripe_webhook").await?;
metrics::counter!("stripe_webhook_events_total", "event_type" => event.event_type.clone())
.increment(1);
metrics::histogram!("stripe_webhook_latency_ms")
.record(started.elapsed().as_secs_f64() * 1000.0);
Ok(StatusCode::NO_CONTENT)
}
async fn sync_jwt_cache(state: &AppState, claims: &Claims) -> Result<(), ApiError> {
if let Some(mut redis) = state.redis.clone() { if let Some(mut redis) = state.redis.clone() {
let key = format!("plan:user:{}", event.user_id); let key = format!("auth:jwt:jti:{}", claims.jti);
let ttl = (claims.exp as i64 - Utc::now().timestamp()).max(1);
let payload = serde_json::json!({ let payload = serde_json::json!({
"tier": event.tier, "user_id": claims.sub,
"max_tunnels": event.max_tunnels, "plan_tier": claims.tier,
"source": "stripe_webhook", "max_tunnels": claims.max_tunnels
"last_event_type": event.event_type, })
"updated_at": Utc::now().timestamp(), .to_string();
let _: () = redis
.set_ex(key, payload, ttl as u64)
.await
.map_err(ApiError::internal)?;
}
Ok(())
}
async fn sync_plan_cache(
state: &AppState,
user_id: &str,
ent: &PlanEntitlement,
source: &str,
) -> Result<(), ApiError> {
if let Some(mut redis) = state.redis.clone() {
let key = format!("plan:user:{user_id}");
let payload = serde_json::json!({
"tier": ent.tier,
"max_tunnels": ent.max_tunnels,
"source": source,
"updated_at": Utc::now().timestamp()
}) })
.to_string(); .to_string();
let _: () = redis.set_ex(key, payload, 300).await.map_err(ApiError::internal)?; let _: () = redis.set_ex(key, payload, 300).await.map_err(ApiError::internal)?;
} }
metrics::counter!("stripe_webhook_events_total", "event_type" => event.event_type.clone()).increment(1); Ok(())
metrics::histogram!("stripe_webhook_latency_ms") }
.record(started.elapsed().as_secs_f64() * 1000.0);
Ok(StatusCode::NO_CONTENT) async fn load_plan_for_user(state: &AppState, user_id: &str) -> Result<Option<PlanEntitlement>, ApiError> {
let Some(pg) = &state.pg else {
return Ok(None);
};
let _ = Uuid::parse_str(user_id).map_err(ApiError::bad_request)?;
let row = pg
.query_opt(
r#"
select p.id as plan_id, p.max_tunnels
from subscriptions s
join plans p on p.id = s.plan_id
where s.user_id = $1::uuid and s.status in ('active', 'trialing')
order by s.updated_at desc
limit 1
"#,
&[&user_id],
)
.await
.map_err(ApiError::internal)?;
Ok(row.map(|r| PlanEntitlement {
tier: r.get::<_, String>("plan_id"),
max_tunnels: r.get::<_, i32>("max_tunnels") as u32,
}))
}
async fn upsert_subscription_from_webhook(pg: &PgClient, event: &StripeWebhookEvent) -> Result<(), ApiError> {
let _ = Uuid::parse_str(&event.user_id).map_err(ApiError::bad_request)?;
let period_end = event
.current_period_end
.and_then(|ts| Utc.timestamp_opt(ts, 0).single())
.map(|dt| dt.naive_utc());
let provider_sub_id = event
.provider_subscription_id
.clone()
.unwrap_or_else(|| format!("sub-dev-{}", fastrand::u64(..)));
pg.execute(
r#"
insert into subscriptions (
user_id, plan_id, provider, provider_customer_id, provider_subscription_id, status,
current_period_end, updated_at
)
values ($1::uuid, $2, 'stripe', $3, $4, $5, $6, now())
on conflict (provider_subscription_id)
do update set
user_id = excluded.user_id,
plan_id = excluded.plan_id,
provider_customer_id = excluded.provider_customer_id,
status = excluded.status,
current_period_end = excluded.current_period_end,
updated_at = now()
"#,
&[
&event.user_id,
&event.tier,
&event.provider_customer_id,
&provider_sub_id,
&event.status,
&period_end,
],
)
.await
.map_err(ApiError::internal)?;
Ok(())
}
fn verify_stripe_signature(
secret: Option<&str>,
headers: &HeaderMap,
body: &str,
) -> Result<(), ApiError> {
let Some(secret) = secret else {
return Ok(());
};
let header = headers
.get("stripe-signature")
.and_then(|h| h.to_str().ok())
.ok_or_else(|| ApiError::unauthorized("missing stripe-signature header"))?;
let mut timestamp: Option<i64> = None;
let mut sigs: Vec<&str> = Vec::new();
for part in header.split(',') {
let mut kv = part.trim().splitn(2, '=');
let k = kv.next().unwrap_or_default();
let v = kv.next().unwrap_or_default();
match k {
"t" => timestamp = v.parse::<i64>().ok(),
"v1" => sigs.push(v),
_ => {}
}
}
let ts = timestamp.ok_or_else(|| ApiError::unauthorized("invalid stripe signature timestamp"))?;
let now = Utc::now().timestamp();
if (now - ts).abs() > 300 {
return Err(ApiError::unauthorized("stale stripe signature"));
}
let signed_payload = format!("{ts}.{body}");
let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).map_err(ApiError::internal)?;
mac.update(signed_payload.as_bytes());
let expected = mac.finalize().into_bytes();
for sig in sigs {
let Ok(bytes) = hex::decode(sig) else { continue; };
let mut verify_mac = HmacSha256::new_from_slice(secret.as_bytes()).map_err(ApiError::internal)?;
verify_mac.update(signed_payload.as_bytes());
if verify_mac.verify_slice(&bytes).is_ok() {
return Ok(());
}
}
let _ = expected;
Err(ApiError::unauthorized("stripe signature verification failed"))
} }
#[derive(Debug)] #[derive(Debug)]
@@ -264,6 +452,20 @@ impl ApiError {
message: e.to_string(), message: e.to_string(),
} }
} }
fn bad_request<E: std::fmt::Display>(e: E) -> Self {
Self {
status: StatusCode::BAD_REQUEST,
message: e.to_string(),
}
}
fn unauthorized<E: Into<String>>(msg: E) -> Self {
Self {
status: StatusCode::UNAUTHORIZED,
message: msg.into(),
}
}
} }
impl IntoResponse for ApiError { impl IntoResponse for ApiError {
@@ -279,3 +481,7 @@ fn default_tier() -> String {
fn default_max_tunnels() -> u32 { fn default_max_tunnels() -> u32 {
1 1
} }
fn default_subscription_status() -> String {
"active".to_string()
}

3
db/schema.sql
View File

@@ -35,6 +35,9 @@ create table if not exists subscriptions (
); );
create index if not exists subscriptions_user_id_idx on subscriptions(user_id); create index if not exists subscriptions_user_id_idx on subscriptions(user_id);
create unique index if not exists subscriptions_provider_subscription_id_uidx
on subscriptions(provider_subscription_id)
where provider_subscription_id is not null;
create table if not exists tunnels ( create table if not exists tunnels (
id uuid primary key default gen_random_uuid(), id uuid primary key default gen_random_uuid(),