Merge pull request #40 from robn/auth-bearer

Add support for HTTP Bearer authentication

Author: elizagamedev

CHANGELOG.md

@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Added
+- Support for bearer token authentication (#40)
+
 ### Changed
 - mujmap now prints a more comprehensive guide on how to recover from a missing
   state file. (#15)

mujmap.toml.example

@@ -1,12 +1,13 @@
 ################################################################################
 ## Required config
 
-## Username for basic HTTP authentication.
+## Account username. Used for authentication to the server.
 
 username = "[email protected]"
 
-## Shell command which will print a password to stdout for basic HTTP
-## authentication.
+## Shell command which will print a password or token to stdout for
+## authentication. You service provider might call this an "app password" or
+## "API token".
 
 password_command = "pass [email protected]"
 

src/remote.rs

@@ -53,6 +53,9 @@ pub enum Error {
         source: ureq::Error,
     },
 
+    #[snafu(display("Session username doesn't match configured username: {}", username))]
+    UsernameMismatch { username: String },
+
     #[snafu(display("Could not complete API request: {}", source))]
     Request { source: ureq::Error },
 
@@ -99,37 +102,34 @@ pub type Result<T, E = Error> = std::result::Result<T, E>;
 
 struct HttpWrapper {
     /// Value of HTTP Authorization header.
-    authorization: String,
+    authorization: Option<String>,
     /// Persistent ureq agent to use for all HTTP requests.
     agent: ureq::Agent,
 }
 
 impl HttpWrapper {
-    fn new(username: &str, password: &str, timeout: u64) -> Self {
-        let safe_username = match username.find(':') {
-            Some(idx) => &username[..idx],
-            None => username,
-        };
-        let authorization = format!(
-            "Basic {}",
-            base64::encode(format!("{}:{}", safe_username, password))
-        );
+    fn new(authorization: Option<String>, timeout: u64) -> Self {
         let agent = ureq::AgentBuilder::new()
             .redirect_auth_headers(ureq::RedirectAuthHeaders::SameHost)
             .timeout(Duration::from_secs(timeout))
             .build();
 
         Self {
-            agent,
             authorization,
+            agent,
+        }
+    }
+
+    fn apply_authorization(&self, req: ureq::Request) -> ureq::Request {
+        match &self.authorization {
+            Some(authorization) => req.set("Authorization", authorization),
+            _ => req,
         }
     }
 
     fn get_session(&self, session_url: &str) -> Result<(String, jmap::Session), ureq::Error> {
         let response = self
-            .agent
-            .get(session_url)
-            .set("Authorization", &self.authorization)
+            .apply_authorization(self.agent.get(session_url))
             .call()?;
 
         let session_url = response.get_url().to_string();
@@ -139,9 +139,7 @@ impl HttpWrapper {
 
     fn get_reader(&self, url: &str) -> Result<impl Read + Send> {
         Ok(self
-            .agent
-            .get(url)
-            .set("Authorization", &self.authorization)
+            .apply_authorization(self.agent.get(url))
             .call()
             .context(ReadEmailBlobSnafu {})?
             .into_reader()
@@ -152,9 +150,7 @@ impl HttpWrapper {
 
     fn post_string<D: DeserializeOwned>(&self, url: &str, body: &str) -> Result<D> {
         let post = self
-            .agent
-            .post(url)
-            .set("Authorization", &self.authorization)
+            .apply_authorization(self.agent.post(url))
             .send_string(body)
             .context(RequestSnafu {})?;
         if log_enabled!(log::Level::Trace) {
@@ -168,9 +164,7 @@ impl HttpWrapper {
 
     fn post_json<S: Serialize, D: DeserializeOwned>(&self, url: &str, body: S) -> Result<D> {
         let post = self
-            .agent
-            .post(url)
-            .set("Authorization", &self.authorization)
+            .apply_authorization(self.agent.post(url))
             .send_json(body)
             .context(RequestSnafu {})?;
         if log_enabled!(log::Level::Trace) {
@@ -194,7 +188,8 @@ pub struct Remote {
 impl Remote {
     pub fn open(config: &Config) -> Result<Self> {
         let password = config.password().context(GetPasswordSnafu {})?;
-        match (&config.fqdn, &config.session_url) {
+
+        let remote = match (&config.fqdn, &config.session_url) {
             (Some(fqdn), _) => {
                 Self::open_host(&fqdn, config.username.as_str(), &password, config.timeout)
             }
@@ -211,10 +206,19 @@ impl Remote {
                     .context(NoDomainNameSnafu {})?;
                 Self::open_host(domain, config.username.as_str(), &password, config.timeout)
             }
-        }
+        }?;
+
+        ensure!(
+            remote.session.username == config.username,
+            UsernameMismatchSnafu {
+                username: remote.session.username
+            }
+        );
+
+        Ok(remote)
     }
 
-    pub fn open_host(fqdn: &str, username: &str, password: &str, timeout: u64) -> Result<Self> {
+    fn open_host(fqdn: &str, username: &str, password: &str, timeout: u64) -> Result<Self> {
         let resolver = Resolver::from_system_conf().context(ParseResolvConfSnafu {})?;
         let mut address = format!("_jmap._tcp.{}", fqdn);
         if !address.ends_with(".") {
@@ -224,8 +228,6 @@ impl Remote {
             .srv_lookup(address.as_str())
             .context(SrvLookupSnafu { address })?;
 
-        let http_wrapper = HttpWrapper::new(username, password, timeout);
-
         // Try all SRV names in order of priority.
         let mut last_err = None;
         for name in resolver_response
@@ -238,38 +240,89 @@ impl Remote {
             target.pop();
 
             let url = format!("https://{}:{}/.well-known/jmap", target, name.port());
-            match http_wrapper.get_session(url.as_str()) {
-                Ok((session_url, session)) => {
-                    return Ok(Remote {
-                        http_wrapper,
-                        session_url,
-                        session,
-                    })
-                }
-
-                Err(e) => last_err = Some((url, e)),
+            match Self::open_url(url.as_str(), username, password, timeout) {
+                Ok(s) => return Ok(s),
+                Err(e) => last_err = Some(e),
             };
         }
         // All of them failed! Return the last error.
-        let (session_url, error) = last_err.unwrap();
-        Err(error).context(OpenSessionSnafu { session_url })
+        Err(last_err.unwrap())
     }
 
-    pub fn open_url(
-        session_url: &str,
-        username: &str,
-        password: &str,
-        timeout: u64,
-    ) -> Result<Self> {
-        let http_wrapper = HttpWrapper::new(username, password, timeout);
-        let (session_url, session) = http_wrapper
-            .get_session(session_url)
-            .context(OpenSessionSnafu { session_url })?;
-        Ok(Remote {
-            http_wrapper,
-            session_url,
-            session,
-        })
+    fn open_url(session_url: &str, username: &str, password: &str, timeout: u64) -> Result<Self> {
+        let agent = ureq::AgentBuilder::new()
+            .redirect_auth_headers(ureq::RedirectAuthHeaders::SameHost)
+            .timeout(Duration::from_secs(timeout))
+            .build();
+
+        match agent.get(session_url).call() {
+            Ok(r) => {
+                // Server returned success without authentication. Surprising, but valid.
+                let session_url = r.get_url().to_string();
+                let session: jmap::Session = r.into_json().context(ResponseSnafu {})?;
+                Ok(Self {
+                    http_wrapper: HttpWrapper::new(None, timeout),
+                    session_url,
+                    session,
+                })
+            }
+
+            Err(ureq::Error::Status(code, ref r)) if code == 401 => {
+                fn encode_basic(username: &str, password: &str) -> String {
+                    let safe_username = match username.find(':') {
+                        Some(idx) => &username[..idx],
+                        None => username,
+                    };
+                    format!(
+                        "Basic {}",
+                        base64::encode(format!("{}:{}", safe_username, password))
+                    )
+                }
+
+                let authorization = match r.header("WWW-Authenticate") {
+                    Some(v) if v.starts_with("Basic") => {
+                        debug!("server offered Basic auth");
+                        Some(encode_basic(username, password))
+                    }
+
+                    Some(v) if v.starts_with("Bearer") => {
+                        debug!("server offered Bearer auth");
+                        Some(format!("Bearer {}", password))
+                    }
+
+                    // Server didn't offer any auth schemes but still requires authentication.
+                    // Probably it will accept Basic; try that.
+                    None => {
+                        debug!("server requires auth but didn't offer a scheme, assuming Basic");
+                        Some(encode_basic(username, password))
+                    }
+
+                    // No authorization, which will make the next call fail, and then we'll just
+                    // return an error.
+                    Some(v) => {
+                        debug!("server offered unsupported auth scheme: {}", v);
+                        None
+                    }
+                };
+
+                let url = r.get_url();
+
+                let mut req = agent.get(url);
+                if let Some(a) = &authorization {
+                    req = req.set("Authorization", a);
+                }
+
+                let r = req.call().context(OpenSessionSnafu { session_url })?;
+                let session: jmap::Session = r.into_json().context(ResponseSnafu {})?;
+                Ok(Self {
+                    http_wrapper: HttpWrapper::new(authorization, timeout),
+                    session_url: url.to_string(),
+                    session,
+                })
+            }
+
+            Err(e) => Err(e).context(OpenSessionSnafu { session_url }),
+        }
     }
 
     /// Return a list of all `Email` IDs that exist on the server and a state `String` returned by