Merge pull request #23 from tayloraswift/secure-procedural-endpoints

add authentication/authorization enforcement to all procedural endpoints

Author: tayloraswift

Assets/css/Admin.css

@@ -1,6 +1,6 @@
 <div align="center">
 
-<strong><em><code>unidoc</code></em></strong><br><small><code>0.2.6</code></small>
+<strong><em><code>unidoc</code></em></strong><br><small><code>0.2.7</code></small>
 
 [![ci build status](https://github.com/kelvin13/swift-unidoc/actions/workflows/build.yml/badge.svg)](https://github.com/kelvin13/swift-unidoc/actions/workflows/build.yml)
 

Assets/css/Admin.css.map

@@ -4,5 +4,5 @@ public
 protocol GitHubRateLimitError:Error, Equatable, Sendable
 {
     /// The UTC epoch second when the rate limit will reset.
-    var until:UnixTime { get }
+    var until:UnixInstant { get }
 }

README.md

@@ -7,10 +7,10 @@ extension GitHubClient
     struct RateLimitError:GitHubRateLimitError, Equatable, Sendable
     {
         public
-        let until:UnixTime
+        let until:UnixInstant
 
         @inlinable internal
-        init(until:UnixTime)
+        init(until:UnixInstant)
         {
             self.until = until
         }

Sources/GitHubAPI/GitHubRateLimitError.swift

@@ -22,6 +22,14 @@ struct ServerResource:Equatable, Sendable
         self.hash = hash
     }
 }
+extension ServerResource:ExpressibleByStringLiteral
+{
+    @inlinable public
+    init(stringLiteral:String)
+    {
+        self.init(content: .string(stringLiteral), type: .text(.plain, charset: .utf8))
+    }
+}
 extension ServerResource
 {
     /// Computes and populates the resource ``hash`` if it has not already been computed, and

Sources/GitHubClient/GitHubClient.RateLimitError.swift

@@ -3,13 +3,24 @@ import Media
 @frozen public
 enum ServerResponse:Equatable, Sendable
 {
-    case error      (ServerResource)
-    case forbidden  (ServerResource)
-    case ok         (ServerResource)
-    case multiple   (ServerResource)
-    case notFound   (ServerResource)
+    /// 200 OK.
+    case ok             (ServerResource)
+    /// 300 Multiple Choices.
+    case multiple       (ServerResource)
+    /// 400 Bad Request.
+    case badRequest     (ServerResource)
+    /// 401 Unauthorized.
+    case unauthorized   (ServerResource)
+    /// 403 Forbidden.
+    case forbidden      (ServerResource)
+    /// 404 Not Found.
+    case notFound       (ServerResource)
+    /// 409 Conflict.
+    case conflict       (ServerResource)
+    /// 500 Internal Server Error.
+    case error          (ServerResource)
 
-    case redirect   (ServerRedirect, cookies:[Cookie] = [])
+    case redirect       (ServerRedirect, cookies:[Cookie] = [])
 }
 extension ServerResponse
 {
@@ -26,12 +37,15 @@ extension ServerResponse
     {
         switch self
         {
-        case .redirect:                 return 0
-        case .error     (let resource): return resource.content.size
-        case .forbidden (let resource): return resource.content.size
-        case .ok        (let resource): return resource.content.size
-        case .multiple  (let resource): return resource.content.size
-        case .notFound  (let resource): return resource.content.size
+        case .redirect:                     return 0
+        case .ok            (let resource): return resource.content.size
+        case .multiple      (let resource): return resource.content.size
+        case .badRequest    (let resource): return resource.content.size
+        case .unauthorized  (let resource): return resource.content.size
+        case .forbidden     (let resource): return resource.content.size
+        case .notFound      (let resource): return resource.content.size
+        case .conflict      (let resource): return resource.content.size
+        case .error         (let resource): return resource.content.size
         }
     }
 }

Sources/HTTP/ServerResource.swift

@@ -24,23 +24,32 @@ extension ServerMessage
     {
         switch response
         {
+        case .ok(let resource):
+            self.init(resource: resource, using: allocator, as: .ok)
+
+        case .multiple(let resource):
+            self.init(resource: resource, using: allocator, as: .multipleChoices)
+
         case .redirect(let redirect, cookies: let cookies):
             self.init(redirect: redirect, cookies: cookies)
 
-        case .error(let resource):
-            self.init(resource: resource, using: allocator, as: .internalServerError)
+        case .badRequest(let resource):
+            self.init(resource: resource, using: allocator, as: .badRequest)
+
+        case .unauthorized(let resource):
+            self.init(resource: resource, using: allocator, as: .unauthorized)
 
         case .forbidden(let resource):
             self.init(resource: resource, using: allocator, as: .forbidden)
 
-        case .ok(let resource):
-            self.init(resource: resource, using: allocator, as: .ok)
-
-        case .multiple(let resource):
-            self.init(resource: resource, using: allocator, as: .multipleChoices)
-
         case .notFound(let resource):
             self.init(resource: resource, using: allocator, as: .notFound)
+
+        case .conflict(let resource):
+            self.init(resource: resource, using: allocator, as: .conflict)
+
+        case .error(let resource):
+            self.init(resource: resource, using: allocator, as: .internalServerError)
         }
     }
 

Sources/HTTP/ServerResponse.swift

@@ -0,0 +1,54 @@
+import BSONDecoding
+import MongoQL
+
+extension Account
+{
+    @frozen public
+    struct Cookie:Equatable, Hashable, Sendable
+    {
+        @usableFromInline internal
+        let id:Account.ID
+        @usableFromInline internal
+        let cookie:Int64
+
+        @inlinable internal
+        init(id:Account.ID, cookie:Int64)
+        {
+            self.id = id
+            self.cookie = cookie
+        }
+    }
+}
+extension Account.Cookie:CustomStringConvertible
+{
+    @inlinable public
+    var description:String { "\(self.id):\(UInt64.init(bitPattern: self.cookie))" }
+}
+extension Account.Cookie:LosslessStringConvertible
+{
+    @inlinable public
+    init?(_ description:some StringProtocol)
+    {
+        if  let colon:String.Index = description.firstIndex(of: ":"),
+            let id:Account.ID = .init(description[..<colon]),
+            let cookie:UInt64 = .init(description[description.index(after: colon)...])
+        {
+            self.init(id: id, cookie: .init(bitPattern: cookie))
+        }
+        else
+        {
+            return nil
+        }
+    }
+}
+extension Account.Cookie:BSONDocumentDecodable
+{
+    public
+    typealias CodingKey = Account.CodingKey
+
+    @inlinable public
+    init(bson:BSON.DocumentDecoder<CodingKey, some RandomAccessCollection<UInt8>>) throws
+    {
+        self.init(id: try bson[.id].decode(), cookie: try bson[.cookie].decode())
+    }
+}

Sources/HTTPServer/Channels/ServerMessage.swift

@@ -25,6 +25,12 @@ struct Account:Identifiable, Sendable
 }
 extension Account
 {
+    @inlinable public static
+    func machine(_ number:Int32 = 0) -> Self
+    {
+        .init(id: .machine(number), role: .machine)
+    }
+
     @inlinable public static
     func github(user:GitHub.User, role:Role) -> Self
     {
@@ -39,7 +45,7 @@ extension Account:MongoMasterCodingModel
         case id = "_id"
 
         /// The session cookie associated with this account, if logged in. This is generated
-        /// randomly in ``AccountDatabase.update(account:with:)``.
+        /// randomly in ``AccountDatabase.Users.update(account:with:)``.
         case cookie
 
         case role