Add log-out, fix user auto-log-out

Author: fvacek

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "qxhttpd"
-version = "0.1.0"
+version = "0.1.1"
 edition = "2024"
 
 [dependencies]

db/edb/migrations/20250424071515_simplify_changes_table.sql

@@ -0,0 +1,2 @@
+DELETE FROM changes;
+ALTER TABLE changes ADD COLUMN status_message TEXT;

src/auth.rs

@@ -7,9 +7,9 @@ use rocket::log::private::info;
 use rocket::response::{Debug, Redirect};
 use rocket_oauth2::{OAuth2, TokenResponse};
 use serde_json::Value;
-use crate::{QxSession, QxSessionId, SharedQxState};
+use crate::{MaybeSessionId, QxSession, QxSessionId, SharedQxState};
 
-#[derive(Clone, serde::Serialize)]
+#[derive(serde::Serialize, Clone, Debug)]
 pub struct UserInfo {
     name: String,
     pub(crate) email: String,
@@ -62,6 +62,14 @@ struct GoogleUserInfo {
     email: Value,
     picture: Value,
 }
+#[get("/logout")]
+async fn logout(session_id: MaybeSessionId, state: &State<SharedQxState>) -> Redirect {
+    if let Some(session_id) = session_id.0 {
+        state.write().await.sessions.remove(&session_id);
+    }
+    Redirect::to("/")
+}
+
 #[get("/login")]
 async fn login(state: &State<SharedQxState>) -> Redirect {
     // must be the same host as redirect_uri, both have to be localhost or 127.0.0.1
@@ -107,6 +115,9 @@ async fn google_auth(token: TokenResponse<GoogleUserInfo>, cookies: &CookieJar<'
     }
     let session_id = generate_session_id();
     info!("User log in, name: {}, email: {}, picture: {}", user_info.name, user_info.email, user_info.picture);
+
+    info!("insert session_id: {session_id:?}");
+    
     state.write().await.sessions.insert(QxSessionId(session_id.clone()), QxSession{ user_info });
     // Set a private cookie with the user's name, and redirect to the home page.
     cookies.add_private(
@@ -120,6 +131,7 @@ async fn google_auth(token: TokenResponse<GoogleUserInfo>, cookies: &CookieJar<'
 
 pub fn extend(rocket: Rocket<Build>) -> Rocket<Build> {
     rocket.mount("/", routes![
+            logout,
             login,
             google_login,
             google_auth,

src/changes.rs

@@ -15,7 +15,6 @@ use crate::qxdatetime::QxDateTime;
 use sqlx::{Encode, Sqlite};
 use sqlx::query::{Query};
 use sqlx::sqlite::{SqliteArgumentValue, SqliteArguments};
-use log::info;
 use crate::db::{get_event_db, DbPool};
 use crate::oc::OCheckListChange;
 use crate::util::{anyhow_to_custom_error, sqlx_to_anyhow, sqlx_to_custom_error};
@@ -274,7 +273,7 @@ async fn get_changes(event_id: EventId, from_id: Option<i64>, state: &State<Shar
 
 #[post("/api/event/<event_id>/changes/run-update-request", data = "<change>")]
 pub async fn add_run_update_request_change(event_id: EventId, session_id: QxSessionId, change: Json<QxRunChange>, state: &State<SharedQxState>) -> Result<(), Custom<String>> {
-    let user = user_info(session_id, state).await?;
+    let user = user_info(&session_id, state).await?;
     let change = change.into_inner();
     let data_type = DataType::RunUpdateRequest;
     let data = ChangeData::RunUpdateRequest(change.clone());
@@ -402,7 +401,7 @@ async fn api_get_changes(event_id: EventId, from_id: Option<i64>, data_type: Opt
 
     let query = query_builder.build_query_as::<ChangesRecord>();
     let records: Vec<_> = query.fetch_all(&edb).await.map_err(sqlx_to_custom_error)?;
-    info!("records: {:?}", records);
+    // info!("records: {:?}", records);
     Ok(records.into())
 }
 

src/event.rs

@@ -2,7 +2,6 @@ use std::fs::OpenOptions;
 use rocket::serde::json::Json;
 use std::io::{Cursor, Read};
 use anyhow::anyhow;
-use base64::engine::general_purpose;
 use image::ImageFormat;
 use rocket::form::{Contextual, Form};
 use rocket::http::{ContentType, Status};
@@ -121,7 +120,7 @@ struct EventFormValues<'v> {
 // need, do not use `Contextual`. Use the equivalent of `Form<Submit<'_>>`.
 #[post("/event", data = "<form>")]
 async fn post_event<'r>(form: Form<Contextual<'r, EventFormValues<'r>>>, session_id: QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Redirect, Custom<String>> {
-    let user = user_info(session_id, state).await?;
+    let user = user_info(&session_id, state).await?;
     let vals = form.value.as_ref().ok_or(Custom(Status::BadRequest, "Form data invalid".to_string()))?;
     let start_time = QxDateTime::parse_from_iso(vals.start_time)
         .map_err(|e| Custom(Status::BadRequest, format!("Unrecognized date-time string: {}, error: {e}", vals.start_time)))?;
@@ -149,32 +148,51 @@ async fn post_event<'r>(form: Form<Contextual<'r, EventFormValues<'r>>>, session
     let event_id = save_event(&event, db).await.map_err(|e| Custom(Status::BadRequest, e.to_string()))?;
     Ok(Redirect::to(format!("/event/{event_id}")))
 }
-pub async fn user_info(session_id: QxSessionId, state: &State<SharedQxState>) -> Result<UserInfo, Custom<String>> {
+pub async fn user_info(session_id: &QxSessionId, state: &State<SharedQxState>) -> Result<UserInfo, Custom<String>> {
     state.read().await
         .sessions.get(&session_id).map(|s| s.user_info.clone()).ok_or( Custom(Status::Unauthorized, "Invalid session ID".to_string()) )
 }
-pub async fn user_info_opt(session_id: MaybeSessionId, state: &State<SharedQxState>) -> anyhow::Result<Option<UserInfo>> {
-    match session_id {
-        MaybeSessionId::None => Ok(None),
-        MaybeSessionId::Some(session_id) => {
-            let user_info = state.read().await
-                .sessions.get(&session_id).map(|s| s.user_info.clone());
-            Ok(user_info)
+pub async fn user_info_opt(session_id: Option<&QxSessionId>, state: &State<SharedQxState>) -> anyhow::Result<Option<UserInfo>> {
+    match &session_id {
+        None => Ok(None),
+        Some(session_id) => {
+            get_user_info(session_id, state).await
         }
     }
 }
 
-pub async fn user_and_event_owner_opt(event_id: EventId, session_id: MaybeSessionId, state: &State<SharedQxState>, gdb: &State<DbPool>) -> anyhow::Result<Option<UserInfo>> {
+pub async fn get_user_info(session_id: &QxSessionId, state: &State<SharedQxState>) -> anyhow::Result<Option<UserInfo>> {
+    let user_info = state.read().await
+        .sessions.get(session_id).map(|s| s.user_info.clone());
+    Ok(user_info)
+}
+
+pub async fn event_owner_opt(event_id: EventId, session_id: MaybeSessionId, state: &State<SharedQxState>, gdb: &State<DbPool>) -> anyhow::Result<Option<UserInfo>> {
     let event = load_event(event_id, gdb).await?;
-    let user = user_info_opt(session_id, state).await?
+    let user = user_info_opt(session_id.0.as_ref(), state).await?
         .and_then(|user| if user.email == event.owner {Some(user)} else {None});
     Ok(user)
 }
 
-async fn event_edit_insert(event_id: Option<EventId>, session_id: QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Template, Custom<String>> {
-    let user = user_info(session_id, state).await?;
+pub fn is_event_owner(event: &EventRecord, user: Option<&UserInfo>) -> bool {
+    if let Some(user) = user {
+        user.email == event.owner
+    } else {
+        false
+    }
+}
+
+async fn event_edit_insert(event_id: Option<EventId>, session_id: &QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Template, Custom<String>> {
+    let user = get_user_info(session_id, state).await
+        .and_then(|u| if let Some(u) = u {Ok(u)} else {Err(anyhow!("Invalid session ID"))})
+        .map_err(anyhow_to_custom_error)?;
     let event = if let Some(event_id) = event_id {
-        load_event_info(event_id, db).await?
+        let event = load_event_info(event_id, db).await?;
+        if is_event_owner(&event, Some(&user)) {
+            event
+        } else {
+            return Err(Custom(Status::Unauthorized, "Event owner mismatch".to_string()))
+        }
     } else {
         EventRecord::new(&user.email)
     };
@@ -186,7 +204,7 @@ async fn event_edit_insert(event_id: Option<EventId>, session_id: QxSessionId, s
         let mut cursor = Cursor::new(&mut buffer);
         image.write_to(&mut cursor, ImageFormat::Png).unwrap();
         // Encode the image buffer to base64
-        general_purpose::STANDARD.encode(&buffer)
+        base64::engine::general_purpose::STANDARD.encode(&buffer)
     };
     Ok(Template::render("event-edit", context! {
         event_id,
@@ -205,15 +223,15 @@ async fn event_drop(event_id: EventId, db: &State<DbPool>) -> Result<(), anyhow:
 }
 #[get("/event/create")]
 async fn event_create(session_id: QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Template, Custom<String>> {
-    event_edit_insert(None, session_id, state, db).await
+    event_edit_insert(None, &session_id, state, db).await
 }
 #[get("/event/<event_id>/edit")]
 async fn event_edit(event_id: EventId, session_id: QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Template, Custom<String>> {
-    event_edit_insert(Some(event_id), session_id, state, db).await
+    event_edit_insert(Some(event_id), &session_id, state, db).await
 }
 #[get("/event/<event_id>/delete")]
 async fn event_delete(event_id: EventId, session_id: QxSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Redirect, Custom<String>> {
-    let user = user_info(session_id, state).await?;
+    let user = user_info(&session_id, state).await?;
     let event = load_event_info(event_id, db).await?;
     if event.owner == user.email {
         event_drop(event_id, db).await.map_err(|e| Custom(Status::InternalServerError, e.to_string()))?;
@@ -226,10 +244,12 @@ async fn event_delete(event_id: EventId, session_id: QxSessionId, state: &State<
 #[get("/event/<event_id>")]
 async fn get_event(event_id: EventId, session_id: MaybeSessionId, state: &State<SharedQxState>, gdb: &State<DbPool>) -> Result<Template, Custom<String>> {
     let event = load_event_info(event_id, gdb).await?;
-    let user = user_and_event_owner_opt(event_id, session_id, state, gdb).await.map_err(anyhow_to_custom_error)?;
+    let user = user_info_opt(session_id.0.as_ref(), state).await.map_err(anyhow_to_custom_error)?;
+    let is_event_owner = is_event_owner(&event, user.as_ref());
     let files = files::list_files(event_id, state).await?;
     Ok(Template::render("event", context! {
         user,
+        is_event_owner,
         event,
         files,
     }))
@@ -262,8 +282,10 @@ async fn post_api_event_current(api_token: QxApiToken, posted_event: Json<Posted
 
 #[get("/event/<event_id>/startlist?<class_name>")]
 async fn get_event_start_list(event_id: EventId, session_id: MaybeSessionId, class_name: Option<&str>, state: &State<SharedQxState>, gdb: &State<DbPool>) -> Result<Template, Custom<String>> {
+    info!("GET session_id: {session_id:?}");
     let event = load_event_info(event_id, gdb).await?;
-    let user = user_and_event_owner_opt(event_id, session_id, state, gdb).await.map_err(anyhow_to_custom_error)?;
+    let user = user_info_opt(session_id.0.as_ref(), state).await.map_err(anyhow_to_custom_error)?;
+    info!("GET user: {user:?}");
     let edb = get_event_db(event_id, state).await.map_err(anyhow_to_custom_error)?;
     let classes = sqlx::query_as::<_, ClassesRecord>("SELECT * FROM classes ORDER BY name")
         .fetch_all(&edb).await.map_err(sqlx_to_custom_error)?;
@@ -350,7 +372,7 @@ async fn upload_start_list(qx_api_token: QxApiToken, data: Data<'_>, content_typ
 }
 #[post("/api/event/<event_id>/upload/startlist", data = "<data>")]
 async fn upload_start_list_user(event_id: EventId, data: Data<'_>, content_type: &ContentType, session_id: MaybeSessionId, state: &State<SharedQxState>, gdb: &State<DbPool>) -> Result<String, Custom<String>> {
-    let Some(_user) = user_and_event_owner_opt(event_id, session_id, state, gdb).await.map_err(anyhow_to_custom_error)? else { 
+    let Some(_event_owner) = event_owner_opt(event_id, session_id, state, gdb).await.map_err(anyhow_to_custom_error)? else {
         return Err(Custom(Status::Unauthorized, String::from("Session expired or not valid")));
     };
     let event_info = load_event_info(event_id, gdb).await?;

src/main.rs

@@ -48,10 +48,11 @@ impl AppConfig {
         self.server_address == "127.0.0.1"
     }
 }
+#[derive(Clone, Debug)]
 struct QxSession {
     user_info: UserInfo,
 }
-#[derive(Eq, Hash, PartialEq)]
+#[derive(Eq, Hash, PartialEq, Clone, Debug)]
 struct QxSessionId(String);
 #[rocket::async_trait]
 impl<'r> request::FromRequest<'r> for QxSessionId {
@@ -68,10 +69,9 @@ impl<'r> request::FromRequest<'r> for QxSessionId {
     }
 }
 
-enum MaybeSessionId {
-    None,
-    Some(QxSessionId),
-}
+#[derive(Debug)]
+pub struct MaybeSessionId(Option<QxSessionId>);
+
 #[rocket::async_trait]
 impl<'r> request::FromRequest<'r> for MaybeSessionId {
     type Error = ();
@@ -81,9 +81,9 @@ impl<'r> request::FromRequest<'r> for MaybeSessionId {
             .await
             .expect("request cookies");
         if let Some(cookie) = cookies.get_private(QX_SESSION_ID) {
-            return request::Outcome::Success(Self::Some(QxSessionId(cookie.value().to_string())));
+            return request::Outcome::Success(Self(Some(QxSessionId(cookie.value().to_string()))));
         }
-        request::Outcome::Success(Self::None)
+        request::Outcome::Success(Self(None))
     }
 }
 
@@ -156,7 +156,7 @@ type SharedQxState = tokio::sync::RwLock<QxState>;
 
 #[get("/")]
 async fn index(sid: MaybeSessionId, state: &State<SharedQxState>, db: &State<DbPool>) -> Result<Template, Custom<String>> {
-    let user = user_info_opt(sid, state).await.map_err(anyhow_to_custom_error)?;
+    let user = user_info_opt(sid.0.as_ref(), state).await.map_err(anyhow_to_custom_error)?;
     let pool = &db.0;
     let events: Vec<EventRecord> = sqlx::query_as("SELECT * FROM events")
         .fetch_all(pool)

static/js/utils.js

@@ -56,9 +56,6 @@ function formatRunTable(changes) {
             else if (col_name === "time") {
                 cell_val = obtime(msecSinceUntil(row.dataset.start_time, row.dataset.finish_time));
             }
-            else if (col_name === "name") {
-                cell_val = `${row.dataset.last_name} ${row.dataset.first_name}`;
-            }
             else {
                 const val = row.dataset[col_name];
                 // console.log(i, j, col_name, val);

templates/event.html.hbs

@@ -2,7 +2,7 @@
 
     <h2>{{ event.name }}</h2>
     <div class="w3-bar">
-        {{#if user}}
+        {{#if is_event_owner}}
             <a href="/event/{{event.id}}/edit" class="w3-button w3-theme w3-round-large w3-border"><i class="fa fa-cog"></i> edit</a>
             <button onclick="document.getElementById('uploadStartListDialog').style.display='block'" class="w3-button w3-theme w3-round-large w3-border">Upload start list</button>
         {{/if}}

templates/nav.html.hbs

@@ -5,10 +5,15 @@
         <a href="/" class="w3-bar-item w3-button">Quick Exchange</a>
 <!--        <a href="#" class="w3-bar-item w3-button w3-hide-small w3-hover-white">About</a>-->
         {{#if user}}
-            <span class="w3-bar-item w3-right">{{user.name}}</span>
-            <img src="{{user.picture}}" alt="avatar" class="w3-circle w3-right"  width="40" height="40">
+            <div class="w3-dropdown-click w3-right">
+                <img src="{{user.picture}}" alt="avatar" class="w3-circle"  width="40" height="40">
+                <span onclick="toggleDropDown()" class="w3-button">{{user.name}}</span>
+                <div id="DropdownContent" class="w3-dropdown-content w3-bar-block w3-border">
+                    <a href="/logout" class="w3-bar-item w3-button">Log out</a>
+                </div>
+            </div>
         {{else}}
-            <a class="w3-bar-item w3-button w3-hover-black w3-right" href="/login">Login</a>
+            <a class="w3-bar-item w3-button w3-hover-black w3-right" href="/login">Log in</a>
         {{/if}}
     </div>
 <!--</div>-->
@@ -49,4 +54,13 @@
         mySidebar.style.display = "none";
         overlayBg.style.display = "none";
     }
+
+    function toggleDropDown() {
+        var x = document.getElementById("DropdownContent");
+        if (x.className.indexOf("w3-show") === -1) {
+            x.className += " w3-show";
+        } else {
+            x.className = x.className.replace(" w3-show", "");
+        }
+    }
 </script>