1#![deny(clippy::future_not_send)]
8#![allow(
9 clippy::unused_async,
11 clippy::too_many_arguments,
13 clippy::let_with_type_underscore,
16)]
17
18use std::{
19 convert::Infallible,
20 sync::{Arc, LazyLock},
21 time::Duration,
22};
23
24use axum::{
25 Extension, Router,
26 extract::{FromRef, FromRequestParts, OriginalUri, RawQuery, State},
27 http::Method,
28 response::{Html, IntoResponse},
29 routing::{get, post},
30};
31use headers::HeaderName;
32use hyper::{
33 StatusCode, Version,
34 header::{
35 ACCEPT, ACCEPT_LANGUAGE, AUTHORIZATION, CONTENT_LANGUAGE, CONTENT_LENGTH, CONTENT_TYPE,
36 },
37};
38use mas_axum_utils::{InternalError, cookies::CookieJar};
39use mas_data_model::SiteConfig;
40use mas_http::CorsLayerExt;
41use mas_keystore::{Encrypter, Keystore};
42use mas_matrix::HomeserverConnection;
43use mas_policy::Policy;
44use mas_router::{Route, UrlBuilder};
45use mas_storage::{BoxClock, BoxRepository, BoxRng};
46use mas_templates::{ErrorContext, NotFoundContext, TemplateContext, Templates};
47use opentelemetry::metrics::Meter;
48use sqlx::PgPool;
49use tower::util::AndThenLayer;
50use tower_http::cors::{Any, CorsLayer};
51
52use self::{graphql::ExtraRouterParameters, passwords::PasswordManager};
53
54mod admin;
55mod compat;
56mod graphql;
57mod health;
58mod oauth2;
59pub mod passwords;
60pub mod upstream_oauth2;
61mod views;
62
63mod activity_tracker;
64mod captcha;
65mod preferred_language;
66mod rate_limit;
67mod session;
68#[cfg(test)]
69mod test_utils;
70
71static METER: LazyLock<Meter> = LazyLock::new(|| {
72 let scope = opentelemetry::InstrumentationScope::builder(env!("CARGO_PKG_NAME"))
73 .with_version(env!("CARGO_PKG_VERSION"))
74 .with_schema_url(opentelemetry_semantic_conventions::SCHEMA_URL)
75 .build();
76
77 opentelemetry::global::meter_with_scope(scope)
78});
79
80#[macro_export]
83macro_rules! impl_from_error_for_route {
84 ($route_error:ty : $error:ty) => {
85 impl From<$error> for $route_error {
86 fn from(e: $error) -> Self {
87 Self::Internal(Box::new(e))
88 }
89 }
90 };
91 ($error:ty) => {
92 impl_from_error_for_route!(self::RouteError: $error);
93 };
94}
95
96pub use mas_axum_utils::{ErrorWrapper, cookies::CookieManager};
97
98pub use self::{
99 activity_tracker::{ActivityTracker, Bound as BoundActivityTracker},
100 admin::router as admin_api_router,
101 graphql::{
102 Schema as GraphQLSchema, schema as graphql_schema, schema_builder as graphql_schema_builder,
103 },
104 preferred_language::PreferredLanguage,
105 rate_limit::{Limiter, RequesterFingerprint},
106 upstream_oauth2::cache::MetadataCache,
107};
108
109pub fn healthcheck_router<S>() -> Router<S>
110where
111 S: Clone + Send + Sync + 'static,
112 PgPool: FromRef<S>,
113{
114 Router::new().route(mas_router::Healthcheck::route(), get(self::health::get))
115}
116
117pub fn graphql_router<S>(playground: bool, undocumented_oauth2_access: bool) -> Router<S>
118where
119 S: Clone + Send + Sync + 'static,
120 graphql::Schema: FromRef<S>,
121 BoundActivityTracker: FromRequestParts<S>,
122 BoxRepository: FromRequestParts<S>,
123 BoxClock: FromRequestParts<S>,
124 Encrypter: FromRef<S>,
125 CookieJar: FromRequestParts<S>,
126 Limiter: FromRef<S>,
127 RequesterFingerprint: FromRequestParts<S>,
128{
129 let mut router = Router::new()
130 .route(
131 mas_router::GraphQL::route(),
132 get(self::graphql::get).post(self::graphql::post),
133 )
134 .layer(Extension(ExtraRouterParameters {
137 undocumented_oauth2_access,
138 }))
139 .layer(
140 CorsLayer::new()
141 .allow_origin(Any)
142 .allow_methods(Any)
143 .allow_otel_headers([
144 AUTHORIZATION,
145 ACCEPT,
146 ACCEPT_LANGUAGE,
147 CONTENT_LANGUAGE,
148 CONTENT_TYPE,
149 ]),
150 );
151
152 if playground {
153 router = router.route(
154 mas_router::GraphQLPlayground::route(),
155 get(self::graphql::playground),
156 );
157 }
158
159 router
160}
161
162pub fn discovery_router<S>() -> Router<S>
163where
164 S: Clone + Send + Sync + 'static,
165 Keystore: FromRef<S>,
166 SiteConfig: FromRef<S>,
167 UrlBuilder: FromRef<S>,
168 BoxClock: FromRequestParts<S>,
169 BoxRng: FromRequestParts<S>,
170{
171 Router::new()
172 .route(
173 mas_router::OidcConfiguration::route(),
174 get(self::oauth2::discovery::get),
175 )
176 .route(
177 mas_router::Webfinger::route(),
178 get(self::oauth2::webfinger::get),
179 )
180 .layer(
181 CorsLayer::new()
182 .allow_origin(Any)
183 .allow_methods(Any)
184 .allow_otel_headers([
185 AUTHORIZATION,
186 ACCEPT,
187 ACCEPT_LANGUAGE,
188 CONTENT_LANGUAGE,
189 CONTENT_TYPE,
190 ])
191 .max_age(Duration::from_secs(60 * 60)),
192 )
193}
194
195pub fn api_router<S>() -> Router<S>
196where
197 S: Clone + Send + Sync + 'static,
198 Keystore: FromRef<S>,
199 UrlBuilder: FromRef<S>,
200 BoxRepository: FromRequestParts<S>,
201 ActivityTracker: FromRequestParts<S>,
202 BoundActivityTracker: FromRequestParts<S>,
203 Encrypter: FromRef<S>,
204 reqwest::Client: FromRef<S>,
205 SiteConfig: FromRef<S>,
206 Templates: FromRef<S>,
207 Arc<dyn HomeserverConnection>: FromRef<S>,
208 BoxClock: FromRequestParts<S>,
209 BoxRng: FromRequestParts<S>,
210 Policy: FromRequestParts<S>,
211{
212 Router::new()
214 .route(
215 mas_router::OAuth2Keys::route(),
216 get(self::oauth2::keys::get),
217 )
218 .route(
219 mas_router::OidcUserinfo::route(),
220 get(self::oauth2::userinfo::get).post(self::oauth2::userinfo::get),
221 )
222 .route(
223 mas_router::OAuth2Introspection::route(),
224 post(self::oauth2::introspection::post),
225 )
226 .route(
227 mas_router::OAuth2Revocation::route(),
228 post(self::oauth2::revoke::post),
229 )
230 .route(
231 mas_router::OAuth2TokenEndpoint::route(),
232 post(self::oauth2::token::post),
233 )
234 .route(
235 mas_router::OAuth2RegistrationEndpoint::route(),
236 post(self::oauth2::registration::post),
237 )
238 .route(
239 mas_router::OAuth2DeviceAuthorizationEndpoint::route(),
240 post(self::oauth2::device::authorize::post),
241 )
242 .layer(
243 CorsLayer::new()
244 .allow_origin(Any)
245 .allow_methods(Any)
246 .allow_otel_headers([
247 AUTHORIZATION,
248 ACCEPT,
249 ACCEPT_LANGUAGE,
250 CONTENT_LANGUAGE,
251 CONTENT_TYPE,
252 ])
253 .max_age(Duration::from_secs(60 * 60)),
254 )
255}
256
257#[allow(clippy::trait_duplication_in_bounds)]
258pub fn compat_router<S>() -> Router<S>
259where
260 S: Clone + Send + Sync + 'static,
261 UrlBuilder: FromRef<S>,
262 SiteConfig: FromRef<S>,
263 Arc<dyn HomeserverConnection>: FromRef<S>,
264 PasswordManager: FromRef<S>,
265 Limiter: FromRef<S>,
266 BoundActivityTracker: FromRequestParts<S>,
267 RequesterFingerprint: FromRequestParts<S>,
268 BoxRepository: FromRequestParts<S>,
269 BoxClock: FromRequestParts<S>,
270 BoxRng: FromRequestParts<S>,
271{
272 Router::new()
273 .route(
274 mas_router::CompatLogin::route(),
275 get(self::compat::login::get).post(self::compat::login::post),
276 )
277 .route(
278 mas_router::CompatLogout::route(),
279 post(self::compat::logout::post),
280 )
281 .route(
282 mas_router::CompatRefresh::route(),
283 post(self::compat::refresh::post),
284 )
285 .route(
286 mas_router::CompatLoginSsoRedirect::route(),
287 get(self::compat::login_sso_redirect::get),
288 )
289 .route(
290 mas_router::CompatLoginSsoRedirectIdp::route(),
291 get(self::compat::login_sso_redirect::get),
292 )
293 .route(
294 mas_router::CompatLoginSsoRedirectSlash::route(),
295 get(self::compat::login_sso_redirect::get),
296 )
297 .layer(
298 CorsLayer::new()
299 .allow_origin(Any)
300 .allow_methods(Any)
301 .allow_otel_headers([
302 AUTHORIZATION,
303 ACCEPT,
304 ACCEPT_LANGUAGE,
305 CONTENT_LANGUAGE,
306 CONTENT_TYPE,
307 HeaderName::from_static("x-requested-with"),
308 ])
309 .max_age(Duration::from_secs(60 * 60)),
310 )
311}
312
313#[allow(clippy::too_many_lines)]
314pub fn human_router<S>(templates: Templates) -> Router<S>
315where
316 S: Clone + Send + Sync + 'static,
317 UrlBuilder: FromRef<S>,
318 PreferredLanguage: FromRequestParts<S>,
319 BoxRepository: FromRequestParts<S>,
320 CookieJar: FromRequestParts<S>,
321 BoundActivityTracker: FromRequestParts<S>,
322 RequesterFingerprint: FromRequestParts<S>,
323 Encrypter: FromRef<S>,
324 Templates: FromRef<S>,
325 Keystore: FromRef<S>,
326 PasswordManager: FromRef<S>,
327 MetadataCache: FromRef<S>,
328 SiteConfig: FromRef<S>,
329 Limiter: FromRef<S>,
330 reqwest::Client: FromRef<S>,
331 Arc<dyn HomeserverConnection>: FromRef<S>,
332 BoxClock: FromRequestParts<S>,
333 BoxRng: FromRequestParts<S>,
334 Policy: FromRequestParts<S>,
335{
336 Router::new()
337 .route(
339 "/account",
340 get(
341 async |State(url_builder): State<UrlBuilder>, RawQuery(query): RawQuery| {
342 let prefix = url_builder.prefix().unwrap_or_default();
343 let route = mas_router::Account::route();
344 let destination = if let Some(query) = query {
345 format!("{prefix}{route}?{query}")
346 } else {
347 format!("{prefix}{route}")
348 };
349
350 axum::response::Redirect::to(&destination)
351 },
352 ),
353 )
354 .route(mas_router::Account::route(), get(self::views::app::get))
355 .route(
356 mas_router::AccountWildcard::route(),
357 get(self::views::app::get),
358 )
359 .route(
360 mas_router::AccountRecoveryFinish::route(),
361 get(self::views::app::get_anonymous),
362 )
363 .route(
364 mas_router::ChangePasswordDiscovery::route(),
365 get(async |State(url_builder): State<UrlBuilder>| {
366 url_builder.redirect(&mas_router::AccountPasswordChange)
367 }),
368 )
369 .route(mas_router::Index::route(), get(self::views::index::get))
370 .route(
371 mas_router::Login::route(),
372 get(self::views::login::get).post(self::views::login::post),
373 )
374 .route(mas_router::Logout::route(), post(self::views::logout::post))
375 .route(
376 mas_router::Register::route(),
377 get(self::views::register::get),
378 )
379 .route(
380 mas_router::PasswordRegister::route(),
381 get(self::views::register::password::get).post(self::views::register::password::post),
382 )
383 .route(
384 mas_router::RegisterVerifyEmail::route(),
385 get(self::views::register::steps::verify_email::get)
386 .post(self::views::register::steps::verify_email::post),
387 )
388 .route(
389 mas_router::RegisterDisplayName::route(),
390 get(self::views::register::steps::display_name::get)
391 .post(self::views::register::steps::display_name::post),
392 )
393 .route(
394 mas_router::RegisterFinish::route(),
395 get(self::views::register::steps::finish::get),
396 )
397 .route(
398 mas_router::AccountRecoveryStart::route(),
399 get(self::views::recovery::start::get).post(self::views::recovery::start::post),
400 )
401 .route(
402 mas_router::AccountRecoveryProgress::route(),
403 get(self::views::recovery::progress::get).post(self::views::recovery::progress::post),
404 )
405 .route(
406 mas_router::OAuth2AuthorizationEndpoint::route(),
407 get(self::oauth2::authorization::get),
408 )
409 .route(
410 mas_router::Consent::route(),
411 get(self::oauth2::authorization::consent::get)
412 .post(self::oauth2::authorization::consent::post),
413 )
414 .route(
415 mas_router::CompatLoginSsoComplete::route(),
416 get(self::compat::login_sso_complete::get).post(self::compat::login_sso_complete::post),
417 )
418 .route(
419 mas_router::UpstreamOAuth2Authorize::route(),
420 get(self::upstream_oauth2::authorize::get),
421 )
422 .route(
423 mas_router::UpstreamOAuth2Callback::route(),
424 get(self::upstream_oauth2::callback::handler)
425 .post(self::upstream_oauth2::callback::handler),
426 )
427 .route(
428 mas_router::UpstreamOAuth2Link::route(),
429 get(self::upstream_oauth2::link::get).post(self::upstream_oauth2::link::post),
430 )
431 .route(
432 mas_router::DeviceCodeLink::route(),
433 get(self::oauth2::device::link::get),
434 )
435 .route(
436 mas_router::DeviceCodeConsent::route(),
437 get(self::oauth2::device::consent::get).post(self::oauth2::device::consent::post),
438 )
439 .layer(AndThenLayer::new(
440 async move |response: axum::response::Response| {
441 let ext = response.extensions().get::<ErrorContext>();
443 if let Some(ctx) = ext {
444 if let Ok(res) = templates.render_error(ctx) {
445 let (mut parts, _original_body) = response.into_parts();
446 parts.headers.remove(CONTENT_TYPE);
447 parts.headers.remove(CONTENT_LENGTH);
448 return Ok((parts, Html(res)).into_response());
449 }
450 }
451
452 Ok::<_, Infallible>(response)
453 },
454 ))
455}
456
457pub async fn fallback(
463 State(templates): State<Templates>,
464 OriginalUri(uri): OriginalUri,
465 method: Method,
466 version: Version,
467 PreferredLanguage(locale): PreferredLanguage,
468) -> Result<impl IntoResponse, InternalError> {
469 let ctx = NotFoundContext::new(&method, version, &uri).with_language(locale);
470 let res = templates.render_not_found(&ctx)?;
473
474 Ok((StatusCode::NOT_FOUND, Html(res)))
475}