

Allow session auth to xrpc endpoints

futurGH 01bfd6c2 89ddc7ce

+27 -4
+27 -4
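--- a/pegasus/lib/auth.ml
+++ b/pegasus/lib/auth.ml
@@ -302,6 +302,22 @@
 Lwt.return_error @@ Errors.auth_required "malformed JWT claims" )
 ) )
 
+let session : verifier =
+fun {req; db} ->
+match%lwt Session.Raw.get_current_did req with
+| Some did -> (
+match%lwt Data_store.get_actor_by_identifier did db with
+| Some {deactivated_at= None; _} ->
+Lwt.return_ok (Access {did})
+| Some {deactivated_at= Some _; _} ->
+Lwt.return_error
+@@ Errors.auth_required ~name:"AccountDeactivated"
+"account is deactivated"
+| None ->
+Lwt.return_error @@ Errors.auth_required "invalid session" )
+| None ->
+Lwt.return_error @@ Errors.auth_required "no active session"
+
 let refresh : verifier =
 fun {req; db} ->
 match parse_bearer req with
@@ -334,10 +350,14 @@
 bearer ctx
 | Some ("DPoP" :: _) ->
 oauth ctx
-| _ ->
-Lwt.return_error
-@@ Errors.auth_required ~name:"InvalidToken"
-"unexpected authorization type"
+| _ -> (
+match%lwt session ctx with
+| Ok creds ->
+Lwt.return_ok creds
+| Error _ ->
+Lwt.return_error
+@@ Errors.auth_required ~name:"InvalidToken"
+"unexpected authorization type" )
 
 let any : verifier =
 fun ctx -> try authorization ctx with _ -> unauthenticated ctx
@@ -349,6 +369,7 @@
 | DPoP
 | OAuth
 | Refresh
+| Session
 | Authorization
 | Any
 
@@ -365,6 +386,8 @@
 oauth
 | Refresh ->
 refresh
+| Session ->
+session
 | Authorization ->
 authorization
 | Any ->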
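Review bot: The new `| _` arm of `authorization` makes every XRPC endpoint accept the ambient browser session (`Session.Raw.get_current_did req`, defined outside the hunk, is presumably cookie-backed) and grants it a full `Access {did}` with no CSRF protection in sight, so a cross-site request that the browser sends with that cookie would now be authenticated exactly like a bearer token; unless the cookie is `SameSite` and/or an `Origin`/`Sec-Fetch-Site` or custom-header check exists elsewhere, that check belongs in `session` before this fallback is reachable. The same wildcard arm also matches an explicit but unsupported scheme (any `Some` other than Bearer/DPoP), so a request naming a scheme the server does not speak is silently authenticated via the session instead of being rejected; narrowing the fallback to the no-header case (`None`, if that is what the scrutinee outside the hunk yields) keeps the rejection. In the `Error _` branch the session's own diagnostics (`"no active session"`, `"account is deactivated"`) are discarded for `InvalidToken`/"unexpected authorization type", which is misleading for a request that carried no Authorization header at all — propagating `e` from `Error e` preserves them. The enclosing `match` of `authorization` starts outside the hunk.
```ocaml
(* … unchanged: Bearer / DPoP arms … *)
| None -> (
    match%lwt session ctx with
    | Ok creds -> Lwt.return_ok creds
    | Error e -> Lwt.return_error e )
| Some _ ->
    Lwt.return_error
    @@ Errors.auth_required ~name:"InvalidToken"
         "unexpected authorization type"
```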