Add identity/:id/verify route to verify identity/token pairs

This commit adds a new route to the `/identity` HTTP block, `/identity/:identity/verify`, which requires a SpacetimeDB auth header. If the token in the authorization header is valid and corresponds to the identity in the path, it returns `NO_CONTENT`. If the token in the authorization header is valid but does not correspond to the identity in the path, it returns `BAD_REQUEST`. If the token in the authorization header is invalid or unsupplied, it returns `UNAUTHORIZED`.
clockworklabs · Aug 8, 2023 · 290c1a4 · 290c1a4
1 parent dec2955
commit 290c1a4
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/crates/client-api/src/routes/identity.rs b/crates/client-api/src/routes/identity.rs
@@ -191,6 +191,27 @@ pub async fn create_websocket_token(
     }
 }
 
+#[derive(Deserialize)]
+pub struct ValidateTokenParams {
+    identity: IdentityForUrl,
+}
+
+pub async fn validate_token(
+    Path(ValidateTokenParams { identity }): Path<ValidateTokenParams>,
+    auth: SpacetimeAuthHeader,
+) -> axum::response::Result<impl IntoResponse> {
+    let identity = Identity::from(identity);
+    if let Some(auth) = auth.auth {
+        if auth.identity == identity {
+            Ok(StatusCode::NO_CONTENT)
+        } else {
+            Err(StatusCode::BAD_REQUEST.into())
+        }
+    } else {
+        Err(StatusCode::UNAUTHORIZED.into())
+    }
+}
+
 pub fn router<S>() -> axum::Router<S>
 where
     S: ControlNodeDelegate + Clone + 'static,
@@ -200,6 +221,7 @@ where
     axum::Router::new()
         .route("/", get(get_identity).post(create_identity))
         .route("/websocket_token", post(create_websocket_token))
+        .route("/:identity/verify", get(validate_token))
         .route("/:identity/set-email", post(set_email))
         .route("/:identity/databases", get(get_databases))
 }