feat: pass username header

Author: Eraz1997

USAGE.md

@@ -46,6 +46,11 @@ For each service, Kiwi creates **a PostgreSQL database with credentials** and **
 - `KIWI_REDIS_URI`, with the URI of the Redis instance your service can access, already including username and password
 - `KIWI_REDIS_PREFIX`, with the prefix of the Redis keys your service can access inside the instance
 
+Moreover, each HTTP request is added the following headers
+
+- `X-Kiwi-User-Id`, containing the ID of the user in case they're authenticated. The header is omitted otherwise.
+- `X-Kiwi-Username`, containing the username of the user in case they're authenticated. The header is omitted otherwise.
+
 ### CI and Deployment 🧑‍🚀
 
 > [!NOTE]

backend/Cargo.toml

@@ -41,3 +41,4 @@ zxcvbn = "3.1.0"
 
 [lints.clippy]
 uninlined_format_args = "allow"
+too_many_arguments = "allow"

backend/src/constants.rs

@@ -2,3 +2,4 @@ pub static ACCESS_TOKEN_COOKIE_NAME: &str = "__kiwi_access_token";
 pub static REFRESH_TOKEN_COOKIE_NAME: &str = "__kiwi_refresh_token";
 pub static LOGOUT_REFRESH_TOKEN_COPY_NAME: &str = "__kiwi_logout_refresh_token_copy";
 pub static KIWI_USER_ID_HEADER_NAME: &str = "X-Kiwi-User-Id";
+pub static KIWI_USERNAME_HEADER_NAME: &str = "X-Kiwi-Username";

backend/src/managers/redis/models.rs

@@ -32,6 +32,7 @@ pub trait RedisItem: Sized {
 pub struct RedisAccessToken {
     pub access_token: String,
     pub user_id: i64,
+    pub username: String,
     pub sealing_key: String,
     pub role: UserRole,
 }
@@ -42,7 +43,10 @@ impl RedisItem for RedisAccessToken {
     }
 
     fn to_redis_value(&self) -> String {
-        format!("{}:{}:{}", self.user_id, self.sealing_key, self.role)
+        format!(
+            "{}:{}:{}:{}",
+            self.user_id, self.username, self.sealing_key, self.role
+        )
     }
 
     fn get_expiration(&self) -> Option<Expiration> {
@@ -63,13 +67,15 @@ impl RedisItem for RedisAccessToken {
             .ok_or(Error::serialisation())?
             .parse()
             .map_err(|_| Error::serialisation())?;
-        let sealing_key = values.get(1).ok_or(Error::serialisation())?.clone();
-        let role_raw = values.get(2).ok_or(Error::serialisation())?.clone();
+        let username = values.get(1).ok_or(Error::serialisation())?.clone();
+        let sealing_key = values.get(2).ok_or(Error::serialisation())?.clone();
+        let role_raw = values.get(3).ok_or(Error::serialisation())?.clone();
         let role = UserRole::from_str(&role_raw)?;
 
         Ok(RedisAccessToken {
             access_token: consumed_key,
             user_id,
+            username,
             sealing_key,
             role,
         })
@@ -78,6 +84,7 @@ impl RedisItem for RedisAccessToken {
 
 pub struct RedisActiveRefreshToken {
     pub user_id: i64,
+    pub username: String,
     pub sealing_key: String,
     pub role: UserRole,
 }
@@ -105,7 +112,10 @@ impl RedisItem for RedisRefreshToken {
     fn to_redis_value(&self) -> String {
         match &self.kind {
             RedisRefreshTokenKind::Active(data) => {
-                format!("active:{}:{}:{}", data.user_id, data.sealing_key, data.role,)
+                format!(
+                    "active:{}:{}:{}:{}",
+                    data.user_id, data.username, data.sealing_key, data.role,
+                )
             }
             RedisRefreshTokenKind::Refreshed(data) => format!(
                 "refreshed:{}:{}",
@@ -138,13 +148,15 @@ impl RedisItem for RedisRefreshToken {
             "active" => {
                 let raw_user_id = values.get(1).ok_or(Error::serialisation())?;
                 let user_id: i64 = raw_user_id.parse().map_err(|_| Error::serialisation())?;
-                let sealing_key = values.get(2).ok_or(Error::serialisation())?.to_owned();
-                let role_raw = values.get(3).ok_or(Error::serialisation())?.clone();
+                let username = values.get(2).ok_or(Error::serialisation())?.to_owned();
+                let sealing_key = values.get(3).ok_or(Error::serialisation())?.to_owned();
+                let role_raw = values.get(4).ok_or(Error::serialisation())?.clone();
                 let role = UserRole::from_str(&role_raw)?;
                 Ok(RedisRefreshToken {
                     refresh_token: consumed_key,
                     kind: RedisRefreshTokenKind::Active(RedisActiveRefreshToken {
                         user_id,
+                        username,
                         sealing_key,
                         role,
                     }),

backend/src/managers/redis/queries.rs

@@ -17,19 +17,22 @@ impl RedisManager {
         access_token: &str,
         refresh_token: &str,
         user_id: i64,
+        username: &str,
         sealing_key: &str,
         role: &UserRole,
     ) -> Result<(), Error> {
         let access_token_item = RedisAccessToken {
             access_token: access_token.to_string(),
             user_id,
+            username: username.to_string(),
             sealing_key: sealing_key.to_string(),
             role: role.clone(),
         };
         let refresh_token_item = RedisRefreshToken {
             refresh_token: refresh_token.to_string(),
             kind: RedisRefreshTokenKind::Active(RedisActiveRefreshToken {
                 user_id,
+                username: username.to_string(),
                 sealing_key: sealing_key.to_string(),
                 role: role.clone(),
             }),
@@ -66,6 +69,7 @@ impl RedisManager {
         let key = RedisAccessToken {
             access_token: access_token.to_string(),
             user_id: 0,
+            username: String::new(),
             sealing_key: String::new(),
             role: UserRole::Customer,
         }
@@ -88,6 +92,7 @@ impl RedisManager {
             refresh_token: refresh_token.to_string(),
             kind: RedisRefreshTokenKind::Active(RedisActiveRefreshToken {
                 user_id: 0,
+                username: String::new(),
                 sealing_key: String::new(),
                 role: UserRole::Customer,
             }),
@@ -109,6 +114,7 @@ impl RedisManager {
         fresh_access_token: &str,
         fresh_refresh_token: &str,
         user_id: i64,
+        username: &str,
         sealing_key: &str,
         role: &UserRole,
     ) -> Result<(), Error> {
@@ -122,13 +128,15 @@ impl RedisManager {
         let access_token_item = RedisAccessToken {
             access_token: fresh_access_token.to_string(),
             user_id,
+            username: username.to_string(),
             sealing_key: sealing_key.to_string(),
             role: role.clone(),
         };
         let refresh_token_item = RedisRefreshToken {
             refresh_token: fresh_refresh_token.to_string(),
             kind: RedisRefreshTokenKind::Active(RedisActiveRefreshToken {
                 user_id,
+                username: username.to_string(),
                 sealing_key: sealing_key.to_string(),
                 role: role.clone(),
             }),
@@ -172,6 +180,7 @@ impl RedisManager {
             refresh_token: refresh_token.to_string(),
             kind: RedisRefreshTokenKind::Active(RedisActiveRefreshToken {
                 user_id: 0,
+                username: String::new(),
                 sealing_key: String::new(),
                 role: UserRole::Customer,
             }),

backend/src/middlewares/authentication.rs

@@ -9,7 +9,7 @@ use axum_extra::extract::CookieJar;
 use urlencoding::encode;
 
 use crate::{
-    constants::{ACCESS_TOKEN_COOKIE_NAME, KIWI_USER_ID_HEADER_NAME},
+    constants::{ACCESS_TOKEN_COOKIE_NAME, KIWI_USER_ID_HEADER_NAME, KIWI_USERNAME_HEADER_NAME},
     error::Error,
     extractors::{Domain, FullOriginalUri},
     managers::redis::RedisManager,
@@ -26,6 +26,7 @@ pub async fn authentication_middleware(
 ) -> Response {
     // Remove any abused auth header
     request.headers_mut().remove(KIWI_USER_ID_HEADER_NAME);
+    request.headers_mut().remove(KIWI_USERNAME_HEADER_NAME);
 
     let service = request
         .uri()
@@ -59,10 +60,16 @@ pub async fn authentication_middleware(
 
             if !access_token_item.role.has_permissions(&required_role) {
                 Error::bad_permissions().into_response()
-            } else if let Ok(user_id_header_value) = HeaderValue::from_str(&user_id_string) {
+            } else if let (Ok(user_id_header_value), Ok(username_header_value)) = (
+                HeaderValue::from_str(&user_id_string),
+                HeaderValue::from_str(&access_token_item.username),
+            ) {
                 request
                     .headers_mut()
                     .append(KIWI_USER_ID_HEADER_NAME, user_id_header_value);
+                request
+                    .headers_mut()
+                    .append(KIWI_USERNAME_HEADER_NAME, username_header_value);
                 next.run(request).await
             } else {
                 Error::serialisation().into_response()

backend/src/routes/auth/api/mod.rs

@@ -70,6 +70,7 @@ async fn create_user(
         domain,
         redis_manager,
         user_data.id,
+        user_data.username,
         sealing_key,
         user_data.role,
         None,
@@ -103,6 +104,7 @@ async fn login(
         domain,
         redis_manager,
         user_data.id,
+        user_data.username,
         sealing_key,
         user_data.role,
         None,
@@ -170,6 +172,7 @@ async fn refresh_credentials(
                 domain,
                 redis_manager,
                 data.user_id,
+                data.username,
                 data.sealing_key,
                 data.role,
                 Some(refresh_token),
@@ -254,6 +257,7 @@ async fn generate_and_store_tokens(
     domain: String,
     redis_manager: RedisManager,
     user_id: i64,
+    username: String,
     sealing_key: String,
     role: UserRole,
     old_refresh_token: Option<String>,
@@ -268,13 +272,21 @@ async fn generate_and_store_tokens(
                 &access_token,
                 &refresh_token,
                 user_id,
+                &username,
                 &sealing_key,
                 &role,
             )
             .await?;
     } else {
         redis_manager
-            .store_active_auth_tokens(&access_token, &refresh_token, user_id, &sealing_key, &role)
+            .store_active_auth_tokens(
+                &access_token,
+                &refresh_token,
+                user_id,
+                &username,
+                &sealing_key,
+                &role,
+            )
             .await?;
     }