Feat: removed Basic authentication from newsletter endpoint and replaced it with session authentication

Author: Utilitycoder

Diff for: src/authentication/middleware.rs

@@ -1,21 +1,25 @@
 use crate::session_state::TypedSession;
+use crate::utils::{e500, see_other};
 use actix_web::body::MessageBody;
 use actix_web::dev::{ServiceRequest, ServiceResponse};
-use actix_web::FromRequest;
-use actix_web::HttpMessage;
+use actix_web::error::InternalError;
+use actix_web::{FromRequest, HttpMessage};
 use actix_web_lab::middleware::Next;
 use std::ops::Deref;
 use uuid::Uuid;
 
 #[derive(Copy, Clone, Debug)]
 pub struct UserId(Uuid);
+
 impl std::fmt::Display for UserId {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         self.0.fmt(f)
     }
 }
+
 impl Deref for UserId {
     type Target = Uuid;
+
     fn deref(&self) -> &Self::Target {
         &self.0
     }
@@ -31,7 +35,10 @@ pub async fn reject_anonymous_users(
     }?;
 
     match session.get_user_id().map_err(e500)? {
-        Some(_) => next.call(req).await,
+        Some(user_id) => {
+            req.extensions_mut().insert(UserId(user_id));
+            next.call(req).await
+        }
         None => {
             let response = see_other("/login");
             let e = anyhow::anyhow!("The user has not logged in");

Diff for: src/routes/admin/mod.rs

@@ -1,7 +1,9 @@
 mod dashboard;
 mod logout;
 mod password;
+mod newsletters;
 
 pub use dashboard::admin_dashboard;
 pub use logout::log_out;
 pub use password::*;
+pub use newsletters::*;

Diff for: src/routes/admin/newsletters/get.rs

@@ -0,0 +1,55 @@
+use actix_web::http::header::ContentType;
+use actix_web::HttpResponse;
+use actix_web_flash_messages::IncomingFlashMessages;
+use std::fmt::Write;
+
+pub async fn publish_newsletter_form(flash_messages: IncomingFlashMessages) -> Result<HttpResponse, actix_web::Error> {
+    let mut incoming_flash = String::new();
+    for message in flash_messages.iter() {
+        writeln!(incoming_flash, "<p><i>{}</i></p>", message.content()).unwrap();
+    }
+    Ok(HttpResponse::Ok()
+        .content_type(ContentType::html())
+        .body(format!(
+                r#"<!DOCTYPE html>
+                <html lang="en">
+                <head>
+                    <meta http-equiv="content-type" content="text/html; charset=utf-8">
+                    <title>Publish Newsletter Issue</title>
+                </head>
+                <body>
+                    {incoming_flash}
+                    <form action="/admin/newsletters" method="post">
+                        <label>Title:<br>
+                            <input
+                                type="text"
+                                placeholder="Enter the issue title"
+                                name="title"
+                            >
+                        </label>
+                        <br>
+                        <label>Plain text content:<br>
+                            <textarea
+                                placeholder="Enter the content in plain text"
+                                name="text_content"
+                                rows="20"
+                                cols="50"
+                            ></textarea>
+                        </label>
+                        <br>
+                        <label>HTML content:<br>
+                            <textarea
+                                placeholder="Enter the content in HTML format"
+                                name="html_content"
+                                rows="20"
+                                cols="50"
+                            ></textarea>
+                        </label>
+                        <br>
+                        <button type="submit">Publish</button>
+                    </form>
+                    <p><a href="/admin/dashboard">&lt;- Back</a></p>
+                </body>
+                </html>"#,
+        )))
+}

Diff for: src/routes/admin/newsletters/mod.rs

@@ -0,0 +1,5 @@
+mod get;
+mod post;
+
+pub use get::*;
+pub use post::*;

Diff for: src/routes/admin/newsletters/post.rs

@@ -0,0 +1,88 @@
+use crate::authentication::UserId;
+use crate::domain::SubscriberEmail;
+use crate::email_client::EmailClient;
+use crate::utils::{e500, see_other};
+use actix_web::web::ReqData;
+use actix_web::{web, HttpResponse};
+use actix_web_flash_messages::FlashMessage;
+use anyhow::Context;
+use sqlx::PgPool;
+
+#[derive(serde::Deserialize)]
+pub struct BodyData {
+    title: String,
+    content: Content,
+}
+
+#[derive(serde::Deserialize)]
+pub struct Content {
+    html: String,
+    text: String,
+}
+
+#[tracing::instrument(
+name = "Publish a newsletter issue", 
+    skip(body, pool, email_client, user_id),
+    fields(user_id = %*user_id)
+)]
+pub async fn publish_newsletter(
+    body: web::Form<BodyData>,
+    pool: web::Data<PgPool>,
+    email_client: web::Data<EmailClient>,
+    user_id: ReqData<UserId>,
+) -> Result<HttpResponse, actix_web::Error> {
+    let subscribers = get_confirmed_subscribers(&pool).await.map_err(e500)?;
+    for subscriber in subscribers {
+        match subscriber {
+            Ok(subscriber) => {
+                email_client
+                    .send_email(
+                        &subscriber.email,
+                        &body.title,
+                        &body.content.html,
+                        &body.content.text,
+                    )
+                    .await
+                    .with_context(|| {
+                        format!("Failed to send newsletter issue to {}", subscriber.email)
+                    }).map_err(e500)?;
+            }
+            Err(error) => {
+                tracing::warn!(
+                    error.cause_chain = ?error,
+                    error.message = %error,
+                    "Skipping a confirmed subscriber. \
+                    Their stored contact details are invalid",
+                );
+            }
+        }
+    }
+    FlashMessage::info("The newsletter issue has been published!").send();
+    Ok(see_other("/admin/newsletters"))
+}
+
+struct ConfirmedSubscriber {
+    email: SubscriberEmail,
+}
+
+#[tracing::instrument(name = "Get confirmed subscribers", skip(pool))]
+async fn get_confirmed_subscribers(
+    pool: &PgPool,
+) -> Result<Vec<Result<ConfirmedSubscriber, anyhow::Error>>, anyhow::Error> {
+    let confirmed_subscribers = sqlx::query!(
+        r#"
+        SELECT email
+        FROM subscriptions
+        WHERE status = 'confirmed'
+        "#,
+    )
+    .fetch_all(pool)
+    .await?
+    .into_iter()
+    .map(|r| match SubscriberEmail::parse(r.email) {
+        Ok(email) => Ok(ConfirmedSubscriber { email }),
+        Err(error) => Err(anyhow::anyhow!(error)),
+    })
+    .collect();
+    Ok(confirmed_subscribers)
+}

Diff for: src/routes/admin/password/post.rs

@@ -1,13 +1,11 @@
+use crate::authentication::UserId;
 use crate::authentication::{validate_credentials, AuthError, Credentials};
 use crate::routes::admin::dashboard::get_username;
-use crate::session_state::TypedSession;
 use crate::utils::{e500, see_other};
-use actix_web::error::InternalError;
 use actix_web::{web, HttpResponse};
 use actix_web_flash_messages::FlashMessage;
 use secrecy::{ExposeSecret, Secret};
 use sqlx::PgPool;
-use uuid::Uuid;
 
 #[derive(serde::Deserialize)]
 pub struct FormData {
@@ -16,23 +14,12 @@ pub struct FormData {
     new_password_check: Secret<String>,
 }
 
-async fn reject_anonymous_users(session: TypedSession) -> Result<Uuid, actix_web::Error> {
-    match session.get_user_id().map_err(e500)? {
-        Some(user_id) => Ok(user_id),
-        None => {
-            let response = see_other("/login");
-            let e = anyhow::anyhow!("The user has not logged in");
-            Err(InternalError::from_response(e, response).into())
-        }
-    }
-}
-
 pub async fn change_password(
     form: web::Form<FormData>,
-    session: TypedSession,
     pool: web::Data<PgPool>,
+    user_id: web::ReqData<UserId>,
 ) -> Result<HttpResponse, actix_web::Error> {
-    let user_id = reject_anonymous_users(session).await?;
+    let user_id = user_id.into_inner();
 
     if form.new_password.expose_secret() != form.new_password_check.expose_secret() {
         FlashMessage::error(
@@ -42,7 +29,7 @@ pub async fn change_password(
         return Ok(see_other("/admin/password"));
     };
 
-    let username = get_username(user_id, &pool).await.map_err(e500)?;
+    let username = get_username(*user_id, &pool).await.map_err(e500)?;
 
     let credentials = Credentials {
         username,
@@ -58,7 +45,7 @@ pub async fn change_password(
         };
     };
 
-    crate::authentication::change_password(user_id, form.0.new_password, &pool)
+    crate::authentication::change_password(*user_id, form.0.new_password, &pool)
         .await
         .map_err(e500)?;
     FlashMessage::error("Your password has been changed.").send();

Diff for: src/routes/mod.rs

@@ -2,14 +2,12 @@ mod admin;
 mod health_check;
 mod home;
 mod login;
-mod newsletters;
 mod subscriptions;
 mod subscriptions_confirm;
 
 pub use admin::*;
 pub use health_check::*;
 pub use home::*;
 pub use login::*;
-pub use newsletters::*;
 pub use subscriptions::*;
 pub use subscriptions_confirm::*;