disable token auth, move docs.rs call to async job

syphar · syphar · commit a6b1e6444453 · 2025-05-14T19:39:10.000+02:00
diff --git a/src/controllers/version/docs.rs b/src/controllers/version/docs.rs
@@ -1,14 +1,13 @@
 //! Endpoint for triggering a docs.rs rebuild
 
 use super::CrateVersionPath;
-use super::update::authenticate;
 use crate::app::AppState;
-use crate::rate_limiter::LimitedAction;
-use crate::util::HeaderMapExt;
+use crate::auth::AuthCheck;
 use crate::util::errors::{AppResult, forbidden};
-use axum::body::Body;
-use axum::response::Response;
-use http::HeaderValue;
+use crate::worker::jobs;
+use axum::response::{IntoResponse as _, Response};
+use crates_io_worker::BackgroundJob as _;
+use http::StatusCode;
 use http::request::Parts;
 
 /// Trigger a rebuild for the crate documentation on docs.rs.
@@ -17,7 +16,6 @@ use http::request::Parts;
     path = "/api/v1/crates/{name}/{version}/rebuild_docs",
     params(CrateVersionPath),
     security(
-        ("api_token" = []),
         ("cookie" = []),
     ),
     tag = "versions",
@@ -28,43 +26,22 @@ pub async fn rebuild_version_docs(
     path: CrateVersionPath,
     req: Parts,
 ) -> AppResult<Response> {
-    let Some(ref docs_rs_api_token) = app.config.docs_rs_api_token else {
+    if app.config.docs_rs_api_token.is_none() {
         return Err(forbidden("docs.rs integration is not configured"));
     };
 
-    let mut conn = app.db_read().await?;
-    // FIXME: which scope to use?
-    let auth = authenticate(&req, &mut conn, &path.name).await?;
+    let mut conn = app.db_write().await?;
+    AuthCheck::only_cookie().check(&req, &mut conn).await?;
 
-    // FIXME: rate limiting needed here? which Action?
-    app.rate_limiter
-        .check_rate_limit(auth.user_id(), LimitedAction::YankUnyank, &mut conn)
-        .await?;
+    // validate if version & crate exist
+    path.load_version_and_crate(&mut conn).await?;
 
-    let target_url = app
-        .config
-        .docs_rs_url
-        .join(&format!("/crate/{}/{}/rebuild", path.name, path.version))
-        .unwrap(); // FIXME: handle error
+    if let Err(error) = jobs::DocsRsQueueRebuild::new(path.name, path.version)
+        .enqueue(&mut conn)
+        .await
+    {
+        warn!("docs_rs_queue_rebuild: Failed to enqueue background job: {error}");
+    }
 
-    let client = reqwest::Client::new();
-    let response = client
-        .post(target_url.as_str())
-        .bearer_auth(docs_rs_api_token)
-        .send()
-        .await?;
-
-    const APPLICATION_JSON: HeaderValue = HeaderValue::from_static("application/json");
-
-    Ok(Response::builder()
-        .status(response.status())
-        .header(
-            "content-type",
-            response
-                .headers()
-                .get("content-type")
-                .unwrap_or(&APPLICATION_JSON),
-        )
-        .body(Body::from_stream(response.bytes_stream()))
-        .unwrap())
+    Ok(StatusCode::CREATED.into_response())
 }
diff --git a/src/docs_rs.rs b/src/docs_rs.rs
@@ -0,0 +1,100 @@
+use async_trait::async_trait;
+use http::StatusCode;
+use mockall::automock;
+use url::Url;
+
+#[derive(Debug, thiserror::Error)]
+pub enum DocsRsError {
+    /// The rebuild couldn't be triggered.
+    /// The reason is passed in the given error message.
+    #[error("Bad request: {0}")]
+    BadRequest(String),
+    /// The request was rate limited by the server.
+    /// This is the NGINX level rate limit for requests coming from a single IP.
+    /// This is _not_ the rate limit that docs.rs might apply for rebuilds of the same crate
+    /// (AKA: "rebuild too often").
+    #[error("rate limited")]
+    RateLimited,
+    #[error(transparent)]
+    Permission(anyhow::Error),
+    /// crate or version not found on docs.rs.
+    /// This can be temporary directly after a release until the docs.rs registry watcher
+    /// queued the build for the release.
+    #[error("crate or version not found on docs.rs")]
+    NotFound,
+    #[error(transparent)]
+    Other(anyhow::Error),
+}
+
+#[automock]
+#[async_trait]
+pub trait DocsRsClient: Send + Sync {
+    async fn rebuild_docs(&self, name: &str, version: &str) -> Result<(), DocsRsError>;
+}
+
+pub(crate) struct RealDocsRsClient {
+    client: reqwest::Client,
+    base_url: Url,
+    api_token: String,
+}
+
+impl RealDocsRsClient {
+    pub fn new(base_url: impl Into<Url>, api_token: impl Into<String>) -> Self {
+        Self {
+            client: reqwest::Client::new(),
+            base_url: base_url.into(),
+            api_token: api_token.into(),
+        }
+    }
+}
+
+#[async_trait]
+impl DocsRsClient for RealDocsRsClient {
+    async fn rebuild_docs(&self, name: &str, version: &str) -> Result<(), DocsRsError> {
+        let target_url = self
+            .base_url
+            .join(&format!("/crate/{name}/{version}/rebuild"))
+            .map_err(|err| DocsRsError::Other(err.into()))?;
+
+        let response = self
+            .client
+            .post(target_url)
+            .bearer_auth(&self.api_token)
+            .send()
+            .await
+            .map_err(|err| DocsRsError::Other(err.into()))?;
+
+        match response.status() {
+            StatusCode::CREATED => Ok(()),
+            StatusCode::NOT_FOUND => Err(DocsRsError::NotFound),
+            StatusCode::TOO_MANY_REQUESTS => Err(DocsRsError::RateLimited),
+            StatusCode::BAD_REQUEST => {
+                #[derive(Deserialize)]
+                struct BadRequestResponse {
+                    message: String,
+                }
+
+                let error_response: BadRequestResponse = response
+                    .json()
+                    .await
+                    .map_err(|err| DocsRsError::Other(err.into()))?;
+
+                Err(DocsRsError::BadRequest(error_response.message))
+            }
+            _ => Err(DocsRsError::Other(anyhow::anyhow!(
+                "Unexpected response from docs.rs: {}\n{}",
+                response.status(),
+                response.text().await.unwrap_or_default()
+            ))),
+        }
+    }
+}
+
+/// Builds an [DocsRsClient] implementation based on the [config::Server]
+pub fn docs_rs_client(config: &crate::config::Server) -> Box<dyn DocsRsClient + Send + Sync> {
+    if let Some(api_token) = &config.docs_rs_api_token {
+        Box::new(RealDocsRsClient::new(config.docs_rs_url.clone(), api_token))
+    } else {
+        Box::new(MockDocsRsClient::new())
+    }
+}
diff --git a/src/lib.rs b/src/lib.rs
@@ -33,6 +33,7 @@ pub mod cloudfront;
 pub mod config;
 pub mod controllers;
 pub mod db;
+pub mod docs_rs;
 pub mod email;
 pub mod external_urls;
 pub mod fastly;
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -26,6 +26,7 @@ use std::sync::LazyLock;
 use std::{rc::Rc, sync::Arc, time::Duration};
 use tokio::runtime::Handle;
 use tokio::task::block_in_place;
+use url::Url;
 
 struct TestAppInner {
     app: Arc<App>,
@@ -477,6 +478,8 @@ fn simple_config() -> config::Server {
         og_image_base_url: None,
         html_render_cache_max_capacity: 1024,
         content_security_policy: None,
+        docs_rs_url: Url::parse("https://docs.rs").unwrap(),
+        docs_rs_api_token: None,
     }
 }
 
diff --git a/src/worker/jobs/docs_rs_queue_rebuild.rs b/src/worker/jobs/docs_rs_queue_rebuild.rs
@@ -0,0 +1,31 @@
+use crate::docs_rs::docs_rs_client;
+use crate::worker::Environment;
+use crates_io_worker::BackgroundJob;
+use std::sync::Arc;
+
+/// A background job that queues a docs rebuild for a specific release
+#[derive(Serialize, Deserialize)]
+pub struct DocsRsQueueRebuild {
+    name: String,
+    version: String,
+}
+
+impl DocsRsQueueRebuild {
+    pub fn new(name: String, version: String) -> Self {
+        Self { name, version }
+    }
+}
+
+impl BackgroundJob for DocsRsQueueRebuild {
+    const JOB_NAME: &'static str = "docs_rs_queue_rebuild";
+    const DEDUPLICATED: bool = true;
+
+    type Context = Arc<Environment>;
+
+    async fn run(&self, ctx: Self::Context) -> anyhow::Result<()> {
+        let client = docs_rs_client(&ctx.config);
+        client.rebuild_docs(&self.name, &self.version).await?;
+
+        Ok(())
+    }
+}
diff --git a/src/worker/jobs/mod.rs b/src/worker/jobs/mod.rs
@@ -1,6 +1,7 @@
 mod archive_version_downloads;
 mod daily_db_maintenance;
 mod delete_crate;
+mod docs_rs_queue_rebuild;
 mod downloads;
 pub mod dump_db;
 mod expiry_notification;
@@ -17,6 +18,7 @@ mod update_default_version;
 pub use self::archive_version_downloads::ArchiveVersionDownloads;
 pub use self::daily_db_maintenance::DailyDbMaintenance;
 pub use self::delete_crate::DeleteCrateFromStorage;
+pub use self::docs_rs_queue_rebuild::DocsRsQueueRebuild;
 pub use self::downloads::{
     CleanProcessedLogFiles, ProcessCdnLog, ProcessCdnLogQueue, UpdateDownloads,
 };
diff --git a/src/worker/mod.rs b/src/worker/mod.rs
@@ -24,6 +24,7 @@ impl RunnerExt for Runner<Arc<Environment>> {
             .register_job_type::<jobs::CleanProcessedLogFiles>()
             .register_job_type::<jobs::DailyDbMaintenance>()
             .register_job_type::<jobs::DeleteCrateFromStorage>()
+            .register_job_type::<jobs::DocsRsQueueRebuild>()
             .register_job_type::<jobs::DumpDb>()
             .register_job_type::<jobs::IndexVersionDownloadsArchive>()
             .register_job_type::<jobs::InvalidateCdns>()

Original file line number	Diff line number	Diff line change
`@@ -26,6 +26,7 @@ use std::sync::LazyLock;`
`26`	`26`	`use std::{rc::Rc, sync::Arc, time::Duration};`
`27`	`27`	`use tokio::runtime::Handle;`
`28`	`28`	`use tokio::task::block_in_place;`
	`29`	`+use url::Url;`
`29`	`30`
`30`	`31`	`struct TestAppInner {`
`31`	`32`	`app: Arc<App>,`
`@@ -477,6 +478,8 @@ fn simple_config() -> config::Server {`
`477`	`478`	`og_image_base_url: None,`
`478`	`479`	`html_render_cache_max_capacity: 1024,`
`479`	`480`	`content_security_policy: None,`
	`481`	`+ docs_rs_url: Url::parse("https://docs.rs").unwrap(),`
	`482`	`+ docs_rs_api_token: None,`
`480`	`483`	`}`
`481`	`484`	`}`
`482`	`485`