fix: check the password on leader

xline/src/server/auth_server.rs

@@ -1,3 +1,4 @@
+use std::marker::PhantomData;
 use std::sync::Arc;
 
 use curp::{client::Client, cmd::generate_propose_id};
@@ -27,7 +28,7 @@ use crate::{
         AuthUserRevokeRoleRequest, AuthUserRevokeRoleResponse, AuthenticateRequest,
         AuthenticateResponse, RequestWrapper, ResponseWrapper,
     },
-    storage::{storage_api::StorageApi, AuthStore},
+    storage::storage_api::StorageApi,
 };
 
 /// Auth Server
@@ -36,12 +37,12 @@ pub(crate) struct AuthServer<S>
 where
     S: StorageApi,
 {
-    /// Auth storage
-    storage: Arc<AuthStore<S>>,
     /// Consensus client
     client: Arc<Client<Command>>,
     /// Server name
     name: String,
+    /// Phantom
+    phantom: PhantomData<S>,
 }
 
 /// Get token from metadata
@@ -57,15 +58,11 @@ where
     S: StorageApi,
 {
     /// New `AuthServer`
-    pub(crate) fn new(
-        storage: Arc<AuthStore<S>>,
-        client: Arc<Client<Command>>,
-        name: String,
-    ) -> Self {
+    pub(crate) fn new(client: Arc<Client<Command>>, name: String) -> Self {
         Self {
-            storage,
             client,
             name,
+            phantom: PhantomData,
         }
     }
 
@@ -97,17 +94,6 @@ where
         hashed_password.to_string()
     }
 
-    /// Check password in storage
-    pub(crate) fn check_password(
-        &self,
-        username: &str,
-        password: &str,
-    ) -> Result<i64, tonic::Status> {
-        self.storage
-            .check_password(username, password)
-            .map_err(Into::into)
-    }
-
     /// Propose request and make a response
     async fn handle_req<Req, Res>(
         &self,
@@ -162,28 +148,7 @@ where
         request: tonic::Request<AuthenticateRequest>,
     ) -> Result<tonic::Response<AuthenticateResponse>, tonic::Status> {
         debug!("Receive AuthenticateRequest {:?}", request);
-        loop {
-            let checked_revision =
-                self.check_password(&request.get_ref().name, &request.get_ref().password)?;
-            let mut authenticate_req = request.get_ref().clone();
-            authenticate_req.password = String::new();
-
-            let (res, sync_res) = self
-                .propose(tonic::Request::new(authenticate_req), false)
-                .await?;
-
-            if checked_revision == self.storage.revision() {
-                if let Some(sync_res) = sync_res {
-                    let revision = sync_res.revision();
-                    debug!("Get revision {:?} for AuthDisableResponse", revision);
-                    let mut res: AuthenticateResponse = res.into_inner().into();
-                    if let Some(mut header) = res.header.as_mut() {
-                        header.revision = revision;
-                    }
-                    return Ok(tonic::Response::new(res));
-                }
-            }
-        }
+        self.handle_req(request, false).await
     }
 
     async fn user_add(

xline/src/server/lease_server.rs

@@ -111,7 +111,7 @@ where
         let token = get_token(request.metadata());
         let wrapper = RequestWithToken::new_with_token(request.into_inner().into(), token);
         let cmd = command_from_request_wrapper(
-            generate_propose_id(self.cluster_info.self_name()),
+            generate_propose_id(self.cluster_info.self_name().as_str()),
             wrapper,
             Some(self.lease_storage.as_ref()),
         );

xline/src/server/xline_server.rs

@@ -376,12 +376,12 @@ impl XlineServer {
             ),
             LeaseServer::new(
                 lease_storage,
-                Arc::clone(&auth_storage),
+                auth_storage,
                 Arc::clone(&client),
                 id_gen,
                 Arc::clone(&self.cluster_info),
             ),
-            AuthServer::new(auth_storage, client, self.cluster_info.self_name()),
+            AuthServer::new(client, self.cluster_info.self_name()),
             WatchServer::new(
                 watcher,
                 Arc::clone(&header_gen),

xline/src/storage/auth_store/store.rs

@@ -283,6 +283,7 @@ where
         if !self.is_enabled() {
             return Err(ExecuteError::AuthNotEnabled);
         }
+        self.check_password(&req.name, &req.password)?;
         let token = self.assign(&req.name)?;
         Ok(AuthenticateResponse {
             header: Some(self.header_gen.gen_auth_header()),
@@ -868,7 +869,7 @@ where
         &self,
         username: &str,
         password: &str,
-    ) -> Result<i64, ExecuteError> {
+    ) -> Result<(), ExecuteError> {
         if !self.is_enabled() {
             return Err(ExecuteError::AuthNotEnabled);
         }
@@ -885,7 +886,7 @@ where
             .verify_password(password.as_bytes(), &hash)
             .map_err(|_ignore| ExecuteError::AuthFailed)?;
 
-        Ok(self.revision())
+        Ok(())
     }
 
     /// Check if the request need admin permission