1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
use std::time::{SystemTime, UNIX_EPOCH};
use axum::extract::{Json, State, FromRequestParts};
use axum::response::IntoResponse;
use axum::http::{StatusCode, request::Parts};
use axum_extra::extract::CookieJar;
use axum_extra::extract::cookie::{Cookie, SameSite};
use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation, decode, encode};
use serde::{Deserialize, Serialize};
use time::Duration;
use argon2::{Argon2, PasswordHash, PasswordVerifier, password_hash::{
Error, PasswordHasher, SaltString, rand_core::OsRng
}};
use crate::AppState;
use crate::routes::errors::RouteError;
#[derive(Serialize, Deserialize)]
pub struct Claims {
pub sub: String,
pub exp: usize,
pub iat: usize,
pub is_admin: bool,
}
pub struct AuthUser(pub Claims);
impl FromRequestParts<AppState> for AuthUser {
type Rejection = RouteError;
async fn from_request_parts(
parts: &mut Parts,
state: &AppState,
) -> Result<Self, Self::Rejection> {
let jar = CookieJar::from_request_parts(parts, state).await.unwrap();
let token = jar.get("token")
.map(|c| c.value().to_string())
.ok_or(RouteError::AuthorizationFailure())?;
let key = DecodingKey::from_secret(state.secret.as_ref());
let data = decode::<Claims>(token, &key, &Validation::default())
.map_err(|_| RouteError::AuthorizationFailure())?;
Ok(AuthUser(data.claims))
}
}
pub fn hash_password(password: &str) -> Result<String, Error> {
let argon2 = Argon2::default();
let salt = SaltString::generate(&mut OsRng);
Ok(argon2.hash_password(password.as_bytes(), &salt)?.to_string())
}
pub fn check_password(password: &str, password_hash: &str) -> Result<bool, Error> {
let argon2 = Argon2::default();
let hash = PasswordHash::new(password_hash)?;
Ok(argon2.verify_password(password.as_bytes(), &hash).is_ok())
}
#[derive(Deserialize)]
pub struct LoginRequest {
email: String,
password: String,
}
pub async fn login(
jar: CookieJar,
State(state): State<AppState>,
Json(request): Json<LoginRequest>
) -> Result<impl IntoResponse, RouteError> {
let user = match state.database.fetch_user_by_email(&request.email) {
Err(_) => return Err(RouteError::Internal("database action failed".into())),
Ok(None) => return Err(RouteError::UnregisteredEmail(request.email)),
Ok(Some(user)) => user
};
match check_password(&request.password, user.password_hash()) {
Err(_) => return Err(RouteError::Internal("failed to check password".into())),
Ok(false) => return Err(RouteError::AuthorizationFailure()),
Ok(true) => {},
}
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
.map_err(|_| RouteError::Internal("failed to access system clock".into()))?
.as_secs() as usize;
let claims = Claims {
sub: user.email().to_string(),
iat: now,
exp: now + 60 * 60 * 24,
is_admin: false
};
let key = EncodingKey::from_secret(state.secret.as_ref());
let token = encode(&Header::default(), &claims, &key)
.map_err(|e| RouteError::Internal(format!("failed to encode jwt: {e}")))?;
let cookie = Cookie::build(("token", token))
.path("/")
.max_age(Duration::hours(24))
.same_site(SameSite::Strict)
.http_only(true)
.build();
Ok(jar.add(cookie))
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_password_hashing() {
let passwords = vec!["password", "test1", "random"];
for password in &passwords {
let hash = hash_password(password).unwrap();
assert!(check_password(password, &hash).unwrap());
}
}
}
|
