1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
use std::time::{SystemTime, UNIX_EPOCH};
use axum::extract::{Json, State, FromRequestParts};
use axum::response::IntoResponse;
use axum::http::{request::Parts};
use axum_extra::extract::CookieJar;
use axum_extra::extract::cookie::{Cookie, SameSite};
use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation, decode, encode};
use serde::{Deserialize, Serialize};
use time::Duration;
use argon2::{Argon2, PasswordHash, PasswordVerifier, password_hash::{
Error, PasswordHasher, SaltString, rand_core::OsRng
}};
use crate::AppState;
use crate::routes::errors::RouteError;
#[derive(Serialize, Deserialize)]
pub struct Claims {
pub sub: String,
pub exp: usize,
pub iat: usize,
pub username: String,
pub is_admin: bool,
}
pub struct AuthUser(pub Claims);
impl FromRequestParts<AppState> for AuthUser {
type Rejection = RouteError;
async fn from_request_parts(
parts: &mut Parts,
state: &AppState,
) -> Result<Self, Self::Rejection> {
let jar = CookieJar::from_request_parts(parts, state).await.unwrap();
let token = jar.get("token")
.map(|c| c.value().to_string())
.ok_or(RouteError::AuthorizationFailure())?;
let key = DecodingKey::from_secret(state.secret.as_ref());
let data = decode::<Claims>(token, &key, &Validation::default())
.map_err(|_| RouteError::AuthorizationFailure())?;
Ok(AuthUser(data.claims))
}
}
pub fn hash_password(password: &str) -> Result<String, Error> {
let argon2 = Argon2::default();
let salt = SaltString::generate(&mut OsRng);
Ok(argon2.hash_password(password.as_bytes(), &salt)?.to_string())
}
pub fn check_password(password: &str, password_hash: &str) -> Result<bool, Error> {
let argon2 = Argon2::default();
let hash = PasswordHash::new(password_hash)?;
Ok(argon2.verify_password(password.as_bytes(), &hash).is_ok())
}
#[derive(Deserialize)]
pub struct LoginRequest {
email: String,
password: String,
}
pub async fn login(
jar: CookieJar,
State(state): State<AppState>,
Json(request): Json<LoginRequest>
) -> Result<impl IntoResponse, RouteError> {
let user = match state.database.fetch_user_by_email(&request.email) {
Err(_) => return Err(RouteError::Internal("database action failed".into())),
Ok(None) => return Err(RouteError::UnregisteredEmail(request.email)),
Ok(Some(user)) => user
};
match check_password(&request.password, user.password_hash()) {
Err(_) => return Err(RouteError::Internal("failed to check password".into())),
Ok(false) => return Err(RouteError::AuthorizationFailure()),
Ok(true) => {},
}
let now = SystemTime::now()
.duration_since(UNIX_EPOCH)
.map_err(|_| RouteError::Internal("failed to access system clock".into()))?
.as_secs() as usize;
let claims = Claims {
sub: user.email().to_string(),
iat: now,
exp: now + 60 * 60 * 24,
username: user.username().to_string(),
is_admin: false
};
let key = EncodingKey::from_secret(state.secret.as_ref());
let token = encode(&Header::default(), &claims, &key)
.map_err(|e| RouteError::Internal(format!("failed to encode jwt: {e}")))?;
let cookie = Cookie::build(("token", token))
.path("/")
.max_age(Duration::hours(24))
.same_site(SameSite::Strict)
.http_only(true)
.build();
Ok(jar.add(cookie))
}
pub async fn logout(
jar: CookieJar,
) -> Result<impl IntoResponse, RouteError> {
Ok(jar.remove(Cookie::from("token")))
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_password_hashing() {
let passwords = vec!["password", "test1", "random"];
for password in &passwords {
let hash = hash_password(password).unwrap();
assert!(check_password(password, &hash).unwrap());
}
}
}
|
