fabi/EventSnap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement authentication flow

Browse Source 
Backend:
- AppConfig, AppError, AppState modules for shared infrastructure
- JWT creation/verification with HS256 (jsonwebtoken crate)
- Session management: SHA-256 token hashing, DB-backed sessions
- Auth middleware: AuthUser, RequireHost, RequireAdmin extractors
- POST /api/v1/join: name-only registration, 4-digit PIN + bcrypt hash
- POST /api/v1/recover: PIN-based recovery with 3-attempt lockout (15 min)
- POST /api/v1/admin/login: bcrypt password verification
- DELETE /api/v1/session: logout (session invalidation)
- Migration 006: user PIN lockout columns (failed_pin_attempts, pin_locked_until)
- Models: Event, User (with role enum), Session with all CRUD methods

Frontend:
- api.ts: typed fetch wrapper with automatic Bearer token injection
- auth.ts: JWT/PIN localStorage management with Svelte store
- /join: name entry form with PIN display modal and copy button
- /recover: name + PIN recovery form with saved PIN pre-fill
- /feed: placeholder gallery page with logout
- Root layout: auth initialization on mount
- Root page: redirect to /join or /feed based on auth state

All responses use German language strings as specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
fabi
2026-03-31 21:44:03 +02:00
parent e976f0f670
commit 8b9d916265
23 changed files with 1118 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

232
backend/src/auth/handlers.rs Normal file
View File

@@ -0,0 +1,232 @@
use axum::extract::State;
use axum::http::StatusCode;
use axum::Json;
use chrono::{Duration, Utc};
use rand::Rng;
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use crate::auth::jwt;
use crate::auth::middleware::AuthUser;
use crate::error::AppError;
use crate::models::event::Event;
use crate::models::session::Session;
use crate::models::user::{User, UserRole};
use crate::state::AppState;
#[derive(Deserialize)]
pub struct JoinRequest {
pub display_name: String,
}
#[derive(Serialize)]
pub struct JoinResponse {
pub jwt: String,
pub pin: String,
pub user_id: Uuid,
pub is_new: bool,
}
pub async fn join(
State(state): State<AppState>,
Json(body): Json<JoinRequest>,
) -> Result<(StatusCode, Json<JoinResponse>), AppError> {
let display_name = body.display_name.trim();
if display_name.is_empty() || display_name.len() > 50 {
return Err(AppError::BadRequest(
"Name muss zwischen 1 und 50 Zeichen lang sein.".into(),
));
}
let event = Event::find_or_create(
&state.pool,
&state.config.event_slug,
&state.config.event_name,
)
.await?;
// Generate a 4-digit PIN
let pin: String = format!("{:04}", rand::rng().random_range(0..10000u32));
let pin_hash =
bcrypt::hash(&pin, 12).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let user = User::create(&state.pool, event.id, display_name, &pin_hash).await?;
let token = jwt::create_token(
user.id,
event.id,
user.role.clone(),
&state.config.jwt_secret,
state.config.session_expiry_days,
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
Ok((
StatusCode::CREATED,
Json(JoinResponse {
jwt: token,
pin,
user_id: user.id,
is_new: true,
}),
))
}
#[derive(Deserialize)]
pub struct RecoverRequest {
pub display_name: String,
pub pin: String,
}
#[derive(Serialize)]
pub struct RecoverResponse {
pub jwt: String,
pub user_id: Uuid,
}
pub async fn recover(
State(state): State<AppState>,
Json(body): Json<RecoverRequest>,
) -> Result<Json<RecoverResponse>, AppError> {
let display_name = body.display_name.trim();
let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
.await?
.ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
let users =
User::find_by_event_and_name(&state.pool, event.id, display_name).await?;
if users.is_empty() {
return Err(AppError::NotFound(
"Kein Benutzer mit diesem Namen gefunden.".into(),
));
}
for user in &users {
// Check PIN lockout
if let Some(locked_until) = user.pin_locked_until {
if Utc::now() < locked_until {
return Err(AppError::TooManyRequests(
"Zu viele Versuche. Bitte warte 15 Minuten.".into(),
));
}
}
let pin_matches = bcrypt::verify(&body.pin, &user.recovery_pin_hash)
.unwrap_or(false);
if pin_matches {
// Reset failed attempts on success
User::reset_pin_attempts(&state.pool, user.id).await?;
let token = jwt::create_token(
user.id,
event.id,
user.role.clone(),
&state.config.jwt_secret,
state.config.session_expiry_days,
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
return Ok(Json(RecoverResponse {
jwt: token,
user_id: user.id,
}));
}
// Wrong PIN — increment failure count
let attempts = User::increment_failed_pin(&state.pool, user.id).await?;
if attempts >= 3 {
let lockout = Utc::now() + Duration::minutes(15);
User::lock_pin(&state.pool, user.id, lockout).await?;
}
}
Err(AppError::Unauthorized("PIN ist falsch.".into()))
}
#[derive(Deserialize)]
pub struct AdminLoginRequest {
pub password: String,
}
#[derive(Serialize)]
pub struct AdminLoginResponse {
pub jwt: String,
}
pub async fn admin_login(
State(state): State<AppState>,
Json(body): Json<AdminLoginRequest>,
) -> Result<Json<AdminLoginResponse>, AppError> {
if state.config.admin_password_hash.is_empty() {
return Err(AppError::Forbidden(
"Admin-Login ist nicht konfiguriert.".into(),
));
}
let valid = bcrypt::verify(&body.password, &state.config.admin_password_hash)
.unwrap_or(false);
if !valid {
return Err(AppError::Unauthorized("Falsches Passwort.".into()));
}
let event = Event::find_or_create(
&state.pool,
&state.config.event_slug,
&state.config.event_name,
)
.await?;
// Find or create the admin user for this event
let admin_name = "Admin";
let users = User::find_by_event_and_name(&state.pool, event.id, admin_name).await?;
let admin_user = if let Some(u) = users.into_iter().find(|u| u.role == UserRole::Admin) {
u
} else {
// Create admin user with a dummy PIN (admin authenticates via password)
let dummy_hash = bcrypt::hash("0000", 4)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let user = User::create(&state.pool, event.id, admin_name, &dummy_hash).await?;
sqlx::query("UPDATE \"user\" SET role = 'admin' WHERE id = $1")
.bind(user.id)
.execute(&state.pool)
.await?;
User::find_by_id(&state.pool, user.id)
.await?
.ok_or_else(|| AppError::Internal(anyhow::anyhow!("admin user creation failed")))?
};
let token = jwt::create_token(
admin_user.id,
event.id,
UserRole::Admin,
&state.config.jwt_secret,
1, // Admin sessions expire after 1 day
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(1);
Session::create(&state.pool, admin_user.id, &token_hash, expires_at).await?;
Ok(Json(AdminLoginResponse { jwt: token }))
}
pub async fn logout(
State(state): State<AppState>,
auth: AuthUser,
) -> Result<StatusCode, AppError> {
Session::delete_by_token_hash(&state.pool, &auth.token_hash).await?;
Ok(StatusCode::NO_CONTENT)
}