fabi/EventSnap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: fabi:v0.1.0
Branches Tags
fabi:main fabi:feat/html-viewer-export fabi:feat/camera-capture-wip
fabi:v0.12.0 fabi:v0.11.0 fabi:v0.10.0 fabi:v0.9.0 fabi:v0.8.0 fabi:v0.7.0 fabi:v0.6.0 fabi:v0.5.0 fabi:v0.4.0 fabi:v0.3.0 fabi:v0.2.0 fabi:v0.1.0
...
compare: fabi:v0.2.0
Branches Tags
fabi:main fabi:feat/html-viewer-export fabi:feat/camera-capture-wip
fabi:v0.12.0 fabi:v0.11.0 fabi:v0.10.0 fabi:v0.9.0 fabi:v0.8.0 fabi:v0.7.0 fabi:v0.6.0 fabi:v0.5.0 fabi:v0.4.0 fabi:v0.3.0 fabi:v0.2.0 fabi:v0.1.0

1 Commits
v0.1.0 ... v0.2.0

Author SHA1 Message Date
fabi
8b9d916265 feat: implement authentication flow 
Backend:
- AppConfig, AppError, AppState modules for shared infrastructure
- JWT creation/verification with HS256 (jsonwebtoken crate)
- Session management: SHA-256 token hashing, DB-backed sessions
- Auth middleware: AuthUser, RequireHost, RequireAdmin extractors
- POST /api/v1/join: name-only registration, 4-digit PIN + bcrypt hash
- POST /api/v1/recover: PIN-based recovery with 3-attempt lockout (15 min)
- POST /api/v1/admin/login: bcrypt password verification
- DELETE /api/v1/session: logout (session invalidation)
- Migration 006: user PIN lockout columns (failed_pin_attempts, pin_locked_until)
- Models: Event, User (with role enum), Session with all CRUD methods

Frontend:
- api.ts: typed fetch wrapper with automatic Bearer token injection
- auth.ts: JWT/PIN localStorage management with Svelte store
- /join: name entry form with PIN display modal and copy button
- /recover: name + PIN recovery form with saved PIN pre-fill
- /feed: placeholder gallery page with logout
- Root layout: auth initialization on mount
- Root page: redirect to /join or /feed based on auth state

All responses use German language strings as specified.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-31 21:44:03 +02:00
23 changed files with 1118 additions and 11 deletions
Expand all files Collapse all files

2
backend/Cargo.lock generated
View File

@@ -898,8 +898,10 @@ dependencies = [
"jsonwebtoken",
"minijinja",
"oxipng",
"rand 0.9.2",
"serde",
"serde_json",
"sha2",
"sqlx",
"sysinfo",
"tokio",

2
backend/Cargo.toml
View File

@@ -16,6 +16,8 @@ jsonwebtoken = "9"
bcrypt = "0.15"
uuid = { version = "1", features = ["v4", "serde"] }
chrono = { version = "0.4", features = ["serde"] }
sha2 = "0.10"
rand = "0.9"
anyhow = "1"
tracing = "0.1"
tracing-subscriber = { version = "0.3", features = ["env-filter"] }

2
backend/migrations/006_user_pin_lockout.down.sql Normal file
View File

@@ -0,0 +1,2 @@
ALTER TABLE "user" DROP COLUMN IF EXISTS pin_locked_until;
ALTER TABLE "user" DROP COLUMN IF EXISTS failed_pin_attempts;

2
backend/migrations/006_user_pin_lockout.up.sql Normal file
View File

@@ -0,0 +1,2 @@
ALTER TABLE "user" ADD COLUMN failed_pin_attempts SMALLINT NOT NULL DEFAULT 0;
ALTER TABLE "user" ADD COLUMN pin_locked_until TIMESTAMPTZ;

232
backend/src/auth/handlers.rs Normal file
View File

@@ -0,0 +1,232 @@
use axum::extract::State;
use axum::http::StatusCode;
use axum::Json;
use chrono::{Duration, Utc};
use rand::Rng;
use serde::{Deserialize, Serialize};
use uuid::Uuid;
use crate::auth::jwt;
use crate::auth::middleware::AuthUser;
use crate::error::AppError;
use crate::models::event::Event;
use crate::models::session::Session;
use crate::models::user::{User, UserRole};
use crate::state::AppState;
#[derive(Deserialize)]
pub struct JoinRequest {
pub display_name: String,
}
#[derive(Serialize)]
pub struct JoinResponse {
pub jwt: String,
pub pin: String,
pub user_id: Uuid,
pub is_new: bool,
}
pub async fn join(
State(state): State<AppState>,
Json(body): Json<JoinRequest>,
) -> Result<(StatusCode, Json<JoinResponse>), AppError> {
let display_name = body.display_name.trim();
if display_name.is_empty() || display_name.len() > 50 {
return Err(AppError::BadRequest(
"Name muss zwischen 1 und 50 Zeichen lang sein.".into(),
));
}
let event = Event::find_or_create(
&state.pool,
&state.config.event_slug,
&state.config.event_name,
)
.await?;
// Generate a 4-digit PIN
let pin: String = format!("{:04}", rand::rng().random_range(0..10000u32));
let pin_hash =
bcrypt::hash(&pin, 12).map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let user = User::create(&state.pool, event.id, display_name, &pin_hash).await?;
let token = jwt::create_token(
user.id,
event.id,
user.role.clone(),
&state.config.jwt_secret,
state.config.session_expiry_days,
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
Ok((
StatusCode::CREATED,
Json(JoinResponse {
jwt: token,
pin,
user_id: user.id,
is_new: true,
}),
))
}
#[derive(Deserialize)]
pub struct RecoverRequest {
pub display_name: String,
pub pin: String,
}
#[derive(Serialize)]
pub struct RecoverResponse {
pub jwt: String,
pub user_id: Uuid,
}
pub async fn recover(
State(state): State<AppState>,
Json(body): Json<RecoverRequest>,
) -> Result<Json<RecoverResponse>, AppError> {
let display_name = body.display_name.trim();
let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
.await?
.ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
let users =
User::find_by_event_and_name(&state.pool, event.id, display_name).await?;
if users.is_empty() {
return Err(AppError::NotFound(
"Kein Benutzer mit diesem Namen gefunden.".into(),
));
}
for user in &users {
// Check PIN lockout
if let Some(locked_until) = user.pin_locked_until {
if Utc::now() < locked_until {
return Err(AppError::TooManyRequests(
"Zu viele Versuche. Bitte warte 15 Minuten.".into(),
));
}
}
let pin_matches = bcrypt::verify(&body.pin, &user.recovery_pin_hash)
.unwrap_or(false);
if pin_matches {
// Reset failed attempts on success
User::reset_pin_attempts(&state.pool, user.id).await?;
let token = jwt::create_token(
user.id,
event.id,
user.role.clone(),
&state.config.jwt_secret,
state.config.session_expiry_days,
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(state.config.session_expiry_days);
Session::create(&state.pool, user.id, &token_hash, expires_at).await?;
return Ok(Json(RecoverResponse {
jwt: token,
user_id: user.id,
}));
}
// Wrong PIN — increment failure count
let attempts = User::increment_failed_pin(&state.pool, user.id).await?;
if attempts >= 3 {
let lockout = Utc::now() + Duration::minutes(15);
User::lock_pin(&state.pool, user.id, lockout).await?;
}
}
Err(AppError::Unauthorized("PIN ist falsch.".into()))
}
#[derive(Deserialize)]
pub struct AdminLoginRequest {
pub password: String,
}
#[derive(Serialize)]
pub struct AdminLoginResponse {
pub jwt: String,
}
pub async fn admin_login(
State(state): State<AppState>,
Json(body): Json<AdminLoginRequest>,
) -> Result<Json<AdminLoginResponse>, AppError> {
if state.config.admin_password_hash.is_empty() {
return Err(AppError::Forbidden(
"Admin-Login ist nicht konfiguriert.".into(),
));
}
let valid = bcrypt::verify(&body.password, &state.config.admin_password_hash)
.unwrap_or(false);
if !valid {
return Err(AppError::Unauthorized("Falsches Passwort.".into()));
}
let event = Event::find_or_create(
&state.pool,
&state.config.event_slug,
&state.config.event_name,
)
.await?;
// Find or create the admin user for this event
let admin_name = "Admin";
let users = User::find_by_event_and_name(&state.pool, event.id, admin_name).await?;
let admin_user = if let Some(u) = users.into_iter().find(|u| u.role == UserRole::Admin) {
u
} else {
// Create admin user with a dummy PIN (admin authenticates via password)
let dummy_hash = bcrypt::hash("0000", 4)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let user = User::create(&state.pool, event.id, admin_name, &dummy_hash).await?;
sqlx::query("UPDATE \"user\" SET role = 'admin' WHERE id = $1")
.bind(user.id)
.execute(&state.pool)
.await?;
User::find_by_id(&state.pool, user.id)
.await?
.ok_or_else(|| AppError::Internal(anyhow::anyhow!("admin user creation failed")))?
};
let token = jwt::create_token(
admin_user.id,
event.id,
UserRole::Admin,
&state.config.jwt_secret,
1, // Admin sessions expire after 1 day
)
.map_err(|e| AppError::Internal(anyhow::anyhow!(e)))?;
let token_hash = jwt::hash_token(&token);
let expires_at = Utc::now() + Duration::days(1);
Session::create(&state.pool, admin_user.id, &token_hash, expires_at).await?;
Ok(Json(AdminLoginResponse { jwt: token }))
}
pub async fn logout(
State(state): State<AppState>,
auth: AuthUser,
) -> Result<StatusCode, AppError> {
Session::delete_by_token_hash(&state.pool, &auth.token_hash).await?;
Ok(StatusCode::NO_CONTENT)
}

53
backend/src/auth/jwt.rs Normal file
View File

@@ -0,0 +1,53 @@
use chrono::{Duration, Utc};
use jsonwebtoken::{DecodingKey, EncodingKey, Header, Validation};
use serde::{Deserialize, Serialize};
use sha2::{Digest, Sha256};
use uuid::Uuid;
use crate::models::user::UserRole;
#[derive(Debug, Serialize, Deserialize)]
pub struct Claims {
pub sub: Uuid,
pub event_id: Uuid,
pub role: UserRole,
pub exp: i64,
pub iat: i64,
}
pub fn create_token(
user_id: Uuid,
event_id: Uuid,
role: UserRole,
secret: &str,
expiry_days: i64,
) -> Result<String, jsonwebtoken::errors::Error> {
let now = Utc::now();
let claims = Claims {
sub: user_id,
event_id,
role,
iat: now.timestamp(),
exp: (now + Duration::days(expiry_days)).timestamp(),
};
jsonwebtoken::encode(
&Header::default(),
&claims,
&EncodingKey::from_secret(secret.as_bytes()),
)
}
pub fn verify_token(token: &str, secret: &str) -> Result<Claims, jsonwebtoken::errors::Error> {
let data = jsonwebtoken::decode::<Claims>(
token,
&DecodingKey::from_secret(secret.as_bytes()),
&Validation::default(),
)?;
Ok(data.claims)
}
pub fn hash_token(token: &str) -> String {
let mut hasher = Sha256::new();
hasher.update(token.as_bytes());
format!("{:x}", hasher.finalize())
}

96
backend/src/auth/middleware.rs Normal file
View File

@@ -0,0 +1,96 @@
use axum::extract::{FromRequestParts, State};
use axum::http::request::Parts;
use uuid::Uuid;
use crate::auth::jwt;
use crate::error::AppError;
use crate::models::session::Session;
use crate::models::user::UserRole;
use crate::state::AppState;
#[derive(Debug, Clone)]
pub struct AuthUser {
pub user_id: Uuid,
pub event_id: Uuid,
pub role: UserRole,
pub token_hash: String,
}
impl FromRequestParts<AppState> for AuthUser {
type Rejection = AppError;
async fn from_request_parts(
parts: &mut Parts,
state: &AppState,
) -> Result<Self, Self::Rejection> {
let header = parts
.headers
.get("authorization")
.and_then(|v| v.to_str().ok())
.ok_or_else(|| AppError::Unauthorized("Token fehlt.".into()))?;
let token = header
.strip_prefix("Bearer ")
.ok_or_else(|| AppError::Unauthorized("Ungültiges Token-Format.".into()))?;
let claims = jwt::verify_token(token, &state.config.jwt_secret)
.map_err(|_| AppError::Unauthorized("Token ungültig oder abgelaufen.".into()))?;
let token_hash = jwt::hash_token(token);
let session = Session::find_by_token_hash(&state.pool, &token_hash)
.await
.map_err(|e| AppError::Internal(e.into()))?
.ok_or_else(|| AppError::Unauthorized("Sitzung nicht gefunden oder abgelaufen.".into()))?;
// Update last_seen_at in the background (fire-and-forget)
let pool = state.pool.clone();
let session_id = session.id;
tokio::spawn(async move {
let _ = Session::touch(&pool, session_id).await;
});
Ok(Self {
user_id: claims.sub,
event_id: claims.event_id,
role: claims.role,
token_hash,
})
}
}
/// Extractor that requires at least Host role.
pub struct RequireHost(pub AuthUser);
impl FromRequestParts<AppState> for RequireHost {
type Rejection = AppError;
async fn from_request_parts(
parts: &mut Parts,
state: &AppState,
) -> Result<Self, Self::Rejection> {
let auth = AuthUser::from_request_parts(parts, state).await?;
match auth.role {
UserRole::Host | UserRole::Admin => Ok(Self(auth)),
_ => Err(AppError::Forbidden("Nur für Hosts und Admins.".into())),
}
}
}
/// Extractor that requires Admin role.
pub struct RequireAdmin(pub AuthUser);
impl FromRequestParts<AppState> for RequireAdmin {
type Rejection = AppError;
async fn from_request_parts(
parts: &mut Parts,
state: &AppState,
) -> Result<Self, Self::Rejection> {
let auth = AuthUser::from_request_parts(parts, state).await?;
match auth.role {
UserRole::Admin => Ok(Self(auth)),
_ => Err(AppError::Forbidden("Nur für Admins.".into())),
}
}
}

3
backend/src/auth/mod.rs Normal file
View File

@@ -0,0 +1,3 @@
pub mod handlers;
pub mod jwt;
pub mod middleware;

43
backend/src/config.rs Normal file
View File

@@ -0,0 +1,43 @@
use std::path::PathBuf;
use anyhow::{Context, Result};
#[derive(Clone, Debug)]
pub struct AppConfig {
pub database_url: String,
pub jwt_secret: String,
pub session_expiry_days: i64,
pub admin_password_hash: String,
pub event_name: String,
pub event_slug: String,
pub media_path: PathBuf,
pub app_port: u16,
}
impl AppConfig {
pub fn from_env() -> Result<Self> {
Ok(Self {
database_url: std::env::var("DATABASE_URL")
.context("DATABASE_URL must be set")?,
jwt_secret: std::env::var("JWT_SECRET")
.context("JWT_SECRET must be set")?,
session_expiry_days: std::env::var("SESSION_EXPIRY_DAYS")
.unwrap_or_else(|_| "30".to_string())
.parse()
.context("SESSION_EXPIRY_DAYS must be a number")?,
admin_password_hash: std::env::var("ADMIN_PASSWORD_HASH")
.unwrap_or_default(),
event_name: std::env::var("EVENT_NAME")
.unwrap_or_else(|_| "EventSnap".to_string()),
event_slug: std::env::var("EVENT_SLUG")
.context("EVENT_SLUG must be set")?,
media_path: PathBuf::from(
std::env::var("MEDIA_PATH").unwrap_or_else(|_| "/media".to_string()),
),
app_port: std::env::var("APP_PORT")
.unwrap_or_else(|_| "3000".to_string())
.parse()
.context("APP_PORT must be a number")?,
})
}
}

65
backend/src/error.rs Normal file
View File

@@ -0,0 +1,65 @@
use axum::http::StatusCode;
use axum::response::{IntoResponse, Response};
use serde_json::json;
#[derive(Debug)]
pub enum AppError {
BadRequest(String),
Unauthorized(String),
Forbidden(String),
NotFound(String),
TooManyRequests(String),
Internal(anyhow::Error),
}
impl AppError {
fn status_and_code(&self) -> (StatusCode, &str) {
match self {
Self::BadRequest(_) => (StatusCode::BAD_REQUEST, "bad_request"),
Self::Unauthorized(_) => (StatusCode::UNAUTHORIZED, "unauthorized"),
Self::Forbidden(_) => (StatusCode::FORBIDDEN, "forbidden"),
Self::NotFound(_) => (StatusCode::NOT_FOUND, "not_found"),
Self::TooManyRequests(_) => (StatusCode::TOO_MANY_REQUESTS, "too_many_requests"),
Self::Internal(_) => (StatusCode::INTERNAL_SERVER_ERROR, "internal_error"),
}
}
fn message(&self) -> String {
match self {
Self::BadRequest(msg)
| Self::Unauthorized(msg)
| Self::Forbidden(msg)
| Self::NotFound(msg)
| Self::TooManyRequests(msg) => msg.clone(),
Self::Internal(err) => {
tracing::error!("internal error: {err:#}");
"Ein interner Fehler ist aufgetreten.".to_string()
}
}
}
}
impl IntoResponse for AppError {
fn into_response(self) -> Response {
let (status, code) = self.status_and_code();
let message = self.message();
let body = json!({
"error": code,
"message": message,
"status": status.as_u16(),
});
(status, axum::Json(body)).into_response()
}
}
impl From<anyhow::Error> for AppError {
fn from(err: anyhow::Error) -> Self {
Self::Internal(err)
}
}
impl From<sqlx::Error> for AppError {
fn from(err: sqlx::Error) -> Self {
Self::Internal(err.into())
}
}

32
backend/src/main.rs
View File

@@ -1,7 +1,17 @@
use anyhow::Result;
use axum::routing::{delete, post};
use axum::Router;
use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
mod auth;
mod config;
mod db;
mod error;
mod models;
mod state;
use config::AppConfig;
use state::AppState;
#[tokio::main]
async fn main() -> Result<()> {
@@ -14,18 +24,22 @@ async fn main() -> Result<()> {
.with(tracing_subscriber::fmt::layer())
.init();
let database_url =
std::env::var("DATABASE_URL").expect("DATABASE_URL must be set");
let port: u16 = std::env::var("APP_PORT")
.unwrap_or_else(|_| "3000".to_string())
.parse()?;
let config = AppConfig::from_env()?;
let pool = db::create_pool(&config.database_url).await?;
let state = AppState::new(pool, config.clone());
let _pool = db::create_pool(&database_url).await?;
let api = Router::new()
.route("/api/v1/join", post(auth::handlers::join))
.route("/api/v1/recover", post(auth::handlers::recover))
.route("/api/v1/admin/login", post(auth::handlers::admin_login))
.route("/api/v1/session", delete(auth::handlers::logout));
let router = axum::Router::new()
.route("/health", axum::routing::get(|| async { "ok" }));
let router = Router::new()
.route("/health", axum::routing::get(|| async { "ok" }))
.merge(api)
.with_state(state);
let listener = tokio::net::TcpListener::bind(("0.0.0.0", port)).await?;
let listener = tokio::net::TcpListener::bind(("0.0.0.0", config.app_port)).await?;
tracing::info!("listening on {}", listener.local_addr()?);
axum::serve(listener, router).await?;

47
backend/src/models/event.rs Normal file
View File

@@ -0,0 +1,47 @@
use chrono::{DateTime, Utc};
use sqlx::PgPool;
use uuid::Uuid;
#[derive(Debug, sqlx::FromRow)]
pub struct Event {
pub id: Uuid,
pub slug: String,
pub name: String,
pub cover_image_path: Option<String>,
pub is_active: bool,
pub uploads_locked_at: Option<DateTime<Utc>>,
pub export_released_at: Option<DateTime<Utc>>,
pub export_zip_ready: bool,
pub export_html_ready: bool,
pub created_at: DateTime<Utc>,
}
impl Event {
pub async fn find_by_slug(pool: &PgPool, slug: &str) -> Result<Option<Self>, sqlx::Error> {
sqlx::query_as::<_, Self>("SELECT * FROM event WHERE slug = $1")
.bind(slug)
.fetch_optional(pool)
.await
}
pub async fn create(pool: &PgPool, slug: &str, name: &str) -> Result<Self, sqlx::Error> {
sqlx::query_as::<_, Self>(
"INSERT INTO event (slug, name) VALUES ($1, $2) RETURNING *",
)
.bind(slug)
.bind(name)
.fetch_one(pool)
.await
}
pub async fn find_or_create(
pool: &PgPool,
slug: &str,
name: &str,
) -> Result<Self, sqlx::Error> {
if let Some(event) = Self::find_by_slug(pool, slug).await? {
return Ok(event);
}
Self::create(pool, slug, name).await
}
}

3
backend/src/models/mod.rs Normal file
View File

@@ -0,0 +1,3 @@
pub mod event;
pub mod session;
pub mod user;

64
backend/src/models/session.rs Normal file
View File

@@ -0,0 +1,64 @@
use chrono::{DateTime, Utc};
use sqlx::PgPool;
use uuid::Uuid;
#[derive(Debug, sqlx::FromRow)]
pub struct Session {
pub id: Uuid,
pub user_id: Uuid,
pub token_hash: String,
pub expires_at: DateTime<Utc>,
pub last_seen_at: DateTime<Utc>,
pub created_at: DateTime<Utc>,
}
impl Session {
pub async fn create(
pool: &PgPool,
user_id: Uuid,
token_hash: &str,
expires_at: DateTime<Utc>,
) -> Result<Self, sqlx::Error> {
sqlx::query_as::<_, Self>(
"INSERT INTO session (user_id, token_hash, expires_at)
VALUES ($1, $2, $3)
RETURNING *",
)
.bind(user_id)
.bind(token_hash)
.bind(expires_at)
.fetch_one(pool)
.await
}
pub async fn find_by_token_hash(
pool: &PgPool,
token_hash: &str,
) -> Result<Option<Self>, sqlx::Error> {
sqlx::query_as::<_, Self>(
"SELECT * FROM session WHERE token_hash = $1 AND expires_at > NOW()",
)
.bind(token_hash)
.fetch_optional(pool)
.await
}
pub async fn touch(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
sqlx::query("UPDATE session SET last_seen_at = NOW() WHERE id = $1")
.bind(id)
.execute(pool)
.await?;
Ok(())
}
pub async fn delete_by_token_hash(
pool: &PgPool,
token_hash: &str,
) -> Result<(), sqlx::Error> {
sqlx::query("DELETE FROM session WHERE token_hash = $1")
.bind(token_hash)
.execute(pool)
.await?;
Ok(())
}
}

102
backend/src/models/user.rs Normal file
View File

@@ -0,0 +1,102 @@
use chrono::{DateTime, Utc};
use serde::{Deserialize, Serialize};
use sqlx::PgPool;
use uuid::Uuid;
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize, sqlx::Type)]
#[sqlx(type_name = "user_role", rename_all = "lowercase")]
pub enum UserRole {
Guest,
Host,
Admin,
}
#[derive(Debug, sqlx::FromRow)]
pub struct User {
pub id: Uuid,
pub event_id: Uuid,
pub display_name: String,
pub role: UserRole,
pub is_banned: bool,
pub uploads_hidden: bool,
pub recovery_pin_hash: String,
pub total_upload_bytes: i64,
pub failed_pin_attempts: i16,
pub pin_locked_until: Option<DateTime<Utc>>,
pub created_at: DateTime<Utc>,
}
impl User {
pub async fn create(
pool: &PgPool,
event_id: Uuid,
display_name: &str,
pin_hash: &str,
) -> Result<Self, sqlx::Error> {
sqlx::query_as::<_, Self>(
"INSERT INTO \"user\" (event_id, display_name, recovery_pin_hash)
VALUES ($1, $2, $3)
RETURNING *",
)
.bind(event_id)
.bind(display_name)
.bind(pin_hash)
.fetch_one(pool)
.await
}
pub async fn find_by_id(pool: &PgPool, id: Uuid) -> Result<Option<Self>, sqlx::Error> {
sqlx::query_as::<_, Self>("SELECT * FROM \"user\" WHERE id = $1")
.bind(id)
.fetch_optional(pool)
.await
}
pub async fn find_by_event_and_name(
pool: &PgPool,
event_id: Uuid,
display_name: &str,
) -> Result<Vec<Self>, sqlx::Error> {
sqlx::query_as::<_, Self>(
"SELECT * FROM \"user\" WHERE event_id = $1 AND display_name = $2",
)
.bind(event_id)
.bind(display_name)
.fetch_all(pool)
.await
}
pub async fn increment_failed_pin(pool: &PgPool, id: Uuid) -> Result<i16, sqlx::Error> {
let row: (i16,) = sqlx::query_as(
"UPDATE \"user\"
SET failed_pin_attempts = failed_pin_attempts + 1
WHERE id = $1
RETURNING failed_pin_attempts",
)
.bind(id)
.fetch_one(pool)
.await?;
Ok(row.0)
}
pub async fn lock_pin(pool: &PgPool, id: Uuid, until: DateTime<Utc>) -> Result<(), sqlx::Error> {
sqlx::query(
"UPDATE \"user\" SET pin_locked_until = $2 WHERE id = $1",
)
.bind(id)
.bind(until)
.execute(pool)
.await?;
Ok(())
}
pub async fn reset_pin_attempts(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
sqlx::query(
"UPDATE \"user\" SET failed_pin_attempts = 0, pin_locked_until = NULL WHERE id = $1",
)
.bind(id)
.execute(pool)
.await?;
Ok(())
}
}

28
backend/src/state.rs Normal file
View File

@@ -0,0 +1,28 @@
use sqlx::PgPool;
use tokio::sync::broadcast;
use crate::config::AppConfig;
#[derive(Clone, Debug)]
pub struct SseEvent {
pub event_type: String,
pub data: String,
}
#[derive(Clone)]
pub struct AppState {
pub pool: PgPool,
pub config: AppConfig,
pub sse_tx: broadcast::Sender<SseEvent>,
}
impl AppState {
pub fn new(pool: PgPool, config: AppConfig) -> Self {
let (sse_tx, _) = broadcast::channel(256);
Self {
pool,
config,
sse_tx,
}
}
}

57
frontend/src/lib/api.ts Normal file
View File

@@ -0,0 +1,57 @@
import { getToken, clearAuth } from './auth';
const BASE = '/api/v1';
export class ApiError extends Error {
status: number;
code: string;
constructor(status: number, code: string, message: string) {
super(message);
this.status = status;
this.code = code;
}
}
async function request<T>(
method: string,
path: string,
body?: unknown
): Promise<T> {
const headers: Record<string, string> = {};
const token = getToken();
if (token) {
headers['Authorization'] = `Bearer ${token}`;
}
if (body !== undefined) {
headers['Content-Type'] = 'application/json';
}
const res = await fetch(`${BASE}${path}`, {
method,
headers,
body: body !== undefined ? JSON.stringify(body) : undefined
});
if (res.status === 204) {
return undefined as T;
}
const data = await res.json();
if (!res.ok) {
if (res.status === 401) {
clearAuth();
}
throw new ApiError(res.status, data.error ?? 'unknown', data.message ?? 'Fehler');
}
return data as T;
}
export const api = {
get: <T>(path: string) => request<T>('GET', path),
post: <T>(path: string, body?: unknown) => request<T>('POST', path, body),
patch: <T>(path: string, body?: unknown) => request<T>('PATCH', path, body),
delete: <T>(path: string) => request<T>('DELETE', path)
};

44
frontend/src/lib/auth.ts Normal file
View File

@@ -0,0 +1,44 @@
import { writable } from 'svelte/store';
import { browser } from '$app/environment';
const TOKEN_KEY = 'eventsnap_jwt';
const PIN_KEY = 'eventsnap_pin';
const USER_ID_KEY = 'eventsnap_user_id';
export const isAuthenticated = writable(false);
export function getToken(): string | null {
if (!browser) return null;
return localStorage.getItem(TOKEN_KEY);
}
export function getPin(): string | null {
if (!browser) return null;
return localStorage.getItem(PIN_KEY);
}
export function getUserId(): string | null {
if (!browser) return null;
return localStorage.getItem(USER_ID_KEY);
}
export function setAuth(jwt: string, pin: string | null, userId: string): void {
if (!browser) return;
localStorage.setItem(TOKEN_KEY, jwt);
if (pin) localStorage.setItem(PIN_KEY, pin);
localStorage.setItem(USER_ID_KEY, userId);
isAuthenticated.set(true);
}
export function clearAuth(): void {
if (!browser) return;
localStorage.removeItem(TOKEN_KEY);
localStorage.removeItem(USER_ID_KEY);
// PIN is intentionally kept so the user can recover
isAuthenticated.set(false);
}
export function initAuth(): void {
if (!browser) return;
isAuthenticated.set(!!getToken());
}

6
frontend/src/routes/+layout.svelte
View File

@@ -1,8 +1,14 @@
<script lang="ts">
import favicon from '$lib/assets/favicon.svg';
import '../app.css';
import { initAuth } from '$lib/auth';
import { onMount } from 'svelte';
let { children } = $props();
onMount(() => {
initAuth();
});
</script>
<svelte:head>

16
frontend/src/routes/+page.svelte
View File

@@ -1,2 +1,14 @@
<h1>Welcome to SvelteKit</h1>
<p>Visit <a href="https://svelte.dev/docs/kit">svelte.dev/docs/kit</a> to read the documentation</p>
<script lang="ts">
import { goto } from '$app/navigation';
import { getToken } from '$lib/auth';
import { browser } from '$app/environment';
import { onMount } from 'svelte';
onMount(() => {
if (getToken()) {
goto('/feed');
} else {
goto('/join');
}
});
</script>

37
frontend/src/routes/feed/+page.svelte Normal file
View File

@@ -0,0 +1,37 @@
<script lang="ts">
import { goto } from '$app/navigation';
import { getToken, clearAuth } from '$lib/auth';
import { api } from '$lib/api';
import { onMount } from 'svelte';
onMount(() => {
if (!getToken()) {
goto('/join');
}
});
async function handleLogout() {
try {
await api.delete('/session');
} catch {
// Ignore errors — clear local state regardless
}
clearAuth();
goto('/join');
}
</script>
<div class="min-h-screen bg-gray-50 p-4">
<div class="mx-auto max-w-2xl">
<div class="mb-6 flex items-center justify-between">
<h1 class="text-xl font-bold text-gray-900">Galerie</h1>
<button
onclick={handleLogout}
class="rounded-md bg-gray-200 px-3 py-1 text-sm text-gray-700 hover:bg-gray-300"
>
Abmelden
</button>
</div>
<p class="text-gray-600">Die Galerie wird bald hier angezeigt.</p>
</div>
</div>

110
frontend/src/routes/join/+page.svelte Normal file
View File

@@ -0,0 +1,110 @@
<script lang="ts">
import { goto } from '$app/navigation';
import { api, ApiError } from '$lib/api';
import { setAuth } from '$lib/auth';
let displayName = $state('');
let error = $state('');
let loading = $state(false);
let showPinModal = $state(false);
let pin = $state('');
let copied = $state(false);
async function handleJoin() {
if (!displayName.trim()) return;
loading = true;
error = '';
try {
const res = await api.post<{
jwt: string;
pin: string;
user_id: string;
is_new: boolean;
}>('/join', { display_name: displayName.trim() });
setAuth(res.jwt, res.pin, res.user_id);
pin = res.pin;
showPinModal = true;
} catch (e) {
if (e instanceof ApiError) {
error = e.message;
} else {
error = 'Ein Fehler ist aufgetreten.';
}
} finally {
loading = false;
}
}
function copyPin() {
navigator.clipboard.writeText(pin);
copied = true;
setTimeout(() => (copied = false), 2000);
}
function goToFeed() {
goto('/feed');
}
</script>
<div class="flex min-h-screen items-center justify-center bg-gray-50 px-4">
<div class="w-full max-w-sm">
<h1 class="mb-2 text-center text-2xl font-bold text-gray-900">Willkommen!</h1>
<p class="mb-6 text-center text-gray-600">Gib deinen Namen ein, um dem Event beizutreten.</p>
<form onsubmit={(e) => { e.preventDefault(); handleJoin(); }}>
<input
type="text"
bind:value={displayName}
placeholder="Dein Name"
maxlength={50}
class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-lg focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
/>
{#if error}
<p class="mb-3 text-sm text-red-600">{error}</p>
{/if}
<button
type="submit"
disabled={loading || !displayName.trim()}
class="w-full rounded-lg bg-blue-600 px-4 py-3 text-lg font-medium text-white transition hover:bg-blue-700 disabled:opacity-50"
>
{loading ? 'Wird geladen...' : 'Beitreten'}
</button>
</form>
<p class="mt-4 text-center text-sm text-gray-500">
Schon dabei?
<a href="/recover" class="text-blue-600 hover:underline">Mit PIN wiederherstellen</a>
</p>
</div>
</div>
{#if showPinModal}
<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 px-4">
<div class="w-full max-w-sm rounded-xl bg-white p-6 shadow-lg">
<h2 class="mb-2 text-xl font-bold text-gray-900">Dein Wiederherstellungs-PIN</h2>
<p class="mb-4 text-sm text-gray-600">
Merke dir diesen PIN! Du brauchst ihn, um dein Konto auf einem anderen Gerät wiederherzustellen.
</p>
<div class="mb-4 flex items-center justify-center gap-3 rounded-lg bg-gray-100 p-4">
<span class="text-4xl font-mono font-bold tracking-widest text-gray-900">{pin}</span>
<button
onclick={copyPin}
class="rounded-md bg-gray-200 px-3 py-1 text-sm font-medium text-gray-700 hover:bg-gray-300"
>
{copied ? 'Kopiert!' : 'Kopieren'}
</button>
</div>
<button
onclick={goToFeed}
class="w-full rounded-lg bg-blue-600 px-4 py-3 font-medium text-white transition hover:bg-blue-700"
>
Weiter zur Galerie
</button>
</div>
</div>
{/if}

83
frontend/src/routes/recover/+page.svelte Normal file
View File

@@ -0,0 +1,83 @@
<script lang="ts">
import { goto } from '$app/navigation';
import { api, ApiError } from '$lib/api';
import { setAuth, getPin } from '$lib/auth';
import { browser } from '$app/environment';
let displayName = $state('');
let pin = $state('');
let error = $state('');
let loading = $state(false);
// Pre-fill PIN from localStorage if available
if (browser) {
const savedPin = getPin();
if (savedPin) pin = savedPin;
}
async function handleRecover() {
if (!displayName.trim() || !pin.trim()) return;
loading = true;
error = '';
try {
const res = await api.post<{
jwt: string;
user_id: string;
}>('/recover', { display_name: displayName.trim(), pin: pin.trim() });
setAuth(res.jwt, pin.trim(), res.user_id);
goto('/feed');
} catch (e) {
if (e instanceof ApiError) {
error = e.message;
} else {
error = 'Ein Fehler ist aufgetreten.';
}
} finally {
loading = false;
}
}
</script>
<div class="flex min-h-screen items-center justify-center bg-gray-50 px-4">
<div class="w-full max-w-sm">
<h1 class="mb-2 text-center text-2xl font-bold text-gray-900">Konto wiederherstellen</h1>
<p class="mb-6 text-center text-gray-600">Gib deinen Namen und deinen PIN ein.</p>
<form onsubmit={(e) => { e.preventDefault(); handleRecover(); }}>
<input
type="text"
bind:value={displayName}
placeholder="Dein Name"
maxlength={50}
class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-lg focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
/>
<input
type="text"
bind:value={pin}
placeholder="4-stelliger PIN"
maxlength={4}
inputmode="numeric"
pattern="[0-9]*"
class="mb-3 w-full rounded-lg border border-gray-300 px-4 py-3 text-center text-2xl font-mono tracking-widest focus:border-blue-500 focus:outline-none focus:ring-2 focus:ring-blue-200"
/>
{#if error}
<p class="mb-3 text-sm text-red-600">{error}</p>
{/if}
<button
type="submit"
disabled={loading || !displayName.trim() || pin.length < 4}
class="w-full rounded-lg bg-blue-600 px-4 py-3 text-lg font-medium text-white transition hover:bg-blue-700 disabled:opacity-50"
>
{loading ? 'Wird geladen...' : 'Wiederherstellen'}
</button>
</form>
<p class="mt-4 text-center text-sm text-gray-500">
Noch kein Konto?
<a href="/join" class="text-blue-600 hover:underline">Neu beitreten</a>
</p>
</div>
</div>