feat: argon2id passwords, session cookies, bot bearer tokens

Adds the full auth flow. Reads stay public; writes (currently only POST /api/v1/mangas) require a CurrentUser. Both browsers and bot scripts hit the same endpoints — they just present credentials differently. Migration 0002_auth.sql introduces users.password_hash, a sessions table, and an api_tokens table. Sessions and api_tokens store only sha256(raw_token) — the raw value lives in the cookie or the Authorization header. New endpoints under /api/v1/auth/: - POST /register — argon2id hash, creates a session, sets cookie. - POST /login — verifies, rotates to a fresh session (old ones expire naturally so other devices stay signed in). - POST /logout — deletes the server-side session row + clears the cookie via Max-Age=0. - GET /me — current user via the new CurrentUser extractor. - POST /tokens — issue a bot bearer token; raw value returned exactly once at creation. - DELETE /tokens/{id} — owner-only: 404 if unknown, 403 if it exists but belongs to another user, 204 on success. The CurrentUser axum extractor resolves cookie first, then Authorization: Bearer; failure → AppError::Unauthenticated (401). New AppError variants Unauthenticated/Forbidden/Conflict carry the matching envelope codes; the top-level match in `code()` stays exhaustive. Backend integration coverage in tests/api_auth.rs: register sets a HttpOnly SameSite=Lax cookie and never leaks password_hash; duplicate username → 409; weak password → 400; login rotates the cookie; wrong password / unknown user → 401; /me with vs without cookie; logout invalidates the cookie; bot-token roundtrip via Bearer; user A cannot delete user B's token (403); unknown delete → 404. Frontend: - lib/api/auth.ts — typed wrappers; me() returns null on 401. - lib/session.svelte.ts — per-tab user state with a seq counter to guard against an in-flight /me clobbering a fresh setUser. - lib/api/client.ts — request<T> returns undefined for 204. - routes/login + routes/register — forms with action="javascript:void(0)" so the no-JS path is a no-op (avoids the hydration-race where a pre-attach click would submit via the browser default). - routes/+layout.svelte — session-aware nav: spinner → user + Logout, or Login / Register. - e2e/auth-flow.spec.ts — login flips the layout, logout flips back; bad credentials surface the API error message. Config grows AuthConfig (cookie_secure, cookie_domain, session_ttl_days) and CORS_ALLOWED_ORIGINS. CORS middleware is mounted in app::build and stays a no-op (same-origin) until origins are listed. Lockstep version bump to 0.3.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 22:04:25 +02:00
parent ce9a01793f
commit 383cfbed3b
36 changed files with 1901 additions and 13 deletions
--- a/backend/src/config.rs
+++ b/backend/src/config.rs
@@ -1,10 +1,29 @@
 use std::path::PathBuf;

+#[derive(Clone, Debug)]
+pub struct AuthConfig {
+    pub cookie_secure: bool,
+    pub cookie_domain: Option<String>,
+    pub session_ttl_days: i64,
+}
+
+impl Default for AuthConfig {
+    fn default() -> Self {
+        Self {
+            cookie_secure: true,
+            cookie_domain: None,
+            session_ttl_days: 30,
+        }
+    }
+}
+
 #[derive(Clone, Debug)]
 pub struct Config {
    pub database_url: String,
    pub bind_address: String,
    pub storage_dir: PathBuf,
+    pub auth: AuthConfig,
+    pub cors_allowed_origins: Vec<String>,
 }

 impl Config {
@@ -17,6 +36,37 @@ impl Config {
            storage_dir: std::env::var("STORAGE_DIR")
                .unwrap_or_else(|_| "./data/storage".to_string())
                .into(),
+            auth: AuthConfig {
+                cookie_secure: env_bool("COOKIE_SECURE", true),
+                cookie_domain: std::env::var("COOKIE_DOMAIN")
+                    .ok()
+                    .filter(|s| !s.is_empty()),
+                session_ttl_days: env_i64("SESSION_TTL_DAYS", 30),
+            },
+            cors_allowed_origins: std::env::var("CORS_ALLOWED_ORIGINS")
+                .ok()
+                .map(|s| {
+                    s.split(',')
+                        .map(|o| o.trim().to_string())
+                        .filter(|o| !o.is_empty())
+                        .collect()
+                })
+                .unwrap_or_default(),
        })
    }
 }
+
+fn env_bool(name: &str, default: bool) -> bool {
+    match std::env::var(name).ok().as_deref() {
+        Some("1") | Some("true") | Some("TRUE") | Some("yes") => true,
+        Some("0") | Some("false") | Some("FALSE") | Some("no") => false,
+        _ => default,
+    }
+}
+
+fn env_i64(name: &str, default: i64) -> i64 {
+    std::env::var(name)
+        .ok()
+        .and_then(|s| s.parse().ok())
+        .unwrap_or(default)
+}