fabi/Mangalord
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: argon2id passwords, session cookies, bot bearer tokens

Browse Source 
Adds the full auth flow. Reads stay public; writes (currently only POST
/api/v1/mangas) require a CurrentUser. Both browsers and bot scripts hit
the same endpoints — they just present credentials differently.

Migration 0002_auth.sql introduces users.password_hash, a sessions
table, and an api_tokens table. Sessions and api_tokens store only
sha256(raw_token) — the raw value lives in the cookie or the
Authorization header.

New endpoints under /api/v1/auth/:
- POST /register — argon2id hash, creates a session, sets cookie.
- POST /login — verifies, rotates to a fresh session (old ones expire
  naturally so other devices stay signed in).
- POST /logout — deletes the server-side session row + clears the
  cookie via Max-Age=0.
- GET  /me — current user via the new CurrentUser extractor.
- POST /tokens — issue a bot bearer token; raw value returned exactly
  once at creation.
- DELETE /tokens/{id} — owner-only: 404 if unknown, 403 if it exists
  but belongs to another user, 204 on success.

The CurrentUser axum extractor resolves cookie first, then
Authorization: Bearer; failure → AppError::Unauthenticated (401). New
AppError variants Unauthenticated/Forbidden/Conflict carry the matching
envelope codes; the top-level match in `code()` stays exhaustive.

Backend integration coverage in tests/api_auth.rs: register sets a
HttpOnly SameSite=Lax cookie and never leaks password_hash; duplicate
username → 409; weak password → 400; login rotates the cookie; wrong
password / unknown user → 401; /me with vs without cookie; logout
invalidates the cookie; bot-token roundtrip via Bearer; user A cannot
delete user B's token (403); unknown delete → 404.

Frontend:
- lib/api/auth.ts — typed wrappers; me() returns null on 401.
- lib/session.svelte.ts — per-tab user state with a seq counter to
  guard against an in-flight /me clobbering a fresh setUser.
- lib/api/client.ts — request<T> returns undefined for 204.
- routes/login + routes/register — forms with action="javascript:void(0)"
  so the no-JS path is a no-op (avoids the hydration-race where a
  pre-attach click would submit via the browser default).
- routes/+layout.svelte — session-aware nav: spinner → user + Logout,
  or Login / Register.
- e2e/auth-flow.spec.ts — login flips the layout, logout flips back;
  bad credentials surface the API error message.

Config grows AuthConfig (cookie_secure, cookie_domain, session_ttl_days)
and CORS_ALLOWED_ORIGINS. CORS middleware is mounted in app::build and
stays a no-op (same-origin) until origins are listed.

Lockstep version bump to 0.3.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-16 22:04:25 +02:00
parent ce9a01793f
commit 383cfbed3b
36 changed files with 1901 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

281
backend/tests/api_auth.rs Normal file
View File

@@ -0,0 +1,281 @@
mod common;
use axum::http::{header, StatusCode};
use serde_json::json;
use sqlx::PgPool;
use tower::ServiceExt;
fn creds(username: &str) -> serde_json::Value {
json!({ "username": username, "password": "hunter2hunter2" })
}
#[sqlx::test(migrations = "./migrations")]
async fn register_creates_user_and_sets_session_cookie(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::post_json(
"/api/v1/auth/register",
creds("alice"),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let cookie_header = resp
.headers()
.get(header::SET_COOKIE)
.expect("Set-Cookie present")
.to_str()
.unwrap()
.to_string();
assert!(cookie_header.starts_with("mangalord_session="));
assert!(cookie_header.contains("HttpOnly"));
assert!(cookie_header.contains("SameSite=Lax"));
assert!(cookie_header.contains("Path=/"));
// In the test harness cookie_secure is false; production has Secure.
assert!(!cookie_header.contains("Secure"));
let body = common::body_json(resp).await;
assert_eq!(body["user"]["username"], "alice");
assert!(body["user"]["id"].as_str().is_some());
assert!(
body["user"].get("password_hash").is_none(),
"password_hash must never leak to the API"
);
}
#[sqlx::test(migrations = "./migrations")]
async fn register_rejects_duplicate_username_with_conflict(pool: PgPool) {
let h = common::harness(pool);
let _ = h
.app
.clone()
.oneshot(common::post_json("/api/v1/auth/register", creds("alice")))
.await
.unwrap();
let resp = h
.app
.oneshot(common::post_json("/api/v1/auth/register", creds("alice")))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CONFLICT);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "conflict");
}
#[sqlx::test(migrations = "./migrations")]
async fn register_rejects_short_password(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::post_json(
"/api/v1/auth/register",
json!({ "username": "alice", "password": "short" }),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "invalid_input");
}
#[sqlx::test(migrations = "./migrations")]
async fn login_succeeds_and_rotates_session(pool: PgPool) {
let h = common::harness(pool);
let _ = h
.app
.clone()
.oneshot(common::post_json("/api/v1/auth/register", creds("alice")))
.await
.unwrap();
let resp = h
.app
.oneshot(common::post_json("/api/v1/auth/login", creds("alice")))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let cookie = common::extract_session_cookie(&resp).expect("login sets a cookie");
assert!(cookie.starts_with("mangalord_session="));
}
#[sqlx::test(migrations = "./migrations")]
async fn login_rejects_wrong_password(pool: PgPool) {
let h = common::harness(pool);
let _ = h
.app
.clone()
.oneshot(common::post_json("/api/v1/auth/register", creds("alice")))
.await
.unwrap();
let resp = h
.app
.oneshot(common::post_json(
"/api/v1/auth/login",
json!({ "username": "alice", "password": "wrongpassword" }),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "unauthenticated");
}
#[sqlx::test(migrations = "./migrations")]
async fn login_rejects_unknown_user(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::post_json("/api/v1/auth/login", creds("ghost")))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
#[sqlx::test(migrations = "./migrations")]
async fn me_returns_user_with_valid_cookie(pool: PgPool) {
let h = common::harness(pool);
let (username, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::get_with_cookie("/api/v1/auth/me", &cookie))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body = common::body_json(resp).await;
assert_eq!(body["user"]["username"], username);
}
#[sqlx::test(migrations = "./migrations")]
async fn me_returns_401_without_cookie(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::get("/api/v1/auth/me"))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
#[sqlx::test(migrations = "./migrations")]
async fn logout_clears_session(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
"/api/v1/auth/logout",
json!({}),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
// Same cookie no longer works.
let resp = h
.app
.oneshot(common::get_with_cookie("/api/v1/auth/me", &cookie))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
#[sqlx::test(migrations = "./migrations")]
async fn create_and_use_bot_token(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
"/api/v1/auth/tokens",
json!({ "name": "ci-bot" }),
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let body = common::body_json(resp).await;
assert_eq!(body["name"], "ci-bot");
let bearer = body["bearer"]
.as_str()
.expect("raw bearer in response")
.to_string();
assert!(body["token_hash"].is_null(), "token_hash must not leak");
// Use the bearer to hit /me — should authenticate.
let resp = h
.app
.oneshot(common::get_with_bearer("/api/v1/auth/me", &bearer))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[sqlx::test(migrations = "./migrations")]
async fn user_a_cannot_delete_user_b_token(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie_a) = common::register_user(&h.app).await;
let (_, cookie_b) = common::register_user(&h.app).await;
let resp = h
.app
.clone()
.oneshot(common::post_json_with_cookie(
"/api/v1/auth/tokens",
json!({ "name": "alice-bot" }),
&cookie_a,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::CREATED);
let body = common::body_json(resp).await;
let token_id = body["id"].as_str().unwrap().to_string();
// User B attempts to delete user A's token → 403.
let resp = h
.app
.clone()
.oneshot(common::delete_with_cookie(
&format!("/api/v1/auth/tokens/{token_id}"),
&cookie_b,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::FORBIDDEN);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "forbidden");
// User A succeeds.
let resp = h
.app
.oneshot(common::delete_with_cookie(
&format!("/api/v1/auth/tokens/{token_id}"),
&cookie_a,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NO_CONTENT);
}
#[sqlx::test(migrations = "./migrations")]
async fn delete_unknown_token_is_404(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::delete_with_cookie(
"/api/v1/auth/tokens/00000000-0000-0000-0000-000000000000",
&cookie,
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
}

28
backend/tests/api_mangas.rs
View File

@@ -20,13 +20,15 @@ async fn list_is_empty_initially(pool: PgPool) {
#[sqlx::test(migrations = "./migrations")]
async fn create_then_list_roundtrip(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let created = h
.app
.clone()
.oneshot(common::post_json(
.oneshot(common::post_json_with_cookie(
"/api/v1/mangas",
json!({ "title": "Berserk", "author": "Kentaro Miura", "description": null }),
&cookie,
))
.await
.unwrap();
@@ -46,6 +48,7 @@ async fn create_then_list_roundtrip(pool: PgPool) {
#[sqlx::test(migrations = "./migrations")]
async fn search_filters_by_title_and_author(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
for (title, author) in [
("One Piece", "Eiichiro Oda"),
@@ -55,9 +58,10 @@ async fn search_filters_by_title_and_author(pool: PgPool) {
let _ = h
.app
.clone()
.oneshot(common::post_json(
.oneshot(common::post_json_with_cookie(
"/api/v1/mangas",
json!({ "title": title, "author": author }),
&cookie,
))
.await
.unwrap();
@@ -96,11 +100,13 @@ async fn search_filters_by_title_and_author(pool: PgPool) {
#[sqlx::test(migrations = "./migrations")]
async fn create_rejects_empty_title_with_envelope(pool: PgPool) {
let h = common::harness(pool);
let (_, cookie) = common::register_user(&h.app).await;
let resp = h
.app
.oneshot(common::post_json(
.oneshot(common::post_json_with_cookie(
"/api/v1/mangas",
json!({ "title": " ", "author": null }),
&cookie,
))
.await
.unwrap();
@@ -111,6 +117,22 @@ async fn create_rejects_empty_title_with_envelope(pool: PgPool) {
assert!(!msg.is_empty(), "message should be non-empty");
}
#[sqlx::test(migrations = "./migrations")]
async fn create_requires_authentication(pool: PgPool) {
let h = common::harness(pool);
let resp = h
.app
.oneshot(common::post_json(
"/api/v1/mangas",
json!({ "title": "Berserk" }),
))
.await
.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
let body = common::body_json(resp).await;
assert_eq!(body["error"]["code"], "unauthenticated");
}
#[sqlx::test(migrations = "./migrations")]
async fn get_unknown_id_is_404_with_envelope(pool: PgPool) {
let h = common::harness(pool);

104
backend/tests/common/mod.rs
View File

@@ -6,13 +6,16 @@
use std::sync::Arc;
use axum::body::Body;
use axum::http::Request;
use axum::http::{header, Request};
use axum::Router;
use http_body_util::BodyExt;
use serde_json::json;
use sqlx::PgPool;
use tempfile::TempDir;
use tower::ServiceExt;
use mangalord::app::{router, AppState};
use mangalord::config::AuthConfig;
use mangalord::storage::LocalStorage;
pub struct Harness {
@@ -26,6 +29,7 @@ pub fn harness(pool: PgPool) -> Harness {
let state = AppState {
db: pool,
storage: Arc::new(LocalStorage::new(storage_dir.path())),
auth: AuthConfig { cookie_secure: false, ..AuthConfig::default() },
};
Harness { app: router(state), _storage_dir: storage_dir }
}
@@ -39,11 +43,107 @@ pub fn get(uri: &str) -> Request<Body> {
Request::builder().uri(uri).body(Body::empty()).unwrap()
}
pub fn get_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
Request::builder()
.uri(uri)
.header(header::COOKIE, cookie)
.body(Body::empty())
.unwrap()
}
pub fn get_with_bearer(uri: &str, token: &str) -> Request<Body> {
Request::builder()
.uri(uri)
.header(header::AUTHORIZATION, format!("Bearer {token}"))
.body(Body::empty())
.unwrap()
}
pub fn post_json(uri: &str, body: serde_json::Value) -> Request<Body> {
Request::builder()
.method("POST")
.uri(uri)
.header("content-type", "application/json")
.header(header::CONTENT_TYPE, "application/json")
.body(Body::from(body.to_string()))
.unwrap()
}
pub fn post_json_with_cookie(
uri: &str,
body: serde_json::Value,
cookie: &str,
) -> Request<Body> {
Request::builder()
.method("POST")
.uri(uri)
.header(header::CONTENT_TYPE, "application/json")
.header(header::COOKIE, cookie)
.body(Body::from(body.to_string()))
.unwrap()
}
pub fn post_json_with_bearer(
uri: &str,
body: serde_json::Value,
token: &str,
) -> Request<Body> {
Request::builder()
.method("POST")
.uri(uri)
.header(header::CONTENT_TYPE, "application/json")
.header(header::AUTHORIZATION, format!("Bearer {token}"))
.body(Body::from(body.to_string()))
.unwrap()
}
pub fn delete_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
Request::builder()
.method("DELETE")
.uri(uri)
.header(header::COOKIE, cookie)
.body(Body::empty())
.unwrap()
}
/// Extracts the `mangalord_session` cookie from a response's Set-Cookie
/// headers as a `name=value` pair suitable for use in a follow-up `Cookie`
/// request header. Returns `None` if no such cookie was set.
pub fn extract_session_cookie(response: &axum::response::Response) -> Option<String> {
response
.headers()
.get_all(header::SET_COOKIE)
.iter()
.find_map(|v| {
let s = v.to_str().ok()?;
if s.starts_with("mangalord_session=") {
let end = s.find(';').unwrap_or(s.len());
Some(s[..end].to_string())
} else {
None
}
})
}
/// Register a brand-new user and return (username, session cookie value).
/// The username is unique per call so tests can run in parallel against a
/// single DB without colliding.
pub async fn register_user(app: &Router) -> (String, String) {
// 12-hex-digit suffix keeps the username under the 32-char cap.
let suffix: String = uuid::Uuid::new_v4().simple().to_string().chars().take(12).collect();
let username = format!("u-{suffix}");
let resp = app
.clone()
.oneshot(post_json(
"/api/v1/auth/register",
json!({ "username": username, "password": "hunter2hunter2" }),
))
.await
.unwrap();
assert_eq!(
resp.status(),
axum::http::StatusCode::CREATED,
"register failed in test harness"
);
let cookie = extract_session_cookie(&resp).expect("session cookie on register");
(username, cookie)
}