383cfbed3b
Adds the full auth flow. Reads stay public; writes (currently only POST
/api/v1/mangas) require a CurrentUser. Both browsers and bot scripts hit
the same endpoints — they just present credentials differently.
Migration 0002_auth.sql introduces users.password_hash, a sessions
table, and an api_tokens table. Sessions and api_tokens store only
sha256(raw_token) — the raw value lives in the cookie or the
Authorization header.
New endpoints under /api/v1/auth/:
- POST /register — argon2id hash, creates a session, sets cookie.
- POST /login — verifies, rotates to a fresh session (old ones expire
naturally so other devices stay signed in).
- POST /logout — deletes the server-side session row + clears the
cookie via Max-Age=0.
- GET /me — current user via the new CurrentUser extractor.
- POST /tokens — issue a bot bearer token; raw value returned exactly
once at creation.
- DELETE /tokens/{id} — owner-only: 404 if unknown, 403 if it exists
but belongs to another user, 204 on success.
The CurrentUser axum extractor resolves cookie first, then
Authorization: Bearer; failure → AppError::Unauthenticated (401). New
AppError variants Unauthenticated/Forbidden/Conflict carry the matching
envelope codes; the top-level match in `code()` stays exhaustive.
Backend integration coverage in tests/api_auth.rs: register sets a
HttpOnly SameSite=Lax cookie and never leaks password_hash; duplicate
username → 409; weak password → 400; login rotates the cookie; wrong
password / unknown user → 401; /me with vs without cookie; logout
invalidates the cookie; bot-token roundtrip via Bearer; user A cannot
delete user B's token (403); unknown delete → 404.
Frontend:
- lib/api/auth.ts — typed wrappers; me() returns null on 401.
- lib/session.svelte.ts — per-tab user state with a seq counter to
guard against an in-flight /me clobbering a fresh setUser.
- lib/api/client.ts — request<T> returns undefined for 204.
- routes/login + routes/register — forms with action="javascript:void(0)"
so the no-JS path is a no-op (avoids the hydration-race where a
pre-attach click would submit via the browser default).
- routes/+layout.svelte — session-aware nav: spinner → user + Logout,
or Login / Register.
- e2e/auth-flow.spec.ts — login flips the layout, logout flips back;
bad credentials surface the API error message.
Config grows AuthConfig (cookie_secure, cookie_domain, session_ttl_days)
and CORS_ALLOWED_ORIGINS. CORS middleware is mounted in app::build and
stays a no-op (same-origin) until origins are listed.
Lockstep version bump to 0.3.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
152 lines
4.7 KiB
Rust
152 lines
4.7 KiB
Rust
mod common;
|
|
|
|
use axum::http::StatusCode;
|
|
use serde_json::json;
|
|
use sqlx::PgPool;
|
|
use tower::ServiceExt;
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn list_is_empty_initially(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let resp = h.app.oneshot(common::get("/api/v1/mangas")).await.unwrap();
|
|
assert_eq!(resp.status(), StatusCode::OK);
|
|
let body = common::body_json(resp).await;
|
|
assert_eq!(body["items"], json!([]));
|
|
assert_eq!(body["page"]["limit"], 50);
|
|
assert_eq!(body["page"]["offset"], 0);
|
|
assert!(body["page"]["total"].is_null());
|
|
}
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn create_then_list_roundtrip(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let (_, cookie) = common::register_user(&h.app).await;
|
|
|
|
let created = h
|
|
.app
|
|
.clone()
|
|
.oneshot(common::post_json_with_cookie(
|
|
"/api/v1/mangas",
|
|
json!({ "title": "Berserk", "author": "Kentaro Miura", "description": null }),
|
|
&cookie,
|
|
))
|
|
.await
|
|
.unwrap();
|
|
assert_eq!(created.status(), StatusCode::OK);
|
|
let body = common::body_json(created).await;
|
|
assert_eq!(body["title"], "Berserk");
|
|
assert_eq!(body["author"], "Kentaro Miura");
|
|
assert!(body["id"].as_str().is_some());
|
|
|
|
let listed = h.app.oneshot(common::get("/api/v1/mangas")).await.unwrap();
|
|
let listed_body = common::body_json(listed).await;
|
|
let items = listed_body["items"].as_array().unwrap();
|
|
assert_eq!(items.len(), 1);
|
|
assert_eq!(items[0]["title"], "Berserk");
|
|
}
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn search_filters_by_title_and_author(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let (_, cookie) = common::register_user(&h.app).await;
|
|
|
|
for (title, author) in [
|
|
("One Piece", "Eiichiro Oda"),
|
|
("Berserk", "Kentaro Miura"),
|
|
("Vinland Saga", "Makoto Yukimura"),
|
|
] {
|
|
let _ = h
|
|
.app
|
|
.clone()
|
|
.oneshot(common::post_json_with_cookie(
|
|
"/api/v1/mangas",
|
|
json!({ "title": title, "author": author }),
|
|
&cookie,
|
|
))
|
|
.await
|
|
.unwrap();
|
|
}
|
|
|
|
let resp = h
|
|
.app
|
|
.clone()
|
|
.oneshot(common::get("/api/v1/mangas?search=miura"))
|
|
.await
|
|
.unwrap();
|
|
let body = common::body_json(resp).await;
|
|
let titles: Vec<&str> = body["items"]
|
|
.as_array()
|
|
.unwrap()
|
|
.iter()
|
|
.map(|m| m["title"].as_str().unwrap())
|
|
.collect();
|
|
assert_eq!(titles, vec!["Berserk"]);
|
|
|
|
let resp = h
|
|
.app
|
|
.oneshot(common::get("/api/v1/mangas?search=saga"))
|
|
.await
|
|
.unwrap();
|
|
let body = common::body_json(resp).await;
|
|
let titles: Vec<&str> = body["items"]
|
|
.as_array()
|
|
.unwrap()
|
|
.iter()
|
|
.map(|m| m["title"].as_str().unwrap())
|
|
.collect();
|
|
assert_eq!(titles, vec!["Vinland Saga"]);
|
|
}
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn create_rejects_empty_title_with_envelope(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let (_, cookie) = common::register_user(&h.app).await;
|
|
let resp = h
|
|
.app
|
|
.oneshot(common::post_json_with_cookie(
|
|
"/api/v1/mangas",
|
|
json!({ "title": " ", "author": null }),
|
|
&cookie,
|
|
))
|
|
.await
|
|
.unwrap();
|
|
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
|
|
let body = common::body_json(resp).await;
|
|
assert_eq!(body["error"]["code"], "invalid_input");
|
|
let msg = body["error"]["message"].as_str().expect("message is string");
|
|
assert!(!msg.is_empty(), "message should be non-empty");
|
|
}
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn create_requires_authentication(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let resp = h
|
|
.app
|
|
.oneshot(common::post_json(
|
|
"/api/v1/mangas",
|
|
json!({ "title": "Berserk" }),
|
|
))
|
|
.await
|
|
.unwrap();
|
|
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
|
|
let body = common::body_json(resp).await;
|
|
assert_eq!(body["error"]["code"], "unauthenticated");
|
|
}
|
|
|
|
#[sqlx::test(migrations = "./migrations")]
|
|
async fn get_unknown_id_is_404_with_envelope(pool: PgPool) {
|
|
let h = common::harness(pool);
|
|
let resp = h
|
|
.app
|
|
.oneshot(common::get(
|
|
"/api/v1/mangas/00000000-0000-0000-0000-000000000000",
|
|
))
|
|
.await
|
|
.unwrap();
|
|
assert_eq!(resp.status(), StatusCode::NOT_FOUND);
|
|
let body = common::body_json(resp).await;
|
|
assert_eq!(body["error"]["code"], "not_found");
|
|
let msg = body["error"]["message"].as_str().expect("message is string");
|
|
assert!(!msg.is_empty(), "message should be non-empty");
|
|
}
|