383cfbed3b
Adds the full auth flow. Reads stay public; writes (currently only POST
/api/v1/mangas) require a CurrentUser. Both browsers and bot scripts hit
the same endpoints — they just present credentials differently.
Migration 0002_auth.sql introduces users.password_hash, a sessions
table, and an api_tokens table. Sessions and api_tokens store only
sha256(raw_token) — the raw value lives in the cookie or the
Authorization header.
New endpoints under /api/v1/auth/:
- POST /register — argon2id hash, creates a session, sets cookie.
- POST /login — verifies, rotates to a fresh session (old ones expire
naturally so other devices stay signed in).
- POST /logout — deletes the server-side session row + clears the
cookie via Max-Age=0.
- GET /me — current user via the new CurrentUser extractor.
- POST /tokens — issue a bot bearer token; raw value returned exactly
once at creation.
- DELETE /tokens/{id} — owner-only: 404 if unknown, 403 if it exists
but belongs to another user, 204 on success.
The CurrentUser axum extractor resolves cookie first, then
Authorization: Bearer; failure → AppError::Unauthenticated (401). New
AppError variants Unauthenticated/Forbidden/Conflict carry the matching
envelope codes; the top-level match in `code()` stays exhaustive.
Backend integration coverage in tests/api_auth.rs: register sets a
HttpOnly SameSite=Lax cookie and never leaks password_hash; duplicate
username → 409; weak password → 400; login rotates the cookie; wrong
password / unknown user → 401; /me with vs without cookie; logout
invalidates the cookie; bot-token roundtrip via Bearer; user A cannot
delete user B's token (403); unknown delete → 404.
Frontend:
- lib/api/auth.ts — typed wrappers; me() returns null on 401.
- lib/session.svelte.ts — per-tab user state with a seq counter to
guard against an in-flight /me clobbering a fresh setUser.
- lib/api/client.ts — request<T> returns undefined for 204.
- routes/login + routes/register — forms with action="javascript:void(0)"
so the no-JS path is a no-op (avoids the hydration-race where a
pre-attach click would submit via the browser default).
- routes/+layout.svelte — session-aware nav: spinner → user + Logout,
or Login / Register.
- e2e/auth-flow.spec.ts — login flips the layout, logout flips back;
bad credentials surface the API error message.
Config grows AuthConfig (cookie_secure, cookie_domain, session_ttl_days)
and CORS_ALLOWED_ORIGINS. CORS middleware is mounted in app::build and
stays a no-op (same-origin) until origins are listed.
Lockstep version bump to 0.3.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
150 lines
4.5 KiB
Rust
150 lines
4.5 KiB
Rust
// Shared test helpers. Each integration test binary picks the subset it needs,
|
|
// so dead-code lints on the unused helpers fire per-binary; suppress at the
|
|
// module level.
|
|
#![allow(dead_code)]
|
|
|
|
use std::sync::Arc;
|
|
|
|
use axum::body::Body;
|
|
use axum::http::{header, Request};
|
|
use axum::Router;
|
|
use http_body_util::BodyExt;
|
|
use serde_json::json;
|
|
use sqlx::PgPool;
|
|
use tempfile::TempDir;
|
|
use tower::ServiceExt;
|
|
|
|
use mangalord::app::{router, AppState};
|
|
use mangalord::config::AuthConfig;
|
|
use mangalord::storage::LocalStorage;
|
|
|
|
pub struct Harness {
|
|
pub app: Router,
|
|
// Kept alive for the lifetime of the test so the temp dir is not dropped.
|
|
pub _storage_dir: TempDir,
|
|
}
|
|
|
|
pub fn harness(pool: PgPool) -> Harness {
|
|
let storage_dir = tempfile::tempdir().expect("tempdir");
|
|
let state = AppState {
|
|
db: pool,
|
|
storage: Arc::new(LocalStorage::new(storage_dir.path())),
|
|
auth: AuthConfig { cookie_secure: false, ..AuthConfig::default() },
|
|
};
|
|
Harness { app: router(state), _storage_dir: storage_dir }
|
|
}
|
|
|
|
pub async fn body_json(response: axum::response::Response) -> serde_json::Value {
|
|
let bytes = response.into_body().collect().await.unwrap().to_bytes();
|
|
serde_json::from_slice(&bytes).expect("body is JSON")
|
|
}
|
|
|
|
pub fn get(uri: &str) -> Request<Body> {
|
|
Request::builder().uri(uri).body(Body::empty()).unwrap()
|
|
}
|
|
|
|
pub fn get_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
|
|
Request::builder()
|
|
.uri(uri)
|
|
.header(header::COOKIE, cookie)
|
|
.body(Body::empty())
|
|
.unwrap()
|
|
}
|
|
|
|
pub fn get_with_bearer(uri: &str, token: &str) -> Request<Body> {
|
|
Request::builder()
|
|
.uri(uri)
|
|
.header(header::AUTHORIZATION, format!("Bearer {token}"))
|
|
.body(Body::empty())
|
|
.unwrap()
|
|
}
|
|
|
|
pub fn post_json(uri: &str, body: serde_json::Value) -> Request<Body> {
|
|
Request::builder()
|
|
.method("POST")
|
|
.uri(uri)
|
|
.header(header::CONTENT_TYPE, "application/json")
|
|
.body(Body::from(body.to_string()))
|
|
.unwrap()
|
|
}
|
|
|
|
pub fn post_json_with_cookie(
|
|
uri: &str,
|
|
body: serde_json::Value,
|
|
cookie: &str,
|
|
) -> Request<Body> {
|
|
Request::builder()
|
|
.method("POST")
|
|
.uri(uri)
|
|
.header(header::CONTENT_TYPE, "application/json")
|
|
.header(header::COOKIE, cookie)
|
|
.body(Body::from(body.to_string()))
|
|
.unwrap()
|
|
}
|
|
|
|
pub fn post_json_with_bearer(
|
|
uri: &str,
|
|
body: serde_json::Value,
|
|
token: &str,
|
|
) -> Request<Body> {
|
|
Request::builder()
|
|
.method("POST")
|
|
.uri(uri)
|
|
.header(header::CONTENT_TYPE, "application/json")
|
|
.header(header::AUTHORIZATION, format!("Bearer {token}"))
|
|
.body(Body::from(body.to_string()))
|
|
.unwrap()
|
|
}
|
|
|
|
pub fn delete_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
|
|
Request::builder()
|
|
.method("DELETE")
|
|
.uri(uri)
|
|
.header(header::COOKIE, cookie)
|
|
.body(Body::empty())
|
|
.unwrap()
|
|
}
|
|
|
|
/// Extracts the `mangalord_session` cookie from a response's Set-Cookie
|
|
/// headers as a `name=value` pair suitable for use in a follow-up `Cookie`
|
|
/// request header. Returns `None` if no such cookie was set.
|
|
pub fn extract_session_cookie(response: &axum::response::Response) -> Option<String> {
|
|
response
|
|
.headers()
|
|
.get_all(header::SET_COOKIE)
|
|
.iter()
|
|
.find_map(|v| {
|
|
let s = v.to_str().ok()?;
|
|
if s.starts_with("mangalord_session=") {
|
|
let end = s.find(';').unwrap_or(s.len());
|
|
Some(s[..end].to_string())
|
|
} else {
|
|
None
|
|
}
|
|
})
|
|
}
|
|
|
|
/// Register a brand-new user and return (username, session cookie value).
|
|
/// The username is unique per call so tests can run in parallel against a
|
|
/// single DB without colliding.
|
|
pub async fn register_user(app: &Router) -> (String, String) {
|
|
// 12-hex-digit suffix keeps the username under the 32-char cap.
|
|
let suffix: String = uuid::Uuid::new_v4().simple().to_string().chars().take(12).collect();
|
|
let username = format!("u-{suffix}");
|
|
let resp = app
|
|
.clone()
|
|
.oneshot(post_json(
|
|
"/api/v1/auth/register",
|
|
json!({ "username": username, "password": "hunter2hunter2" }),
|
|
))
|
|
.await
|
|
.unwrap();
|
|
assert_eq!(
|
|
resp.status(),
|
|
axum::http::StatusCode::CREATED,
|
|
"register failed in test harness"
|
|
);
|
|
let cookie = extract_session_cookie(&resp).expect("session cookie on register");
|
|
(username, cookie)
|
|
}
|