Adds the pre-1.0 password-change story flagged by the audit. Browser
users and bot owners both go through PATCH /api/v1/auth/me/password
with the current + new password in the body.
Implementation in `api::auth::change_password`:
- CurrentUser-gated: 401 if unauthenticated.
- Verifies current_password against the stored argon2 hash. Wrong
current → 401 unauthenticated, matching the login contract.
- new_password runs through the same `validate_password` used at
registration (≥8 chars). Weak → 400 invalid_input.
- On success, wraps the swap in a single transaction:
  - UPDATE users.password_hash with a fresh argon2 hash.
  - DELETE every session for this user (signs out other devices —
    any cookie stolen before the change is dead now).
  - INSERT a new session and mint a fresh cookie so the caller stays
    logged in.
- 204 + Set-Cookie on success.
Bot tokens (api_tokens) are intentionally left alone. They're explicit
opt-in credentials that the user can already audit and revoke
individually via DELETE /auth/tokens/{id}; rotating them on every
password change would surprise CI scripts.
Repo refactor: `repo::session::create` accepts `impl PgExecutor<'_>`
(same pattern feat/uploads used for chapters), and a new
`session::delete_all_for_user` covers the "sign out everywhere"
write. The existing `delete_by_token_hash` (used by logout) is
unchanged.
Coverage in tests/api_auth.rs (4 cases):
- change_password_rotates_sessions_and_swaps_credentials — happy path
asserts the new cookie differs from the original, that both the
original cookie AND a second-device cookie become invalid, that the
new cookie keeps working, that login with the old password fails
(401) and login with the new password succeeds.
- change_password_rejects_wrong_current_with_401 — wrong current
password returns 401 unauthenticated.
- change_password_rejects_weak_new_password — new_password "short"
returns 400 invalid_input.
- change_password_requires_authentication — no cookie returns 401.
README updated with the new endpoint in the auth table.
Lockstep version bump to 0.10.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
// Shared test helpers. Each integration test binary picks the subset it needs,
// so dead-code lints on the unused helpers fire per-binary; suppress at the
// module level.
#![allow(dead_code)]
use std::sync::Arc;
use axum::body::Body;
use axum::http::{header, Request};
use axum::Router;
use http_body_util::BodyExt;
use serde_json::json;
use sqlx::PgPool;
use tempfile::TempDir;
use tower::ServiceExt;
use mangalord::app::{router, AppState};
use mangalord::config::{AuthConfig, UploadConfig};
use mangalord::storage::{LocalStorage, Storage, StorageError, StreamingFile};
use async_trait::async_trait;
use std::sync::atomic::{AtomicUsize, Ordering};
/// Bundle returned by the harness constructors: the router under test plus the
/// temporary directory that backs its storage.
pub struct Harness {
    /// Router built from the test `AppState`; tests drive it in-process.
    pub app: Router,
    /// Held only so the temp dir is not dropped while the test is running.
    pub _storage_dir: TempDir,
}
/// Builds a [`Harness`] whose storage is a `LocalStorage` rooted in a fresh
/// temporary directory.
///
/// # Panics
/// Panics with "tempdir" if the temporary directory cannot be created.
pub fn harness(pool: PgPool) -> Harness {
    let storage_dir = tempfile::tempdir().expect("tempdir");
    let local = LocalStorage::new(storage_dir.path());
    harness_inner(pool, Arc::new(local), storage_dir)
}
/// Like `harness`, but the storage backend is a `FailingStorage` that returns
/// an error on the `fail_on_put_index`-th `put` call (0-indexed).
///
/// Lets tests exercise the upload handlers' transactional rollback path
/// without injecting faults at lower layers.
///
/// # Panics
/// Panics with "tempdir" if the temporary directory cannot be created.
pub fn harness_with_failing_storage(pool: PgPool, fail_on_put_index: usize) -> Harness {
    let storage_dir = tempfile::tempdir().expect("tempdir");
    let flaky = FailingStorage::new(LocalStorage::new(storage_dir.path()), fail_on_put_index);
    harness_inner(pool, Arc::new(flaky), storage_dir)
}
/// Assembles the test `AppState` around the given pool and storage backend and
/// wraps the resulting router, together with the temp dir, in a [`Harness`].
fn harness_inner(pool: PgPool, storage: Arc<dyn Storage>, storage_dir: TempDir) -> Harness {
    // `cookie_secure` is forced off for tests; every other auth setting keeps
    // its default. NOTE(review): presumably this controls the cookie `Secure`
    // attribute, in which case cookie-attribute assertions made through this
    // harness do not reflect a production configuration — confirm.
    let auth = AuthConfig { cookie_secure: false, ..AuthConfig::default() };

    // Keep file caps small in tests so the size-cap path is cheap to exercise
    // without producing tens of MBs of bytes.
    let upload = UploadConfig {
        max_request_bytes: 4 * 1024 * 1024,
        max_file_bytes: 256 * 1024,
    };

    let state = AppState { db: pool, storage, auth, upload };
    Harness { app: router(state), _storage_dir: storage_dir }
}
/// Fault-injecting storage for tests: wraps a `LocalStorage` and fails one
/// chosen `put` call so tests can assert that handlers roll their DB writes
/// back when storage errors mid-upload. All other operations go to `inner`.
pub struct FailingStorage {
    // Real backend that receives every call that is not failed on purpose.
    inner: LocalStorage,
    // Number of `put` calls observed so far.
    counter: AtomicUsize,
    // 0-indexed `put` call that returns the injected error.
    fail_on_put_index: usize,
}
impl FailingStorage {
    /// Wraps `inner` so that the `fail_on_put_index`-th `put` (0-indexed)
    /// fails. The call counter starts at zero.
    pub fn new(inner: LocalStorage, fail_on_put_index: usize) -> Self {
        let counter = AtomicUsize::new(0);
        Self { inner, counter, fail_on_put_index }
    }
}
#[async_trait]
impl Storage for FailingStorage {
    /// Counts the call, then either returns the injected I/O error (when the
    /// pre-increment count equals `fail_on_put_index`) or forwards the write
    /// to `inner`. Calls before and after the chosen index are delegated.
    async fn put(&self, key: &str, bytes: &[u8]) -> Result<(), StorageError> {
        let call_index = self.counter.fetch_add(1, Ordering::SeqCst);
        if call_index != self.fail_on_put_index {
            return self.inner.put(key, bytes).await;
        }
        let injected = std::io::Error::other("FailingStorage: injected put failure");
        Err(StorageError::Io(injected))
    }

    /// Delegates to `inner` unchanged.
    async fn get(&self, key: &str) -> Result<Vec<u8>, StorageError> {
        let backend = &self.inner;
        backend.get(key).await
    }

    /// Delegates to `inner` unchanged.
    async fn get_stream(&self, key: &str) -> Result<StreamingFile, StorageError> {
        let backend = &self.inner;
        backend.get_stream(key).await
    }

    /// Delegates to `inner` unchanged.
    async fn delete(&self, key: &str) -> Result<(), StorageError> {
        let backend = &self.inner;
        backend.delete(key).await
    }

    /// Delegates to `inner` unchanged.
    async fn exists(&self, key: &str) -> Result<bool, StorageError> {
        let backend = &self.inner;
        backend.exists(key).await
    }
}
/// Reads the whole response body and parses it as JSON.
///
/// # Panics
/// Panics if the body cannot be collected, or with "body is JSON" if the
/// bytes are not valid JSON.
pub async fn body_json(response: axum::response::Response) -> serde_json::Value {
    let collected = response.into_body().collect().await.unwrap();
    let raw = collected.to_bytes();
    serde_json::from_slice(&raw).expect("body is JSON")
}
/// Builds a request for `uri` with an empty body and no credentials; the
/// method is left at the builder's default.
pub fn get(uri: &str) -> Request<Body> {
    let builder = Request::builder().uri(uri);
    builder.body(Body::empty()).unwrap()
}
/// Builds an empty-bodied request for `uri` that sends `cookie` verbatim as
/// the `Cookie` header (pass a `name=value` pair).
pub fn get_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
    let builder = Request::builder().uri(uri).header(header::COOKIE, cookie);
    builder.body(Body::empty()).unwrap()
}
/// Builds an empty-bodied request for `uri` that authenticates with
/// `Authorization: Bearer <token>`.
pub fn get_with_bearer(uri: &str, token: &str) -> Request<Body> {
    let authorization = format!("Bearer {token}");
    let builder = Request::builder().uri(uri).header(header::AUTHORIZATION, authorization);
    builder.body(Body::empty()).unwrap()
}
/// Builds an unauthenticated POST to `uri` whose body is `body` serialized as
/// JSON, with `Content-Type: application/json`.
pub fn post_json(uri: &str, body: serde_json::Value) -> Request<Body> {
    let payload = Body::from(body.to_string());
    let builder = Request::builder()
        .method("POST")
        .uri(uri)
        .header(header::CONTENT_TYPE, "application/json");
    builder.body(payload).unwrap()
}
/// Builds a JSON POST to `uri` that also sends `cookie` verbatim as the
/// `Cookie` header.
pub fn post_json_with_cookie(
    uri: &str,
    body: serde_json::Value,
    cookie: &str,
) -> Request<Body> {
    let payload = Body::from(body.to_string());
    let builder = Request::builder()
        .method("POST")
        .uri(uri)
        .header(header::CONTENT_TYPE, "application/json")
        .header(header::COOKIE, cookie);
    builder.body(payload).unwrap()
}
/// Builds a JSON POST to `uri` that authenticates with
/// `Authorization: Bearer <token>`.
pub fn post_json_with_bearer(
    uri: &str,
    body: serde_json::Value,
    token: &str,
) -> Request<Body> {
    let authorization = format!("Bearer {token}");
    let payload = Body::from(body.to_string());
    let builder = Request::builder()
        .method("POST")
        .uri(uri)
        .header(header::CONTENT_TYPE, "application/json")
        .header(header::AUTHORIZATION, authorization);
    builder.body(payload).unwrap()
}
/// Builds an unauthenticated PATCH to `uri` whose body is `body` serialized as
/// JSON, with `Content-Type: application/json`.
pub fn patch_json(uri: &str, body: serde_json::Value) -> Request<Body> {
    let payload = Body::from(body.to_string());
    let builder = Request::builder()
        .method("PATCH")
        .uri(uri)
        .header(header::CONTENT_TYPE, "application/json");
    builder.body(payload).unwrap()
}
/// Builds a JSON PATCH to `uri` that also sends `cookie` verbatim as the
/// `Cookie` header.
pub fn patch_json_with_cookie(
    uri: &str,
    body: serde_json::Value,
    cookie: &str,
) -> Request<Body> {
    let payload = Body::from(body.to_string());
    let builder = Request::builder()
        .method("PATCH")
        .uri(uri)
        .header(header::CONTENT_TYPE, "application/json")
        .header(header::COOKIE, cookie);
    builder.body(payload).unwrap()
}
/// Builds an empty-bodied DELETE to `uri` that sends `cookie` verbatim as the
/// `Cookie` header.
pub fn delete_with_cookie(uri: &str, cookie: &str) -> Request<Body> {
    let builder = Request::builder()
        .method("DELETE")
        .uri(uri)
        .header(header::COOKIE, cookie);
    builder.body(Body::empty()).unwrap()
}
/// Returns the `mangalord_session` cookie set by `response` as a `name=value`
/// pair ready to be sent back in a `Cookie` request header, or `None` when no
/// `Set-Cookie` header starts with that name.
///
/// Everything from the first `;` onward is cut off, so the cookie's attributes
/// are not part of the result; a test that needs to assert on them has to read
/// the `Set-Cookie` header itself. Header values that are not valid visible
/// ASCII are skipped.
pub fn extract_session_cookie(response: &axum::response::Response) -> Option<String> {
    response
        .headers()
        .get_all(header::SET_COOKIE)
        .iter()
        .filter_map(|value| value.to_str().ok())
        .find(|raw| raw.starts_with("mangalord_session="))
        // `split` always yields a first piece: the text before the first `;`,
        // or the whole value when there is none.
        .map(|raw| raw.split(';').next().unwrap_or(raw).to_string())
}
/// Hand-rolled `multipart/form-data` body builder for tests. Real clients
/// would use a real library; this small one keeps the test crate free of
/// http-client dependencies.
pub struct MultipartBuilder {
    // Boundary token, stored without the leading `--`.
    boundary: String,
    // Encoded parts accumulated so far; the closing boundary is not included.
    body: Vec<u8>,
}
impl Default for MultipartBuilder {
    /// Same as [`MultipartBuilder::new`]: an empty body with a fresh boundary.
    fn default() -> Self {
        MultipartBuilder::new()
    }
}
impl MultipartBuilder {
    /// Starts an empty body with a per-instance boundary derived from a v4 UUID.
    pub fn new() -> Self {
        let unique = uuid::Uuid::new_v4().simple();
        Self {
            boundary: format!("----mangalord-test-{unique}"),
            body: Vec::new(),
        }
    }

    /// Appends a part named `name` holding `value` serialized as JSON, with
    /// `Content-Type: application/json` and no filename.
    pub fn add_json(mut self, name: &str, value: serde_json::Value) -> Self {
        self.write_part_header(name, None, Some("application/json"));
        let encoded = value.to_string();
        self.body.extend_from_slice(encoded.as_bytes());
        self.body.extend_from_slice(b"\r\n");
        self
    }

    /// Appends a file part named `name` with the given `filename`,
    /// `content_type` and raw `bytes`.
    ///
    /// `content_type` is whatever the test claims; nothing here checks it
    /// against `bytes`.
    pub fn add_file(
        mut self,
        name: &str,
        filename: &str,
        content_type: &str,
        bytes: &[u8],
    ) -> Self {
        self.write_part_header(name, Some(filename), Some(content_type));
        self.body.extend_from_slice(bytes);
        self.body.extend_from_slice(b"\r\n");
        self
    }

    /// Writes the boundary line and the headers of one part, followed by the
    /// blank line that separates headers from content.
    ///
    /// `name`, `filename` and `ct` are interpolated verbatim: no quoting or
    /// escaping is applied, so a `"` or CR/LF in any of them changes the
    /// structure of the part. Tests that pass such values get exactly those
    /// bytes on the wire.
    fn write_part_header(
        &mut self,
        name: &str,
        filename: Option<&str>,
        ct: Option<&str>,
    ) {
        let boundary_line = format!("--{}\r\n", self.boundary);
        self.body.extend_from_slice(boundary_line.as_bytes());

        let disposition = match filename {
            Some(fname) => format!(
                "Content-Disposition: form-data; name=\"{name}\"; filename=\"{fname}\"\r\n"
            ),
            None => format!("Content-Disposition: form-data; name=\"{name}\"\r\n"),
        };
        self.body.extend_from_slice(disposition.as_bytes());

        if let Some(ct) = ct {
            let content_type_line = format!("Content-Type: {ct}\r\n");
            self.body.extend_from_slice(content_type_line.as_bytes());
        }
        self.body.extend_from_slice(b"\r\n");
    }

    /// Appends the closing boundary and returns `(boundary, body)`; the
    /// boundary is what the request's `Content-Type` header must advertise.
    fn finalize(self) -> (String, Vec<u8>) {
        let Self { boundary, mut body } = self;
        body.extend_from_slice(format!("--{boundary}--\r\n").as_bytes());
        (boundary, body)
    }
}
/// Finalizes `builder` and wraps it in an unauthenticated POST to `uri` with
/// the matching `multipart/form-data; boundary=...` content type.
pub fn post_multipart(uri: &str, builder: MultipartBuilder) -> Request<Body> {
    let (boundary, body) = builder.finalize();
    let content_type = format!("multipart/form-data; boundary={boundary}");
    let request = Request::builder()
        .method("POST")
        .uri(uri)
        .header(header::CONTENT_TYPE, content_type);
    request.body(Body::from(body)).unwrap()
}
/// Finalizes `builder` and wraps it in a multipart POST to `uri` that also
/// sends `cookie` verbatim as the `Cookie` header.
pub fn post_multipart_with_cookie(
    uri: &str,
    builder: MultipartBuilder,
    cookie: &str,
) -> Request<Body> {
    let (boundary, body) = builder.finalize();
    let content_type = format!("multipart/form-data; boundary={boundary}");
    let request = Request::builder()
        .method("POST")
        .uri(uri)
        .header(header::CONTENT_TYPE, content_type)
        .header(header::COOKIE, cookie);
    request.body(Body::from(body)).unwrap()
}
/// PNG file header bytes — enough for `infer` to identify the type.
///
/// This is the 8-byte PNG signature followed by four zero bytes, not a
/// decodable image: it exercises type sniffing only.
pub fn fake_png_bytes() -> Vec<u8> {
    b"\x89PNG\r\n\x1a\n\0\0\0\0".to_vec()
}
/// JPEG file header bytes — enough for `infer` to identify the type.
///
/// Only the leading marker bytes and the `JFIF` tag are present, so this is
/// not a decodable image: it exercises type sniffing only.
pub fn fake_jpeg_bytes() -> Vec<u8> {
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x00".to_vec()
}
/// Creates a manga titled `title` through `POST /api/v1/mangas`, authenticated
/// with `cookie`, and returns the id from the response body. For tests that
/// need a manga to exist before they exercise chapters and similar.
///
/// # Panics
/// Panics if the request fails, the status is not 201 Created, or the body has
/// no string `id` that parses as a UUID.
pub async fn seed_manga_via_api(app: &Router, cookie: &str, title: &str) -> uuid::Uuid {
    let form = MultipartBuilder::new().add_json("metadata", serde_json::json!({ "title": title }));
    let request = post_multipart_with_cookie("/api/v1/mangas", form, cookie);
    let resp = app.clone().oneshot(request).await.unwrap();
    assert_eq!(
        resp.status(),
        axum::http::StatusCode::CREATED,
        "seed_manga_via_api failed"
    );

    let body = body_json(resp).await;
    let id = body["id"].as_str().unwrap();
    uuid::Uuid::parse_str(id).unwrap()
}
/// Registers a fresh user through `POST /api/v1/auth/register` and returns
/// `(username, cookie)`, where `cookie` is the `name=value` session pair taken
/// from the response by `extract_session_cookie`.
///
/// The username is unique per call so tests can run in parallel against a
/// single DB without colliding. Every user gets the same fixed test password,
/// `hunter2hunter2`; tests that log in again or change the password rely on
/// that value.
///
/// # Panics
/// Panics if the request fails, the status is not 201 Created, or no session
/// cookie is set.
pub async fn register_user(app: &Router) -> (String, String) {
    // 12-hex-digit suffix keeps the username under the 32-char cap.
    let hex = uuid::Uuid::new_v4().simple().to_string();
    let suffix = &hex[..12];
    let username = format!("u-{suffix}");

    let request = post_json(
        "/api/v1/auth/register",
        json!({ "username": username, "password": "hunter2hunter2" }),
    );
    let resp = app.clone().oneshot(request).await.unwrap();
    assert_eq!(
        resp.status(),
        axum::http::StatusCode::CREATED,
        "register failed in test harness"
    );

    let cookie = extract_session_cookie(&resp).expect("session cookie on register");
    (username, cookie)
}