383cfbed3b
Adds the full auth flow. Reads stay public; writes (currently only POST
/api/v1/mangas) require a CurrentUser. Both browsers and bot scripts hit
the same endpoints — they just present credentials differently.
Migration 0002_auth.sql introduces users.password_hash, a sessions
table, and an api_tokens table. Sessions and api_tokens store only
sha256(raw_token) — the raw value lives in the cookie or the
Authorization header.
New endpoints under /api/v1/auth/:
- POST /register — argon2id hash, creates a session, sets cookie.
- POST /login — verifies, rotates to a fresh session (old ones expire
naturally so other devices stay signed in).
- POST /logout — deletes the server-side session row + clears the
cookie via Max-Age=0.
- GET /me — current user via the new CurrentUser extractor.
- POST /tokens — issue a bot bearer token; raw value returned exactly
once at creation.
- DELETE /tokens/{id} — owner-only: 404 if unknown, 403 if it exists
but belongs to another user, 204 on success.
The CurrentUser axum extractor resolves cookie first, then
Authorization: Bearer; failure → AppError::Unauthenticated (401). New
AppError variants Unauthenticated/Forbidden/Conflict carry the matching
envelope codes; the top-level match in `code()` stays exhaustive.
Backend integration coverage in tests/api_auth.rs: register sets a
HttpOnly SameSite=Lax cookie and never leaks password_hash; duplicate
username → 409; weak password → 400; login rotates the cookie; wrong
password / unknown user → 401; /me with vs without cookie; logout
invalidates the cookie; bot-token roundtrip via Bearer; user A cannot
delete user B's token (403); unknown delete → 404.
Frontend:
- lib/api/auth.ts — typed wrappers; me() returns null on 401.
- lib/session.svelte.ts — per-tab user state with a seq counter to
guard against an in-flight /me clobbering a fresh setUser.
- lib/api/client.ts — request<T> returns undefined for 204.
- routes/login + routes/register — forms with action="javascript:void(0)"
so the no-JS path is a no-op (avoids the hydration-race where a
pre-attach click would submit via the browser default).
- routes/+layout.svelte — session-aware nav: spinner → user + Logout,
or Login / Register.
- e2e/auth-flow.spec.ts — login flips the layout, logout flips back;
bad credentials surface the API error message.
Config grows AuthConfig (cookie_secure, cookie_domain, session_ttl_days)
and CORS_ALLOWED_ORIGINS. CORS middleware is mounted in app::build and
stays a no-op (same-origin) until origins are listed.
Lockstep version bump to 0.3.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
143 lines
4.9 KiB
TypeScript
143 lines
4.9 KiB
TypeScript
import {
|
|
describe,
|
|
it,
|
|
expect,
|
|
vi,
|
|
beforeEach,
|
|
afterEach,
|
|
type MockInstance
|
|
} from 'vitest';
|
|
import {
|
|
register,
|
|
login,
|
|
logout,
|
|
me,
|
|
createToken,
|
|
deleteToken
|
|
} from './auth';
|
|
|
|
function ok(body: unknown, status = 200): Response {
|
|
return new Response(JSON.stringify(body), {
|
|
status,
|
|
headers: { 'content-type': 'application/json' }
|
|
});
|
|
}
|
|
|
|
function noContent(): Response {
|
|
return new Response(null, { status: 204 });
|
|
}
|
|
|
|
function envelope(status: number, code: string, message: string): Response {
|
|
return new Response(JSON.stringify({ error: { code, message } }), {
|
|
status,
|
|
headers: { 'content-type': 'application/json' }
|
|
});
|
|
}
|
|
|
|
const userFixture = {
|
|
id: 'user-1',
|
|
username: 'alice',
|
|
created_at: '2026-01-01T00:00:00Z'
|
|
};
|
|
|
|
describe('auth api client', () => {
|
|
let fetchSpy: MockInstance<typeof globalThis.fetch>;
|
|
|
|
beforeEach(() => {
|
|
fetchSpy = vi.spyOn(globalThis, 'fetch');
|
|
});
|
|
afterEach(() => {
|
|
vi.restoreAllMocks();
|
|
});
|
|
|
|
it('register POSTs JSON to /v1/auth/register and returns the user', async () => {
|
|
fetchSpy.mockResolvedValueOnce(ok({ user: userFixture }, 201));
|
|
const user = await register({ username: 'alice', password: 'hunter2hunter2' });
|
|
expect(user).toEqual(userFixture);
|
|
const url = fetchSpy.mock.calls[0][0] as string;
|
|
expect(url).toMatch(/\/v1\/auth\/register$/);
|
|
const init = fetchSpy.mock.calls[0][1] as RequestInit;
|
|
expect(init.method).toBe('POST');
|
|
expect(JSON.parse(init.body as string)).toEqual({
|
|
username: 'alice',
|
|
password: 'hunter2hunter2'
|
|
});
|
|
});
|
|
|
|
it('register surfaces 409 conflict via ApiError.code', async () => {
|
|
fetchSpy.mockResolvedValueOnce(envelope(409, 'conflict', 'username is already taken'));
|
|
await expect(
|
|
register({ username: 'alice', password: 'hunter2hunter2' })
|
|
).rejects.toMatchObject({ status: 409, code: 'conflict' });
|
|
});
|
|
|
|
it('login POSTs JSON to /v1/auth/login and returns the user', async () => {
|
|
fetchSpy.mockResolvedValueOnce(ok({ user: userFixture }));
|
|
const user = await login({ username: 'alice', password: 'hunter2hunter2' });
|
|
expect(user).toEqual(userFixture);
|
|
const url = fetchSpy.mock.calls[0][0] as string;
|
|
expect(url).toMatch(/\/v1\/auth\/login$/);
|
|
});
|
|
|
|
it('login surfaces 401 unauthenticated via ApiError.code', async () => {
|
|
fetchSpy.mockResolvedValueOnce(envelope(401, 'unauthenticated', 'unauthenticated'));
|
|
await expect(
|
|
login({ username: 'alice', password: 'wrong' })
|
|
).rejects.toMatchObject({ status: 401, code: 'unauthenticated' });
|
|
});
|
|
|
|
it('logout POSTs to /v1/auth/logout and handles 204', async () => {
|
|
fetchSpy.mockResolvedValueOnce(noContent());
|
|
await expect(logout()).resolves.toBeUndefined();
|
|
const url = fetchSpy.mock.calls[0][0] as string;
|
|
expect(url).toMatch(/\/v1\/auth\/logout$/);
|
|
const init = fetchSpy.mock.calls[0][1] as RequestInit;
|
|
expect(init.method).toBe('POST');
|
|
});
|
|
|
|
it('me returns the user on 200', async () => {
|
|
fetchSpy.mockResolvedValueOnce(ok({ user: userFixture }));
|
|
await expect(me()).resolves.toEqual(userFixture);
|
|
});
|
|
|
|
it('me returns null on 401 (anonymous user)', async () => {
|
|
fetchSpy.mockResolvedValueOnce(envelope(401, 'unauthenticated', 'unauthenticated'));
|
|
await expect(me()).resolves.toBeNull();
|
|
});
|
|
|
|
it('me re-throws non-401 errors', async () => {
|
|
fetchSpy.mockResolvedValueOnce(envelope(500, 'internal_error', 'internal error'));
|
|
await expect(me()).rejects.toMatchObject({ status: 500 });
|
|
});
|
|
|
|
it('createToken POSTs to /v1/auth/tokens and returns CreatedToken with bearer', async () => {
|
|
fetchSpy.mockResolvedValueOnce(
|
|
ok(
|
|
{
|
|
id: 't1',
|
|
user_id: 'user-1',
|
|
name: 'ci-bot',
|
|
created_at: '2026-01-01T00:00:00Z',
|
|
last_used_at: null,
|
|
bearer: 'raw-token-abc'
|
|
},
|
|
201
|
|
)
|
|
);
|
|
const t = await createToken('ci-bot');
|
|
expect(t.name).toBe('ci-bot');
|
|
expect(t.bearer).toBe('raw-token-abc');
|
|
const url = fetchSpy.mock.calls[0][0] as string;
|
|
expect(url).toMatch(/\/v1\/auth\/tokens$/);
|
|
});
|
|
|
|
it('deleteToken DELETEs to /v1/auth/tokens/{id} and handles 204', async () => {
|
|
fetchSpy.mockResolvedValueOnce(noContent());
|
|
await expect(deleteToken('t1')).resolves.toBeUndefined();
|
|
const url = fetchSpy.mock.calls[0][0] as string;
|
|
expect(url).toMatch(/\/v1\/auth\/tokens\/t1$/);
|
|
const init = fetchSpy.mock.calls[0][1] as RequestInit;
|
|
expect(init.method).toBe('DELETE');
|
|
});
|
|
});
|