GW_MC/YANPM
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: GW_MC:documentation
Branches Tags
GW_MC:master GW_MC:feature/upstream-service GW_MC:feature/agent-client GW_MC:feature/agent GW_MC:feature/frontend-login GW_MC:documentation
..
compare: GW_MC:86fb222d187f70cd11f8cc3862930a0452665662
Branches Tags
GW_MC:master GW_MC:feature/upstream-service GW_MC:feature/agent-client GW_MC:feature/agent GW_MC:feature/frontend-login GW_MC:documentation

16 Commits
documentat ... 86fb222d18

Author SHA1 Message Date
GW_MC
86fb222d18 added serving openapi options 2025-12-18 22:19:16 +08:00
GW_MC
08b1a055a4 feat: add admin user initialization endpoint with request handling 2025-12-18 22:10:50 +08:00
GW_MC
8f2193bed2 Fix invalid query for settings and users 2025-12-18 22:10:10 +08:00
GW_MC
ed4a091d6e update swagger and api-client 2025-12-18 18:26:27 +08:00
GW_MC
ccd8bc7aa1 Include require auth middleware and login route 2025-12-18 18:26:10 +08:00
GW_MC
b0c11c7c67 feat: add admin initialization and database migration tasks 2025-12-15 15:54:52 +08:00
GW_MC
3354154b87 feat: implement authentication module with JWT support and user management 2025-12-15 15:54:16 +08:00
GW_MC
1233f3b736 fix: implement Display trait for ServiceError enum 2025-12-15 15:50:43 +08:00
GW_MC
b17d111c5d remove unused session table 2025-12-15 14:20:28 +08:00
GW_MC
9447b64a76 feat: add argon2, jsonwebtoken, and update uuid dependencies 2025-12-07 21:35:50 +08:00
GW_MC
6cd37d6758 use ref of transaction 2025-12-07 21:35:10 +08:00
GW_MC
6a88e401f6 Add debug and BadRequest error 2025-12-07 21:33:01 +08:00
GW_MC
30e500ec44 Added macro for handling both transaction and pooled connection 2025-12-07 19:09:37 +08:00
GW_MC
e758452509 Include user table, identity and session table 2025-12-07 19:08:22 +08:00
GW_MC
9c139d6007 refactor: replace IntoServiceError trait with direct ServiceError conversions 2025-12-07 14:40:11 +08:00
GW_MC
ce404670d6 Merge pull request 'Basic Documentation' (#8) from documentation into master
All checks were successful
Verify / verify-generated-code (push) Successful in 53s
Details
Verify / verify-openapi-spec (push) Successful in 6s
Details
Verify / verify-frontend-api-client (push) Successful in 8s
Details
Test / test-frontend (push) Successful in 21s
Details
Test / frontend-build (push) Successful in 24s
Details
Test / lint (push) Successful in 1m9s
Details
Test / test (push) Successful in 1m14s
Details 
Reviewed-on: #8
 2025-12-05 22:50:20 +08:00
45 changed files with 2433 additions and 74 deletions
Expand all files Collapse all files

373
Cargo.lock generated
View File

@@ -93,6 +93,18 @@ dependencies = [
"windows-sys 0.60.2",
]
[[package]]
name = "argon2"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072"
dependencies = [
"base64ct",
"blake2",
"cpufeatures",
"password-hash",
]
[[package]]
name = "arraydeque"
version = "0.5.1"
@@ -212,6 +224,28 @@ dependencies = [
"tracing",
]
[[package]]
name = "axum-extra"
version = "0.12.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dbfe9f610fe4e99cf0cfcd03ccf8c63c28c616fe714d80475ef731f3b13dd21b"
dependencies = [
"axum",
"axum-core",
"bytes",
"cookie",
"futures-core",
"futures-util",
"http",
"http-body",
"http-body-util",
"mime",
"pin-project-lite",
"tower-layer",
"tower-service",
"tracing",
]
[[package]]
name = "axum-macros"
version = "0.5.0"
@@ -223,6 +257,12 @@ dependencies = [
"syn 2.0.110",
]
[[package]]
name = "base16ct"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"
[[package]]
name = "base64"
version = "0.21.7"
@@ -282,6 +322,15 @@ dependencies = [
"wyz",
]
[[package]]
name = "blake2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
dependencies = [
"digest",
]
[[package]]
name = "block-buffer"
version = "0.10.4"
@@ -580,6 +629,17 @@ dependencies = [
"unicode-segmentation",
]
[[package]]
name = "cookie"
version = "0.18.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
dependencies = [
"percent-encoding",
"time",
"version_check",
]
[[package]]
name = "core-foundation"
version = "0.9.4"
@@ -651,6 +711,18 @@ version = "0.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "460fbee9c2c2f33933d720630a6a0bac33ba7053db5344fac858d4b8952d77d5"
[[package]]
name = "crypto-bigint"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
dependencies = [
"generic-array",
"rand_core 0.6.4",
"subtle",
"zeroize",
]
[[package]]
name = "crypto-common"
version = "0.1.7"
@@ -661,6 +733,33 @@ dependencies = [
"typenum",
]
[[package]]
name = "curve25519-dalek"
version = "4.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
dependencies = [
"cfg-if",
"cpufeatures",
"curve25519-dalek-derive",
"digest",
"fiat-crypto",
"rustc_version",
"subtle",
"zeroize",
]
[[package]]
name = "curve25519-dalek-derive"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
dependencies = [
"proc-macro2",
"quote",
"syn 2.0.110",
]
[[package]]
name = "darling"
version = "0.20.11"
@@ -841,6 +940,44 @@ version = "1.0.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0881ea181b1df73ff77ffaaf9c7544ecc11e82fba9b5f27b262a3c73a332555"
[[package]]
name = "ecdsa"
version = "0.16.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
dependencies = [
"der",
"digest",
"elliptic-curve",
"rfc6979",
"signature",
"spki",
]
[[package]]
name = "ed25519"
version = "2.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
dependencies = [
"pkcs8",
"signature",
]
[[package]]
name = "ed25519-dalek"
version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
dependencies = [
"curve25519-dalek",
"ed25519",
"serde",
"sha2",
"subtle",
"zeroize",
]
[[package]]
name = "either"
version = "1.15.0"
@@ -850,6 +987,27 @@ dependencies = [
"serde",
]
[[package]]
name = "elliptic-curve"
version = "0.13.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
dependencies = [
"base16ct",
"crypto-bigint",
"digest",
"ff",
"generic-array",
"group",
"hkdf",
"pem-rfc7468",
"pkcs8",
"rand_core 0.6.4",
"sec1",
"subtle",
"zeroize",
]
[[package]]
name = "encoding_rs"
version = "0.8.35"
@@ -925,6 +1083,22 @@ version = "2.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37909eebbb50d72f9059c3b6d82c0463f2ff062c9e95845c43a6c9c0355411be"
[[package]]
name = "ff"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
dependencies = [
"rand_core 0.6.4",
"subtle",
]
[[package]]
name = "fiat-crypto"
version = "0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
[[package]]
name = "filetime"
version = "0.2.26"
@@ -1104,6 +1278,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
"zeroize",
]
[[package]]
@@ -1135,6 +1310,17 @@ version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280"
[[package]]
name = "group"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
dependencies = [
"ff",
"rand_core 0.6.4",
"subtle",
]
[[package]]
name = "h2"
version = "0.4.12"
@@ -1612,6 +1798,29 @@ dependencies = [
"serde",
]
[[package]]
name = "jsonwebtoken"
version = "10.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c76e1c7d7df3e34443b3621b459b066a7b79644f059fc8b2db7070c825fd417e"
dependencies = [
"base64 0.22.1",
"ed25519-dalek",
"getrandom 0.2.16",
"hmac",
"js-sys",
"p256",
"p384",
"pem",
"rand 0.8.5",
"rsa",
"serde",
"serde_json",
"sha2",
"signature",
"simple_asn1",
]
[[package]]
name = "lazy_static"
version = "1.5.0"
@@ -1797,7 +2006,7 @@ dependencies = [
"num-integer",
"num-iter",
"num-traits",
"rand",
"rand 0.8.5",
"smallvec",
"zeroize",
]
@@ -1937,6 +2146,30 @@ dependencies = [
"syn 2.0.110",
]
[[package]]
name = "p256"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
dependencies = [
"ecdsa",
"elliptic-curve",
"primeorder",
"sha2",
]
[[package]]
name = "p384"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
dependencies = [
"ecdsa",
"elliptic-curve",
"primeorder",
"sha2",
]
[[package]]
name = "parking"
version = "2.2.1"
@@ -1991,6 +2224,17 @@ dependencies = [
"syn 2.0.110",
]
[[package]]
name = "password-hash"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
dependencies = [
"base64ct",
"rand_core 0.6.4",
"subtle",
]
[[package]]
name = "path-clean"
version = "1.0.1"
@@ -2003,6 +2247,16 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
[[package]]
name = "pem"
version = "3.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
dependencies = [
"base64 0.22.1",
"serde_core",
]
[[package]]
name = "pem-rfc7468"
version = "0.7.0"
@@ -2153,6 +2407,15 @@ dependencies = [
"syn 2.0.110",
]
[[package]]
name = "primeorder"
version = "0.13.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
dependencies = [
"elliptic-curve",
]
[[package]]
name = "proc-macro-crate"
version = "3.4.0"
@@ -2254,8 +2517,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
"rand_chacha 0.3.1",
"rand_core 0.6.4",
]
[[package]]
name = "rand"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6db2770f06117d490610c7488547d543617b21bfa07796d7a12f6f1bd53850d1"
dependencies = [
"rand_chacha 0.9.0",
"rand_core 0.9.3",
]
[[package]]
@@ -2265,7 +2538,17 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
"rand_core 0.6.4",
]
[[package]]
name = "rand_chacha"
version = "0.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3022b5f1df60f26e1ffddd6c66e8aa15de382ae63b3a0c1bfc0e4d3e3f325cb"
dependencies = [
"ppv-lite86",
"rand_core 0.9.3",
]
[[package]]
@@ -2277,6 +2560,15 @@ dependencies = [
"getrandom 0.2.16",
]
[[package]]
name = "rand_core"
version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99d9a13982dcf210057a8a78572b2217b667c3beacbf3a0d8b454f6f82837d38"
dependencies = [
"getrandom 0.3.4",
]
[[package]]
name = "redox_syscall"
version = "0.3.5"
@@ -2353,6 +2645,16 @@ dependencies = [
"bytecheck",
]
[[package]]
name = "rfc6979"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
dependencies = [
"hmac",
"subtle",
]
[[package]]
name = "ring"
version = "0.17.14"
@@ -2423,7 +2725,7 @@ dependencies = [
"num-traits",
"pkcs1",
"pkcs8",
"rand_core",
"rand_core 0.6.4",
"signature",
"spki",
"subtle",
@@ -2450,12 +2752,21 @@ dependencies = [
"borsh",
"bytes",
"num-traits",
"rand",
"rand 0.8.5",
"rkyv",
"serde",
"serde_json",
]
[[package]]
name = "rustc_version"
version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92"
dependencies = [
"semver",
]
[[package]]
name = "rustix"
version = "1.1.2"
@@ -2765,6 +3076,20 @@ version = "4.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1c107b6f4780854c8b126e228ea8869f4d7b71260f962fefb57b996b8959ba6b"
[[package]]
name = "sec1"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
dependencies = [
"base16ct",
"der",
"generic-array",
"pkcs8",
"subtle",
"zeroize",
]
[[package]]
name = "security-framework"
version = "2.11.1"
@@ -2801,6 +3126,12 @@ dependencies = [
"libc",
]
[[package]]
name = "semver"
version = "1.0.27"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d767eb0aabc880b29956c35734170f26ed551a859dbd361d140cdbeca61ab1e2"
[[package]]
name = "serde"
version = "1.0.228"
@@ -2987,7 +3318,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
dependencies = [
"digest",
"rand_core",
"rand_core 0.6.4",
]
[[package]]
@@ -2996,6 +3327,18 @@ version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e3a9fe34e3e7a50316060351f37187a3f546bce95496156754b601a5fa71b76e"
[[package]]
name = "simple_asn1"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
dependencies = [
"num-bigint",
"num-traits",
"thiserror",
"time",
]
[[package]]
name = "slab"
version = "0.4.11"
@@ -3164,7 +3507,7 @@ dependencies = [
"memchr",
"once_cell",
"percent-encoding",
"rand",
"rand 0.8.5",
"rsa",
"rust_decimal",
"serde",
@@ -3208,7 +3551,7 @@ dependencies = [
"memchr",
"num-bigint",
"once_cell",
"rand",
"rand 0.8.5",
"rust_decimal",
"serde",
"serde_json",
@@ -3847,12 +4190,14 @@ dependencies = [
[[package]]
name = "uuid"
version = "1.18.1"
version = "1.19.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2f87b8aa10b915a06587d0dec516c282ff295b475d94abf425d62b57710070a2"
checksum = "e2e054861b4bd027cd373e18e8d8d8e6548085000e41290d95ce0c373a654b4a"
dependencies = [
"getrandom 0.3.4",
"js-sys",
"serde",
"rand 0.9.2",
"serde_core",
"wasm-bindgen",
]
@@ -4350,13 +4695,16 @@ checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
name = "yet-another-nginx-proxy-manager"
version = "0.1.0"
dependencies = [
"argon2",
"async-trait",
"axum",
"axum-extra",
"chrono",
"clap",
"config",
"database",
"include_dir",
"jsonwebtoken",
"migration",
"mime_guess",
"once_cell",
@@ -4368,6 +4716,7 @@ dependencies = [
"tracing",
"tracing-subscriber",
"utoipa",
"uuid",
]
[[package]]

7
apps/api/Cargo.toml
View File

@@ -7,7 +7,8 @@ edition = "2024"
database = { path = "../../public/database" }
migration = { path = "../../public/migration" }
axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"]}
axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
axum-extra = { version = "0.12.2", features = ["cookie"] }
async-trait = { version = "0.1.89" }
chrono = { version = "0.4.42", features = ["clock", "std", "oldtime", "wasmbind", "serde"] }
config = { version = "0.15.19", features = ["toml", "json", "yaml", "ini", "ron", "json5", "convert-case", "async"] }
@@ -23,3 +24,7 @@ mime_guess = { version = "2.0.5" }
utoipa = { version = "5.4.0", features = ["macros", "axum_extras", "chrono", "decimal", "uuid", "time", "openapi_extensions"] }
clap = { version = "4.5.53" }
once_cell = { version = "1.21.3" }
argon2 = { version = "0.5.3", features = ["std"] }
jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
uuid = { version = "1.19.0", features = ["v4", "serde", "fast-rng"] }

42
apps/api/src/cmd/start_server.rs
View File

@@ -12,7 +12,13 @@ use crate::{
configs::{ProgramSettings, get_program_settings, logging::LoggingSettings},
log,
routes::{self, AppService, AppState},
services::settings::SettingsService,
services::{
auth::{
authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
user::UserServiceImpl,
},
settings::SettingsService,
},
tasks,
};
@@ -58,6 +64,9 @@ pub async fn start_server() {
tasks::startup::run_startup_tasks(&settings)
.await
.inspect_err(|err| {
tracing::error!("Failed to run startup tasks: {}", err);
})
.expect("Failed to run startup tasks");
// setup database connection pool
@@ -78,7 +87,21 @@ pub async fn start_server() {
// build the axum app and run the server...
info!("Starting application...");
let app: Router = routes::get_root_router(Arc::new(get_app_state(&db_connection)));
let mut app: Router =
routes::get_root_router(Arc::new(get_app_state(&db_connection, &settings)));
if settings.server.serve_openapi {
info!("Enabling OpenAPI documentation endpoint at /openapi.json");
app = app.route(
"/openapi.json",
axum::routing::get(|| async {
use utoipa::OpenApi;
let doc = routes::ApiDoc::openapi();
doc.to_pretty_json()
.expect("Failed to serialize OpenAPI doc to JSON")
}),
);
}
let address = format!("{}:{}", settings.server.address, settings.server.port);
info!("Starting server at http://{}", address);
@@ -115,11 +138,24 @@ fn get_global_tracing_subscriber_builder(
}
}
fn get_app_state(db_connection: &Arc<sea_orm::DatabaseConnection>) -> AppState {
fn get_app_state(
db_connection: &Arc<sea_orm::DatabaseConnection>,
settings: &ProgramSettings,
) -> AppState {
AppState {
database_connection: db_connection.clone(),
service: Arc::new(AppService {
settings: Arc::new(SettingsService::new(db_connection.clone())),
auth_state: routes::AuthState {
strategy: routes::AuthStrategy {
password: Arc::new(PasswordStrategy::new(db_connection.clone())),
},
authentication: Arc::new(AuthenticationServiceImpl::new(
settings.auth.jwt_secret.clone(),
)),
user: Arc::new(UserServiceImpl::new(db_connection.clone())),
},
user: Arc::new(UserServiceImpl::new(db_connection.clone())),
}),
}
}

4
apps/api/src/configs.rs
View File

@@ -1,3 +1,4 @@
pub mod auth;
pub mod database;
pub mod logging;
pub mod server;
@@ -17,6 +18,7 @@ pub struct ProgramSettings {
pub logging: logging::LoggingSettings,
pub database: database::DatabaseSettings,
pub server: server::ServerSettings,
pub auth: auth::AuthSettings,
}
impl FromConfig for ProgramSettings {
@@ -25,6 +27,7 @@ impl FromConfig for ProgramSettings {
logging: logging::LoggingSettings::from_config(_config)?,
database: database::DatabaseSettings::from_config(_config)?,
server: server::ServerSettings::from_config(_config)?,
auth: auth::AuthSettings::from_config(_config)?,
};
config.validate()?;
Ok(config)
@@ -34,6 +37,7 @@ impl FromConfig for ProgramSettings {
self.logging.validate()?;
self.database.validate()?;
self.server.validate()?;
self.auth.validate()?;
Ok(())
}
}

51
apps/api/src/configs/auth.rs Normal file
View File

@@ -0,0 +1,51 @@
use config::{Config, ConfigError};
use tracing::warn;
use crate::configs::key::{
AUTH_DEFAULT_ADMIN_PASSWORD_KEY, AUTH_DEFAULT_ADMIN_USERNAME_KEY, AUTH_JWT_SECRET_KEY,
};
use super::FromConfig;
#[derive(Debug, Clone)]
pub struct AuthSettings {
pub jwt_secret: Option<String>,
pub default_admin_username: Option<String>,
pub default_admin_password: Option<String>,
}
impl FromConfig for AuthSettings {
fn from_config(_config: &Config) -> Result<Self, String> {
Ok(AuthSettings {
jwt_secret: _config
.get_string(AUTH_JWT_SECRET_KEY)
.inspect_err(|err| {
match err {
ConfigError::NotFound(_) => {
warn!(
"{} not found in configuration, A random secret will be generated at runtime.",
AUTH_JWT_SECRET_KEY
);
}
_ => {
warn!(
"Failed to read {} from configuration, A random secret will be generated at runtime: {}",
AUTH_JWT_SECRET_KEY, err
);
}
};
})
.ok(),
default_admin_username: _config
.get_string(AUTH_DEFAULT_ADMIN_USERNAME_KEY)
.ok(),
default_admin_password: _config
.get_string(AUTH_DEFAULT_ADMIN_PASSWORD_KEY)
.ok(),
})
}
fn validate(&self) -> Result<(), String> {
Ok(())
}
}

5
apps/api/src/configs/key.rs
View File

@@ -3,7 +3,12 @@ pub(crate) const LOGGING_UTC_KEY: &str = "LOGGING.UTC";
//
pub(crate) const SERVER_ADDRESS_KEY: &str = "SERVER.ADDRESS";
pub(crate) const SERVER_PORT_KEY: &str = "SERVER.PORT";
pub(crate) const SERVER_SERVE_OPENAPI_KEY: &str = "SERVER.SERVE_OPENAPI";
//
pub(crate) const DATABASE_URL_KEY: &str = "DATABASE.URL";
pub(crate) const DATABASE_MAX_CONNECTIONS_KEY: &str = "DATABASE.MAX_CONNECTIONS";
pub(crate) const DATABASE_MIGRATE_ON_STARTUP_KEY: &str = "DATABASE.MIGRATION.MIGRATE_ON_STARTUP";
//
pub(crate) const AUTH_JWT_SECRET_KEY: &str = "AUTH.JWT_SECRET";
pub(crate) const AUTH_DEFAULT_ADMIN_USERNAME_KEY: &str = "AUTH.DEFAULT_ADMIN_USERNAME";
pub(crate) const AUTH_DEFAULT_ADMIN_PASSWORD_KEY: &str = "AUTH.DEFAULT_ADMIN_PASSWORD";

14
apps/api/src/configs/server.rs
View File

@@ -3,6 +3,8 @@ use std::net::IpAddr;
use config::{Config, ConfigError};
use tracing::warn;
use crate::configs::key::SERVER_SERVE_OPENAPI_KEY;
use super::{
FromConfig,
key::{SERVER_ADDRESS_KEY, SERVER_PORT_KEY},
@@ -12,6 +14,7 @@ use super::{
pub struct ServerSettings {
pub address: IpAddr,
pub port: u16,
pub serve_openapi: bool,
}
impl FromConfig for ServerSettings {
@@ -43,6 +46,17 @@ impl FromConfig for ServerSettings {
);
DEFAULT_PORT
}) as u16,
serve_openapi: _config
.get_bool(SERVER_SERVE_OPENAPI_KEY)
.unwrap_or_else(|err| {
const DEFAULT_SERVE_OPENAPI: bool = false;
warn!(
"{} not set or invalid in configuration, defaulting to {}. Error: {}",
SERVER_SERVE_OPENAPI_KEY, DEFAULT_SERVE_OPENAPI, err
);
DEFAULT_SERVE_OPENAPI
}),
})
}

44
apps/api/src/errors/service_error.rs
View File

@@ -1,15 +1,39 @@
pub type ServiceError = Box<dyn std::error::Error + Send + Sync>;
use sea_orm::DbErr;
#[allow(dead_code)] // TODO: remove when used
pub trait IntoServiceError {
fn into_service_error(self) -> ServiceError;
#[derive(Debug)]
pub enum ServiceError {
NotFound(String),
DatabaseError(String),
Unauthorized(String),
InternalError(String),
BadRequest(String),
}
impl<T> IntoServiceError for T
where
T: std::error::Error + Send + Sync + 'static,
{
fn into_service_error(self) -> ServiceError {
Box::new(self)
impl From<Box<dyn std::error::Error + Send + Sync + 'static>> for ServiceError {
fn from(err: Box<dyn std::error::Error + Send + Sync + 'static>) -> Self {
ServiceError::InternalError(err.to_string())
}
}
impl std::fmt::Display for ServiceError {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
match self {
ServiceError::NotFound(msg) => write!(f, "Not Found: {}", msg),
ServiceError::DatabaseError(msg) => write!(f, "Database Error: {}", msg),
ServiceError::Unauthorized(msg) => write!(f, "Unauthorized: {}", msg),
ServiceError::InternalError(msg) => write!(f, "Internal Error: {}", msg),
ServiceError::BadRequest(msg) => write!(f, "Bad Request: {}", msg),
}
}
}
impl std::error::Error for ServiceError {}
impl From<DbErr> for ServiceError {
fn from(err: DbErr) -> Self {
match err {
DbErr::RecordNotFound(msg) => ServiceError::NotFound(msg),
_ => ServiceError::DatabaseError(err.to_string()),
}
}
}

2
apps/api/src/helpers.rs Normal file
View File

@@ -0,0 +1,2 @@
pub mod constants;
pub mod database;

3
apps/api/src/helpers/constants.rs Normal file
View File

@@ -0,0 +1,3 @@
pub const ADMIN_INIT_SECRET_KEY: &str = "admin_init_secret";
//
pub const JWT_COOKIE_NAME: &str = "session_jwt";

13
apps/api/src/helpers/database.rs Normal file
View File

@@ -0,0 +1,13 @@
#[macro_export]
macro_rules! with_conn {
// Usage: with_conn!(&connection, tx_option, ident, |conn|-> { ... })
($conn:expr, $tx:expr, $ident:ident, $body:block) => {{
if let Some(t) = &$tx {
let $ident = t;
$body
} else {
let $ident = &$conn;
$body
}
}};
}

3
apps/api/src/main.rs
View File

@@ -1,6 +1,9 @@
#![forbid(unsafe_code)]
mod cmd;
mod configs;
mod errors;
mod helpers;
mod log;
mod middlewares;
mod routes;

11
apps/api/src/middlewares.rs
View File

@@ -1,16 +1,21 @@
pub mod request_info;
pub mod require_auth;
use std::{sync::Arc, time::Duration};
use axum::{
BoxError, Router,
error_handling::HandleErrorLayer,
http::{Method, StatusCode, Uri},
};
use std::time::Duration;
use tower::{ServiceBuilder, timeout::TimeoutLayer};
use tracing::warn;
use crate::routes::AppState;
pub const TIMEOUT_DURATION_SECS: u64 = 30;
pub fn apply_root_middleware(router: Router) -> Router {
pub fn apply_root_middleware(router: Router, _state: Arc<AppState>) -> Router {
let timeout_layer = TimeoutLayer::new(Duration::from_secs(TIMEOUT_DURATION_SECS));
let service_builder = ServiceBuilder::new()

6
apps/api/src/middlewares/request_info.rs Normal file
View File

@@ -0,0 +1,6 @@
use uuid::Uuid;
#[derive(Clone, Debug)]
pub struct RequestInfo {
pub user_id: Option<Uuid>,
}

68
apps/api/src/middlewares/require_auth.rs Normal file
View File

@@ -0,0 +1,68 @@
use std::sync::Arc;
use axum::{
extract::State,
http::{Request, StatusCode},
middleware::Next,
response::Response,
};
use axum_extra::extract::cookie::CookieJar;
use uuid::Uuid;
use crate::{
errors::service_error::ServiceError, helpers::constants::JWT_COOKIE_NAME,
middlewares::request_info::RequestInfo, routes::AppState,
};
pub async fn require_auth(
cookies: CookieJar,
State(state): State<Arc<AppState>>,
req: Request<axum::body::Body>,
next: Next,
) -> Result<Response, StatusCode> {
// get jwt from cookies
let auth_service = &state.service.auth_state.authentication;
let token = if let Some(cookie) = cookies.get(JWT_COOKIE_NAME) {
cookie.value().to_string()
} else {
return handle_unauthenticated().await;
};
// validate jwt
let is_valid = auth_service.is_valid_jwt(&token, None).await;
let user_id = match is_valid {
Ok(Some(claims)) => claims
.sub
.parse::<Uuid>()
.map_err(|_| StatusCode::UNAUTHORIZED)?,
Ok(None) => return handle_unauthenticated().await,
Err(err) => {
tracing::error!("Error validating JWT: {}", err);
return Err(StatusCode::INTERNAL_SERVER_ERROR);
}
};
// ensure user exists
if let Err(err) = state.service.user.get_user_by_id(user_id, None).await {
match err {
ServiceError::NotFound(_) => return handle_unauthenticated().await,
_ => {
tracing::error!("Error fetching user by ID: {}", err);
return Err(StatusCode::INTERNAL_SERVER_ERROR);
}
}
}
let mut req = req;
let user = req
.extensions_mut()
.get_or_insert_with(|| RequestInfo { user_id: None });
user.user_id = Some(user_id);
Ok(next.run(req).await)
}
async fn handle_unauthenticated() -> Result<Response, StatusCode> {
// TODO: log unauthenticated access attempts
Err(StatusCode::UNAUTHORIZED)
}

33
apps/api/src/routes.rs
View File

@@ -8,7 +8,16 @@ use std::sync::Arc;
use axum::{Extension, Router};
use migration::sea_orm::DatabaseConnection;
use crate::{middlewares, services::settings::SettingsStore};
use crate::{
middlewares,
services::{
auth::{
authentication::{AuthenticationService, strategies::password::PasswordStrategy},
user::UserService,
},
settings::SettingsStore,
},
};
#[derive(Clone)]
pub struct AppState {
@@ -22,21 +31,35 @@ pub struct AppState {
pub type ServiceState<T> = Arc<T>;
pub struct AuthStrategy {
pub password: ServiceState<PasswordStrategy>,
}
pub struct AuthState {
pub strategy: AuthStrategy,
pub authentication: ServiceState<dyn AuthenticationService>,
pub user: ServiceState<dyn UserService>,
}
pub struct AppService {
#[allow(dead_code)] // TODO: remove when used
// #[allow(dead_code)] // TODO: remove when used
pub settings: ServiceState<dyn SettingsStore>,
pub auth_state: AuthState,
// #[allow(dead_code)] // TODO: remove when used
pub user: ServiceState<dyn UserService>,
}
pub fn get_root_router(state: impl Into<Arc<AppState>>) -> Router {
let mut router = Router::new();
let state = state.into();
router = router
.nest("/api", api::get_api_router())
.nest("/api", api::get_api_router(state.clone()))
.merge(view::get_view_router());
router = middlewares::apply_root_middleware(router);
router = middlewares::apply_root_middleware(router, state.clone());
router = router.layer(Extension(state.into()));
router = router.layer(Extension(state.clone()));
router
}

10
apps/api/src/routes/api.rs
View File

@@ -1,13 +1,21 @@
mod auth;
mod health;
mod openapi;
mod restricted;
use std::sync::Arc;
use crate::routes::AppState;
pub use self::openapi::ApiDoc;
use axum::{Router, response::IntoResponse, routing::any};
pub fn get_api_router() -> Router {
pub fn get_api_router(state: Arc<AppState>) -> Router {
Router::new()
.nest("/health", health::get_health_router())
.merge(auth::get_basic_auth_router(state.clone()))
.merge(restricted::get_restricted_router(state.clone()))
// explicit fallback for unmatched API routes
.route("/{*wildcard}", any(api_fallback_handler))
}

18
apps/api/src/routes/api/auth.rs Normal file
View File

@@ -0,0 +1,18 @@
pub mod init_admin;
pub mod login;
use std::sync::Arc;
use axum::{
Router,
routing::{get, post},
};
use crate::routes::AppState;
pub fn get_basic_auth_router(state: Arc<AppState>) -> Router {
Router::new()
.route("/auth/login", post(login::login))
.route("/auth/init_admin", post(init_admin::init_admin))
.with_state(state)
}

143
apps/api/src/routes/api/auth/init_admin.rs Normal file
View File

@@ -0,0 +1,143 @@
use std::sync::Arc;
use axum::{
Json,
extract::State,
http::StatusCode,
response::{IntoResponse, Response},
};
use database::generated::entities::user;
use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, TransactionTrait};
use serde::{Deserialize, Serialize};
use serde_json::{Value, from_value};
use tracing::{debug, error, info, warn};
use crate::{
helpers::constants::ADMIN_INIT_SECRET_KEY,
routes::{AppState, api::openapi::tag::AUTH_TAG},
services::auth::user::NewUser,
};
/// Login request payload
#[derive(Serialize, Deserialize, utoipa::ToSchema)]
pub struct AdminInitRequest {
username: String,
password: String,
// The secret key required to initialize the admin user
setup_secret: String,
}
/// Initializes the admin user
///
/// Initializes the admin user if no admin user exists and the correct setup secret is provided.
#[utoipa::path(
post,
path = "/api/auth/init_admin",
request_body = AdminInitRequest,
responses(
(status = 200, description = "Admin user initialized successfully"),
(status = 400, description = "Invalid request payload"),
(status = 401, description = "Unauthorized: Admin user already exists or invalid setup secret"),
(status = 500, description = "Internal server error"),
),
tag = AUTH_TAG,
)]
pub async fn init_admin(
State(state): State<Arc<AppState>>,
Json(payload): Json<Value>,
) -> Response {
if user::Entity::find()
.filter(user::Column::IsAdmin.eq(true))
.filter(user::Column::IsActive.eq(true))
.one(state.database_connection.as_ref())
.await
.map_err(|err| {
error!("Failed to query for existing admin user: {}", err);
StatusCode::INTERNAL_SERVER_ERROR
})
.unwrap_or(None)
.is_some()
{
warn!("Admin user already exists. Skipping admin initialization.");
return (StatusCode::UNAUTHORIZED).into_response();
}
let init_request: AdminInitRequest = match from_value(payload) {
Ok(req) => req,
Err(e) => {
warn!("Invalid login request: {}", e);
return (StatusCode::BAD_REQUEST).into_response();
}
};
let admin_secret = match state
.service
.settings
.get_setting(ADMIN_INIT_SECRET_KEY)
.await
{
Ok(secret) => secret,
Err(e) => {
error!(
"Failed to retrieve admin initialization secret. Invalid internal state?: {}",
e
);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
};
if init_request.setup_secret != admin_secret {
info!("{},{}", init_request.setup_secret, admin_secret);
warn!("Invalid admin initialization secret provided.");
return (StatusCode::UNAUTHORIZED).into_response();
}
let mut tx = match state.database_connection.begin().await {
Ok(tx) => tx,
Err(e) => {
error!("Failed to start transaction: {}", e);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
};
let user = match state
.service
.user
.create_user(
NewUser {
username: init_request.username,
is_admin: true,
},
Some(&mut tx),
)
.await
{
Ok(user) => user,
Err(e) => {
error!("Failed to initialize admin user: {}", e);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
};
debug!("Created admin user with ID: {}", user.id);
match state
.service
.auth_state
.strategy
.password
.create_identity(user.id, &init_request.password, Some(&mut tx))
.await
{
Ok(_) => {}
Err(e) => {
error!("Failed to create admin user identity: {}", e);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
};
tx.commit().await.unwrap_or_else(|e| {
error!("Failed to commit transaction: {}", e);
});
(StatusCode::OK).into_response()
}

98
apps/api/src/routes/api/auth/login.rs Normal file
View File

@@ -0,0 +1,98 @@
use std::sync::Arc;
use axum::{
Json,
body::Body,
extract::State,
http::{StatusCode, header::SET_COOKIE},
response::{IntoResponse, Response},
};
use serde::{Deserialize, Serialize};
use serde_json::{Value, from_value};
use tracing::{error, warn};
use crate::routes::{AppState, api::openapi::tag::AUTH_TAG};
/// Login request payload
#[derive(Serialize, Deserialize, utoipa::ToSchema)]
pub struct LoginRequest {
username: String,
password: String,
}
/// Login endpoint
///
/// Authenticates a user and returns a JWT in an HttpOnly cookie.
#[utoipa::path(
post,
path = "/api/auth/login",
request_body = LoginRequest,
responses(
(status = 200, description = "User authenticated successfully", body = ()),
(status = 401, description = "Authentication failed"),
(status = 500, description = "Internal server error"),
),
tag = AUTH_TAG,
)]
pub async fn login(State(state): State<Arc<AppState>>, Json(payload): Json<Value>) -> Response {
let login_request: LoginRequest = match from_value(payload) {
Ok(req) => req,
Err(e) => {
warn!("Invalid login request: {}", e);
return (StatusCode::BAD_REQUEST).into_response();
}
};
let user_id = match state
.service
.auth_state
.strategy
.password
.authenticate(&login_request.username, &login_request.password, None)
.await
{
Ok(user_id) => user_id,
Err(e) => {
warn!(
"Authentication failed for user {}: {}",
login_request.username, e
);
return (StatusCode::UNAUTHORIZED).into_response();
}
};
let (jwt, claims) = match state
.service
.auth_state
.authentication
.generate_jwt(user_id, 3600)
.await
{
Ok(token) => token,
Err(e) => {
error!("Error generating JWT for user {}: {}", user_id, e);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
};
let response_builder = Response::builder()
.status(StatusCode::OK)
// add jwt as cookie
.header(
SET_COOKIE,
format!(
"token={}; HttpOnly; Path=/; Max-Age={}; SameSite=Strict;",
jwt,
claims.exp - claims.iat
),
)
.body(Body::from(()));
match response_builder {
Ok(resp) => resp,
Err(e) => {
error!("Error building response: {}", e);
return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
}
}
}

14
apps/api/src/routes/api/openapi.rs
View File

@@ -1,18 +1,26 @@
pub mod tag {
/// Health tag constant
pub const HEALTH_TAG: &str = "Health";
pub const AUTH_TAG: &str = "Authentication";
}
#[derive(utoipa::OpenApi)]
#[openapi(
paths(
crate::routes::api::health::info::get_health_info
crate::routes::api::health::info::get_health_info,
// Authentication paths
crate::routes::api::auth::login::login,
crate::routes::api::auth::init_admin::init_admin,
),
components(
schemas(crate::routes::api::health::info::HealthInfo) // Register any schemas used in your paths
schemas(crate::routes::api::health::info::HealthInfo),
// Authentication schemas
schemas(crate::routes::api::auth::login::LoginRequest),
schemas(crate::routes::api::auth::init_admin::AdminInitRequest),
),
tags(
(name = tag::HEALTH_TAG, description = "Health information API")
(name = tag::HEALTH_TAG, description = "Health information API"),
(name = tag::AUTH_TAG, description = "Authentication API")
)
)]
pub struct ApiDoc;

15
apps/api/src/routes/api/restricted.rs Normal file
View File

@@ -0,0 +1,15 @@
use std::sync::Arc;
use axum::{Router, routing::get};
use crate::{middlewares::require_auth::require_auth, routes::AppState};
pub fn get_restricted_router(state: Arc<AppState>) -> Router {
Router::new()
//
//
.layer(axum::middleware::from_fn_with_state(
state.clone(),
require_auth,
))
}

1
apps/api/src/services.rs
View File

@@ -1 +1,2 @@
pub mod auth;
pub mod settings;

2
apps/api/src/services/auth.rs Normal file
View File

@@ -0,0 +1,2 @@
pub mod authentication;
pub mod user;

274
apps/api/src/services/auth/authentication.rs Normal file
View File

@@ -0,0 +1,274 @@
pub mod strategies;
use std::{collections::HashSet, sync::Arc};
use argon2::password_hash::{SaltString, rand_core::OsRng};
use jsonwebtoken::{
DecodingKey, EncodingKey, Header, Validation, decode, encode,
errors::ErrorKind::{ExpiredSignature, InvalidSubject, InvalidToken},
};
use sea_orm::prelude::Uuid;
use serde::{Deserialize, Serialize};
use tokio::sync::RwLock;
use crate::errors::service_error::ServiceError;
// Number of requests between invalidation cache cleanups
const INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS: usize = 100; // Cleanup every 100 for invalidation checks
#[derive(Serialize, Deserialize, Clone)]
pub struct Claims {
// Subject - user ID
pub sub: String,
// Issued at as UNIX timestamp
pub iat: u64,
// Expiration time as UNIX timestamp
pub exp: u64,
}
#[async_trait::async_trait]
pub trait AuthenticationService: Send + Sync {
async fn generate_jwt(
&self,
user_id: Uuid,
duration_secs: u64,
) -> Result<(String, Claims), ServiceError>;
async fn is_valid_jwt(
&self,
token: &str,
target_sub: Option<String>,
) -> Result<Option<Claims>, ServiceError>;
async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError>;
async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError>;
async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError>;
async fn logout(&self, token: &str) -> Result<(), ServiceError>;
async fn cleanup_invalidation_cache(&self);
}
#[derive(Eq, Hash, PartialEq)]
struct InvalidationEntry {
token: String,
invalidated_at: u64,
valid_until: u64,
}
pub struct AuthenticationServiceImpl {
secret: String,
invalidation_cache: Arc<RwLock<HashSet<InvalidationEntry>>>,
cache_cleanup_counter: Arc<RwLock<usize>>,
}
impl AuthenticationServiceImpl {
pub fn new(secret: Option<String>) -> Self {
let secret = secret.unwrap_or_else(|| {
// generate a random secret if none is provided
SaltString::generate(&mut OsRng).as_str().to_owned()
});
Self {
secret,
invalidation_cache: Arc::new(RwLock::new(HashSet::new())),
cache_cleanup_counter: Arc::new(RwLock::new(0)),
}
}
}
#[async_trait::async_trait]
impl AuthenticationService for AuthenticationServiceImpl {
async fn generate_jwt(
&self,
user_id: Uuid,
duration_secs: u64,
) -> Result<(String, Claims), ServiceError> {
let header = Header::default();
let expiration = chrono::Utc::now()
.checked_add_signed(chrono::Duration::seconds(duration_secs as i64))
.ok_or(ServiceError::InternalError(
"Invalid expiration time".into(),
))?
.timestamp() as u64;
let claims = Claims {
sub: user_id.to_string(),
iat: chrono::Utc::now().timestamp() as u64,
exp: expiration,
};
let token = encode(
&header,
&claims,
&EncodingKey::from_secret(self.secret.as_ref()),
)
.map_err(|e| ServiceError::InternalError(format!("JWT generation error: {}", e)))?;
Ok((token, claims))
}
async fn is_valid_jwt(
&self,
token: &str,
target_sub: Option<String>,
) -> Result<Option<Claims>, ServiceError> {
let mut validation = Validation::default();
if let Some(expected_sub) = target_sub {
validation.sub = Some(expected_sub);
}
let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
match decode::<Claims>(token, &decoding_key, &validation) {
Ok(data) => Ok(Some(data.claims)),
Err(err) => match *err.kind() {
InvalidToken | InvalidSubject | ExpiredSignature => Ok(None),
_ => Err(ServiceError::InternalError(format!(
"JWT validation error: {}",
err
))),
},
}
}
async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError> {
let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
let token_data = decode::<Claims>(token, &decoding_key, &Validation::default())
.map_err(|e| ServiceError::InternalError(format!("JWT parsing error: {}", e)))?;
Ok(token_data.claims)
}
async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError> {
let claims = self.parse_jwt(token).await?;
let valid_until = claims.exp;
let invalidated_at = chrono::Utc::now().timestamp() as u64;
let entry = InvalidationEntry {
token: token.to_string(),
invalidated_at,
valid_until,
};
{
self.invalidation_cache.write().await.insert(entry);
}
//
if self.cache_cleanup_counter.read().await.wrapping_add(1)
% INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS
== 0
{
self.cleanup_invalidation_cache().await;
}
//
Ok(())
}
async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError> {
let claims = self.parse_jwt(token).await?;
let user_id = Uuid::parse_str(&claims.sub).map_err(|e| {
ServiceError::InternalError(format!("Invalid user ID in JWT claims: {}", e))
})?;
let (new_token, _) = self.generate_jwt(user_id, duration_secs).await?;
Ok(new_token)
}
async fn logout(&self, token: &str) -> Result<(), ServiceError> {
self.invalidate_jwt(token).await
}
async fn cleanup_invalidation_cache(&self) {
let now = chrono::Utc::now().timestamp() as u64;
let mut cache = self.invalidation_cache.write().await;
cache.retain(|entry| entry.valid_until > now);
}
}
#[cfg(test)]
mod tests {
use super::*;
use tokio::time::{Duration, sleep};
#[tokio::test]
async fn test_jwt_generation_and_validation() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service
.generate_jwt(user_id, 60)
.await
.expect("generate jwt");
let valid = service
.is_valid_jwt(&token, None)
.await
.expect("validate jwt");
assert!(valid.is_some(), "Generated token should be valid");
let claims = service.parse_jwt(&token).await.expect("parse jwt");
assert_eq!(claims.sub, user_id.to_string());
}
#[tokio::test]
async fn test_jwt_validation_with_wrong_subject() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
let other_sub = Uuid::new_v4().to_string();
let valid = service.is_valid_jwt(&token, Some(other_sub)).await.unwrap();
assert!(
valid.is_none(),
"Token should be invalid for a different subject"
);
}
#[tokio::test]
async fn test_parse_jwt_invalid_token() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let res = service.parse_jwt("not_a_token").await;
assert!(matches!(res, Err(ServiceError::InternalError(_))));
}
#[tokio::test]
async fn test_refresh_jwt() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
let new_token = service.refresh_jwt(&token, 120).await.unwrap();
let claims = service.parse_jwt(&new_token).await.unwrap();
assert_eq!(claims.sub, user_id.to_string());
assert_eq!(claims.exp - claims.iat, 120);
}
#[tokio::test]
async fn test_is_valid_jwt_expired() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
sleep(Duration::from_secs(2)).await;
let valid = service.is_valid_jwt(&token, None).await.unwrap();
assert!(valid.is_none(), "Token should be expired and thus invalid");
}
#[tokio::test]
async fn test_invalidate_and_cleanup() {
let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
let user_id = Uuid::new_v4();
let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
service.invalidate_jwt(&token).await.unwrap();
// ensure entry is present
{
let cache = service.invalidation_cache.read().await;
assert!(cache.iter().any(|e| e.token == token));
}
// wait until token validity ends and cleanup
sleep(Duration::from_secs(2)).await;
service.cleanup_invalidation_cache().await;
let cache = service.invalidation_cache.read().await;
assert!(
cache.is_empty(),
"Cleanup should remove expired invalidation entries"
);
}
}

1
apps/api/src/services/auth/authentication/strategies.rs Normal file
View File

@@ -0,0 +1 @@
pub mod password;

454
apps/api/src/services/auth/authentication/strategies/password.rs Normal file
View File

@@ -0,0 +1,454 @@
use std::sync::Arc;
use crate::{errors::service_error::ServiceError, with_conn};
use argon2::{
Argon2,
password_hash::{PasswordHash, PasswordHasher, PasswordVerifier, SaltString, rand_core::OsRng},
};
use database::generated::entities::{user, user_identity};
use sea_orm::{
ColumnTrait, DatabaseConnection, DatabaseTransaction, EntityTrait, IntoActiveModel,
QueryFilter, prelude::Uuid,
};
pub struct PasswordStrategy {
connection: Arc<DatabaseConnection>,
}
const MAX_PASSWORD_LENGTH: usize = 32;
const PASSWORD_PROVIDER: &str = "password";
impl PasswordStrategy {
pub fn new(connection: Arc<DatabaseConnection>) -> Self {
Self { connection }
}
pub async fn authenticate(
&self,
username: &str,
password: &str,
tx: Option<&mut DatabaseTransaction>,
) -> Result<Uuid, ServiceError> {
// Find user by username
let user = with_conn!(&*self.connection, tx, conn, {
user::Entity::find()
.filter(user::Column::Name.eq(username))
.one(*conn)
.await?
.ok_or_else(|| {
ServiceError::Unauthorized("Invalid username or password".to_string())
})?
});
// Get user's identity
let identity = with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::find()
.filter(user_identity::Column::UserId.eq(user.id))
.one(*conn)
.await?
.ok_or_else(|| {
ServiceError::Unauthorized("Invalid username or password".to_string())
})?
});
// Check if revoked
if identity.is_revoked {
return Err(ServiceError::Unauthorized("Account is revoked".to_string()));
}
// Verify password
let password_hash = identity
.password_hash
.ok_or_else(|| ServiceError::InternalError("Invalid password hash".to_string()))?;
let parsed_hash = PasswordHash::new(&password_hash)
.map_err(|_| ServiceError::InternalError("Invalid password hash".to_string()))?;
Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.map_err(|_| ServiceError::Unauthorized("Invalid username or password".to_string()))?;
Ok(user.id)
}
pub async fn revoke_identity(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<(), ServiceError> {
let mut identity = with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::find()
.filter(user_identity::Column::UserId.eq(user_id))
.one(*conn)
.await?
.ok_or_else(|| ServiceError::NotFound("User identity not found".to_string()))?
});
identity.is_revoked = true;
with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::update(identity.into_active_model())
.exec(*conn)
.await
.map_err(ServiceError::from)
})?;
Ok(())
}
pub async fn create_identity(
&self,
user_id: Uuid,
password: &str,
tx: Option<&mut DatabaseTransaction>,
) -> Result<(), ServiceError> {
Self::is_valid_password(password).map_err(ServiceError::BadRequest)?;
let password_hash = Argon2::default()
.hash_password(password.as_bytes(), &SaltString::generate(&mut OsRng))
.map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
.to_string();
let new_identity = user_identity::ActiveModel {
id: sea_orm::ActiveValue::Set(Uuid::new_v4()),
user_id: sea_orm::ActiveValue::Set(user_id),
provider: sea_orm::ActiveValue::Set(PASSWORD_PROVIDER.to_string()),
password_hash: sea_orm::ActiveValue::Set(Some(password_hash)),
metadata: sea_orm::ActiveValue::Set(None),
is_revoked: sea_orm::ActiveValue::Set(false),
..Default::default()
};
with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::insert(new_identity)
.exec(*conn)
.await
.map_err(ServiceError::from)
})?;
Ok(())
}
pub async fn update_password(
&self,
user_id: Uuid,
new_password: &str,
tx: Option<&mut DatabaseTransaction>,
) -> Result<(), ServiceError> {
Self::is_valid_password(new_password).map_err(ServiceError::BadRequest)?;
let password_hash = Argon2::default()
.hash_password(new_password.as_bytes(), &SaltString::generate(&mut OsRng))
.map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
.to_string();
let mut identity = with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::find()
.filter(user_identity::Column::UserId.eq(user_id))
.one(*conn)
.await?
.ok_or_else(|| ServiceError::NotFound("User identity not found".to_string()))?
});
identity.password_hash = Some(password_hash);
identity.password_changed_at = Some(chrono::Utc::now());
with_conn!(&*self.connection, tx, conn, {
user_identity::Entity::update(identity.into_active_model())
.exec(*conn)
.await
.map_err(ServiceError::from)
})?;
Ok(())
}
fn is_valid_password(password: &str) -> Result<(), String> {
if password.is_empty() {
return Err("Password cannot be empty".to_string());
}
if password.len() > MAX_PASSWORD_LENGTH {
return Err(format!(
"Password cannot be longer than {} characters",
MAX_PASSWORD_LENGTH
));
}
Ok(())
}
}
#[cfg(test)]
mod test {
use super::*;
use database::generated::entities::{user, user_identity};
use sea_orm::MockDatabase;
#[test]
fn ensure_send_sync() {
fn assert_send_sync<T: Send + Sync>() {}
assert_send_sync::<PasswordStrategy>();
}
#[test]
fn password_validation() {
let valid_password = "ValidPassword123!";
let long_password = "a".repeat(129);
assert!(PasswordStrategy::is_valid_password(valid_password).is_ok());
assert!(PasswordStrategy::is_valid_password(long_password.as_str()).is_err());
}
#[tokio::test]
async fn authenticate_user_not_found() {
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy
.authenticate("nonexistent_user", "password", None)
.await;
assert!(matches!(result, Err(ServiceError::Unauthorized(_))));
}
#[tokio::test]
async fn authenticate_invalid_password() {
let user_id = Uuid::new_v4();
let password_hash = Argon2::default()
.hash_password(
"CorrectPassword".as_bytes(),
&SaltString::generate(&mut OsRng),
)
.unwrap()
.to_string();
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![vec![user::Model {
id: user_id,
name: "test_user".to_string(),
is_active: true,
is_admin: false,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
deleted_at: None,
last_login_at: None,
}]])
.append_query_results(vec![vec![user_identity::Model {
id: Uuid::new_v4(),
user_id,
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: Some(password_hash),
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
}]])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy
.authenticate("test_user", "InvalidPassword", None)
.await;
assert!(matches!(result, Err(ServiceError::Unauthorized(_))));
}
#[tokio::test]
async fn authenticate_success() {
let user_id = Uuid::new_v4();
let password_hash = Argon2::default()
.hash_password(
"CorrectPassword".as_bytes(),
&SaltString::generate(&mut OsRng),
)
.unwrap()
.to_string();
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![vec![user::Model {
id: user_id,
name: "test_user".to_string(),
is_active: true,
is_admin: false,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
deleted_at: None,
last_login_at: None,
}]])
.append_query_results(vec![vec![user_identity::Model {
id: Uuid::new_v4(),
user_id,
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: Some(password_hash),
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
}]])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy
.authenticate("test_user", "CorrectPassword", None)
.await;
assert!(matches!(result, Ok(id) if id == user_id));
}
#[tokio::test]
async fn revoke_identity_not_found() {
let user_id = Uuid::new_v4();
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy.revoke_identity(user_id, None).await;
assert!(matches!(result, Err(ServiceError::NotFound(_))));
}
#[tokio::test]
async fn revoke_identity_success() {
let user_id = Uuid::new_v4();
let identity = user_identity::Model {
id: Uuid::new_v4(),
user_id,
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: None,
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
};
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![
vec![identity.clone()],
vec![user_identity::Model {
is_revoked: true,
..identity
}],
])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy.revoke_identity(user_id, None).await;
assert!(result.is_ok());
}
#[tokio::test]
async fn create_identity_invalid_password() {
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite).into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy.create_identity(Uuid::new_v4(), "", None).await;
assert!(matches!(result, Err(ServiceError::BadRequest(_))));
}
#[tokio::test]
async fn create_identity_success() {
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![vec![user_identity::Model {
id: Uuid::new_v4(),
user_id: Uuid::new_v4(),
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: Some("somehash".to_string()),
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
}]])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy
.create_identity(Uuid::new_v4(), "ValidPass1!", None)
.await;
assert!(
result.is_ok(),
"Failed to create identity, error: {:?}",
result.err()
);
}
#[tokio::test]
async fn update_password_not_found() {
let user_id = Uuid::new_v4();
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy.update_password(user_id, "NewPass1!", None).await;
assert!(matches!(result, Err(ServiceError::NotFound(_))));
}
#[tokio::test]
async fn update_password_success() {
let user_id = Uuid::new_v4();
let identity = user_identity::Model {
id: Uuid::new_v4(),
user_id,
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: Some("oldhash".to_string()),
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
};
let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
.append_query_results(vec![
vec![identity],
vec![user_identity::Model {
id: Uuid::new_v4(),
user_id,
email: None,
provider: PASSWORD_PROVIDER.to_string(),
password_hash: Some("newhash".to_string()),
metadata: None,
is_revoked: false,
revoked_at: None,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
password_changed_at: None,
}],
])
.into_connection();
let strategy = PasswordStrategy::new(Arc::new(db));
let result = strategy.update_password(user_id, "NewPass1!", None).await;
assert!(
result.is_ok(),
"Failed to update password, error: {:?}",
result.err()
);
}
}

208
apps/api/src/services/auth/user.rs Normal file
View File

@@ -0,0 +1,208 @@
use std::sync::Arc;
use database::generated::entities::user::{
self, ActiveModel as UserActiveModel, Model as UserModel,
};
use sea_orm::{
ActiveModelTrait, ActiveValue, ColumnTrait, DatabaseConnection, DatabaseTransaction, DbErr,
EntityTrait, IntoActiveModel, QueryFilter, prelude::Uuid,
};
use crate::{errors::service_error::ServiceError, with_conn};
#[async_trait::async_trait]
pub trait UserService: Send + Sync {
async fn get_user_by_id(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError>;
async fn is_admin(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<bool, ServiceError>;
async fn user_exists(
&self,
username: &str,
tx: Option<&mut DatabaseTransaction>,
) -> Result<bool, ServiceError>;
async fn create_user(
&self,
user: NewUser,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError>;
async fn update_user(
&self,
user_id: Uuid,
user: UpdateUser,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError>;
async fn delete_user(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<(), ServiceError>;
}
pub struct User {
pub id: Uuid,
pub username: String,
pub is_admin: bool,
}
impl From<UserModel> for User {
fn from(model: UserModel) -> Self {
Self {
id: model.id,
username: model.name,
is_admin: model.is_admin,
}
}
}
pub struct NewUser {
pub username: String,
pub is_admin: bool,
}
pub struct UpdateUser {
pub username: Option<String>,
pub is_admin: Option<bool>,
pub is_active: Option<bool>,
}
impl UpdateUser {
fn apply_to_active_model(&self, model: &mut UserActiveModel) {
if let Some(username) = &self.username {
model.name = ActiveValue::Set(username.clone());
}
if let Some(is_admin) = self.is_admin {
model.is_admin = ActiveValue::Set(is_admin);
}
if let Some(is_active) = self.is_active {
model.is_active = ActiveValue::Set(is_active);
}
}
}
pub struct UserServiceImpl {
connection: Arc<DatabaseConnection>,
}
impl UserServiceImpl {
pub fn new(connection: Arc<DatabaseConnection>) -> Self {
Self { connection }
}
async fn get_user_by_id_from_db(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<UserModel, ServiceError> {
let user = with_conn!(&*self.connection, tx, conn, {
user::Entity::find_by_id(user_id).one(*conn).await
});
match user {
Err(err) => Err(ServiceError::from(err)),
Ok(None) => Err(ServiceError::NotFound(format!(
"User with id '{}' not found",
user_id
))),
Ok(Some(record)) => Ok(record),
}
}
}
#[async_trait::async_trait]
impl UserService for UserServiceImpl {
async fn get_user_by_id(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError> {
let user = self.get_user_by_id_from_db(user_id, tx).await?;
Ok(User::from(user))
}
async fn is_admin(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<bool, ServiceError> {
let user = self.get_user_by_id(user_id, tx).await?;
Ok(user.is_admin)
}
async fn user_exists(
&self,
username: &str,
tx: Option<&mut DatabaseTransaction>,
) -> Result<bool, ServiceError> {
let user = with_conn!(&*self.connection, tx, conn, {
user::Entity::find()
.filter(user::Column::Name.eq(username))
.one(*conn)
.await
});
match user {
Err(err) => match err {
DbErr::RecordNotFound(_) => Ok(false),
_ => Err(ServiceError::from(err)),
},
Ok(None) => Ok(false),
Ok(Some(_)) => Ok(true),
}
}
async fn create_user(
&self,
user: NewUser,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError> {
let user_active_model = UserActiveModel {
id: ActiveValue::Set(Uuid::new_v4()),
name: ActiveValue::Set(user.username),
is_admin: ActiveValue::Set(user.is_admin),
is_active: ActiveValue::Set(true),
..Default::default()
};
let user_model = with_conn!(&*self.connection, tx, conn, {
user_active_model.insert(*conn).await
})?;
Ok(User::from(user_model))
}
async fn update_user(
&self,
user_id: Uuid,
update_user: UpdateUser,
tx: Option<&mut DatabaseTransaction>,
) -> Result<User, ServiceError> {
let existing_user = self.get_user_by_id_from_db(user_id, tx).await?;
let mut user_active_model = existing_user.into_active_model();
update_user.apply_to_active_model(&mut user_active_model);
let user_model = user_active_model.update(&*self.connection).await?;
Ok(User::from(user_model))
}
async fn delete_user(
&self,
user_id: Uuid,
tx: Option<&mut DatabaseTransaction>,
) -> Result<(), ServiceError> {
let user = self.get_user_by_id_from_db(user_id, tx).await?;
let user_active_model = user.into_active_model();
user_active_model.delete(&*self.connection).await?;
Ok(())
}
}

27
apps/api/src/services/settings.rs
View File

@@ -7,7 +7,7 @@ use sea_orm::{
IntoActiveModel, QueryFilter,
};
use crate::errors::service_error::{IntoServiceError, ServiceError};
use crate::errors::service_error::ServiceError;
#[async_trait::async_trait]
pub trait SettingsStore: Send + Sync {
@@ -37,11 +37,11 @@ impl SettingsStore for SettingsService {
.await;
match setting {
Err(err) => Err(err.into_service_error()),
Ok(None) => Err(
DbErr::RecordNotFound(format!("Setting with key '{}' not found", key))
.into_service_error(),
),
Err(err) => Err(ServiceError::from(err)),
Ok(None) => Err(ServiceError::from(DbErr::RecordNotFound(format!(
"Setting with key '{}' not found",
key
)))),
Ok(Some(record)) => Ok(record.value),
}
}
@@ -62,7 +62,7 @@ impl SettingsStore for SettingsService {
new_record
.insert(&*self.connection)
.await
.map_err(|err| err.into_service_error())
.map_err(ServiceError::from)
};
match existing {
@@ -71,19 +71,20 @@ impl SettingsStore for SettingsService {
handle_not_found(key.to_string(), value).await?;
}
_ => {
return Err(Box::new(err));
return Err(ServiceError::from(err));
}
},
Ok(None) => {
handle_not_found(key.to_string(), value).await?;
}
Ok(Some(mut record)) => {
record.value = value;
record
.into_active_model()
Ok(Some(record)) => {
let mut record_active_model = record.into_active_model();
record_active_model.value = ActiveValue::Set(value);
record_active_model.updated_at = ActiveValue::Set(chrono::Utc::now());
record_active_model
.update(&*self.connection)
.await
.map_err(|err| err.into_service_error())?;
.map_err(ServiceError::from)?;
}
}

33
apps/api/src/tasks/startup.rs
View File

@@ -1,25 +1,34 @@
use migration::migrate_database;
use tracing::{debug, info};
mod db_migrate;
mod init_admin;
use std::sync::Arc;
use sea_orm::ConnectOptions;
use tracing::info;
use crate::configs::ProgramSettings;
use database::get_connection;
pub async fn run_startup_tasks(config: &ProgramSettings) -> Result<(), Box<dyn std::error::Error>> {
// Here you can add any startup tasks you want to run when the application starts.
info!("Running startup tasks...");
let db_options = |options: &mut ConnectOptions| {
options.max_connections(config.database.max_connections);
};
let db_connection = Arc::new(
get_connection(&config.database.url, Some(db_options))
.await
.map_err(|err| format!("Failed to establish database connection: {}", err))?,
);
if config.database.migrate_on_startup {
run_database_migrations(&config.database.url).await?;
db_migrate::run_database_migrations(&config.database.url).await?;
} else {
info!("Database migration on startup is disabled. Skipping migration.");
}
init_admin::init_admin(config, db_connection.clone()).await?;
Ok(())
}
async fn run_database_migrations(db_url: &str) -> Result<(), Box<dyn std::error::Error>> {
// Logic to run database migrations
info!("Running database migrations...");
debug!("Database URL: {}", db_url);
migrate_database(db_url).await.map_err(Box::new)?;
info!("Database migrations completed.");
Ok(())
}

11
apps/api/src/tasks/startup/db_migrate.rs Normal file
View File

@@ -0,0 +1,11 @@
use migration::migrate_database;
use tracing::{debug, info};
pub async fn run_database_migrations(db_url: &str) -> Result<(), Box<dyn std::error::Error>> {
// Logic to run database migrations
info!("Running database migrations...");
debug!("Database URL: {}", db_url);
migrate_database(db_url).await.map_err(Box::new)?;
info!("Database migrations completed.");
Ok(())
}

116
apps/api/src/tasks/startup/init_admin.rs Normal file
View File

@@ -0,0 +1,116 @@
use std::sync::Arc;
use argon2::password_hash::{SaltString, rand_core::OsRng};
use database::generated::entities::user;
use sea_orm::{ColumnTrait, DatabaseConnection, EntityTrait, QueryFilter, TransactionTrait};
use tracing::{debug, info, warn};
use crate::configs::ProgramSettings;
use crate::helpers::constants::ADMIN_INIT_SECRET_KEY;
use crate::services::{
auth::{
authentication::strategies::password::PasswordStrategy,
user::{NewUser, UserService, UserServiceImpl},
},
settings::{SettingsService, SettingsStore},
};
pub async fn init_admin(
config: &ProgramSettings,
db: Arc<DatabaseConnection>,
) -> Result<(), Box<dyn std::error::Error>> {
// if admin user already exists, skip
let admin_exists = user::Entity::find()
.filter(user::Column::IsAdmin.eq(true))
.filter(user::Column::IsActive.eq(true))
.one(db.as_ref())
.await
.map_err(|err| format!("Failed to query for existing admin user: {}", err))?
.is_some();
if admin_exists {
debug!("Admin user already exists. Skipping admin initialization.");
return Ok(());
}
// if config contains admin init settings, run admin init
if let (Some(username), Some(password)) = (
&config.auth.default_admin_username,
&config.auth.default_admin_password,
) {
let r = _init_admin(username, password, db.clone()).await;
if let Err(e) = r {
warn!("Failed to initialize admin user: {}", e);
info!("Defaulting to manual creation from dashboard.");
} else {
return Ok(());
}
}
// else generate a random secret to be used when initializing admin from dashboard
let secret = generate_admin_init_secret(db.clone()).await?;
info!(
"Admin initialization secret generated. Use this secret to initialize the admin user from the dashboard: {}. This secret will only be shown once and is only valid until the admin user is created or the application is restarted.",
secret
);
Ok(())
}
async fn generate_admin_init_secret(
db: Arc<DatabaseConnection>,
) -> Result<String, Box<dyn std::error::Error>> {
let secret = SaltString::generate(&mut OsRng).as_str().to_owned();
// Store the secret in a settings table
let setting = SettingsService::new(db.clone());
setting
.set_setting(ADMIN_INIT_SECRET_KEY, secret.clone())
.await
.map_err(|err| format!("Failed to store admin init secret: {}", err))?;
Ok(secret)
}
async fn _init_admin(
username: &str,
password: &str,
db: Arc<DatabaseConnection>,
) -> Result<(), Box<dyn std::error::Error>> {
info!("Initializing admin user...");
// Check if an admin user already exists
let admin_exists = user::Entity::find()
.filter(user::Column::IsAdmin.eq(true))
.one(db.as_ref())
.await?
.is_some();
if admin_exists {
debug!("Admin user already exists. Skipping initialization.");
return Ok(());
}
info!("No admin user found. Creating default admin user...");
let user_service = UserServiceImpl::new(db.clone());
let password_strategy = PasswordStrategy::new(db.clone());
let user = NewUser {
username: username.to_string(),
is_admin: true,
};
let mut tx = db.begin().await?;
// create user
let user = user_service.create_user(user, Some(&mut tx)).await?;
// create temporary password
password_strategy
.create_identity(user.id, password, Some(&mut tx))
.await?;
//
tx.commit().await?;
info!(
"Default admin user created successfully, username: {}",
username
);
Ok(())
}

112
apps/api/swagger.json
View File

@@ -9,6 +9,78 @@
"version": "0.1.0"
},
"paths": {
"/api/auth/init_admin": {
"post": {
"tags": [
"Authentication"
],
"summary": "Initializes the admin user",
"description": "Initializes the admin user if no admin user exists and the correct setup secret is provided.",
"operationId": "init_admin",
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/AdminInitRequest"
}
}
},
"required": true
},
"responses": {
"200": {
"description": "Admin user initialized successfully"
},
"400": {
"description": "Invalid request payload"
},
"401": {
"description": "Unauthorized: Admin user already exists or invalid setup secret"
},
"500": {
"description": "Internal server error"
}
}
}
},
"/api/auth/login": {
"post": {
"tags": [
"Authentication"
],
"summary": "Login endpoint",
"description": "Authenticates a user and returns a JWT in an HttpOnly cookie.",
"operationId": "login",
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/LoginRequest"
}
}
},
"required": true
},
"responses": {
"200": {
"description": "User authenticated successfully",
"content": {
"application/json": {
"schema": {
"default": null
}
}
}
},
"401": {
"description": "Authentication failed"
},
"500": {
"description": "Internal server error"
}
}
}
},
"/api/health/info": {
"get": {
"tags": [
@@ -37,6 +109,26 @@
},
"components": {
"schemas": {
"AdminInitRequest": {
"type": "object",
"description": "Login request payload",
"required": [
"username",
"password",
"setup_secret"
],
"properties": {
"password": {
"type": "string"
},
"setup_secret": {
"type": "string"
},
"username": {
"type": "string"
}
}
},
"HealthInfo": {
"type": "object",
"description": "System health information",
@@ -70,6 +162,22 @@
"description": "Application version"
}
}
},
"LoginRequest": {
"type": "object",
"description": "Login request payload",
"required": [
"username",
"password"
],
"properties": {
"password": {
"type": "string"
},
"username": {
"type": "string"
}
}
}
}
},
@@ -77,6 +185,10 @@
{
"name": "Health",
"description": "Health information API"
},
{
"name": "Authentication",
"description": "Authentication API"
}
]
}

56
apps/frontend/app/generated/api-client/api-client.ts
View File

@@ -1,11 +1,13 @@
export namespace Schemas {
// <Schemas>
export type AdminInitRequest = { password: string; setup_secret: string; username: string };
export type HealthInfo = {
errors?: (Array<string> | null) | undefined;
status: string;
up_since: string;
version: string;
};
export type LoginRequest = { password: string; username: string };
// </Schemas>
}
@@ -13,6 +15,24 @@ export namespace Schemas {
export namespace Endpoints {
// <Endpoints>
export type post_Init_admin = {
method: "POST";
path: "/api/auth/init_admin";
requestFormat: "json";
parameters: {
body: Schemas.AdminInitRequest;
};
responses: { 200: unknown; 400: unknown; 401: unknown; 500: unknown };
};
export type post_Login = {
method: "POST";
path: "/api/auth/login";
requestFormat: "json";
parameters: {
body: Schemas.LoginRequest;
};
responses: { 200: unknown; 401: unknown; 500: unknown };
};
export type get_Get_health_info = {
method: "GET";
path: "/api/health/info";
@@ -26,6 +46,10 @@ export namespace Endpoints {
// <EndpointByMethod>
export type EndpointByMethod = {
post: {
"/api/auth/init_admin": Endpoints.post_Init_admin;
"/api/auth/login": Endpoints.post_Login;
};
get: {
"/api/health/info": Endpoints.get_Get_health_info;
};
@@ -34,6 +58,7 @@ export type EndpointByMethod = {
// </EndpointByMethod>
// <EndpointByMethod.Shorthands>
export type PostEndpoints = EndpointByMethod["post"];
export type GetEndpoints = EndpointByMethod["get"];
// </EndpointByMethod.Shorthands>
@@ -267,6 +292,37 @@ export class ApiClient {
return;
};
// <ApiClient.post>
post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
path: Path,
...params: MaybeOptionalArg<
TEndpoint extends { parameters: infer UParams }
? NotNever<UParams> extends true
? UParams & { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
: { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
: { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
>
): Promise<Extract<InferResponseByStatus<TEndpoint, SuccessStatusCode>, { data: {} }>["data"]>;
post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
path: Path,
...params: MaybeOptionalArg<
TEndpoint extends { parameters: infer UParams }
? NotNever<UParams> extends true
? UParams & { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
: { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
: { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
>
): Promise<SafeApiResponse<TEndpoint>>;
post<Path extends keyof PostEndpoints, _TEndpoint extends PostEndpoints[Path]>(
path: Path,
...params: MaybeOptionalArg<any>
): Promise<any> {
return this.request("post", path, ...params);
}
// </ApiClient.post>
// <ApiClient.get>
get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
path: Path,

31
apps/frontend/app/generated/api-client/tanstack-client.ts
View File

@@ -41,6 +41,7 @@ const createQueryKey = <TOptions extends EndpointParameters>(
};
// <EndpointByMethod.Shorthands>
export type PostEndpoints = EndpointByMethod["post"];
export type GetEndpoints = EndpointByMethod["get"];
// </EndpointByMethod.Shorthands>
@@ -69,6 +70,36 @@ type InferResponseData<TEndpoint, TStatusCode> =
export class TanstackQueryApiClient {
constructor(public client: ApiClient) {}
// <ApiClient.post>
post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
path: Path,
...params: MaybeOptionalArg<TEndpoint["parameters"]>
) {
const queryKey = createQueryKey(path as string, params[0]);
const query = {
/** type-only property if you need easy access to the endpoint params */
"~endpoint": {} as TEndpoint,
queryKey,
queryFn: {} as "You need to pass .queryOptions to the useQuery hook",
queryOptions: queryOptions({
queryFn: async ({ queryKey, signal }) => {
const requestParams = {
...(params[0] || {}),
...(queryKey[0] || {}),
overrides: { signal },
withResponse: false as const,
};
const res = await this.client.post(path, requestParams as never);
return res as InferResponseData<TEndpoint, SuccessStatusCode>;
},
queryKey: queryKey,
}),
};
return query;
}
// </ApiClient.post>
// <ApiClient.get>
get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
path: Path,

1
public/database/src/generated/entities/mod.rs
View File

@@ -4,3 +4,4 @@ pub mod prelude;
pub mod config;
pub mod user;
pub mod user_identity;

1
public/database/src/generated/entities/prelude.rs
View File

@@ -2,3 +2,4 @@
pub use super::config::Entity as Config;
pub use super::user::Entity as User;
pub use super::user_identity::Entity as UserIdentity;

29
public/database/src/generated/entities/session.rs Normal file
View File

@@ -0,0 +1,29 @@
//! `SeaORM` Entity, @generated by sea-orm-codegen 2.0.0-rc.18
use sea_orm::entity::prelude::*;
use serde::{Deserialize, Serialize};
#[sea_orm::model]
#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel, Serialize, Deserialize)]
#[sea_orm(table_name = "session")]
pub struct Model {
#[sea_orm(primary_key, auto_increment = false)]
pub id: Uuid,
pub user_id: Uuid,
#[sea_orm(unique)]
pub refresh_token_hash: Option<String>,
pub expires_at: DateTimeUtc,
pub revoked_at: Option<DateTimeUtc>,
pub created_at: DateTimeUtc,
pub updated_at: DateTimeUtc,
#[sea_orm(
belongs_to,
from = "user_id",
to = "id",
on_update = "Cascade",
on_delete = "Cascade"
)]
pub user: HasOne<super::user::Entity>,
}
impl ActiveModelBehavior for ActiveModel {}

7
public/database/src/generated/entities/user.rs
View File

@@ -12,10 +12,13 @@ pub struct Model {
#[sea_orm(unique)]
pub name: String,
pub is_admin: bool,
pub password_hash: String,
pub salt: String,
pub is_active: bool,
pub created_at: DateTimeUtc,
pub updated_at: DateTimeUtc,
pub last_login_at: Option<DateTimeUtc>,
pub deleted_at: Option<DateTimeUtc>,
#[sea_orm(has_many)]
pub user_identities: HasMany<super::user_identity::Entity>,
}
impl ActiveModelBehavior for ActiveModel {}

35
public/database/src/generated/entities/user_identity.rs Normal file
View File

@@ -0,0 +1,35 @@
//! `SeaORM` Entity, @generated by sea-orm-codegen 2.0.0-rc.18
use sea_orm::entity::prelude::*;
use serde::{Deserialize, Serialize};
#[sea_orm::model]
#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel, Serialize, Deserialize)]
#[sea_orm(table_name = "user_identity")]
pub struct Model {
#[sea_orm(primary_key, auto_increment = false)]
pub id: Uuid,
#[sea_orm(unique_key = "provider")]
pub user_id: Uuid,
#[sea_orm(unique_key = "provider")]
pub provider: String,
pub email: Option<String>,
pub password_hash: Option<String>,
pub is_revoked: bool,
#[sea_orm(column_type = "JsonBinary", nullable)]
pub metadata: Option<Json>,
pub password_changed_at: Option<DateTimeUtc>,
pub revoked_at: Option<DateTimeUtc>,
pub created_at: DateTimeUtc,
pub updated_at: DateTimeUtc,
#[sea_orm(
belongs_to,
from = "user_id",
to = "id",
on_update = "Cascade",
on_delete = "Cascade"
)]
pub user: HasOne<super::user::Entity>,
}
impl ActiveModelBehavior for ActiveModel {}

5
public/migration/src/lib.rs
View File

@@ -10,8 +10,9 @@ pub struct Migrator;
impl MigratorTrait for Migrator {
fn migrations() -> Vec<Box<dyn MigrationTrait>> {
vec![
Box::new(m20251011_000001_create_user_table::Migration),
Box::new(m20251011_000002_create_config_table::Migration),
Box::new(m20251011_000001_create_config_table::Migration),
Box::new(m20251011_000002_create_user_table::Migration),
Box::new(m20251011_000003_create_user_identity_table::Migration),
]
}
}

5
public/migration/src/migrations.rs
View File

@@ -1,2 +1,3 @@
pub mod m20251011_000001_create_user_table;
pub mod m20251011_000002_create_config_table;
pub mod m20251011_000001_create_config_table;
pub mod m20251011_000002_create_user_table;
pub mod m20251011_000003_create_user_identity_table;

0
public/migration/src/migrations/m20251011_000002_create_config_table.rs → public/migration/src/migrations/m20251011_000001_create_config_table.rs
View File

19
public/migration/src/migrations/m20251011_000001_create_user_table.rs → public/migration/src/migrations/m20251011_000002_create_user_table.rs
View File

@@ -3,16 +3,19 @@ use sea_orm_migration::{prelude::*, schema::*};
#[derive(DeriveMigrationName)]
pub struct Migration;
#[forbid(dead_code)]
#[derive(DeriveIden)]
enum User {
pub enum User {
Table,
Id,
//
Name,
IsAdmin,
PasswordHash,
Salt,
IsActive,
//
LastLoginAt,
//
DeletedAt,
CreatedAt,
UpdatedAt,
}
@@ -33,8 +36,12 @@ impl MigrationTrait for Migration {
.default(false)
.not_null(),
)
.col(ColumnDef::new(User::PasswordHash).string().not_null())
.col(ColumnDef::new(User::Salt).string().not_null())
.col(
ColumnDef::new(User::IsActive)
.boolean()
.default(true)
.not_null(),
)
.col(
ColumnDef::new(User::CreatedAt)
.timestamp()
@@ -47,6 +54,8 @@ impl MigrationTrait for Migration {
.default(SimpleExpr::Keyword(Keyword::CurrentTimestamp))
.not_null(),
)
.col(ColumnDef::new(User::LastLoginAt).timestamp().null())
.col(ColumnDef::new(User::DeletedAt).timestamp().null())
.to_owned(),
)
.await

102
public/migration/src/migrations/m20251011_000003_create_user_identity_table.rs Normal file
View File

@@ -0,0 +1,102 @@
use sea_orm_migration::{prelude::*, schema::*};
#[derive(DeriveMigrationName)]
pub struct Migration;
#[forbid(dead_code)]
#[derive(DeriveIden)]
pub enum UserIdentity {
Table,
Id,
UserId,
Provider, // e.g. "password". Extensible for plugins like OAuth in the future
//
Email, // optional
PasswordHash, // optional for non-password providers
IsRevoked, // default false
//
Metadata, // for custom provider metadata
//
PasswordChangedAt,
RevokedAt,
//
CreatedAt,
UpdatedAt,
}
#[async_trait::async_trait]
impl MigrationTrait for Migration {
async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
let _ = manager
.create_table(
Table::create()
.table(UserIdentity::Table)
.if_not_exists()
.col(pk_uuid(UserIdentity::Id))
//
.col(ColumnDef::new(UserIdentity::UserId).uuid().not_null())
.foreign_key(
ForeignKey::create()
.name("fk-user-identity-user-id")
.from(UserIdentity::Table, UserIdentity::UserId)
.to(
super::m20251011_000002_create_user_table::User::Table,
super::m20251011_000002_create_user_table::User::Id,
)
.on_delete(ForeignKeyAction::Cascade)
.on_update(ForeignKeyAction::Cascade),
)
.col(ColumnDef::new(UserIdentity::Provider).string().not_null())
//
.col(ColumnDef::new(UserIdentity::Email).string().null())
.col(ColumnDef::new(UserIdentity::PasswordHash).string().null())
.col(
ColumnDef::new(UserIdentity::IsRevoked)
.boolean()
.default(false)
.not_null(),
)
.col(ColumnDef::new(UserIdentity::Metadata).json_binary().null())
//
.col(
ColumnDef::new(UserIdentity::PasswordChangedAt)
.timestamp()
.null(),
)
.col(ColumnDef::new(UserIdentity::RevokedAt).timestamp().null())
//
.col(
ColumnDef::new(UserIdentity::CreatedAt)
.timestamp()
.default(SimpleExpr::Keyword(Keyword::CurrentTimestamp))
.not_null(),
)
.col(
ColumnDef::new(UserIdentity::UpdatedAt)
.timestamp()
.default(SimpleExpr::Keyword(Keyword::CurrentTimestamp))
.not_null(),
)
.to_owned(),
)
.await;
manager
.create_index(
Index::create()
.name("idx-user-identity-user-id-provider")
.table(UserIdentity::Table)
.col(UserIdentity::UserId)
.col(UserIdentity::Provider)
.unique()
.to_owned(),
)
.await
}
async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
manager
.drop_table(Table::drop().table(UserIdentity::Table).to_owned())
.await
}
}