Shanty/web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added auth

Browse Source
This commit is contained in:
Connor Johnstone
2026-03-19 14:02:33 -04:00
parent 93392db27c
commit 421ec3199b
21 changed files with 719 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

203
src/routes/auth.rs Normal file
View File

@@ -0,0 +1,203 @@
use actix_session::Session;
use actix_web::{web, HttpResponse};
use serde::Deserialize;
use shanty_db::entities::user::UserRole;
use shanty_db::queries;
use crate::auth;
use crate::error::ApiError;
use crate::state::AppState;
pub fn configure(cfg: &mut web::ServiceConfig) {
cfg.service(web::resource("/auth/setup-required").route(web::get().to(setup_required)))
.service(web::resource("/auth/setup").route(web::post().to(setup)))
.service(web::resource("/auth/login").route(web::post().to(login)))
.service(web::resource("/auth/logout").route(web::post().to(logout)))
.service(web::resource("/auth/me").route(web::get().to(me)))
.service(
web::resource("/auth/users")
.route(web::get().to(list_users))
.route(web::post().to(create_user)),
)
.service(web::resource("/auth/users/{id}").route(web::delete().to(delete_user)));
}
#[derive(Deserialize)]
struct SetupRequest {
username: String,
password: String,
}
#[derive(Deserialize)]
struct LoginRequest {
username: String,
password: String,
}
#[derive(Deserialize)]
struct CreateUserRequest {
username: String,
password: String,
}
/// Check if initial setup is required (no users in database).
async fn setup_required(state: web::Data<AppState>) -> Result<HttpResponse, ApiError> {
let count = queries::users::count(state.db.conn()).await?;
Ok(HttpResponse::Ok().json(serde_json::json!({ "required": count == 0 })))
}
/// Create the first admin user. Only works when no users exist.
async fn setup(
state: web::Data<AppState>,
session: Session,
body: web::Json<SetupRequest>,
) -> Result<HttpResponse, ApiError> {
let count = queries::users::count(state.db.conn()).await?;
if count > 0 {
return Err(ApiError::BadRequest("setup already completed".into()));
}
if body.username.trim().is_empty() || body.password.len() < 4 {
return Err(ApiError::BadRequest(
"username required, password must be at least 4 characters".into(),
));
}
let password_hash = auth::hash_password(&body.password)?;
let user = queries::users::create(
state.db.conn(),
body.username.trim(),
&password_hash,
UserRole::Admin,
)
.await?;
// Adopt any orphaned wanted items from before auth was added
let adopted = queries::users::adopt_orphaned_wanted_items(state.db.conn(), user.id).await?;
if adopted > 0 {
tracing::info!(count = adopted, user_id = user.id, "adopted orphaned wanted items");
}
auth::set_session(&session, user.id, &user.username, "admin");
tracing::info!(username = %user.username, "admin user created via setup");
Ok(HttpResponse::Ok().json(serde_json::json!({
"id": user.id,
"username": user.username,
"role": "admin",
})))
}
/// Log in with username and password.
async fn login(
state: web::Data<AppState>,
session: Session,
body: web::Json<LoginRequest>,
) -> Result<HttpResponse, ApiError> {
let user = queries::users::find_by_username(state.db.conn(), &body.username)
.await?
.ok_or_else(|| ApiError::Unauthorized("invalid username or password".into()))?;
if !auth::verify_password(&body.password, &user.password_hash) {
return Err(ApiError::Unauthorized(
"invalid username or password".into(),
));
}
let role = match user.role {
UserRole::Admin => "admin",
UserRole::User => "user",
};
auth::set_session(&session, user.id, &user.username, role);
tracing::info!(username = %user.username, "user logged in");
Ok(HttpResponse::Ok().json(serde_json::json!({
"id": user.id,
"username": user.username,
"role": role,
})))
}
/// Log out (clear session).
async fn logout(session: Session) -> Result<HttpResponse, ApiError> {
session.purge();
Ok(HttpResponse::Ok().json(serde_json::json!({ "status": "logged out" })))
}
/// Get current user info from session.
async fn me(session: Session) -> Result<HttpResponse, ApiError> {
let (user_id, username, role) = auth::require_auth(&session)?;
Ok(HttpResponse::Ok().json(serde_json::json!({
"id": user_id,
"username": username,
"role": role,
})))
}
/// List all users (admin only).
async fn list_users(
state: web::Data<AppState>,
session: Session,
) -> Result<HttpResponse, ApiError> {
auth::require_admin(&session)?;
let users = queries::users::list(state.db.conn()).await?;
Ok(HttpResponse::Ok().json(users))
}
/// Create a new user (admin only).
async fn create_user(
state: web::Data<AppState>,
session: Session,
body: web::Json<CreateUserRequest>,
) -> Result<HttpResponse, ApiError> {
auth::require_admin(&session)?;
if body.username.trim().is_empty() || body.password.len() < 4 {
return Err(ApiError::BadRequest(
"username required, password must be at least 4 characters".into(),
));
}
if queries::users::find_by_username(state.db.conn(), body.username.trim())
.await?
.is_some()
{
return Err(ApiError::BadRequest("username already taken".into()));
}
let password_hash = auth::hash_password(&body.password)?;
let user = queries::users::create(
state.db.conn(),
body.username.trim(),
&password_hash,
UserRole::User,
)
.await?;
tracing::info!(username = %user.username, "user created by admin");
Ok(HttpResponse::Ok().json(serde_json::json!({
"id": user.id,
"username": user.username,
"role": "user",
})))
}
/// Delete a user (admin only).
async fn delete_user(
state: web::Data<AppState>,
session: Session,
path: web::Path<i32>,
) -> Result<HttpResponse, ApiError> {
let (admin_id, _, _) = auth::require_admin(&session)?;
let user_id = path.into_inner();
if user_id == admin_id {
return Err(ApiError::BadRequest("cannot delete yourself".into()));
}
queries::users::delete(state.db.conn(), user_id).await?;
tracing::info!(user_id = user_id, "user deleted by admin");
Ok(HttpResponse::NoContent().finish())
}