Flash messages using axum-messages

2025-08-30 01:15:54 +02:00
parent 3ae50830f4
commit de1fc4a825
23 changed files with 819 additions and 45 deletions
--- a/src/authentication.rs
+++ b/src/authentication.rs
@@ -0,0 +1,93 @@
+use anyhow::Context;
+use argon2::{Argon2, PasswordHash, PasswordVerifier};
+use secrecy::{ExposeSecret, SecretString};
+use sqlx::PgPool;
+use uuid::Uuid;
+
+use crate::telemetry::spawn_blocking_with_tracing;
+
+pub struct Credentials {
+    pub username: String,
+    pub password: SecretString,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AuthError {
+    #[error(transparent)]
+    UnexpectedError(#[from] anyhow::Error),
+    #[error("Invalid credentials.")]
+    InvalidCredentials(#[source] anyhow::Error),
+}
+
+#[tracing::instrument(
+    name = "Validate credentials",
+    skip(username, password, connection_pool)
+)]
+pub async fn validate_credentials(
+    Credentials { username, password }: Credentials,
+    connection_pool: &PgPool,
+) -> Result<Uuid, AuthError> {
+    let mut user_id = None;
+    let mut expected_password_hash = SecretString::from(
+        "$argon2id$v=19$m=15000,t=2,p=1$\
+gZiV/M1gPc22ElAH/Jh1Hw$\
+CWOrkoo7oJBQ/iyh7uJ0LO2aLEfrHwTWllSAxT0zRno"
+            .to_string(),
+    );
+    if let Some((stored_user_id, stored_expected_password_hash)) =
+        get_stored_credentials(&username, connection_pool)
+            .await
+            .map_err(AuthError::UnexpectedError)?
+    {
+        user_id = Some(stored_user_id);
+        expected_password_hash = stored_expected_password_hash;
+    }
+
+    spawn_blocking_with_tracing(|| verify_password_hash(expected_password_hash, password))
+        .await
+        .context("Failed to spawn blocking task.")
+        .map_err(AuthError::UnexpectedError)??;
+
+    user_id
+        .ok_or_else(|| anyhow::anyhow!("Unknown username."))
+        .map_err(AuthError::InvalidCredentials)
+}
+
+#[tracing::instrument(
+    name = "Verify password",
+    skip(expected_password_hash, password_candidate)
+)]
+fn verify_password_hash(
+    expected_password_hash: SecretString,
+    password_candidate: SecretString,
+) -> Result<(), AuthError> {
+    let expected_password_hash = PasswordHash::new(expected_password_hash.expose_secret())
+        .context("Failed to parse hash in PHC string format.")?;
+    Argon2::default()
+        .verify_password(
+            password_candidate.expose_secret().as_bytes(),
+            &expected_password_hash,
+        )
+        .context("Password verification failed.")
+        .map_err(AuthError::InvalidCredentials)
+}
+
+#[tracing::instrument(name = "Get stored credentials", skip(username, connection_pool))]
+async fn get_stored_credentials(
+    username: &str,
+    connection_pool: &PgPool,
+) -> Result<Option<(Uuid, SecretString)>, anyhow::Error> {
+    let row = sqlx::query!(
+        r#"
+        SELECT user_id, password_hash
+        FROM users
+        WHERE username = $1
+    "#,
+        username,
+    )
+    .fetch_optional(connection_pool)
+    .await
+    .context("Failed to perform a query to retrieve stored credentials.")?
+    .map(|row| (row.user_id, SecretString::from(row.password_hash)));
+    Ok(row)
+}