auth in infra

notes-infra/src/auth/axum_login.rs

@@ -0,0 +1,110 @@
+use std::sync::Arc;
+
+use axum_login::{AuthnBackend, UserId};
+use password_auth::verify_password;
+use serde::{Deserialize, Serialize};
+use tower_sessions::SessionManagerLayer;
+use uuid::Uuid;
+
+use notes_domain::{User, UserRepository};
+
+use crate::session_store::InfraSessionStore;
+
+/// Wrapper around domain User to implement AuthUser
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthUser(pub User);
+
+impl axum_login::AuthUser for AuthUser {
+    type Id = Uuid;
+
+    fn id(&self) -> Self::Id {
+        self.0.id
+    }
+
+    fn session_auth_hash(&self) -> &[u8] {
+        // Use password hash to invalidate sessions if password changes
+        self.0
+            .password_hash
+            .as_ref()
+            .map(|s| s.as_bytes())
+            .unwrap_or(&[])
+    }
+}
+
+#[derive(Clone)]
+pub struct AuthBackend {
+    pub user_repo: Arc<dyn UserRepository>,
+}
+
+impl AuthBackend {
+    pub fn new(user_repo: Arc<dyn UserRepository>) -> Self {
+        Self { user_repo }
+    }
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct Credentials {
+    pub email: notes_domain::Email,
+    pub password: notes_domain::Password,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AuthError {
+    #[error(transparent)]
+    Anyhow(#[from] anyhow::Error),
+}
+
+impl AuthnBackend for AuthBackend {
+    type User = AuthUser;
+    type Credentials = Credentials;
+    type Error = AuthError;
+
+    async fn authenticate(
+        &self,
+        creds: Self::Credentials,
+    ) -> Result<Option<Self::User>, Self::Error> {
+        let user = self
+            .user_repo
+            .find_by_email(creds.email.as_ref())
+            .await
+            .map_err(|e| AuthError::Anyhow(anyhow::anyhow!(e)))?;
+
+        if let Some(user) = user {
+            if let Some(hash) = &user.password_hash {
+                // Verify password
+                if verify_password(creds.password.as_ref(), hash).is_ok() {
+                    return Ok(Some(AuthUser(user)));
+                }
+            }
+        }
+
+        Ok(None)
+    }
+
+    async fn get_user(&self, user_id: &UserId<Self>) -> Result<Option<Self::User>, Self::Error> {
+        let user = self
+            .user_repo
+            .find_by_id(*user_id)
+            .await
+            .map_err(|e| AuthError::Anyhow(anyhow::anyhow!(e)))?;
+
+        Ok(user.map(AuthUser))
+    }
+}
+
+pub type AuthSession = axum_login::AuthSession<AuthBackend>;
+pub type AuthManagerLayer = axum_login::AuthManagerLayer<AuthBackend, InfraSessionStore>;
+
+pub async fn setup_auth_layer(
+    session_layer: SessionManagerLayer<InfraSessionStore>,
+    user_repo: Arc<dyn UserRepository>,
+) -> Result<AuthManagerLayer, AuthError> {
+    let backend = AuthBackend::new(user_repo);
+
+    let auth_layer = axum_login::AuthManagerLayerBuilder::new(backend, session_layer).build();
+    Ok(auth_layer)
+}
+
+pub fn hash_password(password: &str) -> String {
+    password_auth::generate_hash(password)
+}