пароль на семьи

backend/src/lib.rs

@@ -22,7 +22,7 @@ pub mod auth;
 pub mod middleware;
 
 pub use auth::AuthBackend;
-pub use middleware::require_admin;
+pub use middleware::{require_admin, require_family_access};
 
 #[derive(OpenApi)]
 #[openapi(
@@ -101,16 +101,16 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
 
     let session_layer = SessionManagerLayer::new(session_store)
         .with_secure(false)
-        .with_expiry(Expiry::OnInactivity(Duration::days(1)));
+        .with_expiry(Expiry::OnInactivity(Duration::days(7)));
 
     let backend = auth::AuthBackend { db: db.clone() };
-    let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer).build();
+    let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer.clone()).build();
 
     let admin_family_routes = Router::new()
         .route("/families", post(routes::family::create_family))
         .route("/families/:id", delete(routes::family::delete_family))
-        .layer(auth_layer.clone())
         .route_layer(axum_middleware::from_fn(middleware::require_admin))
+        .layer(auth_layer.clone())
         .with_state(db.clone());
 
     let auth_routes = Router::new()
@@ -119,10 +119,7 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
         .layer(auth_layer)
         .with_state(db.clone());
 
-    let public_routes = Router::new()
-        .route("/families", get(routes::family::get_all_families))
-        .route("/families/:id", get(routes::family::get_family))
-        .route("/families/:id", put(routes::family::update_family))
+    let family_protected_routes = Router::new()
         .route("/families/:family_id/categories", post(routes::category::create_category))
         .route("/families/:family_id/categories", get(routes::category::get_categories_by_family))
         .route("/families/:family_id/categories/:category_id", get(routes::category::get_category))
@@ -134,11 +131,22 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
         .route("/families/:family_id/categories/:category_id/expenses/:expense_id", put(routes::expense::update_expense))
         .route("/families/:family_id/categories/:category_id/expenses/:expense_id", delete(routes::expense::delete_expense))
         .route("/families/:family_id/categories/:category_id/remaining", get(routes::expense::get_remaining_limit))
+        .route_layer(axum_middleware::from_fn(middleware::require_family_access))
+        .layer(session_layer.clone())
+        .with_state(db.clone());
+
+    let public_routes = Router::new()
+        .route("/families", get(routes::family::get_all_families))
+        .route("/families/:id", get(routes::family::get_family))
+        .route("/families/:id", put(routes::family::update_family))
+        .route("/families/:id/verify", post(routes::family::verify_family_password))
+        .layer(session_layer)
         .with_state(db);
 
     let api_routes = Router::new()
         .merge(admin_family_routes)
         .merge(auth_routes)
+        .merge(family_protected_routes)
         .merge(public_routes);
 
     let swagger_ui = SwaggerUi::new("/swagger-ui")
@@ -148,6 +156,8 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
         .allow_origin([
             "http://localhost:3000".parse::<HeaderValue>().unwrap(),
             "http://localhost:5173".parse::<HeaderValue>().unwrap(),
+            "http://localhost:5174".parse::<HeaderValue>().unwrap(),
+            "http://localhost:5175".parse::<HeaderValue>().unwrap(),
             "http://localhost:8080".parse::<HeaderValue>().unwrap(),
         ])
         .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS])