Arrelin/family_budget
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

пароль на семьи

Browse Source
This commit is contained in:
arrelin
2025-12-15 16:51:09 +03:00
parent 1e393c79b5
commit 27d8d8ff4c
12 changed files with 330 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
backend/src/lib.rs
View File

@@ -22,7 +22,7 @@ pub mod auth;
pub mod middleware; pub mod middleware;
pub use auth::AuthBackend; pub use auth::AuthBackend;
pub use middleware::require_admin; pub use middleware::{require_admin, require_family_access};
#[derive(OpenApi)] #[derive(OpenApi)]
#[openapi( #[openapi(
@@ -101,16 +101,16 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
let session_layer = SessionManagerLayer::new(session_store) let session_layer = SessionManagerLayer::new(session_store)
.with_secure(false) .with_secure(false)
.with_expiry(Expiry::OnInactivity(Duration::days(1))); .with_expiry(Expiry::OnInactivity(Duration::days(7)));
let backend = auth::AuthBackend { db: db.clone() }; let backend = auth::AuthBackend { db: db.clone() };
let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer).build(); let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer.clone()).build();
let admin_family_routes = Router::new() let admin_family_routes = Router::new()
.route("/families", post(routes::family::create_family)) .route("/families", post(routes::family::create_family))
.route("/families/:id", delete(routes::family::delete_family)) .route("/families/:id", delete(routes::family::delete_family))
.layer(auth_layer.clone())
.route_layer(axum_middleware::from_fn(middleware::require_admin)) .route_layer(axum_middleware::from_fn(middleware::require_admin))
.layer(auth_layer.clone())
.with_state(db.clone()); .with_state(db.clone());
let auth_routes = Router::new() let auth_routes = Router::new()
@@ -119,10 +119,7 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
.layer(auth_layer) .layer(auth_layer)
.with_state(db.clone()); .with_state(db.clone());
let public_routes = Router::new() let family_protected_routes = Router::new()
.route("/families", get(routes::family::get_all_families))
.route("/families/:id", get(routes::family::get_family))
.route("/families/:id", put(routes::family::update_family))
.route("/families/:family_id/categories", post(routes::category::create_category)) .route("/families/:family_id/categories", post(routes::category::create_category))
.route("/families/:family_id/categories", get(routes::category::get_categories_by_family)) .route("/families/:family_id/categories", get(routes::category::get_categories_by_family))
.route("/families/:family_id/categories/:category_id", get(routes::category::get_category)) .route("/families/:family_id/categories/:category_id", get(routes::category::get_category))
@@ -134,11 +131,22 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
.route("/families/:family_id/categories/:category_id/expenses/:expense_id", put(routes::expense::update_expense)) .route("/families/:family_id/categories/:category_id/expenses/:expense_id", put(routes::expense::update_expense))
.route("/families/:family_id/categories/:category_id/expenses/:expense_id", delete(routes::expense::delete_expense)) .route("/families/:family_id/categories/:category_id/expenses/:expense_id", delete(routes::expense::delete_expense))
.route("/families/:family_id/categories/:category_id/remaining", get(routes::expense::get_remaining_limit)) .route("/families/:family_id/categories/:category_id/remaining", get(routes::expense::get_remaining_limit))
.route_layer(axum_middleware::from_fn(middleware::require_family_access))
.layer(session_layer.clone())
.with_state(db.clone());
let public_routes = Router::new()
.route("/families", get(routes::family::get_all_families))
.route("/families/:id", get(routes::family::get_family))
.route("/families/:id", put(routes::family::update_family))
.route("/families/:id/verify", post(routes::family::verify_family_password))
.layer(session_layer)
.with_state(db); .with_state(db);
let api_routes = Router::new() let api_routes = Router::new()
.merge(admin_family_routes) .merge(admin_family_routes)
.merge(auth_routes) .merge(auth_routes)
.merge(family_protected_routes)
.merge(public_routes); .merge(public_routes);
let swagger_ui = SwaggerUi::new("/swagger-ui") let swagger_ui = SwaggerUi::new("/swagger-ui")
@@ -148,6 +156,8 @@ pub async fn create_app(db: DatabaseConnection) -> Result<Router, DbErr> {
.allow_origin([ .allow_origin([
"http://localhost:3000".parse::<HeaderValue>().unwrap(), "http://localhost:3000".parse::<HeaderValue>().unwrap(),
"http://localhost:5173".parse::<HeaderValue>().unwrap(), "http://localhost:5173".parse::<HeaderValue>().unwrap(),
"http://localhost:5174".parse::<HeaderValue>().unwrap(),
"http://localhost:5175".parse::<HeaderValue>().unwrap(),
"http://localhost:8080".parse::<HeaderValue>().unwrap(), "http://localhost:8080".parse::<HeaderValue>().unwrap(),
]) ])
.allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS]) .allow_methods([Method::GET, Method::POST, Method::PUT, Method::DELETE, Method::OPTIONS])

36
backend/src/middleware.rs
View File

@@ -5,6 +5,7 @@ use axum::{
response::Response, response::Response,
}; };
use axum_login::AuthSession; use axum_login::AuthSession;
use tower_sessions::Session;
use crate::auth::AuthBackend; use crate::auth::AuthBackend;
@@ -21,3 +22,38 @@ pub async fn require_admin(
Ok(next.run(request).await) Ok(next.run(request).await)
} }
pub async fn require_family_access(
session: Session,
request: Request,
next: Next,
) -> Result<Response, StatusCode> {
let path = request.uri().path();
let family_id = extract_family_id_from_path(path)
.ok_or(StatusCode::BAD_REQUEST)?;
let authorized_families: Vec<i32> = session
.get("authorized_families")
.await
.unwrap_or(None)
.unwrap_or_default();
if !authorized_families.contains(&family_id) {
return Err(StatusCode::FORBIDDEN);
}
Ok(next.run(request).await)
}
fn extract_family_id_from_path(path: &str) -> Option<i32> {
let segments: Vec<&str> = path.split('/').collect();
if let Some(families_idx) = segments.iter().position(|&s| s == "families") {
if families_idx + 1 < segments.len() {
return segments[families_idx + 1].parse::<i32>().ok();
}
}
None
}

40
backend/src/migration/m20241215_000001_add_family_password.rs Normal file
View File

@@ -0,0 +1,40 @@
use sea_orm_migration::prelude::*;
#[derive(DeriveMigrationName)]
pub struct Migration;
#[async_trait::async_trait]
impl MigrationTrait for Migration {
async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
manager
.alter_table(
Table::alter()
.table(Family::Table)
.add_column(
ColumnDef::new(Family::PasswordHash)
.string()
.not_null()
.default("")
)
.to_owned(),
)
.await
}
async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
manager
.alter_table(
Table::alter()
.table(Family::Table)
.drop_column(Family::PasswordHash)
.to_owned(),
)
.await
}
}
#[derive(DeriveIden)]
enum Family {
Table,
PasswordHash,
}

2
backend/src/migration/mod.rs
View File

@@ -3,6 +3,7 @@ pub use sea_orm_migration::prelude::*;
mod m20241209_000001_create_tables; mod m20241209_000001_create_tables;
mod m20241209_000002_create_users; mod m20241209_000002_create_users;
mod m20241209_000003_seed_admin; mod m20241209_000003_seed_admin;
mod m20241215_000001_add_family_password;
pub struct Migrator; pub struct Migrator;
@@ -13,6 +14,7 @@ impl MigratorTrait for Migrator {
Box::new(m20241209_000001_create_tables::Migration), Box::new(m20241209_000001_create_tables::Migration),
Box::new(m20241209_000002_create_users::Migration), Box::new(m20241209_000002_create_users::Migration),
Box::new(m20241209_000003_seed_admin::Migration), Box::new(m20241209_000003_seed_admin::Migration),
Box::new(m20241215_000001_add_family_password::Migration),
] ]
} }
} }

2
backend/src/models/family.rs
View File

@@ -8,6 +8,8 @@ pub struct Model {
#[sea_orm(primary_key)] #[sea_orm(primary_key)]
pub id: i32, pub id: i32,
pub name: String, pub name: String,
#[serde(skip_serializing)]
pub password_hash: String,
} }
#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)] #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]

65
backend/src/routes/family.rs
View File

@@ -4,16 +4,30 @@ use axum::{
Json, Json,
}; };
use sea_orm::DatabaseConnection; use sea_orm::DatabaseConnection;
use serde::Deserialize; use serde::{Deserialize, Serialize};
use utoipa::ToSchema; use utoipa::ToSchema;
use tower_sessions::Session;
use crate::models::family::Model as FamilyModel; use crate::models::family::Model as FamilyModel;
use crate::services::FamilyService; use crate::services::FamilyService;
#[derive(Debug, Deserialize, ToSchema)] #[derive(Debug, Deserialize, ToSchema)]
#[schema(example = json!({"name": "Smith Family"}))] #[schema(example = json!({"name": "Smith Family", "password": "secret123"}))]
pub struct CreateFamilyRequest { pub struct CreateFamilyRequest {
pub name: String, pub name: String,
pub password: String,
}
#[derive(Debug, Deserialize, ToSchema)]
#[schema(example = json!({"password": "secret123"}))]
pub struct VerifyFamilyPasswordRequest {
pub password: String,
}
#[derive(Debug, Serialize, ToSchema)]
#[schema(example = json!({"valid": true}))]
pub struct VerifyFamilyPasswordResponse {
pub valid: bool,
} }
#[derive(Debug, Deserialize, ToSchema)] #[derive(Debug, Deserialize, ToSchema)]
@@ -36,7 +50,7 @@ pub async fn create_family(
State(db): State<DatabaseConnection>, State(db): State<DatabaseConnection>,
Json(payload): Json<CreateFamilyRequest>, Json(payload): Json<CreateFamilyRequest>,
) -> Result<Json<FamilyModel>, StatusCode> { ) -> Result<Json<FamilyModel>, StatusCode> {
FamilyService::create(&db, payload.name) FamilyService::create(&db, payload.name, payload.password)
.await .await
.map(Json) .map(Json)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR) .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
@@ -129,3 +143,48 @@ pub async fn delete_family(
.map(|_| StatusCode::NO_CONTENT) .map(|_| StatusCode::NO_CONTENT)
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR) .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)
} }
#[utoipa::path(
post,
path = "/families/{id}/verify",
tag = "families",
params(
("id" = i32, Path, description = "Family ID")
),
request_body = VerifyFamilyPasswordRequest,
responses(
(status = 200, description = "Password verified", body = VerifyFamilyPasswordResponse),
(status = 401, description = "Invalid password"),
(status = 500, description = "Internal server error")
)
)]
pub async fn verify_family_password(
State(db): State<DatabaseConnection>,
Path(id): Path<i32>,
session: Session,
Json(payload): Json<VerifyFamilyPasswordRequest>,
) -> Result<Json<VerifyFamilyPasswordResponse>, StatusCode> {
let valid = FamilyService::verify_password(&db, id, payload.password)
.await
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
if valid {
let mut authorized_families: Vec<i32> = session
.get("authorized_families")
.await
.unwrap_or(None)
.unwrap_or_default();
if !authorized_families.contains(&id) {
authorized_families.push(id);
session
.insert("authorized_families", authorized_families)
.await
.map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
}
Ok(Json(VerifyFamilyPasswordResponse { valid: true }))
} else {
Err(StatusCode::UNAUTHORIZED)
}
}

28
backend/src/services/family_service.rs
View File

@@ -1,18 +1,44 @@
use sea_orm::*; use sea_orm::*;
use argon2::{
password_hash::{rand_core::OsRng, PasswordHasher, SaltString, PasswordVerifier, PasswordHash},
Argon2,
};
use crate::models::family::{self, Entity as Family, Model as FamilyModel}; use crate::models::family::{self, Entity as Family, Model as FamilyModel};
pub struct FamilyService; pub struct FamilyService;
impl FamilyService { impl FamilyService {
pub async fn create(db: &DatabaseConnection, name: String) -> Result<FamilyModel, DbErr> { pub async fn create(db: &DatabaseConnection, name: String, password: String) -> Result<FamilyModel, DbErr> {
let salt = SaltString::generate(&mut OsRng);
let argon2 = Argon2::default();
let password_hash = argon2
.hash_password(password.as_bytes(), &salt)
.map_err(|_| DbErr::Custom("Failed to hash password".to_string()))?
.to_string();
let family = family::ActiveModel { let family = family::ActiveModel {
name: Set(name), name: Set(name),
password_hash: Set(password_hash),
..Default::default() ..Default::default()
}; };
family.insert(db).await family.insert(db).await
} }
pub async fn verify_password(db: &DatabaseConnection, id: i32, password: String) -> Result<bool, DbErr> {
let family = Family::find_by_id(id)
.one(db)
.await?
.ok_or(DbErr::RecordNotFound("Family not found".to_string()))?;
let parsed_hash = PasswordHash::new(&family.password_hash)
.map_err(|_| DbErr::Custom("Invalid password hash".to_string()))?;
Ok(Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.is_ok())
}
pub async fn find_by_id(db: &DatabaseConnection, id: i32) -> Result<Option<FamilyModel>, DbErr> { pub async fn find_by_id(db: &DatabaseConnection, id: i32) -> Result<Option<FamilyModel>, DbErr> {
Family::find_by_id(id).one(db).await Family::find_by_id(id).one(db).await
} }

5
frontend/src/api/client.ts
View File

@@ -9,6 +9,8 @@ import type {
CreateFamilyRequest, CreateFamilyRequest,
CreateCategoryRequest, CreateCategoryRequest,
CreateExpenseRequest, CreateExpenseRequest,
VerifyFamilyPasswordRequest,
VerifyFamilyPasswordResponse,
} from '../types'; } from '../types';
const API_BASE_URL = import.meta.env.VITE_API_BASE_URL || 'http://localhost:3000'; const API_BASE_URL = import.meta.env.VITE_API_BASE_URL || 'http://localhost:3000';
@@ -41,6 +43,9 @@ export const familyApi = {
delete: (id: number) => delete: (id: number) =>
apiClient.delete(`/families/${id}`), apiClient.delete(`/families/${id}`),
verifyPassword: (id: number, data: VerifyFamilyPasswordRequest) =>
apiClient.post<VerifyFamilyPasswordResponse>(`/families/${id}/verify`, data),
}; };
export const categoryApi = { export const categoryApi = {

22
frontend/src/pages/AdminPanel.tsx
View File

@@ -13,6 +13,7 @@ export default function AdminPanel() {
const [loginError, setLoginError] = useState(''); const [loginError, setLoginError] = useState('');
const [newFamilyName, setNewFamilyName] = useState(''); const [newFamilyName, setNewFamilyName] = useState('');
const [newFamilyPassword, setNewFamilyPassword] = useState('');
const [families, setFamilies] = useState<Array<{ id: number; name: string }>>([]); const [families, setFamilies] = useState<Array<{ id: number; name: string }>>([]);
useEffect(() => { useEffect(() => {
@@ -64,11 +65,15 @@ export default function AdminPanel() {
}; };
const handleCreateFamily = async () => { const handleCreateFamily = async () => {
if (!newFamilyName.trim()) return; if (!newFamilyName.trim() || !newFamilyPassword.trim()) {
alert('Заполните название и пароль семьи');
return;
}
try { try {
await familyApi.create({ name: newFamilyName }); await familyApi.create({ name: newFamilyName, password: newFamilyPassword });
setNewFamilyName(''); setNewFamilyName('');
setNewFamilyPassword('');
loadFamilies(); loadFamilies();
} catch (err) { } catch (err) {
alert('Ошибка создания семьи'); alert('Ошибка создания семьи');
@@ -168,17 +173,24 @@ export default function AdminPanel() {
Создать новую семью Создать новую семью
</h2> </h2>
<div className="flex gap-2"> <div className="space-y-3">
<input <input
type="text" type="text"
placeholder="Название семьи" placeholder="Название семьи"
value={newFamilyName} value={newFamilyName}
onChange={(e) => setNewFamilyName(e.target.value)} onChange={(e) => setNewFamilyName(e.target.value)}
className="flex-1 px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent" className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent"
/>
<input
type="password"
placeholder="Пароль семьи"
value={newFamilyPassword}
onChange={(e) => setNewFamilyPassword(e.target.value)}
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent"
/> />
<button <button
onClick={handleCreateFamily} onClick={handleCreateFamily}
className="px-6 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 transition" className="w-full px-6 py-2 bg-green-600 text-white rounded-lg hover:bg-green-700 transition"
> >
Создать Создать
</button> </button>

19
frontend/src/pages/FamilyView.tsx
View File

@@ -97,18 +97,25 @@ export default function FamilyView() {
const handleResetLimit = async (categoryId: number) => { const handleResetLimit = async (categoryId: number) => {
if (!familyId) return; if (!familyId) return;
const newLimit = prompt('Введите новый лимит:'); if (!confirm('Удалить все траты по этой категории?')) return;
if (!newLimit) return;
try { try {
await categoryApi.resetLimit( const expensesResponse = await expenseApi.getAllByCategory(
parseInt(familyId),
categoryId
);
for (const expense of expensesResponse.data) {
await expenseApi.delete(
parseInt(familyId), parseInt(familyId),
categoryId, categoryId,
parseFloat(newLimit) expense.id
); );
}
loadCategories(); loadCategories();
} catch (err) { } catch (err) {
alert('Ошибка сброса лимита'); alert('Ошибка сброса трат');
console.error(err); console.error(err);
} }
}; };
@@ -280,7 +287,7 @@ export default function FamilyView() {
onClick={() => handleResetLimit(category.id)} onClick={() => handleResetLimit(category.id)}
className="px-4 py-1 bg-yellow-500 text-white rounded hover:bg-yellow-600" className="px-4 py-1 bg-yellow-500 text-white rounded hover:bg-yellow-600"
> >
Сбросить лимит Обнулить траты
</button> </button>
<button <button
onClick={() => handleDeleteCategory(category.id)} onClick={() => handleDeleteCategory(category.id)}

98
frontend/src/pages/Home.tsx
View File

@@ -1,6 +1,6 @@
import { useEffect, useState } from 'react'; import { useEffect, useState } from 'react';
import { useNavigate } from 'react-router-dom'; import { useNavigate } from 'react-router-dom';
import { familyApi } from '../api/client'; import { familyApi, categoryApi } from '../api/client';
import { useStore } from '../store/useStore'; import { useStore } from '../store/useStore';
import type { Family } from '../types'; import type { Family } from '../types';
@@ -10,6 +10,11 @@ export default function Home() {
const [loading, setLoading] = useState(true); const [loading, setLoading] = useState(true);
const [error, setError] = useState(''); const [error, setError] = useState('');
const [showPasswordDialog, setShowPasswordDialog] = useState(false);
const [selectedFamilyForAuth, setSelectedFamilyForAuth] = useState<Family | null>(null);
const [familyPassword, setFamilyPassword] = useState('');
const [passwordError, setPasswordError] = useState('');
useEffect(() => { useEffect(() => {
loadFamilies(); loadFamilies();
}, []); }, []);
@@ -27,9 +32,54 @@ export default function Home() {
} }
}; };
const handleSelectFamily = (family: Family) => { const handleSelectFamily = async (family: Family) => {
try {
await categoryApi.getAllByFamily(family.id);
setSelectedFamily(family); setSelectedFamily(family);
navigate(`/family/${family.id}`); navigate(`/family/${family.id}`);
} catch (err: any) {
if (err.response?.status === 403) {
setSelectedFamilyForAuth(family);
setShowPasswordDialog(true);
setPasswordError('');
setFamilyPassword('');
} else {
setError('Ошибка доступа к семье');
}
}
};
const handleVerifyPassword = async () => {
if (!selectedFamilyForAuth || !familyPassword.trim()) {
setPasswordError('Введите пароль');
return;
}
try {
const response = await familyApi.verifyPassword(selectedFamilyForAuth.id, {
password: familyPassword,
});
if (response.data.valid) {
setSelectedFamily(selectedFamilyForAuth);
setShowPasswordDialog(false);
navigate(`/family/${selectedFamilyForAuth.id}`);
}
} catch (err: any) {
if (err.response?.status === 401) {
setPasswordError('Неверный пароль');
} else {
setPasswordError('Ошибка проверки пароля');
}
console.error(err);
}
};
const handleCancelPasswordDialog = () => {
setShowPasswordDialog(false);
setSelectedFamilyForAuth(null);
setFamilyPassword('');
setPasswordError('');
}; };
const handleGoToAdmin = () => { const handleGoToAdmin = () => {
@@ -90,6 +140,50 @@ export default function Home() {
</div> </div>
)} )}
</div> </div>
{showPasswordDialog && selectedFamilyForAuth && (
<div className="fixed inset-0 bg-black bg-opacity-50 flex items-center justify-center p-4 z-50">
<div className="bg-white rounded-lg shadow-xl p-8 max-w-md w-full">
<h2 className="text-2xl font-bold text-gray-900 mb-4">
Введите пароль для семьи
</h2>
<p className="text-gray-600 mb-6">
{selectedFamilyForAuth.name}
</p>
{passwordError && (
<div className="mb-4 p-3 bg-red-100 border border-red-400 text-red-700 rounded">
{passwordError}
</div>
)}
<input
type="password"
placeholder="Пароль"
value={familyPassword}
onChange={(e) => setFamilyPassword(e.target.value)}
onKeyDown={(e) => e.key === 'Enter' && handleVerifyPassword()}
className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-blue-500 focus:border-transparent mb-4"
autoFocus
/>
<div className="flex gap-2">
<button
onClick={handleVerifyPassword}
className="flex-1 px-4 py-2 bg-blue-600 text-white rounded-lg hover:bg-blue-700 transition"
>
Войти
</button>
<button
onClick={handleCancelPasswordDialog}
className="flex-1 px-4 py-2 bg-gray-300 text-gray-700 rounded-lg hover:bg-gray-400 transition"
>
Отмена
</button>
</div>
</div>
</div>
)}
</div> </div>
</div> </div>
); );

9
frontend/src/types/index.ts
View File

@@ -36,6 +36,15 @@ export interface LoginResponse {
export interface CreateFamilyRequest { export interface CreateFamilyRequest {
name: string; name: string;
password: string;
}
export interface VerifyFamilyPasswordRequest {
password: string;
}
export interface VerifyFamilyPasswordResponse {
valid: boolean;
} }
export interface CreateCategoryRequest { export interface CreateCategoryRequest {