family_budget/backend/src/auth.rs

use axum_login::{AuthUser, AuthnBackend, UserId};
use sea_orm::{DatabaseConnection, EntityTrait, ColumnTrait, QueryFilter};
use argon2::{
    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
    Argon2,
};

use crate::models::{user, User};

#[derive(Debug, Clone)]
pub struct AuthBackend {
    pub db: DatabaseConnection,
}

impl AuthUser for user::Model {
    type Id = i32;

    fn id(&self) -> Self::Id {
        self.id
    }

    fn session_auth_hash(&self) -> &[u8] {
        self.password_hash.as_deref().unwrap_or("oauth").as_bytes()
    }
}

#[derive(Debug, thiserror::Error)]
pub enum Error {
    #[error("Database error: {0}")]
    Database(#[from] sea_orm::DbErr),
    #[error("Password hashing error")]
    PasswordHash,
    #[error("Invalid credentials")]
    InvalidCredentials,
}

#[derive(Debug, Clone)]
pub struct Credentials {
    pub username: String,
    pub password: String,
}

impl AuthnBackend for AuthBackend {
    type User = user::Model;
    type Credentials = Credentials;
    type Error = Error;

    fn authenticate(
        &self,
        creds: Self::Credentials,
    ) -> impl Future<Output = Result<Option<Self::User>, Self::Error>> + Send {
        let db = self.db.clone();
        async move {
            let user = User::find()
                .filter(user::Column::Username.eq(&creds.username))
                .one(&db)
                .await?;

            if let Some(user) = user {
                let password_hash = user.password_hash.as_ref().ok_or(Error::InvalidCredentials)?;
                let parsed_hash = PasswordHash::new(password_hash)
                    .map_err(|_| Error::PasswordHash)?;

                let is_valid = Argon2::default()
                    .verify_password(creds.password.as_bytes(), &parsed_hash)
                    .is_ok();

                if is_valid {
                    Ok(Some(user))
                } else {
                    Err(Error::InvalidCredentials)
                }
            } else {
                Err(Error::InvalidCredentials)
            }
        }
    }

    fn get_user(
        &self,
        user_id: &UserId<Self>,
    ) -> impl Future<Output = Result<Option<Self::User>, Self::Error>> + Send {
        let db = self.db.clone();
        let user_id = *user_id;
        async move {
            let user = User::find_by_id(user_id).one(&db).await?;
            Ok(user)
        }
    }
}

pub fn hash_password(password: &str) -> Result<String, Error> {
    let salt = SaltString::generate(&mut OsRng);
    let argon2 = Argon2::default();

    argon2
        .hash_password(password.as_bytes(), &salt)
        .map(|hash| hash.to_string())
        .map_err(|_| Error::PasswordHash)
}