filipriec/kompress_eshop
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

oauth2

Browse Source
This commit is contained in:
Priec
2026-06-18 18:26:40 +02:00
parent 7da4109584
commit 42bab82960
25 changed files with 1250 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

708
Cargo.lock generated
View File

File diff suppressed because it is too large Load Diff

3
Cargo.toml
View File

@@ -46,6 +46,9 @@ unic-langid = { version = "0.9" }
axum-extra = { version = "0.10", features = ["form"] }
bytes = { version = "1" }
axum-casbin = "1.3.0"
loco-oauth2 = "0.5.0"
passwords = "3.1.16"
tower-sessions = "0.14"
[[bin]]
name = "kompress-eshop-cli"

2
assets/i18n/en/main.ftl
View File

@@ -66,6 +66,8 @@ login-email = Email
login-password = Password
login-no-account = Don't have an account?
login-have-account = Already have an account?
auth-or = or
auth-google = Continue with Google
nav-login = Sign in
nav-register = Register
register-title = Create account

2
assets/i18n/sk/main.ftl
View File

@@ -66,6 +66,8 @@ login-email = E-mail
login-password = Heslo
login-no-account = Nemáte účet?
login-have-account = Už máte účet?
auth-or = alebo
auth-google = Pokračovať cez Google
nav-login = Prihlásiť sa
nav-register = Registrácia
register-title = Vytvoriť účet

2
assets/static/css/app.css
View File

File diff suppressed because one or more lines are too long

7
assets/views/auth/login.html
View File

@@ -46,6 +46,13 @@
{{ ui::button(label=t(key="login-auth", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
</form>
<div class="mt-5 flex items-center gap-3 text-xs text-on-surface/50 dark:text-on-surface-dark/50">
<span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
{{ t(key="auth-or", lang=lang | default(value='sk')) }}
<span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
</div>
{{ ui::button(label=t(key="auth-google", lang=lang | default(value='sk')), href="/api/oauth2/google", variant="outline-secondary", attrs='hx-boost="false"', extra="mt-4 w-full", icon='<svg class="size-4" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path fill="#FFC107" d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z"/><path fill="#FF3D00" d="m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z"/><path fill="#4CAF50" d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z"/><path fill="#1976D2" d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z"/></svg>') }}
<p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
{{ t(key="login-no-account", lang=lang | default(value='sk')) }}
<a href="/register"

7
assets/views/auth/register.html
View File

@@ -54,6 +54,13 @@
{{ ui::button(label=t(key="register-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
</form>
<div class="mt-5 flex items-center gap-3 text-xs text-on-surface/50 dark:text-on-surface-dark/50">
<span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
{{ t(key="auth-or", lang=lang | default(value='sk')) }}
<span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
</div>
{{ ui::button(label=t(key="auth-google", lang=lang | default(value='sk')), href="/api/oauth2/google", variant="outline-secondary", attrs='hx-boost="false"', extra="mt-4 w-full", icon='<svg class="size-4" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path fill="#FFC107" d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z"/><path fill="#FF3D00" d="m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z"/><path fill="#4CAF50" d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z"/><path fill="#1976D2" d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z"/></svg>') }}
<p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
{{ t(key="login-have-account", lang=lang | default(value='sk')) }}
<a href="/login"

27
config/development.yaml
View File

@@ -125,3 +125,30 @@ settings:
# Bank-transfer payment details shown on the order confirmation.
bank_iban: {{ get_env(name="BANK_IBAN", default="SK00 0000 0000 0000 0000 0000") }}
bank_account_name: {{ get_env(name="BANK_ACCOUNT_NAME", default="Kompress s.r.o.") }}
# loco-oauth2: social login. Credentials come from .env (create them in the
# Google Cloud console and register the redirect_url below as an authorized
# redirect URI). Until OAUTH_CLIENT_ID/SECRET are set, the "Continue with
# Google" button will fail at the consent screen — the rest of auth is unaffected.
initializers:
oauth2:
# Key for the loco-oauth2 private cookie jar (>= 64 bytes). Override in prod.
secret_key: {{ get_env(name="OAUTH_PRIVATE_KEY", default="144, 76, 183, 1, 15, 184, 233, 174, 214, 251, 190, 186, 122, 61, 74, 84, 225, 110, 189, 115, 10, 251, 133, 128, 52, 46, 15, 66, 85, 1, 245, 73, 27, 113, 189, 15, 209, 205, 61, 100, 73, 31, 18, 58, 235, 105, 141, 36, 70, 92, 231, 151, 27, 32, 243, 117, 30, 244, 110, 89, 233, 196, 137, 130") }}
authorization_code:
- client_identifier: google
client_credentials:
client_id: {{ get_env(name="OAUTH_CLIENT_ID", default="oauth_client_id") }}
client_secret: {{ get_env(name="OAUTH_CLIENT_SECRET", default="oauth_client_secret") }}
url_config:
auth_url: {{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}
token_url: {{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}
redirect_url: {{ get_env(name="OAUTH_REDIRECT_URL", default="http://localhost:5150/api/oauth2/google/callback/cookie") }}
profile_url: {{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}
scopes:
- "https://www.googleapis.com/auth/userinfo.email"
- "https://www.googleapis.com/auth/userinfo.profile"
cookie_config:
# After loco-oauth2 sets its session cookie it redirects here, where we
# mint our own auth_token cookie (see controllers/oauth2.rs::complete).
protected_url: {{ get_env(name="OAUTH_PROTECTED_URL", default="http://localhost:5150/api/oauth2/protected") }}
timeout_seconds: 600

22
config/production.yaml
View File

@@ -55,3 +55,25 @@ auth:
settings:
admin_email: "{{ get_env(name="ADMIN_EMAIL", default="") }}"
uploads_root: "{{ get_env(name="UPLOADS_ROOT", default="data/uploads") }}"
# loco-oauth2 social login. All values must come from the environment in prod;
# OAUTH_REDIRECT_URL / OAUTH_PROTECTED_URL must use the real public origin.
initializers:
oauth2:
secret_key: "{{ get_env(name="OAUTH_PRIVATE_KEY") }}"
authorization_code:
- client_identifier: google
client_credentials:
client_id: "{{ get_env(name="OAUTH_CLIENT_ID") }}"
client_secret: "{{ get_env(name="OAUTH_CLIENT_SECRET") }}"
url_config:
auth_url: "{{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}"
token_url: "{{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}"
redirect_url: "{{ get_env(name="OAUTH_REDIRECT_URL") }}"
profile_url: "{{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}"
scopes:
- "https://www.googleapis.com/auth/userinfo.email"
- "https://www.googleapis.com/auth/userinfo.profile"
cookie_config:
protected_url: "{{ get_env(name="OAUTH_PROTECTED_URL") }}"
timeout_seconds: 600

104
docs/integrations/google-oauth.md Normal file
View File

@@ -0,0 +1,104 @@
# Google OAuth2 sign-in
"Continue with Google" on `/login` and `/register` is wired through
[`loco-oauth2`](https://github.com/yinho999/loco-oauth2). The code is complete
and compiles; this doc is the checklist to make the live flow work. Until the
credentials below are set, the button reaches Google and fails at the consent
screen — the rest of auth (password login, registration, verification) is
unaffected.
## How the flow works (for context)
1. User clicks **Continue with Google**`GET /api/oauth2/google` redirects to
Google's consent screen.
2. Google redirects back to `GET /api/oauth2/google/callback/cookie`.
loco-oauth2 exchanges the code, fetches the profile, upserts the user
(`OAuth2UserTrait::upsert_with_oauth`), stores an `o_auth2_sessions` row, sets
its own private session cookie, and redirects to `protected_url`.
3. `protected_url` = `GET /api/oauth2/protected` (our bridge,
`controllers/oauth2.rs::complete`). It mints **our** `auth_token` JWT cookie
and redirects: admins (email == `ADMIN_EMAIL`) → `/admin/dashboard`,
everyone else → `/`.
From there the user is a normal logged-in user (same JWT cookie as a password
login; the Casbin layer and guards treat them identically).
## 1. Create Google OAuth credentials
1. Go to <https://console.cloud.google.com/> → create/select a project.
2. **APIs & Services → OAuth consent screen**: configure it (External), add the
`.../auth/userinfo.email` and `.../auth/userinfo.profile` scopes, and add
your Google account as a **test user** while the app is in "Testing".
3. **APIs & Services → Credentials → Create Credentials → OAuth client ID**:
- Application type: **Web application**.
- **Authorized redirect URIs** — add exactly (must match the config's
`redirect_url`, no trailing slash):
- dev: `http://localhost:5150/api/oauth2/google/callback/cookie`
- prod: `https://YOUR_DOMAIN/api/oauth2/google/callback/cookie`
4. Copy the generated **Client ID** and **Client secret**.
## 2. Set environment variables (`.env`)
Read by `config/development.yaml``initializers.oauth2` (and the prod
equivalent). dotenvy loads `.env` on boot.
```bash
# Required
OAUTH_CLIENT_ID=xxxxxxxx.apps.googleusercontent.com
OAUTH_CLIENT_SECRET=xxxxxxxx
# Required in PRODUCTION (dev has working defaults)
OAUTH_PRIVATE_KEY="comma,separated,bytes >= 64 long" # key for loco-oauth2's private cookie jar
OAUTH_REDIRECT_URL=https://YOUR_DOMAIN/api/oauth2/google/callback/cookie
OAUTH_PROTECTED_URL=https://YOUR_DOMAIN/api/oauth2/protected
```
Notes:
- **dev** ships defaults for everything except `OAUTH_CLIENT_ID` /
`OAUTH_CLIENT_SECRET`, so locally you only need those two.
- `OAUTH_PRIVATE_KEY` must be ≥ 64 bytes (the dev default is a sample key — do
**not** reuse it in production). Generate a fresh one, e.g.
`python3 -c "import os;print(','.join(str(b) for b in os.urandom(64)))"`.
- `OAUTH_REDIRECT_URL` here and the Authorized redirect URI in the Google
console must be byte-for-byte identical.
## 3. Run / test
```bash
nix develop -c cargo loco start # MUST be inside nix develop (OpenSSL link, see memory)
```
- `auto_migrate: true` (dev) creates the `o_auth2_sessions` table on boot.
- Open `http://localhost:5150/login`**Continue with Google** → consent →
you should land back on `/` logged in (cart/nav reflect the session).
## 4. Production checklist
- [ ] Separate OAuth client (or at least the prod redirect URI) in Google.
- [ ] OAuth consent screen **published** (not just "Testing"), or real users
get blocked.
- [ ] `OAUTH_PRIVATE_KEY` set to a fresh ≥64-byte key (not the dev sample).
- [ ] `OAUTH_REDIRECT_URL` / `OAUTH_PROTECTED_URL` use the real `https://` origin.
- [ ] `server.host` / public origin correct so cookies + redirects resolve.
## Troubleshooting
| Symptom | Cause / fix |
|---|---|
| `redirect_uri_mismatch` at Google | Authorized redirect URI ≠ `OAUTH_REDIRECT_URL`. Make them identical (scheme, host, port, path, no trailing slash). |
| 403 / "access blocked: app not verified" | Add your account as a test user, or publish the consent screen. |
| `openssl-sys ... Could not find directory` at build | You ran `cargo` outside the dev shell. Use `nix develop -c cargo ...`. |
| Callback 500 / "could not create oauth2 store" | `initializers.oauth2` missing/invalid, or `OAUTH_PRIVATE_KEY` < 64 bytes. |
| Logged into Google but not into the app | The bridge (`/api/oauth2/protected`) didn't run check `protected_url` (`OAUTH_PROTECTED_URL`) points at it. |
## Where things live
- Config: `config/development.yaml` / `config/production.yaml`
`initializers.oauth2`
- Client store + session initializers: `src/initializers/oauth2.rs`,
`src/initializers/oauth2_session.rs`
- Routes + bridge handler: `src/controllers/oauth2.rs`
- User upsert (random password per advisory LOC-2025-04): `src/models/users.rs`
(`OAuth2UserTrait`)
- Session table: `src/models/o_auth2_sessions.rs` +
`migration/.../m20260618_000001_o_auth2_sessions.rs`

3
flake.nix
View File

@@ -86,7 +86,10 @@
buildInputs = [
rust
pkgs.pkg-config
# OpenSSL for crypto dependencies (loco-oauth2 -> oauth2/reqwest
# use native-tls); .dev provides headers + pkg-config metadata.
pkgs.openssl
pkgs.openssl.dev
pkgs.cmake
pkgs.llvmPackages.clang
pkgs.llvmPackages.libclang.lib

2
migration/src/lib.rs
View File

@@ -30,6 +30,7 @@ mod m20260616_160000_add_parent_to_categories;
mod m20260617_000001_add_carrier_to_shipping_methods;
mod m20260617_000002_add_shipment_to_orders;
mod m20260617_000003_add_phone_to_orders;
mod m20260618_000001_o_auth2_sessions;
pub struct Migrator;
#[async_trait::async_trait]
@@ -64,6 +65,7 @@ impl MigratorTrait for Migrator {
Box::new(m20260617_000001_add_carrier_to_shipping_methods::Migration),
Box::new(m20260617_000002_add_shipment_to_orders::Migration),
Box::new(m20260617_000003_add_phone_to_orders::Migration),
Box::new(m20260618_000001_o_auth2_sessions::Migration),
// inject-above (do not remove this comment)
]
}

29
migration/src/m20260618_000001_o_auth2_sessions.rs Normal file
View File

@@ -0,0 +1,29 @@
use loco_rs::schema::*;
use sea_orm_migration::prelude::*;
#[derive(DeriveMigrationName)]
pub struct Migration;
#[async_trait::async_trait]
impl MigrationTrait for Migration {
async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
// OAuth2 session store used by loco-oauth2 to correlate the provider's
// access token with a local user during the callback flow. `user` adds
// a user_id FK to the users table.
create_table(
m,
"o_auth2_sessions",
&[
("id", ColType::PkAuto),
("session_id", ColType::StringUniq),
("expires_at", ColType::TimestampWithTimeZone),
],
&[("user", "")],
)
.await
}
async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
drop_table(m, "o_auth2_sessions").await
}
}

6
src/app.rs
View File

@@ -18,7 +18,8 @@ use std::{path::Path, sync::Arc};
use crate::{
controllers::{
admin_categories, admin_dashboard, admin_form, admin_orders,
admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, shop,
admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, oauth2,
shop,
},
initializers,
models::_entities::users,
@@ -75,6 +76,8 @@ impl Hooks for App {
Box::new(initializers::view_engine::ViewEngineInitializer),
Box::new(initializers::admin_seeder::AdminSeeder),
Box::new(initializers::shipping_seeder::ShippingSeeder),
Box::new(initializers::oauth2::OAuth2StoreInitializer),
Box::new(initializers::oauth2_session::OAuth2SessionInitializer),
])
}
@@ -88,6 +91,7 @@ impl Hooks for App {
// cross-cutting
.add_route(auth::routes())
.add_route(auth_pages::routes())
.add_route(oauth2::routes())
.add_route(i18n::routes())
.add_route(media::routes())
// admin

1
src/controllers/mod.rs
View File

@@ -1,5 +1,6 @@
pub mod auth;
pub mod auth_pages;
pub mod oauth2;
pub mod admin_categories;
pub mod admin_dashboard;
pub mod admin_form;

56
src/controllers/oauth2.rs Normal file
View File

@@ -0,0 +1,56 @@
//! HTML OAuth2 (Google) sign-in.
//!
//! The provider round-trip is handled by loco-oauth2's built-in authorize +
//! cookie-callback handlers. The callback upserts the user, stores an OAuth2
//! session, sets loco-oauth2's *private* session cookie, and redirects to the
//! configured `protected_url` — which is our [`complete`] handler. There we
//! trade the OAuth2 session for OUR Loco `auth_token` JWT cookie, so the rest of
//! the app (the Casbin layer, `guard`, the unified `/login`) treats a Google
//! user exactly like a password login. Admins (matching `ADMIN_EMAIL`) land on
//! the dashboard, everyone else on the storefront.
use loco_oauth2::controllers::{
middleware::OAuth2CookieUser,
oauth2::{google_authorization_url, google_callback_cookie},
};
use loco_rs::prelude::*;
use crate::{
controllers::auth as auth_controller,
models::{o_auth2_sessions, users, users::OAuth2UserProfile},
shared::guard,
};
type GoogleCookieUser = OAuth2CookieUser<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>;
/// Bridge from loco-oauth2's session cookie to our own auth cookie.
#[debug_handler]
async fn complete(State(ctx): State<AppContext>, user: GoogleCookieUser) -> Result<Response> {
let user: &users::Model = user.as_ref();
let jwt_secret = ctx.config.get_jwt_config()?;
let token = user
.generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
.or_else(|_| unauthorized("unauthorized!"))?;
let dest = if guard::is_admin(&ctx, user) {
"/admin/dashboard"
} else {
"/"
};
format::render()
.cookies(&[auth_controller::auth_cookie(&token, jwt_secret.expiration)])?
.redirect(dest)
}
pub fn routes() -> Routes {
Routes::new()
.prefix("api/oauth2")
// Redirects the browser to Google's consent screen.
.add("/google", get(google_authorization_url))
// Google redirects back here; loco-oauth2 exchanges the code, upserts
// the user, and redirects to `protected_url` (/api/oauth2/protected).
.add(
"/google/callback/cookie",
get(google_callback_cookie::<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>),
)
.add("/protected", get(complete))
}

2
src/initializers/mod.rs
View File

@@ -1,3 +1,5 @@
pub mod admin_seeder;
pub mod oauth2;
pub mod oauth2_session;
pub mod shipping_seeder;
pub mod view_engine;

36
src/initializers/oauth2.rs Normal file
View File

@@ -0,0 +1,36 @@
//! Builds the loco-oauth2 client store from `initializers.oauth2` config and
//! injects it as an Axum extension so the oauth2 controllers can reach it.
use axum::{Extension, Router as AxumRouter};
use loco_oauth2::{config::Config as OAuth2Config, OAuth2ClientStore};
use loco_rs::prelude::*;
pub struct OAuth2StoreInitializer;
#[async_trait]
impl Initializer for OAuth2StoreInitializer {
fn name(&self) -> String {
"oauth2-store".to_string()
}
async fn after_routes(&self, router: AxumRouter, ctx: &AppContext) -> Result<AxumRouter> {
let settings = ctx.config.initializers.clone().ok_or_else(|| {
Error::Message("Initializers config not configured for OAuth2".to_string())
})?;
let oauth2_config_value = settings
.get("oauth2")
.ok_or_else(|| {
Error::Message("oauth2 config not found in initializers configuration".to_string())
})?
.clone();
let oauth2_config: OAuth2Config = oauth2_config_value.try_into().map_err(|e| {
tracing::error!(error = ?e, "could not convert oauth2 config from yaml");
Error::Message("could not convert oauth2 config from yaml".to_string())
})?;
let oauth2_store = OAuth2ClientStore::new(oauth2_config).map_err(|e| {
tracing::error!(error = ?e, "could not create oauth2 store from config");
Error::Message("could not create oauth2 store from config".to_string())
})?;
Ok(router.layer(Extension(oauth2_store)))
}
}

25
src/initializers/oauth2_session.rs Normal file
View File

@@ -0,0 +1,25 @@
//! tower-sessions layer that loco-oauth2 uses to hold the short-lived CSRF /
//! PKCE state between the authorize redirect and the provider callback. An
//! in-memory store is sufficient since the state only needs to survive the
//! round-trip to the provider.
use axum::Router as AxumRouter;
use loco_rs::prelude::*;
use tower_sessions::{cookie::time::Duration, Expiry, MemoryStore, SessionManagerLayer};
pub struct OAuth2SessionInitializer;
#[async_trait]
impl Initializer for OAuth2SessionInitializer {
fn name(&self) -> String {
"oauth2-session".to_string()
}
async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
let session_store = MemoryStore::default();
let session_layer = SessionManagerLayer::new(session_store)
.with_secure(false)
.with_expiry(Expiry::OnInactivity(Duration::minutes(10)));
Ok(router.layer(session_layer))
}
}

1
src/models/_entities/mod.rs
View File

@@ -4,6 +4,7 @@ pub mod prelude;
pub mod audit_logs;
pub mod categories;
pub mod o_auth2_sessions;
pub mod order_items;
pub mod orders;
pub mod product_images;

36
src/models/_entities/o_auth2_sessions.rs Normal file
View File

@@ -0,0 +1,36 @@
//! `SeaORM` Entity for loco-oauth2 sessions. Hand-written to match the
//! `o_auth2_sessions` migration (the rest of `_entities/` is codegen; this table
//! is owned by the loco-oauth2 integration).
use sea_orm::entity::prelude::*;
use serde::{Deserialize, Serialize};
#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
#[sea_orm(table_name = "o_auth2_sessions")]
pub struct Model {
pub created_at: DateTimeUtc,
pub updated_at: DateTimeUtc,
#[sea_orm(primary_key)]
pub id: i32,
pub session_id: String,
pub expires_at: DateTimeUtc,
pub user_id: i32,
}
#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
pub enum Relation {
#[sea_orm(
belongs_to = "super::users::Entity",
from = "Column::UserId",
to = "super::users::Column::Id",
on_update = "Cascade",
on_delete = "Cascade"
)]
Users,
}
impl Related<super::users::Entity> for Entity {
fn to() -> RelationDef {
Relation::Users.def()
}
}

1
src/models/_entities/prelude.rs
View File

@@ -2,6 +2,7 @@
pub use super::audit_logs::Entity as AuditLogs;
pub use super::categories::Entity as Categories;
pub use super::o_auth2_sessions::Entity as OAuth2Sessions;
pub use super::order_items::Entity as OrderItems;
pub use super::orders::Entity as Orders;
pub use super::product_images::Entity as ProductImages;

1
src/models/mod.rs
View File

@@ -8,6 +8,7 @@ pub mod _entities;
pub mod audit_logs;
pub mod categories;
pub mod o_auth2_sessions;
pub mod order_items;
pub mod orders;
pub mod product_images;

79
src/models/o_auth2_sessions.rs Normal file
View File

@@ -0,0 +1,79 @@
pub use super::_entities::o_auth2_sessions::{ActiveModel, Column, Entity, Model};
use crate::models::{o_auth2_sessions, users};
use async_trait::async_trait;
use chrono::Utc;
use loco_oauth2::base_oauth2::{basic::BasicTokenResponse, TokenResponse};
use loco_oauth2::models::oauth2_sessions::OAuth2SessionsTrait;
use loco_rs::prelude::*;
use sea_orm::entity::prelude::*;
pub type OAuth2Sessions = Entity;
#[async_trait::async_trait]
impl ActiveModelBehavior for ActiveModel {
async fn before_save<C>(self, _db: &C, insert: bool) -> std::result::Result<Self, DbErr>
where
C: ConnectionTrait,
{
if !insert && self.updated_at.is_unchanged() {
let mut this = self;
this.updated_at = sea_orm::ActiveValue::Set(Utc::now());
Ok(this)
} else {
Ok(self)
}
}
}
#[async_trait]
impl OAuth2SessionsTrait<users::Model> for Model {
/// Whether the session identified by `session_id` has expired.
async fn is_expired(db: &DatabaseConnection, session_id: &str) -> ModelResult<bool> {
let session = o_auth2_sessions::Entity::find()
.filter(o_auth2_sessions::Column::SessionId.eq(session_id))
.one(db)
.await?
.ok_or_else(|| ModelError::EntityNotFound)?;
Ok(session.expires_at < Utc::now())
}
/// Create or refresh the session row for `user` from the provider token.
async fn upsert_with_oauth2(
db: &DatabaseConnection,
token: &BasicTokenResponse,
user: &users::Model,
) -> ModelResult<Self> {
let txn = db.begin().await?;
let session_id = token.access_token().secret().clone();
let expires_at = Utc::now()
+ token
.expires_in()
.unwrap_or(std::time::Duration::from_secs(3600));
let session = match o_auth2_sessions::Entity::find()
.filter(o_auth2_sessions::Column::UserId.eq(user.id))
.one(&txn)
.await?
{
Some(session) => {
let mut session: o_auth2_sessions::ActiveModel = session.into();
session.session_id = ActiveValue::set(session_id);
session.expires_at = ActiveValue::set(expires_at);
session.updated_at = ActiveValue::set(Utc::now());
session.update(&txn).await?
}
None => {
o_auth2_sessions::ActiveModel {
session_id: ActiveValue::set(session_id),
expires_at: ActiveValue::set(expires_at),
user_id: ActiveValue::set(user.id),
..Default::default()
}
.insert(&txn)
.await?
}
};
txn.commit().await?;
Ok(session)
}
}

93
src/models/users.rs
View File

@@ -1,10 +1,13 @@
use async_trait::async_trait;
use chrono::{offset::Local, Duration};
use loco_oauth2::models::users::OAuth2UserTrait;
use loco_rs::{auth::jwt, hash, prelude::*};
use passwords::PasswordGenerator;
use serde::{Deserialize, Serialize};
use serde_json::Map;
use uuid::Uuid;
use crate::models::_entities::o_auth2_sessions;
pub use crate::models::_entities::users::{self, ActiveModel, Entity, Model};
pub const MAGIC_LINK_LENGTH: i8 = 32;
@@ -367,3 +370,93 @@ impl ActiveModel {
self.update(db).await.map_err(ModelError::from)
}
}
/// Google OpenID Connect user profile (the fields our scopes request).
/// <https://developers.google.com/identity/openid-connect/openid-connect#obtainuserinfo>
#[derive(Serialize, Deserialize, Clone, Debug)]
pub struct OAuth2UserProfile {
pub email: String,
pub name: String,
pub sub: String,
pub email_verified: bool,
pub given_name: Option<String>,
pub family_name: Option<String>,
pub picture: Option<String>,
pub locale: Option<String>,
}
#[async_trait]
impl OAuth2UserTrait<OAuth2UserProfile> for Model {
/// Resolve the user behind an active OAuth2 session id.
async fn find_by_oauth2_session_id(
db: &DatabaseConnection,
session_id: &str,
) -> ModelResult<Self> {
let session = o_auth2_sessions::Entity::find()
.filter(o_auth2_sessions::Column::SessionId.eq(session_id))
.one(db)
.await?
.ok_or_else(|| ModelError::EntityNotFound)?;
users::Entity::find_by_id(session.user_id)
.one(db)
.await?
.ok_or_else(|| ModelError::EntityNotFound)
}
/// Find-or-create the local user for a verified OAuth2 profile.
///
/// Per security advisory LOC-2025-04, OAuth2-created accounts get a strong
/// RANDOM password (never the provider `sub`) — they sign in via the
/// provider, and the random secret just satisfies the NOT NULL column.
/// Google has already verified the email, so we mark it verified.
async fn upsert_with_oauth(
db: &DatabaseConnection,
profile: &OAuth2UserProfile,
) -> ModelResult<Self> {
let txn = db.begin().await?;
let user = match users::Entity::find()
.filter(users::Column::Email.eq(&profile.email))
.one(&txn)
.await?
{
Some(user) => user,
None => {
let password = PasswordGenerator::new()
.length(16)
.numbers(true)
.lowercase_letters(true)
.uppercase_letters(true)
.symbols(true)
.exclude_similar_characters(true)
.strict(true)
.generate_one()
.map_err(|e| ModelError::Any(e.into()))?;
let password_hash =
hash::hash_password(&password).map_err(|e| ModelError::Any(e.into()))?;
users::ActiveModel {
email: ActiveValue::set(profile.email.to_string()),
name: ActiveValue::set(profile.name.to_string()),
email_verified_at: ActiveValue::set(Some(Local::now().into())),
password: ActiveValue::set(password_hash),
..Default::default()
}
.insert(&txn)
.await
.map_err(|e| {
tracing::error!(error = %e, "failed to create OAuth2 user");
ModelError::Any(e.into())
})?
}
};
txn.commit().await?;
Ok(user)
}
/// Required by the trait; mirrors the inherent [`Model::generate_jwt`]
/// (inlined to avoid the inherent/trait name clash).
fn generate_jwt(&self, secret: &str, expiration: &u64) -> ModelResult<String> {
jwt::JWT::new(secret)
.generate_token(*expiration, self.pid.to_string(), Map::new())
.map_err(ModelError::from)
}
}