removing rbac cos its not needed at all

2026-05-17 14:58:13 +02:00
parent 35f0e7af00
commit 0bfd2f8674
17 changed files with 219 additions and 65 deletions
--- a/src/controllers/auth.rs
+++ b/src/controllers/auth.rs
@@ -6,12 +6,15 @@ use crate::{
    },
    views::auth::{CurrentResponse, LoginResponse},
 };
+use axum_extra::extract::cookie::{Cookie, SameSite};
 use loco_rs::prelude::*;
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 use std::sync::OnceLock;
+use time::Duration as TimeDuration;

 pub static EMAIL_DOMAIN_RE: OnceLock<Regex> = OnceLock::new();
+const AUTH_COOKIE: &str = "auth_token";

 fn get_allow_email_domain_re() -> &'static Regex {
    EMAIL_DOMAIN_RE.get_or_init(|| {
@@ -19,6 +22,36 @@ fn get_allow_email_domain_re() -> &'static Regex {
    })
 }

+fn admin_email(ctx: &AppContext) -> Option<&str> {
+    ctx.config
+        .settings
+        .as_ref()
+        .and_then(|settings| settings.get("admin_email"))
+        .and_then(|email| email.as_str())
+}
+
+fn is_admin(ctx: &AppContext, user: &users::Model) -> bool {
+    admin_email(ctx).is_some_and(|email| user.email.eq_ignore_ascii_case(email))
+}
+
+fn auth_cookie(token: &str, max_age_seconds: u64) -> Cookie<'static> {
+    Cookie::build((AUTH_COOKIE, token.to_string()))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(max_age_seconds as i64))
+        .build()
+}
+
+fn clear_auth_cookie() -> Cookie<'static> {
+    Cookie::build((AUTH_COOKIE, ""))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(0))
+        .build()
+}
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct ForgotParams {
    pub email: String,
@@ -155,13 +188,20 @@ async fn login(State(ctx): State<AppContext>, Json(params): Json<LoginParams>) -
        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
        .or_else(|_| unauthorized("unauthorized!"))?;

-    format::json(LoginResponse::new(&user, &token))
+    format::render()
+        .cookies(&[auth_cookie(&token, jwt_secret.expiration)])?
+        .json(LoginResponse::new(&user, &token, is_admin(&ctx, &user)))
 }

 #[debug_handler]
 async fn current(auth: auth::JWT, State(ctx): State<AppContext>) -> Result<Response> {
    let user = users::Model::find_by_pid(&ctx.db, &auth.claims.pid).await?;
-    format::json(CurrentResponse::new(&user))
+    format::json(CurrentResponse::new(&user, is_admin(&ctx, &user)))
+}
+
+#[debug_handler]
+async fn logout() -> Result<Response> {
+    format::render().cookies(&[clear_auth_cookie()])?.json(())
 }

 /// Magic link authentication provides a secure and passwordless way to log in to the application.
@@ -223,7 +263,9 @@ async fn magic_link_verify(
        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
        .or_else(|_| unauthorized("unauthorized!"))?;

-    format::json(LoginResponse::new(&user, &token))
+    format::render()
+        .cookies(&[auth_cookie(&token, jwt_secret.expiration)])?
+        .json(LoginResponse::new(&user, &token, is_admin(&ctx, &user)))
 }

 #[debug_handler]
@@ -264,6 +306,7 @@ pub fn routes() -> Routes {
        .add("/register", post(register))
        .add("/verify/{token}", get(verify))
        .add("/login", post(login))
+        .add("/logout", post(logout))
        .add("/forgot", post(forgot))
        .add("/reset", post(reset))
        .add("/current", get(current))