feat: improve dependencies

2026-04-10 23:09:43 +02:00
parent 61347de7d0
commit 559f36224e
6 changed files with 1961 additions and 455 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -5,11 +5,15 @@ edition = "2024"

 [dependencies]
 axum = "0.8"
-askama = "0.12"
+askama = "0.15"
+axum-sessions = "0.6"
+async-session = "3.0"
+oauth2 = "5.0"
+reqwest = { version = "0.13", features = ["json"] }

-sqlx = { version = "0.7", features = ["runtime-tokio", "sqlite", "macros"] }
+sqlx = { version = "0.8", features = ["runtime-tokio", "sqlite", "macros"] }
 tokio = { version = "1.0", features = ["full"] }
-thiserror = "1.0"
+thiserror = "2.0"
 anyhow = "1.0"
 serde = { version = "1.0", features = ["derive"] }
-tower-http = { version = "0.5", features = ["fs", "cors"] }
+tower-http = { version = "0.6", features = ["fs", "cors"] }
--- a/src/handlers.rs
+++ b/src/handlers.rs
@@ -1,7 +1,9 @@
-use axum::response::Html;
 use askama::Template;
-use sqlx::SqlitePool;
-use axum::{extract::State, Form};
+use axum::response::{Html, Redirect};
+use axum::{Form, extract::Query, extract::State};
+use axum_sessions::extractors::{ReadableSession, WritableSession};
+use oauth2::{AuthorizationCode, CsrfToken, PkceCodeChallenge, PkceCodeVerifier, Scope};
+use reqwest::Client;
 use serde::Deserialize;

 #[derive(Template)]
@@ -10,32 +12,168 @@ pub struct IndexTemplate {
    pub weights: Vec<super::models::Weight>,
 }

-#[derive(Template)]
-#[template(path = "input.html")]
-pub struct InputTemplate;
-
 #[derive(Deserialize)]
 pub struct WeightForm {
    date: String,
    weight: f64,
 }

-pub async fn index(State(pool): State<SqlitePool>) -> Html<String> {
-    let weights = super::models::get_all_weights(&pool).await.unwrap_or_default();
+pub async fn index(State(state): State<crate::AppState>) -> Html<String> {
+    let weights = super::models::get_all_weights(&state.pool)
+        .await
+        .unwrap_or_default();
    let template = IndexTemplate { weights };
    Html(template.render().unwrap())
 }

-pub async fn input_get() -> Html<String> {
-    let template = InputTemplate;
-    Html(template.render().unwrap())
+pub async fn login(State(state): State<crate::AppState>, mut session: WritableSession) -> Redirect {
+    // Generate PKCE challenge
+    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+
+    // Generate the authorization URL
+    let (auth_url, csrf_token) = state
+        .oidc_client
+        .authorize_url(CsrfToken::new_random)
+        .add_scope(Scope::new("openid".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .set_pkce_challenge(pkce_challenge)
+        .url();
+
+    // Store the CSRF token and PKCE verifier in the session
+    session
+        .insert("csrf_token", csrf_token.secret().clone())
+        .unwrap();
+    session
+        .insert("pkce_verifier", pkce_verifier.secret().clone())
+        .unwrap();
+
+    Redirect::to(auth_url.as_str())
+}
+
+#[cfg(test)]
+pub async fn test_login(mut session: WritableSession) -> Redirect {
+    session.insert("user_id", "test-user").unwrap();
+    Redirect::to("/")
+}
+
+#[derive(Deserialize)]
+pub struct AuthCallbackQuery {
+    code: String,
+    state: String,
+}
+
+pub async fn callback(
+    State(state): State<crate::AppState>,
+    Query(query): Query<AuthCallbackQuery>,
+    mut session: WritableSession,
+) -> Redirect {
+    // Verify CSRF token
+    if let Some(stored_csrf) = session.get::<String>("csrf_token") {
+        if stored_csrf != query.state {
+            return Redirect::to("/?error=invalid_state");
+        }
+    } else {
+        return Redirect::to("/?error=no_state");
+    }
+
+    // Get PKCE verifier
+    let pkce_verifier = if let Some(verifier) = session.get::<String>("pkce_verifier") {
+        PkceCodeVerifier::new(verifier)
+    } else {
+        return Redirect::to("/?error=no_verifier");
+    };
+
+    // Exchange code for token
+    let token_result = state
+        .oidc_client
+        .exchange_code(AuthorizationCode::new(query.code))
+        .set_pkce_verifier(pkce_verifier)
+        .request_async(async_http_client)
+        .await;
+
+    match token_result {
+        Ok(token) => {
+            // For OIDC, the ID token contains user info
+            if let Some(id_token) = token.id_token() {
+                // Decode ID token (simplified, in practice you'd verify signature)
+                // For now, assume it's valid and extract sub as user_id
+                let claims = id_token.payload().clone();
+                if let Some(sub) = claims.subject() {
+                    session.insert("user_id", sub.to_string()).unwrap();
+                    Redirect::to("/")
+                } else {
+                    Redirect::to("/?error=no_subject")
+                }
+            } else {
+                Redirect::to("/?error=no_id_token")
+            }
+        }
+        Err(_) => Redirect::to("/?error=token_exchange_failed"),
+    }
+}
+
+// Async HTTP client for oauth2
+async fn async_http_client(
+    request: oauth2::HttpRequest,
+) -> Result<oauth2::HttpResponse, reqwest::Error> {
+    let client = Client::new();
+    let method_str = request.method.as_str();
+    let method = reqwest::Method::from_bytes(method_str.as_bytes()).unwrap();
+    let mut req_builder = client.request(method, request.url);
+
+    for (name, value) in request.headers {
+        let Some(header_name_str) = name.and_then(|f| Some(f.as_str().clone())) else {
+            continue;
+        };
+        let header_name =
+            reqwest::header::HeaderName::from_bytes(header_name_str.as_bytes()).unwrap();
+        let header_value = reqwest::header::HeaderValue::from_bytes(value.as_bytes()).unwrap();
+        req_builder = req_builder.header(header_name, header_value);
+    }
+
+    let response = req_builder.body(request.body).send().await?;
+    let status_code = response.status().as_u16();
+    let headers = response.headers().clone();
+    let body = response.bytes().await?;
+
+    // Convert headers
+    let mut oauth_headers = oauth2::http::HeaderMap::new();
+    for (k, v) in headers.iter() {
+        let name = oauth2::http::HeaderName::from_bytes(k.as_str().as_bytes()).unwrap();
+        let value = oauth2::http::HeaderValue::from_bytes(v.as_bytes()).unwrap();
+        oauth_headers.insert(name, value);
+    }
+
+    Ok(oauth2::HttpResponse {
+        status_code: oauth2::http::StatusCode::from_u16(status_code).unwrap(),
+        headers: oauth_headers,
+        body: body.to_vec(),
+    })
 }

 pub async fn input_post(
-    State(pool): State<SqlitePool>,
+    State(state): State<crate::AppState>,
+    session: ReadableSession,
    Form(form): Form<WeightForm>,
-) -> Html<String> {
-    let user_id = "test_user"; // TODO: Implement OIDC to get real user_id
-    super::models::insert_weight(&pool, user_id, &form.date, form.weight).await.unwrap();
-    Html("<p>Weight added successfully!</p>".to_string())
+) -> Result<Html<String>, Redirect> {
+    // Check if user is authenticated
+    if let Some(user_id) = session.get::<String>("user_id") {
+        super::models::insert_weight(&state.pool, &user_id, &form.date, form.weight)
+            .await
+            .unwrap();
+        let weights = super::models::get_all_weights(&state.pool)
+            .await
+            .unwrap_or_default();
+        let mut html = String::new();
+        for weight in weights {
+            html.push_str(&format!(
+                "<p>{}: {} kg by {}</p>\n",
+                weight.date, weight.weight, weight.user_id
+            ));
+        }
+        Ok(Html(html))
+    } else {
+        // Redirect to login if not authenticated
+        Err(Redirect::to("/auth/login"))
+    }
 }
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,2 +1,33 @@
 pub mod handlers;
 pub mod models;
+
+use axum::{routing::{get, post}, Router};
+use axum_sessions::{async_session::MemoryStore, SessionLayer};
+use oauth2::basic::BasicClient;
+use sqlx::SqlitePool;
+use tower_http::services::ServeDir;
+
+#[derive(Clone)]
+pub struct AppState {
+    pub pool: SqlitePool,
+    pub oidc_client: BasicClient,
+}
+
+pub fn create_app(state: AppState, session_secret: Vec<u8>) -> Router {
+    let store = MemoryStore::new();
+    let session_layer = SessionLayer::new(store, &session_secret).with_secure(false);
+
+    let app = Router::new()
+        .route("/", get(handlers::index))
+        .route("/auth/login", get(handlers::login))
+        .route("/auth/callback", get(handlers::callback))
+        .route("/input", post(handlers::input_post))
+        .with_state(state)
+        .layer(session_layer)
+        .nest_service("/static", ServeDir::new("static"));
+
+    #[cfg(test)]
+    let app = app.route("/test/login", get(handlers::test_login));
+
+    app
+}
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,9 +1,7 @@
-use axum::{
-    routing::get,
-    Router,
-};
-use tower_http::services::ServeDir;
+use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, RedirectUrl, TokenUrl};
 use sqlx::SqlitePool;
+use std::env;
+use weight_tracker::{create_app, AppState};

 #[tokio::main]
 async fn main() {
@@ -11,14 +9,25 @@ async fn main() {
    let database_url = "sqlite:weight_tracker.db";
    let pool = SqlitePool::connect(database_url).await.expect("Failed to connect to database");

-    // build our application with a route
-    let app = Router::new()
-        .route("/", get(weight_tracker::handlers::index))
-        .route("/input", get(weight_tracker::handlers::input_get).post(weight_tracker::handlers::input_post))
-        .with_state(pool)
-        .nest_service("/static", ServeDir::new("static"));
+    // Set up OIDC client
+    let client_id = ClientId::new(env::var("OIDC_CLIENT_ID").unwrap_or_else(|_| "your_client_id".to_string()));
+    let client_secret = ClientSecret::new(env::var("OIDC_CLIENT_SECRET").unwrap_or_else(|_| "your_client_secret".to_string()));
+    let auth_url = AuthUrl::new(env::var("OIDC_AUTH_URL").unwrap_or_else(|_| "https://your-provider.com/auth".to_string())).unwrap();
+    let token_url = TokenUrl::new(env::var("OIDC_TOKEN_URL").unwrap_or_else(|_| "https://your-provider.com/token".to_string())).unwrap();
+    let redirect_url = RedirectUrl::new("http://localhost:3000/auth/callback".to_string()).unwrap();
+
+    let oidc_client = BasicClient::new(client_id, Some(client_secret), auth_url, Some(token_url))
+        .set_redirect_uri(redirect_url);
+
+    let secret = env::var("SESSION_SECRET").unwrap_or_else(|_| "your_secret_key".to_string()).as_bytes().to_vec();
+
+    let app_state = AppState {
+        pool,
+        oidc_client,
+    };
+
+    let app = create_app(app_state, secret);

-    // run it
    let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
        .await
        .unwrap();
--- a/templates/index.html
+++ b/templates/index.html
@@ -12,6 +12,16 @@
        <p>{{ weight.date }}: {{ weight.weight }} kg by {{ weight.user_id }}</p>
        {% endfor %}
    </div>
-    <a href="/input">Add Weight</a>
+    <button onclick="document.getElementById('inputDialog').showModal()">Add Weight</button>
+    <dialog id="inputDialog">
+        <h1>Add Weight</h1>
+        <form hx-post="/input" hx-target="#weights" hx-swap="innerHTML" hx-on:htmx:after-request="document.getElementById('inputDialog').close()">
+            <label for="date">Date:</label>
+            <input type="date" id="date" name="date" required><br>
+            <label for="weight">Weight (kg):</label>
+            <input type="number" step="0.1" id="weight" name="weight" required><br>
+            <button type="submit">Submit</button>
+        </form>
+    </dialog>
 </body>
 </html>