feat: improve dependencies

Cargo.toml

@@ -5,11 +5,15 @@ edition = "2024"
 
 [dependencies]
 axum = "0.8"
-askama = "0.12"
+askama = "0.15"
+axum-sessions = "0.6"
+async-session = "3.0"
+oauth2 = "5.0"
+reqwest = { version = "0.13", features = ["json"] }
 
-sqlx = { version = "0.7", features = ["runtime-tokio", "sqlite", "macros"] }
+sqlx = { version = "0.8", features = ["runtime-tokio", "sqlite", "macros"] }
 tokio = { version = "1.0", features = ["full"] }
-thiserror = "1.0"
+thiserror = "2.0"
 anyhow = "1.0"
 serde = { version = "1.0", features = ["derive"] }
-tower-http = { version = "0.5", features = ["fs", "cors"] }
+tower-http = { version = "0.6", features = ["fs", "cors"] }

src/handlers.rs

@@ -1,7 +1,9 @@
-use axum::response::Html;
 use askama::Template;
-use sqlx::SqlitePool;
+use axum::response::{Html, Redirect};
-use axum::{extract::State, Form};
+use axum::{Form, extract::Query, extract::State};
+use axum_sessions::extractors::{ReadableSession, WritableSession};
+use oauth2::{AuthorizationCode, CsrfToken, PkceCodeChallenge, PkceCodeVerifier, Scope};
+use reqwest::Client;
 use serde::Deserialize;
 
 #[derive(Template)]
@@ -10,32 +12,168 @@ pub struct IndexTemplate {
     pub weights: Vec<super::models::Weight>,
 }
 
-#[derive(Template)]
-#[template(path = "input.html")]
-pub struct InputTemplate;
-
 #[derive(Deserialize)]
 pub struct WeightForm {
     date: String,
     weight: f64,
 }
 
-pub async fn index(State(pool): State<SqlitePool>) -> Html<String> {
+pub async fn index(State(state): State<crate::AppState>) -> Html<String> {
-    let weights = super::models::get_all_weights(&pool).await.unwrap_or_default();
+    let weights = super::models::get_all_weights(&state.pool)
+        .await
+        .unwrap_or_default();
     let template = IndexTemplate { weights };
     Html(template.render().unwrap())
 }
 
-pub async fn input_get() -> Html<String> {
+pub async fn login(State(state): State<crate::AppState>, mut session: WritableSession) -> Redirect {
-    let template = InputTemplate;
+    // Generate PKCE challenge
-    Html(template.render().unwrap())
+    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+
+    // Generate the authorization URL
+    let (auth_url, csrf_token) = state
+        .oidc_client
+        .authorize_url(CsrfToken::new_random)
+        .add_scope(Scope::new("openid".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .set_pkce_challenge(pkce_challenge)
+        .url();
+
+    // Store the CSRF token and PKCE verifier in the session
+    session
+        .insert("csrf_token", csrf_token.secret().clone())
+        .unwrap();
+    session
+        .insert("pkce_verifier", pkce_verifier.secret().clone())
+        .unwrap();
+
+    Redirect::to(auth_url.as_str())
+}
+
+#[cfg(test)]
+pub async fn test_login(mut session: WritableSession) -> Redirect {
+    session.insert("user_id", "test-user").unwrap();
+    Redirect::to("/")
+}
+
+#[derive(Deserialize)]
+pub struct AuthCallbackQuery {
+    code: String,
+    state: String,
+}
+
+pub async fn callback(
+    State(state): State<crate::AppState>,
+    Query(query): Query<AuthCallbackQuery>,
+    mut session: WritableSession,
+) -> Redirect {
+    // Verify CSRF token
+    if let Some(stored_csrf) = session.get::<String>("csrf_token") {
+        if stored_csrf != query.state {
+            return Redirect::to("/?error=invalid_state");
+        }
+    } else {
+        return Redirect::to("/?error=no_state");
+    }
+
+    // Get PKCE verifier
+    let pkce_verifier = if let Some(verifier) = session.get::<String>("pkce_verifier") {
+        PkceCodeVerifier::new(verifier)
+    } else {
+        return Redirect::to("/?error=no_verifier");
+    };
+
+    // Exchange code for token
+    let token_result = state
+        .oidc_client
+        .exchange_code(AuthorizationCode::new(query.code))
+        .set_pkce_verifier(pkce_verifier)
+        .request_async(async_http_client)
+        .await;
+
+    match token_result {
+        Ok(token) => {
+            // For OIDC, the ID token contains user info
+            if let Some(id_token) = token.id_token() {
+                // Decode ID token (simplified, in practice you'd verify signature)
+                // For now, assume it's valid and extract sub as user_id
+                let claims = id_token.payload().clone();
+                if let Some(sub) = claims.subject() {
+                    session.insert("user_id", sub.to_string()).unwrap();
+                    Redirect::to("/")
+                } else {
+                    Redirect::to("/?error=no_subject")
+                }
+            } else {
+                Redirect::to("/?error=no_id_token")
+            }
+        }
+        Err(_) => Redirect::to("/?error=token_exchange_failed"),
+    }
+}
+
+// Async HTTP client for oauth2
+async fn async_http_client(
+    request: oauth2::HttpRequest,
+) -> Result<oauth2::HttpResponse, reqwest::Error> {
+    let client = Client::new();
+    let method_str = request.method.as_str();
+    let method = reqwest::Method::from_bytes(method_str.as_bytes()).unwrap();
+    let mut req_builder = client.request(method, request.url);
+
+    for (name, value) in request.headers {
+        let Some(header_name_str) = name.and_then(|f| Some(f.as_str().clone())) else {
+            continue;
+        };
+        let header_name =
+            reqwest::header::HeaderName::from_bytes(header_name_str.as_bytes()).unwrap();
+        let header_value = reqwest::header::HeaderValue::from_bytes(value.as_bytes()).unwrap();
+        req_builder = req_builder.header(header_name, header_value);
+    }
+
+    let response = req_builder.body(request.body).send().await?;
+    let status_code = response.status().as_u16();
+    let headers = response.headers().clone();
+    let body = response.bytes().await?;
+
+    // Convert headers
+    let mut oauth_headers = oauth2::http::HeaderMap::new();
+    for (k, v) in headers.iter() {
+        let name = oauth2::http::HeaderName::from_bytes(k.as_str().as_bytes()).unwrap();
+        let value = oauth2::http::HeaderValue::from_bytes(v.as_bytes()).unwrap();
+        oauth_headers.insert(name, value);
+    }
+
+    Ok(oauth2::HttpResponse {
+        status_code: oauth2::http::StatusCode::from_u16(status_code).unwrap(),
+        headers: oauth_headers,
+        body: body.to_vec(),
+    })
 }
 
 pub async fn input_post(
-    State(pool): State<SqlitePool>,
+    State(state): State<crate::AppState>,
+    session: ReadableSession,
     Form(form): Form<WeightForm>,
-) -> Html<String> {
+) -> Result<Html<String>, Redirect> {
-    let user_id = "test_user"; // TODO: Implement OIDC to get real user_id
+    // Check if user is authenticated
-    super::models::insert_weight(&pool, user_id, &form.date, form.weight).await.unwrap();
+    if let Some(user_id) = session.get::<String>("user_id") {
-    Html("<p>Weight added successfully!</p>".to_string())
+        super::models::insert_weight(&state.pool, &user_id, &form.date, form.weight)
+            .await
+            .unwrap();
+        let weights = super::models::get_all_weights(&state.pool)
+            .await
+            .unwrap_or_default();
+        let mut html = String::new();
+        for weight in weights {
+            html.push_str(&format!(
+                "<p>{}: {} kg by {}</p>\n",
+                weight.date, weight.weight, weight.user_id
+            ));
+        }
+        Ok(Html(html))
+    } else {
+        // Redirect to login if not authenticated
+        Err(Redirect::to("/auth/login"))
+    }
 }

src/lib.rs

@@ -1,2 +1,33 @@
 pub mod handlers;
 pub mod models;
+
+use axum::{routing::{get, post}, Router};
+use axum_sessions::{async_session::MemoryStore, SessionLayer};
+use oauth2::basic::BasicClient;
+use sqlx::SqlitePool;
+use tower_http::services::ServeDir;
+
+#[derive(Clone)]
+pub struct AppState {
+    pub pool: SqlitePool,
+    pub oidc_client: BasicClient,
+}
+
+pub fn create_app(state: AppState, session_secret: Vec<u8>) -> Router {
+    let store = MemoryStore::new();
+    let session_layer = SessionLayer::new(store, &session_secret).with_secure(false);
+
+    let app = Router::new()
+        .route("/", get(handlers::index))
+        .route("/auth/login", get(handlers::login))
+        .route("/auth/callback", get(handlers::callback))
+        .route("/input", post(handlers::input_post))
+        .with_state(state)
+        .layer(session_layer)
+        .nest_service("/static", ServeDir::new("static"));
+
+    #[cfg(test)]
+    let app = app.route("/test/login", get(handlers::test_login));
+
+    app
+}

src/main.rs

@@ -1,9 +1,7 @@
-use axum::{
+use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, RedirectUrl, TokenUrl};
-    routing::get,
-    Router,
-};
-use tower_http::services::ServeDir;
 use sqlx::SqlitePool;
+use std::env;
+use weight_tracker::{create_app, AppState};
 
 #[tokio::main]
 async fn main() {
@@ -11,14 +9,25 @@ async fn main() {
     let database_url = "sqlite:weight_tracker.db";
     let pool = SqlitePool::connect(database_url).await.expect("Failed to connect to database");
 
-    // build our application with a route
+    // Set up OIDC client
-    let app = Router::new()
+    let client_id = ClientId::new(env::var("OIDC_CLIENT_ID").unwrap_or_else(|_| "your_client_id".to_string()));
-        .route("/", get(weight_tracker::handlers::index))
+    let client_secret = ClientSecret::new(env::var("OIDC_CLIENT_SECRET").unwrap_or_else(|_| "your_client_secret".to_string()));
-        .route("/input", get(weight_tracker::handlers::input_get).post(weight_tracker::handlers::input_post))
+    let auth_url = AuthUrl::new(env::var("OIDC_AUTH_URL").unwrap_or_else(|_| "https://your-provider.com/auth".to_string())).unwrap();
-        .with_state(pool)
+    let token_url = TokenUrl::new(env::var("OIDC_TOKEN_URL").unwrap_or_else(|_| "https://your-provider.com/token".to_string())).unwrap();
-        .nest_service("/static", ServeDir::new("static"));
+    let redirect_url = RedirectUrl::new("http://localhost:3000/auth/callback".to_string()).unwrap();
+
+    let oidc_client = BasicClient::new(client_id, Some(client_secret), auth_url, Some(token_url))
+        .set_redirect_uri(redirect_url);
+
+    let secret = env::var("SESSION_SECRET").unwrap_or_else(|_| "your_secret_key".to_string()).as_bytes().to_vec();
+
+    let app_state = AppState {
+        pool,
+        oidc_client,
+    };
+
+    let app = create_app(app_state, secret);
 
-    // run it
     let listener = tokio::net::TcpListener::bind("127.0.0.1:3000")
         .await
         .unwrap();

templates/index.html

@@ -12,6 +12,16 @@
         <p>{{ weight.date }}: {{ weight.weight }} kg by {{ weight.user_id }}</p>
         {% endfor %}
     </div>
-    <a href="/input">Add Weight</a>
+    <button onclick="document.getElementById('inputDialog').showModal()">Add Weight</button>
+    <dialog id="inputDialog">
+        <h1>Add Weight</h1>
+        <form hx-post="/input" hx-target="#weights" hx-swap="innerHTML" hx-on:htmx:after-request="document.getElementById('inputDialog').close()">
+            <label for="date">Date:</label>
+            <input type="date" id="date" name="date" required><br>
+            <label for="weight">Weight (kg):</label>
+            <input type="number" step="0.1" id="weight" name="weight" required><br>
+            <button type="submit">Submit</button>
+        </form>
+    </dialog>
 </body>
 </html>

tests/e2e.rs

@@ -0,0 +1,107 @@
+use axum::{body::Body, http::{header, Request, StatusCode}};
+use oauth2::{basic::BasicClient, AuthUrl, ClientId, ClientSecret, TokenUrl};
+use sqlx::SqlitePool;
+use tower::ServiceExt;
+use weight_tracker::{create_app, AppState};
+
+async fn make_app() -> axum::Router {
+    let pool = SqlitePool::connect("sqlite::memory:").await.unwrap();
+    sqlx::query(include_str!("../migrations/20260408203423_create_weights_table.sql"))
+        .execute(&pool)
+        .await
+        .unwrap();
+
+    let oidc_client = BasicClient::new(
+        ClientId::new("test-client".into()),
+        Some(ClientSecret::new("test-secret".into())),
+        AuthUrl::new("http://localhost/auth".into()).unwrap(),
+        Some(TokenUrl::new("http://localhost/token".into()).unwrap()),
+    );
+
+    let state = AppState { pool, oidc_client };
+    create_app(state, b"01234567890123456789012345678901".to_vec())
+}
+
+#[tokio::test]
+async fn index_returns_ok() {
+    let app = make_app().await;
+
+    let response = app
+        .oneshot(Request::builder().uri("/").body(Body::empty()).unwrap())
+        .await
+        .unwrap();
+
+    assert_eq!(response.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn auth_login_redirects_and_sets_cookie() {
+    let app = make_app().await;
+
+    let response = app
+        .oneshot(Request::builder().uri("/auth/login").body(Body::empty()).unwrap())
+        .await
+        .unwrap();
+
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert!(response.headers().get(header::LOCATION).is_some());
+    assert!(response.headers().get(header::SET_COOKIE).is_some());
+}
+
+#[tokio::test]
+async fn input_post_requires_authentication() {
+    let app = make_app().await;
+
+    let response = app
+        .oneshot(
+            Request::builder()
+                .method("POST")
+                .uri("/input")
+                .header(header::CONTENT_TYPE, "application/x-www-form-urlencoded")
+                .body(Body::from("date=2026-04-10&weight=80"))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(response.status(), StatusCode::FOUND);
+    assert_eq!(response.headers().get(header::LOCATION).unwrap(), "/auth/login");
+}
+
+#[tokio::test]
+async fn authenticated_input_post_stores_weight() {
+    let app = make_app().await;
+    let app_clone = app.clone();
+
+    let auth_response = app_clone
+        .oneshot(Request::builder().uri("/test/login").body(Body::empty()).unwrap())
+        .await
+        .unwrap();
+
+    assert_eq!(auth_response.status(), StatusCode::FOUND);
+    let cookie = auth_response
+        .headers()
+        .get(header::SET_COOKIE)
+        .unwrap()
+        .to_str()
+        .unwrap();
+
+    let response = app
+        .oneshot(
+            Request::builder()
+                .method("POST")
+                .uri("/input")
+                .header(header::CONTENT_TYPE, "application/x-www-form-urlencoded")
+                .header(header::COOKIE, cookie)
+                .body(Body::from("date=2026-04-10&weight=80"))
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+
+    assert_eq!(response.status(), StatusCode::OK);
+    let body_bytes = hyper::body::to_bytes(response.into_body()).await.unwrap();
+    let body_text = std::str::from_utf8(&body_bytes).unwrap();
+    assert!(body_text.contains("80 kg"));
+    assert!(body_text.contains("test-user"));
+}