intial login stuff

2026-05-02 11:01:47 +02:00 · 2026-05-02 11:01:47 +02:00 · f1ddaf5f2d
commit f1ddaf5f2d
parent 07c3da2b71
6 changed files with 44 additions and 10 deletions
--- a/http_client/rhythm/base
+++ b/http_client/rhythm/base
--- a/http_client/rhythm/environments/test.yml
+++ b/http_client/rhythm/environments/test.yml
--- a/http_client/rhythm/opencollection.yml
+++ b/http_client/rhythm/opencollection.yml
--- a/http_client/rhythm/register.yml
+++ b/http_client/rhythm/register.yml
--- a/http_client/rhythm/.gitignore
+++ b/http_client/rhythm/.gitignore
@ -1,9 +0,0 @@
-# Secrets
-.env*
-
-# Dependencies
-node_modules
-
-# OS files
-.DS_Store
-Thumbs.db
--- a/src/service/auth_service.rs
+++ b/src/service/auth_service.rs
@ -14,12 +14,55 @@ use crate::utils::hash;
 use crate::utils::jwt::generate_access_token;
 use crate::utils::refresh_token::generate_refresh_token;

+const MIN_DELAY_MS: u64 = 150;
+const MAX_DELAY_MS: u64 = 300;
+
+/**
+This function role is to parse the email and password from the request and validate the user to give
+back in the happy path the access token (jwt) and the refresh token (opaque token).
+
+An anti enumeration mechanism is in place to have a variable deplay in ms for every case of user authentication (error or happy validation).
+TODO: add a bucket strategy for rate limiting for all of this endpoints
+*/
 pub async fn login(
    state: &AppState,
    cookies: Cookies,
    req: LoginRequest,
 ) -> Result<Json<AuthResponse>, AppError> {
-    todo!()
+    let start = Instant::now();
+    let login_result: Result<(String, String), AppError> = async {
+        let mut tx = state.db.begin().await?;
+
+        let user = user_repository::get_user_by_email(&mut *tx, &req.email)
+            .await?
+            .ok_or(AppError::InvalidCredentials)?;
+        if !hash::verify(&req.password, &user.password)? {
+            return Err(AppError::InvalidCredentials);
+        }
+        let access_token = generate_access_token(user.id, &state.jwt_secret)?;
+        let (refresh_plain, refresh_hash) = generate_refresh_token();
+        let expires_at = chrono::Utc::now() + Duration::days(7);
+
+        create_refresh_token(&mut *tx, user.id, refresh_hash, expires_at).await?;
+        tx.commit().await?;
+        Ok((access_token, refresh_plain))
+    }
+    .await;
+
+    anti_enumeration_delay(start, MIN_DELAY_MS, MAX_DELAY_MS).await;
+
+    return match login_result {
+        Ok((access_token, refresh_token)) => {
+            set_refresh_cookie(&cookies, &refresh_token);
+            Ok(Json(AuthResponse { access_token }))
+        }
+        Err(e) => {
+            if let AppError::InvalidCredentials = e {
+                tracing::warn!("Invalid login attempt for {}", req.email);
+            }
+            Err(e)
+        }
+    };
 }
 pub async fn register(
    state: &AppState,