feat(auth): stabilize v1 auth infrastructure #275
Merged
Replaces todo!() in get_devices handler with full implementation that lists active sessions for the authenticated user from the session store.
- Add last_active_at field to Session and Device structs
- Add get_sessions_for_user() to SessionManager (skips expired sessions)
- Handler validates bearer token, fetches user sessions, marks is_current
Adds a nullable registered_via VARCHAR(32) column to the users table. Existing and seeded rows remain NULL; newly invited users will be set to 'invitation' once the invite flow is implemented (td-cde837).
- Migration: m20250302_000000_add_registered_via
- Entity, model, service, auth, and GraphQL User types updated
Map sea_orm UniqueConstraintViolation errors from concurrent duplicate registrations to RegisterError::UserAlreadyExists (409 Conflict) instead of propagating them as unexpected 500 errors.
Remove EmailService placeholder, account_verified login gate, and all related TODOs/stubs. Password reset token generation is preserved but no longer attempts email delivery.
- Add Redis/in-memory rate limit storage with fixed-window counter
- Apply per-IP rate limiting: login (10/min), register (10/min)
- Apply per-email + per-IP rate limiting: password-reset-request (5/min)
- Return 429 with Retry-After header when limit exceeded
- Check failed_login_attempts and lock account after 10 failures (423)
- Add MAX_FAILED_LOGIN_ATTEMPTS and RATE_LIMIT_* constants
…ructure
- Rewrite all integration tests from axum to salvo TestClient API
- Fix common/mod.rs setup to use proper Valkey containers
- Add get_router_with_state() to lib.rs for test convenience
- Tests cover: register, login, token lifecycle, profile, password reset
- Fix missing Scope import in token service unit tests
- Add get_password_reset_token_by_email service query for test use
…om request
- Add totp_issuer to AuthConfig and ServerConfig, sourced from TOTP_ISSUER env var
- Update TotpService to use issuer from config instead of hardcoded constant
- Accept optional 'name' field in passkey finish_registration request body
- Update get_auth_issuer() to read from PIXLES_ISSUER env var
- Add token storage utilities (localStorage) in auth.ts
- Add typed API client with auto-refresh and 401 redirect in api.ts
- Add AuthProvider React context with TanStack Query for profile fetching
- Schedule proactive token refresh 60s before expiry
- Wrap root route with AuthProvider and QueryClientProvider
- Wire login form to POST /v1/auth/login with loading/error states
- Handle MFA_required response: show inline TOTP verification step
- Store received tokens via auth context and redirect to /photos
- Add AuthGuard component in root layout: redirects unauthenticated users to /login and suppresses protected content during auth check
- Redirect already-authenticated users away from /login to /photos
- Add WebAuthn browser API helpers with base64url<->ArrayBuffer conversion
- Add passkey login button to login page with full WebAuthn flow
- Add TotpEnroll component: shows QR code from provisioning_uri, confirms enrollment with a 6-digit code
- Add PasskeyRegister component: triggers browser credential creation and sends result to the API
- Install react-qr-code for TOTP enrollment QR display
- Add /forgot-password page: email form calls password-reset-request, shows confirmation without revealing if email exists
- Add /reset-password page: reads token from ?token= search param, validates and submits new password, shows success with login link
- Register both routes in routeTree.gen.ts
- Both routes are public (no auth required) per AuthGuard PUBLIC_PATHS
- Update Header: show user avatar with real name/email, working logout, links to /settings and /settings/security; Sign in button when logged out
- Add /settings page: edit username/email and change password via API
- Add /settings/security page:
  - Active sessions list from GET /auth/devices
  - TOTP enrollment and disable (with code verification)
  - Passkey management: list, delete, and add new passkeys
- Register new routes in routeTree.gen.ts
…S env var
Replace wildcard allow_origin("*") in auth and upload servers with
configurable origins loaded from ALLOWED_ORIGINS (comma-separated).
Defaults to ["*"] in debug builds and [] (deny all cross-origin) in
release builds. Both AuthConfig and UploadServerConfig now carry
allowed_origins from ServerConfig/environment.
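As an added illustration of the ALLOWED_ORIGINS behaviour described in this commit (this is example code, not the project's own implementation): the function parses the comma-separated value, falls back to `["*"]` only for debug builds and to an empty deny-all list otherwise, and a second helper shows how a request Origin is checked against the result. The function names and the `debug_build` parameter (standing in for `cfg!(debug_assertions)`) are assumptions.

```rust
/// Build the CORS allow-list from the ALLOWED_ORIGINS value.
/// `raw` is the variable's content (None when unset); `debug_build`
/// mirrors cfg!(debug_assertions) so the fallback can be unit-tested.
pub fn parse_allowed_origins(raw: Option<&str>, debug_build: bool) -> Vec<String> {
    match raw {
        // Set: split on commas, trim whitespace, drop empty entries.
        // An explicitly empty value therefore means "deny all".
        Some(value) => value
            .split(',')
            .map(str::trim)
            .filter(|s| !s.is_empty())
            .map(String::from)
            .collect(),
        // Unset: permissive in debug builds, deny all cross-origin in release.
        None if debug_build => vec!["*".to_string()],
        None => Vec::new(),
    }
}

/// Decide whether a request's Origin header is allowed under the list.
/// Only an exact match or the "*" wildcard passes; no prefix matching.
pub fn origin_allowed(allowed: &[String], origin: &str) -> bool {
    allowed.iter().any(|a| a == "*" || a == origin)
}
```

The exact-match check matters in practice: matching on a prefix such as `https://app.example.com` would also admit `https://app.example.com.attacker.example`, so the comparison is whole-string.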
…kout, TOTP, devices, and password-reset session revocation
- Add rate_limiting.rs: login/register (10 req/min) and password-reset (5 req/min per email+IP) with Retry-After header assertion
- Add account_lockout.rs: 10 DB-injected failures trigger 423 Locked; correct password still rejected; 9 failures do not lock; successful login resets counter
- Add totp.rs: full enrollment/verify-enrollment/disable/verify-login flows including max-attempt lockout (429) and provisioning-URI issuer check
- Add devices.rs: is_current flag correctness for single and multi-session scenarios; unauthenticated 401
- Add password_reset_sessions.rs: password reset revokes existing sessions; new login with reset password succeeds
- Fix totp-rs 5.7.0 API: TOTP::new now requires account_name and issuer arguments
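The rate-limiting commit above and the integration-test commit just listed describe the same two controls: a fixed-window per-IP counter that answers 429 with a Retry-After header, and an account lockout that returns 423 once `failed_login_attempts` reaches 10, rejects even the correct password while locked, and resets the counter on success. The following is an added example written to show those semantics together; it is not code from this PR or the project. It uses an in-memory map in place of the Redis store, compares passwords in plaintext purely for the demo (a real store holds a hash), and the type, function and constant names are assumptions, with the constant values taken from the commit message.

```rust
use std::collections::HashMap;

// Values from the commit message; the names are assumed.
pub const MAX_FAILED_LOGIN_ATTEMPTS: u32 = 10;
pub const RATE_LIMIT_LOGIN_PER_MIN: u32 = 10;
pub const RATE_LIMIT_WINDOW_SECS: u64 = 60;

/// One rate-limit decision; `retry_after_secs` feeds the Retry-After header.
#[derive(Debug, PartialEq)]
pub enum Limit {
    Allowed,
    Exceeded { retry_after_secs: u64 },
}

/// Fixed-window counter: key -> (window start, hits). In-memory stand-in
/// for the Redis storage; keys look like "login:ip:10.0.0.1".
pub struct FixedWindowLimiter {
    limit: u32,
    window_secs: u64,
    counters: HashMap<String, (u64, u32)>,
}

impl FixedWindowLimiter {
    pub fn new(limit: u32, window_secs: u64) -> Self {
        FixedWindowLimiter { limit, window_secs, counters: HashMap::new() }
    }

    /// Count one request for `key` at unix time `now`. Windows are aligned to
    /// multiples of `window_secs`, so the counter resets at each boundary.
    pub fn hit(&mut self, key: &str, now: u64) -> Limit {
        let window_start = now - now % self.window_secs;
        let entry = self.counters.entry(key.to_string()).or_insert((window_start, 0));
        if entry.0 != window_start {
            *entry = (window_start, 0); // clock crossed into a new window
        }
        if entry.1 >= self.limit {
            // Seconds left in the current window; always >= 1.
            return Limit::Exceeded { retry_after_secs: window_start + self.window_secs - now };
        }
        entry.1 += 1;
        Limit::Allowed
    }
}

/// HTTP outcome of a login attempt.
#[derive(Debug, PartialEq)]
pub enum LoginOutcome {
    Ok,               // 200
    BadCredentials,   // 401
    Locked,           // 423 Locked
    RateLimited(u64), // 429 with Retry-After seconds
}

struct Account {
    password: String, // demo only; real code stores a password hash
    failed_login_attempts: u32,
}

pub struct LoginService {
    ip_limiter: FixedWindowLimiter,
    accounts: HashMap<String, Account>,
}

impl LoginService {
    pub fn new() -> Self {
        LoginService {
            ip_limiter: FixedWindowLimiter::new(RATE_LIMIT_LOGIN_PER_MIN, RATE_LIMIT_WINDOW_SECS),
            accounts: HashMap::new(),
        }
    }

    /// Insert a user with a preset failure counter, the way the integration
    /// tests inject failed_login_attempts directly into the DB.
    pub fn seed_account(&mut self, email: &str, password: &str, failed_login_attempts: u32) {
        let account = Account { password: password.to_string(), failed_login_attempts };
        self.accounts.insert(email.to_string(), account);
    }

    pub fn failed_attempts(&self, email: &str) -> Option<u32> {
        self.accounts.get(email).map(|a| a.failed_login_attempts)
    }

    pub fn login(&mut self, ip: &str, email: &str, password: &str, now: u64) -> LoginOutcome {
        // Per-IP limit first: cheap, and it runs before any DB lookup.
        if let Limit::Exceeded { retry_after_secs } = self.ip_limiter.hit(&format!("login:ip:{}", ip), now) {
            return LoginOutcome::RateLimited(retry_after_secs);
        }
        let account = match self.accounts.get_mut(email) {
            Some(a) => a,
            None => return LoginOutcome::BadCredentials,
        };
        // A locked account rejects even the correct password.
        if account.failed_login_attempts >= MAX_FAILED_LOGIN_ATTEMPTS {
            return LoginOutcome::Locked;
        }
        if account.password == password {
            account.failed_login_attempts = 0; // success resets the counter
            LoginOutcome::Ok
        } else {
            account.failed_login_attempts += 1;
            LoginOutcome::BadCredentials
        }
    }
}
```

Two properties worth keeping in mind when porting this to a shared store: the fixed window allows up to twice the nominal rate across a boundary (10 hits at the end of one window and 10 at the start of the next), which is acceptable for a login endpoint but is why the per-email password-reset limit is also keyed per IP; and the lockout counter lives with the account, not the IP, so it cannot be evaded by rotating addresses, which is exactly what the 423 check is for.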
Summary
This branch establishes the foundational scaffolding for the v1 auth stabilization epic (td-ee007c), setting up the sidecar/task management tooling and agent context needed to coordinate the full auth hardening effort.
Changes
- .gitignore
- AGENTS.md with mandatory task management instructions for AI agents
- CLAUDE.md to AGENTS.md for consistent agent context
Epic: Stabilize v1 Auth (td-ee007c)
This PR is part of the Stabilize v1 Auth epic, which encompasses the following work items:
- td-c6d924
- td-fe6be1
- td-fbd167
- td-fb8bc9
- td-b7633d
- td-b755cc
- td-076d43
- td-a78578
- td-8e557d
- td-ddf45d
- td-a04093
- td-22772d
- td-2999a5
Test plan
TBD