init

src/auth/middleware.rs

@@ -0,0 +1,142 @@
+use axum::{
+    extract::{Request, State},
+    http::StatusCode,
+    middleware::Next,
+    response::Response,
+};
+use axum_extra::extract::CookieJar;
+use std::sync::Arc;
+
+use crate::state::AppState;
+
+/// Session cookie name
+pub const SESSION_COOKIE: &str = "one_kvm_session";
+
+/// Auth layer for extracting session from request
+#[derive(Clone)]
+pub struct AuthLayer;
+
+/// Extract session ID from request
+pub fn extract_session_id(cookies: &CookieJar, headers: &axum::http::HeaderMap) -> Option<String> {
+    // First try cookie
+    if let Some(cookie) = cookies.get(SESSION_COOKIE) {
+        return Some(cookie.value().to_string());
+    }
+
+    // Then try Authorization header (Bearer token)
+    if let Some(auth_header) = headers.get(axum::http::header::AUTHORIZATION) {
+        if let Ok(auth_str) = auth_header.to_str() {
+            if let Some(token) = auth_str.strip_prefix("Bearer ") {
+                return Some(token.to_string());
+            }
+        }
+    }
+
+    None
+}
+
+/// Authentication middleware
+pub async fn auth_middleware(
+    State(state): State<Arc<AppState>>,
+    cookies: CookieJar,
+    mut request: Request,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    // Check if system is initialized
+    if !state.config.is_initialized() {
+        // Allow access to setup endpoints when not initialized
+        let path = request.uri().path();
+        if path.starts_with("/api/setup") || path == "/api/info" || path.starts_with("/") && !path.starts_with("/api/") {
+            return Ok(next.run(request).await);
+        }
+    }
+
+    // Public endpoints that don't require auth
+    let path = request.uri().path();
+    if is_public_endpoint(path) {
+        return Ok(next.run(request).await);
+    }
+
+    // Extract session ID
+    let session_id = extract_session_id(&cookies, request.headers());
+
+    if let Some(session_id) = session_id {
+        if let Ok(Some(session)) = state.sessions.get(&session_id).await {
+            // Add session to request extensions
+            request.extensions_mut().insert(session);
+            return Ok(next.run(request).await);
+        }
+    }
+
+    Err(StatusCode::UNAUTHORIZED)
+}
+
+/// Check if endpoint is public (no auth required)
+fn is_public_endpoint(path: &str) -> bool {
+    // Note: paths here are relative to /api since middleware is applied before nest
+    matches!(
+        path,
+        "/"
+        | "/auth/login"
+        | "/info"
+        | "/health"
+        | "/setup"
+        | "/setup/init"
+        // Also check with /api prefix for direct access
+        | "/api/auth/login"
+        | "/api/info"
+        | "/api/health"
+        | "/api/setup"
+        | "/api/setup/init"
+    ) || path.starts_with("/assets/")
+        || path.starts_with("/static/")
+        || path.ends_with(".js")
+        || path.ends_with(".css")
+        || path.ends_with(".ico")
+        || path.ends_with(".png")
+        || path.ends_with(".svg")
+}
+
+/// Require authentication - returns 401 if not authenticated
+pub async fn require_auth(
+    State(state): State<Arc<AppState>>,
+    cookies: CookieJar,
+    request: Request,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    let session_id = extract_session_id(&cookies, request.headers());
+
+    if let Some(session_id) = session_id {
+        if let Ok(Some(_session)) = state.sessions.get(&session_id).await {
+            return Ok(next.run(request).await);
+        }
+    }
+
+    Err(StatusCode::UNAUTHORIZED)
+}
+
+/// Require admin privileges - returns 403 if not admin
+pub async fn require_admin(
+    State(state): State<Arc<AppState>>,
+    cookies: CookieJar,
+    request: Request,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    let session_id = extract_session_id(&cookies, request.headers());
+
+    if let Some(session_id) = session_id {
+        if let Ok(Some(session)) = state.sessions.get(&session_id).await {
+            // Get user and check admin status
+            if let Ok(Some(user)) = state.users.get(&session.user_id).await {
+                if user.is_admin {
+                    return Ok(next.run(request).await);
+                }
+                // User is authenticated but not admin
+                return Err(StatusCode::FORBIDDEN);
+            }
+        }
+    }
+
+    // Not authenticated at all
+    Err(StatusCode::UNAUTHORIZED)
+}

src/auth/mod.rs

@@ -0,0 +1,9 @@
+mod password;
+mod session;
+mod user;
+pub mod middleware;
+
+pub use password::{hash_password, verify_password};
+pub use session::{Session, SessionStore};
+pub use user::{User, UserStore};
+pub use middleware::{AuthLayer, SESSION_COOKIE, auth_middleware, require_admin};

src/auth/password.rs

@@ -0,0 +1,41 @@
+use argon2::{
+    password_hash::{rand_core::OsRng, PasswordHash, PasswordHasher, PasswordVerifier, SaltString},
+    Argon2,
+};
+
+use crate::error::{AppError, Result};
+
+/// Hash a password using Argon2
+pub fn hash_password(password: &str) -> Result<String> {
+    let salt = SaltString::generate(&mut OsRng);
+    let argon2 = Argon2::default();
+
+    argon2
+        .hash_password(password.as_bytes(), &salt)
+        .map(|hash| hash.to_string())
+        .map_err(|e| AppError::Internal(format!("Password hashing failed: {}", e)))
+}
+
+/// Verify a password against a hash
+pub fn verify_password(password: &str, hash: &str) -> Result<bool> {
+    let parsed_hash = PasswordHash::new(hash)
+        .map_err(|e| AppError::Internal(format!("Invalid password hash: {}", e)))?;
+
+    Ok(Argon2::default()
+        .verify_password(password.as_bytes(), &parsed_hash)
+        .is_ok())
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_password_hash_verify() {
+        let password = "test_password_123";
+        let hash = hash_password(password).unwrap();
+
+        assert!(verify_password(password, &hash).unwrap());
+        assert!(!verify_password("wrong_password", &hash).unwrap());
+    }
+}

src/auth/session.rs

@@ -0,0 +1,129 @@
+use chrono::{DateTime, Duration, Utc};
+use serde::{Deserialize, Serialize};
+use sqlx::{Pool, Sqlite};
+use uuid::Uuid;
+
+use crate::error::Result;
+
+/// Session data
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Session {
+    pub id: String,
+    pub user_id: String,
+    pub created_at: DateTime<Utc>,
+    pub expires_at: DateTime<Utc>,
+    pub data: Option<serde_json::Value>,
+}
+
+impl Session {
+    /// Check if session is expired
+    pub fn is_expired(&self) -> bool {
+        Utc::now() > self.expires_at
+    }
+}
+
+/// Session store backed by SQLite
+#[derive(Clone)]
+pub struct SessionStore {
+    pool: Pool<Sqlite>,
+    default_ttl: Duration,
+}
+
+impl SessionStore {
+    /// Create a new session store
+    pub fn new(pool: Pool<Sqlite>, ttl_secs: i64) -> Self {
+        Self {
+            pool,
+            default_ttl: Duration::seconds(ttl_secs),
+        }
+    }
+
+    /// Create a new session
+    pub async fn create(&self, user_id: &str) -> Result<Session> {
+        let session = Session {
+            id: Uuid::new_v4().to_string(),
+            user_id: user_id.to_string(),
+            created_at: Utc::now(),
+            expires_at: Utc::now() + self.default_ttl,
+            data: None,
+        };
+
+        sqlx::query(
+            r#"
+            INSERT INTO sessions (id, user_id, created_at, expires_at, data)
+            VALUES (?1, ?2, ?3, ?4, ?5)
+            "#,
+        )
+        .bind(&session.id)
+        .bind(&session.user_id)
+        .bind(session.created_at.to_rfc3339())
+        .bind(session.expires_at.to_rfc3339())
+        .bind(session.data.as_ref().map(|d| d.to_string()))
+        .execute(&self.pool)
+        .await?;
+
+        Ok(session)
+    }
+
+    /// Get a session by ID
+    pub async fn get(&self, session_id: &str) -> Result<Option<Session>> {
+        let row: Option<(String, String, String, String, Option<String>)> = sqlx::query_as(
+            "SELECT id, user_id, created_at, expires_at, data FROM sessions WHERE id = ?1",
+        )
+        .bind(session_id)
+        .fetch_optional(&self.pool)
+        .await?;
+
+        match row {
+            Some((id, user_id, created_at, expires_at, data)) => {
+                let session = Session {
+                    id,
+                    user_id,
+                    created_at: DateTime::parse_from_rfc3339(&created_at)
+                        .map(|dt| dt.with_timezone(&Utc))
+                        .unwrap_or_else(|_| Utc::now()),
+                    expires_at: DateTime::parse_from_rfc3339(&expires_at)
+                        .map(|dt| dt.with_timezone(&Utc))
+                        .unwrap_or_else(|_| Utc::now()),
+                    data: data.and_then(|d| serde_json::from_str(&d).ok()),
+                };
+
+                if session.is_expired() {
+                    self.delete(&session.id).await?;
+                    Ok(None)
+                } else {
+                    Ok(Some(session))
+                }
+            }
+            None => Ok(None),
+        }
+    }
+
+    /// Delete a session
+    pub async fn delete(&self, session_id: &str) -> Result<()> {
+        sqlx::query("DELETE FROM sessions WHERE id = ?1")
+            .bind(session_id)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+
+    /// Delete all expired sessions
+    pub async fn cleanup_expired(&self) -> Result<u64> {
+        let result = sqlx::query("DELETE FROM sessions WHERE expires_at < datetime('now')")
+            .execute(&self.pool)
+            .await?;
+        Ok(result.rows_affected())
+    }
+
+    /// Extend session expiration
+    pub async fn extend(&self, session_id: &str) -> Result<()> {
+        let new_expires = Utc::now() + self.default_ttl;
+        sqlx::query("UPDATE sessions SET expires_at = ?1 WHERE id = ?2")
+            .bind(new_expires.to_rfc3339())
+            .bind(session_id)
+            .execute(&self.pool)
+            .await?;
+        Ok(())
+    }
+}

src/auth/user.rs

@@ -0,0 +1,185 @@
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sqlx::{Pool, Sqlite};
+use uuid::Uuid;
+
+use crate::error::{AppError, Result};
+use super::password::{hash_password, verify_password};
+
+/// User row type from database
+type UserRow = (String, String, String, i32, String, String);
+
+/// User data
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct User {
+    pub id: String,
+    pub username: String,
+    #[serde(skip_serializing)]
+    pub password_hash: String,
+    pub is_admin: bool,
+    pub created_at: DateTime<Utc>,
+    pub updated_at: DateTime<Utc>,
+}
+
+impl User {
+    /// Convert from database row to User
+    fn from_row(row: UserRow) -> Self {
+        let (id, username, password_hash, is_admin, created_at, updated_at) = row;
+        Self {
+            id,
+            username,
+            password_hash,
+            is_admin: is_admin != 0,
+            created_at: DateTime::parse_from_rfc3339(&created_at)
+                .map(|dt| dt.with_timezone(&Utc))
+                .unwrap_or_else(|_| Utc::now()),
+            updated_at: DateTime::parse_from_rfc3339(&updated_at)
+                .map(|dt| dt.with_timezone(&Utc))
+                .unwrap_or_else(|_| Utc::now()),
+        }
+    }
+}
+
+/// User store backed by SQLite
+#[derive(Clone)]
+pub struct UserStore {
+    pool: Pool<Sqlite>,
+}
+
+impl UserStore {
+    /// Create a new user store
+    pub fn new(pool: Pool<Sqlite>) -> Self {
+        Self { pool }
+    }
+
+    /// Create a new user
+    pub async fn create(&self, username: &str, password: &str, is_admin: bool) -> Result<User> {
+        // Check if username already exists
+        if self.get_by_username(username).await?.is_some() {
+            return Err(AppError::BadRequest(format!(
+                "Username '{}' already exists",
+                username
+            )));
+        }
+
+        let password_hash = hash_password(password)?;
+        let now = Utc::now();
+        let user = User {
+            id: Uuid::new_v4().to_string(),
+            username: username.to_string(),
+            password_hash,
+            is_admin,
+            created_at: now,
+            updated_at: now,
+        };
+
+        sqlx::query(
+            r#"
+            INSERT INTO users (id, username, password_hash, is_admin, created_at, updated_at)
+            VALUES (?1, ?2, ?3, ?4, ?5, ?6)
+            "#,
+        )
+        .bind(&user.id)
+        .bind(&user.username)
+        .bind(&user.password_hash)
+        .bind(user.is_admin as i32)
+        .bind(user.created_at.to_rfc3339())
+        .bind(user.updated_at.to_rfc3339())
+        .execute(&self.pool)
+        .await?;
+
+        Ok(user)
+    }
+
+    /// Get user by ID
+    pub async fn get(&self, user_id: &str) -> Result<Option<User>> {
+        let row: Option<UserRow> = sqlx::query_as(
+            "SELECT id, username, password_hash, is_admin, created_at, updated_at FROM users WHERE id = ?1",
+        )
+        .bind(user_id)
+        .fetch_optional(&self.pool)
+        .await?;
+
+        Ok(row.map(User::from_row))
+    }
+
+    /// Get user by username
+    pub async fn get_by_username(&self, username: &str) -> Result<Option<User>> {
+        let row: Option<UserRow> = sqlx::query_as(
+            "SELECT id, username, password_hash, is_admin, created_at, updated_at FROM users WHERE username = ?1",
+        )
+        .bind(username)
+        .fetch_optional(&self.pool)
+        .await?;
+
+        Ok(row.map(User::from_row))
+    }
+
+    /// Verify user credentials
+    pub async fn verify(&self, username: &str, password: &str) -> Result<Option<User>> {
+        let user = match self.get_by_username(username).await? {
+            Some(user) => user,
+            None => return Ok(None),
+        };
+
+        if verify_password(password, &user.password_hash)? {
+            Ok(Some(user))
+        } else {
+            Ok(None)
+        }
+    }
+
+    /// Update user password
+    pub async fn update_password(&self, user_id: &str, new_password: &str) -> Result<()> {
+        let password_hash = hash_password(new_password)?;
+        let now = Utc::now();
+
+        let result = sqlx::query(
+            "UPDATE users SET password_hash = ?1, updated_at = ?2 WHERE id = ?3",
+        )
+        .bind(&password_hash)
+        .bind(now.to_rfc3339())
+        .bind(user_id)
+        .execute(&self.pool)
+        .await?;
+
+        if result.rows_affected() == 0 {
+            return Err(AppError::NotFound("User not found".to_string()));
+        }
+
+        Ok(())
+    }
+
+    /// List all users
+    pub async fn list(&self) -> Result<Vec<User>> {
+        let rows: Vec<UserRow> = sqlx::query_as(
+            "SELECT id, username, password_hash, is_admin, created_at, updated_at FROM users ORDER BY created_at",
+        )
+        .fetch_all(&self.pool)
+        .await?;
+
+        Ok(rows.into_iter().map(User::from_row).collect())
+    }
+
+    /// Delete user by ID
+    pub async fn delete(&self, user_id: &str) -> Result<()> {
+        let result = sqlx::query("DELETE FROM users WHERE id = ?1")
+            .bind(user_id)
+            .execute(&self.pool)
+            .await?;
+
+        if result.rows_affected() == 0 {
+            return Err(AppError::NotFound("User not found".to_string()));
+        }
+
+        Ok(())
+    }
+
+    /// Check if any users exist
+    pub async fn has_users(&self) -> Result<bool> {
+        let count: (i64,) = sqlx::query_as("SELECT COUNT(*) FROM users")
+            .fetch_one(&self.pool)
+            .await?;
+        Ok(count.0 > 0)
+    }
+}