cedros-login-server 0.0.12

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237

//! Password reset handlers
//!
//! # Security (SEC-07)
//!
//! Rate limiting uses both IP-based controls and per-email throttling to prevent
//! multi-source abuse for a single account. Mitigations in place:
//!
//! 1. IP-based rate limiting prevents single-source abuse
//! 2. Per-email throttling limits repeated reset requests
//! 3. Constant-time responses prevent email enumeration
//! 4. Tokens expire within configured window (default: 1 hour)
//! 5. Tokens are single-use and invalidated after use

use axum::{
    extract::State,
    http::{HeaderMap, StatusCode},
    Json,
};
use rand::Rng;
use serde::Deserialize;
use std::sync::Arc;
use std::time::Duration;
use zeroize::{Zeroize, ZeroizeOnDrop};

use crate::callback::AuthCallback;
use crate::errors::AppError;
use crate::models::MessageResponse;
use crate::repositories::{
    default_expiry, generate_verification_token, hash_verification_token, AuditEventType, TokenType,
};
use crate::services::EmailService;
use crate::AppState;

/// SEC-003: Add random delay to mask timing differences and prevent email enumeration.
///
/// This function adds a random delay between 50-150ms to make it harder to distinguish
/// between "user exists" and "user not found" responses based on timing.
async fn add_timing_normalization_delay() {
    let delay_ms = rand::thread_rng().gen_range(50..=150);
    tokio::time::sleep(Duration::from_millis(delay_ms)).await;
}

/// Request to send password reset email
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct ForgotPasswordRequest {
    pub email: String,
}

/// Request to reset password with token
///
/// SEC-005: Derives Zeroize and ZeroizeOnDrop to clear password from memory.
#[derive(Debug, Deserialize, Zeroize, ZeroizeOnDrop)]
#[serde(rename_all = "camelCase")]
pub struct ResetPasswordRequest {
    pub token: String,
    pub new_password: String,
}

/// POST /auth/forgot-password - Send password reset email
pub async fn forgot_password<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
    headers: HeaderMap,
    Json(req): Json<ForgotPasswordRequest>,
) -> Result<(StatusCode, Json<MessageResponse>), AppError> {
    if !state.config.email.enabled {
        return Err(AppError::NotFound("Email auth disabled".into()));
    }

    // Always return success to prevent email enumeration
    let response = (
        StatusCode::OK,
        Json(MessageResponse {
            message: "If an account exists, a reset email has been sent".to_string(),
        }),
    );

    let throttle_key = format!("password_reset:{}", req.email.trim().to_lowercase());
    let throttle_status = state
        .login_attempt_repo
        .record_failed_attempt_atomic(None, &throttle_key, None, &state.login_attempt_config)
        .await?;
    if throttle_status.is_locked {
        if let Some(remaining) = throttle_status.lockout_remaining_secs {
            return Err(AppError::TooManyRequests(format!(
                "Too many password reset requests. Try again in {} seconds",
                remaining
            )));
        }
        return Err(AppError::RateLimited);
    }

    // Find user by email
    let user = match state.user_repo.find_by_email(&req.email).await? {
        Some(u) => u,
        None => {
            // SEC-003: Add delay to prevent timing-based email enumeration
            add_timing_normalization_delay().await;
            return Ok(response); // Don't reveal if email exists
        }
    };

    // User must have a password (email auth method)
    if user.password_hash.is_none() {
        // SEC-003: Add delay to prevent timing-based email enumeration
        add_timing_normalization_delay().await;
        return Ok(response); // Don't reveal if user has no password
    }

    // Delete any existing reset tokens for this user
    state
        .verification_repo
        .delete_for_user(user.id, TokenType::PasswordReset)
        .await?;

    // Generate and store token
    let token = generate_verification_token();
    let token_hash = hash_verification_token(&token);

    state
        .verification_repo
        .create(
            user.id,
            &token_hash,
            TokenType::PasswordReset,
            default_expiry(TokenType::PasswordReset),
        )
        .await
        .map_err(|e| AppError::Internal(anyhow::anyhow!("Failed to create token: {}", e)))?;

    // Queue password reset email via outbox for async delivery
    state
        .comms_service
        .queue_password_reset_email(&req.email, user.name.as_deref(), &token, Some(user.id))
        .await?;

    // REL-001: Log audit event with warning on failure (security-critical event)
    if let Err(e) = state
        .audit_service
        .log_password_event(
            AuditEventType::PasswordResetRequested,
            user.id,
            Some(&headers),
        )
        .await
    {
        tracing::warn!(error = %e, user_id = %user.id, "Failed to log password reset requested audit event");
    }

    Ok(response)
}

/// POST /auth/reset-password - Reset password with token
pub async fn reset_password<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
    headers: HeaderMap,
    Json(req): Json<ResetPasswordRequest>,
) -> Result<(StatusCode, Json<MessageResponse>), AppError> {
    if !state.config.email.enabled {
        return Err(AppError::NotFound("Email auth disabled".into()));
    }

    // Validate password BEFORE consuming token (fail fast, don't waste the token)
    state.password_service.validate(&req.new_password)?;

    let token_hash = hash_verification_token(&req.token);

    // Atomically consume the token (prevents TOCTOU race conditions)
    let token = state
        .verification_repo
        .consume_if_valid(&token_hash)
        .await
        .map_err(|e| AppError::Internal(anyhow::anyhow!("Failed to consume token: {}", e)))?
        .ok_or_else(|| AppError::Validation("Invalid or expired token".to_string()))?;

    if token.token_type != TokenType::PasswordReset {
        return Err(AppError::Validation("Invalid token type".to_string()));
    }

    // Hash the already-validated password
    let password_hash = state
        .password_service
        .hash(req.new_password.clone())
        .await?;

    // Update user password
    state
        .user_repo
        .update_password(token.user_id, &password_hash)
        .await?;

    // Revoke all sessions for this user (force re-login)
    state
        .session_repo
        .revoke_all_for_user_with_reason(token.user_id, "password_reset")
        .await?;

    // REL-001: Log audit event with warning on failure (security-critical event)
    if let Err(e) = state
        .audit_service
        .log_password_event(
            AuditEventType::PasswordResetCompleted,
            token.user_id,
            Some(&headers),
        )
        .await
    {
        tracing::warn!(error = %e, user_id = %token.user_id, "Failed to log password reset completed audit event");
    }

    Ok((
        StatusCode::OK,
        Json(MessageResponse {
            message: "Password reset successfully".to_string(),
        }),
    ))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_forgot_password_request_deserialize() {
        let json = r#"{"email": "test@example.com"}"#;
        let req: ForgotPasswordRequest = serde_json::from_str(json).unwrap();
        assert_eq!(req.email, "test@example.com");
    }

    #[test]
    fn test_reset_password_request_deserialize() {
        let json = r#"{"token": "abc123", "newPassword": "NewPassword1!"}"#;
        let req: ResetPasswordRequest = serde_json::from_str(json).unwrap();
        assert_eq!(req.token, "abc123");
        assert_eq!(req.new_password, "NewPassword1!");
    }
}