reinhardt-admin 0.1.1

Admin panel functionality for Reinhardt framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! Admin Login Server Function
//!
//! Provides JWT-based authentication for the admin WASM SPA.
//!
//! On successful login, the JWT token is set as an HTTP-Only cookie
//! (`reinhardt_admin_token`) instead of being returned in the response body.
//! This prevents XSS attacks from stealing the token.

use crate::adapters::LoginResponse;
use reinhardt_pages::server_fn::{ServerFnError, server_fn};

#[cfg(server)]
use super::admin_auth::AdminLoginAuthenticator;
#[cfg(server)]
use super::security::{build_admin_auth_cookie, require_csrf_token};
#[cfg(server)]
use crate::adapters::AdminSite;
#[cfg(server)]
use reinhardt_auth::JwtAuth;
#[cfg(server)]
use reinhardt_db::orm::DatabaseConnection;
#[cfg(server)]
use reinhardt_di::Depends;
#[cfg(server)]
use reinhardt_pages::server_fn::ServerFnRequest;

/// Authenticate an admin user and set a JWT cookie.
///
/// This server function validates the provided credentials against the
/// database and, on success, sets the JWT token as an HTTP-Only cookie.
/// The browser automatically attaches this cookie to subsequent requests,
/// eliminating the need for sessionStorage token management.
///
/// # Authentication Flow
///
/// 1. Validate CSRF token (double-submit cookie pattern)
/// 2. Look up user by username in the database
/// 3. Verify password using Argon2id
/// 4. Check that the user is active and has staff privileges
/// 5. Generate JWT token and set as HTTP-Only cookie
/// 6. Return user info (without the token) in the response body
///
/// # Security
///
/// - CSRF protection via the double-submit cookie pattern
/// - Password verification uses constant-time Argon2id comparison
/// - Generic error messages prevent username enumeration
/// - Only active staff users can obtain tokens
/// - JWT stored in HTTP-Only cookie (not accessible via JavaScript)
/// - `SameSite=Strict` prevents cross-origin cookie sending
///
/// # Example
///
/// ```ignore
/// use reinhardt_admin::server::login::admin_login;
///
/// // Client-side usage (automatically generates HTTP request)
/// let response = admin_login(
///     "admin".to_string(),
///     "password123".to_string(),
///     csrf_token.to_string(),
/// ).await?;
/// // No need to store token — browser handles it via cookie
/// ```
#[server_fn]
pub async fn admin_login(
	username: String,
	password: String,
	csrf_token: String,
	#[inject] http_request: ServerFnRequest,
	#[inject] db: Depends<DatabaseConnection>,
	#[inject] site: Depends<AdminSite>,
	#[inject] authenticator: Depends<AdminLoginAuthenticator>,
) -> Result<LoginResponse, ServerFnError> {
	// Validate CSRF token
	require_csrf_token(&csrf_token, &http_request.inner().headers)?;

	// Verify JWT secret is configured
	let jwt_secret = site.jwt_secret().ok_or_else(|| {
		::tracing::error!("admin_login: JWT secret not configured on AdminSite");
		ServerFnError::server(500, "Admin login is not configured")
	})?;
	let jwt_auth = JwtAuth::new(jwt_secret);

	// Authenticate user (username lookup + password verification + staff check)
	let user_info = (authenticator.0)(username.clone(), password, db.as_arc().clone())
		.await
		.map_err(|e| {
			::tracing::warn!(error = ?e, "admin_login: Authentication failed");
			ServerFnError::server(500, "Internal authentication error")
		})?;

	let user_info = user_info.ok_or_else(|| {
		// Generic message to prevent username enumeration
		ServerFnError::server(401, "Invalid username or password")
	})?;

	// Generate JWT token
	let token = jwt_auth
		.generate_token(
			user_info.user_id.clone(),
			user_info.username.clone(),
			user_info.is_staff,
			user_info.is_superuser,
		)
		.map_err(|e| {
			::tracing::error!(error = ?e, "admin_login: JWT token generation failed");
			ServerFnError::server(500, "Token generation failed")
		})?;

	// Set JWT as HTTP-Only cookie via the shared cookie jar.
	// The server_fn router (router_ext.rs) reads SharedResponseCookies
	// and applies them as Set-Cookie response headers.
	let is_secure = http_request.inner().is_secure;
	let cookie = build_admin_auth_cookie(&token, is_secure);
	http_request.add_response_cookie(cookie);

	// Return user info without the token — the browser receives the token
	// via the Set-Cookie header, not the response body.
	Ok(LoginResponse {
		token: String::new(),
		username: user_info.username,
		user_id: user_info.user_id,
		is_staff: user_info.is_staff,
		is_superuser: user_info.is_superuser,
	})
}

#[cfg(test)]
mod tests {
	use super::*;

	#[test]
	fn test_login_response_serialization() {
		// Arrange
		let response = LoginResponse {
			token: "eyJhbGciOiJIUzI1NiJ9.test".to_string(),
			username: "admin".to_string(),
			user_id: "550e8400-e29b-41d4-a716-446655440000".to_string(),
			is_staff: true,
			is_superuser: false,
		};

		// Act
		let json = serde_json::to_string(&response).expect("serialization should succeed");
		let deserialized: LoginResponse =
			serde_json::from_str(&json).expect("deserialization should succeed");

		// Assert
		assert_eq!(deserialized.token, response.token);
		assert_eq!(deserialized.username, response.username);
		assert_eq!(deserialized.user_id, response.user_id);
		assert!(deserialized.is_staff);
		assert!(!deserialized.is_superuser);
	}
}