Skip to main content

koan_core/db/queries/
auth.rs

1//! Auth queries: user CRUD, refresh token management.
2
3use rusqlite::{Connection, params};
4
5use crate::auth::{self, Role};
6
7// ---------------------------------------------------------------------------
8// Row types
9// ---------------------------------------------------------------------------
10
11#[derive(Debug, Clone)]
12pub struct UserRow {
13    pub id: i64,
14    pub username: String,
15    pub password_hash: String,
16    pub role: Role,
17    pub created_at: Option<String>,
18}
19
20#[derive(Debug, Clone)]
21pub struct RefreshTokenRow {
22    pub id: String,
23    pub user_id: i64,
24    pub expires_at: i64,
25    pub revoked: bool,
26    pub created_at: Option<String>,
27}
28
29// ---------------------------------------------------------------------------
30// User CRUD
31// ---------------------------------------------------------------------------
32
33/// Create a new user. Returns the user ID.
34pub fn create_user(
35    conn: &Connection,
36    username: &str,
37    password: &str,
38    role: Role,
39) -> Result<i64, rusqlite::Error> {
40    let hash = auth::hash_password(password)
41        .map_err(|e| rusqlite::Error::ToSqlConversionFailure(e.into()))?;
42    conn.execute(
43        "INSERT INTO users (username, password_hash, role) VALUES (?1, ?2, ?3)",
44        params![username, hash, role.as_str()],
45    )?;
46    Ok(conn.last_insert_rowid())
47}
48
49/// Get a user by username.
50pub fn get_user_by_username(
51    conn: &Connection,
52    username: &str,
53) -> Result<Option<UserRow>, rusqlite::Error> {
54    let mut stmt = conn.prepare(
55        "SELECT id, username, password_hash, role, created_at FROM users WHERE username = ?1",
56    )?;
57    let mut rows = stmt.query_map(params![username], |row| {
58        let role_str: String = row.get(3)?;
59        Ok(UserRow {
60            id: row.get(0)?,
61            username: row.get(1)?,
62            password_hash: row.get(2)?,
63            role: role_str.parse().unwrap_or(Role::Readonly),
64            created_at: row.get(4)?,
65        })
66    })?;
67    match rows.next() {
68        Some(Ok(user)) => Ok(Some(user)),
69        Some(Err(e)) => Err(e),
70        None => Ok(None),
71    }
72}
73
74/// Get a user by ID.
75pub fn get_user_by_id(conn: &Connection, user_id: i64) -> Result<Option<UserRow>, rusqlite::Error> {
76    let mut stmt = conn
77        .prepare("SELECT id, username, password_hash, role, created_at FROM users WHERE id = ?1")?;
78    let mut rows = stmt.query_map(params![user_id], |row| {
79        let role_str: String = row.get(3)?;
80        Ok(UserRow {
81            id: row.get(0)?,
82            username: row.get(1)?,
83            password_hash: row.get(2)?,
84            role: role_str.parse().unwrap_or(Role::Readonly),
85            created_at: row.get(4)?,
86        })
87    })?;
88    match rows.next() {
89        Some(Ok(user)) => Ok(Some(user)),
90        Some(Err(e)) => Err(e),
91        None => Ok(None),
92    }
93}
94
95/// List all users (no password hashes).
96pub fn list_users(conn: &Connection) -> Result<Vec<UserRow>, rusqlite::Error> {
97    let mut stmt = conn
98        .prepare("SELECT id, username, password_hash, role, created_at FROM users ORDER BY id")?;
99    let rows = stmt.query_map([], |row| {
100        let role_str: String = row.get(3)?;
101        Ok(UserRow {
102            id: row.get(0)?,
103            username: row.get(1)?,
104            password_hash: row.get(2)?,
105            role: role_str.parse().unwrap_or(Role::Readonly),
106            created_at: row.get(4)?,
107        })
108    })?;
109    rows.collect()
110}
111
112/// Delete a user by ID. Returns true if a row was deleted.
113pub fn delete_user(conn: &Connection, user_id: i64) -> Result<bool, rusqlite::Error> {
114    let count = conn.execute("DELETE FROM users WHERE id = ?1", params![user_id])?;
115    Ok(count > 0)
116}
117
118/// Update a user's password. Revokes all their refresh tokens.
119pub fn update_password(
120    conn: &Connection,
121    username: &str,
122    new_password: &str,
123) -> Result<bool, Box<dyn std::error::Error>> {
124    let hash = crate::auth::hash_password(new_password)?;
125    let updated = conn.execute(
126        "UPDATE users SET password_hash = ?1 WHERE username = ?2",
127        params![hash, username],
128    )?;
129    if updated > 0 {
130        // Revoke all existing tokens for this user.
131        if let Some(user) = get_user_by_username(conn, username)? {
132            revoke_all_user_tokens(conn, user.id)?;
133        }
134    }
135    Ok(updated > 0)
136}
137
138/// Update a user's role.
139pub fn update_role(
140    conn: &Connection,
141    username: &str,
142    role: crate::auth::Role,
143) -> Result<bool, rusqlite::Error> {
144    let updated = conn.execute(
145        "UPDATE users SET role = ?1 WHERE username = ?2",
146        params![role.as_str(), username],
147    )?;
148    Ok(updated > 0)
149}
150
151/// Check if any users exist (for first-run detection).
152pub fn has_users(conn: &Connection) -> Result<bool, rusqlite::Error> {
153    let count: i64 = conn.query_row("SELECT COUNT(*) FROM users", [], |row| row.get(0))?;
154    Ok(count > 0)
155}
156
157/// Count users with admin role.
158pub fn admin_count(conn: &Connection) -> Result<i64, rusqlite::Error> {
159    conn.query_row(
160        "SELECT COUNT(*) FROM users WHERE role = 'admin'",
161        [],
162        |row| row.get(0),
163    )
164}
165
166// ---------------------------------------------------------------------------
167// Refresh tokens
168// ---------------------------------------------------------------------------
169
170/// Store a refresh token.
171pub fn store_refresh_token(
172    conn: &Connection,
173    token_id: &str,
174    user_id: i64,
175    expires_at: i64,
176) -> Result<(), rusqlite::Error> {
177    conn.execute(
178        "INSERT INTO refresh_tokens (id, user_id, expires_at) VALUES (?1, ?2, ?3)",
179        params![token_id, user_id, expires_at],
180    )?;
181    Ok(())
182}
183
184/// Look up a refresh token. Returns None if not found, expired, or revoked.
185pub fn get_valid_refresh_token(
186    conn: &Connection,
187    token_id: &str,
188) -> Result<Option<RefreshTokenRow>, rusqlite::Error> {
189    let now = auth::now_unix() as i64;
190    let mut stmt = conn.prepare(
191        "SELECT id, user_id, expires_at, revoked, created_at
192         FROM refresh_tokens
193         WHERE id = ?1 AND revoked = 0 AND expires_at > ?2",
194    )?;
195    let mut rows = stmt.query_map(params![token_id, now], |row| {
196        Ok(RefreshTokenRow {
197            id: row.get(0)?,
198            user_id: row.get(1)?,
199            expires_at: row.get(2)?,
200            revoked: row.get::<_, i32>(3)? != 0,
201            created_at: row.get(4)?,
202        })
203    })?;
204    match rows.next() {
205        Some(Ok(token)) => Ok(Some(token)),
206        Some(Err(e)) => Err(e),
207        None => Ok(None),
208    }
209}
210
211/// Atomically consume a valid refresh token: revoke it and return the row in one
212/// statement. Returns `None` if the token doesn't exist, is already revoked, or
213/// has expired. This prevents TOCTOU races in refresh-token rotation.
214pub fn consume_refresh_token(
215    conn: &Connection,
216    token_id: &str,
217) -> Result<Option<RefreshTokenRow>, rusqlite::Error> {
218    let now = auth::now_unix() as i64;
219    let mut stmt = conn.prepare(
220        "UPDATE refresh_tokens SET revoked = 1
221         WHERE id = ?1 AND revoked = 0 AND expires_at > ?2
222         RETURNING id, user_id, expires_at, revoked, created_at",
223    )?;
224    let mut rows = stmt.query_map(params![token_id, now], |row| {
225        Ok(RefreshTokenRow {
226            id: row.get(0)?,
227            user_id: row.get(1)?,
228            expires_at: row.get(2)?,
229            revoked: row.get::<_, i32>(3)? != 0,
230            created_at: row.get(4)?,
231        })
232    })?;
233    match rows.next() {
234        Some(Ok(token)) => Ok(Some(token)),
235        Some(Err(e)) => Err(e),
236        None => Ok(None),
237    }
238}
239
240/// Revoke a single refresh token (logout).
241pub fn revoke_refresh_token(conn: &Connection, token_id: &str) -> Result<bool, rusqlite::Error> {
242    let count = conn.execute(
243        "UPDATE refresh_tokens SET revoked = 1 WHERE id = ?1",
244        params![token_id],
245    )?;
246    Ok(count > 0)
247}
248
249/// Revoke all refresh tokens for a user (password change, account delete).
250pub fn revoke_all_user_tokens(conn: &Connection, user_id: i64) -> Result<usize, rusqlite::Error> {
251    let count = conn.execute(
252        "UPDATE refresh_tokens SET revoked = 1 WHERE user_id = ?1 AND revoked = 0",
253        params![user_id],
254    )?;
255    Ok(count)
256}
257
258/// Clean up expired/revoked refresh tokens (housekeeping).
259pub fn cleanup_expired_tokens(conn: &Connection) -> Result<usize, rusqlite::Error> {
260    let now = auth::now_unix() as i64;
261    let count = conn.execute(
262        "DELETE FROM refresh_tokens WHERE revoked = 1 OR expires_at <= ?1",
263        params![now],
264    )?;
265    Ok(count)
266}
267
268// ---------------------------------------------------------------------------
269// Tests
270// ---------------------------------------------------------------------------
271
272#[cfg(test)]
273mod tests {
274    use super::*;
275    use crate::db::connection::Database;
276    use tempfile::TempDir;
277
278    fn test_db() -> (Database, TempDir) {
279        let tmp = TempDir::new().unwrap();
280        let db_path = tmp.path().join("test.db");
281        let db = Database::open(&db_path).unwrap();
282        (db, tmp)
283    }
284
285    #[test]
286    fn create_and_get_user() {
287        let (db, _tmp) = test_db();
288        let id = create_user(&db.conn, "alice", "password123", Role::Admin).unwrap();
289        assert!(id > 0);
290
291        let user = get_user_by_username(&db.conn, "alice").unwrap().unwrap();
292        assert_eq!(user.username, "alice");
293        assert_eq!(user.role, Role::Admin);
294        assert!(user.password_hash.starts_with("$argon2"));
295    }
296
297    #[test]
298    fn duplicate_username_rejected() {
299        let (db, _tmp) = test_db();
300        create_user(&db.conn, "bob", "pass1", Role::User).unwrap();
301        let result = create_user(&db.conn, "bob", "pass2", Role::User);
302        assert!(result.is_err());
303    }
304
305    #[test]
306    fn list_and_delete_users() {
307        let (db, _tmp) = test_db();
308        let id1 = create_user(&db.conn, "user1", "pass", Role::Admin).unwrap();
309        create_user(&db.conn, "user2", "pass", Role::User).unwrap();
310
311        let users = list_users(&db.conn).unwrap();
312        assert_eq!(users.len(), 2);
313
314        assert!(delete_user(&db.conn, id1).unwrap());
315        let users = list_users(&db.conn).unwrap();
316        assert_eq!(users.len(), 1);
317        assert_eq!(users[0].username, "user2");
318    }
319
320    #[test]
321    fn has_users_empty_and_populated() {
322        let (db, _tmp) = test_db();
323        assert!(!has_users(&db.conn).unwrap());
324        create_user(&db.conn, "first", "pass", Role::Admin).unwrap();
325        assert!(has_users(&db.conn).unwrap());
326    }
327
328    #[test]
329    fn refresh_token_lifecycle() {
330        let (db, _tmp) = test_db();
331        let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
332
333        let future_ts = auth::now_unix() as i64 + 86400;
334        store_refresh_token(&db.conn, "tok-123", uid, future_ts).unwrap();
335
336        // Valid lookup.
337        let tok = get_valid_refresh_token(&db.conn, "tok-123")
338            .unwrap()
339            .unwrap();
340        assert_eq!(tok.user_id, uid);
341
342        // Revoke.
343        assert!(revoke_refresh_token(&db.conn, "tok-123").unwrap());
344        assert!(
345            get_valid_refresh_token(&db.conn, "tok-123")
346                .unwrap()
347                .is_none()
348        );
349    }
350
351    #[test]
352    fn expired_token_not_returned() {
353        let (db, _tmp) = test_db();
354        let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
355
356        // Already expired.
357        store_refresh_token(&db.conn, "tok-old", uid, 0).unwrap();
358        assert!(
359            get_valid_refresh_token(&db.conn, "tok-old")
360                .unwrap()
361                .is_none()
362        );
363    }
364
365    #[test]
366    fn cleanup_removes_expired_and_revoked() {
367        let (db, _tmp) = test_db();
368        let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
369
370        let future = auth::now_unix() as i64 + 86400;
371        store_refresh_token(&db.conn, "active", uid, future).unwrap();
372        store_refresh_token(&db.conn, "expired", uid, 0).unwrap();
373        store_refresh_token(&db.conn, "revoked", uid, future).unwrap();
374        revoke_refresh_token(&db.conn, "revoked").unwrap();
375
376        let cleaned = cleanup_expired_tokens(&db.conn).unwrap();
377        assert_eq!(cleaned, 2);
378
379        // Active token still there.
380        assert!(
381            get_valid_refresh_token(&db.conn, "active")
382                .unwrap()
383                .is_some()
384        );
385    }
386}