1use rusqlite::{Connection, params};
4
5use crate::auth::{self, Role};
6
7#[derive(Debug, Clone)]
12pub struct UserRow {
13 pub id: i64,
14 pub username: String,
15 pub password_hash: String,
16 pub role: Role,
17 pub created_at: Option<String>,
18}
19
20#[derive(Debug, Clone)]
21pub struct RefreshTokenRow {
22 pub id: String,
23 pub user_id: i64,
24 pub expires_at: i64,
25 pub revoked: bool,
26 pub created_at: Option<String>,
27}
28
29pub fn create_user(
35 conn: &Connection,
36 username: &str,
37 password: &str,
38 role: Role,
39) -> Result<i64, rusqlite::Error> {
40 let hash = auth::hash_password(password)
41 .map_err(|e| rusqlite::Error::ToSqlConversionFailure(e.into()))?;
42 conn.execute(
43 "INSERT INTO users (username, password_hash, role) VALUES (?1, ?2, ?3)",
44 params![username, hash, role.as_str()],
45 )?;
46 Ok(conn.last_insert_rowid())
47}
48
49pub fn get_user_by_username(
51 conn: &Connection,
52 username: &str,
53) -> Result<Option<UserRow>, rusqlite::Error> {
54 let mut stmt = conn.prepare(
55 "SELECT id, username, password_hash, role, created_at FROM users WHERE username = ?1",
56 )?;
57 let mut rows = stmt.query_map(params![username], |row| {
58 let role_str: String = row.get(3)?;
59 Ok(UserRow {
60 id: row.get(0)?,
61 username: row.get(1)?,
62 password_hash: row.get(2)?,
63 role: role_str.parse().unwrap_or(Role::Readonly),
64 created_at: row.get(4)?,
65 })
66 })?;
67 match rows.next() {
68 Some(Ok(user)) => Ok(Some(user)),
69 Some(Err(e)) => Err(e),
70 None => Ok(None),
71 }
72}
73
74pub fn get_user_by_id(conn: &Connection, user_id: i64) -> Result<Option<UserRow>, rusqlite::Error> {
76 let mut stmt = conn
77 .prepare("SELECT id, username, password_hash, role, created_at FROM users WHERE id = ?1")?;
78 let mut rows = stmt.query_map(params![user_id], |row| {
79 let role_str: String = row.get(3)?;
80 Ok(UserRow {
81 id: row.get(0)?,
82 username: row.get(1)?,
83 password_hash: row.get(2)?,
84 role: role_str.parse().unwrap_or(Role::Readonly),
85 created_at: row.get(4)?,
86 })
87 })?;
88 match rows.next() {
89 Some(Ok(user)) => Ok(Some(user)),
90 Some(Err(e)) => Err(e),
91 None => Ok(None),
92 }
93}
94
95pub fn list_users(conn: &Connection) -> Result<Vec<UserRow>, rusqlite::Error> {
97 let mut stmt = conn
98 .prepare("SELECT id, username, password_hash, role, created_at FROM users ORDER BY id")?;
99 let rows = stmt.query_map([], |row| {
100 let role_str: String = row.get(3)?;
101 Ok(UserRow {
102 id: row.get(0)?,
103 username: row.get(1)?,
104 password_hash: row.get(2)?,
105 role: role_str.parse().unwrap_or(Role::Readonly),
106 created_at: row.get(4)?,
107 })
108 })?;
109 rows.collect()
110}
111
112pub fn delete_user(conn: &Connection, user_id: i64) -> Result<bool, rusqlite::Error> {
114 let count = conn.execute("DELETE FROM users WHERE id = ?1", params![user_id])?;
115 Ok(count > 0)
116}
117
118pub fn update_password(
120 conn: &Connection,
121 username: &str,
122 new_password: &str,
123) -> Result<bool, Box<dyn std::error::Error>> {
124 let hash = crate::auth::hash_password(new_password)?;
125 let updated = conn.execute(
126 "UPDATE users SET password_hash = ?1 WHERE username = ?2",
127 params![hash, username],
128 )?;
129 if updated > 0 {
130 if let Some(user) = get_user_by_username(conn, username)? {
132 revoke_all_user_tokens(conn, user.id)?;
133 }
134 }
135 Ok(updated > 0)
136}
137
138pub fn update_role(
140 conn: &Connection,
141 username: &str,
142 role: crate::auth::Role,
143) -> Result<bool, rusqlite::Error> {
144 let updated = conn.execute(
145 "UPDATE users SET role = ?1 WHERE username = ?2",
146 params![role.as_str(), username],
147 )?;
148 Ok(updated > 0)
149}
150
151pub fn has_users(conn: &Connection) -> Result<bool, rusqlite::Error> {
153 let count: i64 = conn.query_row("SELECT COUNT(*) FROM users", [], |row| row.get(0))?;
154 Ok(count > 0)
155}
156
157pub fn admin_count(conn: &Connection) -> Result<i64, rusqlite::Error> {
159 conn.query_row(
160 "SELECT COUNT(*) FROM users WHERE role = 'admin'",
161 [],
162 |row| row.get(0),
163 )
164}
165
166pub fn store_refresh_token(
172 conn: &Connection,
173 token_id: &str,
174 user_id: i64,
175 expires_at: i64,
176) -> Result<(), rusqlite::Error> {
177 conn.execute(
178 "INSERT INTO refresh_tokens (id, user_id, expires_at) VALUES (?1, ?2, ?3)",
179 params![token_id, user_id, expires_at],
180 )?;
181 Ok(())
182}
183
184pub fn get_valid_refresh_token(
186 conn: &Connection,
187 token_id: &str,
188) -> Result<Option<RefreshTokenRow>, rusqlite::Error> {
189 let now = auth::now_unix() as i64;
190 let mut stmt = conn.prepare(
191 "SELECT id, user_id, expires_at, revoked, created_at
192 FROM refresh_tokens
193 WHERE id = ?1 AND revoked = 0 AND expires_at > ?2",
194 )?;
195 let mut rows = stmt.query_map(params![token_id, now], |row| {
196 Ok(RefreshTokenRow {
197 id: row.get(0)?,
198 user_id: row.get(1)?,
199 expires_at: row.get(2)?,
200 revoked: row.get::<_, i32>(3)? != 0,
201 created_at: row.get(4)?,
202 })
203 })?;
204 match rows.next() {
205 Some(Ok(token)) => Ok(Some(token)),
206 Some(Err(e)) => Err(e),
207 None => Ok(None),
208 }
209}
210
211pub fn consume_refresh_token(
215 conn: &Connection,
216 token_id: &str,
217) -> Result<Option<RefreshTokenRow>, rusqlite::Error> {
218 let now = auth::now_unix() as i64;
219 let mut stmt = conn.prepare(
220 "UPDATE refresh_tokens SET revoked = 1
221 WHERE id = ?1 AND revoked = 0 AND expires_at > ?2
222 RETURNING id, user_id, expires_at, revoked, created_at",
223 )?;
224 let mut rows = stmt.query_map(params![token_id, now], |row| {
225 Ok(RefreshTokenRow {
226 id: row.get(0)?,
227 user_id: row.get(1)?,
228 expires_at: row.get(2)?,
229 revoked: row.get::<_, i32>(3)? != 0,
230 created_at: row.get(4)?,
231 })
232 })?;
233 match rows.next() {
234 Some(Ok(token)) => Ok(Some(token)),
235 Some(Err(e)) => Err(e),
236 None => Ok(None),
237 }
238}
239
240pub fn revoke_refresh_token(conn: &Connection, token_id: &str) -> Result<bool, rusqlite::Error> {
242 let count = conn.execute(
243 "UPDATE refresh_tokens SET revoked = 1 WHERE id = ?1",
244 params![token_id],
245 )?;
246 Ok(count > 0)
247}
248
249pub fn revoke_all_user_tokens(conn: &Connection, user_id: i64) -> Result<usize, rusqlite::Error> {
251 let count = conn.execute(
252 "UPDATE refresh_tokens SET revoked = 1 WHERE user_id = ?1 AND revoked = 0",
253 params![user_id],
254 )?;
255 Ok(count)
256}
257
258pub fn cleanup_expired_tokens(conn: &Connection) -> Result<usize, rusqlite::Error> {
260 let now = auth::now_unix() as i64;
261 let count = conn.execute(
262 "DELETE FROM refresh_tokens WHERE revoked = 1 OR expires_at <= ?1",
263 params![now],
264 )?;
265 Ok(count)
266}
267
268#[cfg(test)]
273mod tests {
274 use super::*;
275 use crate::db::connection::Database;
276 use tempfile::TempDir;
277
278 fn test_db() -> (Database, TempDir) {
279 let tmp = TempDir::new().unwrap();
280 let db_path = tmp.path().join("test.db");
281 let db = Database::open(&db_path).unwrap();
282 (db, tmp)
283 }
284
285 #[test]
286 fn create_and_get_user() {
287 let (db, _tmp) = test_db();
288 let id = create_user(&db.conn, "alice", "password123", Role::Admin).unwrap();
289 assert!(id > 0);
290
291 let user = get_user_by_username(&db.conn, "alice").unwrap().unwrap();
292 assert_eq!(user.username, "alice");
293 assert_eq!(user.role, Role::Admin);
294 assert!(user.password_hash.starts_with("$argon2"));
295 }
296
297 #[test]
298 fn duplicate_username_rejected() {
299 let (db, _tmp) = test_db();
300 create_user(&db.conn, "bob", "pass1", Role::User).unwrap();
301 let result = create_user(&db.conn, "bob", "pass2", Role::User);
302 assert!(result.is_err());
303 }
304
305 #[test]
306 fn list_and_delete_users() {
307 let (db, _tmp) = test_db();
308 let id1 = create_user(&db.conn, "user1", "pass", Role::Admin).unwrap();
309 create_user(&db.conn, "user2", "pass", Role::User).unwrap();
310
311 let users = list_users(&db.conn).unwrap();
312 assert_eq!(users.len(), 2);
313
314 assert!(delete_user(&db.conn, id1).unwrap());
315 let users = list_users(&db.conn).unwrap();
316 assert_eq!(users.len(), 1);
317 assert_eq!(users[0].username, "user2");
318 }
319
320 #[test]
321 fn has_users_empty_and_populated() {
322 let (db, _tmp) = test_db();
323 assert!(!has_users(&db.conn).unwrap());
324 create_user(&db.conn, "first", "pass", Role::Admin).unwrap();
325 assert!(has_users(&db.conn).unwrap());
326 }
327
328 #[test]
329 fn refresh_token_lifecycle() {
330 let (db, _tmp) = test_db();
331 let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
332
333 let future_ts = auth::now_unix() as i64 + 86400;
334 store_refresh_token(&db.conn, "tok-123", uid, future_ts).unwrap();
335
336 let tok = get_valid_refresh_token(&db.conn, "tok-123")
338 .unwrap()
339 .unwrap();
340 assert_eq!(tok.user_id, uid);
341
342 assert!(revoke_refresh_token(&db.conn, "tok-123").unwrap());
344 assert!(
345 get_valid_refresh_token(&db.conn, "tok-123")
346 .unwrap()
347 .is_none()
348 );
349 }
350
351 #[test]
352 fn expired_token_not_returned() {
353 let (db, _tmp) = test_db();
354 let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
355
356 store_refresh_token(&db.conn, "tok-old", uid, 0).unwrap();
358 assert!(
359 get_valid_refresh_token(&db.conn, "tok-old")
360 .unwrap()
361 .is_none()
362 );
363 }
364
365 #[test]
366 fn cleanup_removes_expired_and_revoked() {
367 let (db, _tmp) = test_db();
368 let uid = create_user(&db.conn, "user", "pass", Role::User).unwrap();
369
370 let future = auth::now_unix() as i64 + 86400;
371 store_refresh_token(&db.conn, "active", uid, future).unwrap();
372 store_refresh_token(&db.conn, "expired", uid, 0).unwrap();
373 store_refresh_token(&db.conn, "revoked", uid, future).unwrap();
374 revoke_refresh_token(&db.conn, "revoked").unwrap();
375
376 let cleaned = cleanup_expired_tokens(&db.conn).unwrap();
377 assert_eq!(cleaned, 2);
378
379 assert!(
381 get_valid_refresh_token(&db.conn, "active")
382 .unwrap()
383 .is_some()
384 );
385 }
386}