[AI] fix some modules, develop the big part of modules. TODO fix critical errors, update pipeline, test everything
This commit is contained in:
@@ -1,10 +1,10 @@
|
||||
use crate::{api::ApiState, error::AppError};
|
||||
use axum::response::IntoResponse;
|
||||
use axum::{extract::State, routing::post, Json, Router};
|
||||
use serde::Deserialize;
|
||||
use serde_json::{json, Value};
|
||||
use tracing::instrument;
|
||||
|
||||
use crate::{api::ApiState, error::AppError};
|
||||
|
||||
#[derive(Deserialize, Debug)]
|
||||
pub struct TgWidgetPayload {
|
||||
pub id: i64,
|
||||
@@ -16,8 +16,16 @@ pub struct TgWidgetPayload {
|
||||
pub hash: String,
|
||||
}
|
||||
|
||||
#[derive(Deserialize, Debug)]
|
||||
pub struct SeedLoginPayload {
|
||||
pub seed: String,
|
||||
}
|
||||
|
||||
pub fn router() -> Router<ApiState> {
|
||||
Router::new().route("/telegram", post(auth_telegram_api))
|
||||
Router::new()
|
||||
.route("/telegram", post(auth_telegram_api))
|
||||
.route("/seed/generate", post(generate_seed_api))
|
||||
.route("/seed/login", post(login_seed_api))
|
||||
}
|
||||
|
||||
#[instrument(skip(state, payload), fields(tg_id = payload.id, username = ?payload.username))]
|
||||
@@ -25,6 +33,7 @@ async fn auth_telegram_api(
|
||||
State(state): State<ApiState>,
|
||||
Json(payload): Json<TgWidgetPayload>,
|
||||
) -> Result<Json<Value>, AppError> {
|
||||
// 1. Проверяем подпись Telegram
|
||||
state.auth_service.verify_tg_widget_auth(
|
||||
&state.bot_token,
|
||||
payload.id,
|
||||
@@ -36,13 +45,43 @@ async fn auth_telegram_api(
|
||||
&payload.hash,
|
||||
)?;
|
||||
|
||||
// 2. Создаем или обновляем юзера
|
||||
let user = state
|
||||
.auth_service
|
||||
.process_login(payload.id, payload.username.clone(), None)
|
||||
.await?;
|
||||
|
||||
// 3. Генерируем токен. Теперь user.tg_id передается как Option автоматически.
|
||||
let token = state
|
||||
.auth_service
|
||||
.generate_auth_token(user.id, user.tg_id, &state.jwt_secret)?;
|
||||
|
||||
Ok(Json(json!({ "status": "success", "token": token })))
|
||||
}
|
||||
|
||||
#[axum::debug_handler]
|
||||
async fn generate_seed_api(State(state): State<ApiState>) -> Result<impl IntoResponse, AppError> {
|
||||
// Fail-fast для соли
|
||||
let salt = std::env::var("ARGON_SALT").expect("КРИТИЧЕСКАЯ ОШИБКА: ARGON_SALT не задан!");
|
||||
let (seed, token) = state
|
||||
.auth_service
|
||||
.register_seed(&salt, &state.jwt_secret)
|
||||
.await?;
|
||||
|
||||
Ok(Json(
|
||||
json!({ "status": "success", "seed": seed, "token": token }),
|
||||
))
|
||||
}
|
||||
|
||||
async fn login_seed_api(
|
||||
State(state): State<ApiState>,
|
||||
Json(payload): Json<SeedLoginPayload>,
|
||||
) -> Result<impl IntoResponse, AppError> {
|
||||
let salt = std::env::var("ARGON_SALT").expect("КРИТИЧЕСКАЯ ОШИБКА: ARGON_SALT не задан!");
|
||||
let token = state
|
||||
.auth_service
|
||||
.login_seed(&payload.seed, &salt, &state.jwt_secret)
|
||||
.await?;
|
||||
|
||||
Ok(Json(json!({ "status": "success", "token": token })))
|
||||
}
|
||||
|
||||
@@ -28,9 +28,14 @@ pub async fn auth_guard(
|
||||
)
|
||||
.map_err(|_| AppError::Unauthorized("Invalid session signature".into()))?;
|
||||
|
||||
// Парсим внутренний UUID из поля sub токена
|
||||
let user_id = uuid::Uuid::parse_str(&token_data.claims.sub)
|
||||
.map_err(|_| AppError::Unauthorized("Invalid token payload structure".into()))?;
|
||||
|
||||
// Ищем оперативника в сети по его системному UUID
|
||||
let user = state
|
||||
.repo
|
||||
.get_user_by_tg_id(token_data.claims.tg_id)
|
||||
.get_user_by_id(user_id)
|
||||
.await?
|
||||
.ok_or_else(|| AppError::NotFound("Operative not found in grid".into()))?;
|
||||
|
||||
|
||||
+70
-22
@@ -1,10 +1,12 @@
|
||||
use argon2::Argon2;
|
||||
use chrono::Utc;
|
||||
use hmac::{Hmac, KeyInit, Mac};
|
||||
use jsonwebtoken::{encode, EncodingKey, Header};
|
||||
use rand::Rng;
|
||||
use sha2::{Digest, Sha256};
|
||||
use std::sync::Arc;
|
||||
use tracing::{error, info, instrument};
|
||||
use uuid::Uuid;
|
||||
use uuid::Uuid; // Не забудь добавить rand в Cargo.toml
|
||||
|
||||
use crate::{
|
||||
db::{models::User, repository::AppRepository},
|
||||
@@ -13,8 +15,8 @@ use crate::{
|
||||
|
||||
#[derive(serde::Serialize, serde::Deserialize, Debug)]
|
||||
pub struct Claims {
|
||||
pub sub: String,
|
||||
pub tg_id: i64,
|
||||
pub sub: String, // Внутренний UUID юзера
|
||||
pub tg_id: Option<i64>, // Опционально (отсутствует у Ghost-юзеров)
|
||||
pub exp: usize,
|
||||
}
|
||||
|
||||
@@ -28,11 +30,12 @@ impl AuthService {
|
||||
Self { repo }
|
||||
}
|
||||
|
||||
/// Генерирует JWT на основе внутреннего ID и опционального Telegram ID
|
||||
#[instrument(skip(self, secret))]
|
||||
pub fn generate_auth_token(
|
||||
&self,
|
||||
user_id: Uuid,
|
||||
tg_id: i64,
|
||||
tg_id: Option<i64>,
|
||||
secret: &str,
|
||||
) -> Result<String, AppError> {
|
||||
let claims = Claims {
|
||||
@@ -47,11 +50,59 @@ impl AuthService {
|
||||
&EncodingKey::from_secret(secret.as_bytes()),
|
||||
)
|
||||
.map_err(|e| {
|
||||
error!("[Auth] Failed to generate JWT: {}", e);
|
||||
AppError::Internal
|
||||
error!("[Auth] JWT Generation Error: {}", e);
|
||||
AppError::Internal(format!("Failed to generate JWT: {}", e))
|
||||
})
|
||||
}
|
||||
|
||||
fn hash_seed_argon2(seed: &str, salt: &str) -> Result<String, AppError> {
|
||||
let mut hash_output = [0u8; 32];
|
||||
Argon2::default()
|
||||
.hash_password_into(seed.as_bytes(), salt.as_bytes(), &mut hash_output)
|
||||
.map_err(|e| AppError::Internal(format!("Argon2 Hashing Error: {}", e)))?;
|
||||
|
||||
Ok(hex::encode(hash_output))
|
||||
}
|
||||
|
||||
/// Ghost Protocol: Регистрация нового анонимного юзера
|
||||
pub async fn register_seed(
|
||||
&self,
|
||||
salt: &str,
|
||||
jwt_secret: &str,
|
||||
) -> Result<(String, String), AppError> {
|
||||
let seed: String = {
|
||||
let mut rng = rand::thread_rng();
|
||||
(0..16).map(|_| rng.gen_range(0..10).to_string()).collect()
|
||||
};
|
||||
|
||||
// Используем мощный Argon2 вместо быстрого SHA256
|
||||
let hash = Self::hash_seed_argon2(&seed, salt)?;
|
||||
|
||||
let user = self.repo.create_seed_user(&hash).await?;
|
||||
let token = self.generate_auth_token(user.id, user.tg_id, jwt_secret)?;
|
||||
|
||||
Ok((seed, token))
|
||||
}
|
||||
|
||||
/// Ghost Protocol: Вход по существующему Seed
|
||||
pub async fn login_seed(
|
||||
&self,
|
||||
seed: &str,
|
||||
salt: &str,
|
||||
jwt_secret: &str,
|
||||
) -> Result<String, AppError> {
|
||||
let hash = Self::hash_seed_argon2(seed, salt)?;
|
||||
|
||||
let user = self
|
||||
.repo
|
||||
.get_user_by_seed_hash(&hash)
|
||||
.await?
|
||||
.ok_or_else(|| AppError::Unauthorized("Invalid credentials".into()))?;
|
||||
|
||||
self.generate_auth_token(user.id, user.tg_id, jwt_secret)
|
||||
}
|
||||
// --- Логика Telegram (без изменений, кроме вызова генерации токена) ---
|
||||
|
||||
#[instrument(skip(self, bot_token, hash))]
|
||||
pub fn verify_tg_widget_auth(
|
||||
&self,
|
||||
@@ -65,17 +116,17 @@ impl AuthService {
|
||||
hash: &str,
|
||||
) -> Result<(), AppError> {
|
||||
let mut data_check_arr = vec![format!("auth_date={}", auth_date), format!("id={}", id)];
|
||||
if let Some(fn_) = first_name {
|
||||
data_check_arr.push(format!("first_name={}", fn_));
|
||||
if let Some(v) = first_name {
|
||||
data_check_arr.push(format!("first_name={}", v));
|
||||
}
|
||||
if let Some(ln) = last_name {
|
||||
data_check_arr.push(format!("last_name={}", ln));
|
||||
if let Some(v) = last_name {
|
||||
data_check_arr.push(format!("last_name={}", v));
|
||||
}
|
||||
if let Some(pu) = photo_url {
|
||||
data_check_arr.push(format!("photo_url={}", pu));
|
||||
if let Some(v) = photo_url {
|
||||
data_check_arr.push(format!("photo_url={}", v));
|
||||
}
|
||||
if let Some(un) = username {
|
||||
data_check_arr.push(format!("username={}", un));
|
||||
if let Some(v) = username {
|
||||
data_check_arr.push(format!("username={}", v));
|
||||
}
|
||||
|
||||
data_check_arr.sort();
|
||||
@@ -85,15 +136,15 @@ impl AuthService {
|
||||
hasher.update(bot_token.trim().as_bytes());
|
||||
let secret_key = hasher.finalize();
|
||||
|
||||
let mut mac =
|
||||
Hmac::<Sha256>::new_from_slice(&secret_key).map_err(|_| AppError::Internal)?;
|
||||
let mut mac = Hmac::<Sha256>::new_from_slice(&secret_key)
|
||||
.map_err(|e| AppError::Internal(format!("HMAC Error: {}", e)))?;
|
||||
mac.update(data_check_string.as_bytes());
|
||||
|
||||
if hex::encode(mac.finalize().into_bytes()) != hash {
|
||||
return Err(AppError::Unauthorized("Invalid Telegram hash".into()));
|
||||
return Err(AppError::Unauthorized("Signature mismatch".into()));
|
||||
}
|
||||
if Utc::now().timestamp() - auth_date > 86400 {
|
||||
return Err(AppError::Unauthorized("Auth date expired".into()));
|
||||
return Err(AppError::Unauthorized("Session expired".into()));
|
||||
}
|
||||
Ok(())
|
||||
}
|
||||
@@ -121,10 +172,7 @@ impl AuthService {
|
||||
|
||||
async fn handle_referral(&self, referrer_tg: i64, new_user_id: Uuid) -> Result<(), AppError> {
|
||||
if let Some(referrer) = self.repo.get_user_by_tg_id(referrer_tg).await? {
|
||||
info!(
|
||||
"[Auth] Creating syndicate link: {} -> {}",
|
||||
referrer.id, new_user_id
|
||||
);
|
||||
info!("[Auth] Syndicate Link: {} -> {}", referrer.id, new_user_id);
|
||||
self.repo
|
||||
.create_referral(referrer.id, new_user_id)
|
||||
.await
|
||||
|
||||
Reference in New Issue
Block a user