[AI] fix some modules, develop the big part of modules. TODO fix critical errors, update pipeline, test everything

This commit is contained in:
2026-05-16 19:16:50 +07:00
parent 0824033602
commit 1ef93c2025
42 changed files with 2780 additions and 786 deletions
+42 -3
View File
@@ -1,10 +1,10 @@
use crate::{api::ApiState, error::AppError};
use axum::response::IntoResponse;
use axum::{extract::State, routing::post, Json, Router};
use serde::Deserialize;
use serde_json::{json, Value};
use tracing::instrument;
use crate::{api::ApiState, error::AppError};
#[derive(Deserialize, Debug)]
pub struct TgWidgetPayload {
pub id: i64,
@@ -16,8 +16,16 @@ pub struct TgWidgetPayload {
pub hash: String,
}
#[derive(Deserialize, Debug)]
pub struct SeedLoginPayload {
pub seed: String,
}
pub fn router() -> Router<ApiState> {
Router::new().route("/telegram", post(auth_telegram_api))
Router::new()
.route("/telegram", post(auth_telegram_api))
.route("/seed/generate", post(generate_seed_api))
.route("/seed/login", post(login_seed_api))
}
#[instrument(skip(state, payload), fields(tg_id = payload.id, username = ?payload.username))]
@@ -25,6 +33,7 @@ async fn auth_telegram_api(
State(state): State<ApiState>,
Json(payload): Json<TgWidgetPayload>,
) -> Result<Json<Value>, AppError> {
// 1. Проверяем подпись Telegram
state.auth_service.verify_tg_widget_auth(
&state.bot_token,
payload.id,
@@ -36,13 +45,43 @@ async fn auth_telegram_api(
&payload.hash,
)?;
// 2. Создаем или обновляем юзера
let user = state
.auth_service
.process_login(payload.id, payload.username.clone(), None)
.await?;
// 3. Генерируем токен. Теперь user.tg_id передается как Option автоматически.
let token = state
.auth_service
.generate_auth_token(user.id, user.tg_id, &state.jwt_secret)?;
Ok(Json(json!({ "status": "success", "token": token })))
}
#[axum::debug_handler]
async fn generate_seed_api(State(state): State<ApiState>) -> Result<impl IntoResponse, AppError> {
// Fail-fast для соли
let salt = std::env::var("ARGON_SALT").expect("КРИТИЧЕСКАЯ ОШИБКА: ARGON_SALT не задан!");
let (seed, token) = state
.auth_service
.register_seed(&salt, &state.jwt_secret)
.await?;
Ok(Json(
json!({ "status": "success", "seed": seed, "token": token }),
))
}
async fn login_seed_api(
State(state): State<ApiState>,
Json(payload): Json<SeedLoginPayload>,
) -> Result<impl IntoResponse, AppError> {
let salt = std::env::var("ARGON_SALT").expect("КРИТИЧЕСКАЯ ОШИБКА: ARGON_SALT не задан!");
let token = state
.auth_service
.login_seed(&payload.seed, &salt, &state.jwt_secret)
.await?;
Ok(Json(json!({ "status": "success", "token": token })))
}
+6 -1
View File
@@ -28,9 +28,14 @@ pub async fn auth_guard(
)
.map_err(|_| AppError::Unauthorized("Invalid session signature".into()))?;
// Парсим внутренний UUID из поля sub токена
let user_id = uuid::Uuid::parse_str(&token_data.claims.sub)
.map_err(|_| AppError::Unauthorized("Invalid token payload structure".into()))?;
// Ищем оперативника в сети по его системному UUID
let user = state
.repo
.get_user_by_tg_id(token_data.claims.tg_id)
.get_user_by_id(user_id)
.await?
.ok_or_else(|| AppError::NotFound("Operative not found in grid".into()))?;
+70 -22
View File
@@ -1,10 +1,12 @@
use argon2::Argon2;
use chrono::Utc;
use hmac::{Hmac, KeyInit, Mac};
use jsonwebtoken::{encode, EncodingKey, Header};
use rand::Rng;
use sha2::{Digest, Sha256};
use std::sync::Arc;
use tracing::{error, info, instrument};
use uuid::Uuid;
use uuid::Uuid; // Не забудь добавить rand в Cargo.toml
use crate::{
db::{models::User, repository::AppRepository},
@@ -13,8 +15,8 @@ use crate::{
#[derive(serde::Serialize, serde::Deserialize, Debug)]
pub struct Claims {
pub sub: String,
pub tg_id: i64,
pub sub: String, // Внутренний UUID юзера
pub tg_id: Option<i64>, // Опционально (отсутствует у Ghost-юзеров)
pub exp: usize,
}
@@ -28,11 +30,12 @@ impl AuthService {
Self { repo }
}
/// Генерирует JWT на основе внутреннего ID и опционального Telegram ID
#[instrument(skip(self, secret))]
pub fn generate_auth_token(
&self,
user_id: Uuid,
tg_id: i64,
tg_id: Option<i64>,
secret: &str,
) -> Result<String, AppError> {
let claims = Claims {
@@ -47,11 +50,59 @@ impl AuthService {
&EncodingKey::from_secret(secret.as_bytes()),
)
.map_err(|e| {
error!("[Auth] Failed to generate JWT: {}", e);
AppError::Internal
error!("[Auth] JWT Generation Error: {}", e);
AppError::Internal(format!("Failed to generate JWT: {}", e))
})
}
fn hash_seed_argon2(seed: &str, salt: &str) -> Result<String, AppError> {
let mut hash_output = [0u8; 32];
Argon2::default()
.hash_password_into(seed.as_bytes(), salt.as_bytes(), &mut hash_output)
.map_err(|e| AppError::Internal(format!("Argon2 Hashing Error: {}", e)))?;
Ok(hex::encode(hash_output))
}
/// Ghost Protocol: Регистрация нового анонимного юзера
pub async fn register_seed(
&self,
salt: &str,
jwt_secret: &str,
) -> Result<(String, String), AppError> {
let seed: String = {
let mut rng = rand::thread_rng();
(0..16).map(|_| rng.gen_range(0..10).to_string()).collect()
};
// Используем мощный Argon2 вместо быстрого SHA256
let hash = Self::hash_seed_argon2(&seed, salt)?;
let user = self.repo.create_seed_user(&hash).await?;
let token = self.generate_auth_token(user.id, user.tg_id, jwt_secret)?;
Ok((seed, token))
}
/// Ghost Protocol: Вход по существующему Seed
pub async fn login_seed(
&self,
seed: &str,
salt: &str,
jwt_secret: &str,
) -> Result<String, AppError> {
let hash = Self::hash_seed_argon2(seed, salt)?;
let user = self
.repo
.get_user_by_seed_hash(&hash)
.await?
.ok_or_else(|| AppError::Unauthorized("Invalid credentials".into()))?;
self.generate_auth_token(user.id, user.tg_id, jwt_secret)
}
// --- Логика Telegram (без изменений, кроме вызова генерации токена) ---
#[instrument(skip(self, bot_token, hash))]
pub fn verify_tg_widget_auth(
&self,
@@ -65,17 +116,17 @@ impl AuthService {
hash: &str,
) -> Result<(), AppError> {
let mut data_check_arr = vec![format!("auth_date={}", auth_date), format!("id={}", id)];
if let Some(fn_) = first_name {
data_check_arr.push(format!("first_name={}", fn_));
if let Some(v) = first_name {
data_check_arr.push(format!("first_name={}", v));
}
if let Some(ln) = last_name {
data_check_arr.push(format!("last_name={}", ln));
if let Some(v) = last_name {
data_check_arr.push(format!("last_name={}", v));
}
if let Some(pu) = photo_url {
data_check_arr.push(format!("photo_url={}", pu));
if let Some(v) = photo_url {
data_check_arr.push(format!("photo_url={}", v));
}
if let Some(un) = username {
data_check_arr.push(format!("username={}", un));
if let Some(v) = username {
data_check_arr.push(format!("username={}", v));
}
data_check_arr.sort();
@@ -85,15 +136,15 @@ impl AuthService {
hasher.update(bot_token.trim().as_bytes());
let secret_key = hasher.finalize();
let mut mac =
Hmac::<Sha256>::new_from_slice(&secret_key).map_err(|_| AppError::Internal)?;
let mut mac = Hmac::<Sha256>::new_from_slice(&secret_key)
.map_err(|e| AppError::Internal(format!("HMAC Error: {}", e)))?;
mac.update(data_check_string.as_bytes());
if hex::encode(mac.finalize().into_bytes()) != hash {
return Err(AppError::Unauthorized("Invalid Telegram hash".into()));
return Err(AppError::Unauthorized("Signature mismatch".into()));
}
if Utc::now().timestamp() - auth_date > 86400 {
return Err(AppError::Unauthorized("Auth date expired".into()));
return Err(AppError::Unauthorized("Session expired".into()));
}
Ok(())
}
@@ -121,10 +172,7 @@ impl AuthService {
async fn handle_referral(&self, referrer_tg: i64, new_user_id: Uuid) -> Result<(), AppError> {
if let Some(referrer) = self.repo.get_user_by_tg_id(referrer_tg).await? {
info!(
"[Auth] Creating syndicate link: {} -> {}",
referrer.id, new_user_id
);
info!("[Auth] Syndicate Link: {} -> {}", referrer.id, new_user_id);
self.repo
.create_referral(referrer.id, new_user_id)
.await