Docker changes (#31)

Reviewed-on: #31
Co-authored-by: phoenix <kundeng00@pm.me>
Co-committed-by: phoenix <kundeng00@pm.me>

.dockerignore.yaml

@@ -0,0 +1,21 @@
+# Ignore build artifacts
+target/
+pkg/
+
+# Ignore git directory
+.git/
+
+.gitea/
+
+# Ignore environment files (configure via docker-compose instead)
+.env*
+
+# Ignore IDE/editor specific files
+.idea/
+.vscode/
+
+# Ignore OS specific files
+*.DS_Store
+
+# Add any other files/directories you don't need in the image
+# e.g., logs/, tmp/

.env.sample

@@ -1,2 +1,6 @@
-DATABASE_URL=postgres://username:password@localhost/database_name
 SECRET_KEY=refero34o8rfhfjn983thf39fhc943rf923n3h
+POSTGRES_USER=icarus_op_test
+POSTGRES_PASSWORD=password
+POSTGRES_DB=icarus_auth_test_db
+POSTGRES_HOST=localhost
+DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:5432/${POSTGRES_DB}

.gitea/workflows/tag_release.yml

@@ -4,8 +4,6 @@ on:
   push:
     branches:
       - devel
-    tags:
-      - 'v*' # Trigger on tags matching v*
 
 jobs:
   release:
@@ -53,5 +51,3 @@ jobs:
            Release of version ${{ steps.version.outputs.project_tag_release }}
           # draft: false
           # prerelease: ${{ startsWith(github.ref, 'v') == false }} # prerelease if not a valid release tag
-
-

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "icarus_auth"
-version = "0.3.0"
+version = "0.3.4"
 edition = "2024"
 rust-version = "1.86"
 

Dockerfile

@@ -0,0 +1,71 @@
+# Stage 1: Build the application
+# Use a specific Rust version for reproducibility. Choose one that matches your development environment.
+# Using slim variant for smaller base image
+FROM rust:1.86 as builder
+
+# Set the working directory inside the container
+WORKDIR /usr/src/app
+
+# Install build dependencies if needed (e.g., for certain crates like sqlx with native TLS)
+# RUN apt-get update && apt-get install -y pkg-config libssl-dev
+
+# Install build dependencies if needed (e.g., git for cloning)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    pkg-config libssl3 \
+    ca-certificates \
+    openssh-client git \
+    && rm -rf /var/lib/apt/lists/*
+
+# << --- ADD HOST KEY HERE --- >>
+# Replace 'yourgithost.com' with the actual hostname (e.g., github.com)
+RUN mkdir -p -m 0700 ~/.ssh && \
+    ssh-keyscan git.kundeng.us >> ~/.ssh/known_hosts
+
+# Copy Cargo manifests
+COPY Cargo.toml Cargo.lock ./
+
+# Build *only* dependencies to leverage Docker cache
+# This dummy build caches dependencies as a separate layer
+RUN --mount=type=ssh mkdir src && \
+    echo "fn main() {println!(\"if you see this, the build broke\")}" > src/main.rs && \
+    cargo build --release --quiet && \
+    rm -rf src target/release/deps/icarus_auth* # Clean up dummy build artifacts (replace icarus_auth)
+
+# Copy the actual source code
+COPY src ./src
+# If you have other directories like `templates` or `static`, copy them too
+COPY .env ./.env
+COPY migrations ./migrations
+
+# << --- SSH MOUNT ADDED HERE --- >>
+# Build *only* dependencies to leverage Docker cache
+# This dummy build caches dependencies as a separate layer
+# Mount the SSH agent socket for this command
+RUN --mount=type=ssh \
+    cargo build --release --quiet
+
+# Stage 2: Create the final, smaller runtime image
+# Use a minimal base image like debian-slim or even distroless for security/size
+FROM ubuntu:24.04
+
+# Install runtime dependencies if needed (e.g., SSL certificates)
+RUN apt-get update && apt-get install -y ca-certificates libssl-dev libssl3 && rm -rf /var/lib/apt/lists/*
+
+# Set the working directory
+WORKDIR /usr/local/bin
+
+# Copy the compiled binary from the builder stage
+# Replace 'icarus_auth' with the actual name of your binary (usually the crate name)
+COPY --from=builder /usr/src/app/target/release/icarus_auth .
+
+# Copy other necessary files like .env (if used for runtime config) or static assets
+# It's generally better to configure via environment variables in Docker though
+COPY --from=builder /usr/src/app/.env .
+COPY --from=builder /usr/src/app/migrations ./migrations
+
+# Expose the port your Axum app listens on (e.g., 3000 or 8000)
+EXPOSE 3000
+
+# Set the command to run your application
+# Ensure this matches the binary name copied above
+CMD ["./icarus_auth"]

READEME.md

@@ -0,0 +1,20 @@
+
+
+# Getting started
+Take notice of the .env.sample file and create copies without the .sample in the name.
+
+`.env.sample` -> `.env`
+
+Ensure that all variables are populated and is correct.
+
+## Docker
+
+Build the images
+```
+docker compose build --ssh default auth_api
+```
+
+Bring it up
+```
+docker compose up -d --force-recreate auth_api
+```

docker-compose.yaml

@@ -0,0 +1,43 @@
+version: '3.8' # Use a recent version
+
+services:
+  # Your Rust Application Service
+  auth_api:
+    build: . # Tells docker-compose to build the Dockerfile in the current directory
+    container_name: icarus_auth # Optional: Give the container a specific name
+    ports:
+      # Map host port 8000 to container port 3000 (adjust as needed)
+      - "8000:3000"
+    env_file:
+      - .env
+    depends_on:
+      auth_db:
+        condition: service_healthy # Wait for the DB to be healthy before starting the app
+    restart: unless-stopped # Optional: Restart policy
+
+  # PostgreSQL Database Service
+  auth_db:
+    image: postgres:17.4-alpine # Use an official Postgres image (Alpine variant is smaller)
+    container_name: icarus_auth_db # Optional: Give the container a specific name
+    environment:
+      # These MUST match the user, password, and database name in the DATABASE_URL above
+      POSTGRES_USER: ${POSTGRES_USER:-icarus_op}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password}
+      POSTGRES_DB: ${POSTGRES_DB:-icarus_auth}
+    volumes:
+      # Persist database data using a named volume
+      - postgres_data:/var/lib/postgresql/data
+    ports: []
+    healthcheck:
+        # Checks if Postgres is ready to accept connections
+        test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+        interval: 10s
+        timeout: 5s
+        retries: 5
+        start_period: 10s
+    restart: always # Optional: Restart policy
+
+# Define the named volume for data persistence
+volumes:
+  postgres_data:
+    driver: local # Use the default local driver

docker_run.txt

@@ -0,0 +1,13 @@
+
+# Docker stuff
+#Build app
+docker compose build --ssh default auth_api
+
+# Rebuild and bring up
+docker compose up -d --force-recreate auth_api
+
+# Bring it down
+docker compose down -v
+
+# Pruning
+docker system prune -a

src/callers/common.rs

@@ -1,30 +1,37 @@
-use axum::{Extension, Json, http::StatusCode};
+pub mod response {
+    use serde::{Deserialize, Serialize};
 
-use serde::{Deserialize, Serialize};
-
-#[derive(Deserialize, Serialize)]
-pub struct TestResult {
-    message: String,
-}
-
-// basic handler that responds with a static string
-pub async fn root() -> &'static str {
-    "Hello, World!"
-}
-
-pub async fn db_ping(Extension(pool): Extension<sqlx::PgPool>) -> (StatusCode, Json<TestResult>) {
-    match sqlx::query("SELECT 1").execute(&pool).await {
-        Ok(_) => {
-            let tr = TestResult {
-                message: String::from("This works"),
-            };
-            (StatusCode::OK, Json(tr))
-        }
-        Err(e) => (
-            StatusCode::BAD_REQUEST,
-            Json(TestResult {
-                message: e.to_string(),
-            }),
-        ),
+    #[derive(Deserialize, Serialize)]
+    pub struct TestResult {
+        pub message: String,
+    }
+}
+
+pub mod endpoint {
+    use super::*;
+    use axum::{Extension, Json, http::StatusCode};
+
+    // basic handler that responds with a static string
+    pub async fn root() -> &'static str {
+        "Hello, World!"
+    }
+
+    pub async fn db_ping(
+        Extension(pool): Extension<sqlx::PgPool>,
+    ) -> (StatusCode, Json<response::TestResult>) {
+        match sqlx::query("SELECT 1").execute(&pool).await {
+            Ok(_) => {
+                let tr = response::TestResult {
+                    message: String::from("This works"),
+                };
+                (StatusCode::OK, Json(tr))
+            }
+            Err(e) => (
+                StatusCode::BAD_REQUEST,
+                Json(response::TestResult {
+                    message: e.to_string(),
+                }),
+            ),
+        }
     }
 }

src/callers/login.rs

@@ -42,44 +42,25 @@ pub mod endpoint {
         axum::Extension(pool): axum::Extension<sqlx::PgPool>,
         Json(payload): Json<request::Request>,
     ) -> (StatusCode, Json<response::Response>) {
-        let usr = icarus_models::user::User {
-            username: payload.username,
-            password: payload.password,
-            ..Default::default()
-        };
-
         // Check if user exists
-        match repo::user::exists(&pool, &usr.username).await {
-            Ok(exists) => {
-                if !exists {
-                    return not_found("Not Found").await;
-                }
-            }
-            Err(err) => {
-                return not_found(&err.to_string()).await;
-            }
-        };
-
-        let user = repo::user::get(&pool, &usr.username).await.unwrap();
-        let salt = repo::salt::get(&pool, &user.salt_id).await.unwrap();
-        let salt_str = hashing::get_salt(&salt.salt).unwrap();
-
-        // Check if password is correct
-        match hashing::hash_password(&usr.password, &salt_str) {
-            Ok(hash_password) => {
-                if hashing::verify_password(&usr.password, hash_password.clone()).unwrap() {
+        match repo::user::get(&pool, &payload.username).await {
+            Ok(user) => {
+                if hashing::verify_password(&payload.password, user.password.clone()).unwrap() {
                     // Create token
                     let key = token_stuff::get_key().unwrap();
                     let (token_literal, duration) = token_stuff::create_token(&key).unwrap();
 
                     if token_stuff::verify_token(&key, &token_literal) {
+                        let current_time = time::OffsetDateTime::now_utc();
+                        let _ = repo::user::update_last_login(&pool, &user, &current_time).await;
+
                         (
                             StatusCode::OK,
                             Json(response::Response {
                                 message: String::from("Successful"),
                                 data: vec![icarus_models::login_result::LoginResult {
                                     id: user.id,
-                                    username: user.username,
+                                    username: user.username.clone(),
                                     token: token_literal,
                                     token_type: String::from(token_stuff::TOKENTYPE),
                                     expiration: duration,

src/hashing/mod.rs

@@ -11,8 +11,7 @@ use argon2::{
 pub fn generate_salt() -> Result<SaltString, argon2::Error> {
     // Generate a random salt
     // SaltString::generate uses OsRng internally for cryptographic security
-    let salt = SaltString::generate(&mut OsRng);
-    Ok(salt)
+    Ok(SaltString::generate(&mut OsRng))
 }
 
 pub fn get_salt(s: &str) -> Result<SaltString, argon2::password_hash::Error> {
@@ -32,9 +31,7 @@ pub fn hash_password(
     // Hash the password with the salt
     // The output is a PasswordHash string format that includes algorithm, version,
     // parameters, salt, and the hash itself.
-    let password_hash = argon2.hash_password(password_bytes, salt)?.to_string();
-
-    Ok(password_hash)
+    Ok(argon2.hash_password(password_bytes, salt)?.to_string())
 }
 
 pub fn verify_password(
@@ -48,11 +45,9 @@ pub fn verify_password(
     let parsed_hash = argon2::PasswordHash::new(stored_hash.as_str())?;
 
     // Create an Argon2 instance (it will use the parameters from the parsed hash)
-    let argon2 = Argon2::default();
-
     // Verify the password against the parsed hash
     // This automatically uses the correct salt and parameters embedded in `parsed_hash`
-    match argon2.verify_password(password_bytes, &parsed_hash) {
+    match Argon2::default().verify_password(password_bytes, &parsed_hash) {
         Ok(()) => Ok(true),                                       // Passwords match
         Err(argon2::password_hash::Error::Password) => Ok(false), // Passwords don't match
         Err(e) => Err(e), // Some other error occurred (e.g., invalid hash format)
@@ -66,8 +61,7 @@ mod tests {
     #[test]
     fn test_hash_password() {
         let some_password = String::from("somethingrandom");
-        let salt = generate_salt().unwrap();
-        match hash_password(&some_password, &salt) {
+        match hash_password(&some_password, &generate_salt().unwrap()) {
             Ok(p) => match verify_password(&some_password, p.clone()) {
                 Ok(res) => {
                     assert_eq!(res, true);
@@ -81,4 +75,27 @@ mod tests {
             }
         }
     }
+
+    #[test]
+    fn test_wrong_password() {
+        let some_password = String::from("somethingrandom");
+        match hash_password(&some_password, &generate_salt().unwrap()) {
+            Ok(p) => {
+                match verify_password(&some_password, p.clone()) {
+                    Ok(res) => {
+                        assert_eq!(res, true, "Passwords are not verified");
+                    }
+                    Err(err) => {
+                        assert!(false, "Error: {:?}", err.to_string());
+                    }
+                }
+                let wrong_password = String::from("Differentanotherlevel");
+                let result = verify_password(&wrong_password, p.clone()).unwrap();
+                assert_eq!(false, result, "Passwords should not match");
+            }
+            Err(err) => {
+                assert!(false, "Error: {:?}", err.to_string());
+            }
+        }
+    }
 }

src/lib.rs

@@ -36,7 +36,6 @@ pub mod db {
     async fn get_db_url() -> String {
         #[cfg(debug_assertions)] // Example: Only load .env in debug builds
         dotenvy::dotenv().ok();
-
         env::var(keys::DBURL).expect(keys::error::ERROR)
     }
 

src/main.rs

@@ -25,8 +25,14 @@ mod init {
     pub async fn routes() -> Router {
         // build our application with a route
         Router::new()
-            .route(callers::endpoints::DBTEST, get(callers::common::db_ping))
-            .route(callers::endpoints::ROOT, get(callers::common::root))
+            .route(
+                callers::endpoints::DBTEST,
+                get(callers::common::endpoint::db_ping),
+            )
+            .route(
+                callers::endpoints::ROOT,
+                get(callers::common::endpoint::root),
+            )
             .route(
                 callers::endpoints::REGISTER,
                 post(callers::register::register_user),

src/repo/mod.rs

@@ -42,6 +42,39 @@ pub mod user {
         }
     }
 
+    pub async fn update_last_login(
+        pool: &sqlx::PgPool,
+        user: &icarus_models::user::User,
+        time: &time::OffsetDateTime,
+    ) -> Result<time::OffsetDateTime, sqlx::Error> {
+        let result = sqlx::query(
+            r#"
+            UPDATE "user" SET last_login = $1 WHERE id = $2 RETURNING last_login
+            "#,
+        )
+        .bind(time)
+        .bind(user.id)
+        .fetch_optional(pool)
+        .await
+        .map_err(|e| {
+            eprintln!("Error updating time: {}", e);
+            e
+        });
+
+        match result {
+            Ok(row) => match row {
+                Some(r) => {
+                    let last_login: time::OffsetDateTime = r
+                        .try_get("last_login")
+                        .map_err(|_e| sqlx::Error::RowNotFound)?;
+                    Ok(last_login)
+                }
+                None => Err(sqlx::Error::RowNotFound),
+            },
+            Err(err) => Err(err),
+        }
+    }
+
     pub async fn exists(pool: &sqlx::PgPool, username: &String) -> Result<bool, sqlx::Error> {
         let result = sqlx::query(
             r#"

src/token_stuff/mod.rs

@@ -18,11 +18,22 @@ pub fn get_key() -> Result<String, dotenvy::Error> {
     Ok(key)
 }
 
-pub fn get_expiration() -> time::Result<time::Duration> {
-    let now = time::OffsetDateTime::now_utc();
-    let epoch = time::OffsetDateTime::UNIX_EPOCH;
-    let since_the_epoch = now - epoch;
-    Ok(since_the_epoch)
+pub fn get_issued() -> time::Result<time::OffsetDateTime> {
+    Ok(time::OffsetDateTime::now_utc())
+}
+
+pub fn get_expiration(issued: &time::OffsetDateTime) -> Result<time::OffsetDateTime, time::Error> {
+    let duration_expire = time::Duration::hours(4);
+    Ok(*issued + duration_expire)
+}
+
+mod util {
+    pub fn time_to_std_time(
+        provided_time: &time::OffsetDateTime,
+    ) -> Result<std::time::SystemTime, std::time::SystemTimeError> {
+        let converted = std::time::SystemTime::from(*provided_time);
+        Ok(converted)
+    }
 }
 
 pub fn create_token(provided_key: &String) -> Result<(String, i64), josekit::JoseError> {
@@ -33,13 +44,11 @@ pub fn create_token(provided_key: &String) -> Result<(String, i64), josekit::Jos
     payload.set_subject(MESSAGE);
     payload.set_issuer(ISSUER);
     payload.set_audience(vec![AUDIENCE]);
-    match get_expiration() {
-        Ok(duration) => {
-            let expire = duration.whole_seconds();
-            let _ = payload.set_claim(
-                "expiration",
-                Some(serde_json::to_value(expire.to_string()).unwrap()),
-            );
+    match get_issued() {
+        Ok(issued) => {
+            let expire = get_expiration(&issued).unwrap();
+            payload.set_issued_at(&util::time_to_std_time(&issued).unwrap());
+            payload.set_expires_at(&util::time_to_std_time(&expire).unwrap());
 
             let key: String = if provided_key.is_empty() {
                 get_key().unwrap()
@@ -50,7 +59,7 @@ pub fn create_token(provided_key: &String) -> Result<(String, i64), josekit::Jos
             let signer = Hs256.signer_from_bytes(key.as_bytes()).unwrap();
             Ok((
                 josekit::jwt::encode_with_signer(&payload, &header, &signer).unwrap(),
-                duration.whole_seconds(),
+                (expire - time::OffsetDateTime::UNIX_EPOCH).whole_seconds(),
             ))
         }
         Err(e) => Err(josekit::JoseError::InvalidClaim(e.into())),