
meow auth

12 devlogs
52h 27m 53s

it's the second iteration of my authentication server thingy. basically a remake of the stuff to be marginally better while trying to add more of the stuff the first version lacked

Demo Repository


moonbeeper

Shipped this project!

the last part about oauth is very rushed because of my laziness haha. also got stuck while trying to deploy to new nest lol. It's currently, and will be, only the api explorer. basic functions but the code is pretty great in my opinion, like better than the last version haha… minus the oauth portion

moonbeeper

I actually tried my best to speedrun the oauth stuff and GOD it's awful. At first I was like “yeah this is going to take nothing” but nope, I just forced it with some beautiful unwraps and uglifying my code to death to make it seem to work (I actually didn't even test it right because of the time left).

soo yeah. Speedran trying to make OAuth 2.1 + OIDC provider stuff and ended up just making a (probably barely working) OAuth 2.1 (or not even 2.1) provider that might not work or hang in the middle because of the unwraps in the db part, soo idk man.

ah and also, let's not forget HOW I procrastinate to the point where I am like this. Like, what was past me thinking about? Like this would be easy? I don't even have a frontend, it's just api docs and that's pretty bad and not easy to use. At least it was fun coding for this thingy called flavortown with the flavor of town. good night. good luck to other people because of the last minutes.

moonbeeper

hello. I added a feature that also should have been there at the start, the temporary sign up users! yup.
Before, I directly created the user when they tried to sign up, so what I was doing was reserving the user login and email for a user that may not even want an account in (my beautiful) meow auth.
Now I just simply create a temp user for the signup (in another table. I really don't want to overcomplicate it lol) and just follow the same flow as before plus send a “yay you signed up” email (and create the real user).

I also added drizzle gateway to the docker compose because I was already tired of having to run ./start on their standalone binary each time :) cool sql explorer, makes me remember the prisma orm days haha

moonbeeper

wahoo! now emails have pretty templates and even a beautiful logo that looks kind of like a badge… yeah… I am not great at making simple, REALLY simple logos (is it even considered art?).

now emails are multipart to be able to include both the rendered html template and the rendered txt template (you can just have the html template haha).

and that's practically it! Just added email templates, swapped the handlers that built their emails manually over to a helper, wasted an hour making my email templates and got lost while trying to figure out why tera was erroring out for like an hour just for it to get fixed randomly without me doing anything (I mean I did do a quick “cargo clean” and that's it but idk man it works now).

OH WAIT. the greeting (like the “howdy” in the attached image) is random because I thought it would be cool :).

moonbeeper

beep beep boop.
now emails have template support! you just need either a .html or .txt (or both!), and it's using tera under the hood.
this cleaned up a lot of repetitive code in each exchange handler that sent emails, which is nice.

ah, and also, the mailer and the job queue now have proper error enums… for errors. I really should've done this ages ago man
another tiiiny change was just copy pasting the authentication flows into the sudo reauth flows with a few tweaks (means that the authentication flow handlers are pretty easy to modify :D)
NOW, gotta make the real email templates to be used because the ones I have are just “hi i work yay”.

moonbeeper

nuked my old authentication flow. while it wasn't terrible on its own, the exchange part was AWFUL because I was (for some reason) trying to cram every single handler of every auth option (otp, totp…) in one place, and I honestly really didn't want to add more sauce to my beautiful horrible amalgamation, especially with me wanting to add passkeys next as a login method.
so, I split everything into its own dedicated exchange endpoints! just like it should have been… great job past me. Now you just talk with a “start” endpoint, get a next_method back, and that tells you which exchange route to hit to get your session. it's much better and great and beautiful to maintain.
AND about passkeys… yes. I sadly spent way too much time hammering my head against the.. uhhm keys. because I wanted to store things my own way in the database, but the library I wanted to use really was telling me a big nope. I just gave up and just stored the whole credential stuff as json (as the library wanted) along with the credential_id and the counter. now I can do cool passkey stuff like matching the credential to the authenticator (like a github yubikey) and check the counter to make sure it hasn't been cloned. yay security! (not that cool) with my own complications that shouldn't even happen.
The rest about it was actually pretty ok. cookies to track the challenge session (because you don't have a session (logged out!!!)) and you just slap some simple checks and boom, works :D
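The two passkey checks mentioned above (matching the assertion's credential_id to a stored credential, then rejecting a signature counter that did not move forward), as an added example that is not meow auth's code; the struct and function names are assumptions, and signature verification itself is left to the WebAuthn library:

```rust
// Added example, not meow auth's code. Names are assumptions.

#[derive(Debug, Clone, PartialEq)]
pub struct StoredCredential {
    pub credential_id: Vec<u8>,
    /// Last signature counter we accepted from this authenticator.
    pub counter: u32,
}

#[derive(Debug, PartialEq)]
pub enum LoginError {
    /// The credential id in the assertion does not match any stored passkey.
    UnknownCredential,
    /// Counter did not increase: a cloned authenticator may have used this key.
    PossibleClone { stored: u32, received: u32 },
}

/// WebAuthn sign-counter rule: when either side has a nonzero counter, the value in
/// the assertion must be strictly greater than the one stored from the last login.
pub fn check_sign_counter(stored: u32, received: u32) -> Result<(), LoginError> {
    if stored == 0 && received == 0 {
        return Ok(()); // authenticator does not implement a counter; nothing to compare
    }
    if received > stored {
        Ok(())
    } else {
        Err(LoginError::PossibleClone { stored, received })
    }
}

/// Match the assertion's credential id to a stored passkey, verify the counter, and
/// persist the new counter only when everything passed.
pub fn finish_passkey_login(
    creds: &mut [StoredCredential],
    credential_id: &[u8],
    received_counter: u32,
) -> Result<(), LoginError> {
    let cred = creds
        .iter_mut()
        .find(|c| c.credential_id == credential_id)
        .ok_or(LoginError::UnknownCredential)?;
    check_sign_counter(cred.counter, received_counter)?;
    cred.counter = received_counter;
    Ok(())
}
```

A `PossibleClone` result is worth logging and surfacing to the user, since a stuck or decreasing counter is the only signal a relying party gets that the same private key may live on two devices.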

moonbeeper

Right, because I've been seeing some people adding their git changes changelog, I'll also add it :). Plus it helps by making me remember what the hell I did if it was a lot.
Right, I wrapped the totp auth utils because before I just unwrapped them directly, just like the sudo stuff before wrapping them also in the magical map_err.
And sudo-like authorization is here! As always, to make big baddy auth related changes like enabling two factor auth or deleting sessions you will need to enable sudo to be able to make those changes. Pretty simple security. I even reused and renamed an old db table so that I didn't need to create a new table for this sudo stuff (it was the user login attempts table that was converted into the auth challenges)
That's it, I just needed to implement this sudo stuff in the other routes after making it and it's working as I intended :D

Changelog

  • update cargo crates (d52375c)
  • wrap totp with map_err for http handlers (b1cbb84)
  • sudo http handler and utils (7d6df89)
  • implement sudo to little http handlers (1032854)
moonbeeper

implemented the typical two factor authentication stuff like removing or enabling the totp, and added that when you log in and have this enabled, you need to use it (wow).
this stuff is being stored in the db encrypted which is nice.
god I'm awful at coding these kinds of things because I am trying to not have it messy but I always get it messy hahaha and I should be adding more commits per thing I make but ofc I forget.

moonbeeper

added the typical session endpoint that lets you see your own sessions, delete one or delete all. simple stuff but got stuck figuring out that to delete cookies you have to have the same params as the original cookie or else it won't work. oh and also that you have to set the path param or else the cookie takes the path of the request that is creating it: like if the route “/v1/bananas” creates a cookie, instead of creating a cookie at the root, it creates a cookie at “/v1/bananas”, which made my middleware that checks the sessions think the user didn't have a session open.
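The two cookie behaviours hit above, as an added example that is not meow auth's code: a tiny client-side cookie jar that follows the RFC 6265 default-path and path-match rules, showing that a cookie set without `Path` from `/v1/bananas` is stored under a path derived from that request (so it is not sent to `/`), and that a deletion only removes a cookie whose name and Path match exactly. Route names are constructed.

```rust
// Added example, not meow auth's code: a minimal RFC 6265 cookie jar for the client side.
// Only Path and Max-Age are modelled; Domain, Secure and HttpOnly are parsed and ignored.
use std::collections::HashMap;

#[derive(Debug, Default)]
pub struct Jar { cookies: HashMap<(String, String), String> } // keyed by (name, path)

/// RFC 6265 §5.1.4 default-path: the request path up to, not including, its last '/'.
pub fn default_path(request_path: &str) -> String {
    match request_path.rfind('/') {
        Some(i) if i > 0 && request_path.starts_with('/') => request_path[..i].to_string(),
        _ => "/".to_string(),
    }
}

/// RFC 6265 §5.1.4 path-match: is a cookie stored at `cookie_path` sent to `request_path`?
pub fn path_matches(cookie_path: &str, request_path: &str) -> bool {
    request_path == cookie_path
        || (request_path.starts_with(cookie_path)
            && (cookie_path.ends_with('/') || request_path[cookie_path.len()..].starts_with('/')))
}

impl Jar {
    /// Apply a Set-Cookie header from the response to a request for `request_path`.
    pub fn set_cookie(&mut self, request_path: &str, header: &str) {
        let mut parts = header.split(';').map(str::trim);
        let (name, value) = parts.next().and_then(|p| p.split_once('=')).unwrap_or(("", ""));
        let (mut path, mut expired) = (default_path(request_path), false);
        for attr in parts {
            match attr.split_once('=').map(|(k, v)| (k.to_ascii_lowercase(), v)) {
                Some((k, v)) if k == "path" && v.starts_with('/') => path = v.to_string(),
                Some((k, v)) if k == "max-age" && v.parse::<i64>().map_or(false, |n| n <= 0) => expired = true,
                _ => {} // other attributes do not affect this demo
            }
        }
        let key = (name.to_string(), path);
        // A deletion (Max-Age<=0) only removes the cookie with exactly this (name, path).
        if expired { self.cookies.remove(&key); } else { self.cookies.insert(key, value.to_string()); }
    }

    /// Names of the cookies the client would attach to a request for `request_path`.
    pub fn cookies_for(&self, request_path: &str) -> Vec<String> {
        let mut names: Vec<String> =
            self.cookies.keys().filter(|(_, p)| path_matches(p, request_path)).map(|(n, _)| n.clone()).collect();
        names.sort();
        names
    }
}
```

The fix the devlog describes is the same on the server side: always emit the session cookie with an explicit `Path=/` (plus the same Domain, Secure and HttpOnly flags), and reuse those exact attributes with `Max-Age=0` when logging out.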

moonbeeper

I made a background job queue for background jobs! pretty cool because the hecking email sending was really blocking the requests for around 4 seconds until the email was sent… and now I don't have to wait for that! and now I even have a tiny framework in which I can make my tiny background jobs to be run on the workers of the queue, which are pretty fast :D
I actually don't know if my queue stuff is good or if I am using the database for the right job, because the job of the database is to actually dequeue the jobs by pending jobs and stale jobs that haven't updated their heartbeat (updated_at field). I tried my best at making the cost of the query pretty low because gah damn it was pretty pretty high when I was using an OR in the where part of the query, now I just query for the pending and stale in-progress jobs in different queries and then union them, which is somehow faster. I mean, also having indexes helped a lot (who would have known that!? wow).
but probably I will be using this queue stuff only for my email stuff and that's it, so I made this thingy for nothing which isn't cool :(.


Comments

tunnor about 1 month ago

What font do you use in VS?

moonbeeper 30 days ago

it's Monocraft! (https://github.com/IdreesInc/Monocraft) pretty cool font :)

moonbeeper

wasted a whole lot of time by making a simple thing to track my running services to be able to shut them down and wait to have all of them sleeping. The primary cause of the time wasting mode was the “oh yeah. i want to add this and this and even. ah yeah, i want this. yes more bloat for useless features i won't even use” when in reality I just needed a counter that goes up and then down and a way to notify “yeah, i was the last service alive, you can shutdown now”.
I mean in the future I might add a method to futures for when I want to force shutdown to make all the futures return poll::ready, or maybe not idk.
I also added a less important thingy, the http error enum monolith. muahaha. it's great.

moonbeeper

right, worked out the basic flow of logging in and registering with the typical emails being sent and that's it. The thing that took a bit more time was just the middleware to manage sessions and that's it haha.
I also need to get a queue based email sending thingy because sending them in the routes makes them hang until the email was sent, which isn't cool.
here you get a useless screenshot of the api explorer which has nothing more than “hey, this route exists and needs and returns this”.

moonbeeper

wow my procrastination is a bit enormous for these things haha. I am still pretty bad because I actually don't know how to code this beautiful language called rust.
anyways, currently the beautiful meow auth thingy just has the bare basics: settings management, database, global state and openapi docs… and that's it, I still have to make the actual backend lol.
pew pew peww
