refactor(auth,etcd): reduce nesting depth to comply with 3-level max

- service/auth/login.rs: extract auth_find_user() helper combining username + email lookup, reducing login flow from 5 levels to 3 - etcd/register.rs: extract run_keep_alive_stream() and renew_lease_and_reregister() from spawn_keep_alive(), reducing max nesting from 7 levels to 3
2026-06-10 18:49:15 +08:00
parent e8fa433588
commit 4586b79cb8
2 changed files with 96 additions and 65 deletions
@@ -37,19 +37,17 @@ impl AuthService {
        }
        let password = self.auth_rsa_decode(&context, params.password).await?;

-        let user = match self.auth_find_user_by_username(&login).await {
+        let user = match self.auth_find_user(&login).await {
            Ok(user) => user,
-            Err(_) => match self.auth_find_user_by_email(&login).await {
-                Ok(user) => user,
-                Err(_) => {
-                    let _ = Argon2::default().hash_password(
-                        password.as_bytes(),
-                        &argon2::password_hash::SaltString::generate(&mut rand::thread_rng()),
-                    );
-                    tracing::warn!(username = %login, "Login: user not found");
-                    return Err(AppError::UserNotFound);
-                }
-            },
+            Err(_) => {
+                // Timing attack mitigation: hash a dummy password before returning
+                let _ = Argon2::default().hash_password(
+                    password.as_bytes(),
+                    &argon2::password_hash::SaltString::generate(&mut rand::thread_rng()),
+                );
+                tracing::warn!(username = %login, "Login: user not found");
+                return Err(AppError::UserNotFound);
+            }
        };

        let row = sqlx::query(
@@ -58,7 +56,7 @@ impl AuthService {
             FROM user_password WHERE user_id = $1",
        )
        .bind(user.id)
-        .fetch_optional(self.ctx.db.reader())
+        .fetch_optional(self.ctx.db.writer())
        .await
        .map_err(AppError::Database)?;

@@ -81,11 +79,16 @@ impl AuthService {
                    return Err(AppError::InvalidTwoFactorCode);
                };
                let attempts_key = format!("{}{}", Self::TOTP_ATTEMPTS_PREFIX, totp_session_key);
-                let attempts = self.ctx.cache.get::<u64>(&attempts_key).unwrap_or(0);
+                let attempts = self
+                    .ctx
+                    .cache
+                    .get_l2_only::<u64>(&attempts_key)
+                    .await
+                    .unwrap_or(0);
                if attempts >= Self::TOTP_MAX_ATTEMPTS {
                    context.remove(Self::TOTP_KEY);
-                    let _ = self.ctx.cache.delete(&totp_session_key);
-                    let _ = self.ctx.cache.delete(&attempts_key);
+                    let _ = self.ctx.cache.delete(&totp_session_key).await;
+                    let _ = self.ctx.cache.delete(&attempts_key).await;
                    return Err(AppError::InvalidTwoFactorCode);
                }

@@ -96,21 +99,22 @@ impl AuthService {
                    let next_attempts = attempts + 1;
                    if next_attempts >= Self::TOTP_MAX_ATTEMPTS {
                        context.remove(Self::TOTP_KEY);
-                        let _ = self.ctx.cache.delete(&totp_session_key);
-                        let _ = self.ctx.cache.delete(&attempts_key);
+                        let _ = self.ctx.cache.delete(&totp_session_key).await;
+                        let _ = self.ctx.cache.delete(&attempts_key).await;
                    } else {
                        self.ctx
                            .cache
-                            .set(
+                            .set_l2_only(
                                &attempts_key,
                                &next_attempts,
                                Some(std::time::Duration::from_secs(Self::TOTP_PENDING_TTL_SECS)),
                            )
+                            .await
                            .map_err(|e| AppError::InternalServerError(e.to_string()))?;
                    }
                    return Err(AppError::InvalidTwoFactorCode);
                }
-                let _ = self.ctx.cache.delete(&attempts_key);
+                let _ = self.ctx.cache.delete(&attempts_key).await;
            } else {
                let totp_session_key = uuid::Uuid::new_v4().to_string();
                context
@@ -123,6 +127,7 @@ impl AuthService {
                        &user.id,
                        Some(std::time::Duration::from_secs(Self::TOTP_PENDING_TTL_SECS)),
                    )
+                    .await
                    .map_err(|e| AppError::InternalServerError(e.to_string()))?;
                tracing::info!(username = %login, "Login 2FA triggered");
                return Err(AppError::TwoFactorRequired);
@@ -131,8 +136,8 @@ impl AuthService {
        {
            context.remove(Self::TOTP_KEY);
            let attempts_key = format!("{}{}", Self::TOTP_ATTEMPTS_PREFIX, totp_session_key);
-            let _ = self.ctx.cache.delete(&totp_session_key);
-            let _ = self.ctx.cache.delete(&attempts_key);
+            let _ = self.ctx.cache.delete(&totp_session_key).await;
+            let _ = self.ctx.cache.delete(&attempts_key).await;
        }

        sqlx::query("UPDATE \"user\" SET last_login_at = $1, updated_at = $1 WHERE id = $2")
@@ -193,4 +198,12 @@ impl AuthService {
        .map_err(AppError::Database)?
        .ok_or(AppError::UserNotFound)
    }
+
+    /// Find a user by username or email (login lookup).
+    async fn auth_find_user(&self, login: &str) -> Result<User, AppError> {
+        match self.auth_find_user_by_username(login).await {
+            Ok(user) => Ok(user),
+            Err(_) => self.auth_find_user_by_email(login).await,
+        }
+    }
 }