feat(auth): add comprehensive authentication system with 2FA support

- Add new auth module with captcha, login, logout, register, and email verification endpoints - Implement two-factor authentication with TOTP enable, disable, verify, and backup codes regeneration - Create RSA public key endpoint for secure password encryption - Add user profile management with get current user and email retrieval - Integrate OpenAPI documentation for all authentication endpoints - Implement password reset functionality with email verification flow - Add comprehensive API response structures with proper error handling - Configure all auth routes under /api/v1/auth scope with proper tagging
2026-06-07 18:09:38 +08:00
parent 2bb5834167
commit 0d3b53f7a0
24 changed files with 816 additions and 10 deletions
@@ -0,0 +1,64 @@
+use actix_web::{HttpResponse, web};
+use serde::Serialize;
+use uuid::Uuid;
+
+use crate::api::response::{ApiErrorResponse, ApiResponse};
+use crate::error::AppError;
+use crate::models::users::User;
+use crate::service::AppService;
+use crate::service::auth::register::RegisterParams;
+use crate::session::Session;
+
+#[derive(Debug, Serialize, utoipa::ToSchema)]
+pub struct RegisterResponse {
+    /// Newly created user id.
+    pub id: Uuid,
+    /// Unique username used for login and profile URL.
+    pub username: String,
+    /// Display name initialized from username.
+    pub display_name: Option<String>,
+    /// Avatar URL; usually absent right after registration.
+    pub avatar_url: Option<String>,
+}
+
+impl From<User> for RegisterResponse {
+    fn from(user: User) -> Self {
+        Self {
+            id: user.id,
+            username: user.username,
+            display_name: user.display_name,
+            avatar_url: user.avatar_url,
+        }
+    }
+}
+
+#[utoipa::path(
+    post,
+    path = "/api/v1/auth/register",
+    tag = "Auth",
+    operation_id = "authRegister",
+    summary = "Register a new account",
+    description = "Create an account after validating username, email, password, captcha, and email verification code. password must be encrypted with the current session RSA public key; captcha and email_code are one-time credentials. On successful registration, the new user is written to the session and does not need to log in again.",
+    request_body(
+        content = RegisterParams,
+        description = "Registration parameters. email_code comes from /auth/register/email-code; password is a Base64 ciphertext encrypted with RSA-OAEP-SHA256.",
+        content_type = "application/json"
+    ),
+    responses(
+        (status = 200, description = "Registration succeeded; the current session is automatically signed in as the new user.", body = ApiResponse<RegisterResponse>),
+        (status = 400, description = "Captcha error, email verification code error, weak password, RSA decryption failure, or missing required fields.", body = ApiErrorResponse),
+        (status = 409, description = "The username or email is already in use.", body = ApiErrorResponse),
+        (status = 500, description = "Database transaction, password hashing, cache, or session write failed.", body = ApiErrorResponse)
+    )
+)]
+pub async fn handle(
+    service: web::Data<AppService>,
+    session: Session,
+    params: web::Json<RegisterParams>,
+) -> Result<HttpResponse, AppError> {
+    let user = service
+        .auth
+        .auth_register(params.into_inner(), &session)
+        .await?;
+    Ok(HttpResponse::Ok().json(ApiResponse::new(RegisterResponse::from(user))))
+}