chore: tidying up codebase

Author: Utilitycoder

Cargo.lock

@@ -34,6 +34,8 @@ rand = { version = "0.8", features = ["std_rng"] }
 thiserror = "1"
 anyhow = "1"
 base64 = "0.13.0"
+sha3 = "0.9"
+argon2 = { version = "0.3", features = ["std"] }
 
 [dev-dependencies]
 once_cell = "1"

Cargo.toml

@@ -0,0 +1,2 @@
+-- Add migration script here
+ALTER TABLE users RENAME password TO password_hash;

migrations/20230701093040_rename_password_column.sql

@@ -4,6 +4,7 @@ use actix_web::http::{header, StatusCode};
 use actix_web::{web, HttpRequest, HttpResponse, ResponseError};
 use anyhow::Context;
 use secrecy::{ExposeSecret, Secret};
+use sha3::Digest;
 use sqlx::PgPool;
 
 #[derive(serde::Deserialize)]
@@ -71,13 +72,22 @@ impl std::fmt::Debug for PublishError {
     }
 }
 
+#[tracing::instrument(
+    name = "Publish a newsletter issue",
+    skip(body, pool, email_client, request),
+    fields(
+        username = tracing::field::Empty,
+        user_id = tracing::field::Empty,
+    )
+)]
 pub async fn publish_newsletter(
     body: web::Json<BodyData>,
     pool: web::Data<PgPool>,
     email_client: web::Data<EmailClient>,
     request: HttpRequest,
 ) -> Result<HttpResponse, PublishError> {
     let credentials = basic_authentication(request.headers()).map_err(PublishError::AuthError)?;
+    let user_id = validate_credentials(credentials, &pool);
     let subscribers = get_confirmed_subscribers(&pool).await?;
     for subscriber in subscribers {
         match subscriber {
@@ -137,3 +147,26 @@ fn basic_authentication(headers: &HeaderMap) -> Result<Credentials, anyhow::Erro
         password: Secret::new(password.to_owned()),
     })
 }
+
+async fn validate_credentials(
+    credentials: Credentials,
+    pool: &PgPool,
+) -> Result<uuid::Uuid, PublishError> {
+    let password_hash = sha3::Sha3_256::digest(credentials.password.expose_secret().as_bytes());
+    let password_hash = format!("{:x}", password_hash);
+
+    let user_id: Option<_> = sqlx::query!(
+        r#"SELECT user_id FROM users WHERE username = $1 AND password_hash = $2"#,
+        credentials.username,
+        password_hash,
+    )
+    .fetch_optional(pool)
+    .await
+    .context("Failed to perform the query to validate auth credentials")
+    .map_err(PublishError::UnexpectedError)?;
+
+    user_id
+        .map(|row| row.user_id)
+        .ok_or_else(|| anyhow::anyhow!("Invalid username or password"))
+        .map_err(PublishError::AuthError)
+}

src/routes/newsletters.rs

@@ -4,6 +4,7 @@ use robust_rust::{
     startup::{get_connection_pool, Application},
     telemetry::{get_subscriber, init_subscriber},
 };
+use sha3::Digest;
 use sqlx::{Connection, Executor, PgConnection, PgPool};
 use uuid::Uuid;
 use wiremock::MockServer;
@@ -27,11 +28,7 @@ pub struct TestApp {
     pub db_pool: PgPool,
     pub mock_server: MockServer,
     pub port: u16,
-}
-
-pub struct ConfirmationLinks {
-    pub html: reqwest::Url,
-    pub plain_text: reqwest::Url,
+    test_user: TestUser,
 }
 
 impl TestApp {
@@ -68,14 +65,53 @@ impl TestApp {
     pub async fn post_newsletters(&self, body: serde_json::Value) -> reqwest::Response {
         reqwest::Client::new()
             .post(&format!("{}/newsletters", &self.address))
-            .basic_auth(Uuid::new_v4().to_string(), Some(Uuid::new_v4().to_string()))
+            .basic_auth(&self.test_user.username, Some(&self.test_user.password))
             .json(&body)
             .send()
             .await
             .expect("Failed to execute request.")
     }
 }
 
+pub struct ConfirmationLinks {
+    pub html: reqwest::Url,
+    pub plain_text: reqwest::Url,
+}
+
+pub struct TestUser {
+    pub user_id: Uuid,
+    pub username: String,
+    pub password: String,
+}
+
+impl TestUser {
+    pub fn generate() -> Self {
+        Self {
+            user_id: Uuid::new_v4(),
+            username: Uuid::new_v4().to_string(),
+            password: Uuid::new_v4().to_string(),
+        }
+    }
+
+    async fn store(&self, pool: &PgPool) {
+        let password_harsh = sha3::Sha3_256::digest(self.password.as_bytes());
+        let password_hash = format!("{:x}", password_harsh);
+
+        sqlx::query!(
+            r#"
+            INSERT INTO users (user_id, username, password_hash)
+            VALUES ($1, $2, $3)
+            "#,
+            self.user_id,
+            self.username,
+            password_hash
+        )
+        .execute(pool)
+        .await
+        .expect("Failed to store test user.");
+    }
+}
+
 #[allow(clippy::let_underscore_future)]
 pub async fn spawn_app() -> TestApp {
     Lazy::force(&TRACING);
@@ -105,12 +141,16 @@ pub async fn spawn_app() -> TestApp {
 
     let _ = tokio::spawn(application.run_until_stopped());
 
-    TestApp {
+    let test_app = TestApp {
         address,
         db_pool: get_connection_pool(&configuration.database),
         mock_server,
         port: application_port,
-    }
+        test_user: TestUser::generate(),
+    };
+
+   test_app.test_user.store(&test_app.db_pool).await;
+    test_app
 }
 
 async fn configure_database(config: &DatabaseSettings) -> PgPool {