meow auth

  • 4 Devlogs
  • 13 Total hours

unauthenticated user goes in, authenticated user goes out

4h 51m 58s logged

ah, beautiful api docs. I reworked the api docs (because they were a messy mess because of my past laziness [not understandable!!]) and now they are organized in pretty folders (tags) with correct descriptions and titles. now its even helpful to read the api docs to understand how to use an api handler, not having to dig into the code [no one does that :(]

right, I DID THE EMAIL CHANGE THING and LOGIN tooo wohooo…. yeah it isn’t that amazing lol. at the start i was just thinking about using the typical chacha encryption that ive used for the TOTP stuff but for a random token nanoid’d… you just don’t, HMAC is fine. Ended up with a dual like verification flow where both the old email AND the new email get a token link (well, now it’s just the token string because, ahem, i dont have a frontend). both have to be verified before the change goes through. sooo, no more “oh noes, not again, someone got into my account and changed the mail to their own, smh”. then you just get the notif saying “hey, your email has been changed”.

SEEECOND, login (your username) changing magic that is way simpler because I just check if you have sudo enabled and that you havent changed it in the last 24 days (why not). Just like with the email stuff, you get a notification saying “yay, you changed it!”.

and I think that’s the last of the tiny stuff i wanted to do before the BIG and PAINFUL oauth stuff. i think i am going to burst into flames and go boom and the floor is covered with dust and feathers.

OH wait, i still need to do account deletion… whatever its just a simple “hya you need sudo”, “are you sure about this”, “ok, bye” flow. meh. i also need profile pictures… heh backblaze or maybe cloudflare idk i like backblaze more but uhh I GOTTA RESEARCH OKAY!?!

shall you see the probably useless screenshots that at least show the tiny progress that i always do. great
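
The dual-confirmation email change described in this devlog, as an added example that is not the project's code (it is Python rather than the project's Rust): the server stores only an HMAC tag of each random token, mails the raw token to the old and to the new address, and commits the change only once both sides have confirmed. The key, the TTL and the notification text are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret for this example; the real one would be managed elsewhere.
TOKEN_KEY = b"example-only-token-hmac-key"
TOKEN_TTL = 15 * 60  # assumed: seconds a confirmation token stays valid

def tag(token: str) -> bytes:
    """Store HMAC(token), never the token: a leaked database row cannot be replayed."""
    return hmac.new(TOKEN_KEY, token.encode(), hashlib.sha256).digest()

class EmailChange:
    """One pending email-change request: both addresses must confirm before it applies."""
    def __init__(self, user_id: int, old_email: str, new_email: str, now: float):
        self.user_id, self.old_email, self.new_email = user_id, old_email, new_email
        self.created_at = now
        # Two independent random tokens, one mailed to each address
        # (nanoid-style in the project; token_urlsafe here).
        old_token, new_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.tags = {"old": tag(old_token), "new": tag(new_token)}
        self.confirmed = {"old": False, "new": False}
        self.outbox = {old_email: old_token, new_email: new_token}  # what gets emailed

    def confirm(self, side: str, submitted: str, now: float) -> bool:
        """Mark one side confirmed if its token is valid and not expired."""
        if side not in self.tags or now - self.created_at > TOKEN_TTL:
            return False
        # Constant-time comparison on the tags so timing does not leak partial matches.
        if not hmac.compare_digest(self.tags[side], tag(submitted)):
            return False
        self.confirmed[side] = True
        return True

    def ready(self) -> bool:
        return all(self.confirmed.values())

def apply_change(users: dict, req: EmailChange) -> bool:
    """Commit only when BOTH sides confirmed; return whether the email actually changed."""
    if not req.ready():
        return False
    users[req.user_id]["email"] = req.new_email
    users[req.user_id]["notify"] = f"hey, your email has been changed to {req.new_email}"
    return True
```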

3h 12m 43s logged

beep bwap. firstly, what a waste of argon2. I was using it for encrypting the otp codes and.. dude, that’s like its just 6 characters. I just swapped to the typical hmac256.

I also made a common cookies helper method to not have 2 (or more) instances of the same cookie making method. uhh, also I added the forgotten passkey management handlers… and that’s it.

OH WAIT, i also added validation! I mean, its pretty rough and very bad but it works for what I want! I, in theory, was going to use Garde for the validation with axum-valid to provide me with the base stuff. IT DID NOT WORK, like I had (and still have) to make a wrapper around their stuff so I can send out my own error messages and not some plaintext like before i handled them. right, it did not work because of something called the “Context”… I tried everything to make it work, but I just could not, not even doing workarounds and C&P examples directly and stuffies, it just would not work like it wanted the global context to have a trait implemented, which I did, but it still would not work. I guess its because to use my global context inside axum, i wrap it around an Arc and maybe it didnt like that? or whatever meh wa. I just swapped to using Validate, and ta-da works as it should. HERE’s your badly made screenshot showing the crappy validation messages (they just say: “this field is bad :(”)

50m 8s logged

added a better way to handle required authentication!… middleware. yup, i am very creative. it’s practically a qol improvement in the development side, making code look a bit nicer without seeing in every single protected route the same 3 lines to check if the user is authenticated. now i can “enforce” it when I want the user to be really unauthenticated to use a route. to use it, you just “add the middleware and maybe move one flag” and that’s it… goddamit I should have had that before to not write a heck ton of “if not authenticated or if authenticated…”.

i am trying to delay the inevitable.. the need of making the oauth side and the frontend ;D

3h 37m 55s logged

I started using a master key for everything and fixed the server returning a plain text message when parsing goes wrong.

FIRST, I have seen the future and the future says that I WILL be suffering if I have more than 2 secret keys to manage when I can just derive them from a single master key. AND EVEN rails does that! its just blake3’s key derivation with a xor to fill the remaining bytes that some libraries require. it works pretty great. neat.

SECOND, this was a problemo that one of the flavourtown (yes flavour not flavor) reviewers made me notice. When you send a malformed json body, like a new line on a field that really doesn’t expect a new line, the server would plainly return an error message in plain text, which is really bad for the client to handle and even for looks. Sooo, I tried fixing it trying to strap an error handler to axum… yes I dont even know if that even exists bruh. In the end i just created a newtype that wraps the original Json extractor from axum to catch its errors and THEN and only then wrap those with my own error messages. And bob’s your dad, the server now returns a json error message like every other route error. shall you see the useless screen recording (its cropped by stardance’s ui, great)