feat: Implement full-stack comment system with authentication, voting,

Author: zerox80

.gitignore

@@ -325,6 +325,9 @@ backend/public/
 
 # Ignore generated migration files (if applicable)
 # migrations/
+!backend/migrations/*.sql
+!backend/migrations/20241119_add_votes_and_admin_to_comments.sql
+
 
 
 # ==================== Keep These ====================

backend/Cargo.toml

@@ -26,7 +26,8 @@ chrono = { version = "0.4", features = ["serde"] }
 dotenv = "0.15"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
-uuid = { version = "1.6", features = ["v4", "serde"] }
+uuid = { version = "1.4", features = ["v4", "fast-rng", "macro-diagnostics"] }
+infer = "0.15"
 url = "2.5"
 idna_adapter = "=1.2.1"
 regex = { version = "1.10", default-features = false, features = ["std"] }
@@ -37,6 +38,7 @@ sha2 = "0.10"
 hmac = "0.12"
 subtle = "2.5"
 reqwest = { version = "0.11", features = ["json"] }
+html-escape = "0.2"
 
 [dependencies.home]
 version = "=0.5.12"

backend/migrations/20241119_add_votes_and_admin_to_comments.sql

@@ -0,0 +1,3 @@
+-- Add votes and is_admin columns to comments table
+ALTER TABLE comments ADD COLUMN votes INTEGER NOT NULL DEFAULT 0;
+ALTER TABLE comments ADD COLUMN is_admin BOOLEAN NOT NULL DEFAULT FALSE;

backend/migrations/20241119_create_comment_votes.sql

@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS comment_votes (
+    comment_id TEXT NOT NULL,
+    voter_id TEXT NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    PRIMARY KEY (comment_id, voter_id),
+    FOREIGN KEY (comment_id) REFERENCES comments(id) ON DELETE CASCADE
+);

backend/src/auth.rs

@@ -26,15 +26,16 @@ use axum::{
         HeaderMap, HeaderValue, StatusCode,
     },
     Json,
+    extract::FromRef,
 };
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use chrono::{Duration, Utc};
 use jsonwebtoken::{decode, encode, DecodingKey, EncodingKey, Header, Validation};
+use once_cell::sync::Lazy;
 use serde::{Deserialize, Serialize};
-use std::collections::HashSet;
 use std::env;
-use std::sync::OnceLock;
-use time::{Duration as TimeDuration, OffsetDateTime};
+
+use crate::db::{self, DbPool};
 
 /// Global storage for the JWT secret key.
 /// Initialized once at application startup via init_jwt_secret().
@@ -357,10 +358,11 @@ pub fn build_cookie_removal() -> Cookie<'static> {
 impl<S> FromRequestParts<S> for Claims
 where
     S: Send + Sync,
+    DbPool: FromRef<S>,
 {
     type Rejection = (StatusCode, String);
 
-    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
         // Check if claims already extracted by middleware
         if let Some(claims) = parts.extensions.get::<Claims>() {
             return Ok(claims.clone());
@@ -378,6 +380,21 @@ where
         let claims = verify_jwt(&token)
             .map_err(|e| (StatusCode::UNAUTHORIZED, format!("Invalid token: {}", e)))?;
 
+        // Check if token is blacklisted
+        let pool = DbPool::from_ref(state);
+        if db::is_token_blacklisted(&pool, &token)
+            .await
+            .map_err(|e| {
+                tracing::error!("Database error checking token blacklist: {}", e);
+                (
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                    "Internal server error".to_string(),
+                )
+            })?
+        {
+            return Err((StatusCode::UNAUTHORIZED, "Token has been revoked".to_string()));
+        }
+
         Ok(claims)
     }
 }
@@ -495,7 +512,7 @@ pub fn cookies_should_be_secure() -> bool {
 ///
 /// # Priority
 /// Authorization header is checked first, falling back to cookies
-fn extract_token(headers: &HeaderMap) -> Option<String> {
+pub fn extract_token(headers: &HeaderMap) -> Option<String> {
     // First check Authorization header
     if let Some(header_value) = headers.get(AUTHORIZATION) {
         if let Ok(value_str) = header_value.to_str() {
@@ -536,60 +553,3 @@ fn parse_bearer_token(value: &str) -> Option<String> {
     None
 }
 
-/// AXUM middleware for protecting routes with authentication.
-///
-/// This middleware validates the JWT token and adds the claims to the
-/// request extensions, making them available to downstream handlers.
-///
-/// # Usage
-/// ```rust,no_run
-/// use axum::{Router, routing::get, middleware};
-/// use linux_tutorial_cms::auth;
-///
-/// let app = Router::new()
-///     .route("/protected", get(handler))
-///     .route_layer(middleware::from_fn(auth::auth_middleware));
-/// ```
-///
-/// # Authentication
-/// Accepts tokens from:
-/// - Authorization: Bearer <token> header
-/// - ltcms_session cookie
-///
-/// # Errors
-/// Returns 401 Unauthorized if:
-/// - No token provided
-/// - Token is invalid or expired
-///
-/// # Request Extensions
-/// On success, inserts Claims into request extensions for easy access
-/// by downstream handlers.
-pub async fn auth_middleware(
-    mut request: axum::extract::Request,
-    next: axum::middleware::Next,
-) -> Result<axum::response::Response, (StatusCode, Json<crate::models::ErrorResponse>)> {
-    // Extract token from request
-    let token = extract_token(request.headers()).ok_or_else(|| {
-        (
-            StatusCode::UNAUTHORIZED,
-            Json(crate::models::ErrorResponse {
-                error: "Missing authentication token".to_string(),
-            }),
-        )
-    })?;
-
-    // Verify token and extract claims
-    let claims = verify_jwt(&token).map_err(|e| {
-        (
-            StatusCode::UNAUTHORIZED,
-            Json(crate::models::ErrorResponse {
-                error: format!("Invalid token: {}", e),
-            }),
-        )
-    })?;
-
-    // Add claims to request extensions for downstream handlers
-    request.extensions_mut().insert(claims);
-
-    Ok(next.run(request).await)
-}

backend/src/csrf.rs

@@ -475,6 +475,7 @@ pub struct CsrfGuard;
 impl<S> FromRequestParts<S> for CsrfGuard
 where
     S: Send + Sync,
+    crate::db::DbPool: axum::extract::FromRef<S>,
 {
     type Rejection = (StatusCode, Json<ErrorResponse>);
 
@@ -488,21 +489,28 @@ where
         }
 
         // Ensure user is authenticated by checking existing claims or lazily extracting them
-        let claims = if let Some(existing) = parts.extensions.get::<auth::Claims>() {
-            existing.clone()
+        // For mixed endpoints (like comments) that allow both auth and guest, we only enforce CSRF
+        // if the user is actually authenticated.
+        let claims_result = if let Some(existing) = parts.extensions.get::<auth::Claims>() {
+            Ok(existing.clone())
         } else {
-            let claims = auth::Claims::from_request_parts(parts, _state)
-                .await
-                .map_err(|(status, message)| {
-                    (
-                        status,
-                        Json(ErrorResponse {
-                            error: message,
-                        }),
-                    )
-                })?;
-            parts.extensions.insert(claims.clone());
-            claims
+            auth::Claims::from_request_parts(parts, _state).await
+        };
+
+        let claims = match claims_result {
+            Ok(claims) => {
+                // User is authenticated, so we MUST enforce CSRF
+                parts.extensions.insert(claims.clone());
+                claims
+            }
+            Err(_) => {
+                // User is NOT authenticated (Guest) or token is invalid.
+                // In this case, we skip CSRF validation because:
+                // 1. Guests don't have a session to protect
+                // 2. Guests don't have a username to bind the token to
+                // 3. Invalid tokens will be handled by the route handler (treated as guest or rejected)
+                return Ok(Self);
+            }
         };
 
         // Extract CSRF token from HTTP header