feat: Add JWT authentication middleware and comprehensive CSRF protection.

zerox80 · zerox80 · commit e87785e6cec3 · 2025-11-19T14:28:58.000+01:00
diff --git a/backend/src/csrf.rs b/backend/src/csrf.rs
@@ -571,3 +571,17 @@ pub fn csrf_cookie_name() -> &'static str {
 pub fn csrf_header_name() -> &'static str {
     CSRF_HEADER_NAME
 }
+
+/// Middleware to enforce CSRF protection.
+///
+/// This middleware extracts the `CsrfGuard` which performs the validation.
+/// It is designed to be used with `axum::middleware::from_fn_with_state`
+/// to ensure the database pool state is available for extraction.
+pub async fn enforce_csrf(
+    axum::extract::State(_pool): axum::extract::State<crate::db::DbPool>,
+    _guard: CsrfGuard,
+    req: axum::extract::Request,
+    next: axum::middleware::Next,
+) -> axum::response::Response {
+    next.run(req).await
+}
diff --git a/backend/src/main.rs b/backend/src/main.rs
@@ -247,9 +247,8 @@ async fn main() {
             "/api/upload",
             post(handlers::upload::upload_image),
         )
-        .with_state(pool.clone())
-        .route_layer(from_extractor::<csrf::CsrfGuard>())
-        .route_layer(from_fn(middleware::auth::auth_middleware))
+        .route_layer(axum::middleware::from_fn_with_state(pool.clone(), csrf::enforce_csrf))
+        .route_layer(axum::middleware::from_fn_with_state(pool.clone(), middleware::auth::auth_middleware))
         .layer(RequestBodyLimitLayer::new(ADMIN_BODY_LIMIT))
         .layer(GovernorLayer::new(admin_rate_limit_config.clone()));
 
diff --git a/backend/src/middleware/auth.rs b/backend/src/middleware/auth.rs
@@ -33,6 +33,7 @@ use axum::{
 /// On success, inserts Claims into request extensions for easy access
 /// by downstream handlers.
 pub async fn auth_middleware(
+    axum::extract::State(pool): axum::extract::State<crate::db::DbPool>,
     mut request: axum::extract::Request,
     next: axum::middleware::Next,
 ) -> Result<axum::response::Response, (StatusCode, Json<crate::models::ErrorResponse>)> {
@@ -57,12 +58,7 @@ pub async fn auth_middleware(
     })?;
 
     // Check if token is blacklisted
-    let pool = request
-        .extensions()
-        .get::<crate::db::DbPool>()
-        .expect("Database pool not found in request extensions");
-
-    if let Ok(true) = repositories::token_blacklist::is_token_blacklisted(pool, &token).await {
+    if let Ok(true) = repositories::token_blacklist::is_token_blacklisted(&pool, &token).await {
         return Err((
             StatusCode::UNAUTHORIZED,
             Json(crate::models::ErrorResponse {
