feat: progress on axum-multi-tenant example

Author: abonander

Cargo.lock

@@ -1,5 +1,5 @@
 [package]
-name = "multi-tenant"
+name = "axum-multi-tenant"
 version.workspace = true
 license.workspace = true
 edition.workspace = true

examples/postgres/axum-multi-tenant/Cargo.toml

@@ -4,10 +4,12 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-sqlx = { workspace = true, features = ["postgres", "time"] }
-argon2 = { version = "0.5.3", features = ["password-hash"] }
+sqlx = { workspace = true, features = ["postgres", "time", "uuid"] }
 tokio = { version = "1", features = ["rt", "sync"] }
 
+argon2 = { version = "0.5.3", features = ["password-hash"] }
+password-hash = { version = "0.5", features = ["std"] }
+
 uuid = "1"
 thiserror = "1"
 rand = "0.8"

examples/postgres/axum-multi-tenant/accounts/Cargo.toml

@@ -1,4 +1,4 @@
-create table account
+create table accounts.account
 (
     account_id uuid primary key default gen_random_uuid(),
     email text unique not null,

examples/postgres/axum-multi-tenant/accounts/migrations/02_account.sql

@@ -4,3 +4,4 @@ migrations-table = "accounts._sqlx_migrations"
 
 [macros.table-overrides.'accounts.account']
 'account_id' = "crate::AccountId"
+'password_hash' = "sqlx::types::Text<password_hash::PasswordHashString>"

examples/postgres/axum-multi-tenant/accounts/sqlx.toml

@@ -1,5 +1,6 @@
+use argon2::{password_hash, Argon2, PasswordHasher, PasswordVerifier};
 use std::error::Error;
-use argon2::{password_hash, Argon2, PasswordHash, PasswordHasher, PasswordVerifier};
+use std::sync::Arc;
 
 use password_hash::PasswordHashString;
 
@@ -10,21 +11,24 @@ use uuid::Uuid;
 
 use tokio::sync::Semaphore;
 
-#[derive(sqlx::Type)]
+#[derive(sqlx::Type, Debug)]
 #[sqlx(transparent)]
 pub struct AccountId(pub Uuid);
 
-
 pub struct AccountsManager {
-    hashing_semaphore: Semaphore,
+    hashing_semaphore: Arc<Semaphore>,
 }
 
 #[derive(Debug, thiserror::Error)]
 pub enum CreateError {
-    #[error("email in-use")]
+    #[error("error creating account: email in-use")]
     EmailInUse,
-    General(#[source]
-            #[from] GeneralError),
+    #[error("error creating account")]
+    General(
+        #[source]
+        #[from]
+        GeneralError,
+    ),
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -33,50 +37,95 @@ pub enum AuthenticateError {
     UnknownEmail,
     #[error("invalid password")]
     InvalidPassword,
-    General(#[source]
-            #[from] GeneralError),
+    #[error("authentication error")]
+    General(
+        #[source]
+        #[from]
+        GeneralError,
+    ),
 }
 
 #[derive(Debug, thiserror::Error)]
 pub enum GeneralError {
-    Sqlx(#[source]
-         #[from] sqlx::Error),
-    PasswordHash(#[source] #[from] argon2::password_hash::Error),
-    Task(#[source]
-         #[from] tokio::task::JoinError),
+    #[error("database error")]
+    Sqlx(
+        #[source]
+        #[from]
+        sqlx::Error,
+    ),
+    #[error("error hashing password")]
+    PasswordHash(
+        #[source]
+        #[from]
+        argon2::password_hash::Error,
+    ),
+    #[error("task panicked")]
+    Task(
+        #[source]
+        #[from]
+        tokio::task::JoinError,
+    ),
 }
 
 impl AccountsManager {
-    pub async fn new(conn: &mut PgConnection, max_hashing_threads: usize) -> Result<Self, GeneralError> {
-        sqlx::migrate!().run(conn).await?;
+    pub async fn new(
+        conn: &mut PgConnection,
+        max_hashing_threads: usize,
+    ) -> Result<Self, GeneralError> {
+        sqlx::migrate!()
+            .run(conn)
+            .await
+            .map_err(sqlx::Error::from)?;
 
-        AccountsManager {
-            hashing_semaphore: Semaphore::new(max_hashing_threads)
-        }
+        Ok(AccountsManager {
+            hashing_semaphore: Semaphore::new(max_hashing_threads).into(),
+        })
     }
 
-    async fn hash_password(&self, password: String) -> Result<PasswordHash, GeneralError> {
-        let guard = self.hashing_semaphore.acquire().await
+    async fn hash_password(&self, password: String) -> Result<PasswordHashString, GeneralError> {
+        let guard = self
+            .hashing_semaphore
+            .clone()
+            .acquire_owned()
+            .await
             .expect("BUG: this semaphore should not be closed");
 
         // We transfer ownership to the blocking task and back to ensure Tokio doesn't spawn
         // excess threads.
         let (_guard, res) = tokio::task::spawn_blocking(move || {
             let salt = argon2::password_hash::SaltString::generate(rand::thread_rng());
-            (guard, Argon2::default().hash_password(password.as_bytes(), &salt))
+            (
+                guard,
+                Argon2::default()
+                    .hash_password(password.as_bytes(), &salt)
+                    .map(|hash| hash.serialize()),
+            )
         })
-            .await?;
+        .await?;
 
         Ok(res?)
     }
 
-    async fn verify_password(&self, password: String, hash: PasswordHashString) -> Result<(), AuthenticateError> {
-        let guard = self.hashing_semaphore.acquire().await
+    async fn verify_password(
+        &self,
+        password: String,
+        hash: PasswordHashString,
+    ) -> Result<(), AuthenticateError> {
+        let guard = self
+            .hashing_semaphore
+            .clone()
+            .acquire_owned()
+            .await
             .expect("BUG: this semaphore should not be closed");
 
         let (_guard, res) = tokio::task::spawn_blocking(move || {
-            (guard, Argon2::default().verify_password(password.as_bytes(), &hash.password_hash()))
-        }).await.map_err(GeneralError::from)?;
+            (
+                guard,
+                Argon2::default().verify_password(password.as_bytes(), &hash.password_hash()),
+            )
+        })
+        .await
+        .map_err(GeneralError::from)?;
 
         if let Err(password_hash::Error::Password) = res {
             return Err(AuthenticateError::InvalidPassword);
@@ -87,46 +136,64 @@ impl AccountsManager {
         Ok(())
     }
 
-    pub async fn create(&self, txn: &mut PgTransaction, email: &str, password: String) -> Result<AccountId, CreateError> {
+    pub async fn create(
+        &self,
+        txn: &mut PgTransaction<'_>,
+        email: &str,
+        password: String,
+    ) -> Result<AccountId, CreateError> {
         // Hash password whether the account exists or not to make it harder
         // to tell the difference in the timing.
         let hash = self.hash_password(password).await?;
 
+        // Thanks to `sqlx.toml`, `account_id` maps to `AccountId`
         // language=PostgreSQL
-        sqlx::query!(
+        sqlx::query_scalar!(
             "insert into accounts.account(email, password_hash) \
              values ($1, $2) \
              returning account_id",
             email,
-            Text(hash) as Text<PasswordHash<'static>>,
+            hash.as_str(),
         )
-            .fetch_one(&mut *txn)
-            .await
-            .map_err(|e| if e.constraint() == Some("account_account_id_key") {
+        .fetch_one(&mut **txn)
+        .await
+        .map_err(|e| {
+            if e.as_database_error().and_then(|dbe| dbe.constraint()) == Some("account_account_id_key") {
                 CreateError::EmailInUse
             } else {
                 GeneralError::from(e).into()
-            })
+            }
+        })
     }
 
-    pub async fn authenticate(&self, conn: &mut PgConnection, email: &str, password: String) -> Result<AccountId, AuthenticateError> {
+    pub async fn authenticate(
+        &self,
+        conn: &mut PgConnection,
+        email: &str,
+        password: String,
+    ) -> Result<AccountId, AuthenticateError> {
+        // Thanks to `sqlx.toml`:
+        // * `account_id` maps to `AccountId`
+        // * `password_hash` maps to `Text<PasswordHashString>`
         let maybe_account = sqlx::query!(
-            "select account_id, password_hash as \"password_hash: Text<PasswordHashString>\" \
+            "select account_id, password_hash \
              from accounts.account \
-             where email_id = $1",
+             where email = $1",
             email
         )
-            .fetch_optional(&mut *conn)
-            .await
-            .map_err(GeneralError::from)?;
+        .fetch_optional(&mut *conn)
+        .await
+        .map_err(GeneralError::from)?;
 
         let Some(account) = maybe_account else {
             // Hash the password whether the account exists or not to hide the difference in timing.
-            self.hash_password(password).await.map_err(GeneralError::from)?;
+            self.hash_password(password)
+                .await
+                .map_err(GeneralError::from)?;
             return Err(AuthenticateError::UnknownEmail);
         };
 
-        self.verify_password(password, account.password_hash.into())?;
+        self.verify_password(password, account.password_hash.into_inner()).await?;
 
         Ok(account.account_id)
     }

examples/postgres/axum-multi-tenant/accounts/src/lib.rs

@@ -4,4 +4,4 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-sqlx = { workspace = true, features = ["postgres", "time"] }
+sqlx = { workspace = true, features = ["postgres", "time", "uuid"] }