You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
|`src/utils/response.rs`| Defines `ApiResponse<T>` with `success`, `status_code`, `message`, `data`| Gives every endpoint a predictable success payload shape |
106
+
|`src/utils/api_error.rs`| Defines `ApiError` (`BadRequest`, `Unauthorized`, `NotFound`, `Conflict`, `InternalServerError`) and converts it into HTTP responses | Centralizes error-to-status mapping so controllers stay clean |
107
+
|`src/utils/jwt.rs`| Generates and verifies JWT claims (`sub`, `exp`) | Reusable token logic for any protected resource |
108
+
|`src/utils/hash.rs`| Hashes passwords (Argon2 + random salt) and verifies passwords | Security best practice reusable for account/password features |
109
+
|`src/utils/mod.rs`| Exports utility modules and formats validator errors into readable strings | Keeps validation messages user-friendly and consistent |
110
+
111
+
## 🔄 How Response + Error + JWT Work Together
112
+
113
+
1.**Request enters route** (`src/routes/auth_routes.rs`) and is handled by `auth_controller`.
114
+
2.**DTO validation runs** (`validator` crate in `src/dtos/auth_dto.rs`).
115
+
3.**If validation fails**, controller maps errors using `format_validation_errors(...)` and returns `ApiError::BadRequest(...)`.
116
+
4.**If business/database logic fails**, controller returns another `ApiError` variant.
117
+
5.**`ApiError` implements `IntoResponse`**, so Axum converts it into a standardized HTTP error payload.
118
+
6.**If success**, controller returns `Json(ApiResponse<T>)` from `src/utils/response.rs`.
119
+
7.**For protected routes**, `AuthUser` middleware extractor in `src/middleware/auth.rs` reads `token` from cookies, verifies JWT using `utils/jwt.rs`, fetches the user from DB, and injects authenticated `User` into the handler.
120
+
121
+
## 📦 Response Format (Current)
122
+
123
+
Success shape:
124
+
125
+
```json
126
+
{
127
+
"success": true,
128
+
"status_code": 200,
129
+
"message": "User logged in successfully",
130
+
"data": {
131
+
"id": "uuid",
132
+
"email": "user@example.com",
133
+
"name": "User"
134
+
}
135
+
}
136
+
```
137
+
138
+
Error shape:
139
+
140
+
```json
141
+
{
142
+
"success": false,
143
+
"status_code": 400,
144
+
"message": "email: Invalid email format, password: Password must be between 6 and 12 characters",
145
+
"data": null
146
+
}
147
+
```
148
+
149
+
## 🍪 JWT Cookie Behavior
150
+
151
+
- Cookie name: `token`
152
+
-`HttpOnly`: enabled (protects token from client-side JS access)
153
+
-`SameSite`: `Lax`
154
+
-`Secure`: enabled when `DEV_MODE != development`
155
+
- Signing secret: `JWT_SECRET` from environment
156
+
157
+
This makes auth state server-trusted and easy to consume from browser clients.
* Retrieves the authenticated user's information. Requires the user to be authenticated with a valid JWT token in the cookies. Returns a JSON response with the user's information if authentication is successful, or an appropriate error message if authentication fails.
0 commit comments