feat: access token check

api/parameters/xsrf_token_cookie.yaml

@@ -1,4 +1,4 @@
-name: XSRF-TOKEN
+name: xsrf_token
 in: cookie
 required: true
 schema:

deploy/docker-compose.yml

@@ -62,6 +62,8 @@ services:
     environment:
       LOG_LEVEL: ${LOG_LEVEL}
       DATABASE_URL: ${DATABASE_URL}
+      SERVICE_ADDRESS: ${SERVICE_ADDRESS}
+      JWT_PRIVATE_KEY: ${JWT_PRIVATE_KEY}
     ports:
       - "8082:8082"
     depends_on:

modules/auth/handlers/handlers.go

@@ -2,6 +2,8 @@ package handlers
 
 import (
 	"context"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"net/http"
 	auth "nyanimedb/auth"
@@ -15,15 +17,13 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
-var accessSecret = []byte("my_access_secret_key")
-var refreshSecret = []byte("my_refresh_secret_key")
-
 type Server struct {
-	db *sqlc.Queries
+	db            *sqlc.Queries
+	JwtPrivateKey string
 }
 
-func NewServer(db *sqlc.Queries) Server {
+func NewServer(db *sqlc.Queries, JwtPrivatekey string) Server {
-	return Server{db: db}
+	return Server{db: db, JwtPrivateKey: JwtPrivatekey}
 }
 
 func parseInt64(s string) (int32, error) {
@@ -47,15 +47,15 @@ func CheckPassword(password, hash string) (bool, error) {
 	return argon2id.ComparePasswordAndHash(password, hash)
 }
 
-func generateTokens(userID string) (accessToken string, refreshToken string, err error) {
+func (s Server) generateTokens(userID string) (accessToken string, refreshToken string, csrfToken string, err error) {
 	accessClaims := jwt.MapClaims{
 		"user_id": userID,
 		"exp":     time.Now().Add(15 * time.Minute).Unix(),
 	}
 	at := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
-	accessToken, err = at.SignedString(accessSecret)
+	accessToken, err = at.SignedString(s.JwtPrivateKey)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
 
 	refreshClaims := jwt.MapClaims{
@@ -63,12 +63,19 @@ func generateTokens(userID string) (accessToken string, refreshToken string, err
 		"exp":     time.Now().Add(7 * 24 * time.Hour).Unix(),
 	}
 	rt := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
-	refreshToken, err = rt.SignedString(refreshSecret)
+	refreshToken, err = rt.SignedString(s.JwtPrivateKey)
 	if err != nil {
-		return "", "", err
+		return "", "", "", err
 	}
 
-	return accessToken, refreshToken, nil
+	csrfBytes := make([]byte, 32)
+	_, err = rand.Read(csrfBytes)
+	if err != nil {
+		return "", "", "", err
+	}
+	csrfToken = base64.RawURLEncoding.EncodeToString(csrfBytes)
+
+	return accessToken, refreshToken, csrfToken, nil
 }
 
 func (s Server) PostAuthSignUp(ctx context.Context, req auth.PostAuthSignUpRequestObject) (auth.PostAuthSignUpResponseObject, error) {
@@ -118,7 +125,7 @@ func (s Server) PostAuthSignIn(ctx context.Context, req auth.PostAuthSignInReque
 		}, nil
 	}
 
-	accessToken, refreshToken, err := generateTokens(req.Body.Nickname)
+	accessToken, refreshToken, csrfToken, err := s.generateTokens(req.Body.Nickname)
 	if err != nil {
 		log.Errorf("failed to generate tokens for user %s: %v", req.Body.Nickname, err)
 		// TODO: return 500
@@ -126,8 +133,9 @@ func (s Server) PostAuthSignIn(ctx context.Context, req auth.PostAuthSignInReque
 
 	// TODO: check cookie settings carefully
 	ginCtx.SetSameSite(http.SameSiteStrictMode)
-	ginCtx.SetCookie("access_token", accessToken, 604800, "/auth", "", false, true)
+	ginCtx.SetCookie("access_token", accessToken, 900, "/api", "", false, true)
-	ginCtx.SetCookie("refresh_token", refreshToken, 604800, "/api", "", false, true)
+	ginCtx.SetCookie("refresh_token", refreshToken, 1209600, "/auth", "", false, true)
+	ginCtx.SetCookie("xsrf_token", csrfToken, 1209600, "/api", "", false, false)
 
 	result := auth.PostAuthSignIn200JSONResponse{
 		UserId:   user.ID,

modules/auth/helpers.go

@@ -0,0 +1,33 @@
+package main
+
+import (
+	"fmt"
+	"reflect"
+)
+
+func setField(obj interface{}, name string, value interface{}) error {
+	v := reflect.ValueOf(obj)
+
+	if v.Kind() != reflect.Ptr || v.Elem().Kind() != reflect.Struct {
+		return fmt.Errorf("expected pointer to a struct")
+	}
+
+	v = v.Elem()
+	field := v.FieldByName(name)
+
+	if !field.IsValid() {
+		return fmt.Errorf("no such field: %s", name)
+	}
+	if !field.CanSet() {
+		return fmt.Errorf("cannot set field: %s", name)
+	}
+
+	val := reflect.ValueOf(value)
+
+	if field.Type() != val.Type() {
+		return fmt.Errorf("provided value type (%s) doesn't match field type (%s)", val.Type(), field.Type())
+	}
+
+	field.Set(val)
+	return nil
+}

modules/auth/main.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+	"reflect"
 	"time"
 
 	auth "nyanimedb/auth"
@@ -13,12 +14,24 @@ import (
 	"github.com/gin-contrib/cors"
 	"github.com/gin-gonic/gin"
 	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/pelletier/go-toml/v2"
+	log "github.com/sirupsen/logrus"
 )
 
 var AppConfig Config
 
 func main() {
-	// TODO: env args
+	if len(os.Args) != 2 {
+		AppConfig.Mode = "env"
+	} else {
+		AppConfig.Mode = "argv"
+	}
+
+	err := InitConfig()
+	if err != nil {
+		log.Fatalf("Failed to init config: %v\n", err)
+	}
+
 	r := gin.Default()
 
 	pool, err := pgxpool.New(context.Background(), os.Getenv("DATABASE_URL"))
@@ -29,10 +42,10 @@ func main() {
 
 	var queries *sqlc.Queries = sqlc.New(pool)
 
-	server := handlers.NewServer(queries)
+	server := handlers.NewServer(queries, AppConfig.JwtPrivateKey)
 
 	r.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"*"}, // allow all origins, change to specific domains in production
+		AllowOrigins:     []string{AppConfig.ServiceAddress},
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept"},
 		ExposeHeaders:    []string{"Content-Length"},
@@ -47,3 +60,41 @@ func main() {
 
 	r.Run(":8082")
 }
+
+func InitConfig() error {
+	if AppConfig.Mode == "argv" {
+		content, err := os.ReadFile(os.Args[1])
+		if err != nil {
+			return err
+		}
+
+		toml.Unmarshal(content, &AppConfig)
+
+		fmt.Printf("%+v\n", AppConfig)
+
+		return nil
+	} else if AppConfig.Mode == "env" {
+		f := reflect.ValueOf(AppConfig)
+
+		for i := 0; i < f.NumField(); i++ {
+			field := f.Type().Field(i)
+			tag := field.Tag
+			env_var := tag.Get("env")
+			fmt.Printf("Field: %v.\nEnvironment variable: %v.\n", field.Name, env_var)
+			if env_var != "" {
+				env_value, exists := os.LookupEnv(env_var)
+				if !exists {
+					return fmt.Errorf("there is no env variable %s", env_var)
+				}
+				err := setField(&AppConfig, field.Name, env_value)
+				if err != nil {
+					return fmt.Errorf("failed to set config field %s: %v", field.Name, err)
+				}
+			}
+		}
+
+		return nil
+	} else {
+		return fmt.Errorf("incorrect config mode")
+	}
+}

modules/auth/types.go

@@ -1,6 +1,9 @@
 package main
 
 type Config struct {
-	JwtPrivateKey string
+	Mode           string
-	LogLevel      string `toml:"LogLevel" env:"LOG_LEVEL"`
+	ServiceAddress string `toml:"ServiceAddress" env:"SERVICE_ADDRESS"`
+	DdUrl          string `toml:"DbUrl" env:"DATABASE_URL"`
+	JwtPrivateKey  string `toml:"JwtPrivateKey" env:"JWT_PRIVATE_KEY"`
+	LogLevel       string `toml:"LogLevel" env:"LOG_LEVEL"`
 }

modules/backend/main.go

@@ -25,18 +25,18 @@ import (
 var AppConfig Config
 
 func main() {
-	// if len(os.Args) != 2 {
+	if len(os.Args) != 2 {
-	// 	AppConfig.Mode = "env"
+		AppConfig.Mode = "env"
-	// } else {
+	} else {
-	// 	AppConfig.Mode = "argv"
+		AppConfig.Mode = "argv"
-	// }
+	}
 
-	// err := InitConfig()
+	err := InitConfig()
-	// if err != nil {
+	if err != nil {
-	// 	log.Fatalf("Failed to init config: %v\n", err)
+		log.Fatalf("Failed to init config: %v\n", err)
-	// }
+	}
 
-	pool, err := pgxpool.New(context.Background(), os.Getenv("DATABASE_URL"))
+	pool, err := pgxpool.New(context.Background(), AppConfig.DdUrl)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Unable to connect to database: %v\n", err)
 		os.Exit(1)
@@ -47,16 +47,11 @@ func main() {
 	r := gin.Default()
 
 	r.Use(middleware.CSRFMiddleware())
-	// jwt middle will be here
+	r.Use(middleware.JWTAuthMiddleware(AppConfig.JwtPrivateKey))
+
 	queries := sqlc.New(pool)
 
-	// === RabbitMQ setup ===
+	rmqConn, err := amqp091.Dial(AppConfig.rmqURL)
-	rmqURL := os.Getenv("RABBITMQ_URL")
-	if rmqURL == "" {
-		rmqURL = "amqp://guest:guest@rabbitmq:5672/"
-	}
-
-	rmqConn, err := amqp091.Dial(rmqURL)
 	if err != nil {
 		log.Fatalf("Failed to connect to RabbitMQ: %v", err)
 	}
@@ -68,7 +63,7 @@ func main() {
 	server := handlers.NewServer(queries, publisher, rpcClient)
 
 	r.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"*"}, // allow all origins, change to specific domains in production
+		AllowOrigins:     []string{AppConfig.ServiceAddress},
 		AllowMethods:     []string{"GET", "POST", "PUT", "DELETE", "PATCH"},
 		AllowHeaders:     []string{"Origin", "Content-Type", "Accept"},
 		ExposeHeaders:    []string{"Content-Length"},
@@ -78,7 +73,7 @@ func main() {
 
 	oapi.RegisterHandlers(r, oapi.NewStrictHandler(
 		server,
-		// сюда можно добавить middlewares, если нужно
+
 		[]oapi.StrictMiddlewareFunc{},
 	))
 

modules/backend/middlewares/access.go

@@ -0,0 +1,109 @@
+package middleware
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// ctxKey — приватный тип для ключа контекста
+type ctxKey struct{}
+
+// ginContextKey — уникальный ключ для хранения *gin.Context
+var ginContextKey = &ctxKey{}
+
+// GinContextToContext сохраняет *gin.Context в context.Context запроса
+func GinContextToContext(c *gin.Context) {
+	ctx := context.WithValue(c.Request.Context(), ginContextKey, c)
+	c.Request = c.Request.WithContext(ctx)
+}
+
+// GinContextFromContext извлекает *gin.Context из context.Context
+func GinContextFromContext(ctx context.Context) (*gin.Context, bool) {
+	ginCtx, ok := ctx.Value(ginContextKey).(*gin.Context)
+	return ginCtx, ok
+}
+
+func JWTAuthMiddleware(secret string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// 1. Получаем access_token из cookie
+		tokenStr, err := c.Cookie("access_token")
+		if err != nil {
+			abortWithJSON(c, http.StatusUnauthorized, "missing access_token cookie")
+			return
+		}
+
+		// 2. Парсим токен с MapClaims
+		token, err := jwt.Parse(tokenStr, func(t *jwt.Token) (interface{}, error) {
+			if t.Method != jwt.SigningMethodHS256 {
+				return nil, errors.New("unexpected signing method: " + t.Method.Alg())
+			}
+			return []byte(secret), nil // ← конвертируем string → []byte
+		})
+		if err != nil {
+			abortWithJSON(c, http.StatusUnauthorized, "invalid token: "+err.Error())
+			return
+		}
+
+		// 3. Проверяем валидность
+		if !token.Valid {
+			abortWithJSON(c, http.StatusUnauthorized, "token is invalid")
+			return
+		}
+
+		// 4. Извлекаем user_id из claims
+		claims, ok := token.Claims.(jwt.MapClaims)
+		if !ok {
+			abortWithJSON(c, http.StatusUnauthorized, "invalid claims format")
+			return
+		}
+
+		userID, ok := claims["user_id"].(string)
+		if !ok || userID == "" {
+			abortWithJSON(c, http.StatusUnauthorized, "user_id claim missing or invalid")
+			return
+		}
+
+		// 5. Сохраняем в контексте
+		c.Set("user_id", userID)
+
+		// 6. Для oapi-codegen — кладём gin.Context в request context
+		GinContextToContext(c)
+
+		c.Next()
+	}
+}
+
+// Вспомогательные функции (без изменений)
+func UserIDFromGin(c *gin.Context) (string, bool) {
+	id, exists := c.Get("user_id")
+	if !exists {
+		return "", false
+	}
+	if s, ok := id.(string); ok {
+		return s, true
+	}
+	return "", false
+}
+
+func UserIDFromContext(ctx context.Context) (string, error) {
+	ginCtx, ok := GinContextFromContext(ctx)
+	if !ok {
+		return "", errors.New("gin context not found")
+	}
+	userID, ok := UserIDFromGin(ginCtx)
+	if !ok {
+		return "", errors.New("user_id not found in context")
+	}
+	return userID, nil
+}
+
+func abortWithJSON(c *gin.Context, code int, message string) {
+	c.AbortWithStatusJSON(code, gin.H{
+		"error":   "unauthorized",
+		"message": message,
+	})
+}

modules/backend/types.go

@@ -1,12 +1,10 @@
 package main
 
 type Config struct {
-	Mode     string
+	Mode           string
-	LogLevel string `toml:"LogLevel" env:"LOG_LEVEL"`
+	ServiceAddress string `toml:"ServiceAddress" env:"SERVICE_ADDRESS"`
-}
+	DdUrl          string `toml:"DbUrl" env:"DATABASE_URL"`
-
+	JwtPrivateKey  string `toml:"JwtPrivateKey" env:"JWT_PRIVATE_KEY"`
-type Item struct {
+	LogLevel       string `toml:"LogLevel" env:"LOG_LEVEL"`
-	ID          int    `json:"id"`
+	rmqURL         string `toml:"RabbitMQUrl" env:"RABBITMQ_URL"`
-	Title       string `json:"title"`
-	Description string `json:"description"`
 }

modules/frontend/src/api/services/DefaultService.ts

@@ -20,6 +20,7 @@ export class DefaultService {
      * @param cursor
      * @param sort
      * @param sortForward
+     * @param extSearch
      * @param word
      * @param status List of title statuses to filter
      * @param rating
@@ -35,6 +36,7 @@ export class DefaultService {
         cursor?: string,
         sort?: TitleSort,
         sortForward: boolean = true,
+        extSearch: boolean = false,
         word?: string,
         status?: Array<TitleStatus>,
         rating?: number,
@@ -57,6 +59,7 @@ export class DefaultService {
                 'cursor': cursor,
                 'sort': sort,
                 'sort_forward': sortForward,
+                'ext_search': extSearch,
                 'word': word,
                 'status': status,
                 'rating': rating,

modules/frontend/src/components/TitlesFilterPanel/TitlesFilterPanel.tsx

@@ -0,0 +1,122 @@
+import { useState } from "react";
+import type { TitleStatus, ReleaseSeason } from "../../api";
+import { ChevronDownIcon, ChevronUpIcon } from "@heroicons/react/24/solid";
+
+export type TitlesFilter = {
+  extSearch: boolean;
+  status: TitleStatus | "";
+  rating: number | "";
+  releaseYear: number | "";
+  releaseSeason: ReleaseSeason | "";
+};
+
+type TitlesFilterPanelProps = {
+  filters: TitlesFilter;
+  setFilters: (filters: TitlesFilter) => void;
+};
+
+const STATUS_OPTIONS: (TitleStatus | "")[] = ["", "planned", "finished", "ongoing"];
+const SEASON_OPTIONS: (ReleaseSeason | "")[] = ["", "winter", "spring", "summer", "fall"];
+const RATING_OPTIONS = ["", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+
+export function TitlesFilterPanel({ filters, setFilters }: TitlesFilterPanelProps) {
+  const [open, setOpen] = useState(false);
+
+  const handleChange = (field: keyof TitlesFilter, value: any) => {
+    setFilters({ ...filters, [field]: value });
+  };
+
+  return (
+    <div className="w-full flex justify-center my-4">
+      <div className="bg-white shadow rounded-lg w-full max-w-3xl p-4">
+        {/* Заголовок панели */}
+        <div
+          className="flex justify-between items-center cursor-pointer"
+          onClick={() => setOpen((prev) => !prev)}
+        >
+          <h3 className="text-lg font-medium">Filters</h3>
+          {open ? <ChevronUpIcon className="w-5 h-5" /> : <ChevronDownIcon className="w-5 h-5" />}
+        </div>
+
+        {/* Контент панели */}
+        {open && (
+          <div className="mt-4 grid grid-cols-2 sm:grid-cols-3 gap-4">
+            {/* Extended Search */}
+            <div className="flex items-center gap-2">
+              <input
+                type="checkbox"
+                id="extSearch"
+                checked={filters.extSearch}
+                onChange={(e) => handleChange("extSearch", e.target.checked)}
+                className="w-4 h-4"
+              />
+              <label htmlFor="extSearch" className="text-sm">
+                Extended Search
+              </label>
+            </div>
+
+            {/* Status */}
+            <div className="flex flex-col">
+              <label htmlFor="status" className="text-sm mb-1">Status</label>
+              <select
+                id="status"
+                value={filters.status}
+                onChange={(e) => handleChange("status", e.target.value || "")}
+                className="border rounded px-2 py-1"
+              >
+                {STATUS_OPTIONS.map((s) => (
+                  <option key={s || "all"} value={s}>{s || "All"}</option>
+                ))}
+              </select>
+            </div>
+
+            {/* Rating */}
+            <div className="flex flex-col">
+              <label htmlFor="rating" className="text-sm mb-1">Rating</label>
+              <select
+                id="rating"
+                value={filters.rating}
+                onChange={(e) => handleChange("rating", e.target.value ? Number(e.target.value) : "")}
+                className="border rounded px-2 py-1"
+              >
+                {RATING_OPTIONS.map((r) => (
+                  <option key={r} value={r}>{r || "All"}</option>
+                ))}
+              </select>
+            </div>
+
+            {/* Release Year */}
+            <div className="flex flex-col">
+              <label htmlFor="releaseYear" className="text-sm mb-1">Release Year</label>
+              <input
+                type="number"
+                id="releaseYear"
+                value={filters.releaseYear || ""}
+                onChange={(e) =>
+                  handleChange("releaseYear", e.target.value ? Number(e.target.value) : "")
+                }
+                className="border rounded px-2 py-1"
+                placeholder="Any"
+              />
+            </div>
+
+            {/* Release Season */}
+            <div className="flex flex-col">
+              <label htmlFor="releaseSeason" className="text-sm mb-1">Release Season</label>
+              <select
+                id="releaseSeason"
+                value={filters.releaseSeason}
+                onChange={(e) => handleChange("releaseSeason", e.target.value || "")}
+                className="border rounded px-2 py-1"
+              >
+                {SEASON_OPTIONS.map((s) => (
+                  <option key={s || "all"} value={s}>{s || "All"}</option>
+                ))}
+              </select>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}

modules/frontend/src/pages/TitlesPage/TitlesPage.tsx

@@ -8,6 +8,7 @@ import { TitleCardHorizontal } from "../../components/cards/TitleCardHorizontal"
 import type { CursorObj, Title, TitleSort } from "../../api";
 import { LayoutSwitch } from "../../components/LayoutSwitch/LayoutSwitch";
 import { Link } from "react-router-dom";
+import { type TitlesFilter, TitlesFilterPanel } from "../../components/TitlesFilterPanel/TitlesFilterPanel";
 
 const PAGE_SIZE = 10;
 
@@ -22,6 +23,14 @@ export default function TitlesPage() {
   const [sortForward, setSortForward] = useState(true);
   const [layout, setLayout] = useState<"square" | "horizontal">("square");
 
+  const [filters, setFilters] = useState<TitlesFilter>({
+    extSearch: false,
+    status: "",
+    rating: "",
+    releaseYear: "",
+    releaseSeason: "",
+  });
+
   const fetchPage = async (cursorObj: CursorObj | null) => {
     const cursorStr = cursorObj ? btoa(JSON.stringify(cursorObj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '') : "";
 
@@ -30,13 +39,14 @@ export default function TitlesPage() {
         cursorStr,
         sort,
         sortForward,
+        filters.extSearch,
         search.trim() || undefined,
-        undefined,
+        filters.status ? [filters.status] : undefined,
-        undefined,
+        filters.rating || undefined,
-        undefined,
+        filters.releaseYear || undefined,
-        undefined,
+        filters.releaseSeason || undefined,
+        PAGE_SIZE,
         PAGE_SIZE,
-        undefined,
         "all"
       );
 
@@ -73,7 +83,7 @@ export default function TitlesPage() {
     };
 
     initLoad();
-  }, [search, sort, sortForward]);
+  }, [search, sort, sortForward, filters]);
 
 
 const handleLoadMore = async () => {
@@ -121,6 +131,7 @@ const handleLoadMore = async () => {
           setSortForward={setSortForward}
         />
       </div>
+       <TitlesFilterPanel filters={filters} setFilters={setFilters} />
 
       {loading && <div className="mt-20 font-medium text-black">Loading...</div>}