1 files changed, 45 insertions, 0 deletions

diff --git a/src/login.rs b/src/login.rs
new file mode 100644
index 0000000..7f0314f
--- /dev/null
+++ b/src/login.rs
@@ -0,0 +1,45 @@
+use axum_extra::extract::cookie;
+
+/// Show a login page.
+async fn get() {
+    todo!()
+}
+
+/// Accept login and start the IndieAuth dance.
+async fn post() {
+    todo!()
+}
+
+/// Accept the return of the IndieAuth dance. Set a cookie for the
+/// required session.
+async fn callback() {
+    todo!()
+}
+
+/// Show the form necessary for logout. If JS is enabled,
+/// automatically POST the form.
+///
+/// This is essentially protection from CSRF and also from some kind
+/// of crawlers working with a user's cookies (wget?). If a crawler is
+/// stupid enough to execute JS and send a POST request though, that's
+/// on the crawler.
+async fn logout_page() {
+    todo!()
+}
+
+/// Erase the necessary cookies for login and invalidate the session.
+async fn logout() {
+    todo!()
+}
+
+/// Produce a router for all of the above.
+fn router(key: cookie::Key) -> axum::routing::Router<cookie::Key> {
+    axum::routing::Router::new()
+        .route("/start", axum::routing::get(get).post(post))
+        .route("/finish", axum::routing::get(callback))
+        .route("/logout", axum::routing::get(logout_page).post(logout))
+        // I'll need some kind of session store here too. It should be
+        // a key from UUIDs (128 bits is enough for a session token)
+        // to at least a URL, if not something more.
+        .with_state(key)
+}