tyto/backend/internal/auth/local.go

package auth

import (
	"context"

	"tyto/internal/database"
)

// LocalProvider handles local username/password authentication.
type LocalProvider struct {
	db database.Database
}

// NewLocalProvider creates a new local authentication provider.
func NewLocalProvider(db database.Database) *LocalProvider {
	return &LocalProvider{db: db}
}

// Name returns the provider name.
func (p *LocalProvider) Name() string {
	return "local"
}

// Available returns true (local auth is always available).
func (p *LocalProvider) Available() bool {
	return true
}

// Authenticate validates username and password against local database.
func (p *LocalProvider) Authenticate(ctx context.Context, username, password string) (*database.User, error) {
	user, err := p.db.GetUserByUsername(ctx, username)
	if err != nil {
		return nil, err
	}

	if user == nil {
		return nil, ErrUserNotFound
	}

	// Only authenticate local users
	if user.AuthProvider != database.AuthProviderLocal {
		return nil, ErrInvalidCredentials
	}

	// Verify password
	if !CheckPassword(password, user.PasswordHash) {
		return nil, ErrInvalidCredentials
	}

	return user, nil
}