untitaker
diff --git a/‎Cargo.lock
+109 b/‎Cargo.lock
+109
diff --git a/‎Cargo.toml
+2 b/‎Cargo.toml
+2
diff --git a/‎src/auth.rs
+33 b/‎src/auth.rs
+33
diff --git a/‎src/error.rs
+12-3 b/‎src/error.rs
+12-3
@@ -28,3 +28,5 @@ maud = "0.26.0"
 sentry = { version = "0.34.0", features = ["tracing", "reqwest", "rustls"], default-features = false }
 tracing = "0.1.40"
 tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
+tower-sessions = "0.13.0"
+time = "0.3.36"
@@ -0,0 +1,33 @@
+use axum::async_trait;
+use axum::extract::FromRequestParts;
+use axum::http::{request::Parts, StatusCode};
+use tower_sessions::Session;
+
+use crate::AccountPk;
+use crate::ResponseError;
+
+pub const SESSION_COOKIE_KEY: &str = "auth";
+
+pub struct LoggedIn {
+    pub account: Option<AccountPk>,
+}
+
+impl LoggedIn {
+    pub fn account(&self) -> Result<AccountPk, ResponseError> {
+        self.account.clone().ok_or(ResponseError::NeedsAuth)
+    }
+}
+
+#[async_trait]
+impl<S> FromRequestParts<S> for LoggedIn
+where
+    S: Send + Sync,
+{
+    type Rejection = (StatusCode, &'static str);
+
+    async fn from_request_parts(req: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let session = Session::from_request_parts(req, state).await?;
+        let account: Option<AccountPk> = session.get(SESSION_COOKIE_KEY).await.unwrap();
+        Ok(LoggedIn { account })
+    }
+}
@@ -1,6 +1,6 @@
 use axum::{
     http::StatusCode,
-    response::{IntoResponse, Response},
+    response::{IntoResponse, Redirect, Response},
 };
 use reqwest::header::InvalidHeaderValue;
 use tokio::task::JoinError;
@@ -17,11 +17,20 @@ pub enum ResponseError {
     InvalidHeader(#[from] InvalidHeaderValue),
     #[error("invalid JSON input: {0}")]
     Json(#[from] serde_json::Error),
+    #[error("failed to update session")]
+    Session(#[from] tower_sessions::session::Error),
+    #[error("no login found")]
+    NeedsAuth,
 }
 
 impl IntoResponse for ResponseError {
     fn into_response(self) -> Response {
-        tracing::error!("error while serving request: {}", self);
-        (StatusCode::INTERNAL_SERVER_ERROR, format!("{}\n", self)).into_response()
+        match self {
+            ResponseError::NeedsAuth => Redirect::to("/").into_response(),
+            _ => {
+                tracing::error!("error while serving request: {}", self);
+                (StatusCode::INTERNAL_SERVER_ERROR, format!("{}\n", self)).into_response()
+            }
+        }
     }
 }