GKaszewski/k-photos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: auth hardening + codebase quality sweep

Browse Source 
Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.
This commit is contained in:
Gabriel Kaszewski
2026-05-31 22:26:02 +02:00
parent 84fb410316
commit c6f82090d2
71 changed files with 2311 additions and 563 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
crates/application/tests/catalog/queries/read_asset_file.rs
View File

@@ -17,7 +17,8 @@ async fn reads_file_successfully() {
relative_path: "photos/inbox/cat.jpg".into(),
checksum: Checksum::new("a".repeat(64)).unwrap(),
};
let asset = Asset::new(source, AssetType::Image, "image/jpeg", 512, SystemId::new());
let owner_id = SystemId::new();
let asset = Asset::new(source, AssetType::Image, "image/jpeg", 512, owner_id);
asset_repo.save(&asset).await.unwrap();
let file_data = Bytes::from(vec![0xFFu8; 512]);
@@ -30,6 +31,7 @@ async fn reads_file_successfully() {
let result = handler
.execute(ReadAssetFileQuery {
asset_id: asset.asset_id,
caller_id: owner_id,
})
.await
.unwrap();
@@ -48,6 +50,7 @@ async fn rejects_nonexistent_asset() {
let result = handler
.execute(ReadAssetFileQuery {
asset_id: SystemId::new(),
caller_id: SystemId::new(),
})
.await;