feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository, login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout, JWT expiry 24h→1h, configurable via with_expiry(). Route protection: require_auth middleware on protected routes, public routes split (register, login, refresh, sharing/access). Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery, GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates on processing, storage, sidecar, duplicates handlers. Quality fixes: visibility filtering bypass in search(), unwrap panics in date parsing, DRY auth header parsing, centralized parsers module, email validation via email_address crate, value objects (Username, MimeType, RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated, TagCreated, DuplicateDetected), postgres error mapping for constraint violations, OptionExt::or_not_found helper, in_memory_repo! macro, GetStackQuery moved to queries, album add_entry 200→201.
2026-05-31 22:26:02 +02:00
parent 84fb410316
commit c6f82090d2
71 changed files with 2311 additions and 563 deletions
--- a/crates/domain/src/catalog/entities.rs
+++ b/crates/domain/src/catalog/entities.rs
@@ -54,6 +54,17 @@ impl Asset {
    }
 }

+// --- AssetFilters ---
+
+#[derive(Default)]
+pub struct AssetFilters {
+    pub asset_type: Option<AssetType>,
+    pub mime_type: Option<String>,
+    pub date_from: Option<DateTimeStamp>,
+    pub date_to: Option<DateTimeStamp>,
+    pub is_processed: Option<bool>,
+}
+
 // --- AssetMetadata ---

 #[derive(
--- a/crates/domain/src/catalog/ports.rs
+++ b/crates/domain/src/catalog/ports.rs
@@ -1,6 +1,6 @@
 use super::entities::{
-    Asset, AssetMetadata, AssetStack, DerivativeAsset, DerivativeProfile, DuplicateGroup,
-    MetadataSource,
+    Asset, AssetFilters, AssetMetadata, AssetStack, DerivativeAsset, DerivativeProfile,
+    DuplicateGroup, MetadataSource,
 };
 use crate::common::errors::DomainError;
 use crate::common::value_objects::{Checksum, StructuredData, SystemId};
@@ -19,6 +19,13 @@ pub trait AssetRepository: Send + Sync {
        limit: u32,
        offset: u32,
    ) -> Result<Vec<Asset>, DomainError>;
+    async fn search(
+        &self,
+        owner_id: &SystemId,
+        filters: &AssetFilters,
+        limit: u32,
+        offset: u32,
+    ) -> Result<Vec<Asset>, DomainError>;
    async fn save(&self, asset: &Asset) -> Result<(), DomainError>;
    async fn delete(&self, id: &SystemId) -> Result<(), DomainError>;
 }