feat: auth hardening + codebase quality sweep

Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository, login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout, JWT expiry 24h→1h, configurable via with_expiry(). Route protection: require_auth middleware on protected routes, public routes split (register, login, refresh, sharing/access). Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery, GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates on processing, storage, sidecar, duplicates handlers. Quality fixes: visibility filtering bypass in search(), unwrap panics in date parsing, DRY auth header parsing, centralized parsers module, email validation via email_address crate, value objects (Username, MimeType, RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated, TagCreated, DuplicateDetected), postgres error mapping for constraint violations, OptionExt::or_not_found helper, in_memory_repo! macro, GetStackQuery moved to queries, album add_entry 200→201.
2026-05-31 22:26:02 +02:00
parent 84fb410316
commit c6f82090d2
71 changed files with 2311 additions and 563 deletions
--- a/crates/presentation/src/extractors/auth.rs
+++ b/crates/presentation/src/extractors/auth.rs
@@ -1,12 +1,6 @@
-use crate::state::AppState;
-use axum::{
-    Json,
-    extract::FromRequestParts,
-    http::{StatusCode, request::Parts},
-    response::{IntoResponse, Response},
-};
+use crate::{middleware::auth::extract_bearer_token, state::AppState};
+use axum::{extract::FromRequestParts, http::request::Parts, response::Response};
 use domain::value_objects::SystemId;
-use serde_json::json;

 pub struct JwtClaims {
    pub user_id: SystemId,
@@ -20,30 +14,13 @@ impl FromRequestParts<AppState> for JwtClaims {
        parts: &mut Parts,
        state: &AppState,
    ) -> Result<Self, Self::Rejection> {
-        let auth_header = parts
-            .headers
-            .get(axum::http::header::AUTHORIZATION)
-            .and_then(|v| v.to_str().ok())
-            .ok_or_else(|| {
-                (
-                    StatusCode::UNAUTHORIZED,
-                    Json(json!({ "error": "Missing Authorization header" })),
-                )
-                    .into_response()
-            })?;
-
-        let token = auth_header.strip_prefix("Bearer ").ok_or_else(|| {
-            (
-                StatusCode::UNAUTHORIZED,
-                Json(json!({ "error": "Invalid Authorization format" })),
-            )
-                .into_response()
-        })?;
+        let token = extract_bearer_token(&parts.headers)?;

        let (user_id, role) = state.token_issuer.verify(token).await.map_err(|_| {
+            use axum::{Json, http::StatusCode, response::IntoResponse};
            (
                StatusCode::UNAUTHORIZED,
-                Json(json!({ "error": "Invalid or expired token" })),
+                Json(serde_json::json!({ "error": "Invalid or expired token" })),
            )
                .into_response()
        })?;