GKaszewski/k-photos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c6f82090d2f4f089cc3faab567643667a89158df
k-photos/crates/domain/src/identity/entities.rs
Gabriel Kaszewski c6f82090d2 feat: auth hardening + codebase quality sweep 
Refresh tokens: RefreshToken entity, PostgresRefreshTokenRepository,
login returns refresh token, POST /auth/refresh (rotation), POST /auth/logout,
JWT expiry 24h→1h, configurable via with_expiry().

Route protection: require_auth middleware on protected routes,
public routes split (register, login, refresh, sharing/access).

Authorization: caller_id added to ReadAssetFileQuery, ReadDerivativeQuery,
GetStackQuery, DeleteStackCommand with ownership checks. Admin-only gates
on processing, storage, sidecar, duplicates handlers.

Quality fixes: visibility filtering bypass in search(), unwrap panics in
date parsing, DRY auth header parsing, centralized parsers module,
email validation via email_address crate, value objects (Username, MimeType,
RelativePath), domain events (UserCreated, UserDeleted, AlbumCreated,
TagCreated, DuplicateDetected), postgres error mapping for constraint
violations, OptionExt::or_not_found helper, in_memory_repo! macro,
GetStackQuery moved to queries, album add_entry 200→201.
2026-05-31 22:26:02 +02:00

223 lines
5.5 KiB
Rust
Raw Blame History

use crate::common::errors::DomainError;
use crate::common::value_objects::{DateTimeStamp, Email, PasswordHash, SystemId};
use chrono::{DateTime, Utc};
use std::collections::HashSet;
// --- Permission ---
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
pub enum PermissionAction {
ReadAsset,
ReadMetadata,
ReadLocation,
ReadPerson,
WriteMetadata,
DeleteAsset,
ManageAccess,
ManageUsers,
ManageSystem,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
pub enum ResourceType {
Asset,
Album,
Collection,
Person,
Directory,
Global,
}
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
pub struct Permission {
pub action: PermissionAction,
pub resource_type: ResourceType,
}
impl Permission {
pub fn new(action: PermissionAction, resource_type: ResourceType) -> Self {
Self {
action,
resource_type,
}
}
}
pub fn viewer_permissions() -> HashSet<Permission> {
HashSet::from([
Permission::new(PermissionAction::ReadAsset, ResourceType::Global),
Permission::new(PermissionAction::ReadMetadata, ResourceType::Global),
])
}
pub fn contributor_permissions() -> HashSet<Permission> {
let mut perms = viewer_permissions();
perms.insert(Permission::new(
PermissionAction::WriteMetadata,
ResourceType::Global,
));
perms
}
pub fn admin_permissions() -> HashSet<Permission> {
let mut perms = contributor_permissions();
perms.insert(Permission::new(
PermissionAction::DeleteAsset,
ResourceType::Global,
));
perms.insert(Permission::new(
PermissionAction::ManageAccess,
ResourceType::Global,
));
perms.insert(Permission::new(
PermissionAction::ManageUsers,
ResourceType::Global,
));
perms.insert(Permission::new(
PermissionAction::ManageSystem,
ResourceType::Global,
));
perms.insert(Permission::new(
PermissionAction::ReadLocation,
ResourceType::Global,
));
perms.insert(Permission::new(
PermissionAction::ReadPerson,
ResourceType::Global,
));
perms
}
// --- Role ---
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct Role {
pub role_id: SystemId,
pub name: String,
pub permissions: HashSet<Permission>,
pub is_system_default: bool,
}
impl Role {
pub fn new(
name: impl Into<String>,
permissions: HashSet<Permission>,
is_system_default: bool,
) -> Self {
Self {
role_id: SystemId::new(),
name: name.into(),
permissions,
is_system_default,
}
}
pub fn has_permission(&self, action: PermissionAction, resource_type: ResourceType) -> bool {
self.permissions
.contains(&Permission::new(action, resource_type))
}
}
// --- User ---
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct User {
pub id: SystemId,
pub username: String,
pub email: Email,
pub password_hash: PasswordHash,
pub created_at: DateTime<Utc>,
}
impl User {
pub fn new(username: impl Into<String>, email: Email, password_hash: PasswordHash) -> Self {
Self {
id: SystemId::new(),
username: username.into(),
email,
password_hash,
created_at: Utc::now(),
}
}
}
// --- RefreshToken ---
#[derive(Debug, Clone)]
pub struct RefreshToken {
pub token_id: SystemId,
pub user_id: SystemId,
pub token_hash: String,
pub expires_at: DateTimeStamp,
pub revoked: bool,
pub created_at: DateTimeStamp,
}
impl RefreshToken {
pub fn new(user_id: SystemId, token_hash: String, expires_at: DateTimeStamp) -> Self {
Self {
token_id: SystemId::new(),
user_id,
token_hash,
expires_at,
revoked: false,
created_at: DateTimeStamp::now(),
}
}
pub fn is_valid(&self) -> bool {
!self.revoked && *self.expires_at.as_datetime() > Utc::now()
}
}
// --- Group ---
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
pub struct Group {
pub group_id: SystemId,
pub name: String,
pub owner_user_id: SystemId,
pub members: HashSet<SystemId>,
}
impl Group {
pub fn new(name: impl Into<String>, owner_user_id: SystemId) -> Self {
let mut members = HashSet::new();
members.insert(owner_user_id);
Self {
group_id: SystemId::new(),
name: name.into(),
owner_user_id,
members,
}
}
pub fn add_member(&mut self, user_id: SystemId) -> Result<(), DomainError> {
if self.members.contains(&user_id) {
return Err(DomainError::Conflict(format!(
"User {user_id} is already a member"
)));
}
self.members.insert(user_id);
Ok(())
}
pub fn remove_member(&mut self, user_id: SystemId) -> Result<(), DomainError> {
if user_id == self.owner_user_id {
return Err(DomainError::Validation(
"Cannot remove the group owner".to_string(),
));
}
if !self.members.remove(&user_id) {
return Err(DomainError::NotFound(format!(
"User {user_id} is not a member"
)));
}
Ok(())
}
pub fn is_member(&self, user_id: &SystemId) -> bool {
self.members.contains(user_id)
}
}
Reference in New Issue View Git Blame Copy Permalink