feat: CORS, role in auth, banner_url, diary sort, cleanup

- CORS layer on API routes via CORS_ORIGINS env var
- role field in login + profile responses
- banner_url in profile response
- diary sort_by: rating_desc/rating_asc/date_asc/date_desc
- UserRole::as_str() to deduplicate role mapping
- typed DTOs for import preview (replace ad-hoc JSON)
- warn on invalid CORS origins

crates/api-types/src/auth.rs

@@ -13,6 +13,7 @@ pub struct LoginResponse {
     pub user_id: Uuid,
     pub email: String,
     pub expires_at: String,
+    pub role: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]

crates/api-types/src/import.rs

@@ -45,3 +45,35 @@ pub struct SaveProfileRequest {
     /// Human-readable profile name (e.g. "Letterboxd")
     pub name: String,
 }
+
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
+#[serde(tag = "status")]
+pub enum PreviewRowDto {
+    #[serde(rename = "valid")]
+    Valid {
+        index: usize,
+        title: Option<String>,
+        release_year: Option<String>,
+        director: Option<String>,
+        rating: Option<String>,
+        watched_at: Option<String>,
+        comment: Option<String>,
+    },
+    #[serde(rename = "duplicate")]
+    Duplicate {
+        index: usize,
+        title: Option<String>,
+        release_year: Option<String>,
+        director: Option<String>,
+        rating: Option<String>,
+        watched_at: Option<String>,
+        comment: Option<String>,
+    },
+    #[serde(rename = "invalid")]
+    Invalid { index: usize, errors: Vec<String> },
+}
+
+#[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]
+pub struct ImportPreviewResponse {
+    pub rows: Vec<PreviewRowDto>,
+}

crates/api-types/src/users.rs

@@ -82,6 +82,8 @@ pub struct ProfileResponse {
     pub username: String,
     pub bio: Option<String>,
     pub avatar_url: Option<String>,
+    pub banner_url: Option<String>,
+    pub role: String,
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, utoipa::ToSchema)]

crates/application/src/auth/login.rs

@@ -10,6 +10,7 @@ pub struct LoginResult {
     pub user_id: Uuid,
     pub email: String,
     pub expires_at: DateTime<Utc>,
+    pub role: String,
 }
 
 pub async fn execute(ctx: &AppContext, query: LoginQuery) -> Result<LoginResult, DomainError> {
@@ -37,6 +38,7 @@ pub async fn execute(ctx: &AppContext, query: LoginQuery) -> Result<LoginResult,
         user_id: user.id().value(),
         email: user.email().value().to_string(),
         expires_at: generated.expires_at,
+        role: user.role().as_str().into(),
     })
 }
 

crates/application/src/users/get_current_profile.rs

@@ -6,6 +6,8 @@ pub struct CurrentProfileData {
     pub username: String,
     pub bio: Option<String>,
     pub avatar_url: Option<String>,
+    pub banner_url: Option<String>,
+    pub role: String,
 }
 
 pub async fn execute(
@@ -23,10 +25,15 @@ pub async fn execute(
     let avatar_url = user
         .avatar_path()
         .map(|path| format!("{}/images/{}", ctx.config.base_url, path));
+    let banner_url = user
+        .banner_path()
+        .map(|path| format!("{}/images/{}", ctx.config.base_url, path));
 
     Ok(CurrentProfileData {
         username: user.username().value().to_string(),
         bio: user.bio().map(|s| s.to_string()),
         avatar_url,
+        banner_url,
+        role: user.role().as_str().into(),
     })
 }

crates/domain/src/models/mod.rs

@@ -317,6 +317,15 @@ pub enum UserRole {
     Admin,
 }
 
+impl UserRole {
+    pub fn as_str(&self) -> &'static str {
+        match self {
+            Self::Standard => "standard",
+            Self::Admin => "admin",
+        }
+    }
+}
+
 #[derive(Debug, Clone)]
 pub struct ProfileField {
     pub name: String,

crates/presentation/Cargo.toml

@@ -24,7 +24,7 @@ postgres-federation = [
 ]
 
 [dependencies]
-tower-http = { version = "0.6.8", features = ["fs", "trace", "tracing"] }
+tower-http = { version = "0.6.8", features = ["cors", "fs", "trace", "tracing"] }
 infer = "0.19.0"
 percent-encoding = "2"
 axum-governor = "2"

crates/presentation/src/forms.rs

@@ -251,12 +251,11 @@ pub fn to_diary_query(p: DiaryQueryParams) -> GetDiaryQuery {
     GetDiaryQuery {
         limit: p.limit,
         offset: p.offset,
-        sort_by: p.sort_by.as_deref().map(|s| {
+        sort_by: p.sort_by.as_deref().map(|s| match s {
-            if s == "asc" {
+            "date_asc" | "asc" => SortDirection::Ascending,
-                SortDirection::Ascending
+            "rating_desc" => SortDirection::ByRatingDesc,
-            } else {
+            "rating_asc" => SortDirection::ByRatingAsc,
-                SortDirection::Descending
+            _ => SortDirection::Descending,
-            }
         }),
         movie_id: p.movie_id,
         user_id: None,

crates/presentation/src/handlers/import.rs

@@ -1,6 +1,6 @@
 use api_types::{
-    ApplyMappingRequest, ConfirmRequest, SaveProfileRequest, SessionCreatedResponse,
+    ApplyMappingRequest, ConfirmRequest, ImportPreviewResponse, PreviewRowDto, SaveProfileRequest,
-    SessionStateResponse,
+    SessionCreatedResponse, SessionStateResponse,
 };
 use axum::{
     Extension, Form,
@@ -34,6 +34,7 @@ use template_askama::{
 
 use crate::{
     csrf::CsrfToken,
+    errors::ApiError,
     extractors::{AuthenticatedUser, RequiredCookieUser},
     state::AppState,
 };
@@ -639,64 +640,62 @@ pub async fn api_get_preview(
     State(state): State<AppState>,
     AuthenticatedUser(user_id): AuthenticatedUser,
     Path(session_id_str): Path<String>,
-) -> impl IntoResponse {
+) -> Result<axum::Json<ImportPreviewResponse>, ApiError> {
-    let Ok(session_id) = session_id_str
+    let session_id = session_id_str
         .parse::<uuid::Uuid>()
         .map(ImportSessionId::from_uuid)
-    else {
+        .map_err(|_| {
-        return (
+            ApiError(domain::errors::DomainError::ValidationError(
-            StatusCode::BAD_REQUEST,
+                "invalid session id".into(),
-            axum::Json(serde_json::json!({"error": "invalid session id"})),
+            ))
-        )
+        })?;
-            .into_response();
+
-    };
+    let session = state
-    match state
         .app_ctx
         .repos
         .import_session
         .get(&session_id, &user_id)
-        .await
+        .await?
-    {
+        .ok_or_else(|| {
-        Ok(Some(session)) => {
+            ApiError(domain::errors::DomainError::NotFound(
-            let annotated: Vec<domain::models::AnnotatedRow> =
+                "session not found".into(),
-                session.row_results.unwrap_or_default();
+            ))
-            let rows: Vec<serde_json::Value> = annotated
+        })?;
+
+    let annotated: Vec<AnnotatedRow> = session.row_results.unwrap_or_default();
+    let rows = annotated
         .iter()
         .enumerate()
         .map(|(i, a)| {
             use domain::models::import::RowResult;
             match &a.result {
-                        RowResult::Valid(row) => serde_json::json!({
+                RowResult::Valid(row) if a.is_duplicate => PreviewRowDto::Duplicate {
-                            "index": i,
+                    index: i,
-                            "status": if a.is_duplicate { "duplicate" } else { "valid" },
+                    title: row.title.clone(),
-                            "title": row.title,
+                    release_year: row.release_year.clone(),
-                            "release_year": row.release_year,
+                    director: row.director.clone(),
-                            "director": row.director,
+                    rating: row.rating.clone(),
-                            "rating": row.rating,
+                    watched_at: row.watched_at.clone(),
-                            "watched_at": row.watched_at,
+                    comment: row.comment.clone(),
-                            "comment": row.comment,
+                },
-                        }),
+                RowResult::Valid(row) => PreviewRowDto::Valid {
-                        RowResult::Invalid { errors, .. } => serde_json::json!({
+                    index: i,
-                            "index": i,
+                    title: row.title.clone(),
-                            "status": "invalid",
+                    release_year: row.release_year.clone(),
-                            "errors": errors,
+                    director: row.director.clone(),
-                        }),
+                    rating: row.rating.clone(),
+                    watched_at: row.watched_at.clone(),
+                    comment: row.comment.clone(),
+                },
+                RowResult::Invalid { errors, .. } => PreviewRowDto::Invalid {
+                    index: i,
+                    errors: errors.clone(),
+                },
             }
         })
         .collect();
-            axum::Json(serde_json::json!({ "rows": rows })).into_response()
+
-        }
+    Ok(axum::Json(ImportPreviewResponse { rows }))
-        Ok(None) => (
-            StatusCode::NOT_FOUND,
-            axum::Json(serde_json::json!({"error": "session not found"})),
-        )
-            .into_response(),
-        Err(e) => (
-            StatusCode::INTERNAL_SERVER_ERROR,
-            axum::Json(serde_json::json!({"error": e.to_string()})),
-        )
-            .into_response(),
-    }
 }
 
 #[utoipa::path(

crates/presentation/src/routes.rs

@@ -264,7 +264,16 @@ fn cors_layer() -> CorsLayer {
     } else {
         let parsed: Vec<_> = origins
             .split(',')
-            .filter_map(|s| s.trim().parse().ok())
+            .filter_map(|s| {
+                let trimmed = s.trim();
+                match trimmed.parse() {
+                    Ok(v) => Some(v),
+                    Err(e) => {
+                        tracing::warn!("ignoring invalid CORS origin {trimmed:?}: {e}");
+                        None
+                    }
+                }
+            })
             .collect();
         layer
             .allow_origin(AllowOrigin::list(parsed))