Two bugs surfaced while running the new E2E suite, plus a small test hook:
- jwt.rs: add a per-token `jti: Uuid` claim. Without it, two `create_token`
calls in the same wall-clock second for the same (sub, role, event_id)
produced identical JWT bytes — and identical sha256(token) hashes —
which then collided on `session.token_hash UNIQUE` with a 500. Manifests
in real use when an admin clicks "Anmelden" twice fast.
- auth/handlers.rs: reject display names containing 0x00. Postgres rejects
NUL in TEXT columns with `invalid byte sequence for encoding "UTF8"` and
the request leaks back as a 500. Now returns 400 with a clean message.
- handlers/test_admin.rs + main.rs: new POST /api/v1/admin/__truncate route,
compiled in always but only **registered** when EVENTSNAP_TEST_MODE=1 is
set on startup. Truncates every event-scoped table, reseeds config from
migration defaults, wipes media on disk, and clears the in-memory rate
limiter. RequireAdmin-gated so it's not anonymous even in test mode. In
production builds (no env var) the route returns 404 — verified by the
startup log message.
- services/rate_limiter.rs: add `clear()` so the truncate handler can wipe
the in-memory window map between tests.
- Dockerfile: bump rust:1.87 → rust:1.88 (current dep tree needs it) and
COPY ./migrations into the build context so the `sqlx::migrate!()` macro
can resolve at compile time.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
05f76514a2