feat(manager-core,picloud): expose instance_role + email on /auth/me

Login and /auth/me now return the same shape — id, username, instance_role, email — so the dashboard can gate UI on role from either the login response or the layout's me() refetch without an extra round-trip. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-27 07:39:06 +02:00
parent 2aab92af31
commit 3688c26cb4
2 changed files with 47 additions and 6 deletions
--- a/crates/manager-core/src/auth_api.rs
+++ b/crates/manager-core/src/auth_api.rs
@@ -18,7 +18,7 @@ use axum::response::{IntoResponse, Json, Response};
 use axum::routing::{get, post};
 use axum::Router;
 use chrono::{DateTime, Duration as ChronoDuration, Utc};
-use picloud_shared::AdminUserId;
+use picloud_shared::{AdminUserId, InstanceRole};
 use serde::{Deserialize, Serialize};
 use serde_json::json;

@@ -63,6 +63,8 @@ pub struct LoginResponse {
 pub struct AdminUserDto {
    pub id: AdminUserId,
    pub username: String,
+    pub instance_role: InstanceRole,
+    pub email: Option<String>,
 }

 // ----------------------------------------------------------------------------
@@ -87,9 +89,11 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
        }
    };

-    let (stored_hash, user_id, username, is_active) = match creds {
-        Some(c) => (c.password_hash, Some(c.id), c.username, c.is_active),
-        None => (DUMMY_HASH.to_string(), None, String::new(), false),
+    // username from creds is discarded — the re-fetch below carries the
+    // canonical row used in the response DTO.
+    let (stored_hash, user_id, is_active) = match creds {
+        Some(c) => (c.password_hash, Some(c.id), c.is_active),
+        None => (DUMMY_HASH.to_string(), None, false),
    };

    let password_ok = verify_password(&stored_hash, &input.password);
@@ -98,6 +102,18 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
    }
    let user_id = user_id.unwrap();

+    // Re-fetch the full row so the login response carries the same
+    // shape /me does (instance_role, email). The credentials struct
+    // intentionally omits email; one extra query per login is fine.
+    let user_row = match state.users.get(user_id).await {
+        Ok(Some(row)) => row,
+        Ok(None) => return invalid_credentials(),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup after login failed");
+            return internal_error();
+        }
+    };
+
    let token = generate_session_token();
    let expires_at = Utc::now()
        + ChronoDuration::from_std(state.ttl).unwrap_or_else(|_| ChronoDuration::hours(24));
@@ -130,8 +146,10 @@ async fn login(State(state): State<AuthState>, Json(input): Json<LoginRequest>)
        headers,
        Json(LoginResponse {
            user: AdminUserDto {
-                id: user_id,
-                username,
+                id: user_row.id,
+                username: user_row.username,
+                instance_role: user_row.instance_role,
+                email: user_row.email,
            },
            token: token.raw,
            expires_at,
@@ -171,6 +189,8 @@ async fn me(
        Ok(Some(row)) => Json(AdminUserDto {
            id: row.id,
            username: row.username,
+            instance_role: row.instance_role,
+            email: row.email,
        })
        .into_response(),
        Ok(None) => invalid_credentials(),