feat(manager-core,picloud): bearer pic_ keys land in Principal

* auth_middleware: split into resolve_principal → verify_session OR verify_api_key (selected by the pic_ prefix). Both paths converge on Principal as the request extension; require_admin keeps working as a #[deprecated] alias for require_authenticated. AuthState gains an api_keys repo; the cookie path is unchanged. * api-key path takes the first 8 chars after pic_ as the indexed lookup key, Argon2-verifies each candidate, soft-rejects deactivated users, and updates last_used_at inline. * auth_api: /auth/me now consumes Extension<Principal> and re-fetches the user row so username updates surface immediately. * picloud: AuthDeps + AuthState wired with PostgresApiKeyRepository; the layer call switches to require_authenticated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 21:55:38 +02:00
parent 44db8d107a
commit 5f7ddd23ab
4 changed files with 245 additions and 53 deletions
--- a/crates/manager-core/src/auth_api.rs
+++ b/crates/manager-core/src/auth_api.rs
@@ -22,8 +22,10 @@ use picloud_shared::AdminUserId;
 use serde::{Deserialize, Serialize};
 use serde_json::json;

+use picloud_shared::Principal;
+
 use crate::auth::{generate_session_token, hash_token, verify_password};
-use crate::auth_middleware::{require_admin, AuthState, AuthedAdmin, SESSION_COOKIE};
+use crate::auth_middleware::{require_authenticated, AuthState, SESSION_COOKIE};

 pub fn auth_router(state: AuthState) -> Router {
    // /login + /logout are unguarded (login is how you get in; logout
@@ -31,7 +33,7 @@ pub fn auth_router(state: AuthState) -> Router {
    // who you are, so the middleware must run first.
    let guarded = Router::new()
        .route("/auth/me", get(me))
-        .route_layer(from_fn_with_state(state.clone(), require_admin));
+        .route_layer(from_fn_with_state(state.clone(), require_authenticated));

    Router::new()
        .route("/auth/login", post(login))
@@ -158,11 +160,22 @@ async fn logout(State(state): State<AuthState>, req: Request<Body>) -> Response
    (StatusCode::NO_CONTENT, headers).into_response()
 }

-async fn me(Extension(admin): Extension<AuthedAdmin>) -> Json<AdminUserDto> {
-    Json(AdminUserDto {
-        id: admin.id,
-        username: admin.username,
-    })
+async fn me(State(state): State<AuthState>, Extension(principal): Extension<Principal>) -> Response {
+    // /me consumes the resolved Principal directly; we re-fetch the
+    // user row only to surface a fresh username (it can change via
+    // PATCH while a session/key is still valid).
+    match state.users.get(principal.user_id).await {
+        Ok(Some(row)) => Json(AdminUserDto {
+            id: row.id,
+            username: row.username,
+        })
+        .into_response(),
+        Ok(None) => invalid_credentials(),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup for /me failed");
+            internal_error()
+        }
+    }
 }

 // ----------------------------------------------------------------------------