feat(manager-core): admin auth gate (Phase 3a)

Closes the regression risk of the admin API and dashboard being open
to anyone reaching the bound port. Required foundation before v1.1
data-plane services land.

Per-user accounts (admin_users), Argon2id passwords, env-var bootstrap
of the first admin that becomes inert once any admin exists, opaque
32-byte session token doubling as bearer credential, 24h sliding TTL
configurable via PICLOUD_SESSION_TTL_HOURS. is_active column lets
admins be deactivated without losing audit history; last-active-admin
guard on DELETE and on PATCH that flips is_active to false (sessions
also wiped on deactivation).

require_admin middleware fronts every /api/v1/admin/* route. The data
plane (/api/v1/execute/{id}), /healthz, /version, and user routes
stay open. picloud admin reset-password <username> subcommand handles
recovery without going through HTTP.

Dashboard gains /admin/login and /admin/admins surfaces, a top-bar
user menu, and a token store with a localStorage echo so refreshes
don't sign you out. Cookie-based auth works in parallel for non-SPA
clients.

Forward compatibility: future RBAC tables (admin_roles,
admin_user_roles) join on admin_users.id; the auth middleware is the
seam where role checks slot in. Email, 2FA, passkeys, and personal
API tokens are all additive without touching admin_users.

Blueprint §11.4 updated to reflect what actually shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

crates/manager-core/src/auth_middleware.rs

@@ -0,0 +1,185 @@
+//! `require_admin` axum middleware: gates a router on a valid admin
+//! session. Accepts the token from either the `picloud_session` cookie
+//! or an `Authorization: Bearer …` header — same token system serves
+//! the dashboard and CLI/CI clients.
+//!
+//! On success, injects `AuthedAdmin` as a request extension so handlers
+//! can `Extension<AuthedAdmin>` to know who's calling. On failure,
+//! returns 401 with a generic JSON body (no enumeration about whether
+//! the token was wrong vs. the user was deactivated).
+
+use std::sync::Arc;
+use std::time::Duration;
+
+use axum::body::Body;
+use axum::extract::{Request, State};
+use axum::http::{header, StatusCode};
+use axum::middleware::Next;
+use axum::response::{IntoResponse, Json, Response};
+use chrono::Utc;
+use picloud_shared::AdminUserId;
+use serde_json::json;
+
+use crate::admin_session_repo::AdminSessionRepository;
+use crate::admin_user_repo::AdminUserRepository;
+use crate::auth::hash_token;
+
+pub const SESSION_COOKIE: &str = "picloud_session";
+
+/// Shared state for auth: the two repos plus the configured sliding
+/// session TTL. Cheap to clone (`Arc` everywhere).
+#[derive(Clone)]
+pub struct AuthState {
+    pub users: Arc<dyn AdminUserRepository>,
+    pub sessions: Arc<dyn AdminSessionRepository>,
+    pub ttl: Duration,
+}
+
+/// Request-extension type that authenticated handlers extract via
+/// `Extension<AuthedAdmin>`. Available only inside guarded routers.
+#[derive(Debug, Clone)]
+pub struct AuthedAdmin {
+    pub id: AdminUserId,
+    pub username: String,
+}
+
+/// Middleware function. Wire with
+/// `axum::middleware::from_fn_with_state(auth_state, require_admin)`.
+pub async fn require_admin(
+    State(state): State<AuthState>,
+    mut req: Request<Body>,
+    next: Next,
+) -> Response {
+    let Some(token) = extract_token(&req) else {
+        return unauthorized();
+    };
+    let token_hash = hash_token(&token);
+
+    let lookup = match state.sessions.lookup(&token_hash).await {
+        Ok(Some(lookup)) => lookup,
+        Ok(None) => return unauthorized(),
+        Err(err) => {
+            tracing::error!(?err, "admin_sessions lookup failed");
+            return internal_error();
+        }
+    };
+
+    // Resolve the user. A deleted user is impossible here (FK cascade
+    // wipes their sessions), but a deactivated user still needs to be
+    // rejected — and so does the edge case of a session predating the
+    // deactivate (we wipe their sessions on deactivate, but a race
+    // could land a request in flight).
+    let user = match state.users.get(lookup.user_id).await {
+        Ok(Some(u)) if u.is_active => u,
+        Ok(_) => return unauthorized(),
+        Err(err) => {
+            tracing::error!(?err, "admin_users lookup failed");
+            return internal_error();
+        }
+    };
+
+    // Sliding window bump. Inline (not fire-and-forget) so a DB blip
+    // surfaces as a request error rather than silent stale sessions.
+    let new_expires_at = Utc::now() + chrono::Duration::from_std(state.ttl).unwrap_or_default();
+    if let Err(err) = state.sessions.touch(&token_hash, new_expires_at).await {
+        tracing::error!(?err, "admin_sessions touch failed");
+        return internal_error();
+    }
+
+    req.extensions_mut().insert(AuthedAdmin {
+        id: user.id,
+        username: user.username,
+    });
+    next.run(req).await
+}
+
+/// Pull the bearer token out of an `Authorization` header (preferred)
+/// or the `picloud_session` cookie (fallback for browser clients).
+fn extract_token(req: &Request<Body>) -> Option<String> {
+    if let Some(value) = req.headers().get(header::AUTHORIZATION) {
+        if let Ok(s) = value.to_str() {
+            if let Some(token) = s.strip_prefix("Bearer ") {
+                let trimmed = token.trim();
+                if !trimmed.is_empty() {
+                    return Some(trimmed.to_string());
+                }
+            }
+        }
+    }
+    if let Some(value) = req.headers().get(header::COOKIE) {
+        if let Ok(s) = value.to_str() {
+            for chunk in s.split(';') {
+                let chunk = chunk.trim();
+                if let Some(rest) = chunk.strip_prefix(&format!("{SESSION_COOKIE}=")) {
+                    if !rest.is_empty() {
+                        return Some(rest.to_string());
+                    }
+                }
+            }
+        }
+    }
+    None
+}
+
+fn unauthorized() -> Response {
+    (
+        StatusCode::UNAUTHORIZED,
+        Json(json!({ "error": "authentication required" })),
+    )
+        .into_response()
+}
+
+fn internal_error() -> Response {
+    (
+        StatusCode::INTERNAL_SERVER_ERROR,
+        Json(json!({ "error": "internal error" })),
+    )
+        .into_response()
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use axum::http::Request;
+
+    fn req_with_header(name: &str, value: &str) -> Request<Body> {
+        Request::builder()
+            .header(name, value)
+            .body(Body::empty())
+            .unwrap()
+    }
+
+    #[test]
+    fn extracts_bearer_token() {
+        let r = req_with_header("authorization", "Bearer abc123");
+        assert_eq!(extract_token(&r).as_deref(), Some("abc123"));
+    }
+
+    #[test]
+    fn ignores_bearer_with_no_token() {
+        let r = req_with_header("authorization", "Bearer ");
+        assert_eq!(extract_token(&r), None);
+    }
+
+    #[test]
+    fn extracts_cookie_token() {
+        let r = req_with_header("cookie", "foo=bar; picloud_session=xyz; baz=qux");
+        assert_eq!(extract_token(&r).as_deref(), Some("xyz"));
+    }
+
+    #[test]
+    fn bearer_wins_over_cookie() {
+        let r = Request::builder()
+            .header("authorization", "Bearer header-token")
+            .header("cookie", "picloud_session=cookie-token")
+            .body(Body::empty())
+            .unwrap();
+        assert_eq!(extract_token(&r).as_deref(), Some("header-token"));
+    }
+
+    #[test]
+    fn returns_none_when_neither_present() {
+        let r = Request::builder().body(Body::empty()).unwrap();
+        assert_eq!(extract_token(&r), None);
+    }
+}