feat(admin): create and list users commands

Cargo.lock

@@ -27,6 +27,7 @@ dependencies = [
  "fully_pub",
  "kernel",
  "log",
+ "thiserror 2.0.3",
  "tokio",
 ]
 
@@ -970,6 +971,7 @@ dependencies = [
  "sqlx",
  "strum",
  "strum_macros",
+ "thiserror 2.0.3",
  "time",
  "tokio",
  "tower-http",
@@ -1260,6 +1262,7 @@ dependencies = [
  "sqlx",
  "strum",
  "strum_macros",
+ "thiserror 2.0.3",
  "toml",
  "url",
  "utils",

Cargo.toml

@@ -14,6 +14,7 @@ members = [
 [workspace.dependencies]
 # commons utils
 anyhow = "1.0"
+thiserror = "2"
 fully_pub = "0.1"
 strum = "0.26.3"
 strum_macros = "0.26"

admin.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/sh
+
+cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@

docs/draft.md

@@ -7,3 +7,47 @@ https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path
 ## Oauth2 test
 
 -> authorize
+
+# User flow
+
+## Invitation flow
+
+- Create invite
+    - generate A random
+    - user.reset_password_token = A
+    - user.status = "Invited"
+    - Send email with link to https://instance/reset-password?token=A&reason=invitation
+- GET /reset-password?token=A&reason=invitation
+    - verification of token
+    - show form
+- POST /reset-password
+    - BODY: with params token
+    - check token validity
+    - set new password hash
+    - if user.status == "invited"
+        - enable new account (user.status = "active")
+        - send welcome email
+    - redirect to login page with a message
+        - we need to redirect to the login page, so the user remember how to login later, and can
+        verify the setup of his/her password manager.
+
+We can instead send link to https://instance/invitation?token=A
+
+## Reset password flow
+
+- Reset password request
+    - generate A random
+    - user.reset_password_token = A
+    - Send email with link to https://instance/reset-password?token=A&reason=lost_password
+- GET /reset-password?token=A&reason=lost_password
+    - verification of token
+    - show form
+- POST /reset-password
+    - BODY: with params token
+    - check token validity
+    - set new password hash
+    - redirect to login page with a message
+        - we need to redirect to the login page, so the user remember how to login later, and can
+        verify the setup of his/her password manager.
+
+We can instead send link to https://instance/reset-password?token=A

justfile

@@ -1,12 +1,15 @@
 export RUST_BACKTRACE := "1"
 export RUST_LOG := "trace"
-export RUN_ARGS := "run --bin minauthator-server -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets"
+export CONTEXT_ARGS := "--config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets"
 
-watch-run:
+watch-server:
-    cargo-watch -x "$RUN_ARGS"
+    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
 
-run:
+server:
-    cargo $RUN_ARGS
+    cargo run --bin minauthator-server -- $CONTEXT_ARGS
+
+admin:
+    cargo run --bin minauthator-admin -- $CONTEXT_ARGS
 
 docker-run:
     docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator

lib/admin_cli/Cargo.toml

@@ -8,6 +8,7 @@ path = "src/main.rs"
 
 [dependencies]
 anyhow = { workspace = true }
+thiserror = { workspace = true }
 fully_pub = { workspace = true }
 argh = { workspace = true }
 tokio = { workspace = true }

lib/admin_cli/src/commands/mod.rs

@@ -0,0 +1 @@
+pub mod users;

lib/admin_cli/src/commands/users.rs

@@ -0,0 +1,115 @@
+use anyhow::{Context, Result};
+use argh::FromArgs;
+use fully_pub::fully_pub;
+use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
+use log::info;
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "create",
+    description = "Create user in DB."
+)]
+struct CreateUserCommand {
+    /// aka login, username
+    #[argh(option)]
+    handle: String,
+
+    /// displayed name (eg. first name and last name)
+    #[argh(option)]
+    full_name: Option<String>,
+
+    /// use to identify and prove user identity
+    /// formated as specified in RFC 2821, RFC 3696
+    #[argh(option)]
+    email: String,
+
+    /// if true, create an invitation token
+    #[argh(switch)]
+    invite: bool
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "delete",
+    description = "Delete user in DB."
+)]
+struct DeleteUserCommand {
+    /// delete by user Uuid
+    #[argh(option)]
+    id: String
+}
+
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "list",
+    description = "List users in DB."
+)]
+struct ListUsersCommand {
+    /// how many users to return
+    #[argh(option)]
+    limit: Option<usize>,
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum UsersSubCommands {
+    Create(CreateUserCommand),
+    List(ListUsersCommand),
+    Delete(DeleteUserCommand),
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "users",
+    description = "Manage instance users."
+)]
+struct UsersCommand {
+    #[argh(subcommand)]
+    nested: UsersSubCommands,
+}
+
+
+pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
+    for user in get_users(&ctx.storage).await? {
+        println!(
+            "{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
+            user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
+        );
+    }
+    Ok(())
+}
+
+pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
+    let mut user = User::new(cmd.handle);
+    user.email = Some(cmd.email);
+    user.full_name = cmd.full_name;
+    if cmd.invite {
+        user.invite();
+        println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
+    }
+    let _res = kernel::actions::users::create_user(ctx, user).await?;
+    info!("Created user.");
+    if cmd.invite {
+        // TODO: Send invitation email
+        info!("Not sending invitation email.");
+    }
+    Ok(())
+}
+
+pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
+    todo!()
+}
+
+pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
+    match cmd.nested {
+        UsersSubCommands::List(sc) => list_users(sc, ctx).await,
+        UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
+        UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
+    }
+}

lib/admin_cli/src/main.rs

@@ -1,11 +1,23 @@
 use argh::FromArgs;
 use anyhow::{Context, Result};
-use kernel::{context::{get_kernel_context, StartKernelConfig}};
+use commands::users;
+use kernel::context::{get_kernel_context, StartKernelConfig};
 use log::info;
 
-#[derive(Debug, FromArgs)]
+pub mod commands;
-/// Minauthator admin CLI args
+
-struct AdminCliArgs {
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum SubCommands {
+    Users(users::UsersCommand),
+}
+
+#[derive(FromArgs, PartialEq, Debug)]
+/// Minauthator admin top level
+struct AdminCliTopLevelCommand {
+    #[argh(subcommand)]
+    nested: SubCommands,
+
     /// path to YAML config file to use to configure this instance
     #[argh(option)]
     config: Option<String>,
@@ -14,17 +26,24 @@ struct AdminCliArgs {
     #[argh(option)]
     database: Option<String>,
 
+    /// path to the static assets dir
+    #[argh(option)]
+    static_assets: Option<String>,
 }
 
 /// handle CLI arguments to run admin CLI
 #[tokio::main]
 pub async fn main() -> Result<()> {
     info!("Starting minauth");
-    let args: AdminCliArgs = argh::from_env();
+    let command_input: AdminCliTopLevelCommand = argh::from_env();
-    let (config, secrets, db_pool) = get_kernel_context(StartKernelConfig {
+    let ctx = get_kernel_context(StartKernelConfig {
-        config_path: args.config,
+        config_path: command_input.config.clone(),
-        database_path: args.database
+        database_path: command_input.database.clone()
     }).await.context("Getting kernel context")?;
 
-    Ok(())
+    match command_input.nested {
+       SubCommands::Users(sc) => {
+            users::handle_command_tree(sc, ctx).await
+        }
+    }
 }

lib/http_server/Cargo.toml

@@ -14,6 +14,7 @@ strum = { workspace = true }
 strum_macros = { workspace = true }
 
 anyhow = { workspace = true }
+thiserror = { workspace = true }
 fully_pub = { workspace = true }
 
 tokio = { workspace = true }

lib/http_server/src/controllers/ui/mod.rs

@@ -6,3 +6,4 @@ pub mod me;
 pub mod logout;
 pub mod user_panel;
 pub mod apps;
+pub mod reset_password;

lib/http_server/src/controllers/ui/register.rs

@@ -51,7 +51,7 @@ pub async fn perform_register(
         password_hash,
         status: UserStatus::Active,
         roles: Json(Vec::new()), // take the default role in the config
-        activation_token: None,
+        reset_password_token: None,
         created_at: Utc::now(),
         website: None,
         last_login_at: None

lib/http_server/src/controllers/ui/reset_password.rs

@@ -0,0 +1,139 @@
+use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
+use log::{error, info};
+use serde::{Deserialize, Serialize};
+use minijinja::context;
+use fully_pub::fully_pub;
+
+use crate::{renderer::TemplateRenderer, AppState};
+
+use kernel::models::user::{User, UserStatus};
+use utils::get_password_hash;
+
+#[derive(Debug, Deserialize, Serialize)]
+#[fully_pub]
+enum ResetPasswordReason {
+    LostPassword,
+    Invitation
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+#[fully_pub]
+struct ResetPasswordQueryParams {
+    token: String
+}
+
+pub async fn reset_password_form(
+    State(app_state): State<AppState>,
+    path: MatchedPath,
+    Extension(renderer): Extension<TemplateRenderer>,
+    Query(query_params): Query<ResetPasswordQueryParams>
+) -> impl IntoResponse {
+    let reason: ResetPasswordReason = match path.as_str() {
+        "/invitation" => ResetPasswordReason::Invitation,
+        "/reset-password" => ResetPasswordReason::LostPassword,
+        _ => unreachable!()
+    };
+    // 1. Verify token
+    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
+        .bind(&query_params.token)
+        .fetch_one(&app_state.db.0)
+        .await;
+    let _user = match user_res {
+        Ok(u) => u,
+        Err(sqlx::Error::RowNotFound) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Html("Invalid reset password token.")
+            ).into_response();
+        },
+        Err(err) => {
+            error!("Failed to retreive user from reset password token. {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to retreive user.")
+            ).into_response();
+        }
+    };
+    renderer.render(
+        "pages/reset_password",
+        context!(
+            reason => reason,
+            token => query_params.token,
+        )
+    ).into_response()
+}
+
+
+#[derive(Debug, Deserialize)]
+#[fully_pub]
+struct ResetPasswordForm {
+    token: String,
+    password: String,
+    password_confirmation: String
+}
+
+pub async fn perform_reset_password(
+    State(app_state): State<AppState>,
+    Form(reset_form): Form<ResetPasswordForm>
+) -> impl IntoResponse {
+    // 1. Verify token
+    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
+        .bind(&reset_form.token)
+        .fetch_one(&app_state.db.0)
+        .await;
+    let user = match user_res {
+        Ok(u) => u,
+        Err(sqlx::Error::RowNotFound) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Html("Invalid reset password token.")
+            ).into_response();
+        },
+        Err(err) => {
+            error!("Failed to retreive user from reset password token. {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to retreive user.")
+            ).into_response();
+        }
+    };
+    if reset_form.password != reset_form.password_confirmation {
+        return (
+            StatusCode::BAD_REQUEST,
+            Html("Form data error: The two passwords are differents.")
+        ).into_response();
+    }
+
+    let password_hash = Some(
+        get_password_hash(reset_form.password)
+            .expect("To process password").1
+    );
+    if user.status == UserStatus::Invited {
+        info!("The password of an Invited user was set: activation of user account");
+        // TODO: send welcome email
+    }
+    let res = sqlx::query("UPDATE users
+            SET password_hash = $2, status = $3, reset_password_token = NULL
+            WHERE id = $1
+        ")
+        .bind(user.id)
+        .bind(password_hash)
+        .bind(UserStatus::Active)
+        .execute(&app_state.db.0)
+        .await;
+    match res {
+        Err(err) => {
+            error!("Cannot update user: {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to update user.")
+            ).into_response();
+        },
+        Ok(_v) => {
+            info!("Changed user's password successfuly.");
+        }
+    };
+    // TODO: add either "Successfully changed password" or "Account enabled successfully" message 
+    Redirect::to("/login").into_response()
+}
+

lib/http_server/src/lib.rs

@@ -7,7 +7,7 @@ pub mod token_claims;
 
 use fully_pub::fully_pub;
 use anyhow::{Result, Context};
-use kernel::{context::AppSecrets, models::config::Config, repositories::storage::Storage};
+use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
 use log::info;
 use minijinja::Environment;
 
@@ -38,16 +38,14 @@ pub struct AppState {
 
 pub async fn start_http_server(
     server_config: ServerConfig,
-    config: Config,
+    ctx: KernelContext
-    secrets: AppSecrets,
-    db_pool: Storage
 ) -> Result<()> {
     // build state
     let state = AppState {
-        templating_env: build_templating_env(&config),
+        templating_env: build_templating_env(&ctx.config),
-        config,
+        config: ctx.config,
-        secrets,
+        secrets: ctx.secrets,
-        db: db_pool
+        db: ctx.storage
     };
 
     // build routes

lib/http_server/src/main.rs

@@ -32,7 +32,7 @@ struct ServerCliFlags {
 pub async fn main() -> Result<()> {
     info!("Starting minauth");
     let flags: ServerCliFlags = argh::from_env();
-    let (config, secrets, db_pool) = get_kernel_context(StartKernelConfig {
+    let kernel_context = get_kernel_context(StartKernelConfig {
         config_path: flags.config,
         database_path: flags.database
     }).await.context("Getting kernel context")?;
@@ -42,8 +42,6 @@ pub async fn main() -> Result<()> {
             listen_host: flags.listen_host,
             listen_port: flags.listen_port
         },
-        config,
+        kernel_context
-        secrets,
-        db_pool
     ).await
 }

lib/http_server/src/router.rs

@@ -19,6 +19,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
         .route("/register", post(ui::register::perform_register))
         .route("/login", get(ui::login::login_form))
         .route("/login", post(ui::login::perform_login))
+        .route("/invitation", get(ui::reset_password::reset_password_form))
+        .route("/reset-password", get(ui::reset_password::reset_password_form))
+        .route("/reset-password", post(ui::reset_password::perform_reset_password))
         .layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
         .layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));
 

lib/http_server/src/templates/pages/error.html

@@ -0,0 +1,11 @@
+{% extends "layouts/base.html" %}
+{% block body %}
+<h1>Internal server error</h1>
+
+{% if error %}
+<div class="alert alert-danger">
+    We are sorry. We've rencountered an unrecoverable error.
+</div>
+{% endif %}
+{% endblock %}
+

lib/http_server/src/templates/pages/reset_password.html

@@ -0,0 +1,54 @@
+{% extends "layouts/base.html" %}
+{% block body %}
+{% if reason == "Invitation" %}
+<h1>Invitation</h1>
+{% endif %}
+{% if reason == "LostPassword" %}
+<h1>Reset your password</h1>
+{% endif %}
+<!-- Reset password form -->
+{% if error %}
+<div class="alert alert-danger">
+    Error: {{ error }}
+</div>
+{% endif %}
+{% if info %}
+<div class="alert alert-info">
+    Info: {{ info }}
+</div>
+{% endif %}
+{% if reason == "Invitation" %}
+<p>
+    Pour activer votre compte, veuillez définir votre mot de passe.
+</p>
+{% endif %}
+{% if reason == "LostPassword" %}
+<p>
+    Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
+</p>
+{% endif %}
+<form id="reset-password-form" method="post" action="/reset-password">
+    <div class="mb-3">
+        <label for="password" class="form-label">New password</label>
+        <input
+            id="password" name="password" type="password"
+            required
+            class="form-control"
+        />
+    </div>
+    <div class="mb-3">
+        <label for="password" class="form-label">New password confirmation</label>
+        <input
+            id="password_confirmation" name="password_confirmation" type="password"
+            required
+            class="form-control"
+        />
+    </div>
+    <input
+        id="token" name="token" type="hidden"
+        value="{{ token }}"
+    />
+
+    <button type="submit" class="btn btn-primary">Change password</button>
+</form>
+{% endblock %}

lib/kernel/Cargo.toml

@@ -5,9 +5,10 @@ edition = "2021"
 [dependencies]
 utils = { path = "../utils" }
 
+anyhow = { workspace = true }
+thiserror = { workspace = true }
 log = { workspace = true }
 env_logger = { workspace = true }
-anyhow = { workspace = true }
 fully_pub = { workspace = true }
 strum = { workspace = true }
 strum_macros = { workspace = true }

lib/kernel/src/actions/mod.rs

@@ -0,0 +1 @@
+pub mod users;

lib/kernel/src/actions/users.rs

@@ -0,0 +1,44 @@
+use crate::{context::KernelContext, models::user::User};
+
+use anyhow::{Context, Result};
+use chrono::SecondsFormat;
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum CreateUserErr {
+    #[error("Handle or email for user is already used.")]
+    HandleOrEmailNotUnique,
+
+    #[error("Database error.")]
+    DatabaseErr(String)
+}
+
+pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
+    let res = sqlx::query("
+        INSERT INTO users
+            (id, handle, email, status, roles, password_hash, reset_password_token, created_at)
+            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+        ")
+        .bind(user.id)
+        .bind(user.handle)
+        .bind(user.email)
+        .bind(user.status.to_string())
+        .bind(user.roles)
+        .bind(user.password_hash)
+        .bind(user.reset_password_token)
+        .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
+        .execute(&ctx.storage.0)
+        .await;
+    match res {
+        Err(err) => {
+            let db_err = &err.as_database_error().unwrap();
+            if db_err.code().unwrap() == "2067" {
+                Err(CreateUserErr::HandleOrEmailNotUnique)
+            } else {
+                dbg!(&err);
+                Err(CreateUserErr::DatabaseErr(db_err.to_string()))
+            }
+        }
+        Ok(_) => Ok(())
+    }
+}

lib/kernel/src/context.rs

@@ -29,7 +29,15 @@ struct AppSecrets {
     jwt_secret: String
 }
 
-pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<(Config, AppSecrets, Storage)> {
+#[derive(Debug, Clone)]
+#[fully_pub]
+struct KernelContext {
+    config: Config,
+    secrets: AppSecrets,
+    storage: Storage
+}
+
+pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
     env_logger::init();
     let _ = dotenvy::dotenv();
 
@@ -47,5 +55,9 @@ pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<(Conf
         jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
     };
 
-    Ok((config, secrets, storage))
+    Ok(KernelContext {
+        config,
+        secrets,
+        storage
+    })
 }

lib/kernel/src/models/user.rs

@@ -2,13 +2,16 @@ use fully_pub::fully_pub;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use sqlx::types::Json;
+use utils::get_random_human_token;
+use uuid::Uuid;
 
 #[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
 #[derive(strum_macros::Display)]
 #[fully_pub]
 enum UserStatus {
-    Active,
+    Disabled,
-    Disabled
+    Invited,
+    Active
 }
 
 #[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
@@ -24,8 +27,35 @@ struct User {
     password_hash: Option<String>, // argon2 password hash
     status: UserStatus,
     roles: Json<Vec<String>>,
-    activation_token: Option<String>,
+    reset_password_token: Option<String>,
 
     last_login_at: Option<DateTime<Utc>>,
     created_at: DateTime<Utc>
 }
+
+impl User {
+    pub fn new(
+        handle: String
+    ) -> User {
+        User {
+            id: Uuid::new_v4().to_string(),
+            handle,
+            full_name: None,
+            email: None,
+            website: None,
+            picture: None,
+            password_hash: None,
+            status: UserStatus::Disabled,
+            roles: Json(Vec::new()),
+            reset_password_token: None,
+            last_login_at: None,
+            created_at: Utc::now()
+        }
+    }
+
+    pub fn invite(self: &mut Self) {
+        self.reset_password_token = Some(get_random_human_token());
+        self.status = UserStatus::Invited;
+    }
+
+}

lib/kernel/src/repositories/users.rs

@@ -5,10 +5,17 @@ use crate::models::user::User;
 use super::storage::Storage;
 use anyhow::{Result, Context};
 
-async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
+pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
     sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(user_id)
         .fetch_one(&storage.0)
         .await
-        .context("To get user from claim")
+        .context("To get user by id.")
+}
+
+pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
+    sqlx::query_as::<_, User>("SELECT * FROM users")
+        .fetch_all(&storage.0)
+        .await
+        .context("To get users.")
 }

lib/utils/src/lib.rs

@@ -43,6 +43,18 @@ pub fn get_random_alphanumerical(length: usize) -> String {
         .collect()
 }
 
+/// Generate easy to type token
+pub fn get_random_human_token() -> String {
+    return format!(
+        "{}-{}-{}-{}-{}",
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4)
+    ).to_uppercase();
+}
+
 pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
     let header_val_components: Vec<&str> = header_value.split(" ").collect();
     let encoded_header_value: &str = header_val_components

migrations/all.sql

@@ -1,18 +1,18 @@
 DROP TABLE IF EXISTS users;
 CREATE TABLE users (
-    id                  TEXT PRIMARY KEY,
+    id                   TEXT PRIMARY KEY,
-    handle              TEXT NOT NULL UNIQUE,
+    handle               TEXT NOT NULL UNIQUE,
-    full_name           TEXT,
+    full_name            TEXT,
-    email               TEXT UNIQUE,
+    email                TEXT UNIQUE,
-    website             TEXT,
+    website              TEXT,
-    picture             BLOB,
+    picture              BLOB,
-    roles               TEXT NOT NULL, -- json array of user roles
+    roles                TEXT NOT NULL, -- json array of user roles
 
-    status              TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
+    status               TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
-    password_hash       TEXT,
+    password_hash        TEXT,
-    activation_token    TEXT,
+    reset_password_token TEXT,
-    last_login_at       DATETIME,
+    last_login_at        DATETIME,
-    created_at          DATETIME NOT NULL
+    created_at           DATETIME NOT NULL
 );
 
 DROP TABLE IF EXISTS authorizations;

tests/hurl_integration/scenario_1/init_db.sh

@@ -1,3 +1,5 @@
+#!/usr/bin/bash
+
 password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
 echo $password_hash
 SQL=$(cat <<EOF

tests/hurl_integration/user_invitation_scenario/config.toml

@@ -0,0 +1,9 @@
+applications = []
+
+roles = []
+
+[instance]
+base_uri = "http://localhost:8086"
+name = "Example org"
+logo_uri = "https://example.org/logo.png"
+

tests/hurl_integration/user_invitation_scenario/init_db.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+SQL=$(cat <<EOF
+    INSERT INTO users
+        (id, handle, email, roles, status, reset_password_token, created_at)
+        VALUES
+        ('$(uuid)', 'invited_user', 'invited-user@example.org', '[]', 'Invited', 'Z433-Y001-V987-P500', '2024-11-30T00:00:00Z');
+EOF)
+echo $SQL | sqlite3 $DB_PATH

tests/hurl_integration/user_invitation_scenario/main.hurl

@@ -0,0 +1,28 @@
+GET {{ base_url }}/api
+HTTP 200
+[Asserts]
+jsonpath "$.software" == "Minauthator"
+
+GET {{ base_url }}/invitation
+[QueryStringParams]
+token: Z433-Y001-V987-P500
+HTTP 200
+[Asserts]
+xpath "string(///h1)" contains "Invitation"
+
+POST {{ base_url }}/reset-password
+[FormParams]
+token: Z433-Y001-V987-P500
+password: newpassword10!
+password_confirmation: newpassword10!
+HTTP 303
+[Asserts]
+header "Location" == "/login"
+
+POST {{ base_url }}/login
+[FormParams]
+login: invited_user
+password: newpassword10!
+HTTP 303
+[Asserts]
+cookie "minauthator_jwt" exists

tests/manual/create_test_user.sql

@@ -1,5 +1,12 @@
-INSERT INTO users
+-- INSERT INTO users
-    (id, handle, email, roles, status, password_hash, created_at)
+--     (id, handle, email, roles, status, password_hash, created_at)
-    VALUES
+--     VALUES
-    ('30c134a7-d541-4ec7-9310-9c8e298077db', 'test', 'test@example.org', '[]', 'Active', '$argon2i$v=19$m=4096,t=3,p=1$V2laYjAwTlFHOUpiekRlVzRQUU0$33h8XwAWM3pKQM7Ksler0l7rMJfseTuWPJKrdX/cGyc', '2024-11-30T00:00:00Z');
+--     ('30c134a7-d541-4ec7-9310-9c8e298077db', 'test', 'test@example.org', '[]', 'Active', '$argon2i$v=19$m=4096,t=3,p=1$V2laYjAwTlFHOUpiekRlVzRQUU0$33h8XwAWM3pKQM7Ksler0l7rMJfseTuWPJKrdX/cGyc', '2024-11-30T00:00:00Z');
+--
+
+
+INSERT INTO users
+    (id, handle, email, roles, status, reset_password_token, created_at)
+    VALUES
+    ('00000001-0042-0001-0001-00000000432', 'invited_user1', 'invited-user1@example.org', '[]', 'Invited', 'A909-Z539-L128-O400', '2024-11-30T00:00:00Z');