Merge branch 'feat_user_avatar_public_asset'

Created a kernel crate to store models and future action implementations.
Will be useful to create admin cli.

.dockerignore

@@ -0,0 +1,7 @@
+target
+.env
+tmp
+Dockerfile
+.dockerignore
+justfile
+config.toml

Cargo.toml

@@ -1,31 +1,36 @@
-cargo-features = ["codegen-backend"]
+# cargo-features = ["codegen-backend"]
 
-[profile.dev]
-codegen-backend = "cranelift"
+# [profile.dev]
+# codegen-backend = "cranelift"
+# # END OF
 
-[package]
-name = "minauthator"
-description = "Identity provider and OAuth2 server for an small-scale organization."
-version = "0.1.0"
-edition = "2021"
+[workspace]
+resolver = "2"
+members = [
+    "lib/kernel",
+    "lib/utils",
+    "lib/http_server",
+    "lib/admin_cli"
+]
 
-[dependencies]
+[workspace.dependencies]
 # commons utils
 anyhow = "1.0"
+thiserror = "2"
 fully_pub = "0.1"
-argon2 = "0.5"
 strum = "0.26.3"
 strum_macros = "0.26"
 uuid = { version = "1.8", features = ["serde", "v4"] }
 dotenvy = "0.15.7"
-base64 = "0.22.1"
-rand = "0.8.5"
-rand_core = { version = "0.6.4", features = ["std"] }
 url = "2.5.3"
-argh = "0.1" # for CLI
+sha2 = "0.10"
+hex-literal = "0.4"
+
+# CLI
+argh = "0.1"
 
 # Async
-tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
+tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] }
 
 # Logging
 log = "0.4"
@@ -34,7 +39,6 @@ env_logger = "0.11"
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
-serde_urlencoded = "0.7.1"
 toml = "0.8"
 
 chrono = { version = "0.4", features = ["serde"] }
@@ -43,21 +47,6 @@ chrono = { version = "0.4", features = ["serde"] }
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "chrono", "uuid"] }
 redis = { version = "0.27.3", default-features = false, features = ["acl"] }
 
-# Web
-axum = { version = "0.7.7", features = ["json", "multipart"] }
-axum-extra = { version = "0.9.4", features = ["cookie"] }
-axum-template = { version = "2.4.0", features = ["minijinja"] }
-axum_typed_multipart = "0.13.1"
-minijinja = { version = "2.1", features = ["builtins"] }
-# to make work the static assets server
-tower-http = { version = "0.6.1", features = ["fs"] }
-
 # Auth utils
 totp-rs = "5.6"
-minijinja-embed = "2.3.1"
-axum-macros = "0.4.2"
-jsonwebtoken = "9.3.0"
-time = "0.3.36"
 
-[build-dependencies]
-minijinja-embed = "2.3.1"

Dockerfile

@@ -0,0 +1,37 @@
+FROM rust:1.83-alpine3.20 AS builder
+
+WORKDIR /usr/src/minauthator
+COPY . .
+
+RUN apk add musl-dev
+
+RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
+RUN cargo install --bin minauthator-server --locked --path lib/http_server
+
+FROM alpine:3.20 AS base
+
+RUN apk add sqlite
+COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
+COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
+RUN mkdir -p \
+    /usr/local/src/minauthator/migrations \
+    /usr/local/lib/minauthator/assets \
+    /var/lib/minauthator \
+    /etc/minauthator
+COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
+COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
+COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
+
+RUN addgroup -g 1000 app && \
+    adduser -S -u 1000 -G app -s /bin/sh app && \
+    chown -R app:app /var/lib/minauthator && \
+    chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
+
+USER app:app
+ENV RUST_LOG=info
+ENV RUST_BACKTRACE=1
+ENV APP_JWT_SECRET="DummyAppSecret20241029"
+
+CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]
+
+

README.md

@@ -1,24 +1,45 @@
 # Minauthator
 
-Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
+Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
 
-This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
+This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS).
+
+This project also aims to provide features while being frugal and minimalist.
 
 **Project status: *early development, work-in-progress***
 
 ## Features
 
-- Login
-- Register
-- OpenID Connect & OAuth 2.0
-- Activation token
-- Profile details
-- Static apps
-- User roles
-- MFA/TOTP
-- Email notifications
-- Login page customization
-- App carousel (App presentation to users)
+- [x] Login
+- [x] Register
+- [x] OpenID Connect & OAuth 2.0
+- [x] Activation token
+- [x] Profile details
+- [x] Static apps
+- [x] Admin CLI to manage user.
+- [x] User invitation with human token
+- [ ] User roles
+- [ ] User groups
+- [ ] MFA/TOTP
+- [ ] Email notifications
+- [ ] Login page customization
+- [x] App listing (App presentation to users)
+- [x] Implicit OAuth 2.0 flow
+- [ ] Email verification
+- [ ] GPG keys verification and signing
+- [ ] Docker deployment
+- [ ] Full user panel & user privacy control
+
+## Architecture
+
+- Sqlite DB
+- Kernel
+- Http server
+    - Public API
+    - User API
+    - Third-party OAuth2 app/client API
+    - Web GUI (no Javascript)
+- Admin CLI
 
 ## Deps
 
@@ -28,4 +49,4 @@ This project aims to allow an organization to setup [single sign-on (SSO)](https
 
 - [Authentik](https://goauthentik.io/)
 - [Keycloak](https://www.keycloak.org/)
-
+- [Kanidm](https://kanidm.com/)

TODO.md

@@ -1,5 +1,23 @@
 # TODO
 
+- [ ] i18n strings in the http website.
+
+- [ ] Instance customization support
+
+- [ ] Public endpoint to get user avatar by id
+- [ ] Rework avatar upload to limit size and process the image?
+
+- Authorize form
+    - [ ] Show details about permissions
+    - [ ] Show app logo
+
+- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+
+- [ ] feat(perms): add groups and roles
+
+- [ ] UserWebGUI: add TOTP
+- [ ] send emails to users
+
 - [x] Login form
 - [x] Register form
 - [x] Redirect to login form if unauthenticated
@@ -13,20 +31,12 @@
 - [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
     - .well-known/openid-configuration
 
+- [x] architecture refactor
+- [x] AdminCLI: init
+- [x] AdminCLI: list users
+- [x] AdminCLI: create and invite user
 
-- [ ] i18n strings in the http website.
-
-- [ ] App config
-    - Add app logo (URI?)
-
-- [ ] Public endpoint to get user avatar by id
-- [ ] Rework avatar upload to limit size and process the image?
-
-- [ ] Authorize form
-    - Show details about permissions
-    - Show app logo
-
-- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+- [x] UserWebGUI: Invitation
 
 - [x] UserWebGUI: Redirect to login when JWT expire
 - [x] UserWebGUI: Show user authorizations.
@@ -37,14 +47,6 @@
 
 - [x] UserWebGUI: activate account with token
 
-- [ ] feat(perms): add groups and roles
-
-- [ ] UserWebGUI: add TOTP
-- [ ] send emails to users
-
-- Architecture: do we have an admin API?
-
-- [ ] AdminCLI: init
-- [ ] AdminWebGUI: List users
-- [ ] AdminWebGUI: Assign groups to users
-- [ ] AdminWebGUI: Create invitation
+- [X] basic docker setup
+- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
+- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/

admin.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/sh
+
+cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@

docs/draft.md

@@ -3,3 +3,51 @@
 https://datatracker.ietf.org/doc/html/rfc6749
 
 https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path-in-a-minijinja-template
+
+## Oauth2 test
+
+-> authorize
+
+# User flow
+
+## Invitation flow
+
+- Create invite
+    - generate A random
+    - user.reset_password_token = A
+    - user.status = "Invited"
+    - Send email with link to https://instance/reset-password?token=A&reason=invitation
+- GET /reset-password?token=A&reason=invitation
+    - verification of token
+    - show form
+- POST /reset-password
+    - BODY: with params token
+    - check token validity
+    - set new password hash
+    - if user.status == "invited"
+        - enable new account (user.status = "active")
+        - send welcome email
+    - redirect to login page with a message
+        - we need to redirect to the login page, so the user remember how to login later, and can
+        verify the setup of his/her password manager.
+
+We can instead send link to https://instance/invitation?token=A
+
+## Reset password flow
+
+- Reset password request
+    - generate A random
+    - user.reset_password_token = A
+    - Send email with link to https://instance/reset-password?token=A&reason=lost_password
+- GET /reset-password?token=A&reason=lost_password
+    - verification of token
+    - show form
+- POST /reset-password
+    - BODY: with params token
+    - check token validity
+    - set new password hash
+    - redirect to login page with a message
+        - we need to redirect to the login page, so the user remember how to login later, and can
+        verify the setup of his/her password manager.
+
+We can instead send link to https://instance/reset-password?token=A

init_db.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
+DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
+
+DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
+MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
+
+sqlite3 $DB_PATH < $MIGRATION_PATH
+

justfile

@@ -1,20 +1,32 @@
 export RUST_BACKTRACE := "1"
 export RUST_LOG := "trace"
+export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"
 
-watch-run:
-    cargo-watch -x 'run -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets'
+watch-server:
+    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
 
-run:
-    cargo run -- --database ./tmp/dbs/minauthator.db --config ./config.toml --static-assets ./assets
+server:
+    cargo run --bin minauthator-server -- $CONTEXT_ARGS
 
-docker-run:
-    docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
-
-docker-init-db:
-    docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
+admin:
+    cargo run --bin minauthator-admin -- $CONTEXT_ARGS
 
 docker-build:
-    docker build -t minauthator .
+    docker build -t lefuturiste/minauthator .
+
+docker-init-db:
+    docker run \
+        -v ./tmp/docker/config:/etc/minauthator \
+        -v minauthator-db:/var/lib/minauthator \
+        lefuturiste/minauthator \
+        /usr/local/bin/minauthator_init_db.sh
+
+docker-run:
+    docker run \
+        -p 127.0.0.1:3085:8080 \
+        -v ./tmp/docker/config:/etc/minauthator \
+        -v minauthator-db:/var/lib/minauthator \
+        lefuturiste/minauthator
 
 init-db:
     sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql

lib/admin_cli/Cargo.toml

@@ -0,0 +1,18 @@
+[package]
+name = "admin_cli"
+edition = "2021"
+
+[[bin]]
+name = "minauthator-admin"
+path = "src/main.rs"
+
+[dependencies]
+anyhow = { workspace = true }
+thiserror = { workspace = true }
+fully_pub = { workspace = true }
+argh = { workspace = true }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+
+kernel = { path = "../kernel" }

lib/admin_cli/src/commands/mod.rs

@@ -0,0 +1 @@
+pub mod users;

lib/admin_cli/src/commands/users.rs

@@ -0,0 +1,115 @@
+use anyhow::{Context, Result};
+use argh::FromArgs;
+use fully_pub::fully_pub;
+use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
+use log::info;
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "create",
+    description = "Create user in DB."
+)]
+struct CreateUserCommand {
+    /// aka login, username
+    #[argh(option)]
+    handle: String,
+
+    /// displayed name (eg. first name and last name)
+    #[argh(option)]
+    full_name: Option<String>,
+
+    /// use to identify and prove user identity
+    /// formated as specified in RFC 2821, RFC 3696
+    #[argh(option)]
+    email: String,
+
+    /// if true, create an invitation token
+    #[argh(switch)]
+    invite: bool
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "delete",
+    description = "Delete user in DB."
+)]
+struct DeleteUserCommand {
+    /// delete by user Uuid
+    #[argh(option)]
+    id: String
+}
+
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "list",
+    description = "List users in DB."
+)]
+struct ListUsersCommand {
+    /// how many users to return
+    #[argh(option)]
+    limit: Option<usize>,
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum UsersSubCommands {
+    Create(CreateUserCommand),
+    List(ListUsersCommand),
+    Delete(DeleteUserCommand),
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "users",
+    description = "Manage instance users."
+)]
+struct UsersCommand {
+    #[argh(subcommand)]
+    nested: UsersSubCommands,
+}
+
+
+pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
+    for user in get_users(&ctx.storage).await? {
+        println!(
+            "{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
+            user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
+        );
+    }
+    Ok(())
+}
+
+pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
+    let mut user = User::new(cmd.handle);
+    user.email = Some(cmd.email);
+    user.full_name = cmd.full_name;
+    if cmd.invite {
+        user.invite();
+        println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
+    }
+    let _res = kernel::actions::users::create_user(ctx, user).await?;
+    info!("Created user.");
+    if cmd.invite {
+        // TODO: Send invitation email
+        info!("Not sending invitation email.");
+    }
+    Ok(())
+}
+
+pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
+    todo!()
+}
+
+pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
+    match cmd.nested {
+        UsersSubCommands::List(sc) => list_users(sc, ctx).await,
+        UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
+        UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
+    }
+}

lib/admin_cli/src/main.rs

@@ -0,0 +1,49 @@
+use argh::FromArgs;
+use anyhow::{Context, Result};
+use commands::users;
+use kernel::context::{get_kernel_context, StartKernelConfig};
+use log::info;
+
+pub mod commands;
+
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum SubCommands {
+    Users(users::UsersCommand),
+}
+
+#[derive(FromArgs, PartialEq, Debug)]
+/// Minauthator admin top level
+struct AdminCliTopLevelCommand {
+    #[argh(subcommand)]
+    nested: SubCommands,
+
+    /// path to YAML config file to use to configure this instance
+    #[argh(option)]
+    config: Option<String>,
+
+    /// path to the Sqlite3 DB file to use
+    #[argh(option)]
+    database: Option<String>,
+
+    /// path to the static assets dir
+    #[argh(option)]
+    static_assets: Option<String>,
+}
+
+/// handle CLI arguments to run admin CLI
+#[tokio::main]
+pub async fn main() -> Result<()> {
+    info!("Starting minauth");
+    let command_input: AdminCliTopLevelCommand = argh::from_env();
+    let ctx = get_kernel_context(StartKernelConfig {
+        config_path: command_input.config.clone(),
+        database_path: command_input.database.clone()
+    }).await.context("Getting kernel context")?;
+
+    match command_input.nested {
+       SubCommands::Users(sc) => {
+            users::handle_command_tree(sc, ctx).await
+        }
+    }
+}

lib/http_server/Cargo.toml

@@ -0,0 +1,52 @@
+[package]
+name = "http_server"
+edition = "2021"
+
+[dependencies]
+kernel = { path = "../kernel" }
+utils = { path = "../utils" }
+
+# common
+log = { workspace = true }
+env_logger = { workspace = true }
+
+strum = { workspace = true }
+strum_macros = { workspace = true }
+
+anyhow = { workspace = true }
+thiserror = { workspace = true }
+fully_pub = { workspace = true }
+
+tokio = { workspace = true }
+
+# Web
+axum = { version = "0.7.7", features = ["json", "multipart"] }
+axum-extra = { version = "0.9.4", features = ["cookie"] }
+axum-template = { version = "2.4.0", features = ["minijinja"] }
+axum_typed_multipart = "0.13.1"
+minijinja = { version = "2.1", features = ["builtins"] }
+# to make work the static assets server
+tower-http = { version = "0.6.1", features = ["fs"] }
+
+minijinja-embed = "2.3.1"
+axum-macros = "0.4.2"
+jsonwebtoken = "9.3.0"
+time = "0.3.36"
+
+serde = { workspace = true }
+serde_json = { workspace = true }
+serde_urlencoded = "0.7.1"
+chrono = { workspace = true }
+
+argh = { workspace = true }
+
+sqlx = { workspace = true }
+uuid = { workspace = true }
+url = { workspace = true }
+
+[build-dependencies]
+minijinja-embed = "2.3.1"
+
+[[bin]]
+name = "minauthator-server"
+path = "src/main.rs"

lib/http_server/src/controllers/api/index.rs

@@ -0,0 +1,14 @@
+use axum::{extract::State, response::IntoResponse, Json};
+use serde_json::json;
+
+use crate::AppState;
+
+pub async fn get_index(
+    State(app_state): State<AppState>,
+) -> impl IntoResponse {
+    Json(json!({
+        "software": "Minauthator",
+        "name": app_state.config.instance.name,
+        "base_uri": app_state.config.instance.base_uri
+    }))
+}

lib/http_server/src/controllers/api/mod.rs

@@ -1,3 +1,5 @@
+pub mod index;
 pub mod oauth2;
 pub mod read_user;
 pub mod openid;
+pub mod public_assets;

lib/http_server/src/controllers/api/oauth2/access_token.rs

@@ -4,10 +4,9 @@ use fully_pub::fully_pub;
 use log::error;
 use serde::{Deserialize, Serialize};
 
+use kernel::models::authorization::Authorization;
 use crate::{
-    models::{authorization::Authorization, token_claims::AppUserTokenClaims},
-    server::AppState,
-    services::{app_session::AppClientSession, session::create_token}
+    services::{app_session::AppClientSession, session::create_token}, token_claims::AppUserTokenClaims, AppState
 };
 
 const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
@@ -43,7 +42,7 @@ pub async fn get_access_token(
     )
         .bind(&form.code)
         .bind(&app_client_session.client_id)
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await;
     let authorization = match authorizations_res {
         Ok(val) => val,

lib/http_server/src/controllers/api/openid/well_known.rs

@@ -1,9 +1,10 @@
 use axum::{extract::State, response::IntoResponse, Json};
 use fully_pub::fully_pub;
+use kernel::models::authorization::AuthorizationScope;
 use serde::Serialize;
 use strum::IntoEnumIterator;
 
-use crate::{models::authorization::AuthorizationScope, server::AppState};
+use crate::AppState;
 
 #[derive(Serialize)]
 #[fully_pub]

lib/http_server/src/controllers/api/public_assets.rs

@@ -0,0 +1,27 @@
+use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
+use kernel::repositories::users::get_user_asset_by_id;
+
+use crate::AppState;
+
+pub async fn get_user_asset(
+    State(app_state): State<AppState>,
+    Path(asset_id): Path<String>
+) -> impl IntoResponse {
+    let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
+        Err(_) => {
+            return (
+                StatusCode::NOT_FOUND,
+                Html("Could not find user asset")
+            ).into_response();
+        },
+        Ok(ua) => ua
+    };
+
+    let mut hm = HeaderMap::new();
+    hm.insert(
+        header::CONTENT_TYPE,
+        HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
+    );
+    
+    (hm, user_asset.content).into_response()
+}

lib/http_server/src/controllers/api/read_user.rs

@@ -2,7 +2,8 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
 use fully_pub::fully_pub;
 use serde::Serialize;
 
-use crate::{models::{token_claims::AppUserTokenClaims, user::User}, server::AppState};
+use crate::{token_claims::AppUserTokenClaims, AppState};
+use kernel::models::user::User;
 
 #[derive(Serialize)]
 #[fully_pub]
@@ -19,10 +20,10 @@ pub async fn read_user_basic(
     State(app_state): State<AppState>,
     Extension(token_claims): Extension<AppUserTokenClaims>,
 ) -> impl IntoResponse {
-    // 1. This handler require client user authentification (JWT)
+    // 1. This handler require app user authentification (JWT)
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.user_id)
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await
         .expect("To get user from claim");
     let output = ReadUserBasicExtract {

lib/http_server/src/controllers/ui/apps.rs

@@ -1,10 +1,10 @@
 use axum::{extract::State, response::IntoResponse, Extension};
 use minijinja::context;
 
+use kernel::models::{config::AppVisibility, config::Application};
 use crate::{
-    models::{config::AppVisibility, config::Application},
     renderer::TemplateRenderer,
-    server::AppState
+    AppState
 };
 
 pub async fn list_apps(

lib/http_server/src/controllers/ui/authorize.rs

@@ -7,14 +7,15 @@ use serde::{Deserialize, Serialize};
 use url::Url;
 use uuid::Uuid;
 
+use kernel::{
+    models::{authorization::Authorization, config::AppAuthorizeFlow}
+};
+use utils::get_random_alphanumerical;
 use crate::{
-    models::{authorization::Authorization, config::AppAuthorizeFlow, token_claims::UserTokenClaims},
-    renderer::TemplateRenderer, server::AppState,
-    services::oauth2::{parse_scope, verify_redirect_uri},
-    utils::get_random_alphanumerical
+    renderer::TemplateRenderer, services::oauth2::{parse_scope, verify_redirect_uri}, token_claims::UserTokenClaims, AppState
 };
 
-#[derive(Serialize, Deserialize)]
+#[derive(Debug, Serialize, Deserialize)]
 #[fully_pub]
 /// query params described in [RFC6749 section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
 struct AuthorizationParams {
@@ -105,7 +106,7 @@ pub async fn authorize_form(
         .bind(&token_claims.sub)
         .bind(&authorization_params.client_id)
         .bind(sqlx::types::Json(&scopes))
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await;
 
     match authorizations_res {
@@ -119,7 +120,7 @@ pub async fn authorize_form(
                 .bind(existing_authorization.id)
                 .bind(authorization_code.clone())
                 .bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
-                .execute(&app_state.db)
+                .execute(&app_state.db.0)
                 .await.unwrap();
 
             // Authorization already given, just redirect to the app
@@ -219,7 +220,7 @@ pub async fn perform_authorize(
         .bind(authorization.code)
         .bind(authorization.last_used_at.map(|x| x.to_rfc3339_opts(SecondsFormat::Millis, true)))
         .bind(authorization.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db)
+        .execute(&app_state.db.0)
         .await;
     if let Err(err) = res {
         error!("Failed to save authorization in DB. {}", err);

lib/http_server/src/controllers/ui/login.rs

@@ -1,15 +1,15 @@
 use axum_extra::extract::{cookie::{Cookie, SameSite}, CookieJar};
 use chrono::{SecondsFormat, Utc};
+use kernel::models::user::{User, UserStatus};
 use log::info;
 use serde::Deserialize;
-use axum::{extract::{Query, State}, http::{HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse, Redirect}, Extension, Form};
+use axum::{extract::{Query, State}, http::StatusCode, response::{IntoResponse, Redirect}, Extension, Form};
 use fully_pub::fully_pub;
 use minijinja::context;
 use time::Duration;
+use utils::verify_password_hash;
 
-use crate::{
-    consts::WEB_GUI_JWT_COOKIE_NAME, models::{token_claims::UserTokenClaims, user::{User, UserStatus}}, renderer::TemplateRenderer, server::AppState, services::{password::verify_password_hash, session::create_token}
-};
+use crate::{renderer::TemplateRenderer, services::session::create_token, token_claims::UserTokenClaims, AppState, WEB_GUI_JWT_COOKIE_NAME};
 
 pub async fn login_form(
     Extension(renderer): Extension<TemplateRenderer>
@@ -47,7 +47,7 @@ pub async fn perform_login(
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE handle = $1 OR email = $2")
         .bind(&login.login)
         .bind(&login.login)
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await;
 
     let password_hash = match &user_res {
@@ -87,7 +87,7 @@ pub async fn perform_login(
     let _result = sqlx::query("UPDATE users SET last_login_at = $2 WHERE id = $1")
         .bind(user.id.clone())
         .bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db)
+        .execute(&app_state.db.0)
         .await.unwrap();
 
     let jwt_max_age = Duration::days(15);

lib/http_server/src/controllers/ui/logout.rs

@@ -1,7 +1,7 @@
 use axum::response::{IntoResponse, Redirect};
 use axum_extra::extract::CookieJar;
 
-use crate::consts::WEB_GUI_JWT_COOKIE_NAME;
+use crate::WEB_GUI_JWT_COOKIE_NAME;
 
 pub async fn perform_logout(
     cookies: CookieJar

lib/http_server/src/controllers/ui/me.rs

@@ -1,14 +1,16 @@
+use anyhow::Context;
 use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
 use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
 use fully_pub::fully_pub;
-use log::error;
+use log::{error, info};
 use minijinja::context;
 
 use crate::{
-    models::{token_claims::UserTokenClaims, user::User},
+    token_claims::UserTokenClaims,
     renderer::TemplateRenderer,
-    server::AppState
+    AppState
 };
+use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset};
 
 pub async fn me_page(
     State(app_state): State<AppState>,
@@ -17,7 +19,7 @@ pub async fn me_page(
 ) -> impl IntoResponse {
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.sub)
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await
         .expect("To get user from claim");
 
@@ -38,7 +40,7 @@ pub async fn me_update_details_form(
 
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.sub)
-        .fetch_one(&app_state.db)
+        .fetch_one(&app_state.db.0)
         .await
         .expect("To get user from claim");
 
@@ -60,7 +62,7 @@ struct UserDetailsUpdateForm {
     website: String,
 
     #[form_data(limit = "5MiB")]
-    picture: FieldData<Bytes>
+    avatar: FieldData<Bytes>
 }
 
 
@@ -72,19 +74,43 @@ pub async fn me_perform_update_details(
 ) -> impl IntoResponse {
     let template_path = "pages/me/details-form";
 
-    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
+    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+        .bind(&token_claims.sub)
+        .fetch_one(&app_state.db.0)
+        .await
+        .expect("To get user from claim");
+
+    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
         .bind(&token_claims.sub)
         .bind(details_update.handle)
         .bind(details_update.email)
         .bind(details_update.full_name)
         .bind(details_update.website)
-        .bind(details_update.picture.contents.to_vec())
-        .execute(&app_state.db)
+        .execute(&app_state.db.0)
         .await;
 
-    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+    if !details_update.avatar.contents.is_empty() {
+        let user_asset = UserAsset::new(
+            &user,
+            details_update.avatar.contents.to_vec(),
+            details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
+            details_update.avatar.metadata.name
+        );
+        let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
             .bind(&token_claims.sub)
-        .fetch_one(&app_state.db)
+            .bind(user_asset.id.clone())
+            .execute(&app_state.db.0)
+            .await;
+        // TODO: handle possible error
+        let _ = create_user_asset(&app_state.db, user_asset)
+            .await
+            .context("Creating user avatar asset.");
+        info!("Uploaded new avatar as user asset");
+    }
+
+    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+        .bind(&token_claims.sub)
+        .fetch_one(&app_state.db.0)
         .await
         .expect("To get user from claim");
 
@@ -94,7 +120,7 @@ pub async fn me_perform_update_details(
                 template_path,
                 context!(
                     success => true,
-                    user => user_res
+                    user => user
                 )
             )
         },
@@ -104,7 +130,7 @@ pub async fn me_perform_update_details(
                 template_path,
                 context!(
                     error => Some("Cannot update user details.".to_string()),
-                    user => user_res
+                    user => user
                 )
             )
         }

lib/http_server/src/controllers/ui/mod.rs

@@ -6,3 +6,4 @@ pub mod me;
 pub mod logout;
 pub mod user_panel;
 pub mod apps;
+pub mod reset_password;

lib/http_server/src/controllers/ui/register.rs

@@ -7,7 +7,10 @@ use fully_pub::fully_pub;
 use sqlx::types::Json;
 use uuid::Uuid;
 
-use crate::{models::user::{User, UserStatus}, renderer::TemplateRenderer, server::AppState, services::password::get_password_hash};
+use crate::{renderer::TemplateRenderer, AppState};
+
+use kernel::models::user::{User, UserStatus};
+use utils::get_password_hash;
 
 pub async fn register_form(
     State(app_state): State<AppState>
@@ -43,12 +46,12 @@ pub async fn perform_register(
         email: Some(register.email),
         handle: register.handle,
         full_name: None,
-        picture: None,
+        avatar_asset_id: None,
 
         password_hash,
         status: UserStatus::Active,
         roles: Json(Vec::new()), // take the default role in the config
-        activation_token: None,
+        reset_password_token: None,
         created_at: Utc::now(),
         website: None,
         last_login_at: None
@@ -66,7 +69,7 @@ pub async fn perform_register(
         .bind(user.roles)
         .bind(user.password_hash)
         .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db)
+        .execute(&app_state.db.0)
         .await;
     match res {
         Err(err) => {

lib/http_server/src/controllers/ui/reset_password.rs

@@ -0,0 +1,139 @@
+use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
+use log::{error, info};
+use serde::{Deserialize, Serialize};
+use minijinja::context;
+use fully_pub::fully_pub;
+
+use crate::{renderer::TemplateRenderer, AppState};
+
+use kernel::models::user::{User, UserStatus};
+use utils::get_password_hash;
+
+#[derive(Debug, Deserialize, Serialize)]
+#[fully_pub]
+enum ResetPasswordReason {
+    LostPassword,
+    Invitation
+}
+
+#[derive(Debug, Deserialize, Serialize)]
+#[fully_pub]
+struct ResetPasswordQueryParams {
+    token: String
+}
+
+pub async fn reset_password_form(
+    State(app_state): State<AppState>,
+    path: MatchedPath,
+    Extension(renderer): Extension<TemplateRenderer>,
+    Query(query_params): Query<ResetPasswordQueryParams>
+) -> impl IntoResponse {
+    let reason: ResetPasswordReason = match path.as_str() {
+        "/invitation" => ResetPasswordReason::Invitation,
+        "/reset-password" => ResetPasswordReason::LostPassword,
+        _ => unreachable!()
+    };
+    // 1. Verify token
+    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
+        .bind(&query_params.token)
+        .fetch_one(&app_state.db.0)
+        .await;
+    let _user = match user_res {
+        Ok(u) => u,
+        Err(sqlx::Error::RowNotFound) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Html("Invalid reset password token.")
+            ).into_response();
+        },
+        Err(err) => {
+            error!("Failed to retreive user from reset password token. {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to retreive user.")
+            ).into_response();
+        }
+    };
+    renderer.render(
+        "pages/reset_password",
+        context!(
+            reason => reason,
+            token => query_params.token,
+        )
+    ).into_response()
+}
+
+
+#[derive(Debug, Deserialize)]
+#[fully_pub]
+struct ResetPasswordForm {
+    token: String,
+    password: String,
+    password_confirmation: String
+}
+
+pub async fn perform_reset_password(
+    State(app_state): State<AppState>,
+    Form(reset_form): Form<ResetPasswordForm>
+) -> impl IntoResponse {
+    // 1. Verify token
+    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
+        .bind(&reset_form.token)
+        .fetch_one(&app_state.db.0)
+        .await;
+    let user = match user_res {
+        Ok(u) => u,
+        Err(sqlx::Error::RowNotFound) => {
+            return (
+                StatusCode::BAD_REQUEST,
+                Html("Invalid reset password token.")
+            ).into_response();
+        },
+        Err(err) => {
+            error!("Failed to retreive user from reset password token. {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to retreive user.")
+            ).into_response();
+        }
+    };
+    if reset_form.password != reset_form.password_confirmation {
+        return (
+            StatusCode::BAD_REQUEST,
+            Html("Form data error: The two passwords are differents.")
+        ).into_response();
+    }
+
+    let password_hash = Some(
+        get_password_hash(reset_form.password)
+            .expect("To process password").1
+    );
+    if user.status == UserStatus::Invited {
+        info!("The password of an Invited user was set: activation of user account");
+        // TODO: send welcome email
+    }
+    let res = sqlx::query("UPDATE users
+            SET password_hash = $2, status = $3, reset_password_token = NULL
+            WHERE id = $1
+        ")
+        .bind(user.id)
+        .bind(password_hash)
+        .bind(UserStatus::Active)
+        .execute(&app_state.db.0)
+        .await;
+    match res {
+        Err(err) => {
+            error!("Cannot update user: {}", err);
+            return (
+                StatusCode::INTERNAL_SERVER_ERROR,
+                Html("Internal server error: Failed to update user.")
+            ).into_response();
+        },
+        Ok(_v) => {
+            info!("Changed user's password successfuly.");
+        }
+    };
+    // TODO: add either "Successfully changed password" or "Account enabled successfully" message 
+    Redirect::to("/login").into_response()
+}
+

lib/http_server/src/controllers/ui/user_panel/authorizations.rs

@@ -4,7 +4,8 @@ use log::error;
 use minijinja::context;
 use serde::Deserialize;
 
-use crate::{models::{authorization::Authorization, token_claims::UserTokenClaims}, renderer::TemplateRenderer, server::AppState};
+use kernel::models::authorization::Authorization;
+use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
 
 pub async fn get_authorizations(
     State(app_state): State<AppState>,
@@ -13,7 +14,7 @@ pub async fn get_authorizations(
 ) -> impl IntoResponse {
     let user_authorizations = sqlx::query_as::<_, Authorization>("SELECT * FROM authorizations WHERE user_id = $1")
         .bind(&token_claims.sub)
-        .fetch_all(&app_state.db)
+        .fetch_all(&app_state.db.0)
         .await
         .expect("To get user authorization with user_id from claim");
     renderer.render(
@@ -37,7 +38,7 @@ pub async fn revoke_authorization(
 ) -> impl IntoResponse {
     let delete_res = sqlx::query("DELETE FROM authorizations WHERE id = $1")
         .bind(&form.authorization_id)
-        .execute(&app_state.db)
+        .execute(&app_state.db.0)
         .await;
     match delete_res {
         Ok(_) => {},

lib/http_server/src/lib.rs

@@ -1,24 +1,22 @@
-use base64::{prelude::BASE64_STANDARD, Engine};
+pub mod controllers;
+pub mod router;
+pub mod services;
+pub mod middlewares;
+pub mod renderer;
+pub mod token_claims;
+
 use fully_pub::fully_pub;
 use anyhow::{Result, Context};
+use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
 use log::info;
-use minijinja::{context, Environment};
-use sqlx::{Pool, Sqlite};
-use crate::{models::config::{AppSecrets, Config}, router::build_router};
+use minijinja::Environment;
 
-fn build_templating_env(config: &Config) -> Environment<'static> {
-    let mut env = Environment::new();
+use crate::{
+    router::build_router,
+    renderer::build_templating_env
+};
 
-    minijinja_embed::load_templates!(&mut env);
-
-    env.add_global("gl", context! {
-        instance => config.instance
-    });
-    env.add_function("encode_b64str", |bin_val: Vec<u8>| {
-        BASE64_STANDARD.encode(bin_val)
-    });
-    env
-}
+pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";
 
 #[derive(Debug)]
 #[fully_pub]
@@ -34,22 +32,20 @@ pub struct ServerConfig {
 pub struct AppState {
     secrets: AppSecrets,
     config: Config,
-    db: Pool<Sqlite>,
+    db: Storage,
     templating_env: Environment<'static>
 }
 
 pub async fn start_http_server(
     server_config: ServerConfig,
-    config: Config,
-    secrets: AppSecrets,
-    db_pool: Pool<Sqlite>
+    ctx: KernelContext
 ) -> Result<()> {
     // build state
     let state = AppState {
-        templating_env: build_templating_env(&config),
-        config,
-        secrets,
-        db: db_pool
+        templating_env: build_templating_env(&ctx.config),
+        config: ctx.config,
+        secrets: ctx.secrets,
+        db: ctx.storage
     };
 
     // build routes

lib/http_server/src/main.rs

@@ -1,9 +1,9 @@
 use argh::FromArgs;
 use anyhow::{Context, Result};
+use http_server::{start_http_server, ServerConfig};
+use kernel::{consts::DEFAULT_ASSETS_PATH, context::{get_kernel_context, StartKernelConfig}};
 use log::info;
 
-use crate::{get_app_context, server::{start_http_server, ServerConfig}, DEFAULT_ASSETS_PATH};
-
 #[derive(Debug, FromArgs)]
 /// Minauthator daemon
 struct ServerCliFlags {
@@ -27,22 +27,21 @@ struct ServerCliFlags {
     listen_port: u32
 }
 
-/// handle CLI arguments to start process daemon
-pub async fn start_server_cli() -> Result<()> {
+/// handle CLI arguments to start HTTP server daemon
+#[tokio::main]
+pub async fn main() -> Result<()> {
     info!("Starting minauth");
     let flags: ServerCliFlags = argh::from_env();
-    let (config, secrets, db_pool) = get_app_context(crate::StartAppConfig {
+    let kernel_context = get_kernel_context(StartKernelConfig {
         config_path: flags.config,
         database_path: flags.database
-    }).await.context("Getting app context")?;
+    }).await.context("Getting kernel context")?;
     start_http_server(
         ServerConfig {
             assets_path: flags.static_assets.unwrap_or(DEFAULT_ASSETS_PATH.to_string()),
             listen_host: flags.listen_host,
             listen_port: flags.listen_port
         },
-        config,
-        secrets,
-        db_pool
+        kernel_context
     ).await
 }

lib/http_server/src/middlewares/app_auth.rs

@@ -5,9 +5,12 @@ use axum::{
     response::{Html, IntoResponse, Response},
     Extension
 };
+use utils::parse_basic_auth;
 
 use crate::{
-    models::token_claims::AppUserTokenClaims, server::AppState, services::{app_session::AppClientSession, session::verify_token}, utils::parse_basic_auth
+    services::{app_session::AppClientSession, session::verify_token},
+    token_claims::AppUserTokenClaims,
+    AppState
 };
 
 

lib/http_server/src/middlewares/renderer.rs

@@ -1,6 +1,5 @@
 use axum::{extract::{Request, State}, http::StatusCode, middleware::Next, response::Response, Extension};
-
-use crate::{models::token_claims::UserTokenClaims, renderer::TemplateRenderer, server::AppState};
+use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
 
 pub async fn renderer_middleware(
     State(app_state): State<AppState>,

lib/http_server/src/middlewares/user_auth.rs

@@ -7,7 +7,9 @@ use axum::{
 use axum_extra::extract::CookieJar;
 
 use crate::{
-    consts::WEB_GUI_JWT_COOKIE_NAME, models::token_claims::UserTokenClaims, server::AppState, services::session::verify_token
+    services::session::verify_token,
+    token_claims::UserTokenClaims,
+    AppState, WEB_GUI_JWT_COOKIE_NAME
 };
 
 

lib/http_server/src/renderer.rs

@@ -1,9 +1,11 @@
 use axum::{http::StatusCode, response::{Html, IntoResponse}};
 use fully_pub::fully_pub;
+use kernel::models::config::Config;
 use log::error;
 use minijinja::{context, Environment, Value};
+use utils::encode_base64_picture;
 
-use crate::models::token_claims::UserTokenClaims;
+use crate::token_claims::UserTokenClaims;
 
 
 #[derive(Debug, Clone)]
@@ -43,3 +45,14 @@ impl TemplateRenderer {
     }
 }
 
+pub fn build_templating_env(config: &Config) -> Environment<'static> {
+    let mut env = Environment::new();
+
+    minijinja_embed::load_templates!(&mut env);
+
+    env.add_global("gl", context! {
+        instance => config.instance
+    });
+    env.add_function("inline_picture", encode_base64_picture);
+    env
+}

lib/http_server/src/router.rs

@@ -9,7 +9,7 @@ use crate::{
         app_auth,
         renderer::renderer_middleware
     },
-    server::{AppState, ServerConfig}
+    AppState, ServerConfig
 };
 
 pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router<AppState> {
@@ -19,6 +19,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
         .route("/register", post(ui::register::perform_register))
         .route("/login", get(ui::login::login_form))
         .route("/login", post(ui::login::perform_login))
+        .route("/invitation", get(ui::reset_password::reset_password_form))
+        .route("/reset-password", get(ui::reset_password::reset_password_form))
+        .route("/reset-password", post(ui::reset_password::perform_reset_password))
         .layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
         .layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));
 
@@ -43,7 +46,9 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
 
     let api_user_routes = Router::new()
         .route("/api/user", get(api::read_user::read_user_basic))
-        .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware));
+        .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
+        .route("/api", get(api::index::get_index))
+        .route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
 
     let well_known_routes = Router::new()
         .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));

lib/http_server/src/services/mod.rs

@@ -1,4 +1,3 @@
-pub mod password;
 pub mod session;
 pub mod oauth2;
 pub mod app_session;

lib/http_server/src/services/oauth2.rs

@@ -1,7 +1,7 @@
 use std::str::FromStr;
 use anyhow::{Result, Context};
 
-use crate::models::{authorization::AuthorizationScope, config::Application};
+use kernel::models::{authorization::AuthorizationScope, config::Application};
 
 pub fn verify_redirect_uri(app: &Application, input_redirect_uri: &str) -> bool {
     app.allowed_redirect_uris

lib/http_server/src/services/session.rs

@@ -1,8 +1,7 @@
 use anyhow::Result;
 use serde::{de::DeserializeOwned, Serialize};
 use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
-
-use crate::models::config::AppSecrets;
+use kernel::context::AppSecrets;
 
 
 pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {

lib/http_server/src/templates/pages/error.html

@@ -0,0 +1,11 @@
+{% extends "layouts/base.html" %}
+{% block body %}
+<h1>Internal server error</h1>
+
+{% if error %}
+<div class="alert alert-danger">
+    We are sorry. We've rencountered an unrecoverable error.
+</div>
+{% endif %}
+{% endblock %}
+

lib/http_server/src/templates/pages/me/details-form.html

@@ -55,10 +55,9 @@
         />
     </div>
     <div class="mb-3">
-        <label for="picture">Profile picture</label>
-        <!-- for now, no JPEG -->
+        <label for="avatar">Profile picture</label>
         <input
-            id="picture" name="picture"
+            id="avatar" name="avatar"
             type="file"
             accept="image/gif, image/png, image/jpeg"
             class="form-control"

lib/http_server/src/templates/pages/me/index.html

@@ -5,9 +5,12 @@
 <a href="/me/details-form">Update details.</a>
 <a href="/me/authorizations">Manage authorizations.</a>
 
-<p>
-{% if user.picture %}
-    <img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
+{% if user.avatar_asset_id %}
+<div class="my-3">
+    <img
+        src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
+        style="width: 150px; height: 150px; object-fit: contain">
+</div>
 {% endif %}
 <ul>
     <li>

lib/http_server/src/templates/pages/reset_password.html

@@ -0,0 +1,54 @@
+{% extends "layouts/base.html" %}
+{% block body %}
+{% if reason == "Invitation" %}
+<h1>Invitation</h1>
+{% endif %}
+{% if reason == "LostPassword" %}
+<h1>Reset your password</h1>
+{% endif %}
+<!-- Reset password form -->
+{% if error %}
+<div class="alert alert-danger">
+    Error: {{ error }}
+</div>
+{% endif %}
+{% if info %}
+<div class="alert alert-info">
+    Info: {{ info }}
+</div>
+{% endif %}
+{% if reason == "Invitation" %}
+<p>
+    Pour activer votre compte, veuillez définir votre mot de passe.
+</p>
+{% endif %}
+{% if reason == "LostPassword" %}
+<p>
+    Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
+</p>
+{% endif %}
+<form id="reset-password-form" method="post" action="/reset-password">
+    <div class="mb-3">
+        <label for="password" class="form-label">New password</label>
+        <input
+            id="password" name="password" type="password"
+            required
+            class="form-control"
+        />
+    </div>
+    <div class="mb-3">
+        <label for="password" class="form-label">New password confirmation</label>
+        <input
+            id="password_confirmation" name="password_confirmation" type="password"
+            required
+            class="form-control"
+        />
+    </div>
+    <input
+        id="token" name="token" type="hidden"
+        value="{{ token }}"
+    />
+
+    <button type="submit" class="btn btn-primary">Change password</button>
+</form>
+{% endblock %}

lib/http_server/src/token_claims.rs

@@ -1,10 +1,9 @@
 use fully_pub::fully_pub;
 use jsonwebtoken::get_current_timestamp;
+use kernel::models::authorization::AuthorizationScope;
 use serde::{Deserialize, Serialize};
 use time::Duration;
 
-use super::authorization::AuthorizationScope;
-
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[fully_pub]
 struct UserTokenClaims {

lib/kernel/Cargo.toml

@@ -0,0 +1,25 @@
+[package]
+name = "kernel"
+edition = "2021"
+
+[dependencies]
+utils = { path = "../utils" }
+
+anyhow = { workspace = true }
+thiserror = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+fully_pub = { workspace = true }
+strum = { workspace = true }
+strum_macros = { workspace = true }
+serde = { workspace = true }
+serde_json = { workspace = true }
+chrono = { workspace = true }
+toml = { workspace = true }
+sqlx = { workspace = true }
+dotenvy = { workspace = true }
+sha2 = { workspace = true }
+hex-literal = { workspace = true }
+
+uuid = { workspace = true }
+url = { workspace = true }

lib/kernel/src/actions/mod.rs

@@ -0,0 +1 @@
+pub mod users;

lib/kernel/src/actions/users.rs

@@ -0,0 +1,44 @@
+use crate::{context::KernelContext, models::user::User};
+
+use anyhow::{Context, Result};
+use chrono::SecondsFormat;
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum CreateUserErr {
+    #[error("Handle or email for user is already used.")]
+    HandleOrEmailNotUnique,
+
+    #[error("Database error.")]
+    DatabaseErr(String)
+}
+
+pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
+    let res = sqlx::query("
+        INSERT INTO users
+            (id, handle, email, status, roles, password_hash, reset_password_token, created_at)
+            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+        ")
+        .bind(user.id)
+        .bind(user.handle)
+        .bind(user.email)
+        .bind(user.status.to_string())
+        .bind(user.roles)
+        .bind(user.password_hash)
+        .bind(user.reset_password_token)
+        .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
+        .execute(&ctx.storage.0)
+        .await;
+    match res {
+        Err(err) => {
+            let db_err = &err.as_database_error().unwrap();
+            if db_err.code().unwrap() == "2067" {
+                Err(CreateUserErr::HandleOrEmailNotUnique)
+            } else {
+                dbg!(&err);
+                Err(CreateUserErr::DatabaseErr(db_err.to_string()))
+            }
+        }
+        Ok(_) => Ok(())
+    }
+}

lib/kernel/src/consts.rs

@@ -0,0 +1,4 @@
+pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
+pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
+pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";
+

lib/kernel/src/context.rs

@@ -0,0 +1,64 @@
+use std::{env, fs};
+use anyhow::{Result, Context, anyhow};
+use fully_pub::fully_pub;
+
+use log::info;
+use sqlx::{Pool, Sqlite};
+use crate::{
+    consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH}, database::prepare_database, models::config::Config, repositories::storage::Storage
+};
+
+/// get server config
+fn get_config(path: String) -> Result<Config> {
+    let inp_def_yaml = fs::read_to_string(path)
+        .expect("Should have been able to read the the config file");
+
+    toml::from_str(&inp_def_yaml)
+        .map_err(|e| anyhow!("Failed to parse config, {:?}", e))
+}
+
+#[fully_pub]
+struct StartKernelConfig {
+    config_path: Option<String>,
+    database_path: Option<String>,
+}
+
+#[derive(Debug, Clone)]
+#[fully_pub]
+struct AppSecrets {
+    jwt_secret: String
+}
+
+#[derive(Debug, Clone)]
+#[fully_pub]
+struct KernelContext {
+    config: Config,
+    secrets: AppSecrets,
+    storage: Storage
+}
+
+pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
+    env_logger::init();
+    let _ = dotenvy::dotenv();
+
+    let database_path = &start_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
+    info!("Using database file at {}", database_path);
+    let storage = prepare_database(database_path).await.context("Could not prepare db.")?;
+
+    let config_path = start_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
+    info!("Using config file at {}", &config_path);
+    let config: Config = get_config(config_path)
+        .expect("Cannot get config.");
+
+    let _ = dotenvy::dotenv();
+    let secrets = AppSecrets {
+        jwt_secret: env::var("APP_JWT_SECRET")
+            .context("Expected APP_JWT_SECRET environment variable to exists.")?
+    };
+
+    Ok(KernelContext {
+        config,
+        secrets,
+        storage
+    })
+}

lib/kernel/src/database.rs

@@ -1,8 +1,10 @@
 use anyhow::{Context, Result};
-use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, Pool, Sqlite, ConnectOptions};
+use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, ConnectOptions};
 use std::str::FromStr;
 
-pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
+use crate::repositories::storage::Storage;
+
+pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
     let conn_str = format!("sqlite:{}", sqlite_db_path);
 
     let pool = SqlitePoolOptions::new()
@@ -14,6 +16,6 @@ pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
         .await
         .context("could not connect to database_url")?;
 
-    Ok(pool)
+    Ok(Storage(pool))
 }
 

lib/kernel/src/lib.rs

@@ -0,0 +1,7 @@
+pub mod models;
+pub mod database;
+pub mod consts;
+pub mod context;
+pub mod actions;
+pub mod repositories;
+

lib/kernel/src/models/config.rs

@@ -69,7 +69,6 @@ struct Config {
     roles: Vec<Role>
 }
 
-
 #[derive(Debug, Clone)]
 #[fully_pub]
 struct AppSecrets {

lib/kernel/src/models/mod.rs

@@ -1,4 +1,4 @@
 pub mod config;
 pub mod user;
+pub mod user_asset;
 pub mod authorization;
-pub mod token_claims;

lib/kernel/src/models/user.rs

@@ -0,0 +1,61 @@
+use fully_pub::fully_pub;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sqlx::types::Json;
+use utils::get_random_human_token;
+use uuid::Uuid;
+
+#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
+#[derive(strum_macros::Display)]
+#[fully_pub]
+enum UserStatus {
+    Disabled,
+    Invited,
+    Active
+}
+
+#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
+#[fully_pub]
+struct User {
+    /// uuid
+    id: String,
+    handle: String,
+    full_name: Option<String>,
+    email: Option<String>,
+    website: Option<String>,
+    avatar_asset_id: Option<String>,
+    password_hash: Option<String>, // argon2 password hash
+    status: UserStatus,
+    roles: Json<Vec<String>>,
+    reset_password_token: Option<String>,
+
+    last_login_at: Option<DateTime<Utc>>,
+    created_at: DateTime<Utc>
+}
+
+impl User {
+    pub fn new(
+        handle: String
+    ) -> User {
+        User {
+            id: Uuid::new_v4().to_string(),
+            handle,
+            full_name: None,
+            email: None,
+            website: None,
+            avatar_asset_id: None,
+            password_hash: None,
+            status: UserStatus::Disabled,
+            roles: Json(Vec::new()),
+            reset_password_token: None,
+            last_login_at: None,
+            created_at: Utc::now()
+        }
+    }
+
+    pub fn invite(self: &mut Self) {
+        self.reset_password_token = Some(get_random_human_token());
+        self.status = UserStatus::Invited;
+    }
+
+}

lib/kernel/src/models/user_asset.rs

@@ -0,0 +1,41 @@
+use fully_pub::fully_pub;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+use sha2::{Sha256, Digest};
+
+use super::user::User;
+
+
+#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
+#[fully_pub]
+struct UserAsset {
+    /// uuid
+    id: String,
+    user_id: String,
+    mime_type: String,
+    fingerprint: String,
+    name: Option<String>,
+    content: Vec<u8>,
+    created_at: DateTime<Utc>
+}
+
+impl UserAsset {
+    pub fn new(
+        user: &User,
+        content: Vec<u8>,
+        mime_type: String,
+        name: Option<String>
+    ) -> UserAsset {
+        let digest = Sha256::digest(&content);
+        UserAsset {
+            id: Uuid::new_v4().to_string(),
+            user_id: user.id.clone(),
+            fingerprint: format!("{:x}", digest),
+            mime_type,
+            content,
+            name,
+            created_at: Utc::now()
+        }
+    }
+}

lib/kernel/src/repositories/mod.rs

@@ -0,0 +1,2 @@
+pub mod storage;
+pub mod users;

lib/kernel/src/repositories/storage.rs

@@ -0,0 +1,7 @@
+use fully_pub::fully_pub;
+use sqlx::{Pool, Sqlite};
+
+/// storage interface
+#[fully_pub]
+#[derive(Clone, Debug)]
+struct Storage(Pool<Sqlite>);

lib/kernel/src/repositories/users.rs

@@ -0,0 +1,48 @@
+// user repositories
+
+use crate::models::{user::User, user_asset::UserAsset};
+
+use super::storage::Storage;
+use anyhow::{Result, Context};
+
+pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
+    sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+        .bind(user_id)
+        .fetch_one(&storage.0)
+        .await
+        .context("To get user by id.")
+}
+
+pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
+    sqlx::query_as::<_, User>("SELECT * FROM users")
+        .fetch_all(&storage.0)
+        .await
+        .context("To get users.")
+}
+
+pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
+    sqlx::query("INSERT INTO user_assets
+        (id, user_id, mime_type, fingerprint, content, created_at)
+        VALUES ($1, $2, $3, $4, $5, $6)
+    ")
+        .bind(&asset.id)
+        .bind(&asset.user_id)
+        .bind(&asset.mime_type)
+        .bind(&asset.fingerprint)
+        .bind(&asset.content)
+        .bind(&asset.created_at)
+        .execute(&storage.0)
+        .await
+        .context("While inserting user asset.")?;
+            // .bind(details_update.avatar.contents.to_vec())
+    Ok(())
+}
+
+pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
+    sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
+        .bind(id)
+        .fetch_one(&storage.0)
+        .await
+        .context("To get user asset by id.")
+}
+

lib/utils/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "utils"
+edition = "2021"
+
+[dependencies]
+anyhow = { workspace = true }
+argon2 = "0.5"
+base64 = "0.22"
+rand = "0.8.5"
+rand_core = { version = "0.6.4", features = ["std"] }

lib/utils/src/lib.rs

@@ -43,6 +43,18 @@ pub fn get_random_alphanumerical(length: usize) -> String {
         .collect()
 }
 
+/// Generate easy to type token
+pub fn get_random_human_token() -> String {
+    return format!(
+        "{}-{}-{}-{}-{}",
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4)
+    ).to_uppercase();
+}
+
 pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
     let header_val_components: Vec<&str> = header_value.split(" ").collect();
     let encoded_header_value: &str = header_val_components
@@ -61,3 +73,7 @@ pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
     ))
 }
 
+pub fn encode_base64_picture(picture_bytes: Vec<u8>) -> String {
+    let encoded = BASE64_STANDARD.encode(picture_bytes);
+    return format!("data:image/*;base64,{}", encoded);
+}

migrations/all.sql

@@ -5,16 +5,27 @@ CREATE TABLE users (
     full_name            TEXT,
     email                TEXT UNIQUE,
     website              TEXT,
-    picture             BLOB,
     roles                TEXT NOT NULL, -- json array of user roles
+    avatar_asset_id      TEXT,
 
-    status              TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
+    status               TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
     password_hash        TEXT,
-    activation_token    TEXT,
+    reset_password_token TEXT,
     last_login_at        DATETIME,
     created_at           DATETIME NOT NULL
 );
 
+DROP TABLE IF EXISTS user_assets;
+CREATE TABLE user_assets (
+    id                   TEXT PRIMARY KEY,
+    user_id              TEXT NOT NULL,
+    mime_type            TEXT NOT NULL,
+    fingerprint          TEXT NOT NULL,
+    name                 TEXT, -- file name
+    content              BLOB NOT NULL,
+    created_at           DATETIME NOT NULL
+);
+
 DROP TABLE IF EXISTS authorizations;
 CREATE TABLE authorizations (
     id                  TEXT PRIMARY KEY,

src/consts.rs

@@ -1 +0,0 @@
-pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";

src/main.rs

@@ -1,62 +0,0 @@
-pub mod models;
-pub mod controllers;
-pub mod router;
-pub mod server;
-pub mod database;
-pub mod cli;
-pub mod utils;
-pub mod services;
-pub mod middlewares;
-pub mod renderer;
-pub mod consts;
-
-use std::{env, fs};
-use anyhow::{Result, Context, anyhow};
-
-use database::prepare_database;
-use log::info;
-use sqlx::{Pool, Sqlite};
-use models::config::{AppSecrets, Config};
-
-pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
-pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
-pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";
-
-fn get_config(path: String) -> Result<Config> {
-    let inp_def_yaml = fs::read_to_string(path)
-        .expect("Should have been able to read the the config file");
-
-    toml::from_str(&inp_def_yaml)
-        .map_err(|e| anyhow!("Failed to parse config, {:?}", e))
-}
-
-struct StartAppConfig {
-    config_path: Option<String>,
-    database_path: Option<String>,
-}
-
-#[tokio::main]
-async fn main() -> Result<()> {
-    cli::start_server_cli().await
-}
-
-async fn get_app_context(start_app_config: StartAppConfig) -> Result<(Config, AppSecrets, Pool<Sqlite>)> {
-    env_logger::init();
-    let _ = dotenvy::dotenv();
-
-    let database_path = &start_app_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
-    info!("Using database file at {}", database_path);
-    let pool = prepare_database(database_path).await.context("Could not prepare db.")?;
-
-    let config_path = start_app_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
-    info!("Using config file at {}", &config_path);
-    let config: Config = get_config(config_path)
-        .expect("Cannot get config.");
-
-    dotenvy::dotenv().context("loading .env")?;
-    let secrets = AppSecrets {
-        jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
-    };
-
-    Ok((config, secrets, pool))
-}

src/models/user.rs

@@ -1,31 +0,0 @@
-use fully_pub::fully_pub;
-use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
-use sqlx::types::Json;
-
-#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
-#[derive(strum_macros::Display)]
-#[fully_pub]
-enum UserStatus {
-    Active,
-    Disabled
-}
-
-#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
-#[fully_pub]
-struct User {
-    /// uuid
-    id: String,
-    handle: String,
-    full_name: Option<String>,
-    email: Option<String>,
-    website: Option<String>,
-    picture: Option<Vec<u8>>, // embeded blob to store profile pic
-    password_hash: Option<String>, // argon2 password hash
-    status: UserStatus,
-    roles: Json<Vec<String>>,
-    activation_token: Option<String>,
-
-    last_login_at: Option<DateTime<Utc>>,
-    created_at: DateTime<Utc>
-}

src/services/password.rs

@@ -1,35 +0,0 @@
-use anyhow::{anyhow, Result};
-use argon2::{
-    password_hash::{
-        rand_core::OsRng,
-        PasswordHash, PasswordHasher, PasswordVerifier, SaltString
-    },
-    Argon2
-};
-
-pub fn get_password_hash(password: String) -> Result<(String, String)> {
-    let salt = SaltString::generate(&mut OsRng);
-
-    // Argon2 with default params (Argon2id v19)
-    let argon2 = Argon2::default();
-
-    // Hash password to PHC string ($argon2id$v=19$...)
-    match argon2.hash_password(password.as_bytes(), &salt) {
-        Ok(val) => Ok((salt.to_string(), val.to_string())),
-        Err(_) => Err(anyhow!("Failed to process password."))
-    }
-}
-
-pub fn verify_password_hash(password_hash: String, password: String) -> Result<()> {
-    let parsed_hash = match PasswordHash::new(&password_hash) {
-        Ok(val) => val,
-        Err(_) => {
-            return Err(anyhow!("Failed to parse password hash"));
-        }
-    };
-    match Argon2::default().verify_password(password.as_bytes(), &parsed_hash) {
-        Ok(()) => Ok(()),
-        Err(_) => Err(anyhow!("Failed to verify password."))
-    }
-}
-

tests/hurl_integration/run_scenario.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/sh
+
+set -eou pipefail
+
+scenario_name="$1"
+project_root="$(dirname $(cargo locate-project | jq -r .root))"
+scenario_dir="$project_root/tests/hurl_integration/$1"
+scenario_tmp_dir_path="$project_root/tmp/tests/$scenario_name"
+database_path="$project_root/tmp/tests/$scenario_name/minauthator.db"
+
+echo "Starting scenario $scenario_name."
+mkdir -p $scenario_tmp_dir_path
+if [ -f $database_path ]; then
+    rm $database_path
+fi
+sqlite3 $database_path < $project_root/migrations/all.sql
+
+export DB_PATH=$database_path
+if [ -f $scenario_dir/init_db.sh ]; then
+    $scenario_dir/init_db.sh
+fi
+
+pkill -f $project_root/target/debug/minauthator-server &
+sleep 0.1
+$project_root/target/debug/minauthator-server \
+    --config "$scenario_dir/config.toml" \
+    --database  $database_path \
+    --listen-host "127.0.0.1" \
+    --listen-port "8086" \
+    --static-assets "$project_root/assets" &
+
+server_pid=$!
+sleep 0.2
+hurl \
+    --variable base_url="http://localhost:8086" \
+    --test --error-format long \
+    $scenario_dir/main.hurl
+kill $server_pid
+echo "End of scenario."

tests/hurl_integration/scenario_1/config.toml

@@ -0,0 +1,56 @@
+[instance]
+base_uri = "http://localhost:8086"
+name = "Example org"
+logo_uri = "https://example.org/logo.png"
+
+[[applications]]
+slug = "demo_app"
+name = "Demo app"
+description = "A super application where you can do everything you want."
+client_id = "00000001-0000-0000-0000-000000000001"
+client_secret = "dummy_client_secret"
+login_uri = "https://localhost:9876"
+allowed_redirect_uris = [
+    "http://localhost:9090/callback",
+    "http://localhost:9876/callback"
+]
+visibility = "Internal"
+authorize_flow = "Implicit"
+
+[[applications]]
+slug = "wiki"
+name = "Wiki app"
+description = "The knowledge base of the exemple org."
+client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
+client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
+login_uri = "https://wiki.example.org/login"
+allowed_redirect_uris = [
+    "https://wiki.example.org/oauth2/callback"
+]
+visibility = "Public"
+authorize_flow = "Implicit"
+
+[[applications]]
+slug = "private_app"
+name = "Demo app"
+description = "Private app you should never discover"
+client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
+client_secret = "this_is_the_secret"
+login_uri = "https://private-app.org"
+allowed_redirect_uris = [
+    "http://localhost:9091/authorize",
+]
+visibility = "Private"
+authorize_flow = "Implicit"
+
+[[roles]]
+slug = "basic"
+name = "Basic"
+description = "Basic user"
+default = true
+
+[[roles]]
+slug = "admin"
+name = "Administrator"
+description = "Full power on organization instance"
+

tests/hurl_integration/scenario_1/init_db.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/bash
+
+password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
+echo $password_hash
+SQL=$(cat <<EOF
+    INSERT INTO users
+        (id, handle, email, roles, status, password_hash, created_at)
+        VALUES
+        ('$(uuid)', 'root', 'root@example.org', '[]', 'Active', '$password_hash', '2024-11-30T00:00:00Z');
+EOF)
+echo $SQL | sqlite3 $DB_PATH

tests/hurl_integration/scenario_1/main.hurl

@@ -0,0 +1,88 @@
+GET {{ base_url }}/api
+HTTP 200
+[Asserts]
+jsonpath "$.software" == "Minauthator"
+
+POST {{ base_url }}/login
+[FormParams]
+login: root
+password: root
+HTTP 303
+[Captures]
+user_jwt: cookie "minauthator_jwt"
+[Asserts]
+cookie "minauthator_jwt" exists
+cookie "minauthator_jwt[Value]" contains "eyJ0"
+cookie "minauthator_jwt[SameSite]" == "Lax"
+
+GET {{ base_url }}/me
+HTTP 200
+Content-Type: text/html; charset=utf-8
+[Asserts]
+xpath "string(///h1)" == "Welcome root!"
+
+POST {{ base_url }}/me/details-form
+[MultipartFormData]
+handle: root
+email: root@johndoe.net
+full_name: John Doe
+website: https://johndoe.net
+picture: file,john_doe_profile_pic.jpg; image/jpeg
+HTTP 200
+
+GET {{ base_url }}/me/authorizations
+HTTP 200
+[Asserts]
+xpath "string(///h1)" == "Your authorizations"
+xpath "string(///i)" == "You didn't authorized or accessed any applications for now."
+
+# OAuth2 implicit flow (pre-granted app)
+GET {{ base_url }}/authorize
+[QueryStringParams]
+client_id: 00000001-0000-0000-0000-000000000001
+response_type: code
+redirect_uri: http://localhost:9090/callback
+state: Afk4kf6pbZkms78jM
+scope: user_read_basic
+HTTP 302
+[Asserts]
+header "Location" contains "http://localhost:9090/callback?code="
+[Captures]
+authorization_code: header "Location" regex "\\?code=(.*)&"
+
+# OAuth2 get access token
+POST {{ base_url }}/api/token
+[BasicAuth]
+00000001-0000-0000-0000-000000000001: dummy_client_secret
+[FormParams]
+code: {{ authorization_code }}
+scope: user_read_basic
+redirect_uri: http://localhost:9090/callback
+grant_type: authorization_code
+HTTP 200
+Content-Type: application/json
+[Asserts]
+jsonpath "$.access_token" exists
+jsonpath "$.access_token" matches "eyJ[[:alpha:]0-9].[[:alpha:]0-9].[[:alpha:]0-9]"
+[Captures]
+access_token: jsonpath "$.access_token"
+
+# Get basic user info
+GET {{ base_url }}/api/user
+Authorization: JWT {{ access_token }}
+HTTP 200
+Content-Type: application/json
+[Asserts]
+jsonpath "$.handle" == "root"
+jsonpath "$.email" == "root@johndoe.net"
+
+GET {{ base_url }}/me/authorizations
+HTTP 200
+[Asserts]
+xpath "string(///h1)" == "Your authorizations"
+xpath "string(///main/ul/li)" contains "UserReadBasic"
+
+GET {{ base_url }}/logout
+HTTP 303
+[Asserts]
+cookie "minauthator_jwt" == ""

tests/hurl_integration/user_invitation_scenario/config.toml

@@ -0,0 +1,9 @@
+applications = []
+
+roles = []
+
+[instance]
+base_uri = "http://localhost:8086"
+name = "Example org"
+logo_uri = "https://example.org/logo.png"
+

tests/hurl_integration/user_invitation_scenario/init_db.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/bash
+
+SQL=$(cat <<EOF
+    INSERT INTO users
+        (id, handle, email, roles, status, reset_password_token, created_at)
+        VALUES
+        ('$(uuid)', 'invited_user', 'invited-user@example.org', '[]', 'Invited', 'Z433-Y001-V987-P500', '2024-11-30T00:00:00Z');
+EOF)
+echo $SQL | sqlite3 $DB_PATH

tests/hurl_integration/user_invitation_scenario/main.hurl

@@ -0,0 +1,28 @@
+GET {{ base_url }}/api
+HTTP 200
+[Asserts]
+jsonpath "$.software" == "Minauthator"
+
+GET {{ base_url }}/invitation
+[QueryStringParams]
+token: Z433-Y001-V987-P500
+HTTP 200
+[Asserts]
+xpath "string(///h1)" contains "Invitation"
+
+POST {{ base_url }}/reset-password
+[FormParams]
+token: Z433-Y001-V987-P500
+password: newpassword10!
+password_confirmation: newpassword10!
+HTTP 303
+[Asserts]
+header "Location" == "/login"
+
+POST {{ base_url }}/login
+[FormParams]
+login: invited_user
+password: newpassword10!
+HTTP 303
+[Asserts]
+cookie "minauthator_jwt" exists

tests/manual/all.sh

@@ -0,0 +1,8 @@
+#!/usr/bin/sh
+
+set -xeuo pipefail
+
+./login.sh
+./authorize.sh
+./access_token_request.sh
+./get_user_info.sh

tests/manual/authorize.sh

@@ -6,7 +6,7 @@ curl -v http://localhost:8085/authorize \
     --cookie "tmp/.curl-cookies" \
     -d client_id="a1785786-8be1-443c-9a6f-35feed703609" \
     -d response_type="code" \
-    -d redirect_uri="http://localhost:9090/authorize" \
+    -d redirect_uri="http://localhost:9090/callback" \
     -d scope="user_read_basic" \
     -d state="qxYAfk4kf6pbZkms78jM"