Merge branch 'feat_user_avatar_public_asset'

feat: user avatar as public asset
docs: update README
2024-12-07 18:20:04 +01:00 · 2024-12-05 23:08:39 +01:00 · 2024-12-04 19:55:26 +01:00 · 2024-12-04 19:52:59 +01:00 · 2024-12-03 23:58:26 +01:00 · 2024-12-03 19:20:03 +01:00
35 changed files with 620 additions and 100 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,7 @@
+target
+.env
+tmp
+Dockerfile
+.dockerignore
+justfile
+config.toml
--- a/Cargo.lock
+++ b/Cargo.lock
@ -22,7 +22,13 @@ name = "admin_cli"
 version = "0.0.0"
 dependencies = [
 "anyhow",
+ "argh",
+ "env_logger",
 "fully_pub",
+ "kernel",
+ "log",
+ "thiserror 2.0.3",
+ "tokio",
 ]

 [[package]]
@ -873,6 +879,12 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"

+[[package]]
+name = "hex-literal"
+version = "0.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fe2267d4ed49bc07b63801559be28c718ea06c4738b7a03c94df7386d2cde46"
+
 [[package]]
 name = "hkdf"
 version = "0.12.4"
@ -965,6 +977,7 @@ dependencies = [
 "sqlx",
 "strum",
 "strum_macros",
+ "thiserror 2.0.3",
 "time",
 "tokio",
 "tower-http",
@ -1249,12 +1262,15 @@ dependencies = [
 "dotenvy",
 "env_logger",
 "fully_pub",
+ "hex-literal",
 "log",
 "serde",
 "serde_json",
+ "sha2",
 "sqlx",
 "strum",
 "strum_macros",
+ "thiserror 2.0.3",
 "toml",
 "url",
 "utils",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -1,9 +1,11 @@
-cargo-features = ["codegen-backend"]
+# cargo-features = ["codegen-backend"]

-[profile.dev]
-codegen-backend = "cranelift"
+# [profile.dev]
+# codegen-backend = "cranelift"
+# # END OF

 [workspace]
+resolver = "2"
 members = [
    "lib/kernel",
    "lib/utils",
@ -14,18 +16,21 @@ members = [
 [workspace.dependencies]
 # commons utils
 anyhow = "1.0"
+thiserror = "2"
 fully_pub = "0.1"
 strum = "0.26.3"
 strum_macros = "0.26"
 uuid = { version = "1.8", features = ["serde", "v4"] }
 dotenvy = "0.15.7"
 url = "2.5.3"
+sha2 = "0.10"
+hex-literal = "0.4"

 # CLI
 argh = "0.1"

 # Async
-tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
+tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] }

 # Logging
 log = "0.4"
--- a/37
+++ b/37
@ -0,0 +1,37 @@
+FROM rust:1.83-alpine3.20 AS builder
+
+WORKDIR /usr/src/minauthator
+COPY . .
+
+RUN apk add musl-dev
+
+RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
+RUN cargo install --bin minauthator-server --locked --path lib/http_server
+
+FROM alpine:3.20 AS base
+
+RUN apk add sqlite
+COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
+COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
+RUN mkdir -p \
+    /usr/local/src/minauthator/migrations \
+    /usr/local/lib/minauthator/assets \
+    /var/lib/minauthator \
+    /etc/minauthator
+COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
+COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
+COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
+
+RUN addgroup -g 1000 app && \
+    adduser -S -u 1000 -G app -s /bin/sh app && \
+    chown -R app:app /var/lib/minauthator && \
+    chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
+
+USER app:app
+ENV RUST_LOG=info
+ENV RUST_BACKTRACE=1
+ENV APP_JWT_SECRET="DummyAppSecret20241029"
+
+CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]
+
+
--- a/README.md
+++ b/README.md
@ -1,24 +1,45 @@
 # Minauthator

-Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
+Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).

-This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
+This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS).
+
+This project also aims to provide features while being frugal and minimalist.

 **Project status: *early development, work-in-progress***

 ## Features

- Login
- Register
- OpenID Connect & OAuth 2.0
- Activation token
- Profile details
- Static apps
- User roles
- MFA/TOTP
- Email notifications
- Login page customization
- App carousel (App presentation to users)
+- [x] Login
+- [x] Register
+- [x] OpenID Connect & OAuth 2.0
+- [x] Activation token
+- [x] Profile details
+- [x] Static apps
+- [x] Admin CLI to manage user.
+- [x] User invitation with human token
+- [ ] User roles
+- [ ] User groups
+- [ ] MFA/TOTP
+- [ ] Email notifications
+- [ ] Login page customization
+- [x] App listing (App presentation to users)
+- [x] Implicit OAuth 2.0 flow
+- [ ] Email verification
+- [ ] GPG keys verification and signing
+- [ ] Docker deployment
+- [ ] Full user panel & user privacy control
+
+## Architecture
+
+- Sqlite DB
+- Kernel
+- Http server
+    - Public API
+    - User API
+    - Third-party OAuth2 app/client API
+    - Web GUI (no Javascript)
+- Admin CLI

 ## Deps

@ -28,4 +49,4 @@ This project aims to allow an organization to setup [single sign-on (SSO)](https

 - [Authentik](https://goauthentik.io/)
 - [Keycloak](https://www.keycloak.org/)
-
+- [Kanidm](https://kanidm.com/)
--- a/TODO.md
+++ b/TODO.md
@ -1,5 +1,23 @@
 # TODO

+- [ ] i18n strings in the http website.
+
+- [ ] Instance customization support
+
+- [ ] Public endpoint to get user avatar by id
+- [ ] Rework avatar upload to limit size and process the image?
+
+- Authorize form
+    - [ ] Show details about permissions
+    - [ ] Show app logo
+
+- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+
+- [ ] feat(perms): add groups and roles
+
+- [ ] UserWebGUI: add TOTP
+- [ ] send emails to users
+
 - [x] Login form
 - [x] Register form
 - [x] Redirect to login form if unauthenticated
@ -13,20 +31,12 @@
 - [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
    - .well-known/openid-configuration

+- [x] architecture refactor
+- [x] AdminCLI: init
+- [x] AdminCLI: list users
+- [x] AdminCLI: create and invite user

- [ ] i18n strings in the http website.
-
- [ ] App config
-    - Add app logo (URI?)
-
- [ ] Public endpoint to get user avatar by id
- [ ] Rework avatar upload to limit size and process the image?
-
- [ ] Authorize form
-    - Show details about permissions
-    - Show app logo
-
- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
+- [x] UserWebGUI: Invitation

 - [x] UserWebGUI: Redirect to login when JWT expire
 - [x] UserWebGUI: Show user authorizations.
@ -37,14 +47,6 @@

 - [x] UserWebGUI: activate account with token

- [ ] feat(perms): add groups and roles
-
- [ ] UserWebGUI: add TOTP
- [ ] send emails to users
-
- Architecture: do we have an admin API?
-
- [ ] AdminCLI: init
- [ ] AdminWebGUI: List users
- [ ] AdminWebGUI: Assign groups to users
- [ ] AdminWebGUI: Create invitation
+- [X] basic docker setup
+- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
+- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/
--- a/admin.sh
+++ b/admin.sh
@ -0,0 +1,3 @@
+#!/usr/bin/sh
+
+cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@
--- a/init_db.sh
+++ b/init_db.sh
@ -0,0 +1,10 @@
+#!/bin/sh
+
+DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
+DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
+
+DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
+MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
+
+sqlite3 $DB_PATH < $MIGRATION_PATH
+
--- a/33
+++ b/33
@ -1,21 +1,32 @@
 export RUST_BACKTRACE := "1"
 export RUST_LOG := "trace"
-export RUN_ARGS := "run --bin minauthator-server -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets"
+export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"

-watch-run:
-    cargo-watch -x "$RUN_ARGS"
+watch-server:
+    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"

-run:
-    cargo $RUN_ARGS
+server:
+    cargo run --bin minauthator-server -- $CONTEXT_ARGS

-docker-run:
-    docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
-
-docker-init-db:
-    docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
+admin:
+    cargo run --bin minauthator-admin -- $CONTEXT_ARGS

 docker-build:
-    docker build -t minauthator .
+    docker build -t lefuturiste/minauthator .
+
+docker-init-db:
+    docker run \
+        -v ./tmp/docker/config:/etc/minauthator \
+        -v minauthator-db:/var/lib/minauthator \
+        lefuturiste/minauthator \
+        /usr/local/bin/minauthator_init_db.sh
+
+docker-run:
+    docker run \
+        -p 127.0.0.1:3085:8080 \
+        -v ./tmp/docker/config:/etc/minauthator \
+        -v minauthator-db:/var/lib/minauthator \
+        lefuturiste/minauthator

 init-db:
    sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql
--- a/lib/admin_cli/Cargo.toml
+++ b/lib/admin_cli/Cargo.toml
@ -2,10 +2,17 @@
 name = "admin_cli"
 edition = "2021"

-[dependencies]
-anyhow = { workspace = true }
-fully_pub = { workspace = true }
-
 [[bin]]
 name = "minauthator-admin"
 path = "src/main.rs"
+
+[dependencies]
+anyhow = { workspace = true }
+thiserror = { workspace = true }
+fully_pub = { workspace = true }
+argh = { workspace = true }
+tokio = { workspace = true }
+log = { workspace = true }
+env_logger = { workspace = true }
+
+kernel = { path = "../kernel" }
--- a/lib/admin_cli/src/commands/mod.rs
+++ b/lib/admin_cli/src/commands/mod.rs
@ -0,0 +1 @@
+pub mod users;
--- a/lib/admin_cli/src/commands/users.rs
+++ b/lib/admin_cli/src/commands/users.rs
@ -0,0 +1,115 @@
+use anyhow::{Context, Result};
+use argh::FromArgs;
+use fully_pub::fully_pub;
+use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
+use log::info;
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "create",
+    description = "Create user in DB."
+)]
+struct CreateUserCommand {
+    /// aka login, username
+    #[argh(option)]
+    handle: String,
+
+    /// displayed name (eg. first name and last name)
+    #[argh(option)]
+    full_name: Option<String>,
+
+    /// use to identify and prove user identity
+    /// formated as specified in RFC 2821, RFC 3696
+    #[argh(option)]
+    email: String,
+
+    /// if true, create an invitation token
+    #[argh(switch)]
+    invite: bool
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "delete",
+    description = "Delete user in DB."
+)]
+struct DeleteUserCommand {
+    /// delete by user Uuid
+    #[argh(option)]
+    id: String
+}
+
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "list",
+    description = "List users in DB."
+)]
+struct ListUsersCommand {
+    /// how many users to return
+    #[argh(option)]
+    limit: Option<usize>,
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum UsersSubCommands {
+    Create(CreateUserCommand),
+    List(ListUsersCommand),
+    Delete(DeleteUserCommand),
+}
+
+#[fully_pub]
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(
+    subcommand, name = "users",
+    description = "Manage instance users."
+)]
+struct UsersCommand {
+    #[argh(subcommand)]
+    nested: UsersSubCommands,
+}
+
+
+pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
+    for user in get_users(&ctx.storage).await? {
+        println!(
+            "{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
+            user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
+        );
+    }
+    Ok(())
+}
+
+pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
+    let mut user = User::new(cmd.handle);
+    user.email = Some(cmd.email);
+    user.full_name = cmd.full_name;
+    if cmd.invite {
+        user.invite();
+        println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
+    }
+    let _res = kernel::actions::users::create_user(ctx, user).await?;
+    info!("Created user.");
+    if cmd.invite {
+        // TODO: Send invitation email
+        info!("Not sending invitation email.");
+    }
+    Ok(())
+}
+
+pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
+    todo!()
+}
+
+pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
+    match cmd.nested {
+        UsersSubCommands::List(sc) => list_users(sc, ctx).await,
+        UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
+        UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
+    }
+}
--- a/lib/admin_cli/src/main.rs
+++ b/lib/admin_cli/src/main.rs
@ -1,6 +1,49 @@
-use anyhow::Result;
+use argh::FromArgs;
+use anyhow::{Context, Result};
+use commands::users;
+use kernel::context::{get_kernel_context, StartKernelConfig};
+use log::info;

-fn main() -> Result<()> {
-    println!("Starting minauthator admin CLI");
-    Ok(())
+pub mod commands;
+
+#[derive(FromArgs, PartialEq, Debug)]
+#[argh(subcommand)]
+enum SubCommands {
+    Users(users::UsersCommand),
+}
+
+#[derive(FromArgs, PartialEq, Debug)]
+/// Minauthator admin top level
+struct AdminCliTopLevelCommand {
+    #[argh(subcommand)]
+    nested: SubCommands,
+
+    /// path to YAML config file to use to configure this instance
+    #[argh(option)]
+    config: Option<String>,
+
+    /// path to the Sqlite3 DB file to use
+    #[argh(option)]
+    database: Option<String>,
+
+    /// path to the static assets dir
+    #[argh(option)]
+    static_assets: Option<String>,
+}
+
+/// handle CLI arguments to run admin CLI
+#[tokio::main]
+pub async fn main() -> Result<()> {
+    info!("Starting minauth");
+    let command_input: AdminCliTopLevelCommand = argh::from_env();
+    let ctx = get_kernel_context(StartKernelConfig {
+        config_path: command_input.config.clone(),
+        database_path: command_input.database.clone()
+    }).await.context("Getting kernel context")?;
+
+    match command_input.nested {
+       SubCommands::Users(sc) => {
+            users::handle_command_tree(sc, ctx).await
+        }
+    }
 }
--- a/lib/http_server/Cargo.toml
+++ b/lib/http_server/Cargo.toml
@ -14,6 +14,7 @@ strum = { workspace = true }
 strum_macros = { workspace = true }

 anyhow = { workspace = true }
+thiserror = { workspace = true }
 fully_pub = { workspace = true }

 tokio = { workspace = true }
--- a/lib/http_server/src/controllers/api/mod.rs
+++ b/lib/http_server/src/controllers/api/mod.rs
@ -2,3 +2,4 @@ pub mod index;
 pub mod oauth2;
 pub mod read_user;
 pub mod openid;
+pub mod public_assets;
--- a/lib/http_server/src/controllers/api/public_assets.rs
+++ b/lib/http_server/src/controllers/api/public_assets.rs
@ -0,0 +1,27 @@
+use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
+use kernel::repositories::users::get_user_asset_by_id;
+
+use crate::AppState;
+
+pub async fn get_user_asset(
+    State(app_state): State<AppState>,
+    Path(asset_id): Path<String>
+) -> impl IntoResponse {
+    let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
+        Err(_) => {
+            return (
+                StatusCode::NOT_FOUND,
+                Html("Could not find user asset")
+            ).into_response();
+        },
+        Ok(ua) => ua
+    };
+
+    let mut hm = HeaderMap::new();
+    hm.insert(
+        header::CONTENT_TYPE,
+        HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
+    );
+    
+    (hm, user_asset.content).into_response()
+}
--- a/lib/http_server/src/controllers/ui/me.rs
+++ b/lib/http_server/src/controllers/ui/me.rs
@ -1,7 +1,8 @@
+use anyhow::Context;
 use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
 use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
 use fully_pub::fully_pub;
-use log::error;
+use log::{error, info};
 use minijinja::context;

 use crate::{
@ -9,7 +10,7 @@ use crate::{
    renderer::TemplateRenderer,
    AppState
 };
-use kernel::models::user::User;
+use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset};

 pub async fn me_page(
    State(app_state): State<AppState>,
@ -61,7 +62,7 @@ struct UserDetailsUpdateForm {
    website: String,

    #[form_data(limit = "5MiB")]
-    picture: FieldData<Bytes>
+    avatar: FieldData<Bytes>
 }


@ -73,17 +74,41 @@ pub async fn me_perform_update_details(
 ) -> impl IntoResponse {
    let template_path = "pages/me/details-form";

-    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
+    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+        .bind(&token_claims.sub)
+        .fetch_one(&app_state.db.0)
+        .await
+        .expect("To get user from claim");
+
+    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
        .bind(&token_claims.sub)
        .bind(details_update.handle)
        .bind(details_update.email)
        .bind(details_update.full_name)
        .bind(details_update.website)
-        .bind(details_update.picture.contents.to_vec())
        .execute(&app_state.db.0)
        .await;

-    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+    if !details_update.avatar.contents.is_empty() {
+        let user_asset = UserAsset::new(
+            &user,
+            details_update.avatar.contents.to_vec(),
+            details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
+            details_update.avatar.metadata.name
+        );
+        let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
+            .bind(&token_claims.sub)
+            .bind(user_asset.id.clone())
+            .execute(&app_state.db.0)
+            .await;
+        // TODO: handle possible error
+        let _ = create_user_asset(&app_state.db, user_asset)
+            .await
+            .context("Creating user avatar asset.");
+        info!("Uploaded new avatar as user asset");
+    }
+
+    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
        .bind(&token_claims.sub)
        .fetch_one(&app_state.db.0)
        .await
@ -95,7 +120,7 @@ pub async fn me_perform_update_details(
                template_path,
                context!(
                    success => true,
-                    user => user_res
+                    user => user
                )
            )
        },
@ -105,7 +130,7 @@ pub async fn me_perform_update_details(
                template_path,
                context!(
                    error => Some("Cannot update user details.".to_string()),
-                    user => user_res
+                    user => user
                )
            )
        }
--- a/lib/http_server/src/controllers/ui/register.rs
+++ b/lib/http_server/src/controllers/ui/register.rs
@ -46,7 +46,7 @@ pub async fn perform_register(
        email: Some(register.email),
        handle: register.handle,
        full_name: None,
-        picture: None,
+        avatar_asset_id: None,

        password_hash,
        status: UserStatus::Active,
--- a/lib/http_server/src/lib.rs
+++ b/lib/http_server/src/lib.rs
@ -7,7 +7,7 @@ pub mod token_claims;

 use fully_pub::fully_pub;
 use anyhow::{Result, Context};
-use kernel::{context::AppSecrets, models::config::Config, repositories::storage::Storage};
+use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
 use log::info;
 use minijinja::Environment;

@ -38,16 +38,14 @@ pub struct AppState {

 pub async fn start_http_server(
    server_config: ServerConfig,
-    config: Config,
-    secrets: AppSecrets,
-    db_pool: Storage
+    ctx: KernelContext
 ) -> Result<()> {
    // build state
    let state = AppState {
-        templating_env: build_templating_env(&config),
-        config,
-        secrets,
-        db: db_pool
+        templating_env: build_templating_env(&ctx.config),
+        config: ctx.config,
+        secrets: ctx.secrets,
+        db: ctx.storage
    };

    // build routes
--- a/lib/http_server/src/main.rs
+++ b/lib/http_server/src/main.rs
@ -32,7 +32,7 @@ struct ServerCliFlags {
 pub async fn main() -> Result<()> {
    info!("Starting minauth");
    let flags: ServerCliFlags = argh::from_env();
-    let (config, secrets, db_pool) = get_kernel_context(StartKernelConfig {
+    let kernel_context = get_kernel_context(StartKernelConfig {
        config_path: flags.config,
        database_path: flags.database
    }).await.context("Getting kernel context")?;
@ -42,8 +42,6 @@ pub async fn main() -> Result<()> {
            listen_host: flags.listen_host,
            listen_port: flags.listen_port
        },
-        config,
-        secrets,
-        db_pool
+        kernel_context
    ).await
 }
--- a/lib/http_server/src/router.rs
+++ b/lib/http_server/src/router.rs
@ -47,7 +47,8 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
    let api_user_routes = Router::new()
        .route("/api/user", get(api::read_user::read_user_basic))
        .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
-        .route("/api", get(api::index::get_index));
+        .route("/api", get(api::index::get_index))
+        .route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));

    let well_known_routes = Router::new()
        .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));
--- a/lib/http_server/src/templates/pages/me/details-form.html
+++ b/lib/http_server/src/templates/pages/me/details-form.html
@ -55,10 +55,9 @@
        />
    </div>
    <div class="mb-3">
-        <label for="picture">Profile picture</label>
-        <!-- for now, no JPEG -->
+        <label for="avatar">Profile picture</label>
        <input
-            id="picture" name="picture"
+            id="avatar" name="avatar"
            type="file"
            accept="image/gif, image/png, image/jpeg"
            class="form-control"
--- a/lib/http_server/src/templates/pages/me/index.html
+++ b/lib/http_server/src/templates/pages/me/index.html
@ -5,9 +5,12 @@
 <a href="/me/details-form">Update details.</a>
 <a href="/me/authorizations">Manage authorizations.</a>

-<p>
-{% if user.picture %}
-    <img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
+{% if user.avatar_asset_id %}
+<div class="my-3">
+    <img
+        src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
+        style="width: 150px; height: 150px; object-fit: contain">
+</div>
 {% endif %}
 <ul>
    <li>
--- a/lib/kernel/Cargo.toml
+++ b/lib/kernel/Cargo.toml
@ -5,9 +5,10 @@ edition = "2021"
 [dependencies]
 utils = { path = "../utils" }

+anyhow = { workspace = true }
+thiserror = { workspace = true }
 log = { workspace = true }
 env_logger = { workspace = true }
-anyhow = { workspace = true }
 fully_pub = { workspace = true }
 strum = { workspace = true }
 strum_macros = { workspace = true }
@ -17,6 +18,8 @@ chrono = { workspace = true }
 toml = { workspace = true }
 sqlx = { workspace = true }
 dotenvy = { workspace = true }
+sha2 = { workspace = true }
+hex-literal = { workspace = true }

 uuid = { workspace = true }
 url = { workspace = true }
--- a/lib/kernel/src/actions/mod.rs
+++ b/lib/kernel/src/actions/mod.rs
@ -0,0 +1 @@
+pub mod users;
--- a/lib/kernel/src/actions/user.rs
+++ b/lib/kernel/src/actions/user.rs
--- a/lib/kernel/src/actions/users.rs
+++ b/lib/kernel/src/actions/users.rs
@ -0,0 +1,44 @@
+use crate::{context::KernelContext, models::user::User};
+
+use anyhow::{Context, Result};
+use chrono::SecondsFormat;
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum CreateUserErr {
+    #[error("Handle or email for user is already used.")]
+    HandleOrEmailNotUnique,
+
+    #[error("Database error.")]
+    DatabaseErr(String)
+}
+
+pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
+    let res = sqlx::query("
+        INSERT INTO users
+            (id, handle, email, status, roles, password_hash, reset_password_token, created_at)
+            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
+        ")
+        .bind(user.id)
+        .bind(user.handle)
+        .bind(user.email)
+        .bind(user.status.to_string())
+        .bind(user.roles)
+        .bind(user.password_hash)
+        .bind(user.reset_password_token)
+        .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
+        .execute(&ctx.storage.0)
+        .await;
+    match res {
+        Err(err) => {
+            let db_err = &err.as_database_error().unwrap();
+            if db_err.code().unwrap() == "2067" {
+                Err(CreateUserErr::HandleOrEmailNotUnique)
+            } else {
+                dbg!(&err);
+                Err(CreateUserErr::DatabaseErr(db_err.to_string()))
+            }
+        }
+        Ok(_) => Ok(())
+    }
+}
--- a/lib/kernel/src/consts.rs
+++ b/lib/kernel/src/consts.rs
@ -1,4 +1,4 @@
 pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
 pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
-pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";
+pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";

--- a/lib/kernel/src/context.rs
+++ b/lib/kernel/src/context.rs
@ -29,7 +29,15 @@ struct AppSecrets {
    jwt_secret: String
 }

-pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<(Config, AppSecrets, Storage)> {
+#[derive(Debug, Clone)]
+#[fully_pub]
+struct KernelContext {
+    config: Config,
+    secrets: AppSecrets,
+    storage: Storage
+}
+
+pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
    env_logger::init();
    let _ = dotenvy::dotenv();

@ -42,10 +50,15 @@ pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<(Conf
    let config: Config = get_config(config_path)
        .expect("Cannot get config.");

-    dotenvy::dotenv().context("loading .env")?;
+    let _ = dotenvy::dotenv();
    let secrets = AppSecrets {
-        jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
+        jwt_secret: env::var("APP_JWT_SECRET")
+            .context("Expected APP_JWT_SECRET environment variable to exists.")?
    };

-    Ok((config, secrets, storage))
+    Ok(KernelContext {
+        config,
+        secrets,
+        storage
+    })
 }
--- a/lib/kernel/src/models/mod.rs
+++ b/lib/kernel/src/models/mod.rs
@ -1,3 +1,4 @@
 pub mod config;
 pub mod user;
+pub mod user_asset;
 pub mod authorization;
--- a/lib/kernel/src/models/user.rs
+++ b/lib/kernel/src/models/user.rs
@ -2,6 +2,8 @@ use fully_pub::fully_pub;
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
 use sqlx::types::Json;
+use utils::get_random_human_token;
+use uuid::Uuid;

 #[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
 #[derive(strum_macros::Display)]
@ -21,7 +23,7 @@ struct User {
    full_name: Option<String>,
    email: Option<String>,
    website: Option<String>,
-    picture: Option<Vec<u8>>, // embeded blob to store profile pic
+    avatar_asset_id: Option<String>,
    password_hash: Option<String>, // argon2 password hash
    status: UserStatus,
    roles: Json<Vec<String>>,
@ -30,3 +32,30 @@ struct User {
    last_login_at: Option<DateTime<Utc>>,
    created_at: DateTime<Utc>
 }
+
+impl User {
+    pub fn new(
+        handle: String
+    ) -> User {
+        User {
+            id: Uuid::new_v4().to_string(),
+            handle,
+            full_name: None,
+            email: None,
+            website: None,
+            avatar_asset_id: None,
+            password_hash: None,
+            status: UserStatus::Disabled,
+            roles: Json(Vec::new()),
+            reset_password_token: None,
+            last_login_at: None,
+            created_at: Utc::now()
+        }
+    }
+
+    pub fn invite(self: &mut Self) {
+        self.reset_password_token = Some(get_random_human_token());
+        self.status = UserStatus::Invited;
+    }
+
+}
--- a/lib/kernel/src/models/user_asset.rs
+++ b/lib/kernel/src/models/user_asset.rs
@ -0,0 +1,41 @@
+use fully_pub::fully_pub;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+use sha2::{Sha256, Digest};
+
+use super::user::User;
+
+
+#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
+#[fully_pub]
+struct UserAsset {
+    /// uuid
+    id: String,
+    user_id: String,
+    mime_type: String,
+    fingerprint: String,
+    name: Option<String>,
+    content: Vec<u8>,
+    created_at: DateTime<Utc>
+}
+
+impl UserAsset {
+    pub fn new(
+        user: &User,
+        content: Vec<u8>,
+        mime_type: String,
+        name: Option<String>
+    ) -> UserAsset {
+        let digest = Sha256::digest(&content);
+        UserAsset {
+            id: Uuid::new_v4().to_string(),
+            user_id: user.id.clone(),
+            fingerprint: format!("{:x}", digest),
+            mime_type,
+            content,
+            name,
+            created_at: Utc::now()
+        }
+    }
+}
--- a/lib/kernel/src/repositories/users.rs
+++ b/lib/kernel/src/repositories/users.rs
@ -1,14 +1,48 @@
 // user repositories

-use crate::models::user::User;
+use crate::models::{user::User, user_asset::UserAsset};

 use super::storage::Storage;
 use anyhow::{Result, Context};

-async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
+pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
    sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
        .bind(user_id)
        .fetch_one(&storage.0)
        .await
-        .context("To get user from claim")
+        .context("To get user by id.")
 }
+
+pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
+    sqlx::query_as::<_, User>("SELECT * FROM users")
+        .fetch_all(&storage.0)
+        .await
+        .context("To get users.")
+}
+
+pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
+    sqlx::query("INSERT INTO user_assets
+        (id, user_id, mime_type, fingerprint, content, created_at)
+        VALUES ($1, $2, $3, $4, $5, $6)
+    ")
+        .bind(&asset.id)
+        .bind(&asset.user_id)
+        .bind(&asset.mime_type)
+        .bind(&asset.fingerprint)
+        .bind(&asset.content)
+        .bind(&asset.created_at)
+        .execute(&storage.0)
+        .await
+        .context("While inserting user asset.")?;
+            // .bind(details_update.avatar.contents.to_vec())
+    Ok(())
+}
+
+pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
+    sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
+        .bind(id)
+        .fetch_one(&storage.0)
+        .await
+        .context("To get user asset by id.")
+}
+
--- a/lib/utils/src/lib.rs
+++ b/lib/utils/src/lib.rs
@ -43,6 +43,18 @@ pub fn get_random_alphanumerical(length: usize) -> String {
        .collect()
 }

+/// Generate easy to type token
+pub fn get_random_human_token() -> String {
+    return format!(
+        "{}-{}-{}-{}-{}",
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4),
+        get_random_alphanumerical(4)
+    ).to_uppercase();
+}
+
 pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
    let header_val_components: Vec<&str> = header_value.split(" ").collect();
    let encoded_header_value: &str = header_val_components
--- a/migrations/all.sql
+++ b/migrations/all.sql
@ -5,8 +5,8 @@ CREATE TABLE users (
    full_name            TEXT,
    email                TEXT UNIQUE,
    website              TEXT,
-    picture              BLOB,
    roles                TEXT NOT NULL, -- json array of user roles
+    avatar_asset_id      TEXT,

    status               TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
    password_hash        TEXT,
@ -15,6 +15,17 @@ CREATE TABLE users (
    created_at           DATETIME NOT NULL
 );

+DROP TABLE IF EXISTS user_assets;
+CREATE TABLE user_assets (
+    id                   TEXT PRIMARY KEY,
+    user_id              TEXT NOT NULL,
+    mime_type            TEXT NOT NULL,
+    fingerprint          TEXT NOT NULL,
+    name                 TEXT, -- file name
+    content              BLOB NOT NULL,
+    created_at           DATETIME NOT NULL
+);
+
 DROP TABLE IF EXISTS authorizations;
 CREATE TABLE authorizations (
    id                  TEXT PRIMARY KEY,
Author	SHA1	Message	Date
Matthieu Bessat	1b21ee1573	Merge branch 'feat_user_avatar_public_asset'	2024-12-07 18:20:04 +01:00
Matthieu Bessat	07fff532f7	feat: user avatar as public asset	2024-12-05 23:08:39 +01:00
Matthieu Bessat	f98a102854	docs: update README	2024-12-04 19:55:26 +01:00
Matthieu Bessat	91530d13ab	docs: update README	2024-12-04 19:52:59 +01:00
Matthieu Bessat	23f12904cc	build(docker): add Dockerfile	2024-12-03 23:58:26 +01:00
Matthieu Bessat	0243535469	docs: update TODO	2024-12-03 19:20:03 +01:00
Matthieu Bessat	a0de3b287b	feat(admin): create and list users commands	2024-12-03 19:16:09 +01:00