WIP: user groups

.dockerignore

@@ -1,7 +0,0 @@
-target
-.env
-tmp
-Dockerfile
-.dockerignore
-justfile
-config.toml

Cargo.toml

@@ -1,36 +1,31 @@
-# cargo-features = ["codegen-backend"]
+cargo-features = ["codegen-backend"]
 
-# [profile.dev]
+[profile.dev]
-# codegen-backend = "cranelift"
+codegen-backend = "cranelift"
-# # END OF
 
-[workspace]
+[package]
-resolver = "2"
+name = "minauthator"
-members = [
+description = "Identity provider and OAuth2 server for an small-scale organization."
-    "lib/kernel",
+version = "0.1.0"
-    "lib/utils",
+edition = "2021"
-    "lib/http_server",
-    "lib/admin_cli"
-]
 
-[workspace.dependencies]
+[dependencies]
 # commons utils
 anyhow = "1.0"
-thiserror = "2"
 fully_pub = "0.1"
+argon2 = "0.5"
 strum = "0.26.3"
 strum_macros = "0.26"
 uuid = { version = "1.8", features = ["serde", "v4"] }
 dotenvy = "0.15.7"
+base64 = "0.22.1"
+rand = "0.8.5"
+rand_core = { version = "0.6.4", features = ["std"] }
 url = "2.5.3"
-sha2 = "0.10"
+argh = "0.1" # for CLI
-hex-literal = "0.4"
-
-# CLI
-argh = "0.1"
 
 # Async
-tokio = { version = "1.40.0", features = ["rt-multi-thread", "macros"] }
+tokio = { version = "1.40.0", features = ["rt-multi-thread"] }
 
 # Logging
 log = "0.4"
@@ -39,6 +34,7 @@ env_logger = "0.11"
 # Serialization
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
+serde_urlencoded = "0.7.1"
 toml = "0.8"
 
 chrono = { version = "0.4", features = ["serde"] }
@@ -47,6 +43,21 @@ chrono = { version = "0.4", features = ["serde"] }
 sqlx = { version = "0.7.4", features = ["sqlite", "runtime-tokio", "chrono", "uuid"] }
 redis = { version = "0.27.3", default-features = false, features = ["acl"] }
 
+# Web
+axum = { version = "0.7.7", features = ["json", "multipart"] }
+axum-extra = { version = "0.9.4", features = ["cookie"] }
+axum-template = { version = "2.4.0", features = ["minijinja"] }
+axum_typed_multipart = "0.13.1"
+minijinja = { version = "2.1", features = ["builtins"] }
+# to make work the static assets server
+tower-http = { version = "0.6.1", features = ["fs"] }
+
 # Auth utils
 totp-rs = "5.6"
+minijinja-embed = "2.3.1"
+axum-macros = "0.4.2"
+jsonwebtoken = "9.3.0"
+time = "0.3.36"
 
+[build-dependencies]
+minijinja-embed = "2.3.1"

Dockerfile

@@ -1,37 +0,0 @@
-FROM rust:1.83-alpine3.20 AS builder
-
-WORKDIR /usr/src/minauthator
-COPY . .
-
-RUN apk add musl-dev
-
-RUN cargo install --bin minauthator-admin --locked --path lib/admin_cli
-RUN cargo install --bin minauthator-server --locked --path lib/http_server
-
-FROM alpine:3.20 AS base
-
-RUN apk add sqlite
-COPY --from=builder /usr/local/cargo/bin/minauthator-server /usr/local/bin/minauthator-server
-COPY --from=builder /usr/local/cargo/bin/minauthator-admin /usr/local/bin/minauthator-admin
-RUN mkdir -p \
-    /usr/local/src/minauthator/migrations \
-    /usr/local/lib/minauthator/assets \
-    /var/lib/minauthator \
-    /etc/minauthator
-COPY --from=builder /usr/src/minauthator/migrations/all.sql /usr/local/src/minauthator/migrations
-COPY --from=builder /usr/src/minauthator/init_db.sh /usr/local/bin/minauthator_init_db.sh
-COPY --from=builder /usr/src/minauthator/assets /usr/local/lib/minauthator/assets
-
-RUN addgroup -g 1000 app && \
-    adduser -S -u 1000 -G app -s /bin/sh app && \
-    chown -R app:app /var/lib/minauthator && \
-    chmod -R u=rwx,g=rwx,o= /var/lib/minauthator
-
-USER app:app
-ENV RUST_LOG=info
-ENV RUST_BACKTRACE=1
-ENV APP_JWT_SECRET="DummyAppSecret20241029"
-
-CMD ["minauthator-server", "--listen-host", "0.0.0.0", "--listen-port", "8080"]
-
-

README.md

@@ -1,45 +1,24 @@
 # Minauthator
 
-Minauthator is an identity provider server supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
+Minauthator is an identity provider supporting [OpenID Connect (OIDC)](https://en.wikipedia.org/wiki/OpenID_Connect).
 
-This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software (FOSS).
+This project aims to allow an organization to setup [single sign-on (SSO)](https://en.wikipedia.org/wiki/Single_sign-on) using a self-hosted free software.
-
-This project also aims to provide features while being frugal and minimalist.
 
 **Project status: *early development, work-in-progress***
 
 ## Features
 
-- [x] Login
+- Login
-- [x] Register
+- Register
-- [x] OpenID Connect & OAuth 2.0
+- OpenID Connect & OAuth 2.0
-- [x] Activation token
+- Activation token
-- [x] Profile details
+- Profile details
-- [x] Static apps
+- Static apps
-- [x] Admin CLI to manage user.
+- User roles
-- [x] User invitation with human token
+- MFA/TOTP
-- [ ] User roles
+- Email notifications
-- [ ] User groups
+- Login page customization
-- [ ] MFA/TOTP
+- App carousel (App presentation to users)
-- [ ] Email notifications
-- [ ] Login page customization
-- [x] App listing (App presentation to users)
-- [x] Implicit OAuth 2.0 flow
-- [ ] Email verification
-- [ ] GPG keys verification and signing
-- [ ] Docker deployment
-- [ ] Full user panel & user privacy control
-
-## Architecture
-
-- Sqlite DB
-- Kernel
-- Http server
-    - Public API
-    - User API
-    - Third-party OAuth2 app/client API
-    - Web GUI (no Javascript)
-- Admin CLI
 
 ## Deps
 
@@ -49,4 +28,4 @@ This project also aims to provide features while being frugal and minimalist.
 
 - [Authentik](https://goauthentik.io/)
 - [Keycloak](https://www.keycloak.org/)
-- [Kanidm](https://kanidm.com/)
+

TODO.md

@@ -1,23 +1,5 @@
 # TODO
 
-- [ ] i18n strings in the http website.
-
-- [ ] Instance customization support
-
-- [ ] Public endpoint to get user avatar by id
-- [ ] Rework avatar upload to limit size and process the image?
-
-- Authorize form
-    - [ ] Show details about permissions
-    - [ ] Show app logo
-
-- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
-
-- [ ] feat(perms): add groups and roles
-
-- [ ] UserWebGUI: add TOTP
-- [ ] send emails to users
-
 - [x] Login form
 - [x] Register form
 - [x] Redirect to login form if unauthenticated
@@ -31,12 +13,20 @@
 - [x] Support OpenID to use with demo client [oauth2c](https://github.com/cloudentity/oauth2c)
     - .well-known/openid-configuration
 
-- [x] architecture refactor
-- [x] AdminCLI: init
-- [x] AdminCLI: list users
-- [x] AdminCLI: create and invite user
 
-- [x] UserWebGUI: Invitation
+- [ ] i18n strings in the http website.
+
+- [ ] App config
+    - Add app logo (URI?)
+
+- [ ] Public endpoint to get user avatar by id
+- [ ] Rework avatar upload to limit size and process the image?
+
+- [ ] Authorize form
+    - Show details about permissions
+    - Show app logo
+
+- [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
 
 - [x] UserWebGUI: Redirect to login when JWT expire
 - [x] UserWebGUI: Show user authorizations.
@@ -47,6 +37,20 @@
 
 - [x] UserWebGUI: activate account with token
 
-- [X] basic docker setup
+- [x] feat: add groups and roles models
-- [ ] make `docker stop` working (handle SIGTERM/SIGINT)
+
-- [ ] implement docker secrets. https://docs.docker.com/engine/swarm/secrets/
+- [ ] UserWebGUI: add TOTP
+- [ ] send emails to users
+
+- Architecture: do we have an admin API?
+
+- [ ] AdminCLI: init
+- [ ] AdminWebGUI: List users
+- [ ] AdminWebGUI: Assign groups to users
+- [ ] AdminWebGUI: Create invitation
+
+# Minimal flow
+
+- [ ] Invite user from command line bash script that will edit sqlite
+- [ ] Activation UI
+- [ ] Send email

admin.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/sh
-
-cargo run -q --bin minauthator-admin -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets $@

config.toml

@@ -48,9 +48,28 @@ slug = "basic"
 name = "Basic"
 description = "Basic user"
 default = true
+permissions = []
 
 [[roles]]
 slug = "admin"
 name = "Administrator"
 description = "Full power on organization instance"
+permissions = [
+    "InviteUser", # creation of user
+    "ListUsers",
+    "EnableUser",
+    "DisableUser",
+    "AssignUserGroups"
+]
 
+# [[groups]]
+# slug = "ca_member"
+# name = "G1"
+# description = "Lorem ipsum"
+# roles = []
+
+# [[groups]]
+# slug = "bureau"
+# name = "G2"
+# description = "Lorem ipseum"
+# roles = ["admin"]

docs/draft.md

@@ -4,50 +4,27 @@ https://datatracker.ietf.org/doc/html/rfc6749
 
 https://stackoverflow.com/questions/79118231/how-to-access-the-axum-request-path-in-a-minijinja-template
 
-## Oauth2 test
+# Need for groups and roles
 
--> authorize
+There is two kinds of role
 
-# User flow
+- Role that will be used interllay to the tapp
+- Roles that will be used exteranlly on oauth2 clients.
 
-## Invitation flow
+- For now we only have roles and not groups
 
-- Create invite
+## Groups feature
-    - generate A random
-    - user.reset_password_token = A
-    - user.status = "Invited"
-    - Send email with link to https://instance/reset-password?token=A&reason=invitation
-- GET /reset-password?token=A&reason=invitation
-    - verification of token
-    - show form
-- POST /reset-password
-    - BODY: with params token
-    - check token validity
-    - set new password hash
-    - if user.status == "invited"
-        - enable new account (user.status = "active")
-        - send welcome email
-    - redirect to login page with a message
-        - we need to redirect to the login page, so the user remember how to login later, and can
-        verify the setup of his/her password manager.
 
-We can instead send link to https://instance/invitation?token=A
+Group will be later used to combine multiple roles.
 
-## Reset password flow
+# [[groups]]
+# slug = "ca_member"
+# name = "G1"
+# description = "Lorem ipsum"
+# roles = []
 
-- Reset password request
+# [[groups]]
-    - generate A random
+# slug = "bureau"
-    - user.reset_password_token = A
+# name = "G2"
-    - Send email with link to https://instance/reset-password?token=A&reason=lost_password
+# description = "Lorem ipseum"
-- GET /reset-password?token=A&reason=lost_password
+# roles = ["admin"]
-    - verification of token
-    - show form
-- POST /reset-password
-    - BODY: with params token
-    - check token validity
-    - set new password hash
-    - redirect to login page with a message
-        - we need to redirect to the login page, so the user remember how to login later, and can
-        verify the setup of his/her password manager.
-
-We can instead send link to https://instance/reset-password?token=A

http_integration_tests/authorize.sh

@@ -6,7 +6,7 @@ curl -v http://localhost:8085/authorize \
     --cookie "tmp/.curl-cookies" \
     -d client_id="a1785786-8be1-443c-9a6f-35feed703609" \
     -d response_type="code" \
-    -d redirect_uri="http://localhost:9090/callback" \
+    -d redirect_uri="http://localhost:9090/authorize" \
     -d scope="user_read_basic" \
     -d state="qxYAfk4kf6pbZkms78jM"
 

init_db.sh

@@ -1,10 +0,0 @@
-#!/bin/sh
-
-DEFAULT_DB_PATH="/var/lib/minauthator/minauthator.db"
-DEFAULT_MIGRATION_PATH="/usr/local/src/minauthator/migrations/all.sql"
-
-DB_PATH="${DB_PATH:-$DEFAULT_DB_PATH}"
-MIGRATION_PATH="${MIGRATION_PATH:-$DEFAULT_MIGRATION_PATH}"
-
-sqlite3 $DB_PATH < $MIGRATION_PATH
-

justfile

@@ -1,32 +1,20 @@
 export RUST_BACKTRACE := "1"
 export RUST_LOG := "trace"
-export CONTEXT_ARGS := "--config config.toml --database tmp/dbs/minauthator.db --static-assets ./assets"
 
-watch-server:
+watch-run:
-    cargo-watch -x "run --bin minauthator-server -- $CONTEXT_ARGS"
+    cargo-watch -x 'run -- --config ./config.toml --database ./tmp/dbs/minauthator.db --static-assets ./assets'
 
-server:
+run:
-    cargo run --bin minauthator-server -- $CONTEXT_ARGS
+    cargo run -- --database ./tmp/dbs/minauthator.db --config ./config.toml --static-assets ./assets
-
-admin:
-    cargo run --bin minauthator-admin -- $CONTEXT_ARGS
-
-docker-build:
-    docker build -t lefuturiste/minauthator .
-
-docker-init-db:
-    docker run \
-        -v ./tmp/docker/config:/etc/minauthator \
-        -v minauthator-db:/var/lib/minauthator \
-        lefuturiste/minauthator \
-        /usr/local/bin/minauthator_init_db.sh
 
 docker-run:
-    docker run \
+    docker run -p 3085:8080 -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator
-        -p 127.0.0.1:3085:8080 \
+
-        -v ./tmp/docker/config:/etc/minauthator \
+docker-init-db:
-        -v minauthator-db:/var/lib/minauthator \
+    docker run -v ./tmp/docker/config:/etc/minauthator -v ./tmp/docker/db:/var/lib/minauthator minauthator /usr/local/bin/minauthator_init_db.sh
-        lefuturiste/minauthator
+
+docker-build:
+    docker build -t minauthator .
 
 init-db:
     sqlite3 -echo tmp/dbs/minauthator.db < migrations/all.sql

lib/admin_cli/Cargo.toml

@@ -1,18 +0,0 @@
-[package]
-name = "admin_cli"
-edition = "2021"
-
-[[bin]]
-name = "minauthator-admin"
-path = "src/main.rs"
-
-[dependencies]
-anyhow = { workspace = true }
-thiserror = { workspace = true }
-fully_pub = { workspace = true }
-argh = { workspace = true }
-tokio = { workspace = true }
-log = { workspace = true }
-env_logger = { workspace = true }
-
-kernel = { path = "../kernel" }

lib/admin_cli/src/commands/mod.rs

@@ -1 +0,0 @@
-pub mod users;

lib/admin_cli/src/commands/users.rs

@@ -1,115 +0,0 @@
-use anyhow::{Context, Result};
-use argh::FromArgs;
-use fully_pub::fully_pub;
-use kernel::{context::KernelContext, models::user::User, repositories::users::get_users};
-use log::info;
-
-#[fully_pub]
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(
-    subcommand, name = "create",
-    description = "Create user in DB."
-)]
-struct CreateUserCommand {
-    /// aka login, username
-    #[argh(option)]
-    handle: String,
-
-    /// displayed name (eg. first name and last name)
-    #[argh(option)]
-    full_name: Option<String>,
-
-    /// use to identify and prove user identity
-    /// formated as specified in RFC 2821, RFC 3696
-    #[argh(option)]
-    email: String,
-
-    /// if true, create an invitation token
-    #[argh(switch)]
-    invite: bool
-}
-
-#[fully_pub]
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(
-    subcommand, name = "delete",
-    description = "Delete user in DB."
-)]
-struct DeleteUserCommand {
-    /// delete by user Uuid
-    #[argh(option)]
-    id: String
-}
-
-
-#[fully_pub]
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(
-    subcommand, name = "list",
-    description = "List users in DB."
-)]
-struct ListUsersCommand {
-    /// how many users to return
-    #[argh(option)]
-    limit: Option<usize>,
-}
-
-#[fully_pub]
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(subcommand)]
-enum UsersSubCommands {
-    Create(CreateUserCommand),
-    List(ListUsersCommand),
-    Delete(DeleteUserCommand),
-}
-
-#[fully_pub]
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(
-    subcommand, name = "users",
-    description = "Manage instance users."
-)]
-struct UsersCommand {
-    #[argh(subcommand)]
-    nested: UsersSubCommands,
-}
-
-
-pub async fn list_users(cmd: ListUsersCommand, ctx: KernelContext) -> Result<()> {
-    for user in get_users(&ctx.storage).await? {
-        println!(
-            "{0: <36} | [{1:<8}] | {2: <15} | {3: <25}",
-            user.id, user.status, user.handle, user.email.unwrap_or("()".to_string())
-        );
-    }
-    Ok(())
-}
-
-pub async fn create_user(cmd: CreateUserCommand, ctx: KernelContext) -> Result<()> {
-    let mut user = User::new(cmd.handle);
-    user.email = Some(cmd.email);
-    user.full_name = cmd.full_name;
-    if cmd.invite {
-        user.invite();
-        println!("Generated invite code: {}", user.reset_password_token.as_ref().unwrap());
-    }
-    let _res = kernel::actions::users::create_user(ctx, user).await?;
-    info!("Created user.");
-    if cmd.invite {
-        // TODO: Send invitation email
-        info!("Not sending invitation email.");
-    }
-    Ok(())
-}
-
-pub async fn delete_user(cmd: DeleteUserCommand, ctx: KernelContext) -> Result<()> {
-    todo!()
-}
-
-pub async fn handle_command_tree(cmd: UsersCommand, ctx: KernelContext) -> Result<()> {
-    match cmd.nested {
-        UsersSubCommands::List(sc) => list_users(sc, ctx).await,
-        UsersSubCommands::Create(sc) => create_user(sc, ctx).await,
-        UsersSubCommands::Delete(sc) => delete_user(sc, ctx).await
-    }
-}

lib/admin_cli/src/main.rs

@@ -1,49 +0,0 @@
-use argh::FromArgs;
-use anyhow::{Context, Result};
-use commands::users;
-use kernel::context::{get_kernel_context, StartKernelConfig};
-use log::info;
-
-pub mod commands;
-
-#[derive(FromArgs, PartialEq, Debug)]
-#[argh(subcommand)]
-enum SubCommands {
-    Users(users::UsersCommand),
-}
-
-#[derive(FromArgs, PartialEq, Debug)]
-/// Minauthator admin top level
-struct AdminCliTopLevelCommand {
-    #[argh(subcommand)]
-    nested: SubCommands,
-
-    /// path to YAML config file to use to configure this instance
-    #[argh(option)]
-    config: Option<String>,
-
-    /// path to the Sqlite3 DB file to use
-    #[argh(option)]
-    database: Option<String>,
-
-    /// path to the static assets dir
-    #[argh(option)]
-    static_assets: Option<String>,
-}
-
-/// handle CLI arguments to run admin CLI
-#[tokio::main]
-pub async fn main() -> Result<()> {
-    info!("Starting minauth");
-    let command_input: AdminCliTopLevelCommand = argh::from_env();
-    let ctx = get_kernel_context(StartKernelConfig {
-        config_path: command_input.config.clone(),
-        database_path: command_input.database.clone()
-    }).await.context("Getting kernel context")?;
-
-    match command_input.nested {
-       SubCommands::Users(sc) => {
-            users::handle_command_tree(sc, ctx).await
-        }
-    }
-}

lib/http_server/Cargo.toml

@@ -1,52 +0,0 @@
-[package]
-name = "http_server"
-edition = "2021"
-
-[dependencies]
-kernel = { path = "../kernel" }
-utils = { path = "../utils" }
-
-# common
-log = { workspace = true }
-env_logger = { workspace = true }
-
-strum = { workspace = true }
-strum_macros = { workspace = true }
-
-anyhow = { workspace = true }
-thiserror = { workspace = true }
-fully_pub = { workspace = true }
-
-tokio = { workspace = true }
-
-# Web
-axum = { version = "0.7.7", features = ["json", "multipart"] }
-axum-extra = { version = "0.9.4", features = ["cookie"] }
-axum-template = { version = "2.4.0", features = ["minijinja"] }
-axum_typed_multipart = "0.13.1"
-minijinja = { version = "2.1", features = ["builtins"] }
-# to make work the static assets server
-tower-http = { version = "0.6.1", features = ["fs"] }
-
-minijinja-embed = "2.3.1"
-axum-macros = "0.4.2"
-jsonwebtoken = "9.3.0"
-time = "0.3.36"
-
-serde = { workspace = true }
-serde_json = { workspace = true }
-serde_urlencoded = "0.7.1"
-chrono = { workspace = true }
-
-argh = { workspace = true }
-
-sqlx = { workspace = true }
-uuid = { workspace = true }
-url = { workspace = true }
-
-[build-dependencies]
-minijinja-embed = "2.3.1"
-
-[[bin]]
-name = "minauthator-server"
-path = "src/main.rs"

lib/http_server/src/controllers/api/index.rs

@@ -1,14 +0,0 @@
-use axum::{extract::State, response::IntoResponse, Json};
-use serde_json::json;
-
-use crate::AppState;
-
-pub async fn get_index(
-    State(app_state): State<AppState>,
-) -> impl IntoResponse {
-    Json(json!({
-        "software": "Minauthator",
-        "name": app_state.config.instance.name,
-        "base_uri": app_state.config.instance.base_uri
-    }))
-}

lib/http_server/src/controllers/api/public_assets.rs

@@ -1,27 +0,0 @@
-use axum::{extract::{Path, State}, http::{header, HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse}};
-use kernel::repositories::users::get_user_asset_by_id;
-
-use crate::AppState;
-
-pub async fn get_user_asset(
-    State(app_state): State<AppState>,
-    Path(asset_id): Path<String>
-) -> impl IntoResponse {
-    let user_asset = match get_user_asset_by_id(&app_state.db, &asset_id).await {
-        Err(_) => {
-            return (
-                StatusCode::NOT_FOUND,
-                Html("Could not find user asset")
-            ).into_response();
-        },
-        Ok(ua) => ua
-    };
-
-    let mut hm = HeaderMap::new();
-    hm.insert(
-        header::CONTENT_TYPE,
-        HeaderValue::from_str(&user_asset.mime_type).expect("Constructing header value.")
-    );
-    
-    (hm, user_asset.content).into_response()
-}

lib/http_server/src/controllers/ui/reset_password.rs

@@ -1,139 +0,0 @@
-use axum::{extract::{MatchedPath, Query, State}, http::StatusCode, response::{Html, IntoResponse, Redirect}, Extension, Form};
-use log::{error, info};
-use serde::{Deserialize, Serialize};
-use minijinja::context;
-use fully_pub::fully_pub;
-
-use crate::{renderer::TemplateRenderer, AppState};
-
-use kernel::models::user::{User, UserStatus};
-use utils::get_password_hash;
-
-#[derive(Debug, Deserialize, Serialize)]
-#[fully_pub]
-enum ResetPasswordReason {
-    LostPassword,
-    Invitation
-}
-
-#[derive(Debug, Deserialize, Serialize)]
-#[fully_pub]
-struct ResetPasswordQueryParams {
-    token: String
-}
-
-pub async fn reset_password_form(
-    State(app_state): State<AppState>,
-    path: MatchedPath,
-    Extension(renderer): Extension<TemplateRenderer>,
-    Query(query_params): Query<ResetPasswordQueryParams>
-) -> impl IntoResponse {
-    let reason: ResetPasswordReason = match path.as_str() {
-        "/invitation" => ResetPasswordReason::Invitation,
-        "/reset-password" => ResetPasswordReason::LostPassword,
-        _ => unreachable!()
-    };
-    // 1. Verify token
-    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
-        .bind(&query_params.token)
-        .fetch_one(&app_state.db.0)
-        .await;
-    let _user = match user_res {
-        Ok(u) => u,
-        Err(sqlx::Error::RowNotFound) => {
-            return (
-                StatusCode::BAD_REQUEST,
-                Html("Invalid reset password token.")
-            ).into_response();
-        },
-        Err(err) => {
-            error!("Failed to retreive user from reset password token. {}", err);
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Html("Internal server error: Failed to retreive user.")
-            ).into_response();
-        }
-    };
-    renderer.render(
-        "pages/reset_password",
-        context!(
-            reason => reason,
-            token => query_params.token,
-        )
-    ).into_response()
-}
-
-
-#[derive(Debug, Deserialize)]
-#[fully_pub]
-struct ResetPasswordForm {
-    token: String,
-    password: String,
-    password_confirmation: String
-}
-
-pub async fn perform_reset_password(
-    State(app_state): State<AppState>,
-    Form(reset_form): Form<ResetPasswordForm>
-) -> impl IntoResponse {
-    // 1. Verify token
-    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE reset_password_token = $1")
-        .bind(&reset_form.token)
-        .fetch_one(&app_state.db.0)
-        .await;
-    let user = match user_res {
-        Ok(u) => u,
-        Err(sqlx::Error::RowNotFound) => {
-            return (
-                StatusCode::BAD_REQUEST,
-                Html("Invalid reset password token.")
-            ).into_response();
-        },
-        Err(err) => {
-            error!("Failed to retreive user from reset password token. {}", err);
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Html("Internal server error: Failed to retreive user.")
-            ).into_response();
-        }
-    };
-    if reset_form.password != reset_form.password_confirmation {
-        return (
-            StatusCode::BAD_REQUEST,
-            Html("Form data error: The two passwords are differents.")
-        ).into_response();
-    }
-
-    let password_hash = Some(
-        get_password_hash(reset_form.password)
-            .expect("To process password").1
-    );
-    if user.status == UserStatus::Invited {
-        info!("The password of an Invited user was set: activation of user account");
-        // TODO: send welcome email
-    }
-    let res = sqlx::query("UPDATE users
-            SET password_hash = $2, status = $3, reset_password_token = NULL
-            WHERE id = $1
-        ")
-        .bind(user.id)
-        .bind(password_hash)
-        .bind(UserStatus::Active)
-        .execute(&app_state.db.0)
-        .await;
-    match res {
-        Err(err) => {
-            error!("Cannot update user: {}", err);
-            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
-                Html("Internal server error: Failed to update user.")
-            ).into_response();
-        },
-        Ok(_v) => {
-            info!("Changed user's password successfuly.");
-        }
-    };
-    // TODO: add either "Successfully changed password" or "Account enabled successfully" message 
-    Redirect::to("/login").into_response()
-}
-

lib/http_server/src/templates/pages/error.html

@@ -1,11 +0,0 @@
-{% extends "layouts/base.html" %}
-{% block body %}
-<h1>Internal server error</h1>
-
-{% if error %}
-<div class="alert alert-danger">
-    We are sorry. We've rencountered an unrecoverable error.
-</div>
-{% endif %}
-{% endblock %}
-

lib/http_server/src/templates/pages/reset_password.html

@@ -1,54 +0,0 @@
-{% extends "layouts/base.html" %}
-{% block body %}
-{% if reason == "Invitation" %}
-<h1>Invitation</h1>
-{% endif %}
-{% if reason == "LostPassword" %}
-<h1>Reset your password</h1>
-{% endif %}
-<!-- Reset password form -->
-{% if error %}
-<div class="alert alert-danger">
-    Error: {{ error }}
-</div>
-{% endif %}
-{% if info %}
-<div class="alert alert-info">
-    Info: {{ info }}
-</div>
-{% endif %}
-{% if reason == "Invitation" %}
-<p>
-    Pour activer votre compte, veuillez définir votre mot de passe.
-</p>
-{% endif %}
-{% if reason == "LostPassword" %}
-<p>
-    Votre mot de passe est perdu, veuillez définir un nouveau mot de passe.
-</p>
-{% endif %}
-<form id="reset-password-form" method="post" action="/reset-password">
-    <div class="mb-3">
-        <label for="password" class="form-label">New password</label>
-        <input
-            id="password" name="password" type="password"
-            required
-            class="form-control"
-        />
-    </div>
-    <div class="mb-3">
-        <label for="password" class="form-label">New password confirmation</label>
-        <input
-            id="password_confirmation" name="password_confirmation" type="password"
-            required
-            class="form-control"
-        />
-    </div>
-    <input
-        id="token" name="token" type="hidden"
-        value="{{ token }}"
-    />
-
-    <button type="submit" class="btn btn-primary">Change password</button>
-</form>
-{% endblock %}

lib/kernel/Cargo.toml

@@ -1,25 +0,0 @@
-[package]
-name = "kernel"
-edition = "2021"
-
-[dependencies]
-utils = { path = "../utils" }
-
-anyhow = { workspace = true }
-thiserror = { workspace = true }
-log = { workspace = true }
-env_logger = { workspace = true }
-fully_pub = { workspace = true }
-strum = { workspace = true }
-strum_macros = { workspace = true }
-serde = { workspace = true }
-serde_json = { workspace = true }
-chrono = { workspace = true }
-toml = { workspace = true }
-sqlx = { workspace = true }
-dotenvy = { workspace = true }
-sha2 = { workspace = true }
-hex-literal = { workspace = true }
-
-uuid = { workspace = true }
-url = { workspace = true }

lib/kernel/src/actions/mod.rs

@@ -1 +0,0 @@
-pub mod users;

lib/kernel/src/actions/users.rs

@@ -1,44 +0,0 @@
-use crate::{context::KernelContext, models::user::User};
-
-use anyhow::{Context, Result};
-use chrono::SecondsFormat;
-use thiserror::Error;
-
-#[derive(Error, Debug)]
-pub enum CreateUserErr {
-    #[error("Handle or email for user is already used.")]
-    HandleOrEmailNotUnique,
-
-    #[error("Database error.")]
-    DatabaseErr(String)
-}
-
-pub async fn create_user(ctx: KernelContext, user: User) -> Result<(), CreateUserErr> {
-    let res = sqlx::query("
-        INSERT INTO users
-            (id, handle, email, status, roles, password_hash, reset_password_token, created_at)
-            VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
-        ")
-        .bind(user.id)
-        .bind(user.handle)
-        .bind(user.email)
-        .bind(user.status.to_string())
-        .bind(user.roles)
-        .bind(user.password_hash)
-        .bind(user.reset_password_token)
-        .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&ctx.storage.0)
-        .await;
-    match res {
-        Err(err) => {
-            let db_err = &err.as_database_error().unwrap();
-            if db_err.code().unwrap() == "2067" {
-                Err(CreateUserErr::HandleOrEmailNotUnique)
-            } else {
-                dbg!(&err);
-                Err(CreateUserErr::DatabaseErr(db_err.to_string()))
-            }
-        }
-        Ok(_) => Ok(())
-    }
-}

lib/kernel/src/consts.rs

@@ -1,4 +0,0 @@
-pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
-pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
-pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.toml";
-

lib/kernel/src/context.rs

@@ -1,64 +0,0 @@
-use std::{env, fs};
-use anyhow::{Result, Context, anyhow};
-use fully_pub::fully_pub;
-
-use log::info;
-use sqlx::{Pool, Sqlite};
-use crate::{
-    consts::{DEFAULT_CONFIG_PATH, DEFAULT_DB_PATH}, database::prepare_database, models::config::Config, repositories::storage::Storage
-};
-
-/// get server config
-fn get_config(path: String) -> Result<Config> {
-    let inp_def_yaml = fs::read_to_string(path)
-        .expect("Should have been able to read the the config file");
-
-    toml::from_str(&inp_def_yaml)
-        .map_err(|e| anyhow!("Failed to parse config, {:?}", e))
-}
-
-#[fully_pub]
-struct StartKernelConfig {
-    config_path: Option<String>,
-    database_path: Option<String>,
-}
-
-#[derive(Debug, Clone)]
-#[fully_pub]
-struct AppSecrets {
-    jwt_secret: String
-}
-
-#[derive(Debug, Clone)]
-#[fully_pub]
-struct KernelContext {
-    config: Config,
-    secrets: AppSecrets,
-    storage: Storage
-}
-
-pub async fn get_kernel_context(start_config: StartKernelConfig) -> Result<KernelContext> {
-    env_logger::init();
-    let _ = dotenvy::dotenv();
-
-    let database_path = &start_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
-    info!("Using database file at {}", database_path);
-    let storage = prepare_database(database_path).await.context("Could not prepare db.")?;
-
-    let config_path = start_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
-    info!("Using config file at {}", &config_path);
-    let config: Config = get_config(config_path)
-        .expect("Cannot get config.");
-
-    let _ = dotenvy::dotenv();
-    let secrets = AppSecrets {
-        jwt_secret: env::var("APP_JWT_SECRET")
-            .context("Expected APP_JWT_SECRET environment variable to exists.")?
-    };
-
-    Ok(KernelContext {
-        config,
-        secrets,
-        storage
-    })
-}

lib/kernel/src/lib.rs

@@ -1,7 +0,0 @@
-pub mod models;
-pub mod database;
-pub mod consts;
-pub mod context;
-pub mod actions;
-pub mod repositories;
-

lib/kernel/src/models/user.rs

@@ -1,61 +0,0 @@
-use fully_pub::fully_pub;
-use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
-use sqlx::types::Json;
-use utils::get_random_human_token;
-use uuid::Uuid;
-
-#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
-#[derive(strum_macros::Display)]
-#[fully_pub]
-enum UserStatus {
-    Disabled,
-    Invited,
-    Active
-}
-
-#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
-#[fully_pub]
-struct User {
-    /// uuid
-    id: String,
-    handle: String,
-    full_name: Option<String>,
-    email: Option<String>,
-    website: Option<String>,
-    avatar_asset_id: Option<String>,
-    password_hash: Option<String>, // argon2 password hash
-    status: UserStatus,
-    roles: Json<Vec<String>>,
-    reset_password_token: Option<String>,
-
-    last_login_at: Option<DateTime<Utc>>,
-    created_at: DateTime<Utc>
-}
-
-impl User {
-    pub fn new(
-        handle: String
-    ) -> User {
-        User {
-            id: Uuid::new_v4().to_string(),
-            handle,
-            full_name: None,
-            email: None,
-            website: None,
-            avatar_asset_id: None,
-            password_hash: None,
-            status: UserStatus::Disabled,
-            roles: Json(Vec::new()),
-            reset_password_token: None,
-            last_login_at: None,
-            created_at: Utc::now()
-        }
-    }
-
-    pub fn invite(self: &mut Self) {
-        self.reset_password_token = Some(get_random_human_token());
-        self.status = UserStatus::Invited;
-    }
-
-}

lib/kernel/src/models/user_asset.rs

@@ -1,41 +0,0 @@
-use fully_pub::fully_pub;
-use chrono::{DateTime, Utc};
-use serde::{Deserialize, Serialize};
-use uuid::Uuid;
-use sha2::{Sha256, Digest};
-
-use super::user::User;
-
-
-#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
-#[fully_pub]
-struct UserAsset {
-    /// uuid
-    id: String,
-    user_id: String,
-    mime_type: String,
-    fingerprint: String,
-    name: Option<String>,
-    content: Vec<u8>,
-    created_at: DateTime<Utc>
-}
-
-impl UserAsset {
-    pub fn new(
-        user: &User,
-        content: Vec<u8>,
-        mime_type: String,
-        name: Option<String>
-    ) -> UserAsset {
-        let digest = Sha256::digest(&content);
-        UserAsset {
-            id: Uuid::new_v4().to_string(),
-            user_id: user.id.clone(),
-            fingerprint: format!("{:x}", digest),
-            mime_type,
-            content,
-            name,
-            created_at: Utc::now()
-        }
-    }
-}

lib/kernel/src/repositories/mod.rs

@@ -1,2 +0,0 @@
-pub mod storage;
-pub mod users;

lib/kernel/src/repositories/storage.rs

@@ -1,7 +0,0 @@
-use fully_pub::fully_pub;
-use sqlx::{Pool, Sqlite};
-
-/// storage interface
-#[fully_pub]
-#[derive(Clone, Debug)]
-struct Storage(Pool<Sqlite>);

lib/kernel/src/repositories/users.rs

@@ -1,48 +0,0 @@
-// user repositories
-
-use crate::models::{user::User, user_asset::UserAsset};
-
-use super::storage::Storage;
-use anyhow::{Result, Context};
-
-pub async fn get_user_by_id(storage: &Storage, user_id: &str) -> Result<User> {
-    sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
-        .bind(user_id)
-        .fetch_one(&storage.0)
-        .await
-        .context("To get user by id.")
-}
-
-pub async fn get_users(storage: &Storage) -> Result<Vec<User>> {
-    sqlx::query_as::<_, User>("SELECT * FROM users")
-        .fetch_all(&storage.0)
-        .await
-        .context("To get users.")
-}
-
-pub async fn create_user_asset(storage: &Storage, asset: UserAsset) -> Result<()> {
-    sqlx::query("INSERT INTO user_assets
-        (id, user_id, mime_type, fingerprint, content, created_at)
-        VALUES ($1, $2, $3, $4, $5, $6)
-    ")
-        .bind(&asset.id)
-        .bind(&asset.user_id)
-        .bind(&asset.mime_type)
-        .bind(&asset.fingerprint)
-        .bind(&asset.content)
-        .bind(&asset.created_at)
-        .execute(&storage.0)
-        .await
-        .context("While inserting user asset.")?;
-            // .bind(details_update.avatar.contents.to_vec())
-    Ok(())
-}
-
-pub async fn get_user_asset_by_id(storage: &Storage, id: &str) -> Result<UserAsset> {
-    sqlx::query_as("SELECT * FROM user_assets WHERE id = $1")
-        .bind(id)
-        .fetch_one(&storage.0)
-        .await
-        .context("To get user asset by id.")
-}
-

lib/utils/Cargo.toml

@@ -1,10 +0,0 @@
-[package]
-name = "utils"
-edition = "2021"
-
-[dependencies]
-anyhow = { workspace = true }
-argon2 = "0.5"
-base64 = "0.22"
-rand = "0.8.5"
-rand_core = { version = "0.6.4", features = ["std"] }

migrations/all.sql

@@ -1,29 +1,18 @@
 DROP TABLE IF EXISTS users;
 CREATE TABLE users (
-    id                   TEXT PRIMARY KEY,
+    id                  TEXT PRIMARY KEY,
-    handle               TEXT NOT NULL UNIQUE,
+    handle              TEXT NOT NULL UNIQUE,
-    full_name            TEXT,
+    full_name           TEXT,
-    email                TEXT UNIQUE,
+    email               TEXT UNIQUE,
-    website              TEXT,
+    website             TEXT,
-    roles                TEXT NOT NULL, -- json array of user roles
+    picture             BLOB,
-    avatar_asset_id      TEXT,
+    roles               TEXT NOT NULL, -- json array of user roles
 
-    status               TEXT CHECK(status IN ('Invited', 'Active', 'Disabled')) NOT NULL DEFAULT 'Disabled',
+    status              TEXT CHECK(status IN ('Active','Disabled')) NOT NULL DEFAULT 'Disabled',
-    password_hash        TEXT,
+    password_hash       TEXT,
-    reset_password_token TEXT,
+    activation_token    TEXT,
-    last_login_at        DATETIME,
+    last_login_at       DATETIME,
-    created_at           DATETIME NOT NULL
+    created_at          DATETIME NOT NULL
-);
-
-DROP TABLE IF EXISTS user_assets;
-CREATE TABLE user_assets (
-    id                   TEXT PRIMARY KEY,
-    user_id              TEXT NOT NULL,
-    mime_type            TEXT NOT NULL,
-    fingerprint          TEXT NOT NULL,
-    name                 TEXT, -- file name
-    content              BLOB NOT NULL,
-    created_at           DATETIME NOT NULL
 );
 
 DROP TABLE IF EXISTS authorizations;

src/cli.rs

@@ -1,9 +1,9 @@
 use argh::FromArgs;
 use anyhow::{Context, Result};
-use http_server::{start_http_server, ServerConfig};
-use kernel::{consts::DEFAULT_ASSETS_PATH, context::{get_kernel_context, StartKernelConfig}};
 use log::info;
 
+use crate::{get_app_context, server::{start_http_server, ServerConfig}, DEFAULT_ASSETS_PATH};
+
 #[derive(Debug, FromArgs)]
 /// Minauthator daemon
 struct ServerCliFlags {
@@ -27,21 +27,22 @@ struct ServerCliFlags {
     listen_port: u32
 }
 
-/// handle CLI arguments to start HTTP server daemon
+/// handle CLI arguments to start process daemon
-#[tokio::main]
+pub async fn start_server_cli() -> Result<()> {
-pub async fn main() -> Result<()> {
     info!("Starting minauth");
     let flags: ServerCliFlags = argh::from_env();
-    let kernel_context = get_kernel_context(StartKernelConfig {
+    let (config, secrets, db_pool) = get_app_context(crate::StartAppConfig {
         config_path: flags.config,
         database_path: flags.database
-    }).await.context("Getting kernel context")?;
+    }).await.context("Getting app context")?;
     start_http_server(
         ServerConfig {
             assets_path: flags.static_assets.unwrap_or(DEFAULT_ASSETS_PATH.to_string()),
             listen_host: flags.listen_host,
             listen_port: flags.listen_port
         },
-        kernel_context
+        config,
+        secrets,
+        db_pool
     ).await
 }

src/consts.rs

@@ -0,0 +1 @@
+pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";

src/controllers/api/mod.rs

@@ -1,5 +1,3 @@
-pub mod index;
 pub mod oauth2;
 pub mod read_user;
 pub mod openid;
-pub mod public_assets;

src/controllers/api/oauth2/access_token.rs

@@ -4,9 +4,10 @@ use fully_pub::fully_pub;
 use log::error;
 use serde::{Deserialize, Serialize};
 
-use kernel::models::authorization::Authorization;
 use crate::{
-    services::{app_session::AppClientSession, session::create_token}, token_claims::AppUserTokenClaims, AppState
+    models::{authorization::Authorization, token_claims::AppUserTokenClaims},
+    server::AppState,
+    services::{app_session::AppClientSession, session::create_token}
 };
 
 const AUTHORIZATION_CODE_TTL_SECONDS: i64 = 120;
@@ -42,7 +43,7 @@ pub async fn get_access_token(
     )
         .bind(&form.code)
         .bind(&app_client_session.client_id)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await;
     let authorization = match authorizations_res {
         Ok(val) => val,

src/controllers/api/openid/well_known.rs

@@ -1,10 +1,9 @@
 use axum::{extract::State, response::IntoResponse, Json};
 use fully_pub::fully_pub;
-use kernel::models::authorization::AuthorizationScope;
 use serde::Serialize;
 use strum::IntoEnumIterator;
 
-use crate::AppState;
+use crate::{models::authorization::AuthorizationScope, server::AppState};
 
 #[derive(Serialize)]
 #[fully_pub]

src/controllers/api/read_user.rs

@@ -2,8 +2,7 @@ use axum::{extract::State, response::IntoResponse, Extension, Json};
 use fully_pub::fully_pub;
 use serde::Serialize;
 
-use crate::{token_claims::AppUserTokenClaims, AppState};
+use crate::{models::{token_claims::AppUserTokenClaims, user::User}, server::AppState};
-use kernel::models::user::User;
 
 #[derive(Serialize)]
 #[fully_pub]
@@ -20,10 +19,10 @@ pub async fn read_user_basic(
     State(app_state): State<AppState>,
     Extension(token_claims): Extension<AppUserTokenClaims>,
 ) -> impl IntoResponse {
-    // 1. This handler require app user authentification (JWT)
+    // 1. This handler require client user authentification (JWT)
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.user_id)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await
         .expect("To get user from claim");
     let output = ReadUserBasicExtract {

src/controllers/ui/apps.rs

@@ -1,10 +1,10 @@
 use axum::{extract::State, response::IntoResponse, Extension};
 use minijinja::context;
 
-use kernel::models::{config::AppVisibility, config::Application};
 use crate::{
+    models::{config::AppVisibility, config::Application},
     renderer::TemplateRenderer,
-    AppState
+    server::AppState
 };
 
 pub async fn list_apps(

src/controllers/ui/authorize.rs

@@ -7,15 +7,14 @@ use serde::{Deserialize, Serialize};
 use url::Url;
 use uuid::Uuid;
 
-use kernel::{
-    models::{authorization::Authorization, config::AppAuthorizeFlow}
-};
-use utils::get_random_alphanumerical;
 use crate::{
-    renderer::TemplateRenderer, services::oauth2::{parse_scope, verify_redirect_uri}, token_claims::UserTokenClaims, AppState
+    models::{authorization::Authorization, config::AppAuthorizeFlow, token_claims::UserTokenClaims},
+    renderer::TemplateRenderer, server::AppState,
+    services::oauth2::{parse_scope, verify_redirect_uri},
+    utils::get_random_alphanumerical
 };
 
-#[derive(Debug, Serialize, Deserialize)]
+#[derive(Serialize, Deserialize)]
 #[fully_pub]
 /// query params described in [RFC6749 section 4.1.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.1)
 struct AuthorizationParams {
@@ -106,7 +105,7 @@ pub async fn authorize_form(
         .bind(&token_claims.sub)
         .bind(&authorization_params.client_id)
         .bind(sqlx::types::Json(&scopes))
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await;
 
     match authorizations_res {
@@ -120,7 +119,7 @@ pub async fn authorize_form(
                 .bind(existing_authorization.id)
                 .bind(authorization_code.clone())
                 .bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
-                .execute(&app_state.db.0)
+                .execute(&app_state.db)
                 .await.unwrap();
 
             // Authorization already given, just redirect to the app
@@ -220,7 +219,7 @@ pub async fn perform_authorize(
         .bind(authorization.code)
         .bind(authorization.last_used_at.map(|x| x.to_rfc3339_opts(SecondsFormat::Millis, true)))
         .bind(authorization.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db.0)
+        .execute(&app_state.db)
         .await;
     if let Err(err) = res {
         error!("Failed to save authorization in DB. {}", err);

src/controllers/ui/login.rs

@@ -1,15 +1,15 @@
 use axum_extra::extract::{cookie::{Cookie, SameSite}, CookieJar};
 use chrono::{SecondsFormat, Utc};
-use kernel::models::user::{User, UserStatus};
 use log::info;
 use serde::Deserialize;
-use axum::{extract::{Query, State}, http::StatusCode, response::{IntoResponse, Redirect}, Extension, Form};
+use axum::{extract::{Query, State}, http::{HeaderMap, HeaderValue, StatusCode}, response::{Html, IntoResponse, Redirect}, Extension, Form};
 use fully_pub::fully_pub;
 use minijinja::context;
 use time::Duration;
-use utils::verify_password_hash;
 
-use crate::{renderer::TemplateRenderer, services::session::create_token, token_claims::UserTokenClaims, AppState, WEB_GUI_JWT_COOKIE_NAME};
+use crate::{
+    consts::WEB_GUI_JWT_COOKIE_NAME, models::{token_claims::UserTokenClaims, user::{User, UserStatus}}, renderer::TemplateRenderer, server::AppState, services::{password::verify_password_hash, session::create_token}
+};
 
 pub async fn login_form(
     Extension(renderer): Extension<TemplateRenderer>
@@ -47,7 +47,7 @@ pub async fn perform_login(
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE handle = $1 OR email = $2")
         .bind(&login.login)
         .bind(&login.login)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await;
 
     let password_hash = match &user_res {
@@ -87,7 +87,7 @@ pub async fn perform_login(
     let _result = sqlx::query("UPDATE users SET last_login_at = $2 WHERE id = $1")
         .bind(user.id.clone())
         .bind(Utc::now().to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db.0)
+        .execute(&app_state.db)
         .await.unwrap();
 
     let jwt_max_age = Duration::days(15);

src/controllers/ui/logout.rs

@@ -1,7 +1,7 @@
 use axum::response::{IntoResponse, Redirect};
 use axum_extra::extract::CookieJar;
 
-use crate::WEB_GUI_JWT_COOKIE_NAME;
+use crate::consts::WEB_GUI_JWT_COOKIE_NAME;
 
 pub async fn perform_logout(
     cookies: CookieJar

src/controllers/ui/me.rs

@@ -1,16 +1,14 @@
-use anyhow::Context;
 use axum::{body::Bytes, extract::State, response::IntoResponse, Extension};
 use axum_typed_multipart::{FieldData, TryFromMultipart, TypedMultipart};
 use fully_pub::fully_pub;
-use log::{error, info};
+use log::error;
 use minijinja::context;
 
 use crate::{
-    token_claims::UserTokenClaims,
+    models::{token_claims::UserTokenClaims, user::User},
     renderer::TemplateRenderer,
-    AppState
+    server::AppState
 };
-use kernel::{models::{user::User, user_asset::UserAsset}, repositories::users::create_user_asset};
 
 pub async fn me_page(
     State(app_state): State<AppState>,
@@ -19,7 +17,7 @@ pub async fn me_page(
 ) -> impl IntoResponse {
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.sub)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await
         .expect("To get user from claim");
 
@@ -40,7 +38,7 @@ pub async fn me_update_details_form(
 
     let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.sub)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await
         .expect("To get user from claim");
 
@@ -62,7 +60,7 @@ struct UserDetailsUpdateForm {
     website: String,
 
     #[form_data(limit = "5MiB")]
-    avatar: FieldData<Bytes>
+    picture: FieldData<Bytes>
 }
 
 
@@ -74,43 +72,19 @@ pub async fn me_perform_update_details(
 ) -> impl IntoResponse {
     let template_path = "pages/me/details-form";
 
-    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
+    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5, picture = $6 WHERE id = $1")
-        .bind(&token_claims.sub)
-        .fetch_one(&app_state.db.0)
-        .await
-        .expect("To get user from claim");
-
-    let update_res = sqlx::query("UPDATE users SET handle = $2, email = $3, full_name = $4, website = $5 WHERE id = $1")
         .bind(&token_claims.sub)
         .bind(details_update.handle)
         .bind(details_update.email)
         .bind(details_update.full_name)
         .bind(details_update.website)
-        .execute(&app_state.db.0)
+        .bind(details_update.picture.contents.to_vec())
+        .execute(&app_state.db)
         .await;
 
-    if !details_update.avatar.contents.is_empty() {
+    let user_res = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
-        let user_asset = UserAsset::new(
-            &user,
-            details_update.avatar.contents.to_vec(),
-            details_update.avatar.metadata.content_type.expect("Expected mimetype on avatar content"),
-            details_update.avatar.metadata.name
-        );
-        let _update_res = sqlx::query("UPDATE users SET avatar_asset_id = $2 WHERE id = $1")
-            .bind(&token_claims.sub)
-            .bind(user_asset.id.clone())
-            .execute(&app_state.db.0)
-            .await;
-        // TODO: handle possible error
-        let _ = create_user_asset(&app_state.db, user_asset)
-            .await
-            .context("Creating user avatar asset.");
-        info!("Uploaded new avatar as user asset");
-    }
-
-    let user = sqlx::query_as::<_, User>("SELECT * FROM users WHERE id = $1")
         .bind(&token_claims.sub)
-        .fetch_one(&app_state.db.0)
+        .fetch_one(&app_state.db)
         .await
         .expect("To get user from claim");
 
@@ -120,7 +94,7 @@ pub async fn me_perform_update_details(
                 template_path,
                 context!(
                     success => true,
-                    user => user
+                    user => user_res
                 )
             )
         },
@@ -130,7 +104,7 @@ pub async fn me_perform_update_details(
                 template_path,
                 context!(
                     error => Some("Cannot update user details.".to_string()),
-                    user => user
+                    user => user_res
                 )
             )
         }

src/controllers/ui/mod.rs

@@ -6,4 +6,3 @@ pub mod me;
 pub mod logout;
 pub mod user_panel;
 pub mod apps;
-pub mod reset_password;

src/controllers/ui/register.rs

@@ -7,10 +7,7 @@ use fully_pub::fully_pub;
 use sqlx::types::Json;
 use uuid::Uuid;
 
-use crate::{renderer::TemplateRenderer, AppState};
+use crate::{models::user::{User, UserStatus}, renderer::TemplateRenderer, server::AppState, services::password::get_password_hash};
-
-use kernel::models::user::{User, UserStatus};
-use utils::get_password_hash;
 
 pub async fn register_form(
     State(app_state): State<AppState>
@@ -46,12 +43,12 @@ pub async fn perform_register(
         email: Some(register.email),
         handle: register.handle,
         full_name: None,
-        avatar_asset_id: None,
+        picture: None,
 
         password_hash,
         status: UserStatus::Active,
-        roles: Json(Vec::new()), // take the default role in the config
+        roles: Json(Vec::new()),
-        reset_password_token: None,
+        activation_token: None,
         created_at: Utc::now(),
         website: None,
         last_login_at: None
@@ -69,7 +66,7 @@ pub async fn perform_register(
         .bind(user.roles)
         .bind(user.password_hash)
         .bind(user.created_at.to_rfc3339_opts(SecondsFormat::Millis, true))
-        .execute(&app_state.db.0)
+        .execute(&app_state.db)
         .await;
     match res {
         Err(err) => {

src/controllers/ui/user_panel/authorizations.rs

@@ -4,8 +4,7 @@ use log::error;
 use minijinja::context;
 use serde::Deserialize;
 
-use kernel::models::authorization::Authorization;
+use crate::{models::{authorization::Authorization, token_claims::UserTokenClaims}, renderer::TemplateRenderer, server::AppState};
-use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
 
 pub async fn get_authorizations(
     State(app_state): State<AppState>,
@@ -14,7 +13,7 @@ pub async fn get_authorizations(
 ) -> impl IntoResponse {
     let user_authorizations = sqlx::query_as::<_, Authorization>("SELECT * FROM authorizations WHERE user_id = $1")
         .bind(&token_claims.sub)
-        .fetch_all(&app_state.db.0)
+        .fetch_all(&app_state.db)
         .await
         .expect("To get user authorization with user_id from claim");
     renderer.render(
@@ -38,7 +37,7 @@ pub async fn revoke_authorization(
 ) -> impl IntoResponse {
     let delete_res = sqlx::query("DELETE FROM authorizations WHERE id = $1")
         .bind(&form.authorization_id)
-        .execute(&app_state.db.0)
+        .execute(&app_state.db)
         .await;
     match delete_res {
         Ok(_) => {},

src/database.rs

@@ -1,10 +1,8 @@
 use anyhow::{Context, Result};
-use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, ConnectOptions};
+use sqlx::{sqlite::{SqliteConnectOptions, SqlitePoolOptions}, Pool, Sqlite, ConnectOptions};
 use std::str::FromStr;
 
-use crate::repositories::storage::Storage;
+pub async fn prepare_database(sqlite_db_path: &str) -> Result<Pool<Sqlite>> {
-
-pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
     let conn_str = format!("sqlite:{}", sqlite_db_path);
 
     let pool = SqlitePoolOptions::new()
@@ -16,6 +14,6 @@ pub async fn prepare_database(sqlite_db_path: &str) -> Result<Storage> {
         .await
         .context("could not connect to database_url")?;
 
-    Ok(Storage(pool))
+    Ok(pool)
 }
 

src/main.rs

@@ -0,0 +1,62 @@
+pub mod models;
+pub mod controllers;
+pub mod router;
+pub mod server;
+pub mod database;
+pub mod cli;
+pub mod utils;
+pub mod services;
+pub mod middlewares;
+pub mod renderer;
+pub mod consts;
+
+use std::{env, fs};
+use anyhow::{Result, Context, anyhow};
+
+use database::prepare_database;
+use log::info;
+use sqlx::{Pool, Sqlite};
+use models::config::{AppSecrets, Config};
+
+pub const DEFAULT_DB_PATH: &str = "/var/lib/minauthator/minauthator.db";
+pub const DEFAULT_ASSETS_PATH: &str = "/usr/local/lib/minauthator/assets";
+pub const DEFAULT_CONFIG_PATH: &str = "/etc/minauthator/config.yaml";
+
+fn get_config(path: String) -> Result<Config> {
+    let inp_def_yaml = fs::read_to_string(path)
+        .expect("Should have been able to read the the config file");
+
+    toml::from_str(&inp_def_yaml)
+        .map_err(|e| anyhow!("Failed to parse config, {:?}", e))
+}
+
+struct StartAppConfig {
+    config_path: Option<String>,
+    database_path: Option<String>,
+}
+
+#[tokio::main]
+async fn main() -> Result<()> {
+    cli::start_server_cli().await
+}
+
+async fn get_app_context(start_app_config: StartAppConfig) -> Result<(Config, AppSecrets, Pool<Sqlite>)> {
+    env_logger::init();
+    let _ = dotenvy::dotenv();
+
+    let database_path = &start_app_config.database_path.unwrap_or(DEFAULT_DB_PATH.to_string());
+    info!("Using database file at {}", database_path);
+    let pool = prepare_database(database_path).await.context("Could not prepare db.")?;
+
+    let config_path = start_app_config.config_path.unwrap_or(DEFAULT_CONFIG_PATH.to_string());
+    info!("Using config file at {}", &config_path);
+    let config: Config = get_config(config_path)
+        .expect("Cannot get config.");
+
+    dotenvy::dotenv().context("loading .env")?;
+    let secrets = AppSecrets {
+        jwt_secret: env::var("APP_JWT_SECRET").context("Expecting APP_JWT_SECRET env var.")?
+    };
+
+    Ok((config, secrets, pool))
+}

src/middlewares/app_auth.rs

@@ -5,12 +5,9 @@ use axum::{
     response::{Html, IntoResponse, Response},
     Extension
 };
-use utils::parse_basic_auth;
 
 use crate::{
-    services::{app_session::AppClientSession, session::verify_token},
+    models::token_claims::AppUserTokenClaims, server::AppState, services::{app_session::AppClientSession, session::verify_token}, utils::parse_basic_auth
-    token_claims::AppUserTokenClaims,
-    AppState
 };
 
 

src/middlewares/renderer.rs

@@ -1,5 +1,6 @@
 use axum::{extract::{Request, State}, http::StatusCode, middleware::Next, response::Response, Extension};
-use crate::{renderer::TemplateRenderer, token_claims::UserTokenClaims, AppState};
+
+use crate::{models::token_claims::UserTokenClaims, renderer::TemplateRenderer, server::AppState};
 
 pub async fn renderer_middleware(
     State(app_state): State<AppState>,

src/middlewares/user_auth.rs

@@ -7,9 +7,7 @@ use axum::{
 use axum_extra::extract::CookieJar;
 
 use crate::{
-    services::session::verify_token,
+    consts::WEB_GUI_JWT_COOKIE_NAME, models::token_claims::UserTokenClaims, server::AppState, services::session::verify_token
-    token_claims::UserTokenClaims,
-    AppState, WEB_GUI_JWT_COOKIE_NAME
 };
 
 

src/models/config.rs

@@ -1,3 +1,5 @@
+use std::collections::HashSet;
+
 use fully_pub::fully_pub;
 use serde::{Deserialize, Serialize};
 
@@ -48,6 +50,20 @@ struct Application {
     login_uri: String
 }
 
+
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Hash, Eq)]
+#[fully_pub]
+enum Permission {
+    ListUsers,
+    DisableUser,
+    EnableUser,
+    VerifyEmail,
+    InviteUser,
+    DeleteUser,
+    ResetUserPassword,
+    AssignUserGroups
+}
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 #[fully_pub]
 struct Role {
@@ -55,7 +71,8 @@ struct Role {
     name: String,
     description: Option<String>,
     #[serde(default = "_default_true")]
-    default: bool
+    default: bool,
+    permissions: HashSet<Permission>
 }
 
 // todo: Role hierarchy https://en.wikipedia.org/wiki/Role_hierarchy
@@ -69,6 +86,7 @@ struct Config {
     roles: Vec<Role>
 }
 
+
 #[derive(Debug, Clone)]
 #[fully_pub]
 struct AppSecrets {

src/models/mod.rs

@@ -1,4 +1,4 @@
 pub mod config;
 pub mod user;
-pub mod user_asset;
 pub mod authorization;
+pub mod token_claims;

src/models/token_claims.rs

@@ -1,9 +1,10 @@
 use fully_pub::fully_pub;
 use jsonwebtoken::get_current_timestamp;
-use kernel::models::authorization::AuthorizationScope;
 use serde::{Deserialize, Serialize};
 use time::Duration;
 
+use super::authorization::AuthorizationScope;
+
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[fully_pub]
 struct UserTokenClaims {

src/models/user.rs

@@ -0,0 +1,31 @@
+use fully_pub::fully_pub;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use sqlx::types::Json;
+
+#[derive(sqlx::Type, Clone, Debug, Serialize, Deserialize, PartialEq)]
+#[derive(strum_macros::Display)]
+#[fully_pub]
+enum UserStatus {
+    Active,
+    Disabled
+}
+
+#[derive(sqlx::FromRow, Deserialize, Serialize, Debug)]
+#[fully_pub]
+struct User {
+    /// uuid
+    id: String,
+    handle: String,
+    full_name: Option<String>,
+    email: Option<String>,
+    website: Option<String>,
+    picture: Option<Vec<u8>>, // embeded blob to store profile pic
+    password_hash: Option<String>, // argon2 password hash
+    status: UserStatus,
+    roles: Json<Vec<String>>,
+    activation_token: Option<String>,
+
+    last_login_at: Option<DateTime<Utc>>,
+    created_at: DateTime<Utc>
+}

src/renderer.rs

@@ -1,11 +1,9 @@
 use axum::{http::StatusCode, response::{Html, IntoResponse}};
 use fully_pub::fully_pub;
-use kernel::models::config::Config;
 use log::error;
 use minijinja::{context, Environment, Value};
-use utils::encode_base64_picture;
 
-use crate::token_claims::UserTokenClaims;
+use crate::models::token_claims::UserTokenClaims;
 
 
 #[derive(Debug, Clone)]
@@ -45,14 +43,3 @@ impl TemplateRenderer {
     }
 }
 
-pub fn build_templating_env(config: &Config) -> Environment<'static> {
-    let mut env = Environment::new();
-
-    minijinja_embed::load_templates!(&mut env);
-
-    env.add_global("gl", context! {
-        instance => config.instance
-    });
-    env.add_function("inline_picture", encode_base64_picture);
-    env
-}

src/router.rs

@@ -9,7 +9,7 @@ use crate::{
         app_auth,
         renderer::renderer_middleware
     },
-    AppState, ServerConfig
+    server::{AppState, ServerConfig}
 };
 
 pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router<AppState> {
@@ -19,9 +19,6 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
         .route("/register", post(ui::register::perform_register))
         .route("/login", get(ui::login::login_form))
         .route("/login", post(ui::login::perform_login))
-        .route("/invitation", get(ui::reset_password::reset_password_form))
-        .route("/reset-password", get(ui::reset_password::reset_password_form))
-        .route("/reset-password", post(ui::reset_password::perform_reset_password))
         .layer(middleware::from_fn_with_state(app_state.clone(), renderer_middleware))
         .layer(middleware::from_fn_with_state(app_state.clone(), user_auth::auth_middleware));
 
@@ -46,9 +43,7 @@ pub fn build_router(server_config: &ServerConfig, app_state: AppState) -> Router
 
     let api_user_routes = Router::new()
         .route("/api/user", get(api::read_user::read_user_basic))
-        .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware))
+        .layer(middleware::from_fn_with_state(app_state.clone(), app_auth::enforce_jwt_auth_middleware));
-        .route("/api", get(api::index::get_index))
-        .route("/api/user-assets/:asset_id", get(api::public_assets::get_user_asset));
 
     let well_known_routes = Router::new()
         .route("/.well-known/openid-configuration", get(api::openid::well_known::get_well_known_openid_configuration));

src/server.rs

@@ -1,22 +1,24 @@
-pub mod controllers;
+use base64::{prelude::BASE64_STANDARD, Engine};
-pub mod router;
-pub mod services;
-pub mod middlewares;
-pub mod renderer;
-pub mod token_claims;
-
 use fully_pub::fully_pub;
 use anyhow::{Result, Context};
-use kernel::{context::{AppSecrets, KernelContext}, models::config::Config, repositories::storage::Storage};
 use log::info;
-use minijinja::Environment;
+use minijinja::{context, Environment};
+use sqlx::{Pool, Sqlite};
+use crate::{models::config::{AppSecrets, Config}, router::build_router};
 
-use crate::{
+fn build_templating_env(config: &Config) -> Environment<'static> {
-    router::build_router,
+    let mut env = Environment::new();
-    renderer::build_templating_env
-};
 
-pub const WEB_GUI_JWT_COOKIE_NAME: &str = "minauthator_jwt";
+    minijinja_embed::load_templates!(&mut env);
+
+    env.add_global("gl", context! {
+        instance => config.instance
+    });
+    env.add_function("encode_b64str", |bin_val: Vec<u8>| {
+        BASE64_STANDARD.encode(bin_val)
+    });
+    env
+}
 
 #[derive(Debug)]
 #[fully_pub]
@@ -32,20 +34,22 @@ pub struct ServerConfig {
 pub struct AppState {
     secrets: AppSecrets,
     config: Config,
-    db: Storage,
+    db: Pool<Sqlite>,
     templating_env: Environment<'static>
 }
 
 pub async fn start_http_server(
     server_config: ServerConfig,
-    ctx: KernelContext
+    config: Config,
+    secrets: AppSecrets,
+    db_pool: Pool<Sqlite>
 ) -> Result<()> {
     // build state
     let state = AppState {
-        templating_env: build_templating_env(&ctx.config),
+        templating_env: build_templating_env(&config),
-        config: ctx.config,
+        config,
-        secrets: ctx.secrets,
+        secrets,
-        db: ctx.storage
+        db: db_pool
     };
 
     // build routes

src/services/mod.rs

@@ -1,3 +1,4 @@
+pub mod password;
 pub mod session;
 pub mod oauth2;
 pub mod app_session;

src/services/oauth2.rs

@@ -1,7 +1,7 @@
 use std::str::FromStr;
 use anyhow::{Result, Context};
 
-use kernel::models::{authorization::AuthorizationScope, config::Application};
+use crate::models::{authorization::AuthorizationScope, config::Application};
 
 pub fn verify_redirect_uri(app: &Application, input_redirect_uri: &str) -> bool {
     app.allowed_redirect_uris

src/services/password.rs

@@ -0,0 +1,35 @@
+use anyhow::{anyhow, Result};
+use argon2::{
+    password_hash::{
+        rand_core::OsRng,
+        PasswordHash, PasswordHasher, PasswordVerifier, SaltString
+    },
+    Argon2
+};
+
+pub fn get_password_hash(password: String) -> Result<(String, String)> {
+    let salt = SaltString::generate(&mut OsRng);
+
+    // Argon2 with default params (Argon2id v19)
+    let argon2 = Argon2::default();
+
+    // Hash password to PHC string ($argon2id$v=19$...)
+    match argon2.hash_password(password.as_bytes(), &salt) {
+        Ok(val) => Ok((salt.to_string(), val.to_string())),
+        Err(_) => Err(anyhow!("Failed to process password."))
+    }
+}
+
+pub fn verify_password_hash(password_hash: String, password: String) -> Result<()> {
+    let parsed_hash = match PasswordHash::new(&password_hash) {
+        Ok(val) => val,
+        Err(_) => {
+            return Err(anyhow!("Failed to parse password hash"));
+        }
+    };
+    match Argon2::default().verify_password(password.as_bytes(), &parsed_hash) {
+        Ok(()) => Ok(()),
+        Err(_) => Err(anyhow!("Failed to verify password."))
+    }
+}
+

src/services/session.rs

@@ -1,7 +1,8 @@
 use anyhow::Result;
 use serde::{de::DeserializeOwned, Serialize};
 use jsonwebtoken::{encode, decode, Header, Algorithm, Validation, EncodingKey, DecodingKey};
-use kernel::context::AppSecrets;
+
+use crate::models::config::AppSecrets;
 
 
 pub fn create_token<T: Serialize>(secrets: &AppSecrets, claims: T) -> String {

src/templates/pages/me/details-form.html

@@ -55,9 +55,10 @@
         />
     </div>
     <div class="mb-3">
-        <label for="avatar">Profile picture</label>
+        <label for="picture">Profile picture</label>
+        <!-- for now, no JPEG -->
         <input
-            id="avatar" name="avatar"
+            id="picture" name="picture"
             type="file"
             accept="image/gif, image/png, image/jpeg"
             class="form-control"

src/templates/pages/me/index.html

@@ -5,12 +5,9 @@
 <a href="/me/details-form">Update details.</a>
 <a href="/me/authorizations">Manage authorizations.</a>
 
-{% if user.avatar_asset_id %}
+<p>
-<div class="my-3">
+{% if user.picture %}
-    <img
+    <img src="data:image/*;base64,{{ encode_b64str(user.picture) }}" style="width: 150px; height: 150px; object-fit: contain">
-        src="http://localhost:8085/api/user-assets/{{ user.avatar_asset_id }}"
-        style="width: 150px; height: 150px; object-fit: contain">
-</div>
 {% endif %}
 <ul>
     <li>

src/utils.rs

@@ -43,18 +43,6 @@ pub fn get_random_alphanumerical(length: usize) -> String {
         .collect()
 }
 
-/// Generate easy to type token
-pub fn get_random_human_token() -> String {
-    return format!(
-        "{}-{}-{}-{}-{}",
-        get_random_alphanumerical(4),
-        get_random_alphanumerical(4),
-        get_random_alphanumerical(4),
-        get_random_alphanumerical(4),
-        get_random_alphanumerical(4)
-    ).to_uppercase();
-}
-
 pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
     let header_val_components: Vec<&str> = header_value.split(" ").collect();
     let encoded_header_value: &str = header_val_components
@@ -73,7 +61,3 @@ pub fn parse_basic_auth(header_value: &str) -> Result<(String, String)> {
     ))
 }
 
-pub fn encode_base64_picture(picture_bytes: Vec<u8>) -> String {
-    let encoded = BASE64_STANDARD.encode(picture_bytes);
-    return format!("data:image/*;base64,{}", encoded);
-}

tests/hurl_integration/run_scenario.sh

@@ -1,39 +0,0 @@
-#!/usr/bin/sh
-
-set -eou pipefail
-
-scenario_name="$1"
-project_root="$(dirname $(cargo locate-project | jq -r .root))"
-scenario_dir="$project_root/tests/hurl_integration/$1"
-scenario_tmp_dir_path="$project_root/tmp/tests/$scenario_name"
-database_path="$project_root/tmp/tests/$scenario_name/minauthator.db"
-
-echo "Starting scenario $scenario_name."
-mkdir -p $scenario_tmp_dir_path
-if [ -f $database_path ]; then
-    rm $database_path
-fi
-sqlite3 $database_path < $project_root/migrations/all.sql
-
-export DB_PATH=$database_path
-if [ -f $scenario_dir/init_db.sh ]; then
-    $scenario_dir/init_db.sh
-fi
-
-pkill -f $project_root/target/debug/minauthator-server &
-sleep 0.1
-$project_root/target/debug/minauthator-server \
-    --config "$scenario_dir/config.toml" \
-    --database  $database_path \
-    --listen-host "127.0.0.1" \
-    --listen-port "8086" \
-    --static-assets "$project_root/assets" &
-
-server_pid=$!
-sleep 0.2
-hurl \
-    --variable base_url="http://localhost:8086" \
-    --test --error-format long \
-    $scenario_dir/main.hurl
-kill $server_pid
-echo "End of scenario."

tests/hurl_integration/scenario_1/config.toml

@@ -1,56 +0,0 @@
-[instance]
-base_uri = "http://localhost:8086"
-name = "Example org"
-logo_uri = "https://example.org/logo.png"
-
-[[applications]]
-slug = "demo_app"
-name = "Demo app"
-description = "A super application where you can do everything you want."
-client_id = "00000001-0000-0000-0000-000000000001"
-client_secret = "dummy_client_secret"
-login_uri = "https://localhost:9876"
-allowed_redirect_uris = [
-    "http://localhost:9090/callback",
-    "http://localhost:9876/callback"
-]
-visibility = "Internal"
-authorize_flow = "Implicit"
-
-[[applications]]
-slug = "wiki"
-name = "Wiki app"
-description = "The knowledge base of the exemple org."
-client_id = "f9de1885-448d-44bb-8c48-7e985486a8c6"
-client_secret = "49c6c16a-0a8a-4981-a60d-5cb96582cc1a"
-login_uri = "https://wiki.example.org/login"
-allowed_redirect_uris = [
-    "https://wiki.example.org/oauth2/callback"
-]
-visibility = "Public"
-authorize_flow = "Implicit"
-
-[[applications]]
-slug = "private_app"
-name = "Demo app"
-description = "Private app you should never discover"
-client_id = "c8a08783-2342-4ce3-a3cb-9dc89b6bdf"
-client_secret = "this_is_the_secret"
-login_uri = "https://private-app.org"
-allowed_redirect_uris = [
-    "http://localhost:9091/authorize",
-]
-visibility = "Private"
-authorize_flow = "Implicit"
-
-[[roles]]
-slug = "basic"
-name = "Basic"
-description = "Basic user"
-default = true
-
-[[roles]]
-slug = "admin"
-name = "Administrator"
-description = "Full power on organization instance"
-

tests/hurl_integration/scenario_1/init_db.sh

@@ -1,11 +0,0 @@
-#!/usr/bin/bash
-
-password_hash="$(echo -n "root" | argon2 salt_06cGGWYDJCZ -e)"
-echo $password_hash
-SQL=$(cat <<EOF
-    INSERT INTO users
-        (id, handle, email, roles, status, password_hash, created_at)
-        VALUES
-        ('$(uuid)', 'root', 'root@example.org', '[]', 'Active', '$password_hash', '2024-11-30T00:00:00Z');
-EOF)
-echo $SQL | sqlite3 $DB_PATH