cedros-login-server 0.0.43

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! Dashboard permissions handlers
//!
//! GET /admin/dashboard-permissions - Get current dashboard permissions config
//! PUT /admin/dashboard-permissions - Update dashboard permissions (owner only)
//!
//! Dashboard permissions control which sections of the admin dashboard each role
//! (admin, member) can access. Owner always has full access (enforced in frontend).

use axum::{extract::State, http::HeaderMap, Json};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::sync::Arc;

use super::users::validate_system_admin;
use crate::callback::AuthCallback;
use crate::errors::AppError;
use crate::repositories::SystemSetting;
use crate::services::EmailService;
use crate::AppState;

/// Dashboard section identifier
type DashboardSection = String;

/// Dashboard permissions per role
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct DashboardPermissions {
    pub admin: HashMap<DashboardSection, bool>,
    pub member: HashMap<DashboardSection, bool>,
}

/// Response for GET/PUT /admin/dashboard-permissions
#[derive(Debug, Clone, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct DashboardPermissionsResponse {
    pub permissions: DashboardPermissions,
}

/// Key used in system_settings table
const DASHBOARD_PERMISSIONS_KEY: &str = "dashboard_permissions";
const DASHBOARD_PERMISSIONS_CATEGORY: &str = "dashboard";

/// Default permissions for new orgs
fn default_permissions() -> DashboardPermissions {
    let mut admin = HashMap::new();
    admin.insert("users".to_string(), true);
    admin.insert("team".to_string(), true);
    admin.insert("deposits".to_string(), true);
    admin.insert("withdrawals".to_string(), true);
    admin.insert("settings-wallet".to_string(), true);
    admin.insert("settings-auth".to_string(), true);
    admin.insert("settings-messaging".to_string(), true);
    admin.insert("settings-credits".to_string(), true);
    admin.insert("settings-server".to_string(), true);

    let mut member = HashMap::new();
    member.insert("users".to_string(), false);
    member.insert("team".to_string(), true);
    member.insert("deposits".to_string(), false);
    member.insert("withdrawals".to_string(), false);
    member.insert("settings-wallet".to_string(), false);
    member.insert("settings-auth".to_string(), false);
    member.insert("settings-messaging".to_string(), false);
    member.insert("settings-credits".to_string(), false);
    member.insert("settings-server".to_string(), false);

    DashboardPermissions { admin, member }
}

/// GET /admin/dashboard-permissions
///
/// Returns the current dashboard permissions configuration.
/// If not configured, returns default permissions.
pub async fn get_dashboard_permissions<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
    headers: HeaderMap,
) -> Result<Json<DashboardPermissionsResponse>, AppError> {
    validate_system_admin(&state, &headers).await?;

    // Try to get permissions from system_settings
    let setting = state
        .system_settings_repo
        .get_by_key(DASHBOARD_PERMISSIONS_KEY)
        .await?;

    let permissions = match setting {
        Some(s) => serde_json::from_str(&s.value).unwrap_or_else(|_| default_permissions()),
        None => default_permissions(),
    };

    Ok(Json(DashboardPermissionsResponse { permissions }))
}

/// PUT /admin/dashboard-permissions
///
/// Updates the dashboard permissions configuration.
/// Requires system admin privileges.
pub async fn update_dashboard_permissions<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
    headers: HeaderMap,
    Json(permissions): Json<DashboardPermissions>,
) -> Result<Json<DashboardPermissionsResponse>, AppError> {
    let admin_id = validate_system_admin(&state, &headers).await?;

    // Serialize permissions to JSON
    let value = serde_json::to_string(&permissions).map_err(|e| AppError::Internal(e.into()))?;

    // Upsert the setting
    let setting = SystemSetting {
        key: DASHBOARD_PERMISSIONS_KEY.to_string(),
        value,
        category: DASHBOARD_PERMISSIONS_CATEGORY.to_string(),
        description: Some("Dashboard permissions per role".to_string()),
        is_secret: false,
        encryption_version: None,
        updated_at: chrono::Utc::now(),
        updated_by: Some(admin_id),
    };

    state
        .system_settings_repo
        .upsert_many(vec![setting])
        .await?;

    tracing::info!(
        admin_id = %admin_id,
        "Admin updated dashboard permissions"
    );

    Ok(Json(DashboardPermissionsResponse { permissions }))
}