cedros-login-server 0.0.6

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208

//! Setup handlers for first-run configuration
//!
//! These endpoints are used during initial setup before any admin user exists.
//! Once an admin is created, most of these endpoints become disabled.

use axum::{extract::State, http::StatusCode, response::IntoResponse, Json};
use serde::{Deserialize, Serialize};
use std::sync::Arc;
use uuid::Uuid;

use crate::callback::AuthCallback;
use crate::errors::AppError;
use crate::AppState;
use crate::models::AuthMethod;
use crate::repositories::{MembershipEntity, OrgEntity, OrgRole, UserEntity};
use crate::services::EmailService;

/// Response for setup status check
#[derive(Debug, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct SetupStatusResponse {
    /// Whether initial setup is needed (no admin exists)
    pub needs_setup: bool,
    /// Whether at least one admin user exists
    pub has_admin: bool,
    /// Server version for compatibility checking
    pub server_version: String,
}

/// Request to create the first admin user
#[derive(Debug, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct CreateFirstAdminRequest {
    /// Admin email address
    pub email: String,
    /// Admin password (will be hashed)
    pub password: String,
    /// Optional display name
    pub name: Option<String>,
}

/// Response after creating first admin
#[derive(Debug, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct CreateFirstAdminResponse {
    /// Whether admin was successfully created
    pub success: bool,
    /// Created user ID
    pub user_id: Uuid,
    /// Message for the user
    pub message: String,
}

/// Check if initial setup is required
///
/// GET /setup/status
///
/// This endpoint is always accessible (no auth required).
/// Returns whether the system needs initial setup (no admin exists).
pub async fn setup_status<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
) -> Result<impl IntoResponse, AppError> {
    let has_admin = check_has_admin(&state).await?;

    Ok(Json(SetupStatusResponse {
        needs_setup: !has_admin,
        has_admin,
        server_version: env!("CARGO_PKG_VERSION").to_string(),
    }))
}

/// Create the first admin user
///
/// POST /setup/admin
///
/// This endpoint only works when no admin users exist.
/// After the first admin is created, this endpoint returns 403 Forbidden.
pub async fn create_first_admin<C: AuthCallback, E: EmailService>(
    State(state): State<Arc<AppState<C, E>>>,
    Json(req): Json<CreateFirstAdminRequest>,
) -> Result<impl IntoResponse, AppError> {
    // Check if admin already exists
    let has_admin = check_has_admin(&state).await?;
    if has_admin {
        return Err(AppError::Forbidden(
            "Setup already completed. An admin user already exists.".into(),
        ));
    }

    // Validate email format
    if !req.email.contains('@') || req.email.len() < 5 {
        return Err(AppError::Validation("Invalid email format".into()));
    }

    // Validate password strength
    if req.password.len() < 8 {
        return Err(AppError::Validation(
            "Password must be at least 8 characters".into(),
        ));
    }

    // Check if email already exists
    if let Some(_existing) = state.user_repo.find_by_email(&req.email).await? {
        return Err(AppError::Validation("Email already registered".into()));
    }

    // Hash password using the password service
    let password_hash = state.password_service.hash(req.password.clone()).await?;

    // Create user entity
    let user_id = Uuid::new_v4();
    let now = chrono::Utc::now();
    let user = UserEntity {
        id: user_id,
        email: Some(req.email.clone()),
        email_verified: true, // Auto-verify for setup admin
        password_hash: Some(password_hash),
        name: req.name,
        picture: None,
        wallet_address: None,
        google_id: None,
        apple_id: None,
        stripe_customer_id: None,
        auth_methods: vec![AuthMethod::Email],
        is_system_admin: true, // This is the key - make them admin
        created_at: now,
        updated_at: now,
        last_login_at: Some(now),
    };

    // Create the user
    state.user_repo.create(user).await?;

    // Create personal organization for the admin
    let org_id = Uuid::new_v4();
    let org = OrgEntity {
        id: org_id,
        name: "Personal".to_string(),
        slug: format!("personal-{}", &user_id.to_string()[..8]),
        logo_url: None,
        is_personal: true,
        owner_id: user_id,
        created_at: chrono::Utc::now(),
        updated_at: chrono::Utc::now(),
    };
    state.org_repo.create(org).await?;

    // Create owner membership
    let membership_id = Uuid::new_v4();
    let membership = MembershipEntity {
        id: membership_id,
        user_id,
        org_id,
        role: OrgRole::Owner,
        joined_at: chrono::Utc::now(),
    };
    state.membership_repo.create(membership).await?;

    tracing::info!(
        user_id = %user_id,
        email = %req.email,
        "First admin user created during setup"
    );

    Ok((
        StatusCode::CREATED,
        Json(CreateFirstAdminResponse {
            success: true,
            user_id,
            message: "Admin account created successfully. You can now log in.".to_string(),
        }),
    ))
}

/// Check if any system admin users exist
async fn check_has_admin<C: AuthCallback, E: EmailService>(
    state: &Arc<AppState<C, E>>,
) -> Result<bool, AppError> {
    // Check for any user with is_system_admin = true
    let admin_count = state.user_repo.count_system_admins().await?;
    Ok(admin_count > 0)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_setup_status_serialization() {
        let status = SetupStatusResponse {
            needs_setup: true,
            has_admin: false,
            server_version: "1.0.0".to_string(),
        };
        let json = serde_json::to_string(&status).unwrap();
        assert!(json.contains("needsSetup"));
        assert!(json.contains("hasAdmin"));
    }

    #[test]
    fn test_create_admin_request_deserialization() {
        let json = r#"{"email":"admin@example.com","password":"secret123","name":"Admin"}"#;
        let req: CreateFirstAdminRequest = serde_json::from_str(json).unwrap();
        assert_eq!(req.email, "admin@example.com");
        assert_eq!(req.password, "secret123");
        assert_eq!(req.name, Some("Admin".to_string()));
    }
}