mockforge-registry-server 0.3.124

Plugin registry server for MockForge
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132

//! Organization context middleware for multi-tenancy
//!
//! This middleware extracts organization context from requests and provides
//! it to handlers via extractors. Supports:
//! - X-Organization-Id header
//! - X-Organization-Slug header
//! - Default org from user's personal org

use axum::http::{HeaderMap, StatusCode};
use uuid::Uuid;

use crate::{models::Organization, AppState};

/// Verify user has access to organization
async fn verify_org_access(
    pool: &sqlx::PgPool,
    org_id: Uuid,
    user_id: Uuid,
) -> Result<(), StatusCode> {
    use crate::models::OrgMember;

    // Check if user is owner
    let org = Organization::find_by_id(pool, org_id)
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
        .ok_or(StatusCode::NOT_FOUND)?;

    if org.owner_id == user_id {
        return Ok(());
    }

    // Check if user is a member
    let member = OrgMember::find(pool, org_id, user_id)
        .await
        .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

    if member.is_some() {
        Ok(())
    } else {
        Err(StatusCode::FORBIDDEN)
    }
}

/// Organization context
#[derive(Debug, Clone)]
pub struct OrgContext {
    pub org_id: Uuid,
    pub org: Organization,
}

/// Helper function to resolve org context from State and AuthUser
/// Use this in handlers instead of the extractor if you need more control
///
/// Also checks request extensions for org_id set by API token auth
pub async fn resolve_org_context(
    state: &AppState,
    user_id: Uuid,
    headers: &HeaderMap,
    request_extensions: Option<&axum::http::Extensions>, // Optional extensions from request
) -> Result<OrgContext, StatusCode> {
    let pool = state.db.pool();

    // Check if org_id was set by API token auth (for faster lookup)
    let api_token_org_id = request_extensions.and_then(|ext| {
        // Try to get org_id from extensions
        ext.get::<String>()
            .and_then(|s| s.strip_prefix("org_id:").and_then(|rest| Uuid::parse_str(rest).ok()))
    });

    // Try to get org from API token first, then header, then default
    let org = if let Some(org_id) = api_token_org_id {
        // Use org_id from API token (fastest path)
        // Try cache first
        let org = Organization::find_by_id(pool, org_id)
            .await
            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
            .ok_or(StatusCode::NOT_FOUND)?;

        // Verify user has access (already verified by API token, but double-check)
        verify_org_access(pool, org_id, user_id)
            .await
            .map_err(|_| StatusCode::FORBIDDEN)?;

        org
    } else if let Some(org_id_header) = headers.get("X-Organization-Id") {
        // Resolve by ID
        let org_id_str = org_id_header.to_str().map_err(|_| StatusCode::BAD_REQUEST)?;
        let org_id = Uuid::parse_str(org_id_str).map_err(|_| StatusCode::BAD_REQUEST)?;

        // Try cache first
        let org = Organization::find_by_id(pool, org_id)
            .await
            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
            .ok_or(StatusCode::NOT_FOUND)?;

        // Verify user has access to this org
        verify_org_access(pool, org_id, user_id)
            .await
            .map_err(|_| StatusCode::FORBIDDEN)?;

        org
    } else if let Some(org_slug_header) = headers.get("X-Organization-Slug") {
        // Resolve by slug
        let slug = org_slug_header.to_str().map_err(|_| StatusCode::BAD_REQUEST)?;

        let org = Organization::find_by_slug(pool, slug)
            .await
            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?
            .ok_or(StatusCode::NOT_FOUND)?;

        // Verify user has access to this org
        verify_org_access(pool, org.id, user_id)
            .await
            .map_err(|_| StatusCode::FORBIDDEN)?;

        org
    } else {
        // Get user's default/personal org
        // For now, get the first org where user is owner
        // In the future, we might store a "default_org_id" on users
        let orgs = Organization::find_by_user(pool, user_id)
            .await
            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;

        orgs.into_iter().find(|o| o.owner_id == user_id).ok_or(StatusCode::NOT_FOUND)?
    };

    Ok(OrgContext {
        org_id: org.id,
        org,
    })
}