rustango 0.25.0

Django-shaped batteries-included web framework for Rust: ORM + migrations + auto-admin + multi-tenancy + audit log + auth (sessions, JWT, OAuth2/OIDC, HMAC) + APIs (ViewSet, OpenAPI auto-derive, JSON:API) + jobs (in-mem + Postgres) + email + media (S3 / R2 / B2 / MinIO + presigned uploads + collections + tags) + production middleware (CSRF, CSP, rate-limiting, compression, idempotency, etc.).
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364

//! 2-domain auth — registry-scoped [`Operator`] and per-tenant
//! [`User`].
//!
//! ## Hard wall
//!
//! These are **two distinct identity domains** with no crossover:
//!
//! * `Operator` lives in `rustango_operators` in the **registry**
//!   database. They sign in at `/operator/*` against the registry
//!   pool. They NEVER appear in any tenant table.
//! * `User` lives in `rustango_users` inside the **tenant's**
//!   storage (schema or dedicated DB). They sign in at the tenant
//!   URL against the tenant pool. The `is_superuser` flag elevates
//!   them to org-admin INSIDE that tenant — but they NEVER reach
//!   `/operator` even with that flag.
//!
//! The hard wall is enforced by middleware: operator routes call
//! [`authenticate_operator`] against the registry; tenant routes
//! call [`authenticate_user`] against the resolved tenant's pool.
//! An operator's `Authorization: Basic …` header sent to a tenant
//! URL won't authenticate (the username doesn't exist in the
//! tenant's `rustango_users`); a user's header sent to `/operator`
//! won't authenticate (the username doesn't exist in the registry's
//! `rustango_operators`). Browser cookie isolation by subdomain
//! plus this hard wall gives defense in depth.
//!
//! ## Auth mechanism
//!
//! Slice 6 ships **HTTP Basic** auth backed by argon2id-hashed
//! passwords in the database. Sessions / cookies / login forms /
//! password reset / OAuth land in v0.6.x; the model + crypto
//! foundations stay the same.
//!
//! ## Bootstrap
//!
//! Use `cargo run -- create-operator <username> --password <p>` and
//! `cargo run -- create-user <slug> <username> --password <p>
//! [--superuser]` — see [`super::manage`]. (Replace `cargo run` with
//! your project's binary name if different; the verbs route through
//! `rustango::manage::Cli`.)

use base64::Engine;
use crate::core::Column as _;
use crate::sql::sqlx::{PgConnection, PgPool};
use crate::sql::{Auto, Fetcher};
use crate::Model;

use super::error::TenancyError;
use super::password;

/// Registry-scoped operator. Single identity domain for the main app
/// administrator(s); not visible to tenants.
#[derive(Model, Debug, Clone)]
#[rustango(table = "rustango_operators", display = "username", scope = "registry")]
#[allow(dead_code)]
pub struct Operator {
    #[rustango(primary_key)]
    pub id: rustango::sql::Auto<i64>,
    /// Login handle. Globally unique within the registry.
    #[rustango(max_length = 64, unique)]
    pub username: String,
    /// PHC-format Argon2id hash. NEVER stored as plaintext.
    #[rustango(max_length = 255)]
    pub password_hash: String,
    /// Soft-disable — `false` rejects login without dropping the row.
    pub active: bool,
    pub created_at: chrono::DateTime<chrono::Utc>,
}

/// Per-tenant user. Lives in the tenant's storage (schema or
/// dedicated DB). `is_superuser = true` elevates to org-admin inside
/// the tenant — never grants access to `/operator`.
#[derive(Model, Debug, Clone)]
#[rustango(
    table = "rustango_users",
    display = "username",
    admin(
        list_display    = "username, is_superuser, active, created_at",
        search_fields   = "username",
        ordering        = "username",
        readonly_fields = "password_hash, created_at",
    ),
)]
#[allow(dead_code)]
pub struct User {
    #[rustango(primary_key)]
    pub id: rustango::sql::Auto<i64>,
    /// Login handle. Unique within this tenant.
    #[rustango(max_length = 64, unique)]
    pub username: String,
    /// PHC-format Argon2id hash.
    #[rustango(max_length = 255)]
    pub password_hash: String,
    /// Org-admin within this tenant. Renders write-buttons, allows
    /// edit/delete; non-superusers see read-only views (admin
    /// authorization is the v0.6.x story; slice 6 stores the flag).
    pub is_superuser: bool,
    /// Soft-disable.
    pub active: bool,
    pub created_at: chrono::DateTime<chrono::Utc>,
    /// Flexible per-user metadata bag. Store preferences, onboarding
    /// state, app-specific attributes — anything that doesn't need its
    /// own column. Never read by the framework itself.
    #[rustango(default = "'{}'")]
    pub data: serde_json::Value,
}

/// Look up an operator by username and verify the password.
///
/// Returns `Ok(Some(operator))` on success, `Ok(None)` for an
/// unknown username OR a wrong password (one return path → no
/// timing oracle on whether the username exists). `Ok(None)` on an
/// inactive (`active = false`) operator.
///
/// # Errors
/// Returns [`TenancyError::Driver`]/[`TenancyError::Exec`] for SQL
/// failures, or [`TenancyError::Validation`] for malformed stored
/// hashes (corrupt row).
pub async fn authenticate_operator(
    registry: &PgPool,
    username: &str,
    password: &str,
) -> Result<Option<Operator>, TenancyError> {
    let rows: Vec<Operator> = Operator::objects()
        .where_(Operator::username.eq(username.to_owned()))
        .fetch(registry)
        .await?;
    let Some(op) = rows.into_iter().next() else {
        // Run a dummy verify against a known-good hash to keep
        // timing roughly even with the success path. Skipped here
        // for simplicity — the registry pool is presumed not to be
        // exposed to high-frequency probing in slice 6.
        return Ok(None);
    };
    if !op.active {
        return Ok(None);
    }
    if !password::verify(password, &op.password_hash)? {
        return Ok(None);
    }
    Ok(Some(op))
}

/// Look up a tenant user by username and verify the password.
///
/// `conn` must be already scoped to the tenant — typically obtained
/// via [`super::TenantPools::acquire`] (schema mode pre-sets
/// `search_path`; database mode is naturally scoped to the tenant
/// DB).
///
/// Same return semantics as [`authenticate_operator`]: `Ok(None)`
/// for unknown user, wrong password, or inactive row; `Ok(Some(_))`
/// only on a successful match.
///
/// # Errors
/// As [`authenticate_operator`].
pub async fn authenticate_user(
    conn: &mut PgConnection,
    username: &str,
    password: &str,
) -> Result<Option<User>, TenancyError> {
    use crate::sql::sqlx::Row;
    // We can't reuse `User::objects().fetch(&pool)` here because we
    // have a connection, not a pool. Hand-write the query — small
    // surface, not a hot path.
    let user_rows = rustango::sql::sqlx::query(
        "SELECT id, username, password_hash, is_superuser, active, created_at \
         FROM rustango_users WHERE username = $1",
    )
    .bind(username)
    .fetch_optional(&mut *conn)
    .await?;
    let Some(row) = user_rows else {
        return Ok(None);
    };
    let user = User {
        id: Auto::Set(row.try_get::<i64, _>("id")?),
        username: row.try_get::<String, _>("username")?,
        password_hash: row.try_get::<String, _>("password_hash")?,
        is_superuser: row.try_get::<bool, _>("is_superuser")?,
        active: row.try_get::<bool, _>("active")?,
        created_at: row.try_get::<chrono::DateTime<chrono::Utc>, _>("created_at")?,
        data: row.try_get::<serde_json::Value, _>("data").unwrap_or_else(|_| serde_json::json!({})),
    };
    if !user.active {
        return Ok(None);
    }
    if !password::verify(password, &user.password_hash)? {
        return Ok(None);
    }
    Ok(Some(user))
}

// ---------- Swappable user model ----------

/// Marker trait for the model backing `rustango_users` in a tenant's
/// storage. The framework's [`User`] implements it as the default.
///
/// Implement it on your own `#[derive(Model)]` struct when you want the
/// tenant `rustango_users` table to carry **extra columns** beyond the
/// framework's defaults (display name, timezone, avatar URL, …).
///
/// ## Contract
///
/// The implementing struct's [`crate::core::ModelSchema`] MUST:
/// * have `table = "rustango_users"`,
/// * include every column in [`REQUIRED_USER_COLUMNS`] with a compatible
///   Rust type (the framework's auth path reads these by name).
///
/// Extras must be NULL-able or carry a `default = "…"` so existing
/// tenants can run the bootstrap migration without per-row backfill.
///
/// Wire your model in via [`crate::manage::Cli::user_model`].
///
/// ```ignore
/// #[derive(rustango::Model)]
/// #[rustango(table = "rustango_users")]
/// pub struct AppUser {
///     #[rustango(primary_key)] pub id: rustango::sql::Auto<i64>,
///     #[rustango(max_length = 64, unique)] pub username: String,
///     #[rustango(max_length = 255)] pub password_hash: String,
///     pub is_superuser: bool,
///     pub active: bool,
///     pub created_at: chrono::DateTime<chrono::Utc>,
///     #[rustango(default = "'{}'")] pub data: serde_json::Value,
///     // extras —
///     #[rustango(max_length = 128, default = "''")] pub display_name: String,
///     #[rustango(max_length = 64, default = "'UTC'")] pub timezone: String,
/// }
/// impl rustango::tenancy::TenantUserModel for AppUser {}
/// ```
pub trait TenantUserModel: crate::core::Model {}

impl TenantUserModel for User {}

/// Column names the framework's auth/admin paths read directly from
/// `rustango_users`. A [`TenantUserModel`] schema must contain every
/// one of these.
pub const REQUIRED_USER_COLUMNS: &[&str] = &[
    "id",
    "username",
    "password_hash",
    "is_superuser",
    "active",
    "created_at",
    "data",
];

/// Validate that `schema` is a viable `rustango_users` model — same
/// table name and all [`REQUIRED_USER_COLUMNS`] present. Called by
/// the bootstrap-migration generators so a misconfigured override
/// fails fast with a clear message at `init-tenancy` time, not later
/// during a tenant create or login.
///
/// # Errors
/// Returns [`TenancyError::Validation`] when the table name is wrong
/// or a required column is missing.
pub fn validate_tenant_user_schema(
    schema: &crate::core::ModelSchema,
) -> Result<(), TenancyError> {
    if schema.table != "rustango_users" {
        return Err(TenancyError::Validation(format!(
            "TenantUserModel must point at table \"rustango_users\", got \"{}\"",
            schema.table
        )));
    }
    for required in REQUIRED_USER_COLUMNS {
        if !schema.fields.iter().any(|f| f.column == *required) {
            return Err(TenancyError::Validation(format!(
                "TenantUserModel \"{}\" is missing required column \"{}\"",
                schema.name, required
            )));
        }
    }
    Ok(())
}

// ---------- HTTP Basic helpers ----------

/// Parse an `Authorization: Basic <base64>` header value into
/// `(username, password)`. Returns `None` for missing or malformed
/// headers; the caller surfaces a 401 in that case.
#[must_use]
pub fn parse_basic_auth(header_value: Option<&str>) -> Option<(String, String)> {
    let raw = header_value?;
    let encoded = raw.strip_prefix("Basic ")?;
    let decoded = base64::engine::general_purpose::STANDARD
        .decode(encoded.trim())
        .ok()?;
    let s = String::from_utf8(decoded).ok()?;
    let (user, pass) = s.split_once(':')?;
    Some((user.to_owned(), pass.to_owned()))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn parse_basic_auth_decodes_standard_format() {
        // base64 of "alice:hunter2" → "YWxpY2U6aHVudGVyMg=="
        let v = "Basic YWxpY2U6aHVudGVyMg==";
        let (u, p) = parse_basic_auth(Some(v)).unwrap();
        assert_eq!(u, "alice");
        assert_eq!(p, "hunter2");
    }

    #[test]
    fn parse_basic_auth_rejects_non_basic_scheme() {
        assert!(parse_basic_auth(Some("Bearer tokenhere")).is_none());
        assert!(parse_basic_auth(Some("Digest qop=auth")).is_none());
    }

    #[test]
    fn parse_basic_auth_rejects_missing_colon() {
        // base64 of "no-colon-here"
        let v = "Basic bm8tY29sb24taGVyZQ==";
        assert!(parse_basic_auth(Some(v)).is_none());
    }

    #[test]
    fn parse_basic_auth_handles_none_header() {
        assert!(parse_basic_auth(None).is_none());
    }

    #[test]
    fn validate_accepts_default_user() {
        use crate::core::Model as _;
        validate_tenant_user_schema(&User::SCHEMA).unwrap();
    }

    #[test]
    fn validate_rejects_wrong_table() {
        use crate::core::Model as _;
        // Use Operator's schema — same shape-ish but wrong table name.
        let err = validate_tenant_user_schema(&Operator::SCHEMA).unwrap_err();
        let msg = format!("{err}");
        assert!(msg.contains("rustango_users"), "{msg}");
    }

    #[derive(crate::Model, Debug, Clone)]
    #[rustango(table = "rustango_users")]
    #[allow(dead_code)]
    pub struct MissingDataColumn {
        #[rustango(primary_key)]
        pub id: rustango::sql::Auto<i64>,
        #[rustango(max_length = 64, unique)]
        pub username: String,
        #[rustango(max_length = 255)]
        pub password_hash: String,
        pub is_superuser: bool,
        pub active: bool,
        pub created_at: chrono::DateTime<chrono::Utc>,
        // `data` deliberately omitted
    }

    #[test]
    fn validate_rejects_missing_required_column() {
        use crate::core::Model as _;
        let err = validate_tenant_user_schema(&MissingDataColumn::SCHEMA).unwrap_err();
        let msg = format!("{err}");
        assert!(msg.contains("data"), "{msg}");
    }
}