ironflow_api/routes/users/
list.rs1use axum::extract::{Query, State};
4use axum::response::IntoResponse;
5use serde::Deserialize;
6
7use ironflow_auth::extractor::Authenticated;
8
9use crate::entities::UserResponse;
10use crate::error::ApiError;
11use crate::response::ok_paged;
12use crate::state::AppState;
13
14#[cfg_attr(feature = "openapi", derive(utoipa::IntoParams, utoipa::ToSchema))]
16#[derive(Debug, Deserialize)]
17pub struct ListUsersQuery {
18 pub page: Option<u32>,
20 pub per_page: Option<u32>,
22}
23
24#[cfg_attr(
30 feature = "openapi",
31 utoipa::path(
32 get,
33 path = "/api/v1/users",
34 tags = ["users"],
35 params(ListUsersQuery),
36 responses(
37 (status = 200, description = "Paginated list of users", body = Vec<UserResponse>),
38 (status = 401, description = "Unauthorized"),
39 (status = 403, description = "Forbidden (not an admin)")
40 ),
41 security(("Bearer" = []))
42 )
43)]
44pub async fn list_users(
45 auth: Authenticated,
46 State(state): State<AppState>,
47 Query(query): Query<ListUsersQuery>,
48) -> Result<impl IntoResponse, ApiError> {
49 if !auth.is_admin() {
50 return Err(ApiError::Forbidden);
51 }
52
53 let page = query.page.unwrap_or(1).max(1);
54 let per_page = query.per_page.unwrap_or(20).clamp(1, 100);
55
56 let result = state.user_store.list_users(page, per_page).await?;
57
58 let items: Vec<UserResponse> = result.items.into_iter().map(UserResponse::from).collect();
59
60 Ok(ok_paged(items, page, per_page, result.total))
61}
62
63#[cfg(test)]
64mod tests {
65 use axum::Router;
66 use axum::body::Body;
67 use axum::http::{Request, StatusCode};
68 use axum::routing::get;
69 use http_body_util::BodyExt;
70 use ironflow_auth::jwt::{AccessToken, JwtConfig};
71 use ironflow_core::providers::claude::ClaudeCodeProvider;
72 use ironflow_engine::context::WorkflowContext;
73 use ironflow_engine::engine::Engine;
74 use ironflow_engine::handler::{HandlerFuture, WorkflowHandler};
75 use ironflow_engine::notify::Event;
76 use ironflow_store::api_key_store::ApiKeyStore;
77 use ironflow_store::entities::NewUser;
78 use ironflow_store::memory::InMemoryStore;
79 use ironflow_store::user_store::UserStore;
80 use serde_json::Value as JsonValue;
81 use std::sync::Arc;
82 use tokio::sync::broadcast;
83 use tower::ServiceExt;
84 use uuid::Uuid;
85
86 use super::*;
87
88 struct TestWorkflow;
89
90 impl WorkflowHandler for TestWorkflow {
91 fn name(&self) -> &str {
92 "test-workflow"
93 }
94
95 fn execute<'a>(&'a self, _ctx: &'a mut WorkflowContext) -> HandlerFuture<'a> {
96 Box::pin(async move { Ok(()) })
97 }
98 }
99
100 fn test_jwt_config() -> Arc<JwtConfig> {
101 Arc::new(JwtConfig {
102 secret: "test-secret-for-user-tests".to_string(),
103 access_token_ttl_secs: 900,
104 refresh_token_ttl_secs: 604800,
105 cookie_domain: None,
106 cookie_secure: false,
107 })
108 }
109
110 fn test_state() -> AppState {
111 let store = Arc::new(InMemoryStore::new());
112 let user_store: Arc<dyn UserStore> = Arc::new(InMemoryStore::new());
113 let api_key_store: Arc<dyn ApiKeyStore> = Arc::new(InMemoryStore::new());
114 let provider = Arc::new(ClaudeCodeProvider::new());
115 let mut engine = Engine::new(store.clone(), provider);
116 engine
117 .register(TestWorkflow)
118 .expect("failed to register test workflow");
119 let (event_sender, _) = broadcast::channel::<Event>(1);
120 AppState::new(
121 store,
122 user_store,
123 api_key_store,
124 Arc::new(engine),
125 test_jwt_config(),
126 "test-worker-token".to_string(),
127 event_sender,
128 )
129 }
130
131 fn make_auth_header(user_id: Uuid, is_admin: bool, state: &AppState) -> String {
132 let token =
133 AccessToken::for_user(user_id, "testuser", is_admin, &state.jwt_config).unwrap();
134 format!("Bearer {}", token.0)
135 }
136
137 #[tokio::test]
138 async fn list_users_as_admin() {
139 let state = test_state();
140 let admin = state
141 .user_store
142 .create_user(NewUser {
143 email: "admin@example.com".to_string(),
144 username: "admin".to_string(),
145 password_hash: "hash".to_string(),
146 is_admin: None,
147 })
148 .await
149 .unwrap();
150
151 let auth_header = make_auth_header(admin.id, true, &state);
152 let app = Router::new().route("/", get(list_users)).with_state(state);
153
154 let req = Request::builder()
155 .uri("/?page=1&per_page=20")
156 .header("authorization", auth_header)
157 .body(Body::empty())
158 .unwrap();
159
160 let resp = app.oneshot(req).await.unwrap();
161 assert_eq!(resp.status(), StatusCode::OK);
162
163 let body = resp.into_body().collect().await.unwrap().to_bytes();
164 let json: JsonValue = serde_json::from_slice(&body).unwrap();
165 assert_eq!(json["data"].as_array().unwrap().len(), 1);
166 assert_eq!(json["meta"]["total"], 1);
167 }
168
169 #[tokio::test]
170 async fn list_users_as_member_forbidden() {
171 let state = test_state();
172 let member = state
173 .user_store
174 .create_user(NewUser {
175 email: "member@example.com".to_string(),
176 username: "member".to_string(),
177 password_hash: "hash".to_string(),
178 is_admin: Some(false),
179 })
180 .await
181 .unwrap();
182
183 let auth_header = make_auth_header(member.id, false, &state);
184 let app = Router::new().route("/", get(list_users)).with_state(state);
185
186 let req = Request::builder()
187 .uri("/?page=1&per_page=20")
188 .header("authorization", auth_header)
189 .body(Body::empty())
190 .unwrap();
191
192 let resp = app.oneshot(req).await.unwrap();
193 assert_eq!(resp.status(), StatusCode::FORBIDDEN);
194 }
195}