Commit Graph

12 Commits

Author SHA1 Message Date
bvandeusen 4845628ae4 feat(db/m7-user-mgmt): migration 0022 + audit helper
Schema for user management U1: display_name on users; user_invites;
registration_settings singleton (default 'invite_only'); audit_log.
Plus the internal/audit package centralizing the action-name
vocabulary and JSON metadata marshaling so handlers don't repeat
boilerplate.

Race-safe first-admin uses a query-shape primitive
(CreateUserFirstAdminRace's WHERE NOT EXISTS subquery) rather than
a schema-level constraint. Concurrent empty-state registrations
both see 'no users yet' and both insert as admin — fine, having
two admins from the start is benign; what matters is at-least-one.
users.username uniqueness arbitrates if the two callers picked the
same username.

CreateUser signature gains display_name (nullable); existing
bootstrap call sites pass nil. The audit package declares the full
U1+U2+U3 action vocabulary upfront so subsequent slices are purely
additive on the caller side.

Tests cover audit Write with + without metadata and that every
declared action constant persists correctly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-07 11:51:00 -04:00
bvandeusen d1c1853d49 fix(auth): silence revive unused-parameter on stub test handlers 2026-04-29 17:58:43 -04:00
bvandeusen 4492826354 feat(auth): add RequireAdmin middleware for /api/admin/* routes
Replaces the old X-API-Token-based RequireAdmin in middleware.go with a
context-aware RequireAdmin() that runs after RequireUser, checks
user.IsAdmin, and returns 403 {"error":"not_authorized"} for non-admins
or 500 {"error":"internal_error"} if RequireUser was bypassed. Updates
server.go to mount RequireUser then RequireAdmin on the /api/admin group.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-29 17:27:47 -04:00
bvandeusen 21310e7716 test: bootstrap test saves/restores non-test users
Companion to the dbtest.ResetDB change. The bootstrap integration
test fundamentally needs an empty users table — it exercises the
"first time admin is created" path, which Bootstrap() guards with
a count==0 check. So this test alone still has to TRUNCATE users.

To keep the operator's admin login intact on a shared dev DB:

- Before TRUNCATE, save every user that doesn't start with 'test-'.
- Use cfg.Username = 'test-admin' for the bootstrap call so the
  test row is itself test-prefixed and gets cleaned up by other
  tests' ResetDB calls.
- t.Cleanup restores the saved rows after assertions complete,
  so admin/admin (or whatever password the operator set) keeps
  working between test runs.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-29 12:04:16 -04:00
bvandeusen 2324c5d576 fix(auth): silence unused-parameter lint in RequireUser test
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 22:43:22 -04:00
bvandeusen 8537821d29 feat(api): POST /api/auth/logout
Deletes the session row keyed by the cookie/bearer token and
clears the cookie on the client. Best-effort DB delete — logout
still succeeds for the client if the row's already gone.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 22:07:16 -04:00
bvandeusen 8cdaf8f0f1 feat(auth): RequireUser middleware (cookie or bearer)
Resolves /api/* callers from session cookie first, Authorization
bearer second. Touches last_seen on success for future active-
sessions UI. Adds GetUserByID query used by the middleware.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 20:53:11 -04:00
bvandeusen ff4d443269 feat(auth): session token + password verification helpers
Shared primitives for /api/* auth: mint a url-safe opaque token,
hash it for storage, verify a bcrypt password hash.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-20 20:24:09 -04:00
bvandeusen 64582b21e3 fix(auth): set subsonic_password on admin bootstrap
Bootstrap was creating password_hash + api_token but leaving
subsonic_password nil, which meant Subsonic clients (Feishin, Symfonium)
got ErrTokenNotSupported on t+s auth — the server had no plaintext to
hash against. Mirror the bootstrap password into subsonic_password so
the admin can sign in to Subsonic clients with the same credential
printed on first boot. Plaintext at rest is the cost of Subsonic's
legacy auth; matches Navidrome's posture.

Also folds in the local dev compose tweaks: dedicated bridge network
with postgres unpublished from the host, and a bind-mount aimed at the
operator's real library path.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-04-19 18:30:54 -04:00
bvandeusen 6e776810b2 M1/#293: RequireAdmin middleware + UserFromContext 2026-04-19 15:17:16 +00:00
bvandeusen 442668874d M1/#292: integration test for admin bootstrap (MINSTREL_TEST_DATABASE_URL-gated) 2026-04-19 02:32:58 +00:00
bvandeusen 33f6514696 M1/#292: auth.Bootstrap for empty-users-table first-run admin 2026-04-19 02:32:43 +00:00