diff --git a/crates/server/src/auth_middleware.rs b/crates/server/src/auth_middleware.rs index ede3b05..280e06c 100644 --- a/crates/server/src/auth_middleware.rs +++ b/crates/server/src/auth_middleware.rs 
@@ -73,43 +73,45 @@ pub async fn require_api_key( { // Try user session first (new fc_user_session cookie) if let Some(session_id) = parse_cookie(cookie_header, "fc_user_session") - && let Some(session) = state.sessions.get(&session_id) { - // Check session expiry (24 hours) - if session.created_at.elapsed() - < std::time::Duration::from_secs(24 * 60 * 60) - { - // Insert both user and session data - if let Some(ref user) = session.user { - request.extensions_mut().insert(user.clone()); - } - if let Some(ref api_key) = session.api_key { - request.extensions_mut().insert(api_key.clone()); - } - return Ok(next.run(request).await); - } else { - // Expired, remove it - drop(session); - state.sessions.remove(&session_id); + && let Some(session) = state.sessions.get(&session_id) + { + // Check session expiry (24 hours) + if session.created_at.elapsed() + < std::time::Duration::from_secs(24 * 60 * 60) + { + // Insert both user and session data + if let Some(ref user) = session.user { + request.extensions_mut().insert(user.clone()); } + if let Some(ref api_key) = session.api_key { + request.extensions_mut().insert(api_key.clone()); + } + return Ok(next.run(request).await); + } else { + // Expired, remove it + drop(session); + state.sessions.remove(&session_id); } + } // Try legacy API key session (fc_session cookie) if let Some(session_id) = parse_cookie(cookie_header, "fc_session") - && let Some(session) = state.sessions.get(&session_id) { - // Check session expiry (24 hours) - if session.created_at.elapsed() - < std::time::Duration::from_secs(24 * 60 * 60) - { - if let Some(ref api_key) = session.api_key { - request.extensions_mut().insert(api_key.clone()); - } - return Ok(next.run(request).await); - } else { - // Expired, remove it - drop(session); - state.sessions.remove(&session_id); + && let Some(session) = state.sessions.get(&session_id) + { + // Check session expiry (24 hours) + if session.created_at.elapsed() + < std::time::Duration::from_secs(24 * 60 * 60) + { + 
if let Some(ref api_key) = session.api_key { + request.extensions_mut().insert(api_key.clone()); } + return Ok(next.run(request).await); + } else { + // Expired, remove it + drop(session); + state.sessions.remove(&session_id); } + } } // No valid auth found @@ -133,18 +135,19 @@ impl FromRequestParts for RequireAdmin { ) -> Result { // Check for user first (new auth) if let Some(user) = parts.extensions.get::() - && user.role == "admin" { - // Create a synthetic API key for compatibility - return Ok(RequireAdmin(ApiKey { - id: user.id, - name: user.username.clone(), - key_hash: String::new(), - role: user.role.clone(), - created_at: user.created_at, - last_used_at: user.last_login_at, - user_id: Some(user.id), - })); - } + && user.role == "admin" + { + // Create a synthetic API key for compatibility + return Ok(RequireAdmin(ApiKey { + id: user.id, + name: user.username.clone(), + key_hash: String::new(), + role: user.role.clone(), + created_at: user.created_at, + last_used_at: user.last_login_at, + user_id: Some(user.id), + })); + } // Fall back to API key let key = parts @@ -173,17 +176,18 @@ impl RequireRoles { ) -> Result { // Check for user first if let Some(user) = extensions.get::() - && (user.role == "admin" || allowed.contains(&user.role.as_str())) { - return Ok(ApiKey { - id: user.id, - name: user.username.clone(), - key_hash: String::new(), - role: user.role.clone(), - created_at: user.created_at, - last_used_at: user.last_login_at, - user_id: Some(user.id), - }); - } + && (user.role == "admin" || allowed.contains(&user.role.as_str())) + { + return Ok(ApiKey { + id: user.id, + name: user.username.clone(), + key_hash: String::new(), + role: user.role.clone(), + created_at: user.created_at, + last_used_at: user.last_login_at, + user_id: Some(user.id), + }); + } // Fall back to API key let key = extensions 
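Review bot: In require_api_key both session branches return `Ok(next.run(request).await)` as soon as an unexpired session is found, even when `session.user` and `session.api_key` are both `None`, so a request can pass a middleware named "require" with no identity in its extensions and the rejection is deferred to whichever downstream extractor happens to look. If the store can hold such entries (session creation is not visible here), guard the early return with `if session.user.is_some() || session.api_key.is_some()` so an identity-less session falls through to the no-auth path instead of being accepted. The lifetime `Duration::from_secs(24 * 60 * 60)` is also spelled out separately in each branch; a module-level `const SESSION_TTL: Duration` would keep the two cookie paths from drifting. The function's signature lies before the hunk and its no-auth tail continues after it.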
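Review bot: The synthetic `ApiKey { id: user.id, name: user.username.clone(), key_hash: String::new(), ... }` built in RequireRoles is a verbatim copy of the one in RequireAdmin's `from_request_parts` in the previous hunk; a single `impl From<&User> for ApiKey` (or `fn synthetic_api_key(user: &User) -> ApiKey`) would keep the two in step and give one place to document that `key_hash` is deliberately empty for session-backed users. That comment matters because any consumer that interprets an empty `key_hash` differently from a stored one would otherwise diverge silently between the two extractors. The check `user.role == "admin" || allowed.contains(&user.role.as_str())` is stringly typed; a `Role` enum is beyond this reformat but deserves a `// TODO` so the admin short-circuit is not lost when roles change. The enclosing method starts before and continues past the hunk.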
@@ -217,38 +221,40 @@ pub async fn extract_session( if let Some(cookie_header) = cookie_header { // Try user session first if let Some(session_id) = parse_cookie(&cookie_header, "fc_user_session") - && let Some(session) = state.sessions.get(&session_id) { - // Check session expiry - if session.created_at.elapsed() - < std::time::Duration::from_secs(24 * 60 * 60) - { - if let Some(ref user) = session.user { - request.extensions_mut().insert(user.clone()); - } - if let Some(ref api_key) = session.api_key { - request.extensions_mut().insert(api_key.clone()); - } - } else { - drop(session); - state.sessions.remove(&session_id); + && let Some(session) = state.sessions.get(&session_id) + { + // Check session expiry + if session.created_at.elapsed() + < std::time::Duration::from_secs(24 * 60 * 60) + { + if let Some(ref user) = session.user { + request.extensions_mut().insert(user.clone()); } + if let Some(ref api_key) = session.api_key { + request.extensions_mut().insert(api_key.clone()); + } + } else { + drop(session); + state.sessions.remove(&session_id); } + } // Try legacy API key session if let Some(session_id) = parse_cookie(&cookie_header, "fc_session") - && let Some(session) = state.sessions.get(&session_id) { - // Check session expiry - if session.created_at.elapsed() - < std::time::Duration::from_secs(24 * 60 * 60) - { - if let Some(ref api_key) = session.api_key { - request.extensions_mut().insert(api_key.clone()); - } - } else { - drop(session); - state.sessions.remove(&session_id); + && let Some(session) = state.sessions.get(&session_id) + { + // Check session expiry + if session.created_at.elapsed() + < std::time::Duration::from_secs(24 * 60 * 60) + { + if let Some(ref api_key) = session.api_key { + request.extensions_mut().insert(api_key.clone()); } + } else { + drop(session); + state.sessions.remove(&session_id); } + } } next.run(request).await 
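Review bot: In extract_session both cookie branches run unconditionally, so a request carrying both `fc_user_session` and `fc_session` gets the `User` from the first session and then has its `ApiKey` extension overwritten by the second session's `api_key` (`Extensions::insert` replaces an existing value of the same type), which can pair a user identity and an API key that belong to different sessions. require_api_key in the hunk above returns after the first match, but nothing here stops the legacy lookup; adding `return next.run(request).await;` at the end of the unexpired `fc_user_session` branch, or guarding the legacy lookup with `if request.extensions().get::<User>().is_none()`, would make the two middlewares consistent. Whether a browser actually ends up holding both cookies depends on the login and logout flow, which is not visible in this diff. The function's signature and the `cookie_header` binding lie before the hunk.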
diff --git a/crates/server/src/routes/dashboard.rs b/crates/server/src/routes/dashboard.rs index 3d56b55..63817c2 100644 --- a/crates/server/src/routes/dashboard.rs +++ b/crates/server/src/routes/dashboard.rs @@ -435,7 +435,7 @@ async fn projects_page( Query(params): Query, extensions: Extensions, ) -> Html { - let limit = params.limit.unwrap_or(50).min(200).max(1); + let limit = params.limit.unwrap_or(50).clamp(1, 200); let offset = params.offset.unwrap_or(0).max(0); let items = fc_common::repo::projects::list(&state.pool, limit, offset) .await @@ -602,7 +602,7 @@ async fn evaluations_page( State(state): State, Query(params): Query, ) -> Html { - let limit = params.limit.unwrap_or(50).min(200).max(1); + let limit = params.limit.unwrap_or(50).clamp(1, 200); let offset = params.offset.unwrap_or(0).max(0); let items = fc_common::repo::evaluations::list_filtered( &state.pool, @@ -760,7 +760,7 @@ async fn builds_page( State(state): State, Query(params): Query, ) -> Html { - let limit = params.limit.unwrap_or(50).min(200).max(1); + let limit = params.limit.unwrap_or(50).clamp(1, 200); let offset = params.offset.unwrap_or(0).max(0); let items = fc_common::repo::builds::list_filtered( &state.pool, diff --git a/crates/server/src/routes/users.rs b/crates/server/src/routes/users.rs index db00365..9ff3cc8 100644 --- a/crates/server/src/routes/users.rs +++ b/crates/server/src/routes/users.rs @@ -8,13 +8,7 @@ use axum::{ routing::get, }; use fc_common::{ - models::{ - CreateStarredJob, - CreateUser, - PaginationParams, - UpdateUser, - User, - }, + models::{CreateStarredJob, CreateUser, PaginationParams, UpdateUser, User}, repo::{self}, }; use serde::{Deserialize, Serialize};