Initial shared instances backend (#3800)

* Create base shared instance migration and initial routes

* Fix build

* Add version uploads

* Add permissions field for shared instance users

* Actually use permissions field

* Add "public" flag to shared instances that allow GETing them without authorization

* Add the ability to get and list shared instance versions

* Add the ability to delete shared instance versions

* Fix build after merge

* Secured file hosting (#3784)

* Remove Backblaze-specific file-hosting backend

* Added S3_USES_PATH_STYLE_BUCKETS

* Remove unused file_id parameter from delete_file_version

* Add support for separate public and private buckets in labrinth::file_hosting

* Rename delete_file_version to delete_file

* Add (untested) get_url_for_private_file

* Remove url field from shared instance routes

* Remove url field from shared instance routes

* Use private bucket for shared instance versions

* Make S3 environment variables fully separate between public and private buckets

* Change file host expiry for shared instances to 180 seconds

* Fix lint

* Merge shared instance migrations into a single migration

* Replace shared instance owners with Ghost instead of deleting the instance

apps/labrinth/src/auth/oauth/errors.rs

@@ -9,7 +9,7 @@ use ariadne::ids::DecodingError;
 #[error("{}", .error_type)]
 pub struct OAuthError {
     #[source]
-    pub error_type: OAuthErrorType,
+    pub error_type: Box<OAuthErrorType>,
 
     pub state: Option<String>,
     pub valid_redirect_uri: Option<ValidatedRedirectUri>,
@@ -32,7 +32,7 @@ impl OAuthError {
     /// See: IETF RFC 6749 4.1.2.1 (https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1)
     pub fn error(error_type: impl Into<OAuthErrorType>) -> Self {
         Self {
-            error_type: error_type.into(),
+            error_type: Box::new(error_type.into()),
             valid_redirect_uri: None,
             state: None,
         }
@@ -48,7 +48,7 @@ impl OAuthError {
         valid_redirect_uri: &ValidatedRedirectUri,
     ) -> Self {
         Self {
-            error_type: err.into(),
+            error_type: Box::new(err.into()),
             state: state.clone(),
             valid_redirect_uri: Some(valid_redirect_uri.clone()),
         }
@@ -57,7 +57,7 @@ impl OAuthError {
 
 impl actix_web::ResponseError for OAuthError {
     fn status_code(&self) -> StatusCode {
-        match self.error_type {
+        match *self.error_type {
             OAuthErrorType::AuthenticationError(_)
             | OAuthErrorType::FailedScopeParse(_)
             | OAuthErrorType::ScopesTooBroad

apps/labrinth/src/auth/oauth/uris.rs

@@ -101,7 +101,7 @@ mod tests {
         );
 
         assert!(validated.is_err_and(|e| matches!(
-            e.error_type,
+            *e.error_type,
             OAuthErrorType::RedirectUriNotConfigured(_)
         )));
     }

apps/labrinth/src/auth/validate.rs

@@ -10,6 +10,40 @@ use actix_web::HttpRequest;
 use actix_web::http::header::{AUTHORIZATION, HeaderValue};
 use chrono::Utc;
 
+pub async fn get_maybe_user_from_headers<'a, E>(
+    req: &HttpRequest,
+    executor: E,
+    redis: &RedisPool,
+    session_queue: &AuthQueue,
+    required_scopes: Scopes,
+) -> Result<Option<(Scopes, User)>, AuthenticationError>
+where
+    E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+{
+    if !req.headers().contains_key(AUTHORIZATION) {
+        return Ok(None);
+    }
+
+    // Fetch DB user record and minos user from headers
+    let Some((scopes, db_user)) = get_user_record_from_bearer_token(
+        req,
+        None,
+        executor,
+        redis,
+        session_queue,
+    )
+    .await?
+    else {
+        return Ok(None);
+    };
+
+    if !scopes.contains(required_scopes) {
+        return Ok(None);
+    }
+
+    Ok(Some((scopes, User::from_full(db_user))))
+}
+
 pub async fn get_user_from_headers<'a, E>(
     req: &HttpRequest,
     executor: E,