Initial shared instances backend (#3800)

* Create base shared instance migration and initial routes * Fix build * Add version uploads * Add permissions field for shared instance users * Actually use permissions field * Add "public" flag to shared instances that allow GETing them without authorization * Add the ability to get and list shared instance versions * Add the ability to delete shared instance versions * Fix build after merge * Secured file hosting (#3784) * Remove Backblaze-specific file-hosting backend * Added S3_USES_PATH_STYLE_BUCKETS * Remove unused file_id parameter from delete_file_version * Add support for separate public and private buckets in labrinth::file_hosting * Rename delete_file_version to delete_file * Add (untested) get_url_for_private_file * Remove url field from shared instance routes * Remove url field from shared instance routes * Use private bucket for shared instance versions * Make S3 environment variables fully separate between public and private buckets * Change file host expiry for shared instances to 180 seconds * Fix lint * Merge shared instance migrations into a single migration * Replace shared instance owners with Ghost instead of deleting the instance
2025-06-19 14:46:12 -05:00
parent d4864deac5
commit cc34e69524
61 changed files with 2161 additions and 491 deletions
--- a/apps/labrinth/src/auth/validate.rs
+++ b/apps/labrinth/src/auth/validate.rs
@@ -10,6 +10,40 @@ use actix_web::HttpRequest;
 use actix_web::http::header::{AUTHORIZATION, HeaderValue};
 use chrono::Utc;

+pub async fn get_maybe_user_from_headers<'a, E>(
+    req: &HttpRequest,
+    executor: E,
+    redis: &RedisPool,
+    session_queue: &AuthQueue,
+    required_scopes: Scopes,
+) -> Result<Option<(Scopes, User)>, AuthenticationError>
+where
+    E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+{
+    if !req.headers().contains_key(AUTHORIZATION) {
+        return Ok(None);
+    }
+
+    // Fetch DB user record and minos user from headers
+    let Some((scopes, db_user)) = get_user_record_from_bearer_token(
+        req,
+        None,
+        executor,
+        redis,
+        session_queue,
+    )
+    .await?
+    else {
+        return Ok(None);
+    };
+
+    if !scopes.contains(required_scopes) {
+        return Ok(None);
+    }
+
+    Ok(Some((scopes, User::from_full(db_user))))
+}
+
 pub async fn get_user_from_headers<'a, E>(
    req: &HttpRequest,
    executor: E,