ips/pkg6depotd/src/http/admin.rs

use axum::{
    extract::State,
    http::{HeaderMap, StatusCode},
    response::{IntoResponse, Response},
    Json,
};
use serde::Serialize;
use std::sync::Arc;

use crate::repo::DepotRepo;

#[derive(Serialize)]
struct HealthResponse {
    status: &'static str,
}

pub async fn health(
    _state: State<Arc<DepotRepo>>,
) -> impl IntoResponse {
    // Basic liveness/readiness for now. Future: include repo checks.
    (StatusCode::OK, Json(HealthResponse { status: "ok" }))
}

#[derive(Serialize)]
struct AuthCheckResponse<'a> {
    authenticated: bool,
    token_present: bool,
    subject: Option<&'a str>,
    scopes: Vec<&'a str>,
    decision: &'static str,
}

/// Admin auth-check endpoint.
/// For now, this is a minimal placeholder that only checks for the presence of a Bearer token.
/// TODO: Validate JWT via OIDC JWKs using configured issuer/jwks_uri and required scopes.
pub async fn auth_check(
    _state: State<Arc<DepotRepo>>,
    headers: HeaderMap,
) -> Response {
    let auth = headers.get(axum::http::header::AUTHORIZATION).and_then(|v| v.to_str().ok());
    let (authenticated, token_present) = match auth {
        Some(h) if h.to_ascii_lowercase().starts_with("bearer ") => (true, true),
        Some(_) => (false, true),
        None => (false, false),
    };

    let resp = AuthCheckResponse {
        authenticated,
        token_present,
        subject: None,
        scopes: vec![],
        decision: if authenticated { "allow" } else { "deny" },
    };

    let status = if authenticated { StatusCode::OK } else { StatusCode::UNAUTHORIZED };
    (status, Json(resp)).into_response()
}
Add caching headers, admin routes, and configurable cache max-age support - Introduced caching headers (`Cache-Control`, `ETag`, `Last-Modified`) for file responses to improve client-side caching. - Added HTTP admin routes for health check and authentication validation. - Made `cache_max_age` configurable via server configuration with a default of 3600 seconds. - Enhanced file handler with metadata-based `Last-Modified` computation. - Updated integration tests to cover new functionality and ensure correctness. 2025-12-09 20:23:00 +01:00			`use axum::{`
			`extract::State,`
			`http::{HeaderMap, StatusCode},`
			`response::{IntoResponse, Response},`
			`Json,`
			`};`
			`use serde::Serialize;`
			`use std::sync::Arc;`

			`use crate::repo::DepotRepo;`

			`#[derive(Serialize)]`
			`struct HealthResponse {`
			`status: &'static str,`
			`}`

			`pub async fn health(`
			`_state: State<Arc<DepotRepo>>,`
			`) -> impl IntoResponse {`
			`// Basic liveness/readiness for now. Future: include repo checks.`
			`(StatusCode::OK, Json(HealthResponse { status: "ok" }))`
			`}`

			`#[derive(Serialize)]`
			`struct AuthCheckResponse<'a> {`
			`authenticated: bool,`
			`token_present: bool,`
			`subject: Option<&'a str>,`
			`scopes: Vec<&'a str>,`
			`decision: &'static str,`
			`}`

			`/// Admin auth-check endpoint.`
			`/// For now, this is a minimal placeholder that only checks for the presence of a Bearer token.`
			`/// TODO: Validate JWT via OIDC JWKs using configured issuer/jwks_uri and required scopes.`
			`pub async fn auth_check(`
			`_state: State<Arc<DepotRepo>>,`
			`headers: HeaderMap,`
			`) -> Response {`
			`let auth = headers.get(axum::http::header::AUTHORIZATION).and_then(\|v\| v.to_str().ok());`
			`let (authenticated, token_present) = match auth {`
			`Some(h) if h.to_ascii_lowercase().starts_with("bearer ") => (true, true),`
			`Some(_) => (false, true),`
			`None => (false, false),`
			`};`

			`let resp = AuthCheckResponse {`
			`authenticated,`
			`token_present,`
			`subject: None,`
			`scopes: vec![],`
			`decision: if authenticated { "allow" } else { "deny" },`
			`};`

			`let status = if authenticated { StatusCode::OK } else { StatusCode::UNAUTHORIZED };`
			`(status, Json(resp)).into_response()`
			`}`