feat(auth): login, roles, user mgmt, setup wizard, and session guard

- New skald-setup crate: interactive first-run wizard that creates the
  admin user, prompts for encryption choice and password
- Auth system: session-based login/logout with cookie, guard middleware
- Roles API: CRUD for data-driven roles, seeded on first boot
- Users management API: create, list, edit, delete users
- Setup state API: check if first admin has been created
- Frontend: login-page, setup-page, users-page, roles-page, profile-page
  components with corresponding CSS
- Topbar: avatar dropdown with profile link and logout
- Sidebar: nav entries for Users and Roles (admin only)
- Page shell CSS: layout support for the new pages
- build.sh: builds both skald and skald-setup binaries
- run.sh: runs skald-setup before the server loop
- CLAUDE.md: updated workspace layout and build/run docs
This commit is contained in:
2026-07-10 19:19:25 +01:00
parent 178a38357e
commit 7dd77d4ef4
36 changed files with 2660 additions and 27 deletions
+21
View File
@@ -0,0 +1,21 @@
[package]
name = "skald-setup"
version = "0.1.0"
edition = "2024"
# Guided first-run setup: a thin terminal shell over `skald-core`. Deliberately
# separate from the server binary so a richer installer (a GUI later) can be a
# third shell over the same `UserManager`, and so the server never links the
# TTY-prompt dependencies. It is a *frontend* on provisioning — all the real work
# (envelope, file+row ordering, rollback) lives in `UserManager::register_user`.
[[bin]]
name = "skald-setup"
path = "src/main.rs"
[dependencies]
skald-core = { path = "../skald-core" }
tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
anyhow = "1"
# Reads a password without echoing it to the terminal.
rpassword = "7"
+242
View File
@@ -0,0 +1,242 @@
//! `skald-setup` — guided first-run setup.
//!
//! A terminal shell over `skald-core`: it opens the system database, and if no
//! user exists yet, walks whoever is at the keyboard through creating the first
//! admin. The real provisioning — envelope encryption, writing the file before
//! the row, rolling back on failure — lives in [`UserManager::register_user`];
//! this file is only the conversation around it.
//!
//! Run automatically by `run.sh` before the server loop. It is safe to run by
//! hand at any time: every step checks whether it is already satisfied and skips
//! itself, so re-running never duplicates anything.
//!
//! ## When it prompts
//!
//! Only when there is a real person to answer: no users yet **and** stdin is a
//! terminal. Headless (systemd, a container, CI) it prints one line and exits 0
//! so the server still starts — necessary while nothing consumes `users` yet and
//! the server runs fine with none. `SKALD_SKIP_SETUP=1` forces that path even on
//! a terminal.
//!
//! `--check` reports readiness without prompting: exit 0 if an admin exists,
//! exit 1 if setup is still needed. Anything else is a real error (exit 2).
use std::io::{self, IsTerminal, Write};
use anyhow::{Context, Result};
use skald_core::db::{self, SYSTEM_DB_PATH};
use skald_core::users::UserManager;
/// The role id given to the first user. There is no `roles` table yet, and
/// `users.role_id` has no foreign key, so this is a plain string for now — the
/// seeded `admin` preset (blueprint §12) will adopt it later without a migration.
const ADMIN_ROLE: &str = "admin";
/// SQLCipher's per-user privacy is only as strong as the password's entropy
/// times the KDF cost (§5.1). The KDF is fixed; this is the floor we put under
/// the entropy. Not a substitute for a real strength meter — a deliberate,
/// visible minimum.
const MIN_PASSWORD_LEN: usize = 10;
fn main() -> std::process::ExitCode {
let mode = match parse_args() {
Ok(m) => m,
Err(msg) => {
eprintln!("{msg}");
return std::process::ExitCode::from(2);
}
};
let rt = match tokio::runtime::Runtime::new() {
Ok(rt) => rt,
Err(e) => {
eprintln!("skald-setup: failed to start async runtime: {e}");
return std::process::ExitCode::from(2);
}
};
match rt.block_on(run(mode)) {
Ok(code) => code,
Err(e) => {
eprintln!("skald-setup: {e:#}");
std::process::ExitCode::from(2)
}
}
}
enum Mode {
/// Prompt if needed, otherwise a no-op.
Run,
/// Report readiness via exit code, never prompt.
Check,
}
fn parse_args() -> Result<Mode, String> {
let mut args = std::env::args().skip(1);
match args.next().as_deref() {
None => Ok(Mode::Run),
Some("--check") => Ok(Mode::Check),
Some("--help" | "-h") => Err(usage()),
Some(other) => Err(format!("skald-setup: unknown argument {other:?}\n\n{}", usage())),
}
}
fn usage() -> String {
"skald-setup — guided first-run setup\n\n\
usage:\n \
skald-setup create the first admin if none exists (interactive)\n \
skald-setup --check exit 0 if setup is done, 1 if still needed\n\n\
environment:\n \
SKALD_SKIP_SETUP=1 never prompt, even on a terminal"
.to_string()
}
async fn run(mode: Mode) -> Result<std::process::ExitCode> {
// Opening the pool creates `database/system.db` and its schema if absent —
// the same call the server makes, so setup and server agree on the layout.
let pool = db::init_system_pool(SYSTEM_DB_PATH)
.await
.context("opening the system database")?;
let users = UserManager::new(std::sync::Arc::new(pool));
let has_admin = users.count().await.context("counting users")? > 0;
if let Mode::Check = mode {
return Ok(if has_admin {
std::process::ExitCode::SUCCESS
} else {
std::process::ExitCode::FAILURE
});
}
// ── Steps ──────────────────────────────────────────────────────────────
// Each is idempotent: it decides for itself whether there is work to do.
// Today there is one. Provider and model setup will be added here as further
// steps, in order, each skipping itself when already configured.
step_first_user(&users, has_admin).await?;
Ok(std::process::ExitCode::SUCCESS)
}
/// Create the first admin, or do nothing if one already exists.
async fn step_first_user(users: &UserManager, has_admin: bool) -> Result<()> {
if has_admin {
// Idempotent re-run, or a second binary got there first.
return Ok(());
}
// No one to answer ⇒ don't block the server. It runs fine with no users
// today, so a missing admin is a note, not a failure.
if std::env::var_os("SKALD_SKIP_SETUP").is_some() || !io::stdin().is_terminal() {
eprintln!(
"skald-setup: no users configured. Run `./bin/skald-setup` from a terminal \
to create the first admin."
);
return Ok(());
}
println!("\nWelcome to Skald. Let's create the first user (the admin).\n");
let username = prompt_username()?;
let display_name = prompt_line("Display name (optional): ")?;
let display_name = display_name.trim();
let display_name = (!display_name.is_empty()).then_some(display_name);
let encrypt = prompt_encrypt()?;
let password = prompt_new_password()?;
let id = users
.register_user(&username, display_name, ADMIN_ROLE, Some(&password), encrypt)
.await
.context("creating the admin user")?;
println!("\n✓ Admin user '{username}' created (id {id}).");
if encrypt {
println!(" Their private database is encrypted. There is no recovery if the password is lost.");
}
println!();
Ok(())
}
// ── Prompts ────────────────────────────────────────────────────────────────
fn prompt_username() -> Result<String> {
loop {
let name = prompt_line("Username: ")?;
let name = name.trim();
if name.is_empty() {
println!(" A username is required.");
continue;
}
// The username is a login handle; keep it to something a person types.
if name.contains(char::is_whitespace) {
println!(" No spaces in a username.");
continue;
}
return Ok(name.to_string());
}
}
/// Default yes, with the honest caveat shown before the choice. For the admin —
/// who owns the box — encryption guards against a stolen machine, not against
/// the other users (§2/§4); and it has no recovery. The prompt says so.
fn prompt_encrypt() -> Result<bool> {
println!("Encrypt this user's private conversations at rest?");
println!(" • Only this user, unlocked with their password, can read them.");
println!(" • There is NO recovery: if the password is lost, the data is gone.");
loop {
let ans = prompt_line("Encrypt? [Y/n]: ")?;
match ans.trim().to_lowercase().as_str() {
"" | "y" | "yes" => return Ok(true),
"n" | "no" => return Ok(false),
_ => println!(" Please answer y or n."),
}
}
}
/// Reads a password twice, without echo, and holds it to a visible floor.
fn prompt_new_password() -> Result<String> {
loop {
let pw = rpassword::prompt_password("Password: ").context("reading password")?;
if let Some(reason) = weak_password(&pw) {
println!(" {reason}");
continue;
}
let again = rpassword::prompt_password("Confirm password: ").context("reading password")?;
if pw != again {
println!(" The passwords did not match — try again.");
continue;
}
return Ok(pw);
}
}
/// A blunt weak-password check: a length floor plus the handful of passwords an
/// attacker guesses first. Not a strength meter — enough to stop the obviously
/// hopeless choice on an account whose password *is* the encryption key.
fn weak_password(pw: &str) -> Option<String> {
if pw.chars().count() < MIN_PASSWORD_LEN {
return Some(format!("Too short — use at least {MIN_PASSWORD_LEN} characters."));
}
const COMMON: &[&str] = &[
"password", "password1", "1234567890", "12345678", "qwertyuiop",
"letmein", "iloveyou", "admin", "welcome", "changeme", "skald",
];
if COMMON.contains(&pw.to_lowercase().as_str()) {
return Some("That is one of the most common passwords — choose another.".to_string());
}
None
}
fn prompt_line(label: &str) -> Result<String> {
print!("{label}");
io::stdout().flush().ok();
let mut line = String::new();
let n = io::stdin().read_line(&mut line).context("reading input")?;
if n == 0 {
// EOF on a terminal (Ctrl-D): the person is declining. Stop the whole
// supervisor rather than looping on empty input.
anyhow::bail!("setup cancelled");
}
Ok(line)
}