From 400b63462a52e55c603ac7c8a48b45932f32a23a Mon Sep 17 00:00:00 2001 From: Hector van der Aa Date: Sat, 6 Dec 2025 18:17:46 +0100 Subject: [PATCH] Fixed middleware signature and added /me endpoint --- src/backend/src/config.rs | 10 ++-------- src/backend/src/main.rs | 8 ++------ src/backend/src/router/middleware.rs | 15 ++++++++++++--- src/backend/src/router/mod.rs | 13 ++++++++----- src/backend/src/router/user_routes.rs | 13 +++++++++++-- 5 files changed, 35 insertions(+), 24 deletions(-) diff --git a/src/backend/src/config.rs b/src/backend/src/config.rs index b3ef83e..e6672a4 100644 --- a/src/backend/src/config.rs +++ b/src/backend/src/config.rs @@ -63,16 +63,10 @@ impl AppCfg { pub async fn route_allows( &self, - req: &Request, + method: &Method, + path: &str, user_perms: UserPermissions, ) -> Result { - let method = req.method(); - - let path = req - .extensions() - .get::() - .map(|p| p.as_str()) - .ok_or(StatusCode::INTERNAL_SERVER_ERROR)?; let req_perms = match self.get_route_perms(method, path) { Some(val) => val, None => return Ok(false), diff --git a/src/backend/src/main.rs b/src/backend/src/main.rs index ffb95c1..06c4b30 100644 --- a/src/backend/src/main.rs +++ b/src/backend/src/main.rs @@ -63,12 +63,8 @@ async fn main() -> Result<()> { route_perms: HashMap::new(), }; - config.insert_route_perms( - Method::GET, - "/api/users", - false, - vec![UserActions::ManageUsers], - ); + config.insert_route_perms(Method::GET, "/api/users", false, vec![]); + config.insert_route_perms(Method::GET, "/api/users/{uuid}", false, vec![]); config.insert_route_perms( Method::POST, "/api/users", diff --git a/src/backend/src/router/middleware.rs b/src/backend/src/router/middleware.rs index e29e280..12a6053 100644 --- a/src/backend/src/router/middleware.rs +++ b/src/backend/src/router/middleware.rs 
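Review bot: In src/backend/src/config.rs, the new `route_allows(method, path, user_perms)` signature has no doc comment saying what `path` must be, and the lookup is only meaningful when it is the matched route template. The visible `None => return Ok(false)` branch denies any pair that has no registered entry, so a caller that passes the raw request URI would presumably be refused on every parameterised route. I would add `/// path is the matched route template (e.g. "/api/users/{uuid}"), not the request URI; unregistered pairs return Ok(false).` above the function. The body continues outside the hunk, so whether the `Result` return still has a fallible step after the extension lookup was moved out cannot be confirmed from here.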
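Review bot: In src/backend/src/main.rs, the `GET /api/users` entry drops `UserActions::ManageUsers` and the new `GET /api/users/{uuid}` entry is registered with `vec![]`, which is an authorization change the commit subject does not mention. How an empty action list is evaluated is decided in `route_allows`, whose comparison is outside this page; if empty means that no action is required, every authenticated non-root user can now list and read user records. If that is intended, record it next to the calls with a comment such as `// readable by any authenticated user; no action required`, otherwise keep `vec![UserActions::ManageUsers]` on both entries. A test that requests both routes as a user without `ManageUsers` would pin the intended answer.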
@@ -3,7 +3,7 @@ use std::sync::Arc; use axum::{ Extension, - extract::{Request, State}, + extract::{MatchedPath, Request, State}, http::{self, Method, StatusCode, header::AUTHORIZATION}, middleware::Next, response::Response, @@ -109,7 +109,7 @@ pub fn cors() -> CorsLayer { pub async fn permissions( State(state): State>, Extension(user): Extension, - mut req: Request, + req: Request, next: Next, ) -> Result { let request_method = req.method().clone(); @@ -117,13 +117,22 @@ pub async fn permissions( debug!(method = ?request_method, path = request_path, "permissions request started"); debug!("Calling user {}", user.username.clone()); + if user.permissions.root { return Ok(next.run(req).await); } + let method = req.method(); + + let path = req + .extensions() + .get::() + .map(|p| p.as_str()) + .ok_or(StatusCode::INTERNAL_SERVER_ERROR)?; + match state .config - .route_allows(&req, user.permissions.clone()) + .route_allows(method, path, user.permissions.clone()) .await { Ok(true) => Ok(next.run(req).await), diff --git a/src/backend/src/router/mod.rs b/src/backend/src/router/mod.rs index 7a0436b..cf3ec62 100644 --- a/src/backend/src/router/mod.rs +++ b/src/backend/src/router/mod.rs @@ -25,11 +25,8 @@ macro_rules! middleware { (cors_auth_perms, $state:expr) => { ( crate::router::middleware::cors(), - axum::middleware::from_fn_with_state($state.clone(), crate::router::middleware::auth), - axum::middleware::from_fn_with_state( - $state.clone(), - crate::router::middleware::permissions, - ), + axum::middleware::from_fn_with_state($state, crate::router::middleware::auth), + axum::middleware::from_fn_with_state($state, crate::router::middleware::permissions), ) }; } 
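Review bot: In the last hunk of src/backend/src/router/middleware.rs, `let method = req.method();` repeats a value that `permissions` already holds as `request_method`, and the new `path` sits beside the logged `request_path` while meaning something different (the matched route template rather than whatever `request_path` was built from above the hunk). I would drop the extra binding, name the template distinctly, and call `.route_allows(&request_method, route_template, user.permissions.clone())`. A short comment on the `ok_or(StatusCode::INTERNAL_SERVER_ERROR)?` line, `// no MatchedPath means the layer ran outside a route; fail closed`, would record why a missing extension is an error and not an allow. The function starts in the previous hunk and its remaining match arms are outside this one.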
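Review bot: In src/backend/src/router/mod.rs, the `cors_auth_perms` arm now expands `$state` twice, so the caller's expression is evaluated once per layer. That is harmless when the argument is `app_state.clone()`, as at the `cors_auth` call sites visible elsewhere in this patch, but a call that passes an owned `Arc` would presumably fail to compile on the second use, and any argument with side effects would run twice. Binding the expression once inside the arm keeps the macro independent of how it is called. The other arms of `middleware!` are outside the hunk and may want the same treatment.

```rust
    (cors_auth_perms, $state:expr) => {{
        // Evaluate the caller's expression once and share it between both layers.
        let state = $state;
        (
            crate::router::middleware::cors(),
            axum::middleware::from_fn_with_state(state.clone(), crate::router::middleware::auth),
            axum::middleware::from_fn_with_state(state, crate::router::middleware::permissions),
        )
    }};
```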
@@ -65,6 +62,12 @@ pub async fn init_router(app_state: Arc) -> Router { post(user_routes::logout) .layer(middleware!(cors_auth, app_state.clone())) .with_state(app_state.clone()), + ) + .route( + "/api/me", + get(user_routes::me) + .layer(middleware!(cors_auth, app_state.clone())) + .with_state(app_state.clone()), ); info!("router initialization completed"); diff --git a/src/backend/src/router/user_routes.rs b/src/backend/src/router/user_routes.rs index 51de9e1..d7fa14f 100644 --- a/src/backend/src/router/user_routes.rs +++ b/src/backend/src/router/user_routes.rs @@ -1,4 +1,7 @@ -use crate::{domain::api::LoginData, prelude::*}; +use crate::{ + domain::{api::LoginData, user::InternalUser}, + prelude::*, +}; use std::sync::Arc; use crate::{ @@ -8,7 +11,7 @@ use crate::{ }; use anyhow::Result; use axum::{ - Json, + Extension, Json, extract::{Path, State}, http::StatusCode, }; @@ -73,3 +76,9 @@ pub async fn logout(jar: CookieJar) -> Result { Ok(jar) } + +pub async fn me(Extension(user): Extension) -> Result, StatusCode> { + let clean = User::from(user); + + Ok(Json(clean)) +}
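Review bot: In src/backend/src/router/user_routes.rs, the new `me` handler has no doc comment and returns a `Result` with a `StatusCode` error although its body has no failing path. It depends on two things that are not visible here: the auth layer having inserted the user extension (the route is registered with `cors_auth` in router/mod.rs), and `User::from` removing every internal-only field before serialisation, which the local name `clean` suggests but the page does not show. I would state both, e.g. `/// Returns the authenticated caller's public profile; requires the auth layer and relies on User::from to strip internal fields.`, and return the `Json` value directly. A serialisation test on that conversion would keep a field later added to the internal user type from reaching this endpoint unnoticed.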