This directory contains 4 comprehensive documentation files for implementing two new endpoints:
- POST /api/v1/auth/login (email + password → session_token + user's deployments)
- POST /api/v1/agents/link (session_token + deployment_id + fingerprint → agent credentials)
Time to read: 10 minutes
Best for: Implementation planning and quick pattern lookup
Contains:
- Summary of all key patterns
- Implementation checklists for both endpoints
- Error response format
- Testing examples with curl
- Database models needed
👉 Start here for: Understanding what you need to do
Time to read: 15 minutes (to find what you need)
Best for: Implementation - copy-paste production-ready code
Contains:
- Complete
src/routes/auth/login.rshandler - Complete
src/routes/agent/link.rshandler - All file modifications needed
- Database migration SQL
- VaultClient extensions
👉 Use this for: Copying exact code to implement
Time to read: 45 minutes (or read as needed)
Best for: Understanding patterns, troubleshooting, adapting code
Contains:
- Route structure & registration explained
- Complete agent registration flow breakdown
- All 6 authentication methods explained
- Database query patterns with examples
- Response/error handling with builder pattern
- Vault client token storage with retry logic
- Audit logging patterns
- Complete handler pattern example
- Middleware stack composition
👉 Use this for: "Why does this pattern exist?" and troubleshooting
Time to read: 15 minutes
Best for: Understanding the big picture and implementation roadmap
Contains:
- Master index
- Key findings from codebase analysis
- Files changed/created summary
- Quick start implementation path
- Architecture patterns checklist
- Dependencies required
👉 Use this for: Project-level overview and quick reference
1. Read QUICK_REFERENCE.md (10 min)
↓
2. Copy code from CODE_SNIPPETS.md (10 min)
↓
3. Run database migrations & test (10 min)
↓
✅ Done! Both endpoints working
If you get stuck:
→ Check IMPLEMENTATION_GUIDE.md for explanations
→ Refer to existing route handlers in src/routes/
Pattern: Scoped routes with authenticated user extraction
Auth: JWT/OAuth/Cookie/Agent tokens injected via middleware
DB: sqlx queries returning Result<T, String>
Responses: JsonResponse builder pattern with error methods
Tokens: 86-char random strings, async storage in Vault/DB
Logging: Audit logs with details, IP address, timestamps
- Create
src/routes/auth/login.rs(copy from CODE_SNIPPETS) - Create
src/routes/auth/mod.rs - Create
src/db/user.rswithfetch_by_email() - Update
src/routes/mod.rsto add auth module - Update
src/startup.rsto register route - Run database migration for users table
- Test with curl POST /api/v1/auth/login
- Create
src/routes/agent/link.rs(copy from CODE_SNIPPETS) - Update
src/routes/agent/mod.rs - Update
src/startup.rsto register route - Update
src/db/if needed for session queries - Test with curl POST /api/v1/agents/link
curl -X POST http://localhost:8080/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"user@example.com","password":"pass123"}'curl -X POST http://localhost:8080/api/v1/agents/link \
-H "Content-Type: application/json" \
-d '{
"session_token":"<token_from_login>",
"deployment_id":1,
"fingerprint":"hash"
}'Expected: 200 OK with credentials
- Routes: Scoped with
web::scope()+#[post]/#[get]macros - Auth: User injected via
web::ReqData<Arc<models::User>> - DB: All functions return
Result<T, String> - Responses:
JsonResponse::build().set_item(data).ok("msg") - Errors:
.bad_request(),.not_found(),.forbidden(),.internal_server_error() - Tokens: 86-char random, stored async with retry
- Audit:
AuditLog::new(...).with_details(...).with_ip(...)
src/routes/auth/mod.rssrc/routes/auth/login.rssrc/routes/agent/link.rssrc/db/user.rsmigrations/[DATE]_create_users_sessions.sql
src/routes/mod.rs- Add auth modulesrc/routes/agent/mod.rs- Add link handlersrc/startup.rs- Register routessrc/models/user.rs- Add password_hash field
All changes are in CODE_SNIPPETS.md!
Q: Where's the authentication?
A: Middleware automatically extracts JWT/OAuth/Cookie tokens. See IMPLEMENTATION_GUIDE.md section 3.
Q: How do I store sessions?
A: Use database (recommended) or Vault. CODE_SNIPPETS.md shows both approaches.
Q: What's with the 86-char tokens?
A: Pattern from existing agent registration. Provides good entropy with alphanumeric + dash/underscore.
Q: How do errors work?
A: JsonResponse builder with error methods. Returns appropriate HTTP status codes. See QUICK_REFERENCE.md.
Q: Do I need Vault?
A: For agents (existing pattern). For sessions, database is simpler. See CODE_SNIPPETS.md.
Q: How do I verify the user owns the deployment?
A: Check if d.user_id.as_deref() != Some(&user_id) { forbidden }. See QUICK_REFERENCE.md.
Login Endpoint
├── POST /api/v1/auth/login
├── Routes: src/routes/auth/login.rs
├── DB: src/db/user.rs (fetch by email)
├── Response: session_token + user + deployments
└── Uses: JsonResponse, AuditLog
Link Endpoint
├── POST /api/v1/agents/link
├── Routes: src/routes/agent/link.rs
├── Auth: session_token validation
├── DB: deployment fetch + verify ownership
├── Response: agent_id + credentials
└── Uses: JsonResponse, AuditLog, Vault
- This file (1 min) ← You are here
- QUICK_REFERENCE.md (10 min)
- CODE_SNIPPETS.md (copy what you need)
- Refer to IMPLEMENTATION_GUIDE.md as needed
If you want to understand the codebase patterns:
- Routes:
src/routes/agent/register.rs(excellent example) - Auth:
src/middleware/authentication/(how tokens are extracted) - DB:
src/db/deployment.rs(query patterns) - Responses:
src/helpers/json.rs(JsonResponse builder) - Middleware:
src/startup.rs(middleware stack)
After implementing, verify:
- Both endpoints respond with 200 OK
- Login returns session_token + user + deployments
- Link returns agent_id + credentials + token
- Invalid credentials return 403 Forbidden
- Missing fields return 400 Bad Request
- Unauthorized users return 403 Forbidden
- Database migrations run successfully
- Audit logs created for both actions
- Token generated (86 characters)
"Route not found" → Check startup.rs scope registration
"User not found"
→ Ensure users table created and user exists
"Invalid credentials" → Check password hashing (bcrypt)
"Deployment not found" → Verify deployment belongs to user
"Unauthorized" → Check session token validity and user ownership
See IMPLEMENTATION_GUIDE.md for detailed error handling patterns.
- ✅ Read QUICK_REFERENCE.md (10 min)
- ✅ Copy code from CODE_SNIPPETS.md (10 min)
- ✅ Update files and run migrations (10 min)
- ✅ Test with curl (5 min)
- 🎉 Done!
Total time: ~35 minutes
Location: /Users/vasilipascal/work/try.direct/stacker/
Good luck! 🚀