Update gateway: store seeding, CORS, JWT auth, Postgres support

.env.example

@@ -2,5 +2,8 @@
 UPSTREAM_API_KEY=replace-me
 GATEWAY_BIND=0.0.0.0:8080
 RUST_LOG=info,gateway=debug,ingestion=debug
+# Auth: set to enable HS256 JWT verification on write endpoints (sub = user id).
+# Unset → dev fallback where the bearer token IS the user id. Set as a Space secret.
+# AUTH_JWT_SECRET=replace-with-a-long-random-secret
 # Comma-separated active regions; ingestion cadence scales with regions×providers, not users (NFR-6.1).
 ACTIVE_REGIONS=PL,GB

Cargo.lock

@@ -275,6 +275,15 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "deranged"
+version = "0.5.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7cd812cc2bc1d69d4764bd80df88b4317eaef9e773c75226407d9bc0876b211c"
+dependencies = [
+ "powerfmt",
+]
+
 [[package]]
 name = "digest"
 version = "0.10.7"
@@ -471,6 +480,7 @@ dependencies = [
  "axum",
  "chrono",
  "domain",
+ "jsonwebtoken",
  "serde",
  "serde_json",
  "store",
@@ -499,8 +509,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
 dependencies = [
  "cfg-if",
+ "js-sys",
  "libc",
  "wasi",
+ "wasm-bindgen",
 ]
 
 [[package]]
@@ -818,6 +830,21 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "jsonwebtoken"
+version = "9.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde"
+dependencies = [
+ "base64",
+ "js-sys",
+ "pem",
+ "ring",
+ "serde",
+ "serde_json",
+ "simple_asn1",
+]
+
 [[package]]
 name = "lazy_static"
 version = "1.5.0"
@@ -939,6 +966,16 @@ dependencies = [
  "windows-sys 0.61.2",
 ]
 
+[[package]]
+name = "num-bigint"
+version = "0.4.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a5e44f723f1133c9deac646763579fdb3ac745e418f2a7af9cd0c431da1f20b9"
+dependencies = [
+ "num-integer",
+ "num-traits",
+]
+
 [[package]]
 name = "num-bigint-dig"
 version = "0.8.6"
@@ -955,6 +992,12 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "num-conv"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "521739c6d2bac4aa25192232afe6841231376b2b26d4d9fae5ecf8ca5772e441"
+
 [[package]]
 name = "num-integer"
 version = "0.1.46"
@@ -1020,6 +1063,16 @@ dependencies = [
  "windows-link",
 ]
 
+[[package]]
+name = "pem"
+version = "3.0.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
+dependencies = [
+ "base64",
+ "serde_core",
+]
+
 [[package]]
 name = "pem-rfc7468"
 version = "0.7.0"
@@ -1083,6 +1136,12 @@ dependencies = [
  "zerovec",
 ]
 
+[[package]]
+name = "powerfmt"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
+
 [[package]]
 name = "ppv-lite86"
 version = "0.2.21"
@@ -1384,6 +1443,18 @@ dependencies = [
  "rand_core",
 ]
 
+[[package]]
+name = "simple_asn1"
+version = "0.6.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0d585997b0ac10be3c5ee635f1bab02d512760d14b7c468801ac8a01d9ae5f1d"
+dependencies = [
+ "num-bigint",
+ "num-traits",
+ "thiserror",
+ "time",
+]
+
 [[package]]
 name = "slab"
 version = "0.4.12"
@@ -1715,6 +1786,37 @@ dependencies = [
  "cfg-if",
 ]
 
+[[package]]
+name = "time"
+version = "0.3.47"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c"
+dependencies = [
+ "deranged",
+ "itoa",
+ "num-conv",
+ "powerfmt",
+ "serde_core",
+ "time-core",
+ "time-macros",
+]
+
+[[package]]
+name = "time-core"
+version = "0.1.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca"
+
+[[package]]
+name = "time-macros"
+version = "0.2.27"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215"
+dependencies = [
+ "num-conv",
+ "time-core",
+]
+
 [[package]]
 name = "tinystr"
 version = "0.8.3"

Cargo.toml

@@ -25,6 +25,7 @@ uuid = { version = "1", features = ["v4", "serde"] }
 async-trait = "0.1"
 thiserror = "2"
 anyhow = "1"
+jsonwebtoken = "9"
 sqlx = { version = "0.8", default-features = false, features = ["runtime-tokio", "tls-rustls", "postgres", "chrono", "macros", "migrate"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }

crates/gateway/Cargo.toml

@@ -19,6 +19,7 @@ tower-http.workspace = true
 serde.workspace = true
 serde_json.workspace = true
 chrono.workspace = true
+jsonwebtoken.workspace = true
 tracing.workspace = true
 tracing-subscriber.workspace = true
 anyhow.workspace = true

crates/gateway/src/auth.rs

@@ -0,0 +1,94 @@
+//! Bearer-token → user-id resolution (B-6).
+//!
+//! Two modes, chosen by the `AUTH_JWT_SECRET` env var:
+//! - **Set:** the bearer must be a valid HS256 JWT; the `sub` claim is the user
+//!   id (signature + expiry verified). This is the production mode — an OAuth
+//!   provider (Google/Apple/Firebase) issues the token; the gateway only verifies.
+//! - **Unset (dev/MVP):** the bearer string *is* the user id (the current stub).
+//!
+//! Keeping the dev fallback means the live deployment works until you provision
+//! a signing secret; setting the secret flips on real verification with no code change.
+
+use std::sync::OnceLock;
+
+use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+use serde::Deserialize;
+
+#[derive(Debug, Deserialize)]
+struct Claims {
+    sub: String,
+}
+
+/// Cached signing secret (read once). `None` → dev stub mode.
+pub fn jwt_secret() -> Option<&'static str> {
+    static SECRET: OnceLock<Option<String>> = OnceLock::new();
+    SECRET
+        .get_or_init(|| std::env::var("AUTH_JWT_SECRET").ok().filter(|s| !s.is_empty()))
+        .as_deref()
+}
+
+/// Resolves the authenticated user id from a bearer token. Returns `None` when
+/// the token is missing/empty (dev mode) or invalid/expired (JWT mode).
+pub fn user_from_bearer(token: &str, secret: Option<&str>) -> Option<String> {
+    match secret {
+        None => {
+            let t = token.trim();
+            if t.is_empty() {
+                None
+            } else {
+                Some(t.to_string())
+            }
+        }
+        Some(sec) => {
+            // HS256; expiry validated by default when an `exp` claim is present.
+            let validation = Validation::new(Algorithm::HS256);
+            decode::<Claims>(token, &DecodingKey::from_secret(sec.as_bytes()), &validation)
+                .ok()
+                .map(|data| data.claims.sub)
+        }
+    }
+}
+
+#[cfg(test)]
+#[allow(clippy::unwrap_used)]
+mod tests {
+    use super::*;
+    use jsonwebtoken::{encode, EncodingKey, Header};
+    use serde::Serialize;
+
+    #[derive(Serialize)]
+    struct TestClaims {
+        sub: String,
+        exp: usize,
+    }
+
+    fn sign(sub: &str, secret: &str, exp: usize) -> String {
+        encode(
+            &Header::new(Algorithm::HS256),
+            &TestClaims { sub: sub.into(), exp },
+            &EncodingKey::from_secret(secret.as_bytes()),
+        )
+        .unwrap()
+    }
+
+    #[test]
+    fn dev_mode_uses_token_as_user_id() {
+        assert_eq!(user_from_bearer("alice", None), Some("alice".into()));
+        assert_eq!(user_from_bearer("  ", None), None);
+    }
+
+    #[test]
+    fn jwt_mode_accepts_valid_token_and_reads_sub() {
+        let t = sign("alice", "topsecret", 9_999_999_999);
+        assert_eq!(user_from_bearer(&t, Some("topsecret")), Some("alice".into()));
+    }
+
+    #[test]
+    fn jwt_mode_rejects_bad_signature_and_expiry() {
+        let t = sign("alice", "topsecret", 9_999_999_999);
+        assert_eq!(user_from_bearer(&t, Some("wrongsecret")), None); // bad signature
+        let expired = sign("alice", "topsecret", 1); // 1970 → expired
+        assert_eq!(user_from_bearer(&expired, Some("topsecret")), None);
+        assert_eq!(user_from_bearer("not-a-jwt", Some("topsecret")), None);
+    }
+}

crates/gateway/src/main.rs

@@ -1,5 +1,6 @@
 //! WhereToWatch gateway — the ONLY backend the client talks to (NFR-1.3).
 
+mod auth;
 mod catalog;
 mod dto;
 mod routes;

crates/gateway/src/routes.rs

@@ -35,9 +35,9 @@ pub fn routes(state: AppState) -> Router {
 
 // ── Auth guard ───────────────────────────────────────────────────────────
 
-/// Authenticated user. STUB: the bearer token is taken as the user id. Real
-/// OAuth/JWT verification lands in ticket B-6 (FR-9.3); the guard placement is
-/// what matters now — every write handler requires it.
+/// Authenticated user, resolved from the `Authorization: Bearer …` header by
+/// [`crate::auth`]: a verified HS256 JWT's `sub` when `AUTH_JWT_SECRET` is set,
+/// else the token-as-user-id dev fallback (FR-9.3). Every write handler requires it.
 pub struct AuthUser(pub String);
 
 impl<S: Send + Sync> FromRequestParts<S> for AuthUser {
@@ -49,10 +49,11 @@ impl<S: Send + Sync> FromRequestParts<S> for AuthUser {
             .get(axum::http::header::AUTHORIZATION)
             .and_then(|v| v.to_str().ok())
             .and_then(|v| v.strip_prefix("Bearer "))
-            .map(str::trim)
-            .filter(|t| !t.is_empty())
             .ok_or(ApiError::Unauthorized)?;
-        Ok(AuthUser(token.to_string()))
+        // JWT-verified when AUTH_JWT_SECRET is set; else the token is the user id.
+        let user = crate::auth::user_from_bearer(token, crate::auth::jwt_secret())
+            .ok_or(ApiError::Unauthorized)?;
+        Ok(AuthUser(user))
     }
 }