Close #713

Author: ja573

.env.example

@@ -6,6 +6,10 @@ THOTH_EXPORT_API=http://localhost:8181
 DATABASE_URL=postgres://thoth:thoth@localhost/thoth
 # Full redis URL
 REDIS_URL=redis://localhost:6379
+# AWS credentials for file uploads
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+AWS_REGION=
 # Logging level
 RUST_LOG=info
 

Cargo.lock

@@ -163,15 +163,3 @@ pub fn aws_region() -> Arg {
         .help("AWS region for S3/CloudFront")
         .num_args(1)
 }
-
-pub fn session() -> Arg {
-    Arg::new("duration")
-        .short('s')
-        .long("session-length")
-        .value_name("DURATION")
-        .env("SESSION_DURATION_SECONDS")
-        .default_value("3600")
-        .help("Authentication cookie session duration (seconds)")
-        .num_args(1)
-        .value_parser(value_parser!(i64))
-}

src/bin/arguments/mod.rs

@@ -23,7 +23,10 @@ lazy_static! {
         .arg(arguments::keep_alive("GRAPHQL_API_KEEP_ALIVE"))
         .arg(arguments::gql_url())
         .arg(arguments::key())
-        .arg(arguments::zitadel_url());
+        .arg(arguments::zitadel_url())
+        .arg(arguments::aws_access_key_id())
+        .arg(arguments::aws_secret_access_key())
+        .arg(arguments::aws_region());
 }
 
 lazy_static! {

src/bin/commands/mod.rs

@@ -18,7 +18,10 @@ lazy_static! {
                 .arg(arguments::keep_alive("GRAPHQL_API_KEEP_ALIVE"))
                 .arg(arguments::gql_url())
                 .arg(arguments::key())
-                .arg(arguments::zitadel_url()),
+                .arg(arguments::zitadel_url())
+                .arg(arguments::aws_access_key_id())
+                .arg(arguments::aws_secret_access_key())
+                .arg(arguments::aws_region()),
         )
         .subcommand(
             Command::new("export-api")
@@ -45,6 +48,7 @@ pub fn graphql_api(arguments: &ArgMatches) -> ThothResult<()> {
         .get_one::<String>("zitadel-url")
         .unwrap()
         .to_owned();
+
     api_server(
         database_url,
         host,
@@ -54,6 +58,18 @@ pub fn graphql_api(arguments: &ArgMatches) -> ThothResult<()> {
         url,
         private_key,
         zitadel_url,
+        arguments
+            .get_one::<String>("aws-access-key-id")
+            .unwrap()
+            .to_owned(),
+        arguments
+            .get_one::<String>("aws-secret-access-key")
+            .unwrap()
+            .to_owned(),
+        arguments
+            .get_one::<String>("aws-region")
+            .unwrap()
+            .to_owned(),
     )
     .map_err(|e| e.into())
 }

src/bin/commands/start.rs

@@ -17,6 +17,7 @@ use serde::Serialize;
 use thoth_api::{
     db::{init_pool, PgPool},
     graphql::{create_schema, Context, GraphQLRequest, Schema},
+    storage::{create_cloudfront_client, create_s3_client, CloudFrontClient, S3Client},
 };
 use zitadel::{
     actix::introspection::{IntrospectedUser, IntrospectionConfigBuilder},
@@ -87,10 +88,17 @@ async fn graphql_schema(st: Data<Arc<Schema>>) -> HttpResponse {
 async fn graphql(
     st: Data<Arc<Schema>>,
     pool: Data<PgPool>,
+    s3_client: Data<S3Client>,
+    cloudfront_client: Data<CloudFrontClient>,
     user: Option<IntrospectedUser>,
     data: Json<GraphQLRequest>,
 ) -> Result<HttpResponse, Error> {
-    let ctx = Context::new(pool.into_inner(), user);
+    let ctx = Context::new(
+        pool.into_inner(),
+        user,
+        s3_client.into_inner(),
+        cloudfront_client.into_inner(),
+    );
     let result = data.execute(&st, &ctx).await;
     match result.is_ok() {
         true => Ok(HttpResponse::Ok().json(result)),
@@ -109,6 +117,9 @@ pub async fn start_server(
     public_url: String,
     private_key: String,
     zitadel_url: String,
+    aws_access_key_id: String,
+    aws_secret_access_key: String,
+    aws_region: String,
 ) -> io::Result<()> {
     env_logger::init_from_env(env_logger::Env::new().default_filter_or("info"));
 
@@ -123,6 +134,10 @@ pub async fn start_server(
         .await
         .unwrap();
 
+    let s3_client = create_s3_client(&aws_access_key_id, &aws_secret_access_key, &aws_region).await;
+    let cloudfront_client =
+        create_cloudfront_client(&aws_access_key_id, &aws_secret_access_key, &aws_region).await;
+
     HttpServer::new(move || {
         App::new()
             .wrap(Compress::default())
@@ -139,6 +154,8 @@ pub async fn start_server(
             .app_data(auth.clone())
             .app_data(Data::new(ApiConfig::new(public_url.clone())))
             .app_data(Data::new(init_pool(&database_url)))
+            .app_data(Data::new(s3_client.clone()))
+            .app_data(Data::new(cloudfront_client.clone()))
             .app_data(Data::new(Arc::new(create_schema())))
             .service(index)
             .service(graphql_index)

thoth-api-server/src/lib.rs

@@ -28,8 +28,7 @@ backend = [
     "aws-config",
     "aws-credential-types",
     "base64",
-    "hex",
-    "aes-gcm"
+    "hex"
 ]
 
 [dependencies]
@@ -63,7 +62,6 @@ aws-config = { version = "1", optional = true }
 aws-credential-types = { version = "1", optional = true }
 base64 = { version = "0.22", optional = true }
 hex = { version = "0.4", optional = true }
-aes-gcm = { version = "0.10", optional = true }
 
 [dev-dependencies]
 fs2 = "0.4.3"

thoth-api/Cargo.toml

@@ -17,6 +17,7 @@ use crate::model::{
     contact::{Contact, ContactOrderBy, ContactType},
     contribution::{Contribution, ContributionType},
     contributor::Contributor,
+    file::{File, FileType},
     funding::Funding,
     imprint::{Imprint, ImprintField, ImprintOrderBy},
     institution::{CountryCode, Institution},
@@ -40,18 +41,39 @@ use crate::model::{
     Crud, Doi, Isbn, Orcid, Ror, Timestamp,
 };
 use crate::policy::PolicyContext;
+use crate::storage::{CloudFrontClient, S3Client};
 use thoth_errors::ThothError;
 
 impl juniper::Context for Context {}
 
 pub struct Context {
     pub db: Arc<PgPool>,
     pub user: Option<IntrospectedUser>,
+    pub s3_client: Arc<S3Client>,
+    pub cloudfront_client: Arc<CloudFrontClient>,
 }
 
 impl Context {
-    pub fn new(pool: Arc<PgPool>, user: Option<IntrospectedUser>) -> Self {
-        Self { db: pool, user }
+    pub fn new(
+        pool: Arc<PgPool>,
+        user: Option<IntrospectedUser>,
+        s3_client: Arc<S3Client>,
+        cloudfront_client: Arc<CloudFrontClient>,
+    ) -> Self {
+        Self {
+            db: pool,
+            user,
+            s3_client,
+            cloudfront_client,
+        }
+    }
+
+    pub fn s3_client(&self) -> &S3Client {
+        self.s3_client.as_ref()
+    }
+
+    pub fn cloudfront_client(&self) -> &CloudFrontClient {
+        self.cloudfront_client.as_ref()
     }
 }
 
@@ -667,6 +689,10 @@ impl Work {
         )
         .map_err(Into::into)
     }
+    #[graphql(description = "Get the front cover file for this work")]
+    pub fn frontcover(&self, context: &Context) -> FieldResult<Option<File>> {
+        File::from_work_id(&context.db, &self.work_id).map_err(Into::into)
+    }
     #[graphql(description = "Get references cited by this work")]
     pub fn references(
         &self,
@@ -907,12 +933,79 @@ impl Publication {
         .map_err(Into::into)
     }
 
+    #[graphql(description = "Get the publication file for this publication")]
+    pub fn file(&self, context: &Context) -> FieldResult<Option<File>> {
+        File::from_publication_id(&context.db, &self.publication_id).map_err(Into::into)
+    }
+
     #[graphql(description = "Get the work to which this publication belongs")]
     pub fn work(&self, context: &Context) -> FieldResult<Work> {
         Work::from_id(&context.db, &self.work_id).map_err(Into::into)
     }
 }
 
+#[juniper::graphql_object(
+    Context = Context,
+    description = "A file stored in the system (publication file or front cover)."
+)]
+impl File {
+    #[graphql(description = "Thoth ID of the file")]
+    pub fn file_id(&self) -> &Uuid {
+        &self.file_id
+    }
+
+    #[graphql(description = "Type of file (publication or frontcover)")]
+    pub fn file_type(&self) -> &FileType {
+        &self.file_type
+    }
+
+    #[graphql(description = "Thoth ID of the work (for frontcovers)")]
+    pub fn work_id(&self) -> Option<&Uuid> {
+        self.work_id.as_ref()
+    }
+
+    #[graphql(description = "Thoth ID of the publication (for publication files)")]
+    pub fn publication_id(&self) -> Option<&Uuid> {
+        self.publication_id.as_ref()
+    }
+
+    #[graphql(description = "S3 object key (canonical DOI-based path)")]
+    pub fn object_key(&self) -> &String {
+        &self.object_key
+    }
+
+    #[graphql(description = "Public CDN URL")]
+    pub fn cdn_url(&self) -> &String {
+        &self.cdn_url
+    }
+
+    #[graphql(description = "MIME type used when serving the file")]
+    pub fn mime_type(&self) -> &String {
+        &self.mime_type
+    }
+
+    #[graphql(description = "Size of the file in bytes")]
+    pub fn bytes(&self) -> i32 {
+        // GraphQL does not support i64; files larger than 2GB will overflow.
+        self.bytes as i32
+    }
+
+    #[graphql(description = "SHA-256 checksum of the stored file")]
+    pub fn sha256(&self) -> &String {
+        &self.sha256
+    }
+
+    #[graphql(description = "Date and time at which the file record was created")]
+    pub fn created_at(&self) -> Timestamp {
+        self.created_at
+    }
+
+    #[graphql(description = "Date and time at which the file record was last updated")]
+    pub fn updated_at(&self) -> Timestamp {
+        self.updated_at
+    }
+}
+
 #[juniper::graphql_object(Context = Context, description = "An organisation that produces and distributes written texts.")]
 impl Publisher {
     #[graphql(description = "Thoth ID of the publisher")]