fix(cloud_auth): Correctly route users/me

Fix routing of `users/me` endpoint to correctly alias to invoking principal.

Author: dnys1

apps/cli/fixtures/standalone/auth/goldens/ast.resolved.json

@@ -1,11 +1,20 @@
+import 'dart:convert';
+
 import 'package:celest_core/celest_core.dart';
 
 mixin BaseProtocol {
   Never throwError({
     required int statusCode,
     required List<int> bodyBytes,
   }) {
-    final jsonBody = JsonUtf8.decodeMap(bodyBytes);
-    throw CloudException.fromJson(jsonBody, code: statusCode);
+    try {
+      final jsonBody = JsonUtf8.decodeMap(bodyBytes);
+      throw CloudException.fromJson(jsonBody, code: statusCode);
+    } on FormatException {
+      throw CloudException.http(
+        code: statusCode,
+        message: utf8.decode(bodyBytes),
+      );
+    }
   }
 }

apps/cli/fixtures/standalone/auth/goldens/celest.json

@@ -3,6 +3,7 @@
 - feat!: Make database modular
 - refactor!: Rename `AuthDatabase` to `CloudAuthDatabase`
 - refactor!: Rename all entities with `cloud_auth_` prefix
+- fix: Correctly route `users/me`
 - chore: Make `Authorizer` a class
 - chore: Update dependencies
 

apps/cli/fixtures/standalone/data/goldens/ast.resolved.json

@@ -66,6 +66,14 @@ permit (
     resource in ?resource
 );
 
+// Anonymous functions and APIs.
+@id("cloud.functions.anonymous")
+permit (
+    principal in Celest::Role::"anonymous",
+    action == Celest::Action::"invoke",
+    resource in ?resource
+);
+
 // Public functions and APIs.
 @id("cloud.functions.public")
 permit (

apps/cli/fixtures/standalone/data/goldens/celest.json

@@ -33,8 +33,8 @@ extension type Context._(celest.Context _context) implements celest.Context {
     return const EmailOtpProvider();
   }
 
-  Map<String, String>? get routeParameters =>
-      _context.get(contextKeyRouteParameters);
+  Map<String, String> get routeParameters =>
+      _context.expect(contextKeyRouteParameters);
 }
 
 const celest.ContextKey<CedarCork> contextKeyCork = celest.ContextKey('cork');

packages/celest_cloud/lib/src/cloud/base/base_protocol.dart

@@ -1,4 +1,3 @@
-import 'package:cedar/ast.dart' hide Value;
 import 'package:cedar/cedar.dart' hide Value;
 // ignore: invalid_use_of_internal_member
 import 'package:celest/src/runtime/http/cloud_middleware.dart';
@@ -120,18 +119,13 @@ extension type UsersService._(_Deps _deps) implements Object {
       ),
     },
     policySet: PolicySet(
-      policies: {
-        apiId: Policy(
-          effect: Effect.permit,
-          principal: const PrincipalIs('Celest::User'),
-          action: const ActionEquals(CelestAction.invoke),
-          annotations: Annotations({
-            'id': apiId,
-          }),
-          resource: const ResourceIn(apiUid),
-          conditions: [],
+      templateLinks: [
+        TemplateLink(
+          templateId: 'cloud.functions.anonymous',
+          newId: apiId,
+          values: {SlotId.resource: apiUid},
         ),
-      },
+      ],
     ),
   );
 
@@ -165,16 +159,22 @@ extension type UsersService._(_Deps _deps) implements Object {
 
   Future<Response> handleGetUser(Request request) async {
     final principal = context.get(ContextKey.principal);
-    // TODO: Handle users/me
+    final user = await getUser(
+      userId: switch (context.routeParameters['name']!.split('/')) {
+        ['users', 'me'] when principal != null => principal.id,
+        ['users', final userId] => userId,
+        final badName => throw BadRequestException(
+            'Invalid user: $badName. Expected users/{user_id}',
+          ),
+      },
+    );
 
-    final resource = _getResource(request);
     await _authorizer.expectAuthorized(
       principal: principal?.uid,
-      resource: resource,
+      resource: EntityUid.of('Celest::User', user.id),
       action: CelestAction.get,
     );
-    final response = await getUser(userId: principal!.userId);
-    return response.toProto().jsonResponse();
+    return user.toProto().jsonResponse();
   }
 
   @visibleForTesting