feat: improve startup config validation

Author: evansims

crates/infera-management-api/src/handlers/auth.rs

@@ -40,29 +40,97 @@ pub struct AppState {
     pub management_identity: Option<Arc<infera_management_types::ManagementIdentity>>,
 }
 
-impl AppState {
+/// Builder for AppState to avoid too many function parameters
+pub struct AppStateBuilder {
+    storage: Arc<Backend>,
+    config: Arc<infera_management_core::ManagementConfig>,
+    server_client: Arc<ServerApiClient>,
+    worker_id: u16,
+    leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
+    email_service: Option<Arc<infera_management_core::EmailService>>,
+    webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
+    management_identity: Option<Arc<infera_management_types::ManagementIdentity>>,
+}
+
+impl AppStateBuilder {
+    /// Create a new AppStateBuilder with required parameters
     pub fn new(
         storage: Arc<Backend>,
         config: Arc<infera_management_core::ManagementConfig>,
         server_client: Arc<ServerApiClient>,
         worker_id: u16,
-        leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
-        email_service: Option<Arc<infera_management_core::EmailService>>,
-        webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
-        management_identity: Option<Arc<infera_management_types::ManagementIdentity>>,
     ) -> Self {
         Self {
             storage,
             config,
             server_client,
             worker_id,
+            leader: None,
+            email_service: None,
+            webhook_client: None,
+            management_identity: None,
+        }
+    }
+
+    /// Set leader election component (optional)
+    pub fn leader(mut self, leader: Arc<infera_management_core::LeaderElection<Backend>>) -> Self {
+        self.leader = Some(leader);
+        self
+    }
+
+    /// Set email service (optional)
+    pub fn email_service(mut self, email_service: Arc<infera_management_core::EmailService>) -> Self {
+        self.email_service = Some(email_service);
+        self
+    }
+
+    /// Set webhook client (optional)
+    pub fn webhook_client(mut self, webhook_client: Arc<infera_management_core::WebhookClient>) -> Self {
+        self.webhook_client = Some(webhook_client);
+        self
+    }
+
+    /// Set management identity (optional)
+    pub fn management_identity(mut self, management_identity: Arc<infera_management_types::ManagementIdentity>) -> Self {
+        self.management_identity = Some(management_identity);
+        self
+    }
+
+    /// Build the AppState
+    pub fn build(self) -> AppState {
+        AppState {
+            storage: self.storage,
+            config: self.config,
+            server_client: self.server_client,
+            worker_id: self.worker_id,
             start_time: std::time::SystemTime::now(),
-            leader,
-            email_service,
-            webhook_client,
-            management_identity,
+            leader: self.leader,
+            email_service: self.email_service,
+            webhook_client: self.webhook_client,
+            management_identity: self.management_identity,
         }
     }
+}
+
+impl AppState {
+    /// Create AppState using the builder pattern
+    ///
+    /// # Example
+    ///
+    /// ```ignore
+    /// let state = AppState::builder(storage, config, server_client, worker_id)
+    ///     .email_service(email_service)
+    ///     .webhook_client(webhook_client)
+    ///     .build();
+    /// ```
+    pub fn builder(
+        storage: Arc<Backend>,
+        config: Arc<infera_management_core::ManagementConfig>,
+        server_client: Arc<ServerApiClient>,
+        worker_id: u16,
+    ) -> AppStateBuilder {
+        AppStateBuilder::new(storage, config, server_client, worker_id)
+    }
 
     /// Create AppState for testing with default configuration
     /// This is used by both unit tests and integration tests
@@ -134,7 +202,7 @@ server_api:
             start_time: std::time::SystemTime::now(),
             leader: None,
             email_service: Some(Arc::new(email_service)),
-            webhook_client: None, // No webhook client in tests
+            webhook_client: None,      // No webhook client in tests
             management_identity: None, // No management identity in tests
         }
     }

crates/infera-management-api/src/handlers/jwks.rs

@@ -174,15 +174,12 @@ pub async fn get_management_jwks(
     State(state): State<AppState>,
 ) -> Result<Json<JwksResponse>, (StatusCode, String)> {
     // Get the management identity from AppState
-    let identity = state
-        .management_identity
-        .as_ref()
-        .ok_or_else(|| {
-            (
-                StatusCode::SERVICE_UNAVAILABLE,
-                "Management identity not configured".to_string(),
-            )
-        })?;
+    let identity = state.management_identity.as_ref().ok_or_else(|| {
+        (
+            StatusCode::SERVICE_UNAVAILABLE,
+            "Management identity not configured".to_string(),
+        )
+    })?;
 
     let jwks = identity.to_jwks();
 

crates/infera-management-api/src/handlers/organizations.rs

@@ -1,5 +1,6 @@
 use axum::{
     extract::{Path, State},
+    response::IntoResponse,
     Extension, Json,
 };
 use infera_management_core::{error::Error as CoreError, IdGenerator, RepositoryContext};
@@ -21,7 +22,10 @@ use infera_management_types::{
 };
 
 use crate::handlers::auth::{AppState, Result};
-use crate::middleware::{OrganizationContext, SessionContext};
+use crate::middleware::{
+    dual_auth::extract_dual_auth_context, dual_auth::AuthContextType, OrganizationContext,
+    SessionContext,
+};
 
 /// Global limit on total organizations
 const GLOBAL_ORGANIZATION_LIMIT: i64 = 100_000;
@@ -255,6 +259,96 @@ pub async fn get_organization_by_id(
     }))
 }
 
+/// Get organization with dual authentication
+///
+/// GET /v1/organizations/:org
+/// Auth: Session or Server JWT (dual authentication)
+///
+/// This endpoint handles both user requests (with organization membership checks)
+/// and server-to-server requests (without membership checks).
+///
+/// For session auth (users):
+///   - Checks organization membership
+///   - Returns GetOrganizationResponse with user's role
+///   - Returns 403 if user is not a member
+///
+/// For server JWT auth:
+///   - No membership check required
+///   - Returns OrganizationServerResponse with organization status
+pub async fn get_organization_dual_auth(
+    State(state): State<AppState>,
+    Path(org_id): Path<i64>,
+    request: axum::extract::Request,
+) -> Result<axum::response::Response> {
+    let auth_context = extract_dual_auth_context(&request)?;
+
+    match auth_context {
+        AuthContextType::Session(session_ctx) => {
+            // User request - verify membership and return full response
+            let repos = RepositoryContext::new((*state.storage).clone());
+
+            // Check if user is a member of this organization
+            let member = repos
+                .org_member
+                .get_by_org_and_user(org_id, session_ctx.user_id)
+                .await?
+                .ok_or_else(|| {
+                    CoreError::Authz("You are not a member of this organization".to_string())
+                })?;
+
+            // Get organization
+            let org = repos
+                .org
+                .get(org_id)
+                .await?
+                .ok_or_else(|| CoreError::NotFound("Organization not found".to_string()))?;
+
+            // Check if deleted
+            if org.is_deleted() {
+                return Err(CoreError::NotFound("Organization not found".to_string()).into());
+            }
+
+            let response = GetOrganizationResponse {
+                organization: OrganizationResponse {
+                    id: org.id,
+                    name: org.name,
+                    tier: tier_to_string(&org.tier),
+                    created_at: org.created_at.to_rfc3339(),
+                    role: role_to_string(&member.role),
+                },
+            };
+
+            Ok(Json(response).into_response())
+        }
+        AuthContextType::Server(_) => {
+            // Server request - no membership check, return minimal response
+            let repos = RepositoryContext::new((*state.storage).clone());
+
+            // Get organization
+            let org = repos
+                .org
+                .get(org_id)
+                .await?
+                .ok_or_else(|| CoreError::NotFound("Organization not found".to_string()))?;
+
+            // Determine status
+            let status = if org.is_deleted() {
+                OrganizationStatus::Deleted
+            } else {
+                OrganizationStatus::Active
+            };
+
+            let response = OrganizationServerResponse {
+                id: org.id,
+                name: org.name,
+                status,
+            };
+
+            Ok(Json(response).into_response())
+        }
+    }
+}
+
 /// Update organization
 ///
 /// PATCH /v1/organizations/:org
@@ -376,7 +470,9 @@ pub async fn delete_organization(
 
     // Invalidate caches on all servers
     if let Some(ref webhook_client) = state.webhook_client {
-        webhook_client.invalidate_organization(org_ctx.organization_id).await;
+        webhook_client
+            .invalidate_organization(org_ctx.organization_id)
+            .await;
     }
 
     Ok(Json(DeleteOrganizationResponse {

crates/infera-management-api/src/lib.rs

@@ -13,8 +13,8 @@ pub mod pagination;
 pub mod routes;
 
 pub use handlers::AppState;
-pub use infera_management_types::identity::{ManagementIdentity, SharedManagementIdentity};
 pub use infera_management_types::dto::ErrorResponse;
+pub use infera_management_types::identity::{ManagementIdentity, SharedManagementIdentity};
 pub use middleware::{
     extract_session_context, get_user_vault_role, require_admin, require_admin_or_owner,
     require_manager, require_member, require_organization_member, require_owner, require_reader,
@@ -55,28 +55,39 @@ async fn shutdown_signal() {
     }
 }
 
+/// Configuration for optional services in the Management API
+pub struct ServicesConfig {
+    pub leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
+    pub email_service: Option<Arc<infera_management_core::EmailService>>,
+    pub webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
+    pub management_identity: Option<Arc<ManagementIdentity>>,
+}
+
 /// Start the Management API HTTP server
 pub async fn serve(
     storage: Arc<Backend>,
     config: Arc<ManagementConfig>,
     server_client: Arc<ServerApiClient>,
     worker_id: u16,
-    leader: Option<Arc<infera_management_core::LeaderElection<Backend>>>,
-    email_service: Option<Arc<infera_management_core::EmailService>>,
-    webhook_client: Option<Arc<infera_management_core::WebhookClient>>,
-    management_identity: Option<Arc<ManagementIdentity>>,
+    services: ServicesConfig,
 ) -> anyhow::Result<()> {
-    // Create AppState with services
-    let state = AppState::new(
-        storage,
-        config.clone(),
-        server_client,
-        worker_id,
-        leader,
-        email_service,
-        webhook_client,
-        management_identity,
-    );
+    // Create AppState with services using the builder pattern
+    let mut builder = AppState::builder(storage, config.clone(), server_client, worker_id);
+
+    if let Some(leader) = services.leader {
+        builder = builder.leader(leader);
+    }
+    if let Some(email_service) = services.email_service {
+        builder = builder.email_service(email_service);
+    }
+    if let Some(webhook_client) = services.webhook_client {
+        builder = builder.webhook_client(webhook_client);
+    }
+    if let Some(management_identity) = services.management_identity {
+        builder = builder.management_identity(management_identity);
+    }
+
+    let state = builder.build();
 
     let app = create_router_with_state(state);
 

crates/infera-management-api/src/middleware/server_auth.rs

@@ -130,9 +130,9 @@ pub async fn require_server_jwt(
         .map_err(|_| CoreError::Auth("Invalid authorization header".to_string()))?;
 
     // Extract token from "Bearer <token>" format
-    let token = auth_str
-        .strip_prefix("Bearer ")
-        .ok_or_else(|| CoreError::Auth("Authorization header must use Bearer scheme".to_string()))?;
+    let token = auth_str.strip_prefix("Bearer ").ok_or_else(|| {
+        CoreError::Auth("Authorization header must use Bearer scheme".to_string())
+    })?;
 
     // Decode header to get kid
     let header = decode_header(token)
@@ -207,9 +207,7 @@ pub async fn require_server_jwt(
         .to_string();
 
     // Attach server context to request extensions
-    request
-        .extensions_mut()
-        .insert(ServerContext { server_id });
+    request.extensions_mut().insert(ServerContext { server_id });
 
     Ok(next.run(request).await)
 }

crates/infera-management-api/src/routes.rs

@@ -105,11 +105,9 @@ pub fn create_router_with_state(state: AppState) -> axum::Router {
         .route("/v1/organizations/{org}/vaults", get(vaults::list_vaults))
         .route(
             "/v1/organizations/{org}/vaults/{vault}",
-            patch(vaults::update_vault),
-        )
-        .route(
-            "/v1/organizations/{org}/vaults/{vault}",
-            delete(vaults::delete_vault),
+            get(vaults::get_vault)
+                .patch(vaults::update_vault)
+                .delete(vaults::delete_vault),
         )
         // Vault user grant routes
         .route(
@@ -255,7 +253,7 @@ pub fn create_router_with_state(state: AppState) -> axum::Router {
         // Organization GET endpoint - used by users and by server for verification
         .route(
             "/v1/organizations/{org}",
-            get(organizations::get_organization_by_id),
+            get(organizations::get_organization_dual_auth),
         )
         // Vault GET endpoint - used by users and by server for vault ownership verification
         .route("/v1/vaults/{vault}", get(vaults::get_vault_by_id))