chore: sync repository to current working state

Brings azcomputerguru/guru-connect up to the authoritative working copy that
had been maintained in the claudetools monorepo: Phase 1 security and
infrastructure (middleware, metrics, utils, token blacklist, deployment
scripts, security audits) plus the native-remote-control integration spec.
Preserves the repo .gitignore, .cargo, and server/static/downloads.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

server/src/api/auth.rs

@@ -1,7 +1,7 @@
 //! Authentication API endpoints
 
 use axum::{
-    extract::State,
+    extract::{State, Request},
     http::StatusCode,
     Json,
 };

server/src/api/auth_logout.rs

@@ -0,0 +1,191 @@
+//! Logout and token revocation endpoints
+
+use axum::{
+    extract::{Request, State, Path},
+    http::{StatusCode, HeaderMap},
+    Json,
+};
+use uuid::Uuid;
+use serde::Serialize;
+use tracing::{info, warn};
+
+use crate::auth::AuthenticatedUser;
+use crate::AppState;
+
+use super::auth::ErrorResponse;
+
+/// Extract JWT token from Authorization header
+fn extract_token_from_headers(headers: &HeaderMap) -> Result<String, (StatusCode, Json<ErrorResponse>)> {
+    let auth_header = headers
+        .get("Authorization")
+        .and_then(|v| v.to_str().ok())
+        .ok_or_else(|| {
+            (
+                StatusCode::UNAUTHORIZED,
+                Json(ErrorResponse {
+                    error: "Missing Authorization header".to_string(),
+                }),
+            )
+        })?;
+
+    let token = auth_header
+        .strip_prefix("Bearer ")
+        .ok_or_else(|| {
+            (
+                StatusCode::UNAUTHORIZED,
+                Json(ErrorResponse {
+                    error: "Invalid Authorization format".to_string(),
+                }),
+            )
+        })?;
+
+    Ok(token.to_string())
+}
+
+/// Logout response
+#[derive(Debug, Serialize)]
+pub struct LogoutResponse {
+    pub message: String,
+}
+
+/// POST /api/auth/logout - Revoke current token (logout)
+///
+/// Adds the user's current JWT token to the blacklist, effectively logging them out.
+/// The token will no longer be valid for any requests.
+pub async fn logout(
+    State(state): State<AppState>,
+    user: AuthenticatedUser,
+    request: Request,
+) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
+    // Extract token from headers
+    let token = extract_token_from_headers(request.headers())?;
+
+    // Add token to blacklist
+    state.token_blacklist.revoke(&token).await;
+
+    info!("User {} logged out (token revoked)", user.username);
+
+    Ok(Json(LogoutResponse {
+        message: "Logged out successfully".to_string(),
+    }))
+}
+
+/// POST /api/auth/revoke-token - Revoke own token (same as logout)
+///
+/// Alias for logout endpoint for consistency with revocation terminology.
+pub async fn revoke_own_token(
+    State(state): State<AppState>,
+    user: AuthenticatedUser,
+    request: Request,
+) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
+    logout(State(state), user, request).await
+}
+
+/// Revoke user request
+#[derive(Debug, serde::Deserialize)]
+pub struct RevokeUserRequest {
+    pub user_id: Uuid,
+}
+
+/// POST /api/auth/admin/revoke-user - Admin endpoint to revoke all tokens for a user
+///
+/// WARNING: This currently only revokes the admin's own token as a demonstration.
+/// Full implementation would require:
+/// 1. Session tracking table to store active JWT tokens
+/// 2. Query to find all tokens for the target user
+/// 3. Add all found tokens to blacklist
+///
+/// For MVP, we're implementing the foundation but not the full user tracking.
+pub async fn revoke_user_tokens(
+    State(state): State<AppState>,
+    admin: AuthenticatedUser,
+    Json(req): Json<RevokeUserRequest>,
+) -> Result<Json<LogoutResponse>, (StatusCode, Json<ErrorResponse>)> {
+    // Verify admin permission
+    if !admin.is_admin() {
+        return Err((
+            StatusCode::FORBIDDEN,
+            Json(ErrorResponse {
+                error: "Admin access required".to_string(),
+            }),
+        ));
+    }
+
+    warn!(
+        "Admin {} attempted to revoke tokens for user {} - NOT IMPLEMENTED (requires session tracking)",
+        admin.username, req.user_id
+    );
+
+    // TODO: Implement session tracking
+    // 1. Query active_sessions table for all tokens belonging to user_id
+    // 2. Add each token to blacklist
+    // 3. Delete session records from database
+
+    Err((
+        StatusCode::NOT_IMPLEMENTED,
+        Json(ErrorResponse {
+            error: "User token revocation not yet implemented - requires session tracking table".to_string(),
+        }),
+    ))
+}
+
+/// GET /api/auth/blacklist/stats - Get blacklist statistics (admin only)
+///
+/// Returns information about the current token blacklist for monitoring.
+#[derive(Debug, Serialize)]
+pub struct BlacklistStatsResponse {
+    pub revoked_tokens_count: usize,
+}
+
+pub async fn get_blacklist_stats(
+    State(state): State<AppState>,
+    admin: AuthenticatedUser,
+) -> Result<Json<BlacklistStatsResponse>, (StatusCode, Json<ErrorResponse>)> {
+    if !admin.is_admin() {
+        return Err((
+            StatusCode::FORBIDDEN,
+            Json(ErrorResponse {
+                error: "Admin access required".to_string(),
+            }),
+        ));
+    }
+
+    let count = state.token_blacklist.len().await;
+
+    Ok(Json(BlacklistStatsResponse {
+        revoked_tokens_count: count,
+    }))
+}
+
+/// POST /api/auth/blacklist/cleanup - Clean up expired tokens from blacklist (admin only)
+///
+/// Removes expired tokens from the blacklist to prevent memory buildup.
+#[derive(Debug, Serialize)]
+pub struct CleanupResponse {
+    pub removed_count: usize,
+    pub remaining_count: usize,
+}
+
+pub async fn cleanup_blacklist(
+    State(state): State<AppState>,
+    admin: AuthenticatedUser,
+) -> Result<Json<CleanupResponse>, (StatusCode, Json<ErrorResponse>)> {
+    if !admin.is_admin() {
+        return Err((
+            StatusCode::FORBIDDEN,
+            Json(ErrorResponse {
+                error: "Admin access required".to_string(),
+            }),
+        ));
+    }
+
+    let removed = state.token_blacklist.cleanup_expired(&state.jwt_config).await;
+    let remaining = state.token_blacklist.len().await;
+
+    info!("Admin {} cleaned up blacklist: {} tokens removed, {} remaining", admin.username, removed, remaining);
+
+    Ok(Json(CleanupResponse {
+        removed_count: removed,
+        remaining_count: remaining,
+    }))
+}

server/src/api/mod.rs

@@ -1,6 +1,7 @@
 //! REST API endpoints
 
 pub mod auth;
+pub mod auth_logout;
 pub mod users;
 pub mod releases;
 pub mod downloads;