universal_web_loco_rewrite/REWRITE_SPEC.md

Universal Web — Loco.rs Rewrite Specification

This document is the implementation spec for re-building the existing Axum app (parent directory ../) on top of Loco.rs. It captures every feature so the rewrite reaches parity. The GUI is being rewritten as part of this effort, so templates/markup are not meant to be ported verbatim — only behaviour and routes.

• Source app: ../ — Axum 0.8, sqlx, Askama, axum-login, OpenDAL.
• Target app: this directory — Loco 0.16 (SaaS, server-side rendered), SeaORM 1.1, Tera.
• Scaffold already generated by loco new: auth controller, users model + migration, auth mailer, background worker example, Tera view engine, i18n.

---

1. Stack mapping (old → Loco)

Concern	Old (Axum)	Loco target
HTTP framework	Axum 0.8 + tower	Loco (Axum under the hood) — controllers/
DB access	sqlx 0.8 (raw SQL, query_as)	SeaORM 1.1 — entities in models/_entities/
Migrations	migrations/*.sql (sqlx-cli)	migration/ crate (SeaORM, Rust DSL)
Templating	Askama (compile-time)	Tera (assets/views/) via view_engine initializer
Auth/session	axum-login + tower-sessions (PG store)	Decision needed — see §3.1. Loco ships JWT auth.
Password hashing	argon2 0.5	Loco built-in (AuthnUser/hash_password) — argon2
File storage	OpenDAL 0.50 (fs/S3/Azure/GCS)	Loco storage module (local/S3/multi-mirror)
Background jobs	none (manual)	Loco workers (workers/) — bg mode async selected
Email	none (verification stored, not sent)	Loco mailers (mailers/) — scaffold already present
API docs	utoipa + Swagger UI + Scalar	Manual — see §13
Validation	garde	validator crate (already a dep)
Config	.env + config.rs singleton	config/{development,production,test}.yaml
Logging	tracing-subscriber	Loco logger (configured in yaml)

---

2. Feature inventory (parity checklist)

The old app ships these feature modules. Each must exist in the rewrite:

• Auth — register, login, logout, current-user, email verification
• RBAC — 4 roles, ~14 permissions, per-request permission loading
• Admin — dashboard, user management, role assignment, audit log
• Blog — articles CRUD, publish workflow, public listing, view counts
• Audio dashboard — albums + tracks + tags CRUD, publish workflow
• Audio streaming — range-aware track/file streaming, raw upload
• Audio player — persistent bottom-bar player (frontend)
• Images — upload + serve, used as cover/featured images
• Theme — per-user light/dark preference
• Storage — pluggable backend (fs default, S3/Azure/GCS capable)
• Home + layout — landing page, dynamic navbar, footer
• Swagger/OpenAPI — API docs (optional, lower priority)

---

3. Key migration decisions / gotchas

3.1 Sessions vs JWT

The old app uses cookie sessions (axum-login + tower-sessions-sqlx-store, 1-day inactivity timeout, PG-backed session table). Loco's SaaS starter ships JWT bearer auth by default.

Because this is a server-side rendered app (forms post HTML, navbar reflects auth state), bearer tokens are awkward. Recommended path:

• Keep Loco's users model + password hashing + the auth controller for the API-style endpoints.
• Add cookie-session middleware for the HTML pages. Loco exposes the Axum router, so tower-sessions can be layered in an initializer (src/initializers/). Store the user id in the session.
• Alternatively store the JWT in an HttpOnly cookie and add an extractor that reads it from the cookie instead of the Authorization header.

Pick one and apply it consistently. The old behaviour to match: login sets a cookie, navbar//auth/me reflect it, logout clears it, ~1-day expiry.

3.2 sqlx → SeaORM

Every raw query becomes a SeaORM entity + ActiveModel. Generate entities from migrations with cargo loco db entities. Slug-uniqueness and ON CONFLICT DO NOTHING semantics must be re-expressed (unique index + handle the error).

3.3 Askama → Tera

Templates are NOT ported. Re-author markup as Tera under assets/views/. The new GUI may keep HTMX + Alpine + DaisyUI (still works with server-rendered Tera) or go a different direction — that is a GUI decision, not a backend one.

3.4 OpenDAL → Loco storage

Loco has its own storage abstraction (local, S3, multi-backend mirror/replica). Map the old Storage/ImageStorage/AudioStorage wrappers onto it. Default to local (uploads/); keep S3/Azure/GCS reachable via config only.

3.5 Range requests for audio

The old stream_track forwards the request so ServeFile honours Range headers (seeking/progressive playback). The Loco equivalent must also emit Accept-Ranges/Content-Range — use tower-http ServeFile/ServeDir or a range-aware handler. Do not regress this; it is required for the player's seek bar.

---

4. Database schema

Old app: 8 migrations under ../migrations/. Re-create as SeaORM migrations in migration/src/ (the loco new scaffold already created m20220101_000001_users). Prefer Loco generators: cargo loco generate model <name> ....

4.1 users

column	type	notes
id	UUID PK	gen_random_uuid()
email	VARCHAR(255)	UNIQUE NOT NULL
password_hash	TEXT	NOT NULL (argon2)
email_verified	BOOLEAN	default FALSE
email_verified_at	TIMESTAMPTZ	nullable
theme	VARCHAR(10)	default 'light'
created_at	TIMESTAMPTZ	default NOW
updated_at	TIMESTAMPTZ	default NOW

Loco's scaffold users table differs (has pid, api_key, reset/verification token columns). Reconcile: either adopt Loco's columns and add theme, or align Loco's model to this schema. Adopting Loco's is less work — it already wires tokens for verification/reset.

4.2 email_verifications

id UUID PK, user_id UUID FK→users ON DELETE CASCADE, token VARCHAR(255) UNIQUE, expires_at TIMESTAMPTZ, created_at TIMESTAMPTZ. Indexes on token, user_id.

Loco's users table already carries verification tokens — this table may become redundant if you adopt Loco's auth columns.

4.3 user_roles

user_id UUID FK→users CASCADE, role VARCHAR(50) (user|moderator|admin| super_admin), assigned_by UUID FK→users ON DELETE SET NULL, assigned_at TIMESTAMPTZ. PK = (user_id, role). Index on user_id. Migration back-fills user role for every existing user.

4.4 blog_articles

id UUID PK, title VARCHAR(500), slug VARCHAR(500) UNIQUE, content TEXT, excerpt VARCHAR(1000) NULL, published BOOL default false, author_id UUID FK→users CASCADE, featured_image_id VARCHAR(500) NULL, view_count INT default 0, created_at, updated_at (trigger-updated), published_at TIMESTAMPTZ NULL. Indexes: slug, (published, published_at DESC), author_id.

4.5 audit_logs

id UUID PK, admin_user_id UUID FK→users CASCADE, action VARCHAR(100), target_type VARCHAR(50) NULL, target_id UUID NULL, details JSONB NULL, ip_address INET NULL, user_agent TEXT NULL, created_at TIMESTAMPTZ. Indexes: admin_user_id, action, (target_type,target_id), created_at DESC.

4.6 audio_albums

id UUID PK, title VARCHAR(500), slug VARCHAR(500) UNIQUE, description TEXT NULL, cover_image_id VARCHAR(500) NULL, artist VARCHAR(500) NULL, release_date DATE NULL, published BOOL default false, uploader_id UUID FK→users CASCADE, view_count INT default 0, created_at, updated_at (trigger), published_at NULL. Indexes: slug, published, uploader_id.

4.7 audio_tracks

id UUID PK, album_id UUID FK→audio_albums CASCADE, title VARCHAR(500), slug VARCHAR(500), audio_file_id VARCHAR(500) NOT NULL, track_number INT NULL, duration INT NULL (seconds), featured BOOL default false, play_count INT default 0, created_at, updated_at (trigger). UNIQUE(album_id, slug).

4.8 audio_tags + audio_track_tags

audio_tags: id UUID PK, name VARCHAR(100) UNIQUE, slug VARCHAR(100) UNIQUE, created_at. audio_track_tags (M:N junction): track_id UUID FK→audio_tracks CASCADE, tag_id UUID FK→audio_tags CASCADE, created_at, PK=(track_id,tag_id).

The old schema uses updated_at triggers. SeaORM convention is to set updated_at in the ActiveModel (before_save hook) instead — either works.

---

5. Routes (parity table)

method path → behaviour (auth requirement). Loco controllers live in src/controllers/; register each with .add_route(...) in app.rs.

Auth (/auth)

• GET /auth/login → login page (public)
• POST /auth/login → login, HTML/HTMX response; sets session cookie
• POST /auth/login/json → login, JSON response
• GET /auth/register → register page (public)
• POST /auth/register → register, HTML/HTMX
• POST /auth/register/json → register, JSON
• POST /auth/logout → clear session
• GET /auth/me → current user (auth required)
• GET /auth/verify?token= → verify email
• POST /auth/verify/resend → resend verification (auth required)

RBAC (/rbac)

• GET /rbac/permissions → list all permissions (public)
• GET /rbac/roles → list all roles (public)
• GET /rbac/me → current user roles+permissions (auth)
• GET /rbac/users/{id}/roles → (auth)
• GET /rbac/users/{id}/permissions → (auth)
• POST /rbac/users/{id}/roles → assign role (SuperAdmin)
• DELETE /rbac/users/{id}/roles/{role} → remove role (SuperAdmin)

Blog

• GET /blog → published articles (public)
• GET /blog/{slug} → article, increments view_count (public)
• GET /admin/blog & /admin/blog/articles → admin list (Moderator+)
• GET|POST /admin/blog/articles/create → create form / submit (Moderator+)
• GET|POST /admin/blog/articles/{id}/edit → edit form / submit (Moderator+)
• GET /admin/blog/articles/{id}/delete → delete (Moderator+)

Admin (/admin)

• GET /admin → redirect to /admin/dashboard
• GET /admin/dashboard → dashboard + system stats (Moderator+)
• GET /admin/users & /admin/users/list → user list, filter+paginate (Admin+)
• GET /admin/users/{id} → user detail (Admin+)
• GET /admin/users/{id}/roles → roles form (Admin+)
• POST /admin/users/{id}/roles/assign → assign (Admin+)
• POST /admin/users/{id}/roles/{role}/remove → remove (Admin+)
• GET /admin/audit-logs → audit log list (Moderator+)

Audio (public + admin)

• POST /audio/upload → raw audio upload (auth)
• GET /audio/stream/{filename} → stream raw file, range-aware (public)
• GET /audio/albums → published albums (public)
• GET /audio/albums/{slug} → album + tracks (public)
• GET /audio/tracks/{id}/stream → stream track, range-aware (public)
• GET /admin/audio/albums → admin album list (Moderator+)
• GET|POST /admin/audio/albums/create → (Moderator+)
• GET|POST /admin/audio/albums/{id}/edit → (Moderator+)
• GET /admin/audio/albums/{id}/delete → (Moderator+)
• GET /admin/audio/albums/{id}/tracks → track list (Moderator+)
• GET /admin/audio/albums/{id}/tracks/upload → upload form (Moderator+)
• POST /admin/audio/albums/{id}/tracks/upload-file → multipart upload, 50 MB (Moderator+)
• GET|POST /admin/audio/tracks/{id}/edit → (Moderator+)
• GET /admin/audio/tracks/{id}/delete → (Moderator+)
• GET /admin/audio/tags → tag list (Moderator+)
• POST /admin/audio/tags → create tag (Moderator+)

Images

• POST /images/upload → upload, validate ext+MIME, max 10 MB (auth)
• GET /images/serve/{filename} → serve with MIME + cache headers (public)

Misc

• GET / → home (public)
• GET /layout/navbar → navbar fragment reflecting auth state (public)
• GET /theme → current theme; GET /theme/set?... → set theme (public)
• GET /static/* → static files
• GET /swagger-ui/, GET /api-docs/openapi.json → API docs

---

6. Feature details

6.1 Auth

• Register: validate email + password (8–64 chars), reject duplicate email, argon2-hash password, insert user, assign default user role.
• Login: look up by email, verify password (constant-time), create session.
• Admin bootstrap: on successful login, if user.email (case-insensitive) equals config admin_email, assign SuperAdmin role (idempotent) and write an audit_logs row with action="admin_bootstrap". This is how the first admin is created — there is no seed user. Keep this behaviour.
• Email verification: token table + email_verified/email_verified_at. The old app stored tokens but never emailed them — the Loco rewrite should actually send the email via the scaffolded mailers/auth.
• Every response that changes auth state should let the navbar refresh (GET /layout/navbar).

6.2 RBAC

• Roles: SuperAdmin, Admin (same perms as SuperAdmin), Moderator, User.
• Permissions (~14): users.{create,read,update,delete,manage_roles}, roles.assign, content.{create,read,update,delete,moderate}, images.{create,read,update,delete}.
• Role→permission mapping:
  • SuperAdmin / Admin → all permissions.
  • Moderator → content.read/update/moderate, users.read, images.read/delete.
  • User (default) → content.read, images.create/read.
• A middleware loads the current user's UserPermissions into request extensions on every request so handlers/views can check access. In Loco, do this with a middleware layer or a custom extractor. Provide guard helpers equivalent to "Moderator+", "Admin+", "SuperAdmin".

6.3 Admin

• Dashboard with system stats (user counts, content counts) — Moderator+.
• User management: list with search filter + pagination, detail view — Admin+.
• Role assign/remove per user, each writing an audit_logs entry — Admin+.
• Audit log viewer — Moderator+.
• AuditLog fields: action, target_type, target_id, JSONB details, ip_address, user_agent. Populate IP + user-agent from request headers.

6.4 Blog

• Public: list published articles (paginate), view by slug (increments view_count).
• Admin (Moderator+): create / edit / delete, draft↔publish (published_at set on publish), drafts visible only in admin.
• Slug auto-generated from title: lowercase, alphanumeric + hyphens, collapse repeats; uniqueness enforced by DB — surface a clear "already exists" error.
• author_id = current user. featured_image_id references an uploaded image id.

6.5 Audio dashboard

• Albums: CRUD, publish workflow, public list shows published only, slug URLs, cover_image_id references an image, view_count.
• Tracks: belong to an album, multipart upload (50 MB cap, extensions mp3 wav ogg flac aac m4a webm), track_number, duration (seconds, nullable — upload does not extract it; the player reads it from the audio element instead), featured, play_count, slug unique per album.
• Tags: create + assign to tracks (M:N). Tag has unique name + slug.

6.6 Audio streaming & player

• stream_track / stream_handler must honour Range requests (see §3.5).
• The old app has a persistent bottom-bar player (templates/player/player.html): hidden <audio> + Alpine.js, play/pause, prev/next, seek bar, volume persisted to localStorage, auto-advance on track end. It is a sibling of the main content so HTMX navigation never tears it down — music keeps playing across pages.
• Pages drive it via one global JS API: MusicPlayer.playQueue(containerSelector, startIndex), reading data-* attributes off track rows (no JSON in markup).
• This is a frontend concern — reproduce the behaviour in the new GUI; the backend only needs the range-aware stream endpoints + track metadata.

6.7 Images

• Upload: multipart, validate extension (jpg jpeg png webp gif) and MIME, max 10 MB, store via storage backend, return a file id.
• Serve: public, correct MIME (guessed from extension), long-cache headers.
• Image ids are referenced by blog_articles.featured_image_id and audio_albums.cover_image_id (stored as strings, not FKs).

6.8 Theme

• Per-user theme column (light/dark); also a cookie for anonymous users.
• GET /theme returns current, GET /theme/set toggles/sets it.
• Maps to DaisyUI themes in the old GUI (winter/dracula). New GUI decides its own theming, but keep the per-user persisted preference.

6.9 Storage

• Default backend: local filesystem under uploads/ (uploads/images, uploads/audio). Keep S3/Azure/GCS reachable via config only.
• Path-traversal protection on every user-supplied filename/path.
• Use Loco's storage module; configure backends in config/*.yaml.

---

7. Configuration / env

Old .env:

DATABASE_URL=postgres://uni_web_user:1@localhost/universal_web
ADMIN_EMAIL=filippriec@gmail.com

In Loco, move these into config/development.yaml (DB url under database:) and add a custom settings: entry for admin_email (read via ctx.config.settings). The old default bind address is 0.0.0.0:3000 — set under server: in the yaml.

---

8. What the Loco scaffold already gives you

Already generated in this directory — reuse, don't rebuild:

• src/controllers/auth.rs — register / login / verify / forgot / reset endpoints.
• src/models/users.rs + _entities/users.rs — user model with password hashing.
• src/mailers/auth/ — welcome / forgot-password / magic-link email templates.
• src/workers/downloader.rs — example background worker (bg mode = async).
• src/initializers/view_engine.rs — Tera view engine + i18n wiring.
• migration/ — SeaORM migration crate.
• config/{development,production,test}.yaml — config files.

---

9. Suggested implementation order

1. DB & models — port all 8 tables as SeaORM migrations; cargo loco db entities; reconcile users with the scaffold (§4.1).
2. Auth + sessions — settle §3.1, get register/login/logout/me working, including admin-bootstrap.
3. RBAC — roles/permissions, the permission-loading middleware, guard helpers.
4. Storage + images — storage backend, image upload/serve (unblocks blog/audio cover images).
5. Blog — CRUD + publish + public pages.
6. Audio dashboard — albums, tracks (multipart upload), tags.
7. Audio streaming + player — range-aware endpoints, then the player in the GUI.
8. Admin — dashboard, user management, role UI, audit log.
9. Theme, home/layout/navbar.
10. Swagger/OpenAPI (optional), tests, polish.

---

10. Testing

The old app has 19 tests (17 integration hitting a live server + 2 multipart upload) plus unit tests; see ../TESTING.md. Loco has a first-class testing story (#[tokio::test] + loco-rs testing feature, serial_test, insta snapshots — all already dev-deps). Re-create integration coverage for every route in §5, especially: public pages return 200, protected routes return 401/403 without auth, multipart uploads, and range requests on the streaming endpoints.

---

11. Notes / known quirks carried over

• Track duration is frequently NULL (upload never extracts it). The player reads duration from the <audio> element's metadata, so the seek bar works anyway — don't block on server-side duration extraction.
• Admin and SuperAdmin have identical permission sets; only role-assignment endpoints are SuperAdmin-gated.
• Image references (featured_image_id, cover_image_id) are plain strings, not foreign keys — the rewrite may upgrade these to real FKs if desired.