Fix schema public permission denied for migrator (#162)

* Add TODOs for authentication errors that was missed with my last PR

* Set the DATABASE_SCHEMA env var for the migrator service to use when applying migrations

* Print out the database schema being used for migrations

* Try setting the schema CLI flag explicitly

Author: jhodapp

docker-compose.yaml

@@ -38,6 +38,7 @@ services:
       ROLE: migrator                        # entrypoint knows to migrate
       RUST_ENV: ${RUST_ENV}                 # development, staging, production
       POSTGRES_SSL_ROOT_CERT: ${POSTGRES_SSL_ROOT_CERT}
+      DATABASE_SCHEMA: ${POSTGRES_SCHEMA:-public}
       DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}?${POSTGRES_OPTIONS}
       PLATFORM: ${PLATFORM}
       BACKEND_IMAGE_NAME: ${BACKEND_IMAGE_NAME}
@@ -61,7 +62,7 @@ services:
       POSTGRES_USER: ${POSTGRES_USER}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
       POSTGRES_DB: ${POSTGRES_DB}
-      POSTGRES_SCHEMA: ${POSTGRES_SCHEMA}
+      POSTGRES_SCHEMA: ${POSTGRES_SCHEMA:-public}
       POSTGRES_HOST: ${POSTGRES_HOST}
       POSTGRES_PORT: ${POSTGRES_PORT}
       POSTGRES_SSL_ROOT_CERT: ${POSTGRES_SSL_ROOT_CERT}

entrypoint.sh

@@ -63,12 +63,14 @@ main() {
             log_info "Running in MIGRATOR mode"
             validate_binary "migrationctl"
             validate_env "DATABASE_URL"
+            validate_env "DATABASE_SCHEMA"
             validate_env "RUST_ENV"
 
             log_info "Running in $RUST_ENV environment"
+            log_info "Using schema $DATABASE_SCHEMA to apply the migrations in"
 
             log_success "Running SeaORM migrations..."
-            exec /app/migrationctl up
+            exec /app/migrationctl up -s $DATABASE_SCHEMA
             ;;
 
         app)

web/src/controller/user_session_controller.rs

@@ -38,12 +38,12 @@ pub async fn login(
     mut auth_session: AuthSession,
     Form(creds): Form<Credentials>,
 ) -> WebResult<impl IntoResponse> {
-    debug!("UserSessionController::login()");
-
     let user = match auth_session.authenticate(creds.clone()).await {
         Ok(Some(user)) => user,
         Ok(None) => {
             // No user found - this should also be treated as an authentication error
+            warn!("Authentication failed, invalid user: {:?}", creds.email);
+            // TODO: replace this with a more idiomatic Rust 1-liner using from/into
             return Err(WebError::from(domain::error::Error {
                 source: None,
                 error_kind: domain::error::DomainErrorKind::Internal(
@@ -54,8 +54,10 @@ pub async fn login(
             }));
         }
         Err(auth_error) => {
-            // axum_login errors contain our entity_api::Error in the error field
-            warn!("Authentication failed: {:?}", auth_error);
+            // Convert axum_login error to WebError by creating domain error manually.
+            // This maps EntityApiErrorKind::RecordUnauthenticated to a 401 through the web layer.
+            error!("Authentication failed with error: {:?}", auth_error);
+            // TODO: replace this with a more idiomatic Rust 1-liner using from/into
             return Err(WebError::from(domain::error::Error {
                 source: Some(Box::new(auth_error)),
                 error_kind: domain::error::DomainErrorKind::Internal(