nxtgauge-backend-rust/crates/storage/src/lib.rs

//! Backblaze B2 file storage via S3-compatible API.
//!
//! Configuration (environment variables):
//!   B2_ACCESS_KEY_ID   — Application Key ID (preferred)
//!   B2_SECRET_ACCESS_KEY — Application Key secret (preferred)
//!   B2_KEY_ID          — Legacy alias for access key ID
//!   B2_APPLICATION_KEY — Legacy alias for secret key
//!   B2_BUCKET_NAME     — Bucket name (e.g. Nxtgauge-object)
//!   B2_ENDPOINT        — S3 endpoint (e.g. s3.eu-central-003.backblazeb2.com)
//!   B2_REGION          — Region (e.g. eu-central-003)
//!   B2_USE_PATH_STYLE  — true/false (default true)

use anyhow::{Context, Result};
use aws_config::{BehaviorVersion, Region};
use aws_credential_types::Credentials;
use aws_sdk_s3::Client;
use aws_sdk_s3::config::{Builder as S3ConfigBuilder, SharedCredentialsProvider};
use aws_sdk_s3::primitives::ByteStream;
use bytes::Bytes;
use uuid::Uuid;

#[derive(Clone)]
pub struct StorageClient {
    client: Client,
    bucket: String,
    public_base_url: String,
}

impl StorageClient {
    fn env_required(primary: &str, legacy: &str) -> String {
        std::env::var(primary)
            .or_else(|_| std::env::var(legacy))
            .unwrap_or_else(|_| panic!("{} (or {}) must be set", primary, legacy))
    }

    /// Build from environment variables. Panics if required vars are missing.
    pub async fn from_env() -> Self {
        let key_id = Self::env_required("B2_ACCESS_KEY_ID", "B2_KEY_ID");
        let app_key = Self::env_required("B2_SECRET_ACCESS_KEY", "B2_APPLICATION_KEY");
        let bucket = std::env::var("B2_BUCKET_NAME").expect("B2_BUCKET_NAME must be set");
        let endpoint = std::env::var("B2_ENDPOINT")
            .expect("B2_ENDPOINT must be set")
            .trim_start_matches("https://")
            .trim_start_matches("http://")
            .to_string();
        let region = std::env::var("B2_REGION").expect("B2_REGION must be set");
        let use_path_style = std::env::var("B2_USE_PATH_STYLE")
            .ok()
            .map(|v| matches!(v.to_ascii_lowercase().as_str(), "1" | "true" | "yes" | "y"))
            .unwrap_or(true);

        let creds = Credentials::new(key_id, app_key, None, None, "nxtgauge-storage");
        let endpoint_url = format!("https://{}", endpoint);
        let public_base_url = format!("https://{}/{}", endpoint, bucket);

        let s3_config = S3ConfigBuilder::new()
            .behavior_version(BehaviorVersion::latest())
            .endpoint_url(endpoint_url)
            .region(Region::new(region))
            .credentials_provider(SharedCredentialsProvider::new(creds))
            .force_path_style(use_path_style)
            .build();

        let client = Client::from_conf(s3_config);
        Self { client, bucket, public_base_url }
    }

    /// Upload bytes to B2. Returns the public URL.
    ///
    /// `prefix` — e.g. "portfolio", "resume", "profile"
    /// `ext`    — file extension without dot, e.g. "jpg", "pdf"
    pub async fn upload(&self, prefix: &str, ext: &str, data: Bytes, content_type: &str) -> Result<String> {
        let key = format!("{}/{}.{}", prefix, Uuid::new_v4(), ext);

        self.client
            .put_object()
            .bucket(&self.bucket)
            .key(&key)
            .body(ByteStream::from(data))
            .content_type(content_type)
            .send()
            .await
            .context("B2 upload failed")?;

        Ok(format!("{}/{}", self.public_base_url, key))
    }

    /// Delete a file by its full public URL (best-effort — logs on failure).
    pub async fn delete_by_url(&self, url: &str) {
        let prefix = format!("{}/", self.public_base_url);
        if let Some(key) = url.strip_prefix(&prefix) {
            if let Err(e) = self.client
                .delete_object()
                .bucket(&self.bucket)
                .key(key)
                .send()
                .await
            {
                tracing::warn!("B2 delete failed for key={}: {}", key, e);
            }
        }
    }
}
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`//! Backblaze B2 file storage via S3-compatible API.`
			`//!`
			`//! Configuration (environment variables):`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`//! B2_ACCESS_KEY_ID — Application Key ID (preferred)`
			`//! B2_SECRET_ACCESS_KEY — Application Key secret (preferred)`
			`//! B2_KEY_ID — Legacy alias for access key ID`
			`//! B2_APPLICATION_KEY — Legacy alias for secret key`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`//! B2_BUCKET_NAME — Bucket name (e.g. Nxtgauge-object)`
			`//! B2_ENDPOINT — S3 endpoint (e.g. s3.eu-central-003.backblazeb2.com)`
			`//! B2_REGION — Region (e.g. eu-central-003)`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`//! B2_USE_PATH_STYLE — true/false (default true)`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00
			`use anyhow::{Context, Result};`
chore: sync latest dashboard and role flow updates 2026-04-05 16:52:01 +02:00			`use aws_config::{BehaviorVersion, Region};`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`use aws_credential_types::Credentials;`
			`use aws_sdk_s3::Client;`
			`use aws_sdk_s3::config::{Builder as S3ConfigBuilder, SharedCredentialsProvider};`
			`use aws_sdk_s3::primitives::ByteStream;`
			`use bytes::Bytes;`
			`use uuid::Uuid;`

			`#[derive(Clone)]`
			`pub struct StorageClient {`
			`client: Client,`
			`bucket: String,`
			`public_base_url: String,`
			`}`

			`impl StorageClient {`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`fn env_required(primary: &str, legacy: &str) -> String {`
			`std::env::var(primary)`
			`.or_else(\|_\| std::env::var(legacy))`
			`.unwrap_or_else(\|_\| panic!("{} (or {}) must be set", primary, legacy))`
			`}`

feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`/// Build from environment variables. Panics if required vars are missing.`
			`pub async fn from_env() -> Self {`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`let key_id = Self::env_required("B2_ACCESS_KEY_ID", "B2_KEY_ID");`
			`let app_key = Self::env_required("B2_SECRET_ACCESS_KEY", "B2_APPLICATION_KEY");`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`let bucket = std::env::var("B2_BUCKET_NAME").expect("B2_BUCKET_NAME must be set");`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`let endpoint = std::env::var("B2_ENDPOINT")`
			`.expect("B2_ENDPOINT must be set")`
			`.trim_start_matches("https://")`
			`.trim_start_matches("http://")`
			`.to_string();`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`let region = std::env::var("B2_REGION").expect("B2_REGION must be set");`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`let use_path_style = std::env::var("B2_USE_PATH_STYLE")`
			`.ok()`
			`.map(\|v\| matches!(v.to_ascii_lowercase().as_str(), "1" \| "true" \| "yes" \| "y"))`
			`.unwrap_or(true);`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00
			`let creds = Credentials::new(key_id, app_key, None, None, "nxtgauge-storage");`
			`let endpoint_url = format!("https://{}", endpoint);`
			`let public_base_url = format!("https://{}/{}", endpoint, bucket);`

			`let s3_config = S3ConfigBuilder::new()`
chore: sync latest dashboard and role flow updates 2026-04-05 16:52:01 +02:00			`.behavior_version(BehaviorVersion::latest())`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`.endpoint_url(endpoint_url)`
			`.region(Region::new(region))`
			`.credentials_provider(SharedCredentialsProvider::new(creds))`
feat(backend): enforce profile approvals and complete migration approval flows 2026-03-19 00:30:23 +01:00			`.force_path_style(use_path_style)`
feat: add Redis for OTP, auth tokens, rate limiting, lead dedup and marketplace cache - Add crates/cache with client, otp, rate_limit, token, lead, jobs modules - OTP tokens stored in Redis (15-min TTL, single-use GETDEL on verify) - Refresh tokens stored in Redis (30-day TTL) — removed DB storage - Password reset tokens stored in Redis (1-hour TTL, single-use) - Rate limiting: register (10/hr), login (10/15min), OTP resend (3/hr), lead (5/hr), job post (20/hr) - Lead request deduplication: 24-hour Redis lock per professional+requirement pair - Marketplace listings cached in Redis (5-min TTL per profession+page+limit) - Add ProfessionState{pool, redis} to contracts crate, replacing bare PgPool in all 9 profession apps - All profession handlers and main.rs updated to use ProfessionState - REDIS_URL env var (default: redis://127.0.0.1:6379) used across all services - Fix profession model struct name mangling in 6 handlers (MakeupArtistRepository etc.) - Add custom_data JSONB migration for all 9 profession profile tables - Add onboarding_state model and repository (save_progress, complete, is_complete) - Add onboarding handler accepting roleKey:String (not role_id:UUID) for frontend compat Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> 2026-03-18 22:58:42 +01:00			`.build();`

			`let client = Client::from_conf(s3_config);`
			`Self { client, bucket, public_base_url }`
			`}`

			`/// Upload bytes to B2. Returns the public URL.`
			`///`
			/// `prefix` — e.g. "portfolio", "resume", "profile"
			/// `ext` — file extension without dot, e.g. "jpg", "pdf"
			`pub async fn upload(&self, prefix: &str, ext: &str, data: Bytes, content_type: &str) -> Result<String> {`
			`let key = format!("{}/{}.{}", prefix, Uuid::new_v4(), ext);`

			`self.client`
			`.put_object()`
			`.bucket(&self.bucket)`
			`.key(&key)`
			`.body(ByteStream::from(data))`
			`.content_type(content_type)`
			`.send()`
			`.await`
			`.context("B2 upload failed")?;`

			`Ok(format!("{}/{}", self.public_base_url, key))`
			`}`

			`/// Delete a file by its full public URL (best-effort — logs on failure).`
			`pub async fn delete_by_url(&self, url: &str) {`
			`let prefix = format!("{}/", self.public_base_url);`
			`if let Some(key) = url.strip_prefix(&prefix) {`
			`if let Err(e) = self.client`
			`.delete_object()`
			`.bucket(&self.bucket)`
			`.key(key)`
			`.send()`
			`.await`
			`{`
			`tracing::warn!("B2 delete failed for key={}: {}", key, e);`
			`}`
			`}`
			`}`
			`}`