fix(auth): harden token parsing, improve error handling and config redaction

peer-cat · peer-cat · commit 9a25d3cd04a4 · 2026-04-16T08:02:22.000+02:00
- Fix Bearer token parsing to require the space delimiter ("Bearer "
  instead of "Bearer"), preventing tokens with a "Bearer" prefix from
  being silently accepted with a mangled value
- Rename BearerToken::value() to as_str(), returning &amp;str to avoid
  unnecessary cloning
- Fix double-negative in doc comments: "JWT is not invalid" → "JWT is
  invalid"
- Distinguish RowNotFound from other database errors in
  get_token_generation (mysql + sqlite) instead of mapping all errors
  to UserNotFound
- Propagate database errors properly in verify_token_handler
- Only redact auth config fields when present (Some), avoiding
  overwriting None values; also redact public key fields
- Add tracing::warn when configured key paths don't exist and the
  system falls back to ephemeral keys
- Replace hardcoded JWT tokens in doc examples with &lt;JWT_TOKEN&gt;
  placeholder
- Update e2e test environment redaction to match new config logic
diff --git a/src/config/v2/auth.rs b/src/config/v2/auth.rs
@@ -1,6 +1,7 @@
 use std::path::Path;
 
 use serde::{Deserialize, Serialize};
+use tracing::warn;
 
 /// Default session-token lifetime: 2 weeks (1 209 600 s).
 const DEFAULT_SESSION_TOKEN_LIFETIME_SECS: u64 = 1_209_600;
@@ -123,6 +124,7 @@ impl Auth {
             if Path::new(path).exists() {
                 return Some(std::fs::read(path).unwrap_or_else(|e| panic!("Failed to read RSA private key from `{path}`: {e}")));
             }
+            warn!("configured private_key_path `{path}` does not exist, falling back to ephemeral keys");
         }
 
         None
@@ -151,6 +153,7 @@ impl Auth {
             if Path::new(path).exists() {
                 return Some(std::fs::read(path).unwrap_or_else(|e| panic!("Failed to read RSA public key from `{path}`: {e}")));
             }
+            warn!("configured public_key_path `{path}` does not exist, falling back to ephemeral keys");
         }
 
         None
diff --git a/src/config/v2/mod.rs b/src/config/v2/mod.rs
@@ -111,8 +111,18 @@ impl Settings {
             let _ = self.database.connect_url.set_password(Some("***"));
         }
         "***".clone_into(&mut self.mail.smtp.credentials.password);
-        self.auth.private_key_pem = Some("***-redacted-private-key-pem***".to_owned());
-        self.auth.private_key_path = Some("***-redacted***".to_owned());
+        if let Some(private_key_pem) = self.auth.private_key_pem.as_mut() {
+            "***-redacted-private-key-pem***".clone_into(private_key_pem);
+        }
+        if let Some(private_key_path) = self.auth.private_key_path.as_mut() {
+            "***-redacted***".clone_into(private_key_path);
+        }
+        if let Some(public_key_pem) = self.auth.public_key_pem.as_mut() {
+            "***-redacted-public-key-pem***".clone_into(public_key_pem);
+        }
+        if let Some(public_key_path) = self.auth.public_key_path.as_mut() {
+            "***-redacted***".clone_into(public_key_path);
+        }
     }
 
     /// Encodes the configuration to TOML.
diff --git a/src/databases/mysql.rs b/src/databases/mysql.rs
@@ -304,8 +304,11 @@ impl Database for Mysql {
             .bind(user_id)
             .fetch_one(&self.pool)
             .await
-            .map(|(v,): (i64,)| u64::try_from(v).unwrap_or(0))
-            .map_err(|_| database::Error::UserNotFound)
+            .map_err(|e| match e {
+                sqlx::Error::RowNotFound => database::Error::UserNotFound,
+                _ => database::Error::Error,
+            })
+            .and_then(|(v,): (i64,)| u64::try_from(v).map_err(|_| database::Error::Error))
     }
 
     async fn increment_token_generation(&self, user_id: i64) -> Result<(), database::Error> {
diff --git a/src/databases/sqlite.rs b/src/databases/sqlite.rs
@@ -300,8 +300,11 @@ impl Database for Sqlite {
             .bind(user_id)
             .fetch_one(&self.pool)
             .await
-            .map(|(v,): (i64,)| u64::try_from(v).unwrap_or(0))
-            .map_err(|_| database::Error::UserNotFound)
+            .map_err(|e| match e {
+                sqlx::Error::RowNotFound => database::Error::UserNotFound,
+                _ => database::Error::Error,
+            })
+            .and_then(|(v,): (i64,)| u64::try_from(v).map_err(|_| database::Error::Error))
     }
 
     async fn increment_token_generation(&self, user_id: i64) -> Result<(), database::Error> {
diff --git a/src/web/api/server/v1/auth.rs b/src/web/api/server/v1/auth.rs
@@ -155,7 +155,7 @@ impl Authentication {
     /// This function will return an error if the JWT is invalid, expired,
     /// or if the token's generation has been revoked.
     pub async fn get_user_id_from_bearer_token(&self, token: BearerToken) -> Result<UserId, AuthError> {
-        let claims = self.json_web_token.verify(&token.value())?;
+        let claims = self.json_web_token.verify(token.as_str())?;
         self.validate_token_generation(&claims).await?;
         Ok(claims.sub)
     }
@@ -184,7 +184,7 @@ impl Authentication {
 pub fn parse_token(authorization: &HeaderValue) -> Result<String, AuthError> {
     let header_str = authorization.to_str().map_err(|_| AuthError::TokenInvalid)?;
 
-    let token = header_str.strip_prefix("Bearer").ok_or(AuthError::TokenInvalid)?.trim();
+    let token = header_str.strip_prefix("Bearer ").ok_or(AuthError::TokenInvalid)?.trim();
 
     if token.is_empty() {
         return Err(AuthError::TokenInvalid);
diff --git a/src/web/api/server/v1/contexts/category/mod.rs b/src/web/api/server/v1/contexts/category/mod.rs
@@ -81,7 +81,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request POST \
 //!   --data '{"name":"new category","icon":null}' \
 //!   http://127.0.0.1:3001/v1/category
@@ -119,7 +119,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request DELETE \
 //!   --data '{"name":"new category","icon":null}' \
 //!   http://127.0.0.1:3001/v1/category
diff --git a/src/web/api/server/v1/contexts/proxy/mod.rs b/src/web/api/server/v1/contexts/proxy/mod.rs
@@ -47,7 +47,7 @@
 //!
 //! ```bash
 //! curl \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --header "cache-control: no-cache" \
 //!   --header "pragma: no-cache" \
 //!   --output mandelbrotset.jpg \
diff --git a/src/web/api/server/v1/contexts/settings/mod.rs b/src/web/api/server/v1/contexts/settings/mod.rs
@@ -19,7 +19,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request GET \
 //!   "http://127.0.0.1:3001/v1/settings"
 //! ```
diff --git a/src/web/api/server/v1/contexts/tag/mod.rs b/src/web/api/server/v1/contexts/tag/mod.rs
@@ -61,7 +61,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request POST \
 //!   --data '{"name":"new tag"}' \
 //!   http://127.0.0.1:3001/v1/tag
@@ -98,7 +98,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request DELETE \
 //!   --data '{"tag_id":1}' \
 //!   http://127.0.0.1:3001/v1/tag
diff --git a/src/web/api/server/v1/contexts/torrent/mod.rs b/src/web/api/server/v1/contexts/torrent/mod.rs
@@ -48,7 +48,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: multipart/form-data" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request POST \
 //!   --form "title=MandelbrotSet" \
 //!   --form "description=MandelbrotSet image" \
@@ -87,7 +87,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/x-bittorrent" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --output mandelbrot_2048x2048_infohash_v1.png.torrent \
 //!   "http://127.0.0.1:3001/v1/torrent/download/5452869BE36F9F3350CCEE6B4544E7E76CAAADAB"
 //! ```
@@ -129,7 +129,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request GET \
 //!   "http://127.0.0.1:3001/v1/torrent/5452869BE36F9F3350CCEE6B4544E7E76CAAADAB"
 //! ```
@@ -215,7 +215,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request GET \
 //!   "http://127.0.0.1:3001/v1/torrents"
 //! ```
@@ -279,7 +279,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request PUT \
 //!   --data '{"title":"MandelbrotSet", "description":"MandelbrotSet image"}' \
 //!   "http://127.0.0.1:3001/v1/torrent/5452869BE36F9F3350CCEE6B4544E7E76CAAADAB"
@@ -336,7 +336,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request DELETE \
 //!   "http://127.0.0.1:3001/v1/torrent/5452869BE36F9F3350CCEE6B4544E7E76CAAADAB"
 //! ```
diff --git a/src/web/api/server/v1/contexts/user/handlers.rs b/src/web/api/server/v1/contexts/user/handlers.rs
@@ -72,7 +72,7 @@ pub async fn email_verification_handler(State(app_data): State<Arc<AppData>>, Pa
 /// It returns an error if:
 ///
 /// - Unable to verify the supplied payload as a valid JWT.
-/// - The JWT is not invalid or expired.
+/// - The JWT is invalid or expired.
 #[allow(clippy::unused_async)]
 pub async fn login_handler(
     State(app_data): State<Arc<AppData>>,
@@ -95,7 +95,7 @@ pub async fn login_handler(
 /// It returns an error if:
 ///
 /// - Unable to verify the supplied payload as a valid JWT.
-/// - The JWT is not invalid or expired.
+/// - The JWT is invalid or expired.
 /// - The token's generation has been revoked.
 pub async fn verify_token_handler(
     State(app_data): State<Arc<AppData>>,
@@ -107,8 +107,9 @@ pub async fn verify_token_handler(
     };
 
     // Validate token generation against the database
-    let Ok(current_gen) = app_data.database.get_token_generation(claims.sub).await else {
-        return AuthError::UserNotFound.into_response();
+    let current_gen = match app_data.database.get_token_generation(claims.sub).await {
+        Ok(generation) => generation,
+        Err(e) => return AuthError::from(e).into_response(),
     };
 
     if claims.token_gen < current_gen {
@@ -131,7 +132,7 @@ pub struct UsernameParam(pub String);
 /// It returns an error if:
 ///
 /// - Unable to parse the supplied payload as a valid JWT.
-/// - The JWT is not invalid or expired.
+/// - The JWT is invalid or expired.
 #[allow(clippy::unused_async)]
 pub async fn renew_token_handler(
     State(app_data): State<Arc<AppData>>,
diff --git a/src/web/api/server/v1/contexts/user/mod.rs b/src/web/api/server/v1/contexts/user/mod.rs
@@ -123,7 +123,7 @@
 //!
 //! Name | Type | Description | Required | Example
 //! ---|---|---|---|---
-//! `token` | `String` | The token you want to verify  | Yes | `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak`
+//! `token` | `String` | The token you want to verify  | Yes | `<JWT_TOKEN>`
 //!
 //! Refer to the [`JsonWebToken`](crate::web::api::server::v1::contexts::user::forms::JsonWebToken)
 //! struct for more information about the token.
@@ -134,7 +134,7 @@
 //! curl \
 //!   --header "Content-Type: application/json" \
 //!   --request POST \
-//!   --data '{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak"}' \
+//!   --data '{"token":"<JWT_TOKEN>"}' \
 //!   http://127.0.0.1:3001/v1/user/token/verify
 //! ```
 //!
@@ -169,7 +169,7 @@
 //!
 //! Name | Type | Description | Required | Example
 //! ---|---|---|---|---
-//! `token` | `String` | The current valid token | Yes | `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak`
+//! `token` | `String` | The current valid token | Yes | `<JWT_TOKEN>`
 //!
 //! Refer to the [`JsonWebToken`](crate::web::api::server::v1::contexts::user::forms::JsonWebToken)
 //! struct for more information about the token.
@@ -180,7 +180,7 @@
 //! curl \
 //!   --header "Content-Type: application/json" \
 //!   --request POST \
-//!   --data '{"token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak"}' \
+//!   --data '{"token":"<JWT_TOKEN>"}' \
 //!   http://127.0.0.1:3001/v1/user/token/renew
 //! ```
 //!
@@ -191,7 +191,7 @@
 //! ```json
 //! {
 //!   "data": {
-//!     "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak",
+//!     "token": "<JWT_TOKEN>",
 //!     "username": "indexadmin",
 //!     "admin": true
 //!   }
@@ -225,7 +225,7 @@
 //! ```bash
 //! curl \
 //!   --header "Content-Type: application/json" \
-//!   --header "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOjEsImlzcyI6InRvcnJ1c3QtaW5kZXgiLCJhdWQiOiJzZXNzaW9uIiwiaWF0IjoxNjg2MjE1Nzg4LCJleHAiOjE2ODc0MjUzODgsInJvbGUiOiJhZG1pbiIsInVzZXJuYW1lIjoiaW5kZXhhZG1pbiJ9.-EfY9CrZz2OLfjiVQzkhxSjV7tWTFivP2yMuzZkbEak" \
+//!   --header "Authorization: Bearer <JWT_TOKEN>" \
 //!   --request DELETE \
 //!   http://127.0.0.1:3001/v1/user/ban/indexadmin
 //! ```
diff --git a/src/web/api/server/v1/extractors/bearer_token.rs b/src/web/api/server/v1/extractors/bearer_token.rs
@@ -23,8 +23,8 @@ pub struct BearerToken(String);
 
 impl BearerToken {
     #[must_use]
-    pub fn value(&self) -> String {
-        self.0.clone()
+    pub fn as_str(&self) -> &str {
+        &self.0
     }
 }
 
diff --git a/tests/e2e/environment.rs b/tests/e2e/environment.rs
@@ -114,7 +114,12 @@ impl TestEnv {
 
                 "***".clone_into(&mut settings.mail.smtp.credentials.password);
 
-                settings.auth.private_key_path = Some("***-redacted***".to_owned());
+                if let Some(private_key_path) = settings.auth.private_key_path.as_mut() {
+                    "***-redacted***".clone_into(private_key_path);
+                }
+                if let Some(public_key_path) = settings.auth.public_key_path.as_mut() {
+                    "***-redacted***".clone_into(public_key_path);
+                }
 
                 Some(settings)
             }

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,7 @@`
`1`	`1`	`use std::path::Path;`
`2`	`2`
`3`	`3`	`use serde::{Deserialize, Serialize};`
	`4`	`+use tracing::warn;`
`4`	`5`
`5`	`6`	`/// Default session-token lifetime: 2 weeks (1 209 600 s).`
`6`	`7`	`const DEFAULT_SESSION_TOKEN_LIFETIME_SECS: u64 = 1_209_600;`
`@@ -123,6 +124,7 @@ impl Auth {`
`123`	`124`	`if Path::new(path).exists() {`
`124`	`125`	return Some(std::fs::read(path).unwrap_or_else(\|e\| panic!("Failed to read RSA private key from `{path}`: {e}")));
`125`	`126`	`}`
	`127`	+ warn!("configured private_key_path `{path}` does not exist, falling back to ephemeral keys");
`126`	`128`	`}`
`127`	`129`
`128`	`130`	`None`
`@@ -151,6 +153,7 @@ impl Auth {`
`151`	`153`	`if Path::new(path).exists() {`
`152`	`154`	return Some(std::fs::read(path).unwrap_or_else(\|e\| panic!("Failed to read RSA public key from `{path}`: {e}")));
`153`	`155`	`}`
	`156`	+ warn!("configured public_key_path `{path}` does not exist, falling back to ephemeral keys");
`154`	`157`	`}`
`155`	`158`
`156`	`159`	`None`