feat: expose CRUD, onboarding, pubsub via web

lib/localiser/web/plugs/admin_required.ex

@@ -0,0 +1,14 @@
+defmodule Localiser.Web.Plugs.AdminRequired do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(%{assigns: %{current_user: %{is_admin: true}}} = conn, _opts), do: conn
+
+  def call(conn, _opts) do
+    conn
+    |> put_resp_content_type("application/json")
+    |> send_resp(403, ~s({"error":"admin required"}))
+    |> halt()
+  end
+end

lib/localiser/web/plugs/auth_required.ex

@@ -0,0 +1,24 @@
+defmodule Localiser.Web.Plugs.AuthRequired do
+  import Plug.Conn
+
+  alias Localiser.Web.Token
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    with ["Bearer " <> token] <- get_req_header(conn, "authorization"),
+         {:ok, claims} <- Token.verify_token(token) do
+      assign(conn, :current_user, %{
+        user_id:  claims["user_id"],
+        username: claims["username"],
+        is_admin: claims["is_admin"]
+      })
+    else
+      _ ->
+        conn
+        |> put_resp_content_type("application/json")
+        |> send_resp(401, ~s({"error":"unauthorised"}))
+        |> halt()
+    end
+  end
+end

lib/localiser/web/plugs/bootstrap_guard.ex

@@ -0,0 +1,19 @@
+defmodule Localiser.Web.Plugs.BootstrapGuard do
+  @moduledoc "Halts with 403 if any users already exist - protects POST /api/setup."
+  import Plug.Conn
+
+  alias Localiser.Domain.Users
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    if Users.any?() do
+      conn
+      |> put_resp_content_type("application/json")
+      |> send_resp(403, ~s({"error":"system already initialised"}))
+      |> halt()
+    else
+      conn
+    end
+  end
+end