pub async fn lookup_user_record(
    users_db: &Database,
    username: impl AsRef<str>,
) -> Result<(String, UserInfo)>
Look up a user’s record by username, without requiring the password.
Used by the service daemon’s challenge-response login flow. The daemon
fetches the user’s full UserInfo (including encrypted credentials and the
user’s private-database id) and ships it to the client. The client can then
derive the KEK locally, decrypt the root key, sign the challenge, and build
the User session entirely from the data already carried by the
TrustedLoginChallenge response, so no second wire read of _users is
required. The encrypted blob is designed to survive at rest; shipping it
over the local socket crosses the same trust boundary as a filesystem read.
See the Service Architecture doc § Trusted login threat model for the full
rationale.
§Returns
Tuple of (user_uuid, UserInfo) if the user exists and is active.