7 files changed, 512 insertions, 487 deletions
diff --git a/gitolfs3-server/Cargo.toml b/gitolfs3-server/Cargo.toml
index efea78b..5908770 100644
--- a/gitolfs3-server/Cargo.toml
+++ b/gitolfs3-server/Cargo.toml
@@ -1,20 +1,20 @@
 [package]
 name = "gitolfs3-server"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
 license = "MIT"
 [dependencies]
-aws-config = { version = "1.1.2" }
+aws-config = "1.6"
-aws-sdk-s3 = "1.12.0"
+aws-sdk-s3 = "1.82"
-axum = "0.7"
+axum = "0.8"
-base64 = "0.21"
+base64 = "0.22"
 chrono = { version = "0.4", features = ["serde"] }
 gitolfs3-common = { path = "../gitolfs3-common" }
 mime = "0.3"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-tokio = { version = "1.35", features = ["full"] }
+tokio = { version = "1.44", features = ["full"] }
 tokio-util = "0.7"
-tower = "0.4"
+tower = "0.5"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
diff --git a/gitolfs3-server/src/api.rs b/gitolfs3-server/src/api.rs
index dba7ada..87c1856 100644
--- a/gitolfs3-server/src/api.rs
+++ b/gitolfs3-server/src/api.rs
@@ -1,89 +1,33 @@
 use std::collections::HashMap;
 use axum::{
-    async_trait,
-    extract::{rejection, FromRequest, FromRequestParts, Request},
-    http::{header, request::Parts, HeaderValue, StatusCode},
-    response::{IntoResponse, Response},
    Extension, Json,
+    extract::{FromRequest, FromRequestParts, Request, rejection},
+    http,
+    response::{IntoResponse, Response},
 };
 use chrono::{DateTime, Utc};
 use gitolfs3_common::{Oid, Operation};
-use serde::{de::DeserializeOwned, Deserialize, Serialize};
+use serde::{Deserialize, Serialize, de::DeserializeOwned};
-pub const REPO_NOT_FOUND: GitLfsErrorResponse =
-    make_error_resp(StatusCode::NOT_FOUND, "Repository not found");
-#[derive(Clone)]
-pub struct RepositoryName(pub String);
-pub struct RepositoryNameRejection;
-impl IntoResponse for RepositoryNameRejection {
-    fn into_response(self) -> Response {
-        (StatusCode::INTERNAL_SERVER_ERROR, "Missing repository name").into_response()
-    }
-}
-#[async_trait]
-impl<S: Send + Sync> FromRequestParts<S> for RepositoryName {
-    type Rejection = RepositoryNameRejection;
-    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
-        let Ok(Extension(repo_name)) = Extension::<Self>::from_request_parts(parts, state).await
-        else {
-            return Err(RepositoryNameRejection);
-        };
-        Ok(repo_name)
-    }
-}
-#[derive(Debug, Serialize, Deserialize, PartialEq, Eq, Clone, Copy)]
+// ----------------------- Generic facilities ----------------------
-pub enum TransferAdapter {
-    #[serde(rename = "basic")]
-    Basic,
-    #[serde(other)]
-    Unknown,
-}
-#[derive(Debug, Serialize, Deserialize, PartialEq, Eq, Clone, Copy)]
+pub type GitLfsErrorResponse<'a> = (http::StatusCode, GitLfsJson<GitLfsErrorData<'a>>);
-pub enum HashAlgo {
-    #[serde(rename = "sha256")]
-    Sha256,
-    #[serde(other)]
-    Unknown,
-}
-impl Default for HashAlgo {
+#[derive(Debug, Serialize)]
-    fn default() -> Self {
+pub struct GitLfsErrorData<'a> {
-        Self::Sha256
+    pub message: &'a str,
-    }
-}
-#[derive(Debug, Deserialize, PartialEq, Eq, Clone)]
-pub struct BatchRequestObject {
-    pub oid: Oid,
-    pub size: i64,
-}
-#[derive(Debug, Serialize, Deserialize, Clone)]
-struct BatchRef {
-    name: String,
 }
-fn default_transfers() -> Vec<TransferAdapter> {
+pub const fn make_error_resp<'a>(
-    vec![TransferAdapter::Basic]
+    code: http::StatusCode,
+    message: &'a str,
+) -> GitLfsErrorResponse<'a> {
+    (code, GitLfsJson(Json(GitLfsErrorData { message })))
 }
-#[derive(Debug, Deserialize, PartialEq, Eq, Clone)]
+pub const REPO_NOT_FOUND: GitLfsErrorResponse =
-pub struct BatchRequest {
+    make_error_resp(http::StatusCode::NOT_FOUND, "Repository not found");
-    pub operation: Operation,
-    #[serde(default = "default_transfers")]
-    pub transfers: Vec<TransferAdapter>,
-    pub objects: Vec<BatchRequestObject>,
-    #[serde(default)]
-    pub hash_algo: HashAlgo,
-}
 #[derive(Debug, Clone)]
 pub struct GitLfsJson<T>(pub Json<T>);
@@ -100,7 +44,7 @@ impl IntoResponse for GitLfsJsonRejection {
        match self {
            Self::Json(rej) => rej.into_response(),
            Self::MissingGitLfsJsonContentType => make_error_resp(
-                StatusCode::UNSUPPORTED_MEDIA_TYPE,
+                http::StatusCode::UNSUPPORTED_MEDIA_TYPE,
                &format!("Expected request with `Content-Type: {LFS_MIME}`"),
            )
            .into_response(),
@@ -125,7 +69,7 @@ pub fn is_git_lfs_json_mimetype(mimetype: &str) -> bool {
 }
 fn has_git_lfs_json_content_type(req: &Request) -> bool {
-    let Some(content_type) = req.headers().get(header::CONTENT_TYPE) else {
+    let Some(content_type) = req.headers().get(http::header::CONTENT_TYPE) else {
        return false;
    };
    let Ok(content_type) = content_type.to_str() else {
@@ -134,7 +78,6 @@ fn has_git_lfs_json_content_type(req: &Request) -> bool {
    is_git_lfs_json_mimetype(content_type)
 }
-#[async_trait]
 impl<T, S> FromRequest<S> for GitLfsJson<T>
 where
    T: DeserializeOwned,
@@ -158,46 +101,97 @@ impl<T: Serialize> IntoResponse for GitLfsJson<T> {
        let GitLfsJson(json) = self;
        let mut resp = json.into_response();
        resp.headers_mut().insert(
-            header::CONTENT_TYPE,
+            http::header::CONTENT_TYPE,
-            HeaderValue::from_static("application/vnd.git-lfs+json; charset=utf-8"),
+            http::HeaderValue::from_static("application/vnd.git-lfs+json; charset=utf-8"),
        );
        resp
    }
 }
-#[derive(Debug, Serialize)]
+#[derive(Clone)]
-pub struct GitLfsErrorData<'a> {
+pub struct RepositoryName(pub String);
-    pub message: &'a str,
+pub struct RepositoryNameRejection;
+impl IntoResponse for RepositoryNameRejection {
+    fn into_response(self) -> Response {
+        (
+            http::StatusCode::INTERNAL_SERVER_ERROR,
+            "Missing repository name",
+        )
+            .into_response()
+    }
 }
-pub type GitLfsErrorResponse<'a> = (StatusCode, GitLfsJson<GitLfsErrorData<'a>>);
+impl<S: Send + Sync> FromRequestParts<S> for RepositoryName {
+    type Rejection = RepositoryNameRejection;
-pub const fn make_error_resp(code: StatusCode, message: &str) -> GitLfsErrorResponse {
+    async fn from_request_parts(
-    (code, GitLfsJson(Json(GitLfsErrorData { message })))
+        parts: &mut http::request::Parts,
+        state: &S,
+    ) -> Result<Self, Self::Rejection> {
+        let Ok(Extension(repo_name)) = Extension::<Self>::from_request_parts(parts, state).await
+        else {
+            return Err(RepositoryNameRejection);
+        };
+        Ok(repo_name)
+    }
 }
-#[derive(Debug, Serialize, Clone)]
+// ----------------------- Git LFS Batch API -----------------------
-pub struct BatchResponseObjectAction {
-    pub href: String,
+#[derive(Debug, Deserialize, PartialEq, Eq, Clone)]
-    #[serde(skip_serializing_if = "HashMap::is_empty")]
+pub struct BatchRequest {
-    pub header: HashMap<String, String>,
+    pub operation: Operation,
-    pub expires_at: DateTime<Utc>,
+    #[serde(default = "default_transfers")]
+    pub transfers: Vec<TransferAdapter>,
+    pub objects: Vec<BatchRequestObject>,
+    #[serde(default)]
+    pub hash_algo: HashAlgo,
 }
-#[derive(Default, Debug, Serialize, Clone)]
+#[derive(Debug, Deserialize, PartialEq, Eq, Clone)]
-pub struct BatchResponseObjectActions {
+pub struct BatchRequestObject {
-    #[serde(skip_serializing_if = "Option::is_none")]
+    pub oid: Oid,
-    pub upload: Option<BatchResponseObjectAction>,
+    pub size: i64,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub download: Option<BatchResponseObjectAction>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub verify: Option<BatchResponseObjectAction>,
 }
-#[derive(Debug, Clone, Serialize)]
+#[derive(Debug, Serialize, Deserialize, PartialEq, Eq, Clone, Copy)]
-pub struct BatchResponseObjectError {
+pub enum TransferAdapter {
-    pub code: u16,
+    #[serde(rename = "basic")]
-    pub message: String,
+    Basic,
+    #[serde(other)]
+    Unknown,
+}
+fn default_transfers() -> Vec<TransferAdapter> {
+    vec![TransferAdapter::Basic]
+}
+#[derive(Debug, Serialize, Deserialize, PartialEq, Eq, Clone, Copy)]
+pub enum HashAlgo {
+    #[serde(rename = "sha256")]
+    Sha256,
+    #[serde(other)]
+    Unknown,
+}
+impl Default for HashAlgo {
+    fn default() -> Self {
+        Self::Sha256
+    }
+}
+#[derive(Debug, Serialize, Deserialize, Clone)]
+struct BatchRef {
+    name: String,
+}
+#[derive(Debug, Serialize, Clone)]
+pub struct BatchResponse {
+    pub transfer: TransferAdapter,
+    pub objects: Vec<BatchResponseObject>,
+    pub hash_algo: HashAlgo,
 }
 #[derive(Debug, Serialize, Clone)]
@@ -211,10 +205,16 @@ pub struct BatchResponseObject {
    pub error: Option<BatchResponseObjectError>,
 }
+#[derive(Debug, Clone, Serialize)]
+pub struct BatchResponseObjectError {
+    pub code: u16,
+    pub message: String,
+}
 impl BatchResponseObject {
    pub fn error(
        obj: &BatchRequestObject,
-        code: StatusCode,
+        code: http::StatusCode,
        message: String,
    ) -> BatchResponseObject {
        BatchResponseObject {
@@ -231,10 +231,21 @@ impl BatchResponseObject {
 }
 #[derive(Debug, Serialize, Clone)]
-pub struct BatchResponse {
+pub struct BatchResponseObjectAction {
-    pub transfer: TransferAdapter,
+    pub href: String,
-    pub objects: Vec<BatchResponseObject>,
+    #[serde(skip_serializing_if = "HashMap::is_empty")]
-    pub hash_algo: HashAlgo,
+    pub header: HashMap<String, String>,
+    pub expires_at: DateTime<Utc>,
+}
+#[derive(Default, Debug, Serialize, Clone)]
+pub struct BatchResponseObjectActions {
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub upload: Option<BatchResponseObjectAction>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub download: Option<BatchResponseObjectAction>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub verify: Option<BatchResponseObjectAction>,
 }
 #[test]
diff --git a/gitolfs3-server/src/authz.rs b/gitolfs3-server/src/authz.rs
index 0674cef..c4cb6df 100644
--- a/gitolfs3-server/src/authz.rs
+++ b/gitolfs3-server/src/authz.rs
@@ -1,41 +1,22 @@
 use std::collections::HashSet;
-use axum::http::{header, HeaderMap, StatusCode};
+use axum::http;
 use chrono::{DateTime, Utc};
-use gitolfs3_common::{generate_tag, Claims, Digest, Oid, Operation, SpecificClaims};
+use gitolfs3_common::{Claims, Digest, Oid, Operation, SpecificClaims, generate_tag};
 use crate::{
-    api::{make_error_resp, GitLfsErrorResponse, REPO_NOT_FOUND},
+    api::{GitLfsErrorResponse, REPO_NOT_FOUND, make_error_resp},
    config::AuthorizationConfig,
 };
 pub struct Trusted(pub bool);
-fn forwarded_from_trusted_host(
-    headers: &HeaderMap,
-    trusted: &HashSet<String>,
-) -> Result<bool, GitLfsErrorResponse<'static>> {
-    if let Some(forwarded_host) = headers.get("X-Forwarded-Host") {
-        if let Ok(forwarded_host) = forwarded_host.to_str() {
-            if trusted.contains(forwarded_host) {
-                return Ok(true);
-            }
-        } else {
-            return Err(make_error_resp(
-                StatusCode::NOT_FOUND,
-                "Invalid X-Forwarded-Host header",
-            ));
-        }
-    }
-    Ok(false)
-}
 pub fn authorize_batch(
    conf: &AuthorizationConfig,
    repo_path: &str,
    public: bool,
    operation: Operation,
-    headers: &HeaderMap,
+    headers: &http::HeaderMap,
 ) -> Result<Trusted, GitLfsErrorResponse<'static>> {
    // - No authentication required for downloading exported repos
    // - When authenticated:
@@ -57,7 +38,7 @@ fn authorize_batch_unauthenticated(
    conf: &AuthorizationConfig,
    public: bool,
    operation: Operation,
-    headers: &HeaderMap,
+    headers: &http::HeaderMap,
 ) -> Result<Trusted, GitLfsErrorResponse<'static>> {
    let trusted = forwarded_from_trusted_host(headers, &conf.trusted_forwarded_hosts)?;
    match operation {
@@ -71,7 +52,7 @@ fn authorize_batch_unauthenticated(
                return Err(REPO_NOT_FOUND);
            }
            Err(make_error_resp(
-                StatusCode::FORBIDDEN,
+                http::StatusCode::FORBIDDEN,
                "Authentication required to upload",
            ))
        }
@@ -94,7 +75,7 @@ pub fn authorize_get(
    conf: &AuthorizationConfig,
    repo_path: &str,
    oid: Oid,
-    headers: &HeaderMap,
+    headers: &http::HeaderMap,
 ) -> Result<(), GitLfsErrorResponse<'static>> {
    let claims = VerifyClaimsInput {
        specific_claims: SpecificClaims::Download(oid),
@@ -102,27 +83,48 @@ pub fn authorize_get(
    };
    if !verify_claims(conf, &claims, headers)? {
        return Err(make_error_resp(
-            StatusCode::UNAUTHORIZED,
+            http::StatusCode::UNAUTHORIZED,
            "Repository not found",
        ));
    }
    Ok(())
 }
-pub struct VerifyClaimsInput<'a> {
+fn forwarded_from_trusted_host(
-    pub specific_claims: SpecificClaims,
+    headers: &http::HeaderMap,
-    pub repo_path: &'a str,
+    trusted: &HashSet<String>,
+) -> Result<bool, GitLfsErrorResponse<'static>> {
+    if let Some(forwarded_host) = headers.get("X-Forwarded-Host") {
+        if let Ok(forwarded_host) = forwarded_host.to_str() {
+            if trusted.contains(forwarded_host) {
+                return Ok(true);
+            }
+        } else {
+            return Err(make_error_resp(
+                http::StatusCode::NOT_FOUND,
+                "Invalid X-Forwarded-Host header",
+            ));
+        }
+    }
+    Ok(false)
+}
+struct VerifyClaimsInput<'a> {
+    specific_claims: SpecificClaims,
+    repo_path: &'a str,
 }
 fn verify_claims(
    conf: &AuthorizationConfig,
    claims: &VerifyClaimsInput,
-    headers: &HeaderMap,
+    headers: &http::HeaderMap,
 ) -> Result<bool, GitLfsErrorResponse<'static>> {
-    const INVALID_AUTHZ_HEADER: GitLfsErrorResponse =
+    const INVALID_AUTHZ_HEADER: GitLfsErrorResponse = make_error_resp(
-        make_error_resp(StatusCode::BAD_REQUEST, "Invalid authorization header");
+        http::StatusCode::BAD_REQUEST,
+        "Invalid authorization header",
+    );
-    let Some(authz) = headers.get(header::AUTHORIZATION) else {
+    let Some(authz) = headers.get(http::header::AUTHORIZATION) else {
        return Ok(false);
    };
    let authz = authz.to_str().map_err(|_| INVALID_AUTHZ_HEADER)?;
@@ -141,7 +143,12 @@ fn verify_claims(
        },
        &conf.key,
    )
-    .ok_or_else(|| make_error_resp(StatusCode::INTERNAL_SERVER_ERROR, "Internal server error"))?;
+    .ok_or_else(|| {
+        make_error_resp(
+            http::StatusCode::INTERNAL_SERVER_ERROR,
+            "Internal server error",
+        )
+    })?;
    if tag != expected_tag {
        return Err(INVALID_AUTHZ_HEADER);
    }
@@ -175,8 +182,11 @@ fn test_validate_claims() {
        repo_path: claims.repo_path,
        specific_claims: claims.specific_claims,
    };
-    let mut headers = HeaderMap::new();
+    let mut headers = http::HeaderMap::new();
-    headers.insert(header::AUTHORIZATION, header_value.try_into().unwrap());
+    headers.insert(
+        http::header::AUTHORIZATION,
+        header_value.try_into().unwrap(),
+    );
    assert!(verify_claims(&conf, &verification_claims, &headers).unwrap());
 }
diff --git a/gitolfs3-server/src/config.rs b/gitolfs3-server/src/config.rs
index 75e84dc..5167cca 100644
--- a/gitolfs3-server/src/config.rs
+++ b/gitolfs3-server/src/config.rs
@@ -1,66 +1,6 @@
 use std::collections::HashSet;
-use gitolfs3_common::{load_key, Key};
+use gitolfs3_common::{Key, load_key};
-struct Env {
-    s3_access_key_id: String,
-    s3_secret_access_key: String,
-    s3_bucket: String,
-    s3_region: String,
-    s3_endpoint: String,
-    base_url: String,
-    key_path: String,
-    listen_host: String,
-    listen_port: String,
-    download_limit: String,
-    trusted_forwarded_hosts: String,
-}
-fn require_env(name: &str) -> Result<String, String> {
-    std::env::var(name)
-        .map_err(|_| format!("environment variable {name} should be defined and valid"))
-}
-impl Env {
-    fn load() -> Result<Env, String> {
-        Ok(Env {
-            s3_secret_access_key: require_env("GITOLFS3_S3_SECRET_ACCESS_KEY_FILE")?,
-            s3_access_key_id: require_env("GITOLFS3_S3_ACCESS_KEY_ID_FILE")?,
-            s3_region: require_env("GITOLFS3_S3_REGION")?,
-            s3_endpoint: require_env("GITOLFS3_S3_ENDPOINT")?,
-            s3_bucket: require_env("GITOLFS3_S3_BUCKET")?,
-            base_url: require_env("GITOLFS3_BASE_URL")?,
-            key_path: require_env("GITOLFS3_KEY_PATH")?,
-            listen_host: require_env("GITOLFS3_LISTEN_HOST")?,
-            listen_port: require_env("GITOLFS3_LISTEN_PORT")?,
-            download_limit: require_env("GITOLFS3_DOWNLOAD_LIMIT")?,
-            trusted_forwarded_hosts: std::env::var("GITOLFS3_TRUSTED_FORWARDED_HOSTS")
-                .unwrap_or_default(),
-        })
-    }
-}
-fn get_s3_client(env: &Env) -> Result<aws_sdk_s3::Client, std::io::Error> {
-    let access_key_id = std::fs::read_to_string(&env.s3_access_key_id)?;
-    let secret_access_key = std::fs::read_to_string(&env.s3_secret_access_key)?;
-    let credentials = aws_sdk_s3::config::Credentials::new(
-        access_key_id,
-        secret_access_key,
-        None,
-        None,
-        "gitolfs3-env",
-    );
-    let config = aws_config::SdkConfig::builder()
-        .behavior_version(aws_config::BehaviorVersion::latest())
-        .region(aws_config::Region::new(env.s3_region.clone()))
-        .endpoint_url(&env.s3_endpoint)
-        .credentials_provider(aws_sdk_s3::config::SharedCredentialsProvider::new(
-            credentials,
-        ))
-        .build();
-    Ok(aws_sdk_s3::Client::new(&config))
-}
 pub struct Config {
    pub listen_addr: (String, u16),
@@ -78,19 +18,11 @@ pub struct AuthorizationConfig {
 impl Config {
    pub fn load() -> Result<Self, String> {
-        let env = match Env::load() {
+        let env = Env::load().map_err(|e| format!("failed to load configuration: {e}"))?;
-            Ok(env) => env,
+        let s3_client =
-            Err(e) => return Err(format!("failed to load configuration: {e}")),
+            create_s3_client(&env).map_err(|e| format!("failed to create S3 client: {e}"))?;
-        };
+        let key =
+            load_key(&env.key_path).map_err(|e| format!("failed to load Gitolfs3 key: {e}"))?;
-        let s3_client = match get_s3_client(&env) {
-            Ok(s3_client) => s3_client,
-            Err(e) => return Err(format!("failed to create S3 client: {e}")),
-        };
-        let key = match load_key(&env.key_path) {
-            Ok(key) => key,
-            Err(e) => return Err(format!("failed to load Gitolfs3 key: {e}")),
-        };
        let trusted_forwarded_hosts: HashSet<String> = env
            .trusted_forwarded_hosts
@@ -120,3 +52,63 @@ impl Config {
        })
    }
 }
+fn create_s3_client(env: &Env) -> Result<aws_sdk_s3::Client, std::io::Error> {
+    let access_key_id = std::fs::read_to_string(&env.s3_access_key_id)?;
+    let secret_access_key = std::fs::read_to_string(&env.s3_secret_access_key)?;
+    let credentials = aws_sdk_s3::config::Credentials::new(
+        access_key_id,
+        secret_access_key,
+        None,
+        None,
+        "gitolfs3-env",
+    );
+    let config = aws_config::SdkConfig::builder()
+        .behavior_version(aws_config::BehaviorVersion::latest())
+        .region(aws_config::Region::new(env.s3_region.clone()))
+        .endpoint_url(&env.s3_endpoint)
+        .credentials_provider(aws_sdk_s3::config::SharedCredentialsProvider::new(
+            credentials,
+        ))
+        .build();
+    Ok(aws_sdk_s3::Client::new(&config))
+}
+struct Env {
+    s3_access_key_id: String,
+    s3_secret_access_key: String,
+    s3_bucket: String,
+    s3_region: String,
+    s3_endpoint: String,
+    base_url: String,
+    key_path: String,
+    listen_host: String,
+    listen_port: String,
+    download_limit: String,
+    trusted_forwarded_hosts: String,
+}
+impl Env {
+    fn load() -> Result<Env, String> {
+        Ok(Env {
+            s3_secret_access_key: require_env("GITOLFS3_S3_SECRET_ACCESS_KEY_FILE")?,
+            s3_access_key_id: require_env("GITOLFS3_S3_ACCESS_KEY_ID_FILE")?,
+            s3_region: require_env("GITOLFS3_S3_REGION")?,
+            s3_endpoint: require_env("GITOLFS3_S3_ENDPOINT")?,
+            s3_bucket: require_env("GITOLFS3_S3_BUCKET")?,
+            base_url: require_env("GITOLFS3_BASE_URL")?,
+            key_path: require_env("GITOLFS3_KEY_PATH")?,
+            listen_host: require_env("GITOLFS3_LISTEN_HOST")?,
+            listen_port: require_env("GITOLFS3_LISTEN_PORT")?,
+            download_limit: require_env("GITOLFS3_DOWNLOAD_LIMIT")?,
+            trusted_forwarded_hosts: std::env::var("GITOLFS3_TRUSTED_FORWARDED_HOSTS")
+                .unwrap_or_default(),
+        })
+    }
+}
+fn require_env(name: &str) -> Result<String, String> {
+    std::env::var(name)
+        .map_err(|_| format!("environment variable {name} should be defined and valid"))
+}
diff --git a/gitolfs3-server/src/dlimit.rs b/gitolfs3-server/src/dlimit.rs
index f68bec1..7a82a18 100644
--- a/gitolfs3-server/src/dlimit.rs
+++ b/gitolfs3-server/src/dlimit.rs
@@ -55,7 +55,7 @@ impl DownloadLimiter {
        Ok(true)
    }
-    pub async fn reset(&mut self) {
+    async fn reset(&mut self) {
        self.current = 0;
        if let Err(e) = self.write_new_count().await {
            println!("Failed to reset download counter: {e}");
diff --git a/gitolfs3-server/src/handler.rs b/gitolfs3-server/src/handler.rs
index 6516291..c5d4a61 100644
--- a/gitolfs3-server/src/handler.rs
+++ b/gitolfs3-server/src/handler.rs
@@ -2,24 +2,24 @@ use std::{collections::HashMap, sync::Arc};
 use aws_sdk_s3::{error::SdkError, operation::head_object::HeadObjectOutput};
 use axum::{
+    Json,
    extract::{Path, State},
-    http::{header, HeaderMap, StatusCode},
+    http,
    response::{IntoResponse, Response},
-    Json,
 };
-use base64::{prelude::BASE64_STANDARD, Engine};
+use base64::{Engine, prelude::BASE64_STANDARD};
 use chrono::Utc;
-use gitolfs3_common::{generate_tag, Claims, HexByte, Oid, Operation, SpecificClaims};
+use gitolfs3_common::{Claims, HexByte, Oid, Operation, SpecificClaims, generate_tag};
-use serde::{de, Deserialize};
+use serde::{Deserialize, de};
 use tokio::sync::Mutex;
 use crate::{
    api::{
-        is_git_lfs_json_mimetype, make_error_resp, BatchRequest, BatchRequestObject, BatchResponse,
+        BatchRequest, BatchRequestObject, BatchResponse, BatchResponseObject,
-        BatchResponseObject, BatchResponseObjectAction, BatchResponseObjectActions, GitLfsJson,
+        BatchResponseObjectAction, BatchResponseObjectActions, GitLfsJson, HashAlgo, LFS_MIME,
-        HashAlgo, RepositoryName, TransferAdapter, LFS_MIME, REPO_NOT_FOUND,
+        REPO_NOT_FOUND, RepositoryName, TransferAdapter, is_git_lfs_json_mimetype, make_error_resp,
    },
-    authz::{authorize_batch, authorize_get, Trusted},
+    authz::{Trusted, authorize_batch, authorize_get},
    config::AuthorizationConfig,
    dlimit::DownloadLimiter,
 };
@@ -33,100 +33,44 @@ pub struct AppState {
    pub dl_limiter: Arc<Mutex<DownloadLimiter>>,
 }
-fn validate_checksum(oid: Oid, obj: &HeadObjectOutput) -> bool {
+enum ObjectStatus {
-    if let Some(checksum) = obj.checksum_sha256() {
+    ExistsOk { content_length: Option<i64> },
-        if let Ok(checksum) = BASE64_STANDARD.decode(checksum) {
+    ExistsInconsistent,
-            if let Ok(checksum32b) = TryInto::<[u8; 32]>::try_into(checksum) {
+    DoesNotExist,
-                return Oid::from(checksum32b) == oid;
-            }
-        }
-    }
-    true
 }
-fn validate_size(expected: i64, obj: &HeadObjectOutput) -> bool {
+impl AppState {
-    if let Some(length) = obj.content_length() {
+    async fn check_object(&self, repo: &str, obj: &BatchRequestObject) -> Result<ObjectStatus, ()> {
-        return length == expected;
+        let (oid0, oid1) = (HexByte(obj.oid[0]), HexByte(obj.oid[1]));
-    }
+        let full_path = format!("{repo}/lfs/objects/{}/{}/{}", oid0, oid1, obj.oid);
-    true
-}
-async fn handle_upload_object(
+        let result = match self
-    state: &AppState,
+            .s3_client
-    repo: &str,
+            .head_object()
-    obj: &BatchRequestObject,
+            .bucket(&self.s3_bucket)
-) -> Option<BatchResponseObject> {
+            .key(full_path)
-    let (oid0, oid1) = (HexByte(obj.oid[0]), HexByte(obj.oid[1]));
+            .checksum_mode(aws_sdk_s3::types::ChecksumMode::Enabled)
-    let full_path = format!("{repo}/lfs/objects/{}/{}/{}", oid0, oid1, obj.oid);
+            .send()
+            .await
-    match state
+        {
-        .s3_client
+            Ok(result) => result,
-        .head_object()
+            Err(SdkError::ServiceError(e)) if e.err().is_not_found() => {
-        .bucket(&state.s3_bucket)
+                return Ok(ObjectStatus::DoesNotExist);
-        .key(full_path.clone())
-        .checksum_mode(aws_sdk_s3::types::ChecksumMode::Enabled)
-        .send()
-        .await
-    {
-        Ok(result) => {
-            if validate_size(obj.size, &result) && validate_checksum(obj.oid, &result) {
-                return None;
            }
-        }
+            Err(e) => {
-        Err(SdkError::ServiceError(e)) if e.err().is_not_found() => {}
+                println!("Failed to HeadObject (repo {repo}, OID {}): {e}", obj.oid);
-        Err(e) => {
+                return Err(());
-            println!("Failed to HeadObject (repo {repo}, OID {}): {e}", obj.oid);
+            }
-            return Some(BatchResponseObject::error(
+        };
-                obj,
-                StatusCode::INTERNAL_SERVER_ERROR,
-                "Failed to query object information".to_string(),
-            ));
-        }
-    };
-    let expires_in = std::time::Duration::from_secs(5 * 60);
-    let expires_at = Utc::now() + expires_in;
-    let Ok(config) = aws_sdk_s3::presigning::PresigningConfig::expires_in(expires_in) else {
+        // Scaleway actually doesn't provide SHA256 support, but maybe in the future :)
-        return Some(BatchResponseObject::error(
+        if !s3_validate_checksum(obj.oid, &result) || !s3_validate_size(obj.size, &result) {
-            obj,
+            return Ok(ObjectStatus::ExistsInconsistent);
-            StatusCode::INTERNAL_SERVER_ERROR,
+        }
-            "Failed to generate upload URL".to_string(),
+        Ok(ObjectStatus::ExistsOk {
-        ));
+            content_length: result.content_length(),
-    };
+        })
-    let Ok(presigned) = state
+    }
-        .s3_client
-        .put_object()
-        .bucket(&state.s3_bucket)
-        .key(full_path)
-        .checksum_sha256(obj.oid.to_string())
-        .content_length(obj.size)
-        .presigned(config)
-        .await
-    else {
-        return Some(BatchResponseObject::error(
-            obj,
-            StatusCode::INTERNAL_SERVER_ERROR,
-            "Failed to generate upload URL".to_string(),
-        ));
-    };
-    Some(BatchResponseObject {
-        oid: obj.oid,
-        size: obj.size,
-        authenticated: Some(true),
-        actions: BatchResponseObjectActions {
-            upload: Some(BatchResponseObjectAction {
-                header: presigned
-                    .headers()
-                    .map(|(k, v)| (k.to_owned(), v.to_owned()))
-                    .collect(),
-                expires_at,
-                href: presigned.uri().to_string(),
-            }),
-            ..Default::default()
-        },
-        error: None,
-    })
 }
 async fn handle_download_object(
@@ -138,42 +82,24 @@ async fn handle_download_object(
    let (oid0, oid1) = (HexByte(obj.oid[0]), HexByte(obj.oid[1]));
    let full_path = format!("{repo}/lfs/objects/{}/{}/{}", oid0, oid1, obj.oid);
-    let result = match state
+    let content_length = match state.check_object(repo, obj).await {
-        .s3_client
+        Ok(ObjectStatus::ExistsOk { content_length }) => content_length,
-        .head_object()
+        Ok(_) => {
-        .bucket(&state.s3_bucket)
+            return BatchResponseObject::error(
-        .key(&full_path)
+                obj,
-        .checksum_mode(aws_sdk_s3::types::ChecksumMode::Enabled)
+                http::StatusCode::UNPROCESSABLE_ENTITY,
-        .send()
+                "Object corrupted".to_string(),
-        .await
+            );
-    {
+        }
-        Ok(result) => result,
+        Err(_) => {
-        Err(e) => {
-            println!("Failed to HeadObject (repo {repo}, OID {}): {e}", obj.oid);
            return BatchResponseObject::error(
                obj,
-                StatusCode::INTERNAL_SERVER_ERROR,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
                "Failed to query object information".to_string(),
            );
        }
    };
-    // Scaleway actually doesn't provide SHA256 suport, but maybe in the future :)
-    if !validate_checksum(obj.oid, &result) {
-        return BatchResponseObject::error(
-            obj,
-            StatusCode::UNPROCESSABLE_ENTITY,
-            "Object corrupted".to_string(),
-        );
-    }
-    if !validate_size(obj.size, &result) {
-        return BatchResponseObject::error(
-            obj,
-            StatusCode::UNPROCESSABLE_ENTITY,
-            "Incorrect size specified (or object corrupted)".to_string(),
-        );
-    }
    let expires_in = std::time::Duration::from_secs(5 * 60);
    let expires_at = Utc::now() + expires_in;
@@ -181,7 +107,7 @@ async fn handle_download_object(
        let Ok(config) = aws_sdk_s3::presigning::PresigningConfig::expires_in(expires_in) else {
            return BatchResponseObject::error(
                obj,
-                StatusCode::INTERNAL_SERVER_ERROR,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
                "Failed to generate upload URL".to_string(),
            );
        };
@@ -195,7 +121,7 @@ async fn handle_download_object(
        else {
            return BatchResponseObject::error(
                obj,
-                StatusCode::INTERNAL_SERVER_ERROR,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
                "Failed to generate upload URL".to_string(),
            );
        };
@@ -218,31 +144,31 @@ async fn handle_download_object(
        };
    }
-    if let Some(content_length) = result.content_length() {
+    if let Some(content_length) = content_length
-        if content_length > 0 {
+        && content_length > 0
-            match state
+    {
-                .dl_limiter
+        match state
-                .lock()
+            .dl_limiter
-                .await
+            .lock()
-                .request(content_length as u64)
+            .await
-                .await
+            .request(content_length as u64)
-            {
+            .await
-                Ok(true) => {}
+        {
-                Ok(false) => {
+            Ok(true) => {}
-                    return BatchResponseObject::error(
+            Ok(false) => {
-                        obj,
+                return BatchResponseObject::error(
-                        StatusCode::SERVICE_UNAVAILABLE,
+                    obj,
-                        "Public LFS downloads temporarily unavailable".to_string(),
+                    http::StatusCode::SERVICE_UNAVAILABLE,
-                    );
+                    "Public LFS downloads temporarily unavailable".to_string(),
-                }
+                );
-                Err(e) => {
+            }
-                    println!("Failed to request {content_length} bytes from download limiter: {e}");
+            Err(e) => {
-                    return BatchResponseObject::error(
+                println!("Failed to request {content_length} bytes from download limiter: {e}");
-                        obj,
+                return BatchResponseObject::error(
-                        StatusCode::INTERNAL_SERVER_ERROR,
+                    obj,
-                        "Internal server error".to_string(),
+                    http::StatusCode::INTERNAL_SERVER_ERROR,
-                    );
+                    "Internal server error".to_string(),
-                }
+                );
            }
        }
    }
@@ -257,18 +183,11 @@ async fn handle_download_object(
    ) else {
        return BatchResponseObject::error(
            obj,
-            StatusCode::INTERNAL_SERVER_ERROR,
+            http::StatusCode::INTERNAL_SERVER_ERROR,
            "Internal server error".to_string(),
        );
    };
-    let upload_path = format!(
-        "{repo}/info/lfs/objects/{}/{}/{}",
-        HexByte(obj.oid[0]),
-        HexByte(obj.oid[1]),
-        obj.oid,
-    );
    BatchResponseObject {
        oid: obj.oid,
        size: obj.size,
@@ -284,7 +203,13 @@ async fn handle_download_object(
                    map
                },
                expires_at,
-                href: format!("{}/{upload_path}", state.base_url),
+                href: format!(
+                    "{}/{repo}/info/lfs/objects/{}/{}/{}",
+                    state.base_url,
+                    HexByte(obj.oid[0]),
+                    HexByte(obj.oid[1]),
+                    obj.oid
+                ),
            }),
            ..Default::default()
        },
@@ -292,83 +217,6 @@ async fn handle_download_object(
    }
 }
-fn repo_exists(name: &str) -> bool {
-    let Ok(metadata) = std::fs::metadata(name) else {
-        return false;
-    };
-    metadata.is_dir()
-}
-fn is_repo_public(name: &str) -> Option<bool> {
-    if !repo_exists(name) {
-        return None;
-    }
-    match std::fs::metadata(format!("{name}/git-daemon-export-ok")) {
-        Ok(metadata) if metadata.is_file() => Some(true),
-        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Some(false),
-        _ => None,
-    }
-}
-pub async fn batch(
-    State(state): State<Arc<AppState>>,
-    headers: HeaderMap,
-    RepositoryName(repo): RepositoryName,
-    GitLfsJson(Json(payload)): GitLfsJson<BatchRequest>,
-) -> Response {
-    let Some(public) = is_repo_public(&repo) else {
-        return REPO_NOT_FOUND.into_response();
-    };
-    let Trusted(trusted) = match authorize_batch(
-        &state.authz_conf,
-        &repo,
-        public,
-        payload.operation,
-        &headers,
-    ) {
-        Ok(authn) => authn,
-        Err(e) => return e.into_response(),
-    };
-    if !headers
-        .get_all("Accept")
-        .iter()
-        .filter_map(|v| v.to_str().ok())
-        .any(is_git_lfs_json_mimetype)
-    {
-        let message = format!("Expected `{LFS_MIME}` in list of acceptable response media types");
-        return make_error_resp(StatusCode::NOT_ACCEPTABLE, &message).into_response();
-    }
-    if payload.hash_algo != HashAlgo::Sha256 {
-        let message = "Unsupported hashing algorithm specified";
-        return make_error_resp(StatusCode::CONFLICT, message).into_response();
-    }
-    if !payload.transfers.is_empty() && !payload.transfers.contains(&TransferAdapter::Basic) {
-        let message = "Unsupported transfer adapter specified (supported: basic)";
-        return make_error_resp(StatusCode::CONFLICT, message).into_response();
-    }
-    let mut resp = BatchResponse {
-        transfer: TransferAdapter::Basic,
-        objects: vec![],
-        hash_algo: HashAlgo::Sha256,
-    };
-    for obj in payload.objects {
-        match payload.operation {
-            Operation::Download => resp
-                .objects
-                .push(handle_download_object(&state, &repo, &obj, trusted).await),
-            Operation::Upload => {
-                if let Some(obj_resp) = handle_upload_object(&state, &repo, &obj).await {
-                    resp.objects.push(obj_resp);
-                }
-            }
-        };
-    }
-    GitLfsJson(Json(resp)).into_response()
-}
 #[derive(Deserialize, Copy, Clone)]
 #[serde(remote = "Self")]
 pub struct FileParams {
@@ -382,11 +230,11 @@ impl<'de> Deserialize<'de> for FileParams {
    where
        D: serde::Deserializer<'de>,
    {
-        let unchecked @ FileParams {
+        let unchecked @ Self {
            oid0: HexByte(oid0),
            oid1: HexByte(oid1),
            oid,
-        } = FileParams::deserialize(deserializer)?;
+        } = Self::deserialize(deserializer)?;
        if oid0 != oid.as_bytes()[0] {
            return Err(de::Error::custom(
                "first OID path part does not match first byte of full OID",
@@ -401,9 +249,9 @@ impl<'de> Deserialize<'de> for FileParams {
    }
 }
-pub async fn obj_download(
+pub async fn handle_obj_download(
    State(state): State<Arc<AppState>>,
-    headers: HeaderMap,
+    headers: http::HeaderMap,
    RepositoryName(repo): RepositoryName,
    Path(FileParams { oid0, oid1, oid }): Path<FileParams>,
 ) -> Response {
@@ -425,26 +273,26 @@ pub async fn obj_download(
        Err(e) => {
            println!("Failed to GetObject (repo {repo}, OID {oid}): {e}");
            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
                "Failed to query object information",
            )
                .into_response();
        }
    };
-    let mut headers = header::HeaderMap::new();
+    let mut headers = http::header::HeaderMap::new();
    if let Some(content_type) = result.content_type {
        let Ok(header_value) = content_type.try_into() else {
            return (
-                StatusCode::INTERNAL_SERVER_ERROR,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
                "Object has invalid content type",
            )
                .into_response();
        };
-        headers.insert(header::CONTENT_TYPE, header_value);
+        headers.insert(http::header::CONTENT_TYPE, header_value);
    }
    if let Some(content_length) = result.content_length {
-        headers.insert(header::CONTENT_LENGTH, content_length.into());
+        headers.insert(http::header::CONTENT_LENGTH, content_length.into());
    }
    let async_read = result.body.into_async_read();
@@ -453,3 +301,168 @@ pub async fn obj_download(
    (headers, body).into_response()
 }
+async fn handle_upload_object(
+    state: &AppState,
+    repo: &str,
+    obj: &BatchRequestObject,
+) -> Option<BatchResponseObject> {
+    let (oid0, oid1) = (HexByte(obj.oid[0]), HexByte(obj.oid[1]));
+    let full_path = format!("{repo}/lfs/objects/{}/{}/{}", oid0, oid1, obj.oid);
+    match state.check_object(repo, obj).await {
+        Ok(ObjectStatus::ExistsOk { .. }) => {
+            return None;
+        }
+        Ok(_) => {}
+        Err(_) => {
+            return Some(BatchResponseObject::error(
+                obj,
+                http::StatusCode::INTERNAL_SERVER_ERROR,
+                "Failed to query object information".to_string(),
+            ));
+        }
+    };
+    let expires_in = std::time::Duration::from_secs(5 * 60);
+    let expires_at = Utc::now() + expires_in;
+    let Ok(config) = aws_sdk_s3::presigning::PresigningConfig::expires_in(expires_in) else {
+        return Some(BatchResponseObject::error(
+            obj,
+            http::StatusCode::INTERNAL_SERVER_ERROR,
+            "Failed to generate upload URL".to_string(),
+        ));
+    };
+    let Ok(presigned) = state
+        .s3_client
+        .put_object()
+        .bucket(&state.s3_bucket)
+        .key(full_path)
+        .checksum_sha256(s3_encode_checksum(obj.oid))
+        .content_length(obj.size)
+        .presigned(config)
+        .await
+    else {
+        return Some(BatchResponseObject::error(
+            obj,
+            http::StatusCode::INTERNAL_SERVER_ERROR,
+            "Failed to generate upload URL".to_string(),
+        ));
+    };
+    Some(BatchResponseObject {
+        oid: obj.oid,
+        size: obj.size,
+        authenticated: Some(true),
+        actions: BatchResponseObjectActions {
+            upload: Some(BatchResponseObjectAction {
+                header: presigned
+                    .headers()
+                    .map(|(k, v)| (k.to_owned(), v.to_owned()))
+                    .collect(),
+                expires_at,
+                href: presigned.uri().to_string(),
+            }),
+            ..Default::default()
+        },
+        error: None,
+    })
+}
+pub async fn handle_batch(
+    State(state): State<Arc<AppState>>,
+    headers: http::HeaderMap,
+    RepositoryName(repo): RepositoryName,
+    GitLfsJson(Json(payload)): GitLfsJson<BatchRequest>,
+) -> Response {
+    let Some(public) = is_repo_public(&repo) else {
+        return REPO_NOT_FOUND.into_response();
+    };
+    let Trusted(trusted) = match authorize_batch(
+        &state.authz_conf,
+        &repo,
+        public,
+        payload.operation,
+        &headers,
+    ) {
+        Ok(authn) => authn,
+        Err(e) => return e.into_response(),
+    };
+    if !headers
+        .get_all("Accept")
+        .iter()
+        .filter_map(|v| v.to_str().ok())
+        .any(is_git_lfs_json_mimetype)
+    {
+        let message = format!("Expected `{LFS_MIME}` in list of acceptable response media types");
+        return make_error_resp(http::StatusCode::NOT_ACCEPTABLE, &message).into_response();
+    }
+    if payload.hash_algo != HashAlgo::Sha256 {
+        let message = "Unsupported hashing algorithm specified";
+        return make_error_resp(http::StatusCode::CONFLICT, message).into_response();
+    }
+    if !payload.transfers.is_empty() && !payload.transfers.contains(&TransferAdapter::Basic) {
+        let message = "Unsupported transfer adapter specified (supported: basic)";
+        return make_error_resp(http::StatusCode::CONFLICT, message).into_response();
+    }
+    let mut resp = BatchResponse {
+        transfer: TransferAdapter::Basic,
+        objects: vec![],
+        hash_algo: HashAlgo::Sha256,
+    };
+    for obj in payload.objects {
+        match payload.operation {
+            Operation::Download => resp
+                .objects
+                .push(handle_download_object(&state, &repo, &obj, trusted).await),
+            Operation::Upload => {
+                if let Some(obj_resp) = handle_upload_object(&state, &repo, &obj).await {
+                    resp.objects.push(obj_resp);
+                }
+            }
+        };
+    }
+    GitLfsJson(Json(resp)).into_response()
+}
+fn s3_encode_checksum(oid: Oid) -> String {
+    BASE64_STANDARD.encode(oid.as_bytes())
+}
+fn s3_validate_checksum(oid: Oid, obj: &HeadObjectOutput) -> bool {
+    if let Some(checksum) = obj.checksum_sha256()
+        && let Ok(checksum) = BASE64_STANDARD.decode(checksum)
+        && let Ok(checksum32b) = TryInto::<[u8; 32]>::try_into(checksum)
+    {
+        return Oid::from(checksum32b) == oid;
+    }
+    true
+}
+fn s3_validate_size(expected: i64, obj: &HeadObjectOutput) -> bool {
+    if let Some(length) = obj.content_length() {
+        return length == expected;
+    }
+    true
+}
+fn repo_exists(name: &str) -> bool {
+    let Ok(metadata) = std::fs::metadata(name) else {
+        return false;
+    };
+    metadata.is_dir()
+}
+fn is_repo_public(name: &str) -> Option<bool> {
+    if !repo_exists(name) {
+        return None;
+    }
+    match std::fs::metadata(format!("{name}/git-daemon-export-ok")) {
+        Ok(metadata) if metadata.is_file() => Some(true),
+        Err(e) if e.kind() == std::io::ErrorKind::NotFound => Some(false),
+        _ => None,
+    }
+}
diff --git a/gitolfs3-server/src/main.rs b/gitolfs3-server/src/main.rs
index c9911ed..c88de76 100644
--- a/gitolfs3-server/src/main.rs
+++ b/gitolfs3-server/src/main.rs
@@ -9,13 +9,14 @@ use config::Config;
 use dlimit::DownloadLimiter;
 use axum::{
+    Router, ServiceExt,
    extract::OriginalUri,
-    http::{StatusCode, Uri},
+    http::{self, Uri},
    routing::{get, post},
-    Router, ServiceExt,
 };
-use handler::AppState;
+use handler::{AppState, handle_batch, handle_obj_download};
 use std::{process::ExitCode, sync::Arc};
+use tokio::net::TcpListener;
 use tower::Layer;
 #[tokio::main]
@@ -39,14 +40,14 @@ async fn main() -> ExitCode {
        dl_limiter,
    });
    let app = Router::new()
-        .route("/batch", post(handler::batch))
+        .route("/batch", post(handle_batch))
-        .route("/:oid0/:oid1/:oid", get(handler::obj_download))
+        .route("/{oid0}/{oid1}/{oid}", get(handle_obj_download))
        .with_state(shared_state);
    let middleware = axum::middleware::map_request(rewrite_url);
    let app_with_middleware = middleware.layer(app);
-    let listener = match tokio::net::TcpListener::bind(conf.listen_addr).await {
+    let listener = match TcpListener::bind(conf.listen_addr).await {
        Ok(listener) => listener,
        Err(e) => {
            println!("Failed to listen: {e}");
@@ -63,25 +64,23 @@ async fn main() -> ExitCode {
    }
 }
-async fn rewrite_url<B>(
+async fn rewrite_url<B>(mut req: http::Request<B>) -> Result<http::Request<B>, http::StatusCode> {
-    mut req: axum::http::Request<B>,
-) -> Result<axum::http::Request<B>, StatusCode> {
    let uri = req.uri();
    let original_uri = OriginalUri(uri.clone());
    let Some(path_and_query) = uri.path_and_query() else {
        // L @ no path & query
-        return Err(StatusCode::BAD_REQUEST);
+        return Err(http::StatusCode::BAD_REQUEST);
    };
    let Some((repo, path)) = path_and_query.path().split_once("/info/lfs/objects") else {
-        return Err(StatusCode::NOT_FOUND);
+        return Err(http::StatusCode::NOT_FOUND);
    };
    let repo = repo
        .trim_start_matches('/')
        .trim_end_matches('/')
        .to_string();
    if !path.starts_with('/') || !repo.ends_with(".git") {
-        return Err(StatusCode::NOT_FOUND);
+        return Err(http::StatusCode::NOT_FOUND);
    }
    let mut parts = uri.clone().into_parts();
@@ -90,7 +89,7 @@ async fn rewrite_url<B>(
        Some(q) => format!("{path}?{q}").try_into().ok(),
    };
    let Ok(new_uri) = Uri::from_parts(parts) else {
-        return Err(StatusCode::INTERNAL_SERVER_ERROR);
+        return Err(http::StatusCode::INTERNAL_SERVER_ERROR);
    };
    *req.uri_mut() = new_uri;