Trait AuthClient 

pub trait AuthClient: Send + Sync {
    // Required methods
    fn validate_session<'a>(
        &'a self,
        token: &'a SessionToken,
    ) -> AuthFuture<'a, Option<User>>;
    fn check_role<'a>(
        &'a self,
        user_id: &'a UserId,
        role: &'a RoleName,
    ) -> AuthFuture<'a, bool>;
    fn check_permission<'a>(
        &'a self,
        user_id: &'a UserId,
        permission: &'a PermissionName,
    ) -> AuthFuture<'a, bool>;
    fn logout<'a>(&'a self, token: &'a SessionToken) -> AuthFuture<'a, ()>;
    fn login_url(&self) -> &str;
    fn session_cookie_name(&self) -> &str;
}
Abstraction over embedded and external authentication modes.

Consuming projects use this trait instead of AllowThem directly, enabling a config-flag switch between embedded mode (local SQLite) and external mode (OIDC/JWT, Block 11) without changing handler or middleware code.

All session validation, role/permission checks, and logout flow through this trait. Login is intentionally excluded — embedded mode handles credentials directly, external mode redirects to OIDC.

Required Methods

fn validate_session<'a>(&'a self, token: &'a SessionToken) -> AuthFuture<'a, Option<User>>

Validate a session token and return the active user.

Returns Ok(None) when the token is invalid, expired, or the user is inactive. Returns Err only on infrastructure failures (DB, network).

fn check_role<'a>(&'a self, user_id: &'a UserId, role: &'a RoleName) -> AuthFuture<'a, bool>

Check whether a user has the given role.

fn check_permission<'a>(&'a self, user_id: &'a UserId, permission: &'a PermissionName) -> AuthFuture<'a, bool>

Check whether a user has the given permission (direct or via role).

fn logout<'a>(&'a self, token: &'a SessionToken) -> AuthFuture<'a, ()>

Invalidate a session. Fire-and-forget — non-existent sessions are not errors.

fn login_url(&self) -> &str

The URL/path where users should be directed to log in.

fn session_cookie_name(&self) -> &str

The cookie name used for session tokens.
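The Ok(None) versus Err split documented for validate_session gives callers three outcomes to handle, and only one of them may lead to access. The guard below is an added example, not code from this crate: AuthError, Decision, authorize, Mock, the newtype layouts, and the assumption that AuthFuture resolves to a Result are stand-ins, and the trait is reduced to the three methods the guard calls.

```rust
use std::{future::Future, pin::Pin};
// Stand-ins (assumptions): the crate's real types are not shown on this page.
pub struct AuthError;
pub struct SessionToken(pub String);
pub struct UserId(pub String);
pub struct PermissionName(pub String);
pub struct User { pub id: UserId }
pub type AuthFuture<'a, T> = Pin<Box<dyn Future<Output = Result<T, AuthError>> + Send + 'a>>;
pub trait AuthClient: Send + Sync {
    fn validate_session<'a>(&'a self, token: &'a SessionToken) -> AuthFuture<'a, Option<User>>;
    fn check_permission<'a>(&'a self, user_id: &'a UserId, permission: &'a PermissionName) -> AuthFuture<'a, bool>;
    fn login_url(&self) -> &str;
}

#[derive(Debug, PartialEq)]
pub enum Decision { Allow, RedirectToLogin(String), Forbidden, Unavailable }

// Hypothetical guard: every outcome maps to an explicit decision; errors never become Allow.
pub async fn authorize(auth: &dyn AuthClient, token: Option<&SessionToken>, perm: &PermissionName) -> Decision {
    let login = || Decision::RedirectToLogin(auth.login_url().to_owned());
    let Some(token) = token else { return login() }; // no session cookie sent
    let user = match auth.validate_session(token).await {
        Ok(Some(user)) => user,
        Ok(None) => return login(),             // invalid or expired token, or inactive user
        Err(_) => return Decision::Unavailable, // infrastructure failure: fail closed
    };
    match auth.check_permission(&user.id, perm).await {
        Ok(true) => Decision::Allow,
        Ok(false) => Decision::Forbidden,
        Err(_) => Decision::Unavailable, // a failed lookup is never a grant
    }
}

// Constructed mock: "good" is a live session, "down" simulates a DB/network outage.
pub struct Mock;
impl AuthClient for Mock {
    fn validate_session<'a>(&'a self, token: &'a SessionToken) -> AuthFuture<'a, Option<User>> {
        let outcome = match token.0.as_str() {
            "good" => Ok(Some(User { id: UserId("u1".to_owned()) })),
            "down" => Err(AuthError),
            _ => Ok(None),
        };
        Box::pin(async move { outcome })
    }
    fn check_permission<'a>(&'a self, _user: &'a UserId, permission: &'a PermissionName) -> AuthFuture<'a, bool> {
        Box::pin(async move { Ok(permission.0 == "reports:read") })
    }
    fn login_url(&self) -> &str { "/login" }
}
```

Driving `authorize` requires the consuming project's async executor; the guard itself has no runtime dependency.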

Implementors