Skip to main content

Crate arcly_http_identity

Crate arcly_http_identity 

Source
Expand description

§arcly-http-identity — CIAM building-block engine

A storage-agnostic Customer Identity & Access Management (CIAM) engine for arcly-http. It is not a turnkey product (no admin console, no hosted login UI): it ships the traits, services, and (optional) controllers you compose into your own identity provider, in the same spirit as Ory Kratos/Hydra but as an embeddable Rust crate.

§What it gives you

AreaType
User & credential storagestore::UserStore, store::CredentialStore
Password hashingpassword::PasswordHasher + password::Argon2idHasher
Register / login / refresh / logoutidentity::IdentityService
Brute-force protectionlockout::LockoutPolicy
One-time tokens (verify / reset / magic link)ott::OneTimeTokenService
Passwordless (magic link + email/SMS OTP)passwordless::PasswordlessService
MFA (TOTP + recovery codes)mfa
Passkeys / WebAuthnmfa::passkey (feature passkey)
Adaptive / risk-based authrisk::RiskEngine
Consent (GDPR)consent::ConsentStore
OIDC Provideroidc (feature oidc)

§Design contract (matches the framework)

  • All I/O is behind a trait — you supply the Postgres/Redis/email backends; the crate links no database or mail SDK.
  • Provide services via DI in an ArclyPlugin::on_init (ctx.provide(IdentityService::new(...))), then resolve with Inject<T>.
  • Tokens are minted through the framework’s JwtService so every existing guard (JWT_AUTH, RoleGuard, perms, ABAC) keeps working.
  • CPU-bound work runs off the reactor via spawn_blocking.

Re-exports§

pub use error::IdentityError;
pub use identity::IdentityConfig;
pub use identity::IdentityService;
pub use model::AccountStatus;
pub use model::Identity;
pub use model::LoginOutcome;
pub use model::MfaState;
pub use model::TokenResponse;
pub use password::Argon2idHasher;
pub use password::PasswordHasher;
pub use store::CredentialStore;
pub use store::UserStore;

Modules§

consent
Consent capture & withdrawal (GDPR / privacy). A ConsentStore records which purposes a subject has agreed to, with a timestamp and version, so the app can prove lawful basis and honour withdrawal.
dpop
DPoP — Demonstration of Proof-of-Possession (RFC 9449), i.e. sender-constrained access tokens (H3).
error
Error type for the identity engine, with a mapping to the framework’s HttpException so handlers can ? directly and get RFC-7807 problem responses with the right status codes.
federation
Secure federated login (“Sign in with Google / Facebook / an enterprise IdP”). This is the relying-party side — the app consumes an external identity — as opposed to crate::oidc, which is an identity provider.
identity
IdentityService — the orchestrator that ties stores, hashing, JWT minting, lockout, and MFA together into the register / login / refresh / logout flows. Provide it via DI and call it from your controllers (or mount the ready-made ones behind the controllers feature).
lockout
Brute-force / credential-stuffing lockout, backed by a pluggable counter.
mfa
Multi-factor authentication: the MfaVerifier hook the login flow calls, plus concrete factors (TOTP today, passkeys behind the passkey feature).
model
Canonical identity records and the DTOs the flows exchange.
notify
Delivery of identity messages (verification links, reset links, OTP codes, magic links). The app supplies the transport — the crate links no mail/SMS SDK, matching the OAuth2Provider / SecretSource pattern.
oidc
OpenID Connect Provider — turn the app into an identity provider.
ott
One-time tokens: the shared primitive behind email/phone verification, password reset, magic-link login, and login OTP.
password
Password hashing behind a trait, with an Argon2id default and transparent bcrypt-verification so legacy hashes migrate on next login.
passwordless
Passwordless authentication built on OneTimeTokenService + Notifier: magic-links (email) and one-time codes (email or SMS).
prelude
One-line prelude for CIAM apps.
risk
Adaptive / risk-based authentication. A RiskEngine scores a login attempt from environmental signals; the login flow uses the verdict to allow, force step-up MFA, or deny.
session
Server-side token state: refresh-token rotation, pending MFA challenges, and the per-user device/session index used for “log out everywhere” and back-channel revocation (Phase 4).
store
Storage traits — the app supplies the backends (Postgres, Redis, …). The crate links no database. An in-memory implementation (MemoryStore) is provided for tests, examples, and local development.