pub struct IdentityService { /* private fields */ }Expand description
Composes every collaborator needed for the core auth flows. Cheap to clone
(all fields are Arc), so it can be provided and injected freely.
Implementations§
Source§impl IdentityService
impl IdentityService
Sourcepub fn builder(
users: Arc<dyn UserStore>,
creds: Arc<dyn CredentialStore>,
hasher: Arc<dyn PasswordHasher>,
jwt: Arc<JwtService>,
refresh: Arc<dyn RefreshStore>,
challenges: Arc<dyn ChallengeStore>,
) -> IdentityServiceBuilder
pub fn builder( users: Arc<dyn UserStore>, creds: Arc<dyn CredentialStore>, hasher: Arc<dyn PasswordHasher>, jwt: Arc<JwtService>, refresh: Arc<dyn RefreshStore>, challenges: Arc<dyn ChallengeStore>, ) -> IdentityServiceBuilder
Start building. Required collaborators are passed here; optional ones (lockout, MFA) and config are attached fluently.
Sourcepub async fn register(&self, req: RegisterRequest) -> Result<Identity>
pub async fn register(&self, req: RegisterRequest) -> Result<Identity>
Register a new user. Hashes the password (if any) off the reactor, stores the identity, and returns it. Does not issue tokens — callers usually send a verification email first.
Sourcepub async fn login(
&self,
tenant: Option<&str>,
email: &str,
password: &str,
) -> Result<LoginOutcome>
pub async fn login( &self, tenant: Option<&str>, email: &str, password: &str, ) -> Result<LoginOutcome>
Authenticate with email + password. Returns either issued tokens or an
MFA challenge. principal_ip seeds lockout before the user is known.
Sourcepub async fn login_bound(
&self,
tenant: Option<&str>,
email: &str,
password: &str,
cnf_jkt: Option<&str>,
) -> Result<LoginOutcome>
pub async fn login_bound( &self, tenant: Option<&str>, email: &str, password: &str, cnf_jkt: Option<&str>, ) -> Result<LoginOutcome>
Like login but sender-constrains the issued access
token to a DPoP key (cnf_jkt from a verified proof, RFC 9449 / H3). The
binding is applied on the direct-auth path; when MFA is enrolled the
challenge path mints in verify_mfa (unbound for now).
Sourcepub async fn verify_mfa(
&self,
challenge_id: &str,
method: &str,
code: &str,
) -> Result<TokenResponse>
pub async fn verify_mfa( &self, challenge_id: &str, method: &str, code: &str, ) -> Result<TokenResponse>
Complete a pending MFA challenge with a factor response (method = e.g.
"totp" / "recovery", code = the user-supplied value).
Sourcepub async fn login_federated(
&self,
tenant: Option<&str>,
profile: &FederatedProfile,
signal: Option<RiskSignal>,
) -> Result<FederatedOutcome>
pub async fn login_federated( &self, tenant: Option<&str>, profile: &FederatedProfile, signal: Option<RiskSignal>, ) -> Result<FederatedOutcome>
Authenticate a user from an external identity provider (social login /
enterprise SSO), applying the takeover-safe linking policy, optional risk
step-up, and auditing — then minting through the same path as password
login. signal (when a RiskEngine is configured) drives adaptive MFA.
See crate::federation for the security rationale behind each branch.
Sourcepub async fn link_federated(
&self,
user_id: &str,
profile: &FederatedProfile,
) -> Result<()>
pub async fn link_federated( &self, user_id: &str, profile: &FederatedProfile, ) -> Result<()>
Explicitly link an external identity to an already-authenticated local
user (user_id). This is the takeover-proof path the app runs after the
user proves ownership of the local account, in response to a
FederatedOutcome::LinkRequired.
Sourcepub async fn refresh(&self, refresh_token: &str) -> Result<TokenResponse>
pub async fn refresh(&self, refresh_token: &str) -> Result<TokenResponse>
Rotate a refresh token: validate signature + stored jti, atomically
consume the old jti, and issue a fresh pair. Reuse of a consumed token
fails closed.
Sourcepub async fn logout(&self, refresh_token: &str) -> Result<()>
pub async fn logout(&self, refresh_token: &str) -> Result<()>
Revoke a specific refresh token (single-device logout).
Sourcepub async fn logout_all(&self, user_id: &str) -> Result<()>
pub async fn logout_all(&self, user_id: &str) -> Result<()>
Revoke every refresh token for a user (“log out everywhere”).
Sourcepub async fn me(&self, user_id: &str) -> Result<Identity>
pub async fn me(&self, user_id: &str) -> Result<Identity>
Fetch the current identity by id (for /auth/me).
Sourcepub async fn mint(&self, user: &Identity) -> Result<TokenResponse>
pub async fn mint(&self, user: &Identity) -> Result<TokenResponse>
Mint an access+refresh pair for an authenticated identity and persist the
refresh jti for rotation.
Sourcepub async fn mint_bound(
&self,
user: &Identity,
cnf_jkt: Option<&str>,
) -> Result<TokenResponse>
pub async fn mint_bound( &self, user: &Identity, cnf_jkt: Option<&str>, ) -> Result<TokenResponse>
Trait Implementations§
Source§impl Clone for IdentityService
impl Clone for IdentityService
Source§fn clone(&self) -> IdentityService
fn clone(&self) -> IdentityService
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreAuto Trait Implementations§
impl !RefUnwindSafe for IdentityService
impl !UnwindSafe for IdentityService
impl Freeze for IdentityService
impl Send for IdentityService
impl Sync for IdentityService
impl Unpin for IdentityService
impl UnsafeUnpin for IdentityService
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
impl<ST, DT> CastableFrom<ST, Initialized, Initialized> for DT
impl<ST, DT> CastableFrom<ST, Uninit, Uninit> for DT
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> FutureExt for T
impl<T> FutureExt for T
Source§fn with_context(self, otel_cx: Context) -> WithContext<Self>
fn with_context(self, otel_cx: Context) -> WithContext<Self>
Source§fn with_current_context(self) -> WithContext<Self>
fn with_current_context(self) -> WithContext<Self>
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoRequest<T> for T
impl<T> IntoRequest<T> for T
Source§fn into_request(self) -> Request<T>
fn into_request(self) -> Request<T>
T in a tonic::Request