arcly_http_identity/lib.rs
1//! # arcly-http-identity — CIAM building-block engine
2//!
3//! A storage-agnostic Customer Identity & Access Management (CIAM) *engine* for
4//! `arcly-http`. It is **not** a turnkey product (no admin console, no hosted
5//! login UI): it ships the traits, services, and (optional) controllers you
6//! compose into your own identity provider, in the same spirit as Ory
7//! Kratos/Hydra but as an embeddable Rust crate.
8//!
9//! ## What it gives you
10//!
11//! | Area | Type |
12//! |------|------|
13//! | User & credential storage | [`store::UserStore`], [`store::CredentialStore`] |
14//! | Password hashing | [`password::PasswordHasher`] + [`password::Argon2idHasher`] |
15//! | Register / login / refresh / logout | [`identity::IdentityService`] |
16//! | Brute-force protection | [`lockout::LockoutPolicy`] |
17//! | One-time tokens (verify / reset / magic link) | [`ott::OneTimeTokenService`] |
18//! | Passwordless (magic link + email/SMS OTP) | [`passwordless::PasswordlessService`] |
19//! | MFA (TOTP + recovery codes) | [`mfa`] |
20//! | Passkeys / WebAuthn | [`mfa::passkey`] (feature `passkey`) |
21//! | Adaptive / risk-based auth | [`risk::RiskEngine`] |
22//! | Consent (GDPR) | [`consent::ConsentStore`] |
23//! | OIDC Provider | [`oidc`] (feature `oidc`) |
24//!
25//! ## Design contract (matches the framework)
26//!
27//! * **All I/O is behind a trait** — you supply the Postgres/Redis/email
28//! backends; the crate links no database or mail SDK.
29//! * **Provide services via DI** in an `ArclyPlugin::on_init`
30//! (`ctx.provide(IdentityService::new(...))`), then resolve with `Inject<T>`.
31//! * **Tokens are minted through the framework's [`JwtService`](arcly_http_core::auth::JwtService)** so every
32//! existing guard (`JWT_AUTH`, `RoleGuard`, perms, ABAC) keeps working.
33//! * **CPU-bound work runs off the reactor** via `spawn_blocking`.
34
35pub mod consent;
36pub mod dpop;
37pub mod error;
38pub mod federation;
39pub mod identity;
40pub mod lockout;
41pub mod mfa;
42pub mod model;
43pub mod notify;
44pub mod ott;
45pub mod password;
46pub mod passwordless;
47pub mod risk;
48pub mod session;
49pub mod store;
50
51#[cfg(feature = "oidc")]
52pub mod oidc;
53
54pub use error::IdentityError;
55pub use identity::{IdentityConfig, IdentityService};
56pub use model::{AccountStatus, Identity, LoginOutcome, MfaState, TokenResponse};
57pub use password::{Argon2idHasher, PasswordHasher};
58pub use store::{CredentialStore, UserStore};
59
60/// One-line prelude for CIAM apps.
61pub mod prelude {
62 pub use crate::dpop::{
63 DpopProof, DpopReplayStore, DpopResourceGuard, DpopVerifier, MemoryDpopReplayStore,
64 };
65 pub use crate::error::IdentityError;
66 pub use crate::federation::{
67 BackChannelLogout, FederatedIdentity, FederatedIdentityStore, FederatedOutcome,
68 FederatedProfile, FederationAudit, IdTokenVerifier, IdpConfig, IdpKind, IdpRegistry,
69 JwtIdTokenVerifier, LinkingConfig, VerifiedIdToken,
70 };
71 pub use crate::identity::{IdentityConfig, IdentityService};
72 pub use crate::lockout::LockoutPolicy;
73 #[cfg(feature = "totp")]
74 pub use crate::mfa::totp::{TotpEnrollment, TotpService};
75 pub use crate::model::{
76 AccountStatus, Identity, LoginOutcome, MfaState, RegisterRequest, TokenResponse,
77 };
78 pub use crate::notify::{Notification, Notifier};
79 pub use crate::ott::{OneTimeTokenService, OttPurpose};
80 pub use crate::password::{Argon2idHasher, BreachChecker, PasswordHasher, PasswordPolicy};
81 pub use crate::passwordless::PasswordlessService;
82 pub use crate::risk::{RiskEngine, RiskSignal, RiskVerdict};
83 pub use crate::store::{CredentialStore, EncryptingUserStore, PiiCipher, UserStore};
84}