bytedocs_rs/core/

auth.rs

use crate::core::types::AuthConfig;
use crate::core::session_auth::SessionAuthMiddleware;
use axum::{
    extract::Request,
    http::{HeaderMap, StatusCode},
    middleware::Next,
    response::{IntoResponse, Response},
    Json,
};
use base64::prelude::*;
use serde_json::json;
use std::collections::HashMap;
use subtle::ConstantTimeEq;

pub async fn auth_middleware(
    config: Option<&AuthConfig>,
    request: Request,
    next: Next,
) -> Result<Response, StatusCode> {
    if let Some(config) = config {
        if !config.enabled {
            return Ok(next.run(request).await);
        }

        if config.r#type == "session" {
            // Handle session auth separately
            let session_auth = SessionAuthMiddleware::new(config).await
                .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
            return session_auth.handle(request, next).await;
        }

        if let Err(err) = authenticate_request(&request, config) {
            return Ok(handle_auth_error(config, &err).into_response());
        }
    }

    Ok(next.run(request).await)
}

fn authenticate_request(request: &Request, config: &AuthConfig) -> Result<(), String> {
    match config.r#type.as_str() {
        "basic" => authenticate_basic(request, config),
        "api_key" => authenticate_api_key(request, config),
        "bearer" => authenticate_bearer(request, config),
        _ => Err(format!("unsupported auth type: {}", config.r#type)),
    }
}

fn authenticate_basic(request: &Request, config: &AuthConfig) -> Result<(), String> {
    let headers = request.headers();
    let auth_header = headers
        .get("authorization")
        .ok_or("missing Authorization header")?
        .to_str()
        .map_err(|_| "invalid Authorization header")?;

    if !auth_header.starts_with("Basic ") {
        return Err("invalid Authorization header format".to_string());
    }

    let payload = BASE64_STANDARD
        .decode(&auth_header[6..])
        .map_err(|_| "invalid base64 in Authorization header")?;

    let credentials = String::from_utf8(payload)
        .map_err(|_| "invalid UTF-8 in credentials")?;

    let parts: Vec<&str> = credentials.splitn(2, ':').collect();
    if parts.len() != 2 {
        return Err("invalid credential format".to_string());
    }

    let (username, password) = (parts[0], parts[1]);

    if username.as_bytes().ct_eq(config.username.as_bytes()).unwrap_u8() != 1
        || password.as_bytes().ct_eq(config.password.as_bytes()).unwrap_u8() != 1
    {
        return Err("invalid credentials".to_string());
    }

    Ok(())
}

fn authenticate_api_key(request: &Request, config: &AuthConfig) -> Result<(), String> {
    let header_name = if config.api_key_header.is_empty() {
        "x-api-key"
    } else {
        &config.api_key_header
    };

    let headers = request.headers();
    let api_key = headers
        .get(header_name)
        .ok_or_else(|| format!("missing {} header", header_name))?
        .to_str()
        .map_err(|_| "invalid API key header")?;

    if api_key.as_bytes().ct_eq(config.api_key.as_bytes()).unwrap_u8() != 1 {
        return Err("invalid API key".to_string());
    }

    Ok(())
}

fn authenticate_bearer(request: &Request, config: &AuthConfig) -> Result<(), String> {
    let headers = request.headers();
    let auth_header = headers
        .get("authorization")
        .ok_or("missing Authorization header")?
        .to_str()
        .map_err(|_| "invalid Authorization header")?;

    if !auth_header.starts_with("Bearer ") {
        return Err("invalid Authorization header format".to_string());
    }

    let token = auth_header[7..].trim();
    if token.is_empty() {
        return Err("missing bearer token".to_string());
    }

    if token.as_bytes().ct_eq(config.api_key.as_bytes()).unwrap_u8() != 1 {
        return Err("invalid bearer token".to_string());
    }

    Ok(())
}

fn handle_auth_error(config: &AuthConfig, _error: &str) -> impl IntoResponse {
    let mut headers = HeaderMap::new();

    match config.r#type.as_str() {
        "basic" => {
            let realm = if config.realm.is_empty() {
                "Bytedocs API Documentation"
            } else {
                &config.realm
            };
            headers.insert(
                "www-authenticate",
                format!(r#"Basic realm="{}""#, realm).parse().unwrap(),
            );
        }
        "bearer" => {
            headers.insert(
                "www-authenticate",
                r#"Bearer realm="Bytedocs API Documentation""#.parse().unwrap(),
            );
        }
        _ => {}
    }

    let mut error_response = HashMap::new();
    error_response.insert("error", "Authentication required");
    error_response.insert("message", "Access to this resource requires authentication");
    error_response.insert("type", &config.r#type);

    let hint = match config.r#type.as_str() {
        "basic" => "Use HTTP Basic Authentication with username and password",
        "api_key" => {
            let header_name = if config.api_key_header.is_empty() {
                "X-API-Key"
            } else {
                &config.api_key_header
            };
            return (
                StatusCode::UNAUTHORIZED,
                headers,
                Json(json!({
                    "error": "Authentication required",
                    "message": "Access to this resource requires authentication",
                    "type": config.r#type,
                    "hint": format!("Provide API key in {} header", header_name)
                })),
            );
        }
        "bearer" => "Use Authorization: Bearer <token> header",
        _ => "Authentication required",
    };

    error_response.insert("hint", hint);

    (
        StatusCode::UNAUTHORIZED,
        headers,
        Json(json!(error_response)),
    )
}