acton-htmx 1.0.0-beta.7

Opinionated Rust web framework for HTMX applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350

//! Core OAuth2 types and configuration
//!
//! This module defines the foundational types for OAuth2 authentication,
//! including provider configurations, tokens, and user information.

use oauth2::basic::BasicClient;
use oauth2::{EndpointNotSet, EndpointSet};
use serde::{Deserialize, Serialize};
use std::str::FromStr;
use std::time::{Duration, SystemTime};

/// Type alias for a configured OAuth2 client with auth and token endpoints set
///
/// This is the standard client type used by all OAuth2 providers (Google, GitHub, OIDC).
/// The type parameters indicate which endpoints are configured:
/// - `EndpointSet` for `HasAuthUrl` - Authorization endpoint is configured
/// - `EndpointNotSet` for `HasDeviceAuthUrl` - Device auth not used
/// - `EndpointNotSet` for `HasIntrospectionUrl` - Token introspection not used
/// - `EndpointNotSet` for `HasRevocationUrl` - Token revocation not used
/// - `EndpointSet` for `HasTokenUrl` - Token exchange endpoint is configured
pub type ConfiguredClient = BasicClient<
    EndpointSet,    // HasAuthUrl
    EndpointNotSet, // HasDeviceAuthUrl
    EndpointNotSet, // HasIntrospectionUrl
    EndpointNotSet, // HasRevocationUrl
    EndpointSet,    // HasTokenUrl
>;

/// OAuth2 provider identifier
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, Serialize, Deserialize)]
#[serde(rename_all = "lowercase")]
pub enum OAuthProvider {
    /// Google OAuth2
    Google,
    /// GitHub OAuth2
    GitHub,
    /// Generic OpenID Connect provider
    Oidc,
}

impl OAuthProvider {
    /// Get the provider as a string (lowercase)
    #[must_use]
    pub const fn as_str(&self) -> &'static str {
        match self {
            Self::Google => "google",
            Self::GitHub => "github",
            Self::Oidc => "oidc",
        }
    }
}

impl FromStr for OAuthProvider {
    type Err = OAuthError;

    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.to_lowercase().as_str() {
            "google" => Ok(Self::Google),
            "github" => Ok(Self::GitHub),
            "oidc" => Ok(Self::Oidc),
            _ => Err(OAuthError::UnknownProvider(s.to_string())),
        }
    }
}

/// Configuration for an OAuth2 provider
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ProviderConfig {
    /// OAuth2 client ID
    pub client_id: String,
    /// OAuth2 client secret
    pub client_secret: String,
    /// Redirect URI (callback URL)
    pub redirect_uri: String,
    /// OAuth2 scopes to request
    pub scopes: Vec<String>,
    /// Authorization endpoint (for generic OIDC)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_url: Option<String>,
    /// Token endpoint (for generic OIDC)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub token_url: Option<String>,
    /// UserInfo endpoint (for generic OIDC)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub userinfo_url: Option<String>,
}

/// Complete OAuth2 configuration for all providers
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuthConfig {
    /// Google OAuth2 configuration
    #[serde(skip_serializing_if = "Option::is_none")]
    pub google: Option<ProviderConfig>,
    /// GitHub OAuth2 configuration
    #[serde(skip_serializing_if = "Option::is_none")]
    pub github: Option<ProviderConfig>,
    /// Generic OIDC configuration
    #[serde(skip_serializing_if = "Option::is_none")]
    pub oidc: Option<ProviderConfig>,
}

impl OAuthConfig {
    /// Create a new empty OAuth2 configuration
    #[must_use]
    pub const fn new() -> Self {
        Self {
            google: None,
            github: None,
            oidc: None,
        }
    }

    /// Get a reference to the provider configuration option
    ///
    /// This is a helper method to reduce code duplication in provider lookups.
    /// Returns `Option<&ProviderConfig>` following Rust idioms for optional references.
    const fn provider_config(&self, provider: OAuthProvider) -> Option<&ProviderConfig> {
        match provider {
            OAuthProvider::Google => self.google.as_ref(),
            OAuthProvider::GitHub => self.github.as_ref(),
            OAuthProvider::Oidc => self.oidc.as_ref(),
        }
    }

    /// Get configuration for a specific provider
    ///
    /// # Errors
    ///
    /// Returns error if the provider is not configured
    pub fn get_provider(&self, provider: OAuthProvider) -> Result<&ProviderConfig, OAuthError> {
        self.provider_config(provider)
            .ok_or(OAuthError::ProviderNotConfigured(provider))
    }

    /// Check if a provider is configured
    #[must_use]
    pub const fn is_provider_configured(&self, provider: OAuthProvider) -> bool {
        self.provider_config(provider).is_some()
    }
}

impl Default for OAuthConfig {
    fn default() -> Self {
        Self::new()
    }
}

/// OAuth2 CSRF state token
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuthState {
    /// The state token
    pub token: String,
    /// Provider for this state
    pub provider: OAuthProvider,
    /// When the state expires
    pub expires_at: SystemTime,
}

impl OAuthState {
    /// Generate a new state token
    #[must_use]
    pub fn generate(provider: OAuthProvider) -> Self {
        use rand::Rng;

        // Generate 32 bytes of random data and encode as hex
        let random_bytes: [u8; 32] = rand::rng().random();
        let token = hex::encode(random_bytes);

        Self {
            token,
            provider,
            expires_at: SystemTime::now() + Duration::from_secs(600), // 10 minutes
        }
    }

    /// Check if the state token has expired
    #[must_use]
    pub fn is_expired(&self) -> bool {
        SystemTime::now() > self.expires_at
    }
}

/// OAuth2 access token
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuthToken {
    /// Access token
    pub access_token: String,
    /// Refresh token (if provided)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub refresh_token: Option<String>,
    /// Token type (usually "Bearer")
    pub token_type: String,
    /// When the token expires
    #[serde(skip_serializing_if = "Option::is_none")]
    pub expires_at: Option<SystemTime>,
    /// OAuth2 scopes granted
    #[serde(skip_serializing_if = "Option::is_none")]
    pub scopes: Option<Vec<String>>,
}

impl OAuthToken {
    /// Check if the access token has expired
    #[must_use]
    pub fn is_expired(&self) -> bool {
        self.expires_at
            .is_some_and(|expires| SystemTime::now() > expires)
    }
}

/// User information from OAuth2 provider
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct OAuthUserInfo {
    /// Provider-specific user ID
    pub provider_user_id: String,
    /// Email address
    pub email: String,
    /// Display name
    #[serde(skip_serializing_if = "Option::is_none")]
    pub name: Option<String>,
    /// Avatar/profile picture URL
    #[serde(skip_serializing_if = "Option::is_none")]
    pub avatar_url: Option<String>,
    /// Whether email is verified
    pub email_verified: bool,
}

/// OAuth2 errors
#[derive(Debug, thiserror::Error)]
pub enum OAuthError {
    /// Unknown provider
    #[error("Unknown OAuth2 provider: {0}")]
    UnknownProvider(String),

    /// Provider not configured
    #[error("OAuth2 provider not configured: {0:?}")]
    ProviderNotConfigured(OAuthProvider),

    /// Invalid state token
    #[error("Invalid or expired OAuth2 state token")]
    InvalidState,

    /// State token mismatch (potential CSRF attack)
    #[error("OAuth2 state token mismatch (potential CSRF attack)")]
    StateMismatch,

    /// Authorization code exchange failed
    #[error("Failed to exchange authorization code for token: {0}")]
    TokenExchangeFailed(String),

    /// Failed to fetch user info
    #[error("Failed to fetch user information: {0}")]
    UserInfoFailed(String),

    /// Token expired
    #[error("OAuth2 token has expired")]
    TokenExpired,

    /// Generic OAuth2 error
    #[error("OAuth2 error: {0}")]
    Generic(String),
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_provider_as_str() {
        assert_eq!(OAuthProvider::Google.as_str(), "google");
        assert_eq!(OAuthProvider::GitHub.as_str(), "github");
        assert_eq!(OAuthProvider::Oidc.as_str(), "oidc");
    }

    #[test]
    fn test_provider_from_str() {
        assert_eq!(
            "google".parse::<OAuthProvider>().unwrap(),
            OAuthProvider::Google
        );
        assert_eq!(
            "GOOGLE".parse::<OAuthProvider>().unwrap(),
            OAuthProvider::Google
        );
        assert_eq!(
            "github".parse::<OAuthProvider>().unwrap(),
            OAuthProvider::GitHub
        );
        assert_eq!(
            "oidc".parse::<OAuthProvider>().unwrap(),
            OAuthProvider::Oidc
        );
        assert!("invalid".parse::<OAuthProvider>().is_err());
    }

    #[test]
    fn test_oauth_config_default() {
        let config = OAuthConfig::default();
        assert!(config.google.is_none());
        assert!(config.github.is_none());
        assert!(config.oidc.is_none());
    }

    #[test]
    fn test_oauth_config_is_provider_configured() {
        let mut config = OAuthConfig::default();
        assert!(!config.is_provider_configured(OAuthProvider::Google));

        config.google = Some(ProviderConfig {
            client_id: "test".to_string(),
            client_secret: "test".to_string(),
            redirect_uri: "http://localhost/callback".to_string(),
            scopes: vec!["email".to_string()],
            auth_url: None,
            token_url: None,
            userinfo_url: None,
        });

        assert!(config.is_provider_configured(OAuthProvider::Google));
        assert!(!config.is_provider_configured(OAuthProvider::GitHub));
    }

    #[test]
    fn test_oauth_state_generation() {
        let state = OAuthState::generate(OAuthProvider::Google);
        assert_eq!(state.provider, OAuthProvider::Google);
        assert!(!state.is_expired());
        assert_eq!(state.token.len(), 64); // 32 bytes encoded as hex
    }

    #[test]
    fn test_oauth_token_is_expired() {
        let token = OAuthToken {
            access_token: "test".to_string(),
            refresh_token: None,
            token_type: "Bearer".to_string(),
            expires_at: None,
            scopes: None,
        };
        assert!(!token.is_expired());

        let expired_token = OAuthToken {
            access_token: "test".to_string(),
            refresh_token: None,
            token_type: "Bearer".to_string(),
            expires_at: Some(SystemTime::now() - Duration::from_secs(3600)),
            scopes: None,
        };
        assert!(expired_token.is_expired());
    }
}