arcgis 0.1.3

Type-safe Rust SDK for the ArcGIS REST API with compile-time guarantees
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369

//! OAuth 2.0 Client Credentials Flow for automated authentication.
//!
//! This module implements the OAuth 2.0 Client Credentials grant type,
//! which is designed for server-to-server authentication without requiring
//! user interaction or browser-based authorization.
//!
//! # Use Cases
//!
//! - Server applications and backend services
//! - Automated scripts and CLI tools
//! - CI/CD pipelines
//! - Any scenario without human interaction
//!
//! # Security
//!
//! - Client secret must be kept confidential
//! - Tokens are short-lived (typically 2 hours)
//! - Automatic token refresh before expiration
//! - HTTPS required (enforced by ArcGIS)
//!
//! # Example
//!
//! ```no_run
//! use arcgis::ClientCredentialsAuth;
//!
//! # async fn example() -> arcgis::Result<()> {
//! // Load credentials from .env file (ARCGIS_CLIENT_ID and ARCGIS_CLIENT_SECRET)
//! let auth = ClientCredentialsAuth::from_env()?;
//!
//! // Token is fetched automatically on first use
//! let client = arcgis::ArcGISClient::new(auth);
//! # Ok(())
//! # }
//! ```

use crate::{AuthProvider, Result};
use async_trait::async_trait;
use secrecy::{ExposeSecret, SecretString};
use serde::{Deserialize, Serialize};
use std::sync::Arc;
use std::time::{Duration, Instant};
use tokio::sync::RwLock;
use tracing::instrument;

/// Token response from ArcGIS OAuth endpoint.
#[derive(Debug, Clone, Deserialize, Serialize)]
struct TokenResponse {
    /// The access token
    access_token: String,
    /// Token lifetime in seconds (typically 7200 = 2 hours)
    expires_in: u64,
}

/// Stored token with expiration tracking.
#[derive(Debug, Clone)]
struct StoredToken {
    /// The access token
    access_token: String,
    /// When the token was fetched
    fetched_at: Instant,
    /// Token lifetime in seconds
    expires_in: u64,
}

/// OAuth 2.0 Client Credentials authentication provider.
///
/// Implements automated server-to-server authentication using the
/// OAuth 2.0 Client Credentials grant type. This provider:
///
/// - Fetches tokens automatically on first use
/// - Refreshes tokens automatically before expiration
/// - Requires no human interaction or browser
/// - Is thread-safe for concurrent use
///
/// # Security Features
///
/// - Short-lived tokens (typically 2 hours)
/// - Automatic refresh with 5-minute expiration buffer
/// - SSRF prevention (HTTP redirects disabled)
/// - Secure client secret handling
///
/// # Example
///
/// ```no_run
/// use arcgis::{ClientCredentialsAuth, ArcGISClient, AuthProvider};
///
/// # async fn example() -> arcgis::Result<()> {
/// // Create authenticator
/// let auth = ClientCredentialsAuth::new(
///     "your_client_id".to_string(),
///     "your_client_secret".to_string(),
/// )?;
///
/// // Get token (fetched automatically)
/// let token = auth.get_token().await?;
///
/// // Or use with client (token management is automatic)
/// let client = ArcGISClient::new(auth);
/// # Ok(())
/// # }
/// ```
pub struct ClientCredentialsAuth {
    /// Client ID from ArcGIS Developer dashboard
    client_id: String,
    /// Client secret (kept confidential, never logged)
    client_secret: SecretString,
    /// HTTP client with security configuration
    http_client: reqwest::Client,
    /// Stored access token
    token: Arc<RwLock<Option<StoredToken>>>,
}

impl ClientCredentialsAuth {
    /// Creates a new OAuth Client Credentials authenticator.
    ///
    /// # Arguments
    ///
    /// * `client_id` - Application client ID from ArcGIS Developer dashboard
    /// * `client_secret` - Application client secret (keep confidential)
    ///
    /// # Security
    ///
    /// The HTTP client is configured to prevent SSRF attacks by disabling
    /// automatic redirect following.
    ///
    /// # Errors
    ///
    /// Returns an error if the token URL is invalid or if the HTTP client
    /// cannot be created.
    ///
    /// # Example
    ///
    /// ```no_run
    /// use arcgis::ClientCredentialsAuth;
    ///
    /// # fn example() -> Result<(), Box<dyn std::error::Error>> {
    /// let auth = ClientCredentialsAuth::new(
    ///     std::env::var("ARCGIS_CLIENT_ID")?,
    ///     std::env::var("ARCGIS_CLIENT_SECRET")?,
    /// )?;
    /// # Ok(())
    /// # }
    /// ```
    #[instrument(skip(client_id, client_secret))]
    pub fn new(client_id: String, client_secret: String) -> Result<Self> {
        tracing::debug!("Creating OAuth Client Credentials authenticator");

        // Security: disable redirects to prevent SSRF vulnerabilities
        let http_client = reqwest::Client::builder()
            .redirect(reqwest::redirect::Policy::none())
            .build()?;

        tracing::debug!("OAuth Client Credentials authenticator created");

        Ok(Self {
            client_id,
            client_secret: SecretString::new(client_secret.into_boxed_str()),
            http_client,
            token: Arc::new(RwLock::new(None)),
        })
    }

    /// Creates a new OAuth Client Credentials authenticator from environment variables.
    ///
    /// This method automatically loads `.env` file and reads the `ARCGIS_CLIENT_ID` and
    /// `ARCGIS_CLIENT_SECRET` environment variables.
    ///
    /// # Environment Variables
    ///
    /// - `ARCGIS_CLIENT_ID` - Application client ID from ArcGIS Developer dashboard
    /// - `ARCGIS_CLIENT_SECRET` - Application client secret (keep confidential)
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The `ARCGIS_CLIENT_ID` environment variable is not set
    /// - The `ARCGIS_CLIENT_SECRET` environment variable is not set
    /// - The HTTP client cannot be created
    ///
    /// The error preserves the original `std::env::VarError` in the error chain.
    ///
    /// # Example
    ///
    /// ```no_run
    /// use arcgis::ClientCredentialsAuth;
    ///
    /// # fn example() -> arcgis::Result<()> {
    /// // Reads ARCGIS_CLIENT_ID and ARCGIS_CLIENT_SECRET from .env file
    /// let auth = ClientCredentialsAuth::from_env()?;
    /// # Ok(())
    /// # }
    /// ```
    #[instrument]
    pub fn from_env() -> Result<Self> {
        tracing::debug!("Loading OAuth credentials from environment");

        // Get global configuration (automatically loads .env on first access)
        let config = crate::EnvConfig::global();

        // Read ARCGIS_CLIENT_ID from config
        let client_id = config.arcgis_client_id.as_ref().ok_or_else(|| {
            tracing::error!("ARCGIS_CLIENT_ID environment variable not set or invalid");
            crate::Error::from(crate::ErrorKind::Env(crate::EnvError::new(
                std::env::VarError::NotPresent,
            )))
        })?;

        // Read ARCGIS_CLIENT_SECRET from config
        let client_secret = config.arcgis_client_secret.as_ref().ok_or_else(|| {
            tracing::error!("ARCGIS_CLIENT_SECRET environment variable not set or invalid");
            crate::Error::from(crate::ErrorKind::Env(crate::EnvError::new(
                std::env::VarError::NotPresent,
            )))
        })?;

        tracing::debug!("Successfully loaded OAuth credentials from environment");

        Self::new(
            client_id.expose_secret().to_string(),
            client_secret.expose_secret().to_string(),
        )
    }

    /// Fetches a new access token from the ArcGIS token endpoint.
    ///
    /// This method makes a POST request to the OAuth token endpoint with
    /// the client credentials to obtain a new access token.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - The HTTP request fails
    /// - The credentials are invalid
    /// - The ArcGIS server returns an error
    #[instrument(skip(self))]
    async fn fetch_token(&self) -> Result<()> {
        tracing::debug!("Fetching new access token via client credentials flow");

        let params = [
            ("client_id", self.client_id.as_str()),
            ("client_secret", self.client_secret.expose_secret()),
            ("grant_type", "client_credentials"),
            ("f", "json"), // ArcGIS requires this for JSON response
        ];

        let response = self
            .http_client
            .post("https://www.arcgis.com/sharing/rest/oauth2/token")
            .form(&params)
            .send()
            .await?;

        if !response.status().is_success() {
            let status = response.status();
            let body = response
                .text()
                .await
                .unwrap_or_else(|_| "<no body>".to_string());
            return Err(crate::ErrorKind::OAuth(format!(
                "Token request failed with status {}: {}",
                status, body
            ))
            .into());
        }

        let token_response: TokenResponse = response.json().await?;

        tracing::info!(
            expires_in = token_response.expires_in,
            "Access token obtained successfully"
        );

        let stored_token = StoredToken {
            access_token: token_response.access_token,
            fetched_at: Instant::now(),
            expires_in: token_response.expires_in,
        };

        *self.token.write().await = Some(stored_token);

        Ok(())
    }

    /// Checks if the current token is expired or will expire soon.
    ///
    /// Returns `true` if:
    /// - Token will expire within 5 minutes
    ///
    /// The 5-minute buffer prevents race conditions where a token
    /// expires between retrieval and use.
    fn is_token_expired(token: &StoredToken) -> bool {
        let age = token.fetched_at.elapsed();
        let expires_in = Duration::from_secs(token.expires_in);
        let buffer = Duration::from_secs(300); // 5-minute buffer

        age + buffer >= expires_in
    }
}

#[async_trait]
impl AuthProvider for ClientCredentialsAuth {
    /// Returns the current access token, fetching or refreshing if necessary.
    ///
    /// This method:
    /// - Fetches a token on first use
    /// - Returns the cached token if valid
    /// - Automatically refreshes tokens expiring within 5 minutes
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - Token fetch fails (invalid credentials, network error)
    /// - Token refresh fails
    ///
    /// # Example
    ///
    /// ```no_run
    /// use arcgis::{ClientCredentialsAuth, AuthProvider};
    ///
    /// # async fn example() -> arcgis::Result<()> {
    /// let auth = ClientCredentialsAuth::new(
    ///     "client_id".to_string(),
    ///     "client_secret".to_string(),
    /// )?;
    ///
    /// // First call fetches token
    /// let token1 = auth.get_token().await?;
    ///
    /// // Second call returns cached token
    /// let token2 = auth.get_token().await?;
    ///
    /// assert_eq!(token1, token2);
    /// # Ok(())
    /// # }
    /// ```
    #[instrument(skip(self))]
    async fn get_token(&self) -> Result<String> {
        let token_guard = self.token.read().await;

        if let Some(token) = token_guard.as_ref() {
            // Check if token is expired or expiring soon
            if Self::is_token_expired(token) {
                drop(token_guard);
                tracing::debug!("Token expiring soon, fetching new token");
                self.fetch_token().await?;

                let new_guard = self.token.read().await;
                let token = new_guard.as_ref().ok_or_else(|| {
                    crate::ErrorKind::OAuth("Token missing after successful fetch".to_string())
                })?;
                return Ok(token.access_token.clone());
            }

            tracing::debug!("Returning cached access token");
            Ok(token.access_token.clone())
        } else {
            // No token exists - fetch one
            drop(token_guard);
            tracing::debug!("No token exists, fetching initial token");
            self.fetch_token().await?;

            let guard = self.token.read().await;
            let token = guard.as_ref().ok_or_else(|| {
                crate::ErrorKind::OAuth("Token missing after successful fetch".to_string())
            })?;
            Ok(token.access_token.clone())
        }
    }
}