arcly-http-identity 0.9.0

CIAM building-block engine for arcly-http: identity store traits, password hashing, MFA (TOTP), passwordless & account lifecycle, risk signals, and an OIDC provider — storage-agnostic, zero-lock, all I/O behind traits.
Documentation
//! # arcly-http-identity — CIAM building-block engine
//!
//! A storage-agnostic Customer Identity & Access Management (CIAM) *engine* for
//! `arcly-http`. It is **not** a turnkey product (no admin console, no hosted
//! login UI): it ships the traits, services, and (optional) controllers you
//! compose into your own identity provider, in the same spirit as Ory
//! Kratos/Hydra but as an embeddable Rust crate.
//!
//! ## What it gives you
//!
//! | Area | Type |
//! |------|------|
//! | User & credential storage | [`store::UserStore`], [`store::CredentialStore`] |
//! | Password hashing | [`password::PasswordHasher`] + [`password::Argon2idHasher`] |
//! | Register / login / refresh / logout | [`identity::IdentityService`] |
//! | Brute-force protection | [`lockout::LockoutPolicy`] |
//! | One-time tokens (verify / reset / magic link) | [`ott::OneTimeTokenService`] |
//! | Passwordless (magic link + email/SMS OTP) | [`passwordless::PasswordlessService`] |
//! | MFA (TOTP + recovery codes) | [`mfa`] |
//! | Passkeys / WebAuthn | [`mfa::passkey`] (feature `passkey`) |
//! | Adaptive / risk-based auth | [`risk::RiskEngine`] |
//! | Consent (GDPR) | [`consent::ConsentStore`] |
//! | OIDC Provider | [`oidc`] (feature `oidc`) |
//!
//! ## Design contract (matches the framework)
//!
//! * **All I/O is behind a trait** — you supply the Postgres/Redis/email
//!   backends; the crate links no database or mail SDK.
//! * **Provide services via DI** in an `ArclyPlugin::on_init`
//!   (`ctx.provide(IdentityService::new(...))`), then resolve with `Inject<T>`.
//! * **Tokens are minted through the framework's [`JwtService`](arcly_http_core::auth::JwtService)** so every
//!   existing guard (`JWT_AUTH`, `RoleGuard`, perms, ABAC) keeps working.
//! * **CPU-bound work runs off the reactor** via `spawn_blocking`.

pub mod consent;
pub mod dpop;
pub mod error;
pub mod federation;
pub mod identity;
pub mod lockout;
pub mod mfa;
pub mod model;
pub mod notify;
pub mod ott;
pub mod password;
pub mod passwordless;
pub mod risk;
pub mod session;
pub mod store;

#[cfg(feature = "oidc")]
pub mod oidc;

pub use error::IdentityError;
pub use identity::{IdentityConfig, IdentityService};
pub use model::{AccountStatus, Identity, LoginOutcome, MfaState, TokenResponse};
pub use password::{Argon2idHasher, PasswordHasher};
pub use store::{CredentialStore, UserStore};

/// One-line prelude for CIAM apps.
pub mod prelude {
    pub use crate::dpop::{
        DpopProof, DpopReplayStore, DpopResourceGuard, DpopVerifier, MemoryDpopReplayStore,
    };
    pub use crate::error::IdentityError;
    pub use crate::federation::{
        BackChannelLogout, FederatedIdentity, FederatedIdentityStore, FederatedOutcome,
        FederatedProfile, FederationAudit, IdTokenVerifier, IdpConfig, IdpKind, IdpRegistry,
        JwtIdTokenVerifier, LinkingConfig, VerifiedIdToken,
    };
    pub use crate::identity::{IdentityConfig, IdentityService};
    pub use crate::lockout::LockoutPolicy;
    #[cfg(feature = "totp")]
    pub use crate::mfa::totp::{TotpEnrollment, TotpService};
    pub use crate::model::{
        AccountStatus, Identity, LoginOutcome, MfaState, RegisterRequest, TokenResponse,
    };
    pub use crate::notify::{Notification, Notifier};
    pub use crate::ott::{OneTimeTokenService, OttPurpose};
    pub use crate::password::{Argon2idHasher, BreachChecker, PasswordHasher, PasswordPolicy};
    pub use crate::passwordless::PasswordlessService;
    pub use crate::risk::{RiskEngine, RiskSignal, RiskVerdict};
    pub use crate::store::{CredentialStore, EncryptingUserStore, PiiCipher, UserStore};
}