auth-framework 0.4.2

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354

/*!
# Auth Framework

A comprehensive authentication and authorization framework for Rust applications.

This crate provides a unified interface for various authentication methods,
token management, permission checking, and secure credential handling with
a focus on distributed systems.

## Features

- Multiple authentication methods (OAuth, API keys, JWT, etc.)
- Token issuance, validation, and refresh with RSA and HMAC signing
- RSA key format support: PKCS#1 and PKCS#8 formats auto-detected
- Role-based access control integration
- Permission checking and enforcement
- Secure credential storage
- Authentication middleware for web frameworks
- Distributed authentication with cross-node validation
- Single sign-on capabilities
- Multi-factor authentication support
- Audit logging of authentication events
- Rate limiting and brute force protection
- Session management
- Password hashing and validation
- Customizable authentication flows

## Quick Start


```rust,no_run
use auth_framework::{AuthFramework, AuthConfig, methods::JwtMethod};
use std::time::Duration;

# #[tokio::main]
# async fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Configure the auth framework
    let config = AuthConfig::new()
        .token_lifetime(Duration::from_secs(3600))
        .refresh_token_lifetime(Duration::from_secs(86400 * 7));

    // Create the auth framework
    let mut auth = AuthFramework::new(config);

    // Register a JWT authentication method
    let jwt_method = JwtMethod::new()
        .secret_key("your-secret-key")
        .issuer("your-service");

    auth.register_method("jwt", auth_framework::methods::AuthMethodEnum::Jwt(jwt_method));

    // Initialize the framework
    auth.initialize().await?;

    // Create a token
    let token = auth.create_auth_token(
        "user123",
        vec!["read".to_string(), "write".to_string()],
        "jwt",
        None,
    ).await?;

    // Validate the token
    if auth.validate_token(&token).await? {
        println!("Token is valid!");

        // Check permissions
        if auth.check_permission(&token, "read", "documents").await? {
            println!("User has permission to read documents");
        }
    }
# Ok(())
# }
```

## Security Considerations

- Always use HTTPS in production
- Use strong, unique secrets for token signing
- Enable rate limiting to prevent brute force attacks
- Regularly rotate secrets and keys
- Monitor authentication events for suspicious activity
- Follow the principle of least privilege for permissions

See the [Security Policy](https://github.com/yourusername/auth-framework/blob/main/SECURITY.md)
for comprehensive security guidelines.
*/

// REST API Server - NEW!
#[cfg(feature = "api-server")]
pub mod api;

// ## Quick Start
//
// ```rust,no_run
// use auth_framework::{AuthFramework, AuthConfig};
// use auth_framework::methods::JwtMethod;
// use std::time::Duration;
//
// # #[tokio::main]
// # async fn main() -> Result<(), Box<dyn std::error::Error>> {
// // Configure the auth framework
// let config = AuthConfig::new()
//     .token_lifetime(Duration::from_secs(3600))
//     .refresh_token_lifetime(Duration::from_secs(86400 * 7));
//
// // Create the auth framework
// let mut auth = AuthFramework::new(config);
//
// // Register a JWT authentication method
// let jwt_method = JwtMethod::new()
//     .secret_key("your-secret-key")
//     .issuer("your-service");
//
// auth.register_method("jwt", Box::new(jwt_method));
//
// // Initialize the framework
// auth.initialize().await?;
//
// // Create a token
// let token = auth.create_auth_token(
//     "user123",
//     vec!["read".to_string(), "write".to_string()],
//     "jwt",
//     None,
// ).await?;
//
// // Validate the token
// if auth.validate_token(&token).await? {
//     println!("Token is valid!");
//
//     // Check permissions
//     if auth.check_permission(&token, "read", "documents").await? {
//         println!("User has permission to read documents");
//     }
// }
// # Ok(())
// # }
// ```
//
// ## Security Considerations
//
// - Always use HTTPS in production
// - Use strong, unique secrets for token signing
// - Enable rate limiting to prevent brute force attacks
// - Regularly rotate secrets and keys
// - Monitor authentication events for suspicious activity
// - Follow the principle of least privilege for permissions
//
// See the [Security Policy](https://github.com/yourusername/auth-framework/blob/main/SECURITY.md)
// for comprehensive security guidelines.

// Admin interface (conditional on admin-binary feature)
#[cfg(feature = "admin-binary")]
pub mod admin;

pub mod auth;
pub mod auth_modular; // Modular authentication components
pub mod authentication; // Reorganized authentication modules
pub mod errors;
pub mod methods;
pub mod permissions;
pub mod profile_utils;
pub mod providers;

// SDK generation for multiple languages
#[cfg(feature = "enhanced-rbac")]
pub mod sdks;

pub mod server;
pub mod storage;
pub mod testing; // Reorganized testing modules
pub mod threat_intelligence; // Automated threat intelligence feed management
pub mod tokens;
pub mod utils;

// Migration utilities for role-system v1.0 integration
pub mod migration;

// Analytics and monitoring for RBAC systems
pub mod analytics;

// Production deployment automation and monitoring
pub mod deployment;

// User context and session management
pub mod user_context;

// Enhanced OAuth2 storage with proper validation
pub mod oauth2_enhanced_storage;

// OAuth2 server implementation
// Secure OAuth2 server implementation
pub mod oauth2_server;

// Consolidated security modules
pub mod audit;
pub mod authorization;
#[cfg(feature = "role-system")]
pub mod authorization_enhanced;
pub mod distributed_rate_limiting; // Advanced distributed rate limiting
pub mod security;
pub mod session; // Reorganized session modules

// Configuration management
pub mod config;

// Monitoring and metrics collection
pub mod monitoring;

// Enhanced observability
#[cfg(feature = "enhanced-observability")]
pub mod observability;

// Architecture enhancements
#[cfg(feature = "event-sourcing")]
pub mod architecture;

// Web framework integrations
pub mod integrations {
    #[cfg(feature = "axum-integration")]
    pub mod axum;

    #[cfg(feature = "actix-integration")]
    pub mod actix_web;

    #[cfg(feature = "warp-integration")]
    pub mod warp;
}

// Database migrations
pub mod migrations;

// CLI tools
pub mod cli;

// Ergonomic builders and prelude for better developer experience
pub mod builders;
pub mod prelude;

// WS-Security 1.1 and SAML 2.0 support
pub mod saml_assertions;
pub mod ws_security;
pub mod ws_trust;

// Re-exports - Main modular auth framework components
pub use crate::auth::{AuthFramework, AuthResult, AuthStats, UserInfo};
pub use authentication::credentials::Credential;
pub use config::{
    AuthConfig,
    app_config::{AppConfig, ConfigBuilder},
};
pub use errors::{AuthError, Result};
pub use methods::{
    ApiKeyMethod, AuthMethod, JwtMethod, MethodResult, OAuth2Method, PasswordMethod,
};

// REST API Server exports
#[cfg(feature = "api-server")]
pub use api::{ApiError, ApiResponse, ApiServer, ApiState};

// SAML support (feature-gated)
#[cfg(feature = "saml")]
pub use methods::saml;

// PKCE support functions
pub use providers::generate_pkce;

// WS-Security and WS-Trust support
pub use permissions::{Permission, PermissionChecker, Role};
pub use profile_utils::{ExtractProfile, TokenToProfile};
pub use providers::{DeviceAuthorizationResponse, OAuthProvider, OAuthProviderConfig, UserProfile};
pub use tokens::AuthToken;
pub use ws_security::{UsernameToken, WsSecurityClient, WsSecurityConfig, WsSecurityHeader};
pub use ws_trust::RequestSecurityToken;

// Server-side authentication and authorization - Now working!
pub use server::oidc::{
    Address, AuthorizationValidationResult, IdTokenClaims, Jwk, JwkSet, LogoutResponse,
    OidcAuthorizationRequest, OidcConfig, OidcDiscoveryDocument, OidcProvider, SubjectType,
    UserInfo as OidcUserInfo,
};

// Phase 2: Logout & Security Ecosystem specifications
pub use server::oidc::{
    oidc_backchannel_logout::{
        BackChannelLogoutConfig, BackChannelLogoutManager, BackChannelLogoutRequest,
        BackChannelLogoutResponse, LogoutEvents, LogoutTokenClaims, NotificationResult,
        RpBackChannelConfig,
    },
    oidc_frontchannel_logout::{
        FailedNotification, FrontChannelLogoutConfig, FrontChannelLogoutManager,
        FrontChannelLogoutRequest, FrontChannelLogoutResponse, RpFrontChannelConfig,
    },
};

// OAuth2 server types and configurations
pub use oauth2_server::{
    AuthorizationRequest, GrantType, OAuth2Config, OAuth2Server, ResponseType, TokenRequest,
    TokenResponse,
};

// Server configuration types
pub use server::{
    ClientRegistrationRequest, ClientType, WorkingServerConfig,
    core::{
        client_registration::ClientRegistrationRequest as ServerClientRegistrationRequest,
        client_registry::ClientType as ServerClientType,
    },
};

// Advanced server modules and RFC implementations
pub use server::{
    DpopManager, MetadataProvider, OAuth2Server as ServerOAuth2Server, PARManager,
    PrivateKeyJwtManager, TokenIntrospectionService,
};

// Security and authentication module re-exports
pub use audit::{AuditEvent, AuditEventType, AuditLogger, EventOutcome, RiskLevel};
pub use authentication::mfa::{MfaManager as LegacyMfaManager, MfaMethodType, TotpProvider};
pub use authorization::{
    AccessCondition, AuthorizationEngine, Permission as AuthzPermission, Role as AuthzRole,
};
pub use security::secure_jwt::{SecureJwtClaims, SecureJwtConfig, SecureJwtValidator};
pub use security::secure_mfa::SecureMfaService;
pub use security::secure_session::{
    DeviceFingerprint, SecureSession, SecureSessionConfig, SecureSessionManager, SecurityFlags,
    SessionState as SecureSessionState,
};
pub use security::secure_utils::{SecureComparison, SecureRandomGen};
pub use session::manager::{
    DeviceInfo, Session, SessionConfig, SessionManager as LegacySessionManager, SessionState,
};
pub use utils::rate_limit::RateLimiter;

// Monitoring and metrics
pub use monitoring::{
    HealthCheckResult, HealthStatus, MetricDataPoint, MetricType, MonitoringConfig,
    MonitoringManager, PerformanceMetrics, SecurityEvent, SecurityEventSeverity, SecurityEventType,
};

// Session coordination stats from auth module
pub use auth::SessionCoordinationStats;

// Re-export testing utilities when available
#[cfg(any(test, feature = "testing"))]
pub use testing::{MockAuthMethod, MockStorage}; // Removed helpers temporarily

// Re-export test infrastructure for bulletproof testing
#[cfg(any(test, feature = "testing"))]
pub use testing::{
    test_infrastructure::{TestEnvironmentGuard, test_data},
    utilities::*,
};