axum-authentik-auth 0.1.0

Axum extractor and middleware for authentik Proxy Provider forward auth
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

use axum::http::Request;
use std::fmt;
use std::task::{Context, Poll};
use tower::Service;

/// A newtype wrapper that holds a custom header prefix for authentik headers.
///
/// Inserted into request extensions by the [`AuthentikLayer`] so that the
/// extractor can pick it up.
#[derive(Debug, Clone)]
pub struct HeaderPrefix(pub String);

/// Configuration for the authentik authentication layer.
///
/// # Example
///
/// ```ignore
/// let config = AuthentikConfig::default();
/// let layer = AuthentikLayer::with_config(config);
/// ```
#[derive(Debug, Clone)]
pub struct AuthentikConfig {
    /// Prefix for authentik proxy headers, defaults to `"x-authentik"`.
    ///
    /// For example, with the default prefix the extractor reads headers like:
    /// `x-authentik-username`, `x-authentik-email`, etc.
    pub header_prefix: String,

    /// If `true` (the default), requests missing auth headers return 401.
    /// If `false`, the extraction is optional (`Option<AuthentikUser>`).
    pub require_auth: bool,
}

impl Default for AuthentikConfig {
    fn default() -> Self {
        Self {
            header_prefix: "x-authentik".to_string(),
            require_auth: true,
        }
    }
}

impl AuthentikConfig {
    /// Creates a new `AuthentikConfig` with the given header prefix.
    pub fn with_prefix(header_prefix: impl Into<String>) -> Self {
        Self {
            header_prefix: header_prefix.into(),
            require_auth: true,
        }
    }
}

/// A tower [`Layer`] that injects the authentik header prefix into request extensions.
///
/// This layer must be added to the router when you use a custom header prefix
/// other than the default `x-authentik`.
///
/// # Example
///
/// ```ignore
/// use axum_authentik_auth::layer::{AuthentikLayer, AuthentikConfig};
///
/// let app = Router::new()
///     .route("/api/me", get(me_handler))
///     .layer(AuthentikLayer::new()); // uses default config
/// ```
pub struct AuthentikLayer {
    config: AuthentikConfig,
}

impl AuthentikLayer {
    /// Creates a new layer with default configuration (prefix `x-authentik`, require auth).
    pub fn new() -> Self {
        Self {
            config: AuthentikConfig::default(),
        }
    }

    /// Creates a new layer with a custom configuration.
    pub fn with_config(config: AuthentikConfig) -> Self {
        Self { config }
    }
}

impl Default for AuthentikLayer {
    fn default() -> Self {
        Self::new()
    }
}

impl<S> tower::Layer<S> for AuthentikLayer {
    type Service = AuthentikMiddleware<S>;

    fn layer(&self, inner: S) -> Self::Service {
        AuthentikMiddleware {
            inner,
            config: self.config.clone(),
        }
    }
}

impl fmt::Debug for AuthentikLayer {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("AuthentikLayer")
            .field("header_prefix", &self.config.header_prefix)
            .field("require_auth", &self.config.require_auth)
            .finish()
    }
}

/// Middleware service that injects the custom header prefix into each request.
///
/// You normally don't need to use this directly; prefer [`AuthentikLayer`].
#[derive(Clone)]
pub struct AuthentikMiddleware<S> {
    inner: S,
    config: AuthentikConfig,
}

impl<S, ReqBody> Service<Request<ReqBody>> for AuthentikMiddleware<S>
where
    S: Service<Request<ReqBody>> + Clone + Send + 'static,
    S::Future: Send + 'static,
    ReqBody: Send + 'static,
{
    type Response = S::Response;
    type Error = S::Error;
    type Future = futures_util::future::BoxFuture<'static, Result<Self::Response, Self::Error>>;

    fn poll_ready(&mut self, cx: &mut Context<'_>) -> Poll<Result<(), Self::Error>> {
        self.inner.poll_ready(cx)
    }

    fn call(&mut self, mut req: Request<ReqBody>) -> Self::Future {
        // Inject the configured header prefix into request extensions
        req.extensions_mut()
            .insert(HeaderPrefix(self.config.header_prefix.clone()));

        let inner = self.inner.clone();
        let mut inner = std::mem::replace(&mut self.inner, inner);

        Box::pin(async move { inner.call(req).await })
    }
}

impl<S: fmt::Debug> fmt::Debug for AuthentikMiddleware<S> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.debug_struct("AuthentikMiddleware")
            .field("inner", &self.inner)
            .field("header_prefix", &self.config.header_prefix)
            .finish()
    }
}