axum-gate 1.1.0

Flexible authentication and authorization for Axum with JWT cookies or bearer tokens, optional OAuth2, and role/group/permission RBAC. Suitable for single-node and distributed systems.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375

//! OAuth2 errors for `gate::oauth2`.
//!
//! These error types model failures that can occur while configuring or executing the
//! OAuth2 Authorization Code + PKCE flow within `OAuth2Gate`.
//!
//! Design goals:
//! - Provide a small, expressive enum for all OAuth2-related failures
//! - Keep messages safe for end users; avoid leaking sensitive details
//! - Include deterministic support codes per variant for service/support workflows
//! - Avoid hard dependencies on specific HTTP clients; store messages instead of foreign errors
//!
//! Integration:
//! - The enum implements `crate::errors::UserFriendlyError` for consistent messaging
//! - A local `Result<T>` alias is provided for gate-internal use
//! - The crate-level integration (e.g., adding a new top-level variant in `crate::errors::Error`)
//!   can be done separately if/when you want to surface OAuth2 errors consistently across the crate.

use crate::errors::{ErrorSeverity, UserFriendlyError};
use std::fmt;
use thiserror::Error;

/// OAuth2 cookie kinds used in validation errors.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OAuth2CookieKind {
    /// CSRF state cookie used during the authorization redirect round-trip.
    State,
    /// PKCE verifier cookie used to complete the token exchange.
    Pkce,
    /// First‑party auth cookie (e.g., JWT) set after successful callback.
    Auth,
}

impl fmt::Display for OAuth2CookieKind {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            OAuth2CookieKind::State => f.write_str("state"),
            OAuth2CookieKind::Pkce => f.write_str("pkce"),
            OAuth2CookieKind::Auth => f.write_str("auth"),
        }
    }
}

/// OAuth2-specific error type for `OAuth2Gate`.
///
/// This enum intentionally uses string messages for external/foreign errors to keep this module
/// decoupled from particular HTTP or OAuth client implementations. Prefer mapping concrete errors
/// into one of these variants at the boundary layers.
#[derive(Debug, Error)]
pub enum OAuth2Error {
    // Configuration and setup
    /// A required configuration field is missing on the `OAuth2Gate` builder.
    #[error("OAuth2 misconfiguration: missing {field}")]
    ConfigMissing {
        /// Name of the missing field (e.g., "auth_url", "token_url", "client_id", "redirect_url").
        field: &'static str,
    },

    /// A provided URL failed validation or parsing.
    #[error("Invalid OAuth2 URL for {field}: {reason}")]
    InvalidUrl {
        /// Which URL field failed (e.g., "auth_url", "token_url", "redirect_url").
        field: &'static str,
        /// Reason or parser message (redacted for end users).
        reason: String,
    },

    /// A cookie template used by the OAuth2 flow failed validation.
    #[error("Invalid {which} cookie template: {reason}")]
    CookieTemplateInvalid {
        /// Which cookie template failed validation (state, pkce, or auth).
        which: OAuth2CookieKind,
        /// Reason or validator message (redacted for end users).
        reason: String,
    },

    // Redirect and callback flow
    /// Required state cookie is missing at callback time.
    #[error("Missing OAuth2 state cookie")]
    MissingStateCookie,

    /// Required PKCE cookie is missing at callback time.
    #[error("Missing OAuth2 PKCE cookie")]
    MissingPkceCookie,

    /// Provider returned an error to the callback endpoint.
    #[error("OAuth2 provider returned error: {error}")]
    ProviderReturnedError {
        /// Provider error identifier.
        error: String,
        /// Optional provider-supplied description.
        description: Option<String>,
    },

    /// The state parameter from the provider did not match the stored cookie.
    #[error("OAuth2 state mismatch")]
    StateMismatch,

    /// The provider callback did not include an authorization code.
    #[error("OAuth2 callback missing authorization code")]
    MissingAuthorizationCode,

    /// Token exchange with the provider failed.
    #[error("OAuth2 token exchange failed: {message}")]
    TokenExchange {
        /// Failure message (e.g., request or response parsing reason).
        message: String,
    },

    // Session issuance after successful token exchange
    /// Mapping the provider token response to a domain `Account` failed.
    #[error("OAuth2 account mapping failed: {message}")]
    AccountMapping {
        /// Failure message (e.g., userinfo retrieval/mapping reason).
        message: String,
    },

    /// Persisting or loading the account prior to JWT issuance failed.
    #[error("OAuth2 account persistence failed: {message}")]
    AccountPersistence {
        /// Failure message (e.g., repository/backend reason).
        message: String,
    },

    /// Encoding the first‑party JWT failed.
    #[error("OAuth2 JWT encoding failed: {message}")]
    JwtEncoding {
        /// Failure message (e.g., codec/serialization reason).
        message: String,
    },

    /// The JWT produced by the encoder was not valid UTF‑8.
    #[error("OAuth2 JWT is not valid UTF‑8")]
    JwtNotUtf8,
}

impl OAuth2Error {
    // Convenience constructors

    /// Helper to construct a `ConfigMissing` error.
    #[must_use]
    pub fn missing(field: &'static str) -> Self {
        Self::ConfigMissing { field }
    }

    /// Helper to construct an `InvalidUrl` error.
    #[must_use]
    pub fn invalid_url(field: &'static str, reason: impl Into<String>) -> Self {
        Self::InvalidUrl {
            field,
            reason: reason.into(),
        }
    }

    /// Helper to construct a `CookieTemplateInvalid` error.
    #[must_use]
    pub fn cookie_invalid(which: OAuth2CookieKind, reason: impl Into<String>) -> Self {
        Self::CookieTemplateInvalid {
            which,
            reason: reason.into(),
        }
    }

    /// Helper to construct a `ProviderReturnedError` error.
    #[must_use]
    pub fn provider_error(error: impl Into<String>, description: Option<String>) -> Self {
        Self::ProviderReturnedError {
            error: error.into(),
            description,
        }
    }

    /// Helper to construct a `TokenExchange` error.
    #[must_use]
    pub fn token_exchange(message: impl Into<String>) -> Self {
        Self::TokenExchange {
            message: message.into(),
        }
    }

    /// Helper to construct an `AccountMapping` error.
    #[must_use]
    pub fn account_mapping(message: impl Into<String>) -> Self {
        Self::AccountMapping {
            message: message.into(),
        }
    }

    /// Helper to construct an `AccountPersistence` error.
    #[must_use]
    pub fn account_persistence(message: impl Into<String>) -> Self {
        Self::AccountPersistence {
            message: message.into(),
        }
    }

    /// Helper to construct a `JwtEncoding` error.
    #[must_use]
    pub fn jwt_encoding(message: impl Into<String>) -> Self {
        Self::JwtEncoding {
            message: message.into(),
        }
    }
}

/// Local `Result` alias for OAuth2 flows.
pub type Result<T> = std::result::Result<T, OAuth2Error>;

impl UserFriendlyError for OAuth2Error {
    fn user_message(&self) -> String {
        match self {
            // Configuration/validation (users see a generic message)
            OAuth2Error::ConfigMissing { .. }
            | OAuth2Error::InvalidUrl { .. }
            | OAuth2Error::CookieTemplateInvalid { .. } => {
                "We’re experiencing a technical issue with sign-in. Please try again later."
                    .to_string()
            }

            // Redirect/callback issues (safe messages)
            OAuth2Error::MissingStateCookie
            | OAuth2Error::MissingPkceCookie
            | OAuth2Error::ProviderReturnedError { .. }
            | OAuth2Error::StateMismatch
            | OAuth2Error::MissingAuthorizationCode
            | OAuth2Error::TokenExchange { .. } => {
                "We couldn’t complete the sign-in with your provider. Please try again.".to_string()
            }

            // Session issuance issues (safe messages)
            OAuth2Error::AccountMapping { .. }
            | OAuth2Error::AccountPersistence { .. }
            | OAuth2Error::JwtEncoding { .. }
            | OAuth2Error::JwtNotUtf8 => {
                "We signed you in, but couldn’t complete the session setup. Please try again."
                    .to_string()
            }
        }
    }

    fn developer_message(&self) -> String {
        match self {
            OAuth2Error::ConfigMissing { field } => {
                format!("OAuth2Gate configuration missing required field: {field}")
            }
            OAuth2Error::InvalidUrl { field, reason } => {
                format!("Invalid OAuth2 URL for {field}: {reason}")
            }
            OAuth2Error::CookieTemplateInvalid { which, reason } => {
                format!("Invalid {which} cookie template: {reason}")
            }
            OAuth2Error::MissingStateCookie => "Missing OAuth2 state cookie at callback".into(),
            OAuth2Error::MissingPkceCookie => "Missing OAuth2 PKCE cookie at callback".into(),
            OAuth2Error::ProviderReturnedError { error, description } => format!(
                "OAuth2 provider returned error: {error} {:?}",
                description.as_deref()
            ),
            OAuth2Error::StateMismatch => "OAuth2 state parameter mismatch".into(),
            OAuth2Error::MissingAuthorizationCode => {
                "OAuth2 callback missing authorization code".into()
            }
            OAuth2Error::TokenExchange { message } => {
                format!("OAuth2 token exchange failed: {message}")
            }
            OAuth2Error::AccountMapping { message } => {
                format!("OAuth2 account mapping failed: {message}")
            }
            OAuth2Error::AccountPersistence { message } => {
                format!("OAuth2 account persistence failed: {message}")
            }
            OAuth2Error::JwtEncoding { message } => {
                format!("OAuth2 JWT encoding failed: {message}")
            }
            OAuth2Error::JwtNotUtf8 => "OAuth2 JWT is not valid UTF‑8".into(),
        }
    }

    fn support_code(&self) -> String {
        // Deterministic, human-parseable support codes by variant
        match self {
            OAuth2Error::ConfigMissing { .. } => "OAUTH2-CONFIG-MISSING-001".into(),
            OAuth2Error::InvalidUrl { .. } => "OAUTH2-URL-INVALID-002".into(),
            OAuth2Error::CookieTemplateInvalid { .. } => "OAUTH2-COOKIE-INVALID-003".into(),
            OAuth2Error::MissingStateCookie => "OAUTH2-STATE-MISSING-004".into(),
            OAuth2Error::MissingPkceCookie => "OAUTH2-PKCE-MISSING-005".into(),
            OAuth2Error::ProviderReturnedError { .. } => "OAUTH2-PROVIDER-ERROR-006".into(),
            OAuth2Error::StateMismatch => "OAUTH2-STATE-MISMATCH-007".into(),
            OAuth2Error::MissingAuthorizationCode => "OAUTH2-CODE-MISSING-008".into(),
            OAuth2Error::TokenExchange { .. } => "OAUTH2-TOKEN-EXCHANGE-009".into(),
            OAuth2Error::AccountMapping { .. } => "OAUTH2-ACCOUNT-MAP-010".into(),
            OAuth2Error::AccountPersistence { .. } => "OAUTH2-ACCOUNT-PERSIST-011".into(),
            OAuth2Error::JwtEncoding { .. } => "OAUTH2-JWT-ENCODE-012".into(),
            OAuth2Error::JwtNotUtf8 => "OAUTH2-JWT-NONUTF8-013".into(),
        }
    }

    fn severity(&self) -> ErrorSeverity {
        match self {
            // Misconfiguration and invalid templates are deployment-time issues
            OAuth2Error::ConfigMissing { .. }
            | OAuth2Error::InvalidUrl { .. }
            | OAuth2Error::CookieTemplateInvalid { .. } => ErrorSeverity::Error,

            // Callback-level issues vary; treat as warnings unless systemic
            OAuth2Error::MissingStateCookie
            | OAuth2Error::MissingPkceCookie
            | OAuth2Error::ProviderReturnedError { .. }
            | OAuth2Error::StateMismatch
            | OAuth2Error::MissingAuthorizationCode => ErrorSeverity::Warning,

            // Network/exchange or backend failures
            OAuth2Error::TokenExchange { .. }
            | OAuth2Error::AccountMapping { .. }
            | OAuth2Error::AccountPersistence { .. }
            | OAuth2Error::JwtEncoding { .. }
            | OAuth2Error::JwtNotUtf8 => ErrorSeverity::Error,
        }
    }

    fn suggested_actions(&self) -> Vec<String> {
        match self {
            OAuth2Error::ConfigMissing { field } => vec![format!(
                "Set OAuth2Gate builder field: {field} (auth_url, token_url, client_id, redirect_url)"
            )],
            OAuth2Error::InvalidUrl { field, .. } => {
                vec![format!("Verify URL format and scheme for {field}")]
            }
            OAuth2Error::CookieTemplateInvalid { which, .. } => vec![format!(
                "Review {} cookie template (SameSite/Secure/Max-Age). SameSite=None requires Secure=true",
                which
            )],
            OAuth2Error::MissingStateCookie | OAuth2Error::MissingPkceCookie => vec![
                "Ensure cookies are set for the same domain and path during /login → /callback"
                    .into(),
                "Check SameSite and Secure attributes for OAuth redirect round-trip".into(),
            ],
            OAuth2Error::ProviderReturnedError { .. } => vec![
                "Verify client id/secret and callback URL in provider settings".into(),
                "Check provider status and retry later".into(),
            ],
            OAuth2Error::StateMismatch => vec![
                "Ensure the same domain/protocol is used during the OAuth redirect round-trip"
                    .into(),
                "Avoid navigating away or opening multiple OAuth tabs simultaneously".into(),
            ],
            OAuth2Error::MissingAuthorizationCode => {
                vec!["Retry sign-in; ensure the provider granted access".into()]
            }
            OAuth2Error::TokenExchange { .. } => vec![
                "Verify token endpoint URL and client credentials".into(),
                "Check network egress, DNS, and request timeouts".into(),
            ],
            OAuth2Error::AccountMapping { .. } => {
                vec!["Review userinfo call and mapping logic; handle missing fields".into()]
            }
            OAuth2Error::AccountPersistence { .. } => {
                vec!["Check repository connectivity and unique constraints".into()]
            }
            OAuth2Error::JwtEncoding { .. } => {
                vec!["Verify JWT codec configuration and payload serialization".into()]
            }
            OAuth2Error::JwtNotUtf8 => {
                vec!["Ensure JWT codec returns UTF‑8 compatible bytes for transport".into()]
            }
        }
    }

    fn is_retryable(&self) -> bool {
        matches!(
            self,
            OAuth2Error::ProviderReturnedError { .. }
                | OAuth2Error::TokenExchange { .. }
                | OAuth2Error::AccountPersistence { .. }
        )
    }
}