beep_authz/config.rs
1use clap::Parser;
2
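/// Configuration for connecting to a SpiceDB instance.
///
/// `SpiceDbConfig` contains the necessary connection parameters for establishing
/// a gRPC connection to SpiceDB. It supports configuration via environment variables
/// or command-line arguments using `clap`.
///
/// # Configuration Methods
///
/// You can configure SpiceDB connection in three ways:
///
/// 1. **Directly in code** - Create the struct manually
/// 2. **Environment variables** - Set `SPICEDB_ENDPOINT` and `SPICEDB_TOKEN`
/// 3. **Command-line arguments** - Use `--spicedb-endpoint` and `--spicedb-token`
///
/// # Examples
///
/// ## Manual configuration
///
/// ```
/// use authz::SpiceDbConfig;
///
/// let config = SpiceDbConfig {
///     endpoint: "localhost:50051".to_string(),
///     token: Some("your-preshared-key".to_string()),
/// };
/// ```
///
/// ## From environment variables
///
/// ```bash
/// export SPICEDB_ENDPOINT="grpc.authzed.com:443"
/// export SPICEDB_TOKEN="your-preshared-key"
/// ```
///
/// ```no_run
/// use authz::SpiceDbConfig;
/// use clap::Parser;
///
/// let config = SpiceDbConfig::parse();
/// ```
///
/// ## From command-line arguments
///
/// ```bash
/// cargo run -- --spicedb-endpoint localhost:50051 --spicedb-token mykey
/// ```
///
/// # Security Note
///
/// The `token` field contains a sensitive preshared key. Ensure it is:
/// - Never hardcoded in version control
/// - Stored securely (e.g., environment variables, secrets manager)
/// - Transmitted only over secure connections (TLS/SSL)
///
/// A token passed as `--spicedb-token` is visible to other local users in the
/// process listing and may be saved in shell history; prefer `SPICEDB_TOKEN`
/// or a secrets manager outside local development.
///
/// The `Debug` implementation prints a placeholder instead of the token, so
/// formatting this struct with `{:?}` does not put the key into logs. The field
/// itself is still public; do not print or serialize it directly.
///
/// This struct does not enforce TLS. Whether the connection is encrypted is
/// decided by the code that opens the channel, which is not part of this type.
// `Debug` is implemented by hand below so that the secret is never formatted.
#[derive(Clone, Parser)]
pub struct SpiceDbConfig {
    /// The SpiceDB endpoint URL.
    ///
    /// This should be the gRPC endpoint of your SpiceDB server, including the port.
    /// The scheme (http:// or https://) is optional and will be added automatically
    /// if not present.
    ///
    /// NOTE(review): which scheme is chosen when none is given is decided by the
    /// connection code, not by this struct. For a remote endpoint, write
    /// `https://` explicitly so the token is not sent in cleartext.
    ///
    /// # Examples
    ///
    /// - `"localhost:50051"` - Local development
    /// - `"grpc.authzed.com:443"` - AuthZed managed service
    /// - `"spicedb.example.com:443"` - Custom deployment
    ///
    /// # Environment Variable
    ///
    /// Can be set via `SPICEDB_ENDPOINT` environment variable.
    ///
    /// # Default
    ///
    /// Defaults to `"localhost:50051"` if not specified.
    #[arg(
        long = "spicedb-endpoint",
        env = "SPICEDB_ENDPOINT",
        default_value = "localhost:50051"
    )]
    pub endpoint: String,

    /// The preshared key for authenticating with SpiceDB.
    ///
    /// This is a secret token used to authenticate your application with the
    /// SpiceDB server. If `None`, the connection will be made without authentication
    /// (useful for local development with SpiceDB running in insecure mode).
    ///
    /// # Security
    ///
    /// This token grants access to your authorization data. Keep it secure:
    /// - Never commit it to version control
    /// - Use environment variables or a secrets manager
    /// - Rotate it regularly
    /// - Use different tokens for different environments
    /// - Avoid passing it on the command line on shared hosts, where it shows
    ///   up in the process listing
    ///
    /// # Environment Variable
    ///
    /// Can be set via `SPICEDB_TOKEN` environment variable.
    ///
    /// # Examples
    ///
    /// ```
    /// use authz::SpiceDbConfig;
    ///
    /// // With authentication
    /// let secure_config = SpiceDbConfig {
    ///     endpoint: "grpc.authzed.com:443".to_string(),
    ///     token: Some("tc_my_secret_token_abc123".to_string()),
    /// };
    ///
    /// // Without authentication (local dev only)
    /// let local_config = SpiceDbConfig {
    ///     endpoint: "localhost:50051".to_string(),
    ///     token: None,
    /// };
    /// ```
    // `hide_env_values` keeps clap from echoing the current value of
    // SPICEDB_TOKEN in `--help` output.
    #[arg(long = "spicedb-token", env = "SPICEDB_TOKEN", hide_env_values = true)]
    pub token: Option<String>,
}

/// Formats the configuration for diagnostics without revealing the token.
///
/// The endpoint is printed as is. The token is shown as `Some("<redacted>")`
/// when one is set and as `None` otherwise, so a log line still tells whether
/// authentication is configured.
impl std::fmt::Debug for SpiceDbConfig {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        // Keep the Some/None shape, drop the secret itself.
        let token = self.token.as_ref().map(|_| "<redacted>");
        f.debug_struct("SpiceDbConfig")
            .field("endpoint", &self.endpoint)
            .field("token", &token)
            .finish()
    }
}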