bitwarden-auth 3.0.0

Internal crate for the bitwarden crate. Do not use.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203

use serde::{Deserialize, Serialize};

use crate::{
    api::enums::{GrantType, Scope},
    send_access::{SendAccessCredentials, SendAccessTokenRequest},
};

/// Represents the shape of the credentials used in the send access token payload.
#[derive(Serialize, Debug)]
// untagged allows for different variants to be serialized without a type tag
// example: { "password_hash_b64": "example_hash" } instead of { "Password": { "password_hash_b64":
// "example_hash" } }
#[serde(untagged)]
pub(crate) enum SendAccessTokenPayloadCredentials {
    // Uses inline variant syntax for these as we don't need to reference them as independent
    // types elsewhere.
    #[allow(missing_docs)]
    Password { password_hash_b64: String },
    #[allow(missing_docs)]
    Email { email: String },
    #[allow(missing_docs)]
    EmailOtp { email: String, otp: String },
    /// Represents an anonymous request, which does not require credentials.
    Anonymous,
}

impl From<Option<SendAccessCredentials>> for SendAccessTokenPayloadCredentials {
    fn from(credentials: Option<SendAccessCredentials>) -> Self {
        match credentials {
            Some(SendAccessCredentials::Password(credentials)) => {
                SendAccessTokenPayloadCredentials::Password {
                    password_hash_b64: credentials.password_hash_b64,
                }
            }
            Some(SendAccessCredentials::Email(credentials)) => {
                SendAccessTokenPayloadCredentials::Email {
                    email: credentials.email,
                }
            }
            Some(SendAccessCredentials::EmailOtp(credentials)) => {
                SendAccessTokenPayloadCredentials::EmailOtp {
                    email: credentials.email,
                    otp: credentials.otp,
                }
            }
            None => SendAccessTokenPayloadCredentials::Anonymous,
        }
    }
}

/// Enum representing the type of client requesting a send access token.
/// Eventually, this could / should be merged with the existing `ClientType` enum
#[derive(Serialize, Deserialize, Debug)]
pub(crate) enum SendAccessClientType {
    /// Represents a Send client.
    /// This is a standalone client that lives within the BW web app, but has no context of a BW
    /// user.
    #[serde(rename = "send")]
    Send,
}

/// Represents the actual request payload for requesting a send access token.
/// It converts the `SendAccessTokenRequest` into a format suitable for sending to the API.
#[derive(Serialize, Debug)]
pub(crate) struct SendAccessTokenRequestPayload {
    // Standard OAuth2 fields
    /// The client ID for the send access client.
    pub(crate) client_id: SendAccessClientType,

    /// The grant type for the send access token request.
    /// SendAccess is a custom grant type for send access tokens.
    /// It is used to differentiate send access requests from other OAuth2 flows.
    pub(crate) grant_type: GrantType,

    /// The scope for the send access token request.
    /// This is set to "api.send" to indicate that the token is for send access.
    /// It allows the token to be used for accessing send-related resources.
    pub(crate) scope: Scope,

    // Custom fields
    /// The ID of the send for which the access token is being requested.
    pub(crate) send_id: String,

    /// The credentials used for the send access request.
    /// This can be password, email, email OTP, or anonymous.
    // Flatten allows us to serialize the variant directly into the payload without a wrapper
    // example: { "password_hash_b64": "example_hash" } instead of { "variant": {
    // "password_hash_b64": "example_hash" } }
    #[serde(flatten)]
    pub(crate) credentials: SendAccessTokenPayloadCredentials,
}

const SEND_ACCESS_CLIENT_ID: SendAccessClientType = SendAccessClientType::Send;
const SEND_ACCESS_GRANT_TYPE: GrantType = GrantType::SendAccess;
const SEND_ACCESS_SCOPE: Scope = Scope::ApiSendAccess;

/// Implement a way to convert from our request model to the payload model
impl From<SendAccessTokenRequest> for SendAccessTokenRequestPayload {
    fn from(request: SendAccessTokenRequest) -> Self {
        // Returns a new instance of `SendAccessTokenPayload` based on the provided
        // `SendAccessTokenRequest`. It extracts the necessary fields from the request and
        // matches on the credentials to determine the variant
        SendAccessTokenRequestPayload {
            client_id: SEND_ACCESS_CLIENT_ID,
            grant_type: SEND_ACCESS_GRANT_TYPE,
            scope: SEND_ACCESS_SCOPE,
            send_id: request.send_id,
            credentials: request.send_access_credentials.into(),
        }
    }
}

#[cfg(test)]
mod tests {
    use serde_json;

    use super::*;

    /// Unit tests for `SendAccessTokenPayload` serialization
    mod send_access_token_payload_tests {
        use super::*;
        #[test]
        fn test_serialize_send_access_token_password_payload() {
            let payload = SendAccessTokenRequestPayload {
                client_id: SendAccessClientType::Send,
                grant_type: GrantType::SendAccess,
                scope: Scope::ApiSendAccess,
                send_id: "example_send_id".into(),
                credentials: SendAccessTokenPayloadCredentials::Password {
                    password_hash_b64: "example_hash".into(),
                },
            };

            let serialized = serde_json::to_string_pretty(&payload).unwrap();

            // Parse both sides to JSON values and compare structurally.
            let got: serde_json::Value = serde_json::from_str(&serialized).unwrap();
            let want = serde_json::json!({
                "client_id": "send",
                "grant_type": "send_access",
                "scope": "api.send.access",
                "send_id": "example_send_id",
                "password_hash_b64": "example_hash"
            });

            assert_eq!(got, want);
        }

        #[test]
        fn test_serialize_send_access_token_email_payload() {
            let payload = SendAccessTokenRequestPayload {
                client_id: SendAccessClientType::Send,
                grant_type: GrantType::SendAccess,
                scope: Scope::ApiSendAccess,
                send_id: "example_send_id".into(),
                credentials: SendAccessTokenPayloadCredentials::Email {
                    email: "example_email".into(),
                },
            };

            let serialized = serde_json::to_string_pretty(&payload).unwrap();

            // Parse both sides to JSON values and compare structurally.
            let got: serde_json::Value = serde_json::from_str(&serialized).unwrap();
            let want = serde_json::json!({
                "client_id": "send",
                "grant_type": "send_access",
                "scope": "api.send.access",
                "send_id": "example_send_id",
                "email": "example_email"
            });

            assert_eq!(got, want);
        }

        #[test]
        fn test_serialize_send_access_token_email_otp_payload() {
            let payload = SendAccessTokenRequestPayload {
                client_id: SendAccessClientType::Send,
                grant_type: GrantType::SendAccess,
                scope: Scope::ApiSendAccess,
                send_id: "example_send_id".into(),
                credentials: SendAccessTokenPayloadCredentials::EmailOtp {
                    email: "example_email".into(),
                    otp: "example_otp".into(),
                },
            };
            let serialized = serde_json::to_string_pretty(&payload).unwrap();
            // Parse both sides to JSON values and compare structurally.
            let got: serde_json::Value = serde_json::from_str(&serialized).unwrap();
            let want = serde_json::json!({
                "client_id": "send",
                "grant_type": "send_access",
                "scope": "api.send.access",
                "send_id": "example_send_id",
                "email": "example_email",
                "otp": "example_otp"
            });

            assert_eq!(got, want);
        }
    }
}