brylix 0.2.7

GraphQL framework for AWS Lambda with SeaORM and multi-tenant support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242

//! Multi-role authentication support.
//!
//! Provides role-based authentication with support for multiple JWT secrets,
//! allowing different token types (user, admin, custom) to coexist.
//!
//! # Usage
//!
//! ```rust,ignore
//! use brylix::auth::roles::{AuthRole, MultiRoleJwtConfig};
//!
//! // Configure multiple JWT secrets
//! let jwt_config = MultiRoleJwtConfig::new()
//!     .add_role("user", std::env::var("JWT_SECRET").unwrap())
//!     .add_role("admin", std::env::var("ADMIN_JWT_SECRET").unwrap());
//!
//! // Validate a token against all configured secrets
//! if let Some(role) = jwt_config.validate(token) {
//!     match &role {
//!         AuthRole::Admin(id) => println!("Admin: {}", id),
//!         AuthRole::User(id) => println!("User: {}", id),
//!         AuthRole::Custom(name, id) => println!("{}: {}", name, id),
//!     }
//! }
//! ```

use async_graphql::{Context, Error as GqlError};
use jsonwebtoken::{decode, DecodingKey, Validation};

use super::Claims;
use crate::errors::{gql_error, gql_unauthorized};
use crate::graphql::ContextData;

/// Authentication role representing the type and identity of an authenticated user.
#[derive(Debug, Clone, PartialEq)]
pub enum AuthRole {
    /// Regular user with their user ID
    User(i64),

    /// Admin user with their user ID
    Admin(i64),

    /// Custom role with a role name and user ID
    Custom(String, i64),
}

impl AuthRole {
    /// Get the user ID regardless of role type.
    pub fn id(&self) -> i64 {
        match self {
            AuthRole::User(id) => *id,
            AuthRole::Admin(id) => *id,
            AuthRole::Custom(_, id) => *id,
        }
    }

    /// Check if this is an admin role.
    pub fn is_admin(&self) -> bool {
        matches!(self, AuthRole::Admin(_))
    }

    /// Check if this is a regular user role.
    pub fn is_user(&self) -> bool {
        matches!(self, AuthRole::User(_))
    }

    /// Get the role name as a string.
    pub fn role_name(&self) -> &str {
        match self {
            AuthRole::User(_) => "user",
            AuthRole::Admin(_) => "admin",
            AuthRole::Custom(name, _) => name,
        }
    }
}

/// Multi-secret JWT configuration for role-based authentication.
///
/// Each role has its own JWT secret, allowing different token types
/// to be issued and validated independently.
///
/// # Example
///
/// ```rust,ignore
/// use brylix::auth::roles::MultiRoleJwtConfig;
///
/// let config = MultiRoleJwtConfig::new()
///     .add_role("user", user_secret)
///     .add_role("admin", admin_secret);
///
/// // Returns the first role whose secret successfully validates the token
/// let role = config.validate(token);
/// ```
pub struct MultiRoleJwtConfig {
    secrets: Vec<(String, String)>,
}

impl MultiRoleJwtConfig {
    /// Create a new empty configuration.
    pub fn new() -> Self {
        Self {
            secrets: Vec::new(),
        }
    }

    /// Add a role with its JWT secret.
    ///
    /// Roles are tried in the order they are added during validation.
    pub fn add_role(mut self, name: &str, secret: String) -> Self {
        self.secrets.push((name.to_string(), secret));
        self
    }

    /// Validate a JWT token against all configured role secrets.
    ///
    /// Returns the first matching `AuthRole`, or `None` if no secret validates the token.
    pub fn validate(&self, token: &str) -> Option<AuthRole> {
        for (role_name, secret) in &self.secrets {
            let decoding_key = DecodingKey::from_secret(secret.as_ref());
            let validation = Validation::default();

            if let Ok(decoded) = decode::<Claims>(token, &decoding_key, &validation) {
                let user_id: i64 = decoded.claims.sub.parse().ok()?;

                return Some(match role_name.as_str() {
                    "user" => AuthRole::User(user_id),
                    "admin" => AuthRole::Admin(user_id),
                    other => AuthRole::Custom(other.to_string(), user_id),
                });
            }
        }
        None
    }
}

impl Default for MultiRoleJwtConfig {
    fn default() -> Self {
        Self::new()
    }
}

/// Require admin authentication from the GraphQL context.
///
/// # Arguments
///
/// * `ctx` - The GraphQL context
///
/// # Returns
///
/// The admin's user ID as i64
///
/// # Errors
///
/// Returns UNAUTHORIZED if not authenticated, or FORBIDDEN if not an admin
///
/// # Example
///
/// ```rust,ignore
/// use brylix::auth::roles::require_admin;
///
/// async fn admin_resolver(ctx: &Context<'_>) -> Result<Vec<User>> {
///     let admin_id = require_admin(ctx)?;
///     // Only admins reach here
///     UserService::list_all(db).await
/// }
/// ```
pub fn require_admin(ctx: &Context<'_>) -> Result<i64, GqlError> {
    let data = ctx.data_unchecked::<ContextData>();
    match &data.role {
        Some(role) if role.is_admin() => Ok(role.id()),
        Some(_) => Err(gql_error("FORBIDDEN", "Admin access required")),
        None => Err(gql_unauthorized()),
    }
}

/// Get the authentication role from the GraphQL context.
///
/// Returns `None` if the request is not authenticated or has no role.
///
/// # Example
///
/// ```rust,ignore
/// use brylix::auth::roles::get_auth_role;
///
/// async fn my_resolver(ctx: &Context<'_>) -> Result<String> {
///     if let Some(role) = get_auth_role(ctx) {
///         Ok(format!("You are a {} with id {}", role.role_name(), role.id()))
///     } else {
///         Ok("Not authenticated".to_string())
///     }
/// }
/// ```
pub fn get_auth_role<'a>(ctx: &'a Context<'a>) -> Option<&'a AuthRole> {
    let data = ctx.data_unchecked::<ContextData>();
    data.role.as_ref()
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_auth_role_user() {
        let role = AuthRole::User(42);
        assert_eq!(role.id(), 42);
        assert!(role.is_user());
        assert!(!role.is_admin());
        assert_eq!(role.role_name(), "user");
    }

    #[test]
    fn test_auth_role_admin() {
        let role = AuthRole::Admin(1);
        assert_eq!(role.id(), 1);
        assert!(role.is_admin());
        assert!(!role.is_user());
        assert_eq!(role.role_name(), "admin");
    }

    #[test]
    fn test_auth_role_custom() {
        let role = AuthRole::Custom("moderator".to_string(), 99);
        assert_eq!(role.id(), 99);
        assert!(!role.is_admin());
        assert!(!role.is_user());
        assert_eq!(role.role_name(), "moderator");
    }

    #[test]
    fn test_multi_role_config_builder() {
        let config = MultiRoleJwtConfig::new()
            .add_role("user", "secret1".to_string())
            .add_role("admin", "secret2".to_string());

        assert_eq!(config.secrets.len(), 2);
    }

    #[test]
    fn test_multi_role_config_default() {
        let config = MultiRoleJwtConfig::default();
        assert!(config.secrets.is_empty());
    }
}