calimero_client/

auth.rs

//! Authentication implementations for Calimero client
//!
//! This module provides various authentication implementations including
//! CLI-based authentication and other authentication methods.

// Standard library
use std::io::{self, Write};

// External crates
use async_trait::async_trait;
use eyre::Result;
use url::Url;
use webbrowser;

// Local crate
use crate::storage::JwtToken;
use crate::traits::ClientAuthenticator;

/// CLI-specific implementation of ClientAuthenticator
///
/// This authenticator is designed for command-line interfaces and provides
/// browser-based authentication flows suitable for interactive use.
pub struct CliAuthenticator {
    /// Output handler for user interaction
    output: Box<dyn OutputHandler + Send + Sync>,
}

impl std::fmt::Debug for CliAuthenticator {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("CliAuthenticator")
            .field("output", &"<dyn OutputHandler>")
            .finish()
    }
}

impl Clone for CliAuthenticator {
    fn clone(&self) -> Self {
        // Create a new authenticator with console output
        Self::new()
    }
}

/// Trait for handling output during authentication
pub trait OutputHandler: Send + Sync {
    /// Display a message to the user
    fn display_message(&self, message: &str);

    /// Display an error message
    fn display_error(&self, error: &str);

    /// Display success message
    fn display_success(&self, message: &str);

    /// Open a URL in the default browser
    fn open_browser(&self, url: &Url) -> Result<()>;

    /// Wait for user input
    fn wait_for_input(&self, prompt: &str) -> Result<String>;
}

/// Simple console output handler
#[derive(Debug, Clone, Copy)]
pub struct ConsoleOutputHandler;

impl OutputHandler for ConsoleOutputHandler {
    fn display_message(&self, message: &str) {
        println!("{}", message);
    }

    fn display_error(&self, error: &str) {
        eprintln!("Error: {}", error);
    }

    fn display_success(&self, message: &str) {
        println!("✓ {}", message);
    }

    fn open_browser(&self, url: &Url) -> Result<()> {
        webbrowser::open(url.as_str())?;
        Ok(())
    }

    fn wait_for_input(&self, prompt: &str) -> Result<String> {
        print!("{}", prompt);
        io::stdout().flush()?;

        let mut input = String::new();
        let _ = io::stdin().read_line(&mut input)?;

        Ok(input.trim().to_owned())
    }
}

impl CliAuthenticator {
    /// Create a new CLI authenticator with console output
    pub fn new() -> Self {
        Self {
            output: Box::new(ConsoleOutputHandler),
        }
    }

    /// Create a new CLI authenticator with custom output handler
    pub fn with_output(output: Box<dyn OutputHandler + Send + Sync>) -> Self {
        Self { output }
    }

    /// Get the output handler
    pub fn output(&self) -> &dyn OutputHandler {
        self.output.as_ref()
    }
}

#[async_trait]
impl ClientAuthenticator for CliAuthenticator {
    async fn authenticate(&self, api_url: &Url) -> Result<JwtToken> {
        self.output.display_message("Starting authentication...");

        // For now, this is a placeholder implementation
        // In a real implementation, this would:
        // 1. Check if authentication is required
        // 2. Open browser for OAuth flow
        // 3. Handle the callback
        // 4. Return the tokens

        self.output
            .display_message(&format!("Please authenticate at: {}", api_url));

        // Simulate authentication process
        let access_token = self.output.wait_for_input("Enter access token: ")?;

        if access_token.is_empty() {
            return Err(eyre::eyre!("Access token cannot be empty"));
        }

        let refresh_token = self
            .output
            .wait_for_input("Enter refresh token (optional): ")?;

        let token = if refresh_token.is_empty() {
            JwtToken::new(access_token)
        } else {
            JwtToken::with_refresh(access_token, refresh_token)
        };

        self.output.display_success("Authentication successful!");
        Ok(token)
    }

    async fn refresh_tokens(&self, _refresh_token: &str) -> Result<JwtToken> {
        self.output
            .display_message("Refreshing authentication tokens...");

        // For now, this is a placeholder implementation
        // In a real implementation, this would:
        // 1. Send refresh token to the API
        // 2. Receive new access token
        // 3. Return the new tokens

        self.output
            .display_message("Please provide new access token:");
        let access_token = self.output.wait_for_input("Enter new access token: ")?;

        if access_token.is_empty() {
            return Err(eyre::eyre!("Access token cannot be empty"));
        }

        let token = JwtToken::new(access_token);
        self.output.display_success("Token refresh successful!");
        Ok(token)
    }

    async fn handle_auth_failure(&self, api_url: &Url) -> Result<JwtToken> {
        self.output
            .display_error("Authentication failed. Please try again.");

        // Try to open the authentication URL in the browser
        if let Err(e) = self.output.open_browser(api_url) {
            self.output
                .display_error(&format!("Failed to open browser: {}", e));
            self.output
                .display_message(&format!("Please manually visit: {}", api_url));
        }

        // Wait for user to complete authentication
        self.output
            .display_message("Please complete authentication in your browser, then press Enter.");
        drop(self.output.wait_for_input("Press Enter when done: ")?);

        // Try to authenticate again
        self.authenticate(api_url).await
    }

    async fn check_auth_required(&self, _api_url: &Url) -> Result<bool> {
        // For now, assume all APIs require authentication
        // In a real implementation, this would check the API health endpoint
        Ok(true)
    }

    fn get_auth_method(&self) -> &'static str {
        "CLI Browser-based OAuth"
    }

    fn supports_refresh(&self) -> bool {
        true
    }
}

/// Headless authenticator for non-interactive environments
#[derive(Debug, Clone)]
pub struct HeadlessAuthenticator {
    /// Pre-configured tokens
    tokens: Option<JwtToken>,
}

impl HeadlessAuthenticator {
    /// Create a new headless authenticator
    pub fn new() -> Self {
        Self { tokens: None }
    }

    /// Create a new headless authenticator with pre-configured tokens
    pub fn with_tokens(tokens: JwtToken) -> Self {
        Self {
            tokens: Some(tokens),
        }
    }

    /// Set tokens for the authenticator
    pub fn set_tokens(&mut self, tokens: JwtToken) {
        self.tokens = Some(tokens);
    }
}

#[async_trait]
impl ClientAuthenticator for HeadlessAuthenticator {
    async fn authenticate(&self, _api_url: &Url) -> Result<JwtToken> {
        if let Some(tokens) = &self.tokens {
            Ok(tokens.clone())
        } else {
            Err(eyre::eyre!(
                "No tokens configured for headless authenticator"
            ))
        }
    }

    async fn refresh_tokens(&self, _refresh_token: &str) -> Result<JwtToken> {
        Err(eyre::eyre!("Token refresh not supported in headless mode"))
    }

    async fn handle_auth_failure(&self, _api_url: &Url) -> Result<JwtToken> {
        Err(eyre::eyre!(
            "Cannot handle authentication failure in headless mode"
        ))
    }

    async fn check_auth_required(&self, _api_url: &Url) -> Result<bool> {
        Ok(true)
    }

    fn get_auth_method(&self) -> &'static str {
        "Headless Pre-configured Tokens"
    }

    fn supports_refresh(&self) -> bool {
        false
    }
}

/// API key authenticator for simple API key authentication
#[derive(Debug, Clone)]
pub struct ApiKeyAuthenticator {
    /// API key for authentication
    api_key: String,
}

impl ApiKeyAuthenticator {
    /// Create a new API key authenticator
    pub fn new(api_key: String) -> Self {
        Self { api_key }
    }

    /// Get the API key
    pub fn api_key(&self) -> &str {
        &self.api_key
    }
}

#[async_trait]
impl ClientAuthenticator for ApiKeyAuthenticator {
    async fn authenticate(&self, _api_url: &Url) -> Result<JwtToken> {
        // For API key auth, we create a simple token
        let token = JwtToken::new(self.api_key.clone())
            .with_metadata("auth_type".to_owned(), serde_json::json!("api_key"));
        Ok(token)
    }

    async fn refresh_tokens(&self, _refresh_token: &str) -> Result<JwtToken> {
        // API keys don't refresh, just return the same
        Err(eyre::eyre!("API keys do not support token refresh"))
    }

    async fn handle_auth_failure(&self, _api_url: &Url) -> Result<JwtToken> {
        Err(eyre::eyre!("API key authentication failed"))
    }

    async fn check_auth_required(&self, _api_url: &Url) -> Result<bool> {
        Ok(true)
    }

    fn get_auth_method(&self) -> &'static str {
        "API Key"
    }

    fn supports_refresh(&self) -> bool {
        false
    }
}

/// Trait for meroctl output handling during authentication
pub trait MeroctlOutputHandler: Send + Sync {
    /// Display a message to the user
    fn display_message(&self, message: &str);

    /// Display an error message
    fn display_error(&self, error: &str);

    /// Display success message
    fn display_success(&self, message: &str);

    /// Open a URL in the default browser
    fn open_browser(&self, url: &Url) -> Result<()>;

    /// Wait for user input
    fn wait_for_input(&self, prompt: &str) -> Result<String>;
}