cedros-login-server 0.0.28

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

//! Post-login action computation
//!
//! Determines what action (if any) the client should take after successful authentication.
//! Priority order: MFA Setup > Welcome > Complete Account > Redirect URL.

use crate::models::PostLoginAction;
use crate::repositories::{CredentialRepository, CredentialType, TotpRepository, UserEntity};
use crate::services::SettingsService;

/// Compute the post-login action for a user based on admin settings.
///
/// Returns `None` if no action is needed (all features disabled or not applicable).
///
/// Priority:
/// 1. MFA setup — if `security_require_mfa` is enabled and the user has a password but no TOTP
/// 2. Welcome (one-time onboarding) — if enabled and user hasn't completed it
/// 3. Complete profile — if enabled and user is missing a name
/// 4. Redirect URL — if a redirect URL is configured
///
/// MFA requirement only applies to users with password credentials. OAuth, passkey,
/// and wallet users already have strong auth via their providers.
pub async fn compute_post_login(
    user: &UserEntity,
    settings: &SettingsService,
    totp_repo: &dyn TotpRepository,
    credential_repo: &dyn CredentialRepository,
) -> Option<PostLoginAction> {
    // 1. MFA requirement check (highest priority — security enforcement)
    let mfa_required = settings
        .get_bool("security_require_mfa")
        .await
        .unwrap_or(None);
    if mfa_required == Some(true) {
        let has_mfa = totp_repo.has_mfa_enabled(user.id).await.unwrap_or(false);
        if !has_mfa {
            let has_password = credential_repo
                .has_credential_type(user.id, CredentialType::Password)
                .await
                .unwrap_or(false);
            if has_password {
                return Some(PostLoginAction {
                    action: "setup_mfa".to_string(),
                    redirect_url: None,
                });
            }
        }
    }

    // 2. Welcome flow: one-time onboarding page
    let welcome_enabled = settings
        .get_bool("postlogin_welcome_enabled")
        .await
        .unwrap_or(None);
    if welcome_enabled == Some(true) && user.welcome_completed_at.is_none() {
        let route = settings
            .get("postlogin_welcome_route")
            .await
            .unwrap_or(None)
            .filter(|r| !r.is_empty())
            .unwrap_or_else(|| "/welcome".to_string());
        return Some(PostLoginAction {
            action: "welcome".to_string(),
            redirect_url: Some(route),
        });
    }

    // 2. Complete profile: prompt for missing name
    // Only checks name because email cannot be updated via the profile API.
    let complete_enabled = settings
        .get_bool("postlogin_complete_enabled")
        .await
        .unwrap_or(None);
    if complete_enabled == Some(true) && user.name.is_none() {
        return Some(PostLoginAction {
            action: "complete_profile".to_string(),
            redirect_url: None,
        });
    }

    // 3. Redirect URL
    let redirect_url = settings
        .get("postlogin_redirect_url")
        .await
        .unwrap_or(None)
        .filter(|url| !url.is_empty());
    if let Some(url) = redirect_url {
        return Some(PostLoginAction {
            action: "redirect".to_string(),
            redirect_url: Some(url),
        });
    }

    None
}