ggen-auth 5.1.3

Authentication system for ggen: OAuth2, JWT, and API key management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! API key management

use chrono::{DateTime, Duration, Utc};
use hex;
use sha2::{Digest, Sha256};
use uuid::Uuid;

/// API key hash for storage
#[derive(Debug, Clone)]
pub struct ApiKeyHash {
    pub id: String,
    pub hash: String,
    pub name: String,
    pub created_at: DateTime<Utc>,
    pub expires_at: Option<DateTime<Utc>>,
    pub last_used: Option<DateTime<Utc>>,
    pub active: bool,
}

/// API key manager
pub struct ApiKeyManager {
    secret_salt: String,
}

impl ApiKeyManager {
    /// Create a new API key manager
    pub fn new(secret_salt: String) -> Self {
        Self { secret_salt }
    }

    /// Generate a new API key
    pub fn generate_key(&self) -> (String, String) {
        let key = format!("ggen_{}", Uuid::new_v4().to_string().replace("-", ""));
        let hash = self.hash_key(&key);
        (key, hash)
    }

    /// Hash an API key for storage
    pub fn hash_key(&self, key: &str) -> String {
        let mut hasher = Sha256::new();
        hasher.update(format!("{}{}", key, self.secret_salt).as_bytes());
        hex::encode(hasher.finalize())
    }

    /// Verify an API key against a hash
    pub fn verify_key(&self, key: &str, hash: &str) -> bool {
        let computed_hash = self.hash_key(key);
        // Constant-time comparison
        computed_hash.as_bytes().len() == hash.len()
            && computed_hash
                .as_bytes()
                .iter()
                .zip(hash.as_bytes().iter())
                .all(|(a, b)| a == b)
    }

    /// Check if a key is expired
    pub fn is_expired(key_hash: &ApiKeyHash) -> bool {
        if let Some(expires_at) = key_hash.expires_at {
            expires_at < Utc::now()
        } else {
            false
        }
    }

    /// Check if a key is valid (active and not expired)
    pub fn is_valid(key_hash: &ApiKeyHash) -> bool {
        key_hash.active && !Self::is_expired(key_hash)
    }

    /// Create an API key hash entry
    pub fn create_hash(
        &self,
        key: &str,
        name: String,
        expires_in_days: Option<u32>,
    ) -> ApiKeyHash {
        let expires_at = expires_in_days.map(|days| {
            Utc::now() + Duration::days(days as i64)
        });

        ApiKeyHash {
            id: Uuid::new_v4().to_string(),
            hash: self.hash_key(key),
            name,
            created_at: Utc::now(),
            expires_at,
            last_used: None,
            active: true,
        }
    }

    /// Revoke an API key
    pub fn revoke(&self, key_hash: &mut ApiKeyHash) {
        key_hash.active = false;
    }

    /// Record key usage
    pub fn record_usage(key_hash: &mut ApiKeyHash) {
        key_hash.last_used = Some(Utc::now());
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_generate_and_verify_key() {
        let manager = ApiKeyManager::new("salt".to_string());
        let (key, _hash) = manager.generate_key();
        assert!(key.starts_with("ggen_"));
    }

    #[test]
    fn test_hash_verification() {
        let manager = ApiKeyManager::new("salt".to_string());
        let key = "test_key";
        let hash = manager.hash_key(key);
        assert!(manager.verify_key(key, &hash));
    }

    #[test]
    fn test_key_expiration() {
        let manager = ApiKeyManager::new("salt".to_string());
        let key = "test";
        let mut key_hash = manager.create_hash(key, "test".to_string(), Some(0));
        assert!(ApiKeyManager::is_expired(&key_hash));
    }
}