heliosdb-nano 3.26.0

PostgreSQL-compatible embedded database with TDE + ZKE encryption, HNSW vector search, Product Quantization, git-like branching, time-travel queries, materialized views, row-level security, and 50+ enterprise features
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

//! JWT Authentication for REST API
//!
//! Provides secure authentication using JSON Web Tokens (JWT).

use chrono::{Duration, Utc};
use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, Header, Validation};
use serde::{Deserialize, Serialize};
use uuid::Uuid;

use crate::Error;

/// JWT Claims structure
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
pub struct Claims {
    /// Subject (user ID)
    pub sub: String,

    /// Tenant ID for multi-tenancy support
    pub tenant_id: String,

    /// Client ID
    pub client_id: Uuid,

    /// Expiration timestamp (Unix timestamp)
    pub exp: u64,

    /// Issued at timestamp (Unix timestamp)
    pub iat: u64,

    /// Not before timestamp (Unix timestamp)
    pub nbf: u64,

    /// JWT ID (unique identifier for this token)
    pub jti: String,

    /// Issuer
    pub iss: String,

    /// Audience
    pub aud: String,

    /// Scopes/Permissions
    pub scopes: Vec<String>,
}

impl Claims {
    /// Create new claims with default values
    pub fn new(
        user_id: String,
        tenant_id: String,
        client_id: Uuid,
        expires_in: Duration,
    ) -> Self {
        let now = Utc::now();
        let exp = (now + expires_in).timestamp() as u64;
        let iat = now.timestamp() as u64;
        let nbf = iat;

        Self {
            sub: user_id,
            tenant_id,
            client_id,
            exp,
            iat,
            nbf,
            jti: Uuid::new_v4().to_string(),
            iss: "heliosdb-api".to_string(),
            aud: "heliosdb-client".to_string(),
            scopes: vec!["api:read".to_string(), "api:write".to_string()],
        }
    }

    /// Check if token is expired
    pub fn is_expired(&self) -> bool {
        let now = Utc::now().timestamp() as u64;
        self.exp < now
    }

    /// Check if token is active (not before time has passed)
    pub fn is_active(&self) -> bool {
        let now = Utc::now().timestamp() as u64;
        self.nbf <= now
    }

    /// Check if token has a specific scope
    pub fn has_scope(&self, scope: &str) -> bool {
        self.scopes.iter().any(|s| s == scope)
    }
}

/// JWT Token Manager
pub struct JwtManager {
    encoding_key: EncodingKey,
    decoding_key: DecodingKey,
    validation: Validation,
    default_expiry: Duration,
}

impl JwtManager {
    /// Create a new JWT manager with a secret key
    pub fn new(secret: &[u8]) -> Self {
        let mut validation = Validation::new(Algorithm::HS256);
        validation.set_issuer(&["heliosdb-api"]);
        validation.set_audience(&["heliosdb-client"]);
        validation.validate_exp = true;
        validation.validate_nbf = true;

        Self {
            encoding_key: EncodingKey::from_secret(secret),
            decoding_key: DecodingKey::from_secret(secret),
            validation,
            default_expiry: Duration::hours(1),
        }
    }

    /// Generate an access token
    pub fn generate_token(
        &self,
        user_id: String,
        tenant_id: String,
        client_id: Uuid,
    ) -> Result<String, Error> {
        let claims = Claims::new(user_id, tenant_id, client_id, self.default_expiry);
        encode(&Header::default(), &claims, &self.encoding_key)
            .map_err(|e| Error::Generic(format!("JWT encode error: {}", e)))
    }

    /// Validate and decode a token
    pub fn validate_token(&self, token: &str) -> Result<Claims, Error> {
        let token_data = decode::<Claims>(token, &self.decoding_key, &self.validation)
            .map_err(|e| Error::Generic(format!("JWT decode error: {}", e)))?;
        Ok(token_data.claims)
    }
}

#[cfg(test)]
#[allow(clippy::unwrap_used, clippy::expect_used)]
mod tests {
    use super::*;

    #[test]
    fn test_jwt_roundtrip() {
        let manager = JwtManager::new(b"test-secret-key");
        let token = manager
            .generate_token(
                "user123".to_string(),
                "tenant456".to_string(),
                Uuid::new_v4(),
            )
            .unwrap();

        let claims = manager.validate_token(&token).unwrap();
        assert_eq!(claims.sub, "user123");
        assert_eq!(claims.tenant_id, "tenant456");
    }
}