micromegas-auth 0.15.0

Authentication providers for Micromegas (API keys, OIDC)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

//! Axum middleware for HTTP authentication
//!
//! Provides authentication middleware for Axum HTTP services that:
//! 1. Extracts request parts (headers, method, URI)
//! 2. Validates using configured AuthProvider
//! 3. Injects AuthContext into request extensions
//! 4. Returns 401 Unauthorized on auth failures

use crate::types::{AuthProvider, HttpRequestParts, RequestParts};
use axum::{
    extract::Request,
    http::StatusCode,
    middleware::Next,
    response::{IntoResponse, Response},
};
use micromegas_tracing::prelude::*;
use std::sync::Arc;

/// Axum middleware for request-based authentication
///
/// This middleware extracts request parts (headers, method, URI),
/// validates them using the provided AuthProvider, and injects the resulting
/// AuthContext into the request extensions.
///
/// # Example
///
/// ```rust,ignore
/// use axum::{Router, middleware};
/// use micromegas_auth::axum::auth_middleware;
/// use micromegas_auth::api_key::ApiKeyAuthProvider;
/// use std::sync::Arc;
///
/// let auth_provider = Arc::new(ApiKeyAuthProvider::new(keyring));
/// let app = Router::new()
///     .layer(middleware::from_fn(move |req, next| {
///         auth_middleware(auth_provider.clone(), req, next)
///     }));
/// ```
pub async fn auth_middleware(
    auth_provider: Arc<dyn AuthProvider>,
    mut req: Request,
    next: Next,
) -> Result<Response, AuthError> {
    // Extract request parts for authentication
    let parts = HttpRequestParts {
        headers: req.headers().clone(),
        method: req.method().clone(),
        uri: req.uri().clone(),
    };

    // Validate request using auth provider
    let auth_ctx = auth_provider
        .validate_request(&parts as &dyn RequestParts)
        .await
        .map_err(|e| {
            warn!("authentication failed: {e}");
            AuthError::InvalidToken
        })?;

    // Log successful authentication
    info!(
        "authenticated: subject={} email={:?} issuer={} admin={}",
        auth_ctx.subject, auth_ctx.email, auth_ctx.issuer, auth_ctx.is_admin
    );

    // Inject auth context into request extensions for downstream handlers
    req.extensions_mut().insert(auth_ctx);

    // Continue to next middleware/handler
    Ok(next.run(req).await)
}

/// Authentication errors for HTTP responses
#[derive(Debug)]
pub enum AuthError {
    /// Token validation failed
    InvalidToken,
}

impl IntoResponse for AuthError {
    fn into_response(self) -> Response {
        let (status, message) = match self {
            AuthError::InvalidToken => (StatusCode::UNAUTHORIZED, "Invalid token"),
        };

        (status, message).into_response()
    }
}