modo/auth/mod.rs
//! # modo::auth
//!
//! Identity and access — session, JWT, OAuth, API keys, roles, and gating guards.
//!
//! This is the umbrella module for everything related to authenticating callers
//! and gating routes. Each capability lives in its own submodule; the
//! [`guard`] submodule houses the route-level layers (`require_authenticated`,
//! `require_role`, `require_scope`) that compose with the rest.
//!
//! Always available — no feature flag required.
//!
//! ## Submodules
//!
//! | Module | Purpose |
//! |------------------|---------|
//! | [`session`] | Database-backed HTTP session management (cookie and JWT sessions) |
//! | [`apikey`] | Prefixed API key issuance, verification, and lifecycle |
//! | [`role`] | Role-based gating (extractor + middleware) |
//! | [`guard`] | Route-level gating layers (`require_authenticated`, `require_role`, `require_scope`) |
//! | [`jwt`] | JWT encoding, decoding, signing, and axum Tower middleware (alias for [`session::jwt`]) |
//! | [`oauth`] | OAuth 2.0 provider integrations (GitHub, Google) |
//! | [`password`] | Argon2id password hashing and verification |
//! | [`otp`] | Numeric one-time password generation and verification |
//! | [`totp`] | RFC 6238 TOTP authenticator (Google Authenticator compatible) |
//! | [`backup`] | One-time backup recovery code generation and verification |
//!
//! ## Convenience re-exports
//!
//! The following types are re-exported at the `modo::auth` level for convenience:
//!
//! - [`PasswordConfig`] — Argon2id hashing parameters
//! - [`Totp`] — TOTP authenticator instance
//! - [`TotpConfig`] — TOTP algorithm parameters
//! - [`Claims`] — standard JWT registered claims; axum extractor
//! - [`JwtSessionsConfig`] — YAML configuration (signing secret, TTLs, token sources)
//! - [`JwtConfig`] — back-compat alias for [`JwtSessionsConfig`]
//! - [`JwtEncoder`] — signs any `Serialize` payload into a JWT string
//! - [`JwtDecoder`] — verifies and deserializes any JWT string
//! - [`JwtLayer`] — Tower middleware that enforces JWT auth on axum routes
//! - [`JwtError`] — typed JWT error enum with static `code()` strings
//! - [`Bearer`] — axum extractor for raw Bearer token strings
//! - [`HmacSigner`] — HMAC-SHA256 (HS256) signer/verifier
//! - [`TokenSigner`], [`TokenVerifier`] — JWT signing traits
//! - [`TokenSource`], [`TokenSourceConfig`] — pluggable token extraction trait and YAML config
//! - [`ValidationConfig`] — JWT validation policy (leeway, issuer, audience)

pub mod apikey;
pub mod backup;
pub mod guard;
pub mod otp;
pub mod password;
pub mod role;
pub mod session;
pub mod totp;

pub mod oauth;

// Back-compat re-export — jwt now lives at `auth::session::jwt`.
// This alias keeps `modo::auth::jwt::*` working without breakage.
pub use crate::auth::session::jwt;

// Convenience re-exports
pub use password::PasswordConfig;
pub use totp::{Totp, TotpConfig};

pub use jwt::{
    Bearer, Claims, HmacSigner, JwtConfig, JwtDecoder, JwtEncoder, JwtError, JwtLayer,
    JwtSessionsConfig, TokenSigner, TokenSource, TokenSourceConfig, TokenVerifier,
    ValidationConfig,
};