neocrates 0.1.44

A comprehensive Rust library for various utilities and helpers
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152

# Middlewares Module

The `middlewares` module contains the request-interception layer for Neocrates-based Axum services. It handles token lookup, optional BASIC auth for PMS-style routes, request IP extraction, and request-body enrichment for common auditing fields.

See also: [root README](../../README.md)

---

## Feature

Enable with:

```toml
neocrates = { version = "0.1", default-features = false, features = ["web", "crypto"] }
```

If you want Redis-backed token storage, enable `redis` too.

Practical note:

- the current interceptor references `crypto::core::Crypto`, so `crypto` is part of the practical feature set for this module today

---

## Main building blocks

- `interceptor::interceptor` — the Axum middleware function
- `token_store::TokenStore` — pluggable storage abstraction
- `token_store::InMemoryTokenStore` — default local implementation
- `token_store::RedisTokenStore` — Redis-backed implementation when `redis` is enabled
- `models::AuthModel` and `models::AuthTokenResult` — shared auth DTOs
- `models::MiddlewareConfig` — runtime configuration for the middleware
- `ip::get_request_host` — extract client IP and URI details

---

## Quick start

```rust
use std::sync::Arc;

use neocrates::axum::{Router, middleware, routing::get};
use neocrates::middlewares::{
    interceptor::interceptor,
    models::MiddlewareConfig,
    token_store::default_in_memory_store,
};

async fn health() -> &'static str {
    "ok"
}

fn router() -> Router {
    let config = Arc::new(MiddlewareConfig {
        token_store: default_in_memory_store(),
        ignore_urls: vec!["/health".into()],
        pms_ignore_urls: vec![],
        prefix: "app:".into(),
        auth_basics: vec![],
    });

    Router::new()
        .route("/health", get(health))
        .layer(middleware::from_fn_with_state(config, interceptor))
}
```

---

## Step-by-step tutorial

## 1. Decide where tokens live

For local development or tests:

```rust
use neocrates::middlewares::token_store::default_in_memory_store;

let store = default_in_memory_store();
```

For Redis-backed storage:

```rust
#[cfg(feature = "redis")]
use std::sync::Arc;
#[cfg(feature = "redis")]
use neocrates::middlewares::token_store::redis_store;
#[cfg(feature = "redis")]
use neocrates::rediscache::RedisPool;

#[cfg(feature = "redis")]
async fn redis_store_example() -> neocrates::anyhow::Result<()> {
    let pool = Arc::new(RedisPool::from_env().await?);
    let store = redis_store(pool, "app:");
    let _ = store;
    Ok(())
}
```

## 2. Configure bypass routes

`MiddlewareConfig` supports two bypass lists:

- `ignore_urls`: skip auth entirely
- `pms_ignore_urls`: bypass token auth, but require a BASIC auth header that matches `auth_basics`

```rust
use neocrates::middlewares::models::MiddlewareConfig;

let cfg = MiddlewareConfig {
    token_store: neocrates::middlewares::token_store::default_in_memory_store(),
    ignore_urls: vec!["/health".into(), "/auth/login".into()],
    pms_ignore_urls: vec!["/admin/internal".into()],
    prefix: "app:".into(),
    auth_basics: vec!["<double-base64 user:pass>".into()],
};
```

## 3. Understand what the interceptor does

For non-bypassed routes it:

1. Reads the token from `Authorization: Bearer ...` or `?accessToken=...`
2. Loads `AuthModel` from the configured `TokenStore`
3. Inserts `AuthModel` into request extensions
4. If the body is JSON, injects audit fields:
   - POST: `creator`, `creator_by`, `updater`, `updater_by`
   - PUT: `updater`, `updater_by`

This makes it convenient to build auditing-aware CRUD APIs without repeating the same body transformation logic in every handler.

---

## Key points and gotchas

- URL matching is **prefix-based** (`starts_with`), not regex-based.
- The middleware reads and rewrites JSON request bodies; non-JSON bodies pass through unchanged.
- `MiddlewareConfig.prefix` exists, but the current interceptor implementation hardcodes an empty prefix internally.
- Token lookup prefers the Bearer header over the query parameter fallback.
- BASIC auth entries in `auth_basics` must already be encoded in the format expected by `Crypto::decode_basic_auth_key`.

---

## Roadmap

Useful next improvements:

1. Make `prefix` active in the interceptor instead of ignored.
2. Add cookie and header customization for token extraction.
3. Extend audit-field injection to PATCH or make it configurable.
4. Add first-class permission hooks instead of leaving PMS logic partially specialized.