nestrs 0.3.5

NestJS-like API framework for Rust on top of Axum and Tower.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130

//! Authentication helpers and reusable guards (Nest **Passport**-style strategies stay in your app; these wire into [`CanActivate`](crate::core::CanActivate) and Axum extractors).

use crate::core::{AuthStrategy, CanActivate, GuardError, HandlerKey, MetadataRegistry};
use crate::UnauthorizedException;
use async_trait::async_trait;
use axum::extract::FromRequestParts;
use axum::http::header::AUTHORIZATION;
use axum::http::request::Parts;
use std::marker::PhantomData;

/// Parses `Authorization: Bearer <token>` (case-insensitive scheme). Returns the token slice without allocating.
pub fn parse_authorization_bearer(auth_header: &str) -> Option<&str> {
    let mut iter = auth_header.splitn(2, char::is_whitespace);
    let scheme = iter.next()?.trim_end_matches(':');
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let token = iter.next()?.trim();
    if token.is_empty() {
        None
    } else {
        Some(token)
    }
}

/// Comma-separated `roles` metadata for the current route (from [`MetadataRegistry`]), if any.
pub fn route_roles_csv(parts: &Parts) -> Option<String> {
    let handler = parts.extensions.get::<HandlerKey>().map(|h| h.0)?;
    MetadataRegistry::get(handler, "roles")
}

/// Requires a non-empty `Authorization: Bearer …` header and exposes the token (UTF-8).
#[derive(Debug, Clone)]
pub struct BearerToken(pub String);

#[async_trait]
impl<S> FromRequestParts<S> for BearerToken
where
    S: Send + Sync,
{
    type Rejection = crate::HttpException;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let raw = parts
            .headers
            .get(AUTHORIZATION)
            .and_then(|v| v.to_str().ok())
            .ok_or_else(|| UnauthorizedException::new("missing Authorization header"))?;
        let token = parse_authorization_bearer(raw)
            .ok_or_else(|| UnauthorizedException::new("expected Bearer token"))?;
        Ok(BearerToken(token.to_string()))
    }
}

/// Same as [`BearerToken`] but yields `None` when the header is missing or not a Bearer token.
#[derive(Debug, Clone, Default)]
pub struct OptionalBearerToken(pub Option<String>);

#[async_trait]
impl<S> FromRequestParts<S> for OptionalBearerToken
where
    S: Send + Sync,
{
    type Rejection = std::convert::Infallible;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let v = parts
            .headers
            .get(AUTHORIZATION)
            .and_then(|h| h.to_str().ok())
            .and_then(parse_authorization_bearer)
            .map(str::to_string);
        Ok(OptionalBearerToken(v))
    }
}

/// Runs [`AuthStrategy::validate`] for `S: Default` (JWT/API-key strategies you implement and mark `Default` when stateless).
#[derive(Debug)]
pub struct AuthStrategyGuard<S>(PhantomData<S>);

impl<S> Default for AuthStrategyGuard<S> {
    fn default() -> Self {
        Self(PhantomData)
    }
}

#[async_trait]
impl<S> CanActivate for AuthStrategyGuard<S>
where
    S: AuthStrategy + Default + Send + Sync + 'static,
{
    async fn can_activate(&self, parts: &Parts) -> Result<(), GuardError> {
        S::default()
            .validate(parts)
            .await
            .map_err(|e| GuardError::unauthorized(e.message))?;
        Ok(())
    }
}

/// Reads the caller role from the `x-role` header and checks it against `#[roles("a,b")]` metadata (same pattern as Nest metadata + guard).
#[derive(Debug, Default)]
pub struct XRoleMetadataGuard;

#[async_trait]
impl CanActivate for XRoleMetadataGuard {
    async fn can_activate(&self, parts: &Parts) -> Result<(), GuardError> {
        let handler = parts
            .extensions
            .get::<HandlerKey>()
            .map(|h| h.0)
            .ok_or_else(|| GuardError::forbidden("missing handler key"))?;

        let allowed = MetadataRegistry::get(handler, "roles")
            .ok_or_else(|| GuardError::forbidden("missing roles metadata"))?;

        let role = parts
            .headers
            .get("x-role")
            .and_then(|v| v.to_str().ok())
            .unwrap_or("");

        let is_allowed = allowed.split(',').any(|r| r.trim() == role);
        if is_allowed {
            Ok(())
        } else {
            Err(GuardError::forbidden("forbidden"))
        }
    }
}