openauth-plugins 0.0.4

Official OpenAuth plugin modules.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

use ::http::StatusCode;
use openauth_core::error::OpenAuthError;

use crate::organization::http;
use crate::organization::models::Member;
use crate::organization::options::OrganizationOptions;
use crate::organization::permissions::is_known_static_role;
use crate::organization::store::OrganizationStore;

pub(super) async fn require_session(
    context: &openauth_core::context::AuthContext,
    request: &openauth_core::api::ApiRequest,
    store: &OrganizationStore<'_>,
) -> Result<crate::organization::http::CurrentSession, OpenAuthError> {
    match http::current_session(context, request, store).await? {
        Some(session) => Ok(session),
        None => Err(OpenAuthError::Api("UNAUTHORIZED".to_owned())),
    }
}

pub(super) fn query_param(request: &openauth_core::api::ApiRequest, name: &str) -> Option<String> {
    request.uri().query().and_then(|query| {
        query.split('&').find_map(|pair| {
            let (key, value) = pair.split_once('=').unwrap_or((pair, ""));
            (key == name).then(|| value.to_owned())
        })
    })
}

pub(super) fn valid_email(email: &str) -> bool {
    let Some((local, domain)) = email.split_once('@') else {
        return false;
    };
    !local.is_empty()
        && !domain.is_empty()
        && domain.contains('.')
        && !domain.starts_with('.')
        && !domain.ends_with('.')
        && !email.contains(char::is_whitespace)
}

pub(super) async fn roles_exist(
    store: &OrganizationStore<'_>,
    organization_id: &str,
    roles: &str,
    options: &OrganizationOptions,
) -> Result<bool, OpenAuthError> {
    for role in roles
        .split(',')
        .map(str::trim)
        .filter(|role| !role.is_empty())
    {
        if is_known_static_role(role, options) {
            continue;
        }
        if !options.dynamic_access_control.enabled {
            return Ok(false);
        }
        if store
            .organization_role_by_name(organization_id, role)
            .await?
            .is_none()
        {
            return Ok(false);
        }
    }
    Ok(true)
}

pub(super) async fn is_last_owner(
    store: &OrganizationStore<'_>,
    organization_id: &str,
    member: &Member,
    options: &OrganizationOptions,
) -> Result<bool, OpenAuthError> {
    Ok(member
        .role
        .split(',')
        .any(|role| role.trim() == options.creator_role)
        && owners(store, organization_id, options).await? <= 1)
}

pub(super) async fn owners(
    store: &OrganizationStore<'_>,
    organization_id: &str,
    options: &OrganizationOptions,
) -> Result<usize, OpenAuthError> {
    Ok(store
        .members(organization_id)
        .await?
        .iter()
        .filter(|member| {
            member
                .role
                .split(',')
                .any(|role| role.trim() == options.creator_role)
        })
        .count())
}

pub(super) fn invalid_body() -> Result<openauth_core::api::ApiResponse, OpenAuthError> {
    http::error(
        StatusCode::BAD_REQUEST,
        "INVALID_REQUEST_BODY",
        "Invalid request body",
    )
}