oxide-framework-core 0.1.0

Core runtime and framework logic for the Oxide web framework.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

//! Extractors: [`Authenticated`], [`OptionalAuth`], [`RequireRole`].

use std::marker::PhantomData;

use axum::extract::FromRequestParts;
use axum::http::request::Parts;
use axum::response::{IntoResponse, Response};

use super::claims::AuthClaims;
use crate::response::ApiResponse;

/// Requires a valid JWT (middleware must run — use [`crate::App::auth`]).
pub struct Authenticated(pub AuthClaims);

impl<S: Send + Sync> FromRequestParts<S> for Authenticated {
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        parts
            .extensions
            .get::<AuthClaims>()
            .cloned()
            .map(Authenticated)
            .ok_or(AuthRejection::Unauthorized)
    }
}

/// Present when the client sent a valid JWT; [`None`] for anonymous requests.
pub struct OptionalAuth(pub Option<AuthClaims>);

impl<S: Send + Sync> FromRequestParts<S> for OptionalAuth {
    type Rejection = std::convert::Infallible;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        Ok(OptionalAuth(parts.extensions.get::<AuthClaims>().cloned()))
    }
}

/// Map a zero-sized type to a role name (see [`RequireRole`]).
///
/// ```rust,ignore
/// struct Admin;
/// impl RoleName for Admin {
///     const ROLE: &'static str = "admin";
/// }
///
/// async fn admin_only(_: RequireRole<Admin>) -> ApiResponse<()> {
///     ApiResponse::ok(())
/// }
/// ```
pub trait RoleName: Send + Sync + 'static {
    const ROLE: &'static str;
}

/// Role guard: `RequireRole<YourRoleMarker>` where `YourRoleMarker: RoleName`.
#[derive(Debug, Clone, Copy)]
pub struct RequireRole<R: RoleName>(PhantomData<R>);

impl<S: Send + Sync, R: RoleName> FromRequestParts<S> for RequireRole<R> {
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let claims = parts
            .extensions
            .get::<AuthClaims>()
            .ok_or(AuthRejection::Unauthorized)?;
        if claims.has_role(R::ROLE) {
            Ok(RequireRole(PhantomData))
        } else {
            Err(AuthRejection::Forbidden)
        }
    }
}

/// Rejection for auth extractors.
#[derive(Debug)]
pub enum AuthRejection {
    Unauthorized,
    Forbidden,
}

impl IntoResponse for AuthRejection {
    fn into_response(self) -> Response {
        match self {
            AuthRejection::Unauthorized => {
                ApiResponse::<serde_json::Value>::unauthorized("authentication required").into_response()
            }
            AuthRejection::Forbidden => {
                ApiResponse::<serde_json::Value>::forbidden("insufficient permissions").into_response()
            }
        }
    }
}