oxidite-auth 2.2.2

Authentication and authorization for Oxidite (RBAC, JWT, OAuth2, 2FA, API keys)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198

use oxidite_core::{OxiditeRequest, Result as OxiditeResult, Error};
use oxidite_db::Database;
use oxidite_db::sqlx::Row;
use std::sync::Arc;
use crate::rbac::{Role, Permission};

/// Middleware to require a specific role
pub struct RequireRole {
    role_name: String,
    db: Arc<dyn Database>,
}

impl RequireRole {
    pub fn new(role_name: impl Into<String>, db: Arc<dyn Database>) -> Self {
        Self {
            role_name: role_name.into(),
            db,
        }
    }
    
    pub async fn check(&self, req: &OxiditeRequest) -> OxiditeResult<bool> {
        // Get user_id from request extensions (set by auth middleware)
        let user_id = req.extensions()
            .get::<i64>()
            .ok_or_else(|| Error::Unauthorized("User not authenticated".to_string()))?;
        
        // Check if user has the required role
        let query = oxidite_db::sqlx::query(
            "SELECT 1 FROM roles r
             INNER JOIN user_roles ur ON r.id = ur.role_id
             WHERE ur.user_id = ? AND r.name = ?
             LIMIT 1"
        )
            .bind(*user_id)
            .bind(&self.role_name);

        let row = self.db.fetch_one(query).await
            .map_err(|_| Error::InternalServerError("Database error".to_string()))?;

        Ok(row.is_some())
    }
}

/// Middleware to require a specific permission
pub struct RequirePermission {
    permission_name: String,
    db: Arc<dyn Database>,
}

impl RequirePermission {
    pub fn new(permission_name: impl Into<String>, db: Arc<dyn Database>) -> Self {
        Self {
            permission_name: permission_name.into(),
            db,
        }
    }
    
    pub async fn check(&self, req: &OxiditeRequest) -> OxiditeResult<bool> {
        // Get user_id from request extensions
        let user_id = req.extensions()
            .get::<i64>()
            .ok_or_else(|| Error::Unauthorized("User not authenticated".to_string()))?;
        
        // Check if user has the required permission through any of their roles
        let query = oxidite_db::sqlx::query(
            "SELECT 1 FROM permissions p
             INNER JOIN role_permissions rp ON p.id = rp.permission_id
             INNER JOIN user_roles ur ON rp.role_id = ur.role_id
             WHERE ur.user_id = ? AND p.name = ?
             LIMIT 1"
        )
            .bind(*user_id)
            .bind(&self.permission_name);

        let row = self.db.fetch_one(query).await
            .map_err(|_| Error::InternalServerError("Database error".to_string()))?;

        Ok(row.is_some())
    }
}

/// Utility functions for authorization checks
pub struct AuthorizationService {
    db: Arc<dyn Database>,
}

impl AuthorizationService {
    pub fn new(db: Arc<dyn Database>) -> Self {
        Self { db }
    }
    
    /// Check if user has a specific role
    pub async fn user_has_role(&self, user_id: i64, role_name: &str) -> oxidite_db::Result<bool> {
        let query = oxidite_db::sqlx::query(
            "SELECT COUNT(*) as count FROM user_roles ur
             INNER JOIN roles r ON ur.role_id = r.id
             WHERE ur.user_id = ? AND r.name = ?"
        )
            .bind(user_id)
            .bind(role_name);

        let row = self.db.fetch_one(query).await?;
        Ok(row
            .and_then(|r| r.try_get::<i64, _>("count").ok())
            .unwrap_or(0) > 0)
    }
    
    /// Check if user has a specific permission
    pub async fn user_can(&self, user_id: i64, permission_name: &str) -> oxidite_db::Result<bool> {
        let query = oxidite_db::sqlx::query(
            "SELECT COUNT(*) as count FROM permissions p
             INNER JOIN role_permissions rp ON p.id = rp.permission_id
             INNER JOIN user_roles ur ON rp.role_id = ur.role_id
             WHERE ur.user_id = ? AND p.name = ?"
        )
            .bind(user_id)
            .bind(permission_name);

        let row = self.db.fetch_one(query).await?;
        Ok(row
            .and_then(|r| r.try_get::<i64, _>("count").ok())
            .unwrap_or(0) > 0)
    }
    
    /// Get all roles for a user
    pub async fn user_roles(&self, user_id: i64) -> oxidite_db::Result<Vec<Role>> {
        use oxidite_db::sqlx::FromRow;
        
        let query = oxidite_db::sqlx::query(
            "SELECT r.* FROM roles r
             INNER JOIN user_roles ur ON r.id = ur.role_id
             WHERE ur.user_id = ?"
        )
            .bind(user_id);

        let rows = self.db.fetch_all(query).await?;
        let mut roles = Vec::new();
        
        for row in rows {
            roles.push(Role::from_row(&row)?);
        }
        
        Ok(roles)
    }
    
    /// Get all permissions for a user (through their roles)
    pub async fn user_permissions(&self, user_id: i64) -> oxidite_db::Result<Vec<Permission>> {
        use oxidite_db::sqlx::FromRow;
        
        let query = oxidite_db::sqlx::query(
            "SELECT DISTINCT p.* FROM permissions p
             INNER JOIN role_permissions rp ON p.id = rp.permission_id
             INNER JOIN user_roles ur ON rp.role_id = ur.role_id
             WHERE ur.user_id = ?"
        )
            .bind(user_id);

        let rows = self.db.fetch_all(query).await?;
        let mut permissions = Vec::new();
        
        for row in rows {
            permissions.push(Permission::from_row(&row)?);
        }
        
        Ok(permissions)
    }
    
    /// Assign role to user
    pub async fn assign_role(&self, user_id: i64, role_id: i64) -> oxidite_db::Result<()> {
        // Use SELECT before INSERT for backend portability.
        let exists_query = oxidite_db::sqlx::query(
            "SELECT 1 FROM user_roles WHERE user_id = ? AND role_id = ? LIMIT 1"
        )
            .bind(user_id)
            .bind(role_id);

        if self.db.fetch_one(exists_query).await?.is_none() {
            let insert_query = oxidite_db::sqlx::query(
                "INSERT INTO user_roles (user_id, role_id) VALUES (?, ?)"
            )
                .bind(user_id)
                .bind(role_id);
            self.db.execute_query(insert_query).await?;
        }
        Ok(())
    }
    
    /// Remove role from user
    pub async fn remove_role(&self, user_id: i64, role_id: i64) -> oxidite_db::Result<()> {
        let query = oxidite_db::sqlx::query(
            "DELETE FROM user_roles WHERE user_id = ? AND role_id = ?"
        )
            .bind(user_id)
            .bind(role_id);
        self.db.execute_query(query).await?;
        Ok(())
    }
}