pleme-auth-sessions 0.1.2

pleme-auth-sessions library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437

//! Device trust and fingerprinting
//!
//! Manages trusted devices for enhanced security:
//! - Device fingerprinting
//! - Trust level management
//! - Enhanced sessions for trusted devices
//! - Security alerts for new devices

use crate::error::SessionError;
use chrono::{DateTime, Utc};
use redis::AsyncCommands;
use serde::{Deserialize, Serialize};
use std::fmt;
use tracing::{debug, info, warn};
use uuid::Uuid;

/// Device trust level
#[derive(Debug, Clone, Copy, Serialize, Deserialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum TrustLevel {
    /// New/unknown device - require additional verification
    Untrusted,
    /// Recognized device - standard security
    Recognized,
    /// Trusted device - extended session duration
    Trusted,
    /// Compromised device - block access
    Compromised,
}

impl fmt::Display for TrustLevel {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            TrustLevel::Untrusted => write!(f, "untrusted"),
            TrustLevel::Recognized => write!(f, "recognized"),
            TrustLevel::Trusted => write!(f, "trusted"),
            TrustLevel::Compromised => write!(f, "compromised"),
        }
    }
}

/// Device information
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct DeviceInfo {
    /// Unique device identifier (fingerprint hash)
    pub device_id: String,
    /// User agent string
    pub user_agent: String,
    /// IP address
    pub ip_address: String,
    /// Device type (mobile, desktop, tablet)
    pub device_type: String,
    /// Browser name
    pub browser: Option<String>,
    /// Operating system
    pub os: Option<String>,
    /// Screen resolution (for fingerprinting)
    pub screen_resolution: Option<String>,
    /// Timezone
    pub timezone: Option<String>,
    /// Language
    pub language: Option<String>,
}

impl DeviceInfo {
    /// Create device info from headers and fingerprint data
    pub fn new(
        device_id: String,
        user_agent: String,
        ip_address: String,
        device_type: String,
    ) -> Self {
        Self {
            device_id,
            user_agent,
            ip_address,
            device_type,
            browser: None,
            os: None,
            screen_resolution: None,
            timezone: None,
            language: None,
        }
    }

    /// Create fingerprint from device characteristics
    pub fn fingerprint(&self) -> String {
        use sha2::{Digest, Sha256};

        let mut hasher = Sha256::new();
        hasher.update(self.user_agent.as_bytes());
        hasher.update(self.device_type.as_bytes());

        if let Some(ref browser) = self.browser {
            hasher.update(browser.as_bytes());
        }
        if let Some(ref os) = self.os {
            hasher.update(os.as_bytes());
        }
        if let Some(ref resolution) = self.screen_resolution {
            hasher.update(resolution.as_bytes());
        }
        if let Some(ref timezone) = self.timezone {
            hasher.update(timezone.as_bytes());
        }

        format!("{:x}", hasher.finalize())
    }
}

/// Trusted device record
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TrustedDevice {
    /// Device ID
    pub device_id: String,
    /// User ID
    pub user_id: Uuid,
    /// Device information
    pub device_info: DeviceInfo,
    /// Trust level
    pub trust_level: TrustLevel,
    /// When device was first seen
    pub first_seen: DateTime<Utc>,
    /// When device was last used
    pub last_used: DateTime<Utc>,
    /// When device was marked as trusted
    pub trusted_at: Option<DateTime<Utc>>,
    /// Device name (user-friendly)
    pub device_name: Option<String>,
    /// Number of successful logins from this device
    pub login_count: u32,
}

impl TrustedDevice {
    /// Create new untrusted device
    pub fn new(device_id: String, user_id: Uuid, device_info: DeviceInfo) -> Self {
        Self {
            device_id,
            user_id,
            device_info,
            trust_level: TrustLevel::Untrusted,
            first_seen: Utc::now(),
            last_used: Utc::now(),
            trusted_at: None,
            device_name: None,
            login_count: 1,
        }
    }

    /// Mark device as trusted
    pub fn mark_trusted(&mut self, device_name: Option<String>) {
        self.trust_level = TrustLevel::Trusted;
        self.trusted_at = Some(Utc::now());
        self.device_name = device_name;
        info!("Device {} marked as trusted", self.device_id);
    }

    /// Update last used timestamp
    pub fn touch(&mut self) {
        self.last_used = Utc::now();
        self.login_count += 1;
    }

    /// Check if device should be auto-trusted (e.g., after N successful logins)
    pub fn should_auto_trust(&self, min_login_count: u32) -> bool {
        self.trust_level == TrustLevel::Untrusted && self.login_count >= min_login_count
    }
}

/// Device manager for trust management
pub struct DeviceManager {
    /// Minimum logins before auto-trust
    min_login_count_for_trust: u32,
    /// Maximum trusted devices per user
    max_trusted_devices: usize,
}

impl DeviceManager {
    /// Create new device manager
    pub fn new(min_login_count_for_trust: u32, max_trusted_devices: usize) -> Self {
        Self {
            min_login_count_for_trust,
            max_trusted_devices,
        }
    }

    /// Get device by ID
    pub async fn get_device(
        &self,
        device_id: &str,
        user_id: Uuid,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<Option<TrustedDevice>, SessionError> {
        let key = format!("user:{}:device:{}", user_id, device_id);

        let value: Option<String> = redis.get(&key).await?;

        if let Some(json) = value {
            let device = serde_json::from_str::<TrustedDevice>(&json)?;
            Ok(Some(device))
        } else {
            Ok(None)
        }
    }

    /// Save device
    pub async fn save_device(
        &self,
        device: &TrustedDevice,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<(), SessionError> {
        let key = format!("user:{}:device:{}", device.user_id, device.device_id);
        let value = serde_json::to_string(device)?;

        // Store device with 90-day expiration
        let _: () = redis.set_ex(&key, value, 90 * 24 * 60 * 60).await?;

        // Add to user's device list
        let list_key = format!("user:{}:devices", device.user_id);
        let _: () = redis.sadd(&list_key, &device.device_id).await?;
        let _: () = redis.expire(&list_key, 90 * 24 * 60 * 60).await?;

        debug!("Saved device {} for user {}", device.device_id, device.user_id);

        Ok(())
    }

    /// Get all devices for a user
    pub async fn get_user_devices(
        &self,
        user_id: Uuid,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<Vec<TrustedDevice>, SessionError> {
        let list_key = format!("user:{}:devices", user_id);

        let device_ids: Vec<String> = redis.smembers(&list_key).await.unwrap_or_default();

        let mut devices = Vec::new();
        for device_id in device_ids {
            if let Some(device) = self.get_device(&device_id, user_id, redis).await? {
                devices.push(device);
            }
        }

        // Sort by last used (most recent first)
        devices.sort_by(|a, b| b.last_used.cmp(&a.last_used));

        Ok(devices)
    }

    /// Register or update device
    pub async fn register_device(
        &self,
        device_id: String,
        user_id: Uuid,
        device_info: DeviceInfo,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<TrustedDevice, SessionError> {
        if let Some(mut device) = self.get_device(&device_id, user_id, redis).await? {
            // Update existing device
            device.touch();

            // Auto-trust if meets criteria
            if device.should_auto_trust(self.min_login_count_for_trust) {
                device.mark_trusted(Some(format!(
                    "{} - Auto-trusted",
                    device.device_info.device_type
                )));
                info!("Auto-trusted device {} after {} logins", device_id, device.login_count);
            }

            self.save_device(&device, redis).await?;
            Ok(device)
        } else {
            // Create new device
            let device = TrustedDevice::new(device_id, user_id, device_info);
            self.save_device(&device, redis).await?;

            info!("Registered new device {} for user {}", device.device_id, user_id);

            Ok(device)
        }
    }

    /// Mark device as trusted
    pub async fn trust_device(
        &self,
        device_id: &str,
        user_id: Uuid,
        device_name: Option<String>,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<(), SessionError> {
        let mut device = self
            .get_device(device_id, user_id, redis)
            .await?
            .ok_or_else(|| SessionError::DeviceNotFound(device_id.to_string()))?;

        // Enforce max trusted devices limit
        let trusted_devices = self
            .get_user_devices(user_id, redis)
            .await?
            .into_iter()
            .filter(|d| d.trust_level == TrustLevel::Trusted)
            .count();

        if trusted_devices >= self.max_trusted_devices {
            return Err(SessionError::TooManyTrustedDevices);
        }

        device.mark_trusted(device_name);
        self.save_device(&device, redis).await?;

        Ok(())
    }

    /// Revoke trust from device
    pub async fn untrust_device(
        &self,
        device_id: &str,
        user_id: Uuid,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<(), SessionError> {
        let mut device = self
            .get_device(device_id, user_id, redis)
            .await?
            .ok_or_else(|| SessionError::DeviceNotFound(device_id.to_string()))?;

        device.trust_level = TrustLevel::Untrusted;
        device.trusted_at = None;

        self.save_device(&device, redis).await?;

        info!("Revoked trust from device {}", device_id);

        Ok(())
    }

    /// Mark device as compromised (blocks all access)
    pub async fn mark_compromised(
        &self,
        device_id: &str,
        user_id: Uuid,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<(), SessionError> {
        let mut device = self
            .get_device(device_id, user_id, redis)
            .await?
            .ok_or_else(|| SessionError::DeviceNotFound(device_id.to_string()))?;

        device.trust_level = TrustLevel::Compromised;

        self.save_device(&device, redis).await?;

        warn!("Device {} marked as compromised", device_id);

        Ok(())
    }

    /// Check if device is trusted
    pub async fn is_trusted(
        &self,
        device_id: &str,
        user_id: Uuid,
        redis: &mut redis::aio::ConnectionManager,
    ) -> Result<bool, SessionError> {
        if let Some(device) = self.get_device(device_id, user_id, redis).await? {
            Ok(device.trust_level == TrustLevel::Trusted)
        } else {
            Ok(false)
        }
    }

    /// Get session duration multiplier based on device trust
    pub fn get_session_duration_multiplier(&self, trust_level: TrustLevel) -> f32 {
        match trust_level {
            TrustLevel::Trusted => 3.0,      // 3x longer sessions
            TrustLevel::Recognized => 1.0,   // Normal duration
            TrustLevel::Untrusted => 0.5,    // 50% shorter sessions
            TrustLevel::Compromised => 0.0,  // No session
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_trust_levels() {
        assert_eq!(TrustLevel::Trusted.to_string(), "trusted");
        assert_eq!(TrustLevel::Untrusted.to_string(), "untrusted");
    }

    #[test]
    fn test_device_creation() {
        let device_info = DeviceInfo::new(
            "device123".to_string(),
            "Mozilla/5.0".to_string(),
            "192.168.1.1".to_string(),
            "desktop".to_string(),
        );

        let user_id = Uuid::new_v4();
        let device = TrustedDevice::new("device123".to_string(), user_id, device_info);

        assert_eq!(device.trust_level, TrustLevel::Untrusted);
        assert_eq!(device.login_count, 1);
    }

    #[test]
    fn test_auto_trust() {
        let device_info = DeviceInfo::new(
            "device123".to_string(),
            "Mozilla/5.0".to_string(),
            "192.168.1.1".to_string(),
            "desktop".to_string(),
        );

        let user_id = Uuid::new_v4();
        let mut device = TrustedDevice::new("device123".to_string(), user_id, device_info);

        assert!(!device.should_auto_trust(5));

        device.login_count = 5;
        assert!(device.should_auto_trust(5));
    }

    #[test]
    fn test_session_duration_multiplier() {
        let manager = DeviceManager::new(5, 10);

        assert_eq!(manager.get_session_duration_multiplier(TrustLevel::Trusted), 3.0);
        assert_eq!(manager.get_session_duration_multiplier(TrustLevel::Recognized), 1.0);
        assert_eq!(manager.get_session_duration_multiplier(TrustLevel::Untrusted), 0.5);
        assert_eq!(manager.get_session_duration_multiplier(TrustLevel::Compromised), 0.0);
    }
}