
pocopine_auth/
lib.rs

1//! Native auth contracts for pocopine server functions.
2//!
3//! The crate stays provider-neutral. Pocopine's generated server routes
4//! build a host-only request context before decoding the server-function
5//! body; host middleware can validate a session/JWT/provider token and
6//! insert an [`AuthUser`] or [`Principal`] into request extensions.
7//! Guards then inspect that context through ordinary Rust functions.
8//!
9//! ## Module layout
10//!
11//! - [`role`] — [`Role`] and [`Permission`] (stringly-typed grant tokens)
12//! - [`user`] — [`AuthUser`] (the canonical user payload + claim bag)
13//! - [`principal`] — [`Principal`] (request identity) and [`Session`]
14//! - [`context`] — [`RequestContext`] and `ensure_*`/`require_*` guards
15//!   (host-only)
16//! - [`provider`] — [`AuthError`], plus host-only [`AuthProvider`] and [`SessionStore`]
17//! - [`predicate`] — [`Predicate`] trait, [`Decision`] outcome, and
18//!   combinators (`any_of`, `all_of`, `require_auth`, `require_role`,
19//!   `require_permission`)
20
21mod predicate;
22mod principal;
23mod provider;
24mod role;
25mod user;
26
27#[cfg(not(target_arch = "wasm32"))]
28mod context;
29
30pub use predicate::{
31    all_of, any_of, require_auth, require_permission, require_role, Decision, DenyReason, Predicate,
32};
33pub use principal::{Principal, Session};
34pub use role::{Permission, Role};
35pub use user::AuthUser;
36
37#[cfg(not(target_arch = "wasm32"))]
38pub use context::{
39    ensure_login, ensure_permission, ensure_role, require_admin, require_login, require_staff,
40    RequestContext, SESSION_COOKIE,
41};
42pub use provider::{AuthError, AuthResult};
43#[cfg(not(target_arch = "wasm32"))]
44pub use provider::{AuthFuture, AuthProvider, SessionStore};