pocopine-auth 0.1.0

First-party auth contracts and guards for pocopine server functions.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199

//! Server-side request context plus the sync/async guard helpers
//! that read it. All host-only — wasm clients use
//! `pocopine-auth-client`.

#![cfg(not(target_arch = "wasm32"))]

use http::{Extensions, HeaderMap, Method, Uri};
use pocopine_core::{ServerError, ServerResult};

use crate::principal::Principal;
use crate::role::{Permission, Role};
use crate::user::AuthUser;

/// Default session cookie name used by the simple auth helpers.
pub const SESSION_COOKIE: &str = "pocopine_session";

/// Request metadata available to server-function auth guards.
///
/// Host-only — wasm clients don't construct a `RequestContext`
/// because they're not on the receiving end of HTTP requests.
/// The client-side equivalent for "what identity is active right
/// now" is `pocopine_auth_client::AuthSession`, which exposes the
/// reactive [`Principal`] without the request-shaped fields
/// (`method`, `uri`, `headers`, cookies, bearer token) that only
/// make sense on the server. A single [`Predicate`](crate::Predicate)
/// value plugs into both surfaces.
#[derive(Clone, Debug)]
pub struct RequestContext {
    method: Method,
    uri: Uri,
    headers: HeaderMap,
    /// Auth principal extracted from host middleware request extensions.
    pub user: Principal,
}

impl RequestContext {
    /// Build an anonymous request context from HTTP request parts.
    pub fn new(method: Method, uri: Uri, headers: HeaderMap) -> Self {
        Self {
            method,
            uri,
            headers,
            user: Principal::anonymous(),
        }
    }

    /// Build a request context and pull auth identity from extensions.
    ///
    /// Middleware may insert either [`Principal`] or [`AuthUser`]. If both
    /// are present, [`Principal`] wins.
    pub fn from_parts(
        method: Method,
        uri: Uri,
        headers: HeaderMap,
        extensions: Extensions,
    ) -> Self {
        let user = extensions
            .get::<Principal>()
            .cloned()
            .or_else(|| {
                extensions
                    .get::<AuthUser>()
                    .cloned()
                    .map(Principal::from_user)
            })
            .unwrap_or_else(Principal::anonymous);

        Self {
            method,
            uri,
            headers,
            user,
        }
    }

    /// Attach an authenticated user.
    pub fn with_user(mut self, user: AuthUser) -> Self {
        self.user = Principal::from_user(user);
        self
    }

    /// Attach a principal.
    pub fn with_principal(mut self, principal: Principal) -> Self {
        self.user = principal;
        self
    }

    /// HTTP method used for the server-function call.
    pub fn method(&self) -> &Method {
        &self.method
    }

    /// Request URI used for the server-function call.
    pub fn uri(&self) -> &Uri {
        &self.uri
    }

    /// All request headers.
    pub fn headers(&self) -> &HeaderMap {
        &self.headers
    }

    /// Header value as UTF-8 text.
    pub fn header(&self, name: &str) -> Option<&str> {
        self.headers.get(name).and_then(|value| value.to_str().ok())
    }

    /// Bearer token from the `Authorization` header, if present.
    pub fn bearer_token(&self) -> Option<&str> {
        let value = self.header("authorization")?;
        let (scheme, token) = value.split_once(' ')?;
        if scheme.eq_ignore_ascii_case("bearer") && !token.trim().is_empty() {
            Some(token.trim())
        } else {
            None
        }
    }

    /// Cookie value by name from the `Cookie` header.
    ///
    /// This deliberately small parser is intended for simple session
    /// cookies. It does not implement full RFC 6265 quoted-value parsing —
    /// apps that need that should reach for the `cookie` crate.
    pub fn cookie(&self, name: &str) -> Option<&str> {
        let cookies = self.header("cookie")?;
        for part in cookies.split(';') {
            if let Some((key, value)) = part.trim().split_once('=') {
                if key.trim() == name {
                    return Some(value.trim());
                }
            }
        }
        None
    }

    /// Session id from the default pocopine auth cookie.
    pub fn session_id(&self) -> Option<&str> {
        self.cookie(SESSION_COOKIE)
    }

    /// Require an authenticated user.
    pub fn require_user(&self) -> ServerResult<&AuthUser> {
        self.user.require_user()
    }
}

/// Ensure the request is authenticated.
pub fn ensure_login(ctx: &RequestContext) -> ServerResult<()> {
    ctx.require_user().map(|_| ())
}

/// Ensure the request has a role.
pub fn ensure_role(ctx: &RequestContext, role: &Role) -> ServerResult<()> {
    if !ctx.user.is_authenticated() {
        return Err(ServerError::unauthorized("login required"));
    }

    if ctx.user.has_role(role) {
        Ok(())
    } else {
        Err(ServerError::forbidden(format!(
            "missing role `{}`",
            role.as_str()
        )))
    }
}

/// Ensure the request has a permission.
pub fn ensure_permission(ctx: &RequestContext, permission: &Permission) -> ServerResult<()> {
    if !ctx.user.is_authenticated() {
        return Err(ServerError::unauthorized("login required"));
    }

    if ctx.user.has_permission(permission) {
        Ok(())
    } else {
        Err(ServerError::forbidden(format!(
            "missing permission `{}`",
            permission.as_str()
        )))
    }
}

/// Built-in `#[server(guard = ...)]` guard requiring any logged-in user.
pub async fn require_login(ctx: RequestContext) -> ServerResult<()> {
    ensure_login(&ctx)
}

/// Built-in `#[server(guard = ...)]` guard requiring the conventional
/// `admin` role (matched by string).
pub async fn require_admin(ctx: RequestContext) -> ServerResult<()> {
    ensure_role(&ctx, &Role::admin())
}

/// Built-in `#[server(guard = ...)]` guard requiring the conventional
/// `staff` role (matched by string).
pub async fn require_staff(ctx: RequestContext) -> ServerResult<()> {
    ensure_role(&ctx, &Role::staff())
}