reifydb-auth 0.4.12

Authentication and authorization module for ReifyDB
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214

// SPDX-License-Identifier: Apache-2.0
// Copyright (c) 2025 ReifyDB

//! Authentication service for ReifyDB.
//!
//! Provides a unified authentication API used by all transports (HTTP, WebSocket,
//! gRPC) and embedded mode. Supports pluggable authentication methods including
//! single-step (password, token) and multi-step challenge-response flows.

mod authenticate;
mod solana;
mod token;

use std::{collections::HashMap, ops::Deref, sync::Arc, time::Duration};

use reifydb_catalog::{catalog::Catalog, create_token};
use reifydb_core::interface::catalog::token::Token;
use reifydb_runtime::context::{clock::Clock, rng::Rng as SystemRng};
use reifydb_transaction::transaction::{admin::AdminTransaction, query::QueryTransaction};
use reifydb_type::{
	error::Error,
	value::{datetime::DateTime, identity::IdentityId},
};

use crate::{challenge::ChallengeStore, registry::AuthenticationRegistry};

/// Trait abstracting the engine operations needed by the authentication service.
///
/// This allows the auth crate to remain independent of the engine crate while
/// still being able to create transactions and access the catalog.
///
/// All transactions are created with system identity — authentication operates
/// at a privileged level.
pub trait AuthEngine: Send + Sync {
	fn begin_admin(&self) -> Result<AdminTransaction, Error>;
	fn begin_query(&self) -> Result<QueryTransaction, Error>;
	fn catalog(&self) -> Catalog;
}

/// Response from an authentication attempt.
#[derive(Debug, Clone)]
pub enum AuthResponse {
	/// Authentication succeeded. Contains the session token and identity.
	Authenticated {
		identity: IdentityId,
		token: String,
	},
	/// The provider requires a challenge-response round-trip.
	Challenge {
		challenge_id: String,
		payload: HashMap<String, String>,
	},
	/// Authentication failed (wrong credentials, unknown identity, etc.).
	Failed {
		reason: String,
	},
}

/// Configurator for the authentication service.
pub struct AuthConfigurator {
	session_ttl: Option<Duration>,
	challenge_ttl: Duration,
}

impl Default for AuthConfigurator {
	fn default() -> Self {
		Self::new()
	}
}

impl AuthConfigurator {
	pub fn new() -> Self {
		Self {
			session_ttl: Some(Duration::from_secs(24 * 60 * 60)), // 24 hours
			challenge_ttl: Duration::from_secs(60),
		}
	}

	pub fn session_ttl(mut self, ttl: Duration) -> Self {
		self.session_ttl = Some(ttl);
		self
	}

	pub fn no_session_ttl(mut self) -> Self {
		self.session_ttl = None;
		self
	}

	pub fn challenge_ttl(mut self, ttl: Duration) -> Self {
		self.challenge_ttl = ttl;
		self
	}

	pub fn configure(self) -> AuthServiceConfig {
		AuthServiceConfig {
			session_ttl: self.session_ttl,
			challenge_ttl: self.challenge_ttl,
		}
	}
}

/// Immutable configuration for the authentication service.
#[derive(Debug, Clone)]
pub struct AuthServiceConfig {
	/// Default session token TTL. `None` means tokens don't expire.
	pub session_ttl: Option<Duration>,
	/// TTL for pending challenges (default: 60 seconds).
	pub challenge_ttl: Duration,
}

impl Default for AuthServiceConfig {
	fn default() -> Self {
		AuthConfigurator::new().configure()
	}
}

pub struct Inner {
	pub(crate) engine: Arc<dyn AuthEngine>,
	pub(crate) auth_registry: Arc<AuthenticationRegistry>,
	pub(crate) challenges: ChallengeStore,
	pub(crate) rng: SystemRng,
	pub(crate) clock: Clock,
	pub(crate) session_ttl: Option<Duration>,
}

/// Shared authentication service.
///
/// Coordinates between the identity catalog, authentication providers, and
/// token/challenge stores. All transports and embedded mode call through
/// this single service.
///
/// Cheap to clone — uses `Arc` internally.
#[derive(Clone)]
pub struct AuthService(Arc<Inner>);

impl Deref for AuthService {
	type Target = Inner;
	fn deref(&self) -> &Inner {
		&self.0
	}
}

impl AuthService {
	pub fn new(
		engine: Arc<dyn AuthEngine>,
		auth_registry: Arc<AuthenticationRegistry>,
		rng: SystemRng,
		clock: Clock,
		config: AuthServiceConfig,
	) -> Self {
		Self(Arc::new(Inner {
			engine,
			auth_registry,
			challenges: ChallengeStore::new(config.challenge_ttl),
			rng,
			clock,
			session_ttl: config.session_ttl,
		}))
	}

	/// Get the current time as a DateTime.
	pub(super) fn now(&self) -> Result<DateTime, Error> {
		Ok(DateTime::from_nanos(self.clock.now_nanos()))
	}

	/// Compute the expiration DateTime from the configured session TTL.
	pub(super) fn expires_at(&self) -> Result<Option<DateTime>, Error> {
		match self.session_ttl {
			Some(ttl) => {
				let ttl_nanos = ttl.as_nanos() as u64;
				let nanos = self.clock.now_nanos().saturating_add(ttl_nanos);
				Ok(Some(DateTime::from_nanos(nanos)))
			}
			None => Ok(None),
		}
	}

	/// Persist a session token to the database using the configured session TTL.
	pub(super) fn persist_token(&self, token: &str, identity: IdentityId) -> Result<Token, Error> {
		let mut admin = self.engine.begin_admin()?;

		let def = create_token(&mut admin, token, identity, self.expires_at()?, self.now()?)?;

		admin.commit()?;
		Ok(def)
	}

	/// Create a token for an identity with an explicit expiration.
	///
	/// Unlike `persist_token` (which uses the configured session TTL), this
	/// accepts an explicit `expires_at` — pass `None` for non-expiring tokens.
	///
	/// Used by applications to issue API tokens.
	pub fn create_token(
		&self,
		token: &str,
		identity: IdentityId,
		expires_at: Option<DateTime>,
	) -> Result<Token, Error> {
		let mut admin = self.engine.begin_admin()?;
		let def = create_token(&mut admin, token, identity, expires_at, self.now()?)?;
		admin.commit()?;
		Ok(def)
	}
}

/// Generate a session token (64 hex characters) using the infrastructure RNG stream.
///
/// Uses `infra_bytes_32` so that session token generation does not consume
/// from the primary RNG, ensuring deterministic test output across runners.
pub(super) fn generate_session_token(rng: &SystemRng) -> String {
	let bytes = rng.infra_bytes_32();
	bytes.iter().map(|b| format!("{:02x}", b)).collect()
}