reinhardt-auth 0.1.1

Authentication and authorization system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177

// This module uses the deprecated User trait for backward compatibility.
// AuthBackend and CompositeAuthBackend are keyed on User to preserve existing APIs
// until a full migration to AuthIdentity is complete.
#![allow(deprecated)]
use async_trait::async_trait;

use crate::core::user::User;

/// Authentication backend trait
///
/// Implement this trait to create custom authentication backends.
/// A backend handles user authentication (login) and user retrieval.
///
/// # Examples
///
/// ```
/// use reinhardt_auth::{AuthBackend, User, SimpleUser, PasswordHasher};
/// #[cfg(feature = "argon2-hasher")]
/// use reinhardt_auth::Argon2Hasher;
/// use async_trait::async_trait;
/// use std::collections::HashMap;
/// use uuid::Uuid;
///
/// # #[cfg(feature = "argon2-hasher")]
/// # {
/// struct InMemoryAuthBackend {
///     users: HashMap<String, (String, SimpleUser)>, // username -> (password_hash, user)
///     hasher: Argon2Hasher,
/// }
///
/// impl InMemoryAuthBackend {
///     fn new() -> Self {
///         let mut users = HashMap::new();
///         let hasher = Argon2Hasher::new();
///
///         let user = SimpleUser {
///             id: Uuid::now_v7(),
///             username: "alice".to_string(),
///             email: "alice@example.com".to_string(),
///             is_active: true,
///             is_admin: false,
///             is_staff: false,
///             is_superuser: false,
///         };
///         let hash = hasher.hash("password123").unwrap();
///         users.insert("alice".to_string(), (hash, user));
///
///         Self { users, hasher }
///     }
/// }
///
/// #[async_trait]
/// impl AuthBackend for InMemoryAuthBackend {
///     type User = SimpleUser;
///
///     async fn authenticate(&self, username: &str, password: &str)
///         -> Result<Option<Self::User>, reinhardt_core::exception::Error> {
///         if let Some((hash, user)) = self.users.get(username) {
///             if self.hasher.verify(password, hash)? {
///                 return Ok(Some(user.clone()));
///             }
///         }
///         Ok(None)
///     }
///
///     async fn get_user(&self, user_id: &str)
///         -> Result<Option<Self::User>, reinhardt_core::exception::Error> {
///         Ok(self.users.values()
///             .find(|(_, u)| u.id.to_string() == user_id)
///             .map(|(_, u)| u.clone()))
///     }
/// }
/// # }
/// ```
#[async_trait]
pub trait AuthBackend: Send + Sync {
	/// The user type this backend works with
	type User: User;

	/// Authenticates a user with username and password
	///
	/// Returns `Ok(Some(user))` if authentication succeeds,
	/// `Ok(None)` if credentials are invalid,
	/// `Err(_)` if an error occurs.
	///
	/// # Arguments
	///
	/// * `username` - The username or email to authenticate
	/// * `password` - The plaintext password to verify
	async fn authenticate(
		&self,
		username: &str,
		password: &str,
	) -> Result<Option<Self::User>, reinhardt_core::exception::Error>;

	/// Retrieves a user by their ID
	///
	/// Returns `Ok(Some(user))` if found, `Ok(None)` if not found,
	/// `Err(_)` if an error occurs.
	///
	/// # Arguments
	///
	/// * `user_id` - The user's unique identifier as a string
	async fn get_user(
		&self,
		user_id: &str,
	) -> Result<Option<Self::User>, reinhardt_core::exception::Error>;
}

/// Composite auth backend - tries multiple backends in order
///
/// This backend allows you to configure multiple authentication backends
/// and try them in sequence until one succeeds.
///
/// # Examples
///
/// ```
/// use reinhardt_auth::{CompositeAuthBackend, SimpleUser};
///
/// let backend: CompositeAuthBackend<SimpleUser> = CompositeAuthBackend::new();
/// // Add custom backends with backend.add_backend(Box::new(my_backend))
/// ```
pub struct CompositeAuthBackend<U: User> {
	backends: Vec<Box<dyn AuthBackend<User = U>>>,
}

impl<U: User> CompositeAuthBackend<U> {
	/// Creates a new composite authentication backend with no backends
	pub fn new() -> Self {
		Self {
			backends: Vec::new(),
		}
	}

	/// Adds an authentication backend to the composite
	///
	/// Backends are tried in the order they are added.
	pub fn add_backend(&mut self, backend: Box<dyn AuthBackend<User = U>>) {
		self.backends.push(backend);
	}
}

impl<U: User> Default for CompositeAuthBackend<U> {
	fn default() -> Self {
		Self::new()
	}
}

#[async_trait]
impl<U: User + 'static> AuthBackend for CompositeAuthBackend<U> {
	type User = U;

	async fn authenticate(
		&self,
		username: &str,
		password: &str,
	) -> Result<Option<Self::User>, reinhardt_core::exception::Error> {
		for backend in &self.backends {
			if let Some(user) = backend.authenticate(username, password).await? {
				return Ok(Some(user));
			}
		}
		Ok(None)
	}

	async fn get_user(
		&self,
		user_id: &str,
	) -> Result<Option<Self::User>, reinhardt_core::exception::Error> {
		for backend in &self.backends {
			if let Some(user) = backend.get_user(user_id).await? {
				return Ok(Some(user));
			}
		}
		Ok(None)
	}
}