reinhardt-http 0.1.0-rc.29

HTTP primitives, request and response handling for Reinhardt
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256

//! Authentication state stored in request extensions.
//!
//! This module provides [`AuthState`], a helper struct that stores
//! authentication information in request extensions.
//!
//! `AuthState` uses a private validation marker to prevent external construction
//! via struct literal syntax. Only the provided constructors
//! ([`AuthState::authenticated`], [`AuthState::anonymous`], [`AuthState::from_extensions`])
//! can create valid instances, preventing type collision attacks where
//! malicious code could insert a spoofed auth state into request extensions.

use crate::Extensions;
use crate::extensions::{IsActive, IsAdmin, IsAuthenticated};

/// Private marker to validate that an `AuthState` was created through
/// official constructors, not through external struct literal construction.
#[derive(Clone, Debug, PartialEq, Eq)]
struct AuthStateMarker;

/// Helper struct to store authentication state in request extensions.
///
/// This struct is used by authentication middleware to communicate
/// the authenticated user's information to downstream handlers.
///
/// The struct contains a private field to prevent external construction
/// via struct literal syntax. Use the provided constructors instead.
///
/// # Security Note
///
/// If this state is serialized and sent to client-side code (e.g., in
/// a WASM SPA), the permission checks (`is_authenticated()`,
/// `is_admin()`, `is_active()`) should only be used for **UI display
/// purposes** (showing/hiding elements). An attacker can modify
/// client-side state, so all authorization decisions must be enforced
/// server-side through authentication middleware and permission
/// classes (see `reinhardt-auth`).
///
/// # Example
///
/// ```rust,no_run
/// # use reinhardt_http::AuthState;
/// # struct Request { extensions: Extensions }
/// # struct Extensions;
/// # impl Extensions {
/// #     fn insert<T>(&mut self, _value: T) {}
/// #     fn get<T>(&self) -> Option<T> { None }
/// # }
/// # let mut request = Request { extensions: Extensions };
/// // In middleware (after authentication)
/// request.extensions.insert(AuthState::authenticated("123", false, true));
///
/// // In handler (via CurrentUser or directly)
/// let auth_state: Option<AuthState> = request.extensions.get();
/// ```
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AuthState {
	/// The authenticated user's ID as a string.
	///
	/// This is typically a UUID or database primary key serialized to string.
	user_id: String,

	/// Whether the user is authenticated.
	is_authenticated: bool,

	/// Whether the user has admin/superuser privileges.
	is_admin: bool,

	/// Whether the user's account is active.
	is_active: bool,

	/// Private validation marker to prevent external construction.
	_marker: AuthStateMarker,
}

impl AuthState {
	/// Creates a new authenticated state.
	///
	/// # Arguments
	///
	/// * `user_id` - The authenticated user's ID
	/// * `is_admin` - Whether the user has admin privileges
	/// * `is_active` - Whether the user's account is active
	pub fn authenticated(user_id: impl Into<String>, is_admin: bool, is_active: bool) -> Self {
		Self {
			user_id: user_id.into(),
			is_authenticated: true,
			is_admin,
			is_active,
			_marker: AuthStateMarker,
		}
	}

	/// Creates an anonymous (unauthenticated) state.
	pub fn anonymous() -> Self {
		Self {
			user_id: String::new(),
			is_authenticated: false,
			is_admin: false,
			is_active: false,
			_marker: AuthStateMarker,
		}
	}

	/// Create auth state from request extensions.
	///
	/// This method first attempts to retrieve an `AuthState` object that was
	/// inserted directly into extensions (e.g., by custom middleware). If no
	/// `AuthState` object is found, it falls back to reconstructing one from
	/// individual newtype-wrapped entries (`IsAuthenticated`, `IsAdmin`,
	/// `IsActive`) stored in extensions by legacy middleware.
	///
	/// # Returns
	///
	/// Returns `Some(AuthState)` if an `AuthState` object is found or if both
	/// user_id and `IsAuthenticated` individual entries exist, `None` otherwise.
	pub fn from_extensions(extensions: &Extensions) -> Option<Self> {
		// Primary: try to get AuthState object directly
		if let Some(state) = extensions.get::<AuthState>() {
			return Some(state);
		}
		// Fallback: reconstruct from individual extension entries (backward compatibility)
		let user_id = extensions.get::<String>()?;
		let is_authenticated = extensions
			.get::<IsAuthenticated>()
			.map(|v| v.0)
			.unwrap_or(false);
		let is_admin = extensions.get::<IsAdmin>().map(|v| v.0).unwrap_or(false);
		let is_active = extensions.get::<IsActive>().map(|v| v.0).unwrap_or(false);
		Some(Self {
			user_id,
			is_authenticated,
			is_admin,
			is_active,
			_marker: AuthStateMarker,
		})
	}

	/// Get the authenticated user's ID.
	pub fn user_id(&self) -> &str {
		&self.user_id
	}

	/// Check if the user is authenticated.
	pub fn is_authenticated(&self) -> bool {
		self.is_authenticated
	}

	/// Check if the user has admin privileges.
	pub fn is_admin(&self) -> bool {
		self.is_admin
	}

	/// Check if the user's account is active.
	pub fn is_active(&self) -> bool {
		self.is_active
	}

	/// Check if user is anonymous (not authenticated).
	pub fn is_anonymous(&self) -> bool {
		!self.is_authenticated
	}
}

#[cfg(test)]
mod tests {
	use super::*;
	use rstest::rstest;

	#[test]
	fn test_authenticated() {
		let state = AuthState::authenticated("user-123", true, true);

		assert_eq!(state.user_id(), "user-123");
		assert!(state.is_authenticated());
		assert!(state.is_admin());
		assert!(state.is_active());
	}

	#[test]
	fn test_anonymous() {
		let state = AuthState::anonymous();

		assert!(state.user_id().is_empty());
		assert!(!state.is_authenticated());
		assert!(!state.is_admin());
		assert!(!state.is_active());
	}

	#[rstest]
	fn test_from_extensions_with_authstate_object() {
		// Arrange
		let extensions = Extensions::new();
		let state = AuthState::authenticated("user-456", true, true);
		extensions.insert(state.clone());

		// Act
		let result = AuthState::from_extensions(&extensions);

		// Assert
		assert_eq!(result, Some(state));
		let retrieved = result.unwrap();
		assert_eq!(retrieved.user_id(), "user-456");
		assert!(retrieved.is_authenticated());
		assert!(retrieved.is_admin());
		assert!(retrieved.is_active());
	}

	#[rstest]
	fn test_from_extensions_with_individual_values() {
		// Arrange
		let extensions = Extensions::new();
		extensions.insert("user-789".to_string());
		extensions.insert(IsAuthenticated(true));

		// Act
		let result = AuthState::from_extensions(&extensions);

		// Assert
		assert!(result.is_some());
		let retrieved = result.unwrap();
		assert_eq!(retrieved.user_id(), "user-789");
		assert!(retrieved.is_authenticated());
		assert!(!retrieved.is_admin());
		assert!(!retrieved.is_active());
	}

	#[rstest]
	fn test_from_extensions_empty() {
		// Arrange
		let extensions = Extensions::new();

		// Act
		let result = AuthState::from_extensions(&extensions);

		// Assert
		assert_eq!(result, None);
	}

	#[rstest]
	fn test_from_extensions_preserves_admin_and_active() {
		// Arrange
		let extensions = Extensions::new();
		let state = AuthState::authenticated("admin-user", true, true);
		extensions.insert(state);

		// Act
		let result = AuthState::from_extensions(&extensions);

		// Assert
		let retrieved = result.unwrap();
		assert_eq!(retrieved.user_id(), "admin-user");
		assert!(retrieved.is_authenticated());
		assert!(retrieved.is_admin());
		assert!(retrieved.is_active());
	}
}