riley-cms-api 0.1.0

HTTP API server for riley_cms - Axum-based REST endpoints
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

//! Middleware for riley-cms-api
//!
//! Authentication middleware for protected endpoints.

use axum::{
    extract::{Request, State},
    http::header,
    middleware::Next,
    response::Response,
};
use sha2::{Digest, Sha256};
use std::sync::Arc;
use subtle::ConstantTimeEq;

use crate::AppState;

/// Authentication status for the current request.
///
/// This is inserted into request extensions by the auth middleware
/// and can be extracted by handlers to make authorization decisions.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum AuthStatus {
    /// Unauthenticated public request
    Public,
    /// Authenticated admin request (valid Bearer token provided)
    Admin,
}

/// Authentication middleware that validates Bearer tokens.
///
/// This middleware runs on every request and:
/// 1. Checks for an `Authorization: Bearer <token>` header
/// 2. Validates the token against the configured `auth.api_token`
/// 3. Sets `AuthStatus::Admin` if valid, `AuthStatus::Public` otherwise
/// 4. Inserts the status into request extensions for handlers to check
pub async fn auth_middleware(
    State(state): State<Arc<AppState>>,
    mut request: Request,
    next: Next,
) -> Response {
    let mut auth_status = AuthStatus::Public;

    // Check for configured API token
    if let Some(ref auth_config) = state.config.auth
        && let Some(ref token_config) = auth_config.api_token
    {
        // Resolve the token (supports "env:VAR_NAME" syntax)
        match token_config.resolve() {
            Ok(expected_token) => {
                if expected_token.is_empty() {
                    tracing::warn!("API token resolves to empty string. Admin auth disabled.");
                } else {
                    // Check Authorization header for Bearer token
                    if let Some(auth_header) = request.headers().get(header::AUTHORIZATION)
                        && let Ok(auth_str) = auth_header.to_str()
                        && let Some(provided_token) = auth_str.strip_prefix("Bearer ")
                    {
                        // Hash both tokens before comparing to prevent
                        // leaking token length via timing side-channel.
                        // SHA-256 produces fixed 32-byte hashes regardless
                        // of input length.
                        let provided_hash = Sha256::digest(provided_token.trim().as_bytes());
                        let expected_hash = Sha256::digest(expected_token.as_bytes());
                        if provided_hash.ct_eq(&expected_hash).into() {
                            auth_status = AuthStatus::Admin;
                        }
                    }
                }
            }
            Err(e) => {
                tracing::warn!("Failed to resolve API token: {}. Admin auth disabled.", e);
            }
        }
    }

    // Insert status into extensions so handlers can read it
    request.extensions_mut().insert(auth_status);

    next.run(request).await
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_auth_status_equality() {
        assert_eq!(AuthStatus::Public, AuthStatus::Public);
        assert_eq!(AuthStatus::Admin, AuthStatus::Admin);
        assert_ne!(AuthStatus::Public, AuthStatus::Admin);
    }
}