rs-auth-core 0.1.2

Core types, crypto, and domain logic for rs-auth.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151

use oauth2::{
    AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, EndpointNotSet, EndpointSet,
    PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, RefreshToken, Scope, TokenResponse, TokenUrl,
    basic::BasicClient,
};

use crate::error::{AuthError, OAuthError};
use crate::oauth::{OAuthProviderConfig, OAuthTokens};

// Type alias for a fully configured OAuth client
type ConfiguredClient = BasicClient<
    EndpointSet,    // HasAuthUrl
    EndpointNotSet, // HasDeviceAuthUrl
    EndpointNotSet, // HasIntrospectionUrl
    EndpointNotSet, // HasRevocationUrl
    EndpointSet,    // HasTokenUrl
>;

/// Result of building an OAuth authorization URL.
pub struct OAuthAuthorization {
    pub authorize_url: String,
    pub csrf_state: String,
    pub pkce_verifier: String,
}

/// Build an OAuth authorization URL with PKCE.
pub fn build_authorization(config: &OAuthProviderConfig) -> Result<OAuthAuthorization, AuthError> {
    let client = build_client(config)?;
    let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();

    let mut auth_request = client.authorize_url(CsrfToken::new_random);
    auth_request = auth_request.set_pkce_challenge(pkce_challenge);
    for scope in &config.scopes {
        auth_request = auth_request.add_scope(Scope::new(scope.clone()));
    }
    let (auth_url, csrf_token) = auth_request.url();

    Ok(OAuthAuthorization {
        authorize_url: auth_url.to_string(),
        csrf_state: csrf_token.secret().clone(),
        pkce_verifier: pkce_verifier.secret().clone(),
    })
}

/// Exchange an authorization code for access and refresh tokens.
pub async fn exchange_code(
    config: &OAuthProviderConfig,
    code: &str,
    pkce_verifier: &str,
) -> Result<OAuthTokens, AuthError> {
    let client = build_client(config)?;

    // Create a reqwest client that doesn't follow redirects (to prevent SSRF)
    let http_client = reqwest::Client::builder()
        .redirect(reqwest::redirect::Policy::none())
        .build()
        .map_err(|_| AuthError::OAuth(OAuthError::ExchangeFailed))?;

    let token_response = client
        .exchange_code(AuthorizationCode::new(code.to_string()))
        .set_pkce_verifier(PkceCodeVerifier::new(pkce_verifier.to_string()))
        .request_async(&http_client)
        .await
        .map_err(|_| AuthError::OAuth(OAuthError::ExchangeFailed))?;

    let access_token = token_response.access_token().secret().clone();
    let refresh_token = token_response.refresh_token().map(|t| t.secret().clone());

    // Extract expires_in and convert from std::time::Duration to time::Duration
    let expires_in = token_response
        .expires_in()
        .and_then(|d| time::Duration::try_from(d).ok());

    // Extract scopes and join them into a single string
    let scope = token_response.scopes().map(|scopes| {
        scopes
            .iter()
            .map(|s| s.as_str())
            .collect::<Vec<_>>()
            .join(" ")
    });

    Ok(OAuthTokens {
        access_token: Some(access_token),
        refresh_token,
        expires_in,
        scope,
    })
}

/// Refresh an access token using a stored refresh token.
pub async fn refresh_access_token(
    config: &OAuthProviderConfig,
    refresh_token_str: &str,
) -> Result<OAuthTokens, AuthError> {
    let client = build_client(config)?;

    let http_client = reqwest::Client::builder()
        .redirect(reqwest::redirect::Policy::none())
        .build()
        .map_err(|_| AuthError::OAuth(OAuthError::RefreshFailed))?;

    let token_response = client
        .exchange_refresh_token(&RefreshToken::new(refresh_token_str.to_string()))
        .request_async(&http_client)
        .await
        .map_err(|_| AuthError::OAuth(OAuthError::RefreshFailed))?;

    let access_token = token_response.access_token().secret().clone();
    let refresh_token = token_response.refresh_token().map(|t| t.secret().clone());

    let expires_in = token_response
        .expires_in()
        .and_then(|d| time::Duration::try_from(d).ok());

    let scope = token_response.scopes().map(|scopes| {
        scopes
            .iter()
            .map(|s| s.as_str())
            .collect::<Vec<_>>()
            .join(" ")
    });

    Ok(OAuthTokens {
        access_token: Some(access_token),
        refresh_token,
        expires_in,
        scope,
    })
}

fn build_client(config: &OAuthProviderConfig) -> Result<ConfiguredClient, AuthError> {
    let client = BasicClient::new(ClientId::new(config.client_id.clone()))
        .set_client_secret(ClientSecret::new(config.client_secret.clone()))
        .set_auth_uri(AuthUrl::new(config.auth_url.clone()).map_err(|e| {
            AuthError::OAuth(OAuthError::Misconfigured {
                message: format!("invalid auth_url: {e}"),
            })
        })?)
        .set_token_uri(TokenUrl::new(config.token_url.clone()).map_err(|e| {
            AuthError::OAuth(OAuthError::Misconfigured {
                message: format!("invalid token_url: {e}"),
            })
        })?)
        .set_redirect_uri(RedirectUrl::new(config.redirect_url.clone()).map_err(|e| {
            AuthError::OAuth(OAuthError::Misconfigured {
                message: format!("invalid redirect_url: {e}"),
            })
        })?);
    Ok(client)
}