rustapi-extras 0.1.450

Production-ready middleware collection for RustAPI. Includes JWT auth, CORS, Rate Limiting, SQLx integration, and OpenTelemetry observability.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

//! API Key authentication middleware
//!
//! This module provides API key-based authentication for securing endpoints.
//! Supports both header-based and query parameter API keys.
//!
//! # Example
//!
//! ```rust,no_run
//! use rustapi_core::RustApi;
//! use rustapi_extras::ApiKeyLayer;
//!
//! #[tokio::main]
//! async fn main() {
//!     let app = RustApi::new()
//!         .layer(
//!             ApiKeyLayer::new()
//!                 .header("X-API-Key")
//!                 .add_key("your-secret-api-key-here")
//!         )
//!         .run("0.0.0.0:3000")
//!         .await
//!         .unwrap();
//! }
//! ```

use rustapi_core::{
    middleware::{BoxedNext, MiddlewareLayer},
    Request, Response, ResponseBody,
};
use std::collections::HashSet;
use std::future::Future;
use std::pin::Pin;
use std::sync::Arc;

/// API Key authentication configuration
#[derive(Clone)]
pub struct ApiKeyConfig {
    /// Valid API keys
    pub keys: Arc<HashSet<String>>,
    /// Header name to check for API key
    pub header_name: String,
    /// Query parameter name to check for API key
    pub query_param_name: Option<String>,
    /// Paths to skip API key validation
    pub skip_paths: Vec<String>,
}

impl Default for ApiKeyConfig {
    fn default() -> Self {
        Self {
            keys: Arc::new(HashSet::new()),
            header_name: "X-API-Key".to_string(),
            query_param_name: None,
            skip_paths: vec!["/health".to_string(), "/docs".to_string()],
        }
    }
}

/// API Key authentication middleware
#[derive(Clone)]
pub struct ApiKeyLayer {
    config: ApiKeyConfig,
}

impl ApiKeyLayer {
    /// Create a new API key layer with default configuration
    pub fn new() -> Self {
        Self {
            config: ApiKeyConfig::default(),
        }
    }

    /// Set the header name to check for API key
    pub fn header(mut self, name: impl Into<String>) -> Self {
        self.config.header_name = name.into();
        self
    }

    /// Enable query parameter API key checking
    pub fn query_param(mut self, name: impl Into<String>) -> Self {
        self.config.query_param_name = Some(name.into());
        self
    }

    /// Add a valid API key
    pub fn add_key(mut self, key: impl Into<String>) -> Self {
        let keys = Arc::make_mut(&mut self.config.keys);
        keys.insert(key.into());
        self
    }

    /// Add multiple valid API keys
    pub fn add_keys(mut self, keys: Vec<String>) -> Self {
        let key_set = Arc::make_mut(&mut self.config.keys);
        for key in keys {
            key_set.insert(key);
        }
        self
    }

    /// Skip API key validation for specific paths
    pub fn skip_path(mut self, path: impl Into<String>) -> Self {
        self.config.skip_paths.push(path.into());
        self
    }
}

impl Default for ApiKeyLayer {
    fn default() -> Self {
        Self::new()
    }
}

impl MiddlewareLayer for ApiKeyLayer {
    fn call(
        &self,
        req: Request,
        next: BoxedNext,
    ) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>> {
        let config = self.config.clone();

        Box::pin(async move {
            let path = req.uri().path();

            // Check if this path should skip validation
            if config.skip_paths.iter().any(|p| path.starts_with(p)) {
                return next(req).await;
            }

            // Try to extract API key from header
            let api_key = if let Some(header_value) = req.headers().get(&config.header_name) {
                header_value.to_str().ok()
            } else {
                None
            };

            // If not in header, try query parameter
            let api_key = if api_key.is_none() {
                if let Some(query_param) = &config.query_param_name {
                    req.uri().query().and_then(|q| {
                        q.split('&').find_map(|param| {
                            let mut parts = param.split('=');
                            if parts.next()? == query_param {
                                parts.next()
                            } else {
                                None
                            }
                        })
                    })
                } else {
                    None
                }
            } else {
                api_key
            };

            // Validate API key
            match api_key {
                Some(key) if config.keys.contains(key) => {
                    // Valid API key, proceed
                    next(req).await
                }
                Some(_) => {
                    // Invalid API key
                    create_unauthorized_response("Invalid API key")
                }
                None => {
                    // Missing API key
                    create_unauthorized_response("Missing API key")
                }
            }
        })
    }

    fn clone_box(&self) -> Box<dyn MiddlewareLayer> {
        Box::new(self.clone())
    }
}

fn create_unauthorized_response(message: &str) -> Response {
    let error_body = serde_json::json!({
        "error": {
            "type": "unauthorized",
            "message": message
        }
    });

    let body = serde_json::to_vec(&error_body).unwrap_or_default();

    http::Response::builder()
        .status(401)
        .header("Content-Type", "application/json")
        .body(ResponseBody::Full(http_body_util::Full::new(
            bytes::Bytes::from(body),
        )))
        .unwrap()
}

#[cfg(test)]
mod tests {
    use super::*;
    use bytes::Bytes;
    use std::sync::Arc;

    #[tokio::test]
    async fn api_key_valid_header() {
        let layer = ApiKeyLayer::new()
            .header("X-API-Key")
            .add_key("test-key-123");

        let next: BoxedNext = Arc::new(|_req: Request| {
            Box::pin(async {
                http::Response::builder()
                    .status(200)
                    .body(ResponseBody::Full(http_body_util::Full::new(
                        bytes::Bytes::from("OK"),
                    )))
                    .unwrap()
            }) as Pin<Box<dyn Future<Output = Response> + Send + 'static>>
        });

        let req = http::Request::builder()
            .method("GET")
            .uri("/api/users")
            .header("X-API-Key", "test-key-123")
            .body(())
            .unwrap();
        let req = Request::from_http_request(req, Bytes::new());

        let response = layer.call(req, next).await;
        assert_eq!(response.status(), 200);
    }

    #[tokio::test]
    async fn api_key_invalid_header() {
        let layer = ApiKeyLayer::new()
            .header("X-API-Key")
            .add_key("test-key-123");

        let next: BoxedNext = Arc::new(|_req: Request| {
            Box::pin(async {
                http::Response::builder()
                    .status(200)
                    .body(ResponseBody::Full(http_body_util::Full::new(
                        bytes::Bytes::from("OK"),
                    )))
                    .unwrap()
            }) as Pin<Box<dyn Future<Output = Response> + Send + 'static>>
        });

        let req = http::Request::builder()
            .method("GET")
            .uri("/api/users")
            .header("X-API-Key", "wrong-key")
            .body(())
            .unwrap();
        let req = Request::from_http_request(req, Bytes::new());

        let response = layer.call(req, next).await;
        assert_eq!(response.status(), 401);
    }

    #[tokio::test]
    async fn api_key_missing() {
        let layer = ApiKeyLayer::new()
            .header("X-API-Key")
            .add_key("test-key-123");

        let next: BoxedNext = Arc::new(|_req: Request| {
            Box::pin(async {
                http::Response::builder()
                    .status(200)
                    .body(ResponseBody::Full(http_body_util::Full::new(
                        bytes::Bytes::from("OK"),
                    )))
                    .unwrap()
            }) as Pin<Box<dyn Future<Output = Response> + Send + 'static>>
        });

        let req = http::Request::builder()
            .method("GET")
            .uri("/api/users")
            .body(())
            .unwrap();
        let req = Request::from_http_request(req, Bytes::new());

        let response = layer.call(req, next).await;
        assert_eq!(response.status(), 401);
    }

    #[tokio::test]
    async fn api_key_skips_health_check() {
        let layer = ApiKeyLayer::new()
            .header("X-API-Key")
            .add_key("test-key-123");

        let next: BoxedNext = Arc::new(|_req: Request| {
            Box::pin(async {
                http::Response::builder()
                    .status(200)
                    .body(ResponseBody::Full(http_body_util::Full::new(
                        bytes::Bytes::from("OK"),
                    )))
                    .unwrap()
            }) as Pin<Box<dyn Future<Output = Response> + Send + 'static>>
        });

        let req = http::Request::builder()
            .method("GET")
            .uri("/health")
            .body(())
            .unwrap();
        let req = Request::from_http_request(req, Bytes::new());

        let response = layer.call(req, next).await;
        assert_eq!(response.status(), 200);
    }

    #[tokio::test]
    async fn api_key_query_param() {
        let layer = ApiKeyLayer::new()
            .query_param("api_key")
            .add_key("test-key-123");

        let next: BoxedNext = Arc::new(|_req: Request| {
            Box::pin(async {
                http::Response::builder()
                    .status(200)
                    .body(ResponseBody::Full(http_body_util::Full::new(
                        bytes::Bytes::from("OK"),
                    )))
                    .unwrap()
            }) as Pin<Box<dyn Future<Output = Response> + Send + 'static>>
        });

        let req = http::Request::builder()
            .method("GET")
            .uri("/api/users?api_key=test-key-123")
            .body(())
            .unwrap();
        let req = Request::from_http_request(req, Bytes::new());

        let response = layer.call(req, next).await;
        assert_eq!(response.status(), 200);
    }
}