spec-ai 0.8.4

A framework for building AI agents with structured outputs, policy enforcement, and execution tracking
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382

//! Authentication module for the HTTP API
//!
//! Provides:
//! - User credential management (loaded from JSON file)
//! - Password verification using PBKDF2-HMAC-SHA256
//! - Bearer token generation and validation using HMAC-SHA256

use anyhow::{Context, Result};
use base64::{Engine, engine::general_purpose::URL_SAFE_NO_PAD};
use ring::{hmac, pbkdf2, rand as ring_rand};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::num::NonZeroU32;
use std::path::Path;
use std::sync::Arc;

/// Number of PBKDF2 iterations for password hashing
const PBKDF2_ITERATIONS: u32 = 100_000;

/// Length of the salt for password hashing
const SALT_LENGTH: usize = 16;

/// Length of the derived key for password hashing
const CREDENTIAL_LENGTH: usize = 32;

/// Token validity duration default (24 hours in seconds)
const DEFAULT_TOKEN_EXPIRY_SECS: u64 = 86400;

/// A user credential stored in the credentials file
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct UserCredential {
    /// Username for authentication
    pub username: String,
    /// PBKDF2-hashed password (base64 encoded: salt + derived_key)
    pub password_hash: String,
}

/// Token payload that gets signed
#[derive(Debug, Clone, Serialize, Deserialize)]
struct TokenPayload {
    /// Username this token belongs to
    pub sub: String,
    /// Token issue timestamp (Unix epoch seconds)
    pub iat: u64,
    /// Token expiration timestamp (Unix epoch seconds)
    pub exp: u64,
    /// Unique token ID
    pub jti: String,
}

/// Authentication service that manages credentials and tokens
#[derive(Clone)]
pub struct AuthService {
    /// Map of username to credential
    credentials: Arc<HashMap<String, UserCredential>>,
    /// HMAC key for signing tokens
    signing_key: Arc<hmac::Key>,
    /// Token expiry duration in seconds
    token_expiry_secs: u64,
    /// Whether auth is enabled
    enabled: bool,
}

impl std::fmt::Debug for AuthService {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("AuthService")
            .field("credentials_count", &self.credentials.len())
            .field("token_expiry_secs", &self.token_expiry_secs)
            .field("enabled", &self.enabled)
            .finish()
    }
}

impl AuthService {
    /// Create a new AuthService
    ///
    /// # Arguments
    /// * `credentials_file` - Optional path to JSON file containing credentials
    /// * `token_secret` - Optional secret for signing tokens (random if not provided)
    /// * `token_expiry_secs` - Token expiry duration in seconds
    /// * `enabled` - Whether authentication is enabled
    pub fn new(
        credentials_file: Option<&Path>,
        token_secret: Option<&str>,
        token_expiry_secs: Option<u64>,
        enabled: bool,
    ) -> Result<Self> {
        // Load credentials if file is provided
        let credentials = if let Some(path) = credentials_file {
            Self::load_credentials(path)?
        } else {
            HashMap::new()
        };

        // Create signing key from provided secret or generate random
        let signing_key = if let Some(secret) = token_secret {
            hmac::Key::new(hmac::HMAC_SHA256, secret.as_bytes())
        } else {
            let rng = ring_rand::SystemRandom::new();
            hmac::Key::generate(hmac::HMAC_SHA256, &rng)
                .map_err(|_| anyhow::anyhow!("Failed to generate signing key"))?
        };

        Ok(Self {
            credentials: Arc::new(credentials),
            signing_key: Arc::new(signing_key),
            token_expiry_secs: token_expiry_secs.unwrap_or(DEFAULT_TOKEN_EXPIRY_SECS),
            enabled,
        })
    }

    /// Create a disabled AuthService (no authentication required)
    pub fn disabled() -> Self {
        Self {
            credentials: Arc::new(HashMap::new()),
            signing_key: Arc::new(hmac::Key::new(hmac::HMAC_SHA256, b"disabled-auth-not-used")),
            token_expiry_secs: DEFAULT_TOKEN_EXPIRY_SECS,
            enabled: false,
        }
    }

    /// Check if authentication is enabled
    pub fn is_enabled(&self) -> bool {
        self.enabled
    }

    /// Load credentials from a JSON file
    fn load_credentials(path: &Path) -> Result<HashMap<String, UserCredential>> {
        let content = std::fs::read_to_string(path)
            .with_context(|| format!("Failed to read credentials file: {}", path.display()))?;

        let credentials: Vec<UserCredential> = serde_json::from_str(&content)
            .with_context(|| format!("Failed to parse credentials file: {}", path.display()))?;

        let mut map = HashMap::new();
        for cred in credentials {
            map.insert(cred.username.clone(), cred);
        }

        tracing::info!("Loaded {} user credentials", map.len());
        Ok(map)
    }

    /// Verify a username/password combination
    pub fn verify_password(&self, username: &str, password: &str) -> bool {
        let Some(credential) = self.credentials.get(username) else {
            return false;
        };

        // Decode the stored hash (base64: salt + derived_key)
        let Ok(stored_bytes) = URL_SAFE_NO_PAD.decode(&credential.password_hash) else {
            tracing::warn!("Invalid base64 in password hash for user: {}", username);
            return false;
        };

        if stored_bytes.len() != SALT_LENGTH + CREDENTIAL_LENGTH {
            tracing::warn!("Invalid password hash length for user: {}", username);
            return false;
        }

        let (salt, stored_hash) = stored_bytes.split_at(SALT_LENGTH);

        // Verify the password using PBKDF2
        pbkdf2::verify(
            pbkdf2::PBKDF2_HMAC_SHA256,
            NonZeroU32::new(PBKDF2_ITERATIONS).unwrap(),
            salt,
            password.as_bytes(),
            stored_hash,
        )
        .is_ok()
    }

    /// Generate a bearer token for a user
    pub fn generate_token(&self, username: &str) -> Result<String> {
        let now = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .context("System time before Unix epoch")?
            .as_secs();

        let payload = TokenPayload {
            sub: username.to_string(),
            iat: now,
            exp: now + self.token_expiry_secs,
            jti: uuid::Uuid::new_v4().to_string(),
        };

        // Serialize payload to JSON
        let payload_json = serde_json::to_string(&payload)?;
        let payload_b64 = URL_SAFE_NO_PAD.encode(payload_json.as_bytes());

        // Sign the payload
        let signature = hmac::sign(&self.signing_key, payload_b64.as_bytes());
        let signature_b64 = URL_SAFE_NO_PAD.encode(signature.as_ref());

        // Token format: payload.signature (both base64 encoded)
        Ok(format!("{}.{}", payload_b64, signature_b64))
    }

    /// Validate a bearer token and return the username if valid
    pub fn validate_token(&self, token: &str) -> Option<String> {
        let parts: Vec<&str> = token.split('.').collect();
        if parts.len() != 2 {
            return None;
        }

        let payload_b64 = parts[0];
        let signature_b64 = parts[1];

        // Verify signature
        let Ok(signature_bytes) = URL_SAFE_NO_PAD.decode(signature_b64) else {
            return None;
        };

        if hmac::verify(&self.signing_key, payload_b64.as_bytes(), &signature_bytes).is_err() {
            return None;
        }

        // Decode and validate payload
        let Ok(payload_json) = URL_SAFE_NO_PAD.decode(payload_b64) else {
            return None;
        };

        let Ok(payload): Result<TokenPayload, _> = serde_json::from_slice(&payload_json) else {
            return None;
        };

        // Check expiration
        let now = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .ok()?
            .as_secs();

        if now > payload.exp {
            return None;
        }

        Some(payload.sub)
    }

    /// Hash a password for storage
    /// Returns base64-encoded salt + derived_key
    pub fn hash_password(password: &str) -> Result<String> {
        let rng = ring_rand::SystemRandom::new();

        // Generate random salt
        let mut salt = [0u8; SALT_LENGTH];
        ring_rand::SecureRandom::fill(&rng, &mut salt)
            .map_err(|_| anyhow::anyhow!("Failed to generate salt"))?;

        // Derive key from password
        let mut derived_key = [0u8; CREDENTIAL_LENGTH];
        pbkdf2::derive(
            pbkdf2::PBKDF2_HMAC_SHA256,
            NonZeroU32::new(PBKDF2_ITERATIONS).unwrap(),
            &salt,
            password.as_bytes(),
            &mut derived_key,
        );

        // Combine salt + derived_key and encode
        let mut combined = Vec::with_capacity(SALT_LENGTH + CREDENTIAL_LENGTH);
        combined.extend_from_slice(&salt);
        combined.extend_from_slice(&derived_key);

        Ok(URL_SAFE_NO_PAD.encode(&combined))
    }
}

/// Request body for token generation
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenRequest {
    /// Username for authentication
    pub username: String,
    /// Password for authentication
    pub password: String,
}

/// Response body for successful token generation
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct TokenResponse {
    /// Bearer token
    pub token: String,
    /// Token type (always "Bearer")
    pub token_type: String,
    /// Seconds until token expires
    pub expires_in: u64,
}

#[cfg(test)]
mod tests {
    use super::*;
    use std::io::Write;
    use tempfile::NamedTempFile;

    #[test]
    fn test_password_hashing() {
        let password = "my_secret_password";
        let hash = AuthService::hash_password(password).unwrap();

        // Hash should be base64 encoded
        let decoded = URL_SAFE_NO_PAD.decode(&hash).unwrap();
        assert_eq!(decoded.len(), SALT_LENGTH + CREDENTIAL_LENGTH);
    }

    #[test]
    fn test_password_verification() {
        let password = "test_password_123";
        let hash = AuthService::hash_password(password).unwrap();

        // Create a credentials file
        let credentials = vec![UserCredential {
            username: "testuser".to_string(),
            password_hash: hash,
        }];

        let mut file = NamedTempFile::new().unwrap();
        write!(file, "{}", serde_json::to_string(&credentials).unwrap()).unwrap();

        let auth =
            AuthService::new(Some(file.path()), Some("test_secret"), Some(3600), true).unwrap();

        // Correct password should verify
        assert!(auth.verify_password("testuser", password));

        // Wrong password should fail
        assert!(!auth.verify_password("testuser", "wrong_password"));

        // Unknown user should fail
        assert!(!auth.verify_password("unknown", password));
    }

    #[test]
    fn test_token_generation_and_validation() {
        let auth = AuthService::new(None, Some("test_secret"), Some(3600), true).unwrap();

        let token = auth.generate_token("testuser").unwrap();

        // Token should validate and return correct username
        let username = auth.validate_token(&token);
        assert_eq!(username, Some("testuser".to_string()));

        // Invalid token should fail
        assert!(auth.validate_token("invalid.token").is_none());
        assert!(auth.validate_token("notavalidtoken").is_none());
    }

    #[test]
    fn test_expired_token() {
        // Create auth service with 0 second expiry
        let auth = AuthService::new(None, Some("test_secret"), Some(0), true).unwrap();

        let token = auth.generate_token("testuser").unwrap();

        // Wait more than 1 second so the token is definitely expired
        // (expiry is checked at second granularity)
        std::thread::sleep(std::time::Duration::from_millis(1100));

        assert!(auth.validate_token(&token).is_none());
    }

    #[test]
    fn test_disabled_auth() {
        let auth = AuthService::disabled();
        assert!(!auth.is_enabled());
    }

    #[test]
    fn test_token_tampering() {
        let auth = AuthService::new(None, Some("test_secret"), Some(3600), true).unwrap();

        let token = auth.generate_token("testuser").unwrap();
        let parts: Vec<&str> = token.split('.').collect();

        // Tamper with payload
        let tampered_payload = URL_SAFE_NO_PAD
            .encode(b"{\"sub\":\"admin\",\"iat\":0,\"exp\":9999999999,\"jti\":\"fake\"}");
        let tampered_token = format!("{}.{}", tampered_payload, parts[1]);

        assert!(auth.validate_token(&tampered_token).is_none());
    }
}