sui-id-core 0.59.0

Authentication / authorization core (OIDC / OAuth2 + PKCE) for sui-id, a self-hosted Rust OIDC provider.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276

//! Persistent email outbox — sender and background worker (RFC 001).
//!
//! `OutboxMailSender` implements `MailSender` by persisting each outgoing
//! mail to the `email_outbox` table and returning immediately. The actual
//! SMTP delivery is handled by `OutboxWorker`, which runs as a background
//! task alongside `gc::spawn`.
//!
//! ## Retry schedule (defaults)
//!
//! | Attempt | Delay before retry |
//! |---|---|
//! | 1 | 30 seconds |
//! | 2 | 2 minutes |
//! | 3 | 10 minutes |
//! | 4 | 1 hour |
//! | 5 | 6 hours |
//! | (final) | → `failed`, no further retries |
//!
//! These defaults are configurable via `Config::email_outbox_*`. Dev mode
//! sets `max_attempts = 0` (no retry) and uses the direct `SmtpMailSender`.

use std::sync::Arc;
use std::time::Duration;

use chrono::{DateTime, Utc};
use sui_id_shared::ids::EmailOutboxId;
use sui_id_store::repos::email_outbox;
use sui_id_store::models::{EmailOutboxRow, EmailOutboxState};
use sui_id_store::Database;

use crate::errors::{CoreError, CoreResult};
use crate::mail::{MailSender, MailSendOutcome, OutgoingMail, SmtpMailSender};
use crate::time::SharedClock;

// ── Encryption helpers ────────────────────────────────────────────────────────

fn encrypt_field(db: &Database, plaintext: &[u8], aad: &[u8]) -> CoreResult<Vec<u8>> {
    sui_id_store::crypto::seal(db.key(), plaintext, aad)
        .map_err(|_| CoreError::Internal)
}

/// Symmetric pair of `encrypt_field` reserved for a future
/// outbox replay / inspection path; currently no live caller.
#[allow(dead_code)]
fn decrypt_field(db: &Database, ciphertext: &[u8], aad: &[u8]) -> CoreResult<Vec<u8>> {
    sui_id_store::crypto::open(db.key(), ciphertext, aad)
        .map_err(|_| CoreError::Internal)
}

// ── OutboxMailSender ──────────────────────────────────────────────────────────

/// `MailSender` implementation that enqueues mail to the persistent outbox.
/// Returns immediately; delivery is handled by `OutboxWorker`.
#[derive(Clone)]
pub struct OutboxMailSender {
    db:    Database,
    clock: SharedClock,
}

impl OutboxMailSender {
    pub fn new(db: Database, clock: SharedClock) -> Self {
        Self { db, clock }
    }
}

impl MailSender for OutboxMailSender {
    fn send<'a>(
        &'a self,
        mail: OutgoingMail,
    ) -> std::pin::Pin<Box<dyn std::future::Future<Output = CoreResult<MailSendOutcome>> + Send + 'a>> {
        Box::pin(async move {
            let now = self.clock.now();
            let recipient_enc = encrypt_field(&self.db, mail.to.as_bytes(), email_outbox::RECIPIENT_AAD)?;
            let payload = serde_json::to_vec(&OutboxPayload {
                to:        mail.to.clone(),
                subject:   mail.subject.clone(),
                text_body: mail.text_body.clone(),
                html_body: mail.html_body.clone(),
            }).map_err(|_| CoreError::Internal)?;
            let payload_enc = encrypt_field(&self.db, &payload, email_outbox::PAYLOAD_AAD)?;

            let row = EmailOutboxRow {
                id:              EmailOutboxId::new(),
                state:           EmailOutboxState::Queued,
                template:        "direct".into(),
                recipient_enc,
                payload_enc,
                attempt_count:   0,
                next_attempt_at: now,
                last_error:      None,
                // locale is resolved at the call site and stored here so the
                // worker renders in the recipient's language (RFC 002 § C).
                locale:          mail.locale.map(|l| l.tag().to_owned()),
                created_at:      now,
                updated_at:      now,
            };
            email_outbox::enqueue(&self.db, row).await.map_err(CoreError::from)?;

            // Return a synthetic outcome — actual delivery happens asynchronously.
            Ok(MailSendOutcome {
                from:    "(queued)".into(),
                to:      mail.to,
                subject: mail.subject,
            })
        })
    }
}

// ── Serialised payload ────────────────────────────────────────────────────────

#[derive(Debug, serde::Serialize, serde::Deserialize)]
struct OutboxPayload {
    to:        String,
    subject:   String,
    text_body: String,
    html_body: Option<String>,
}

// ── Retry schedule ────────────────────────────────────────────────────────────

/// Seconds to wait before each retry attempt (0-indexed by `attempt_count`).
const BACKOFF_SECS: &[i64] = &[30, 120, 600, 3600, 21600];

fn next_attempt_at(attempt_count: i64, now: DateTime<Utc>) -> DateTime<Utc> {
    let delay = BACKOFF_SECS
        .get(attempt_count as usize)
        .copied()
        .unwrap_or(*BACKOFF_SECS.last().unwrap_or(&21600));
    now + chrono::Duration::seconds(delay)
}

// ── OutboxWorker ──────────────────────────────────────────────────────────────

/// Background task that drains the outbox by attempting SMTP delivery.
pub struct OutboxWorker {
    db:           Database,
    smtp:         Arc<SmtpMailSender>,
    clock:        SharedClock,
    /// How long to sleep between drain cycles when the queue is empty.
    idle_tick:    Duration,
    /// Maximum delivery attempts before a row is marked permanently failed.
    max_attempts: u32,
}

impl OutboxWorker {
    pub fn new(
        db: Database,
        smtp: Arc<SmtpMailSender>,
        clock: SharedClock,
        idle_tick_secs: u64,
        max_attempts: u32,
    ) -> Self {
        Self {
            db,
            smtp,
            clock,
            idle_tick: Duration::from_secs(idle_tick_secs),
            max_attempts,
        }
    }

    /// Spawn the worker as a Tokio background task. Returns a `JoinHandle`;
    /// callers typically drop it (fire-and-forget).
    pub fn spawn(self) -> tokio::task::JoinHandle<()> {
        tokio::spawn(async move {
            self.run().await;
        })
    }

    async fn run(self) {
        // Reset any rows that were mid-send when the process last exited.
        let stuck_threshold = self.clock.now() - chrono::Duration::seconds(60);
        if let Err(e) = email_outbox::requeue_stuck_sending(
            &self.db, stuck_threshold, self.clock.now()
        ).await {
            tracing::warn!(error = %e, "outbox: could not reset stuck rows at startup");
        }

        loop {
            let now = self.clock.now();
            match email_outbox::claim_one_eligible(&self.db, now).await {
                Ok(Some(row)) => {
                    self.process_row(row).await;
                    // Continue immediately — there may be more.
                }
                Ok(None) => {
                    tokio::time::sleep(self.idle_tick).await;
                }
                Err(e) => {
                    tracing::error!(error = %e, "outbox: claim_one_eligible failed");
                    tokio::time::sleep(self.idle_tick).await;
                }
            }
        }
    }

    async fn process_row(&self, row: EmailOutboxRow) {
        let now = self.clock.now();

        // Decrypt payload.
        let payload_bytes = match sui_id_store::crypto::open(
            self.db.key(),
            &row.payload_enc,
            email_outbox::PAYLOAD_AAD,
        ) {
            Ok(b) => b,
            Err(_) => {
                tracing::error!(id = %row.id, "outbox: payload decryption failed — marking failed");
                let _ = email_outbox::mark_permanently_failed(
                    &self.db, row.id, "decryption_error".into(), now
                ).await;
                return;
            }
        };
        let payload: OutboxPayload = match serde_json::from_slice(&payload_bytes) {
            Ok(p) => p,
            Err(e) => {
                tracing::error!(id = %row.id, error = %e, "outbox: payload deserialisation failed");
                let _ = email_outbox::mark_permanently_failed(
                    &self.db, row.id, format!("deserialise_error: {e}"), now
                ).await;
                return;
            }
        };

        let mail = OutgoingMail {
            to:        payload.to,
            subject:   payload.subject,
            text_body: payload.text_body,
            html_body: payload.html_body,
        locale: None,
    };

        // Attempt delivery.
        match self.smtp.send(mail).await {
            Ok(outcome) => {
                tracing::debug!(id = %row.id, to = %outcome.to, "outbox: mail sent");
                let _ = email_outbox::mark_sent(&self.db, row.id, now).await;
            }
            Err(e) => {
                let attempt = row.attempt_count + 1;
                let err_str = redact_smtp_error(&e.to_string());
                if attempt >= self.max_attempts as i64 {
                    tracing::warn!(
                        id = %row.id, attempts = attempt,
                        "outbox: permanent failure after max attempts"
                    );
                    let _ = email_outbox::mark_permanently_failed(
                        &self.db, row.id, err_str, now
                    ).await;
                } else {
                    let next = next_attempt_at(attempt, now);
                    tracing::debug!(
                        id = %row.id, attempt, ?next,
                        "outbox: transient failure, scheduled retry"
                    );
                    let _ = email_outbox::record_failure(
                        &self.db, row.id, err_str, next, now
                    ).await;
                }
            }
        }
    }
}

/// Redact potential credential leakage from SMTP error strings.
/// Strips anything that looks like a password or auth token.
fn redact_smtp_error(s: &str) -> String {
    // Simple: truncate to 200 chars and strip newlines.
    let cleaned = s.replace(['\r', '\n'], " ");
    if cleaned.len() > 200 {
        format!("{}", &cleaned[..200])
    } else {
        cleaned
    }
}