use anyhow::Result;
use chrono::{Duration, Utc};
use jsonwebtoken::{Algorithm, EncodingKey, Header, encode};
use systemprompt_identifiers::{SessionId, SessionToken, UserId};
use systemprompt_models::auth::{
JwtAudience, JwtClaims, Permission, RateLimitTier, TokenType, UserType,
};
#[derive(Debug)]
pub struct SessionParams<'a> {
pub user_id: &'a UserId,
pub session_id: &'a SessionId,
pub email: &'a str,
pub duration: Duration,
pub user_type: UserType,
pub permissions: Vec<Permission>,
pub roles: Vec<String>,
pub rate_limit_tier: RateLimitTier,
}
#[derive(Debug)]
pub struct SessionGenerator {
jwt_secret: String,
issuer: String,
}
impl SessionGenerator {
pub fn new(jwt_secret: impl Into<String>, issuer: impl Into<String>) -> Self {
Self {
jwt_secret: jwt_secret.into(),
issuer: issuer.into(),
}
}
pub fn generate(&self, params: &SessionParams<'_>) -> Result<SessionToken> {
let now = Utc::now();
let expiry = now + params.duration;
let claims = JwtClaims {
sub: params.user_id.to_string(),
iat: now.timestamp(),
exp: expiry.timestamp(),
iss: self.issuer.clone(),
aud: JwtAudience::standard(),
jti: uuid::Uuid::new_v4().to_string(),
scope: params.permissions.clone(),
username: params.email.to_string(),
email: params.email.to_string(),
user_type: params.user_type,
roles: params.roles.clone(),
client_id: None,
token_type: TokenType::Bearer,
auth_time: now.timestamp(),
session_id: Some(params.session_id.to_string()),
rate_limit_tier: Some(params.rate_limit_tier),
};
let header = Header::new(Algorithm::HS256);
let token = encode(
&header,
&claims,
&EncodingKey::from_secret(self.jwt_secret.as_bytes()),
)?;
Ok(SessionToken::new(token))
}
}