ultimo 0.5.0

Modern Rust web framework with automatic TypeScript client generation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

//! Integration tests for the API-key auth middleware (feature `api-key`).
#![cfg(feature = "api-key")]

use http_body_util::Full;
use hyper::Request as HyperRequest;
use ultimo::auth::api_key::{ApiKey, StaticKeys};
use ultimo::{Context, Ultimo};

fn empty() -> Full<bytes::Bytes> {
    Full::new(bytes::Bytes::new())
}

fn store() -> StaticKeys {
    StaticKeys::new()
        .insert("key-abc", "service-a")
        .with_scopes("key-def", "service-b", ["read", "write"])
}

fn app(api: ApiKey<StaticKeys>) -> Ultimo {
    let mut app = Ultimo::new_without_defaults();
    app.use_middleware(api.build());
    app.get("/me", |ctx: Context| async move {
        match ctx.api_key().await {
            Some(id) => {
                ctx.json(serde_json::json!({ "id": id.id, "scopes": id.scopes }))
                    .await
            }
            None => ctx.json(serde_json::json!({ "id": null })).await,
        }
    });
    app
}

#[tokio::test]
async fn valid_key_is_accepted_and_identity_attached() {
    let req = HyperRequest::builder()
        .uri("/me")
        .header("x-api-key", "key-def")
        .body(empty())
        .unwrap();
    let res = app(ApiKey::new(store())).oneshot(req).await;
    assert_eq!(res.status(), 200);
    let body = collect(res).await;
    assert!(body.contains("service-b"));
    assert!(body.contains("read"));
    assert!(body.contains("write"));
}

#[tokio::test]
async fn invalid_key_is_rejected_with_401() {
    let req = HyperRequest::builder()
        .uri("/me")
        .header("x-api-key", "wrong")
        .body(empty())
        .unwrap();
    let res = app(ApiKey::new(store())).oneshot(req).await;
    assert_eq!(res.status(), 401);
}

#[tokio::test]
async fn missing_key_is_rejected_with_401() {
    let req = HyperRequest::builder().uri("/me").body(empty()).unwrap();
    let res = app(ApiKey::new(store())).oneshot(req).await;
    assert_eq!(res.status(), 401);
}

#[tokio::test]
async fn optional_mode_passes_through_without_key() {
    let req = HyperRequest::builder().uri("/me").body(empty()).unwrap();
    let res = app(ApiKey::new(store()).optional()).oneshot(req).await;
    assert_eq!(res.status(), 200); // handler sees no identity
}

#[tokio::test]
async fn query_source_reads_key_from_query_param() {
    let req = HyperRequest::builder()
        .uri("/me?api_key=key-abc")
        .body(empty())
        .unwrap();
    let res = app(ApiKey::new(store()).from_query("api_key"))
        .oneshot(req)
        .await;
    assert_eq!(res.status(), 200);
    assert!(collect(res).await.contains("service-a"));
}

#[tokio::test]
async fn custom_header_name_is_honored() {
    let req = HyperRequest::builder()
        .uri("/me")
        .header("authorization", "key-abc")
        .body(empty())
        .unwrap();
    let res = app(ApiKey::new(store()).header_name("authorization"))
        .oneshot(req)
        .await;
    assert_eq!(res.status(), 200);
}

#[tokio::test]
async fn guarded_route_uses_api_key_scopes() {
    // A route guarded by require_scope, behind the api-key middleware. The
    // identity's scopes flow into the Principal the guard reads.
    fn guarded() -> Ultimo {
        let mut app = Ultimo::new_without_defaults();
        app.use_middleware(ApiKey::new(store()).build());
        app.get("/admin", |ctx: Context| async move {
            ctx.require_scope("write").await?;
            ctx.json(serde_json::json!({ "ok": true })).await
        });
        app
    }

    // key-def has scopes [read, write] → allowed.
    let req = HyperRequest::builder()
        .uri("/admin")
        .header("x-api-key", "key-def")
        .body(empty())
        .unwrap();
    assert_eq!(guarded().oneshot(req).await.status(), 200);

    // key-abc has no scopes → 403.
    let req = HyperRequest::builder()
        .uri("/admin")
        .header("x-api-key", "key-abc")
        .body(empty())
        .unwrap();
    assert_eq!(guarded().oneshot(req).await.status(), 403);
}

async fn collect(res: ultimo::response::Response) -> String {
    use http_body_util::BodyExt;
    let bytes = res.into_body().collect().await.unwrap().to_bytes();
    String::from_utf8(bytes.to_vec()).unwrap()
}