umbral-auth 0.0.1

Authentication plugin for umbral: User model, argon2 password hashing, login helpers.
Documentation

umbral-auth — the built-in authentication plugin.

The first crate under plugins/ and the proof of the M7 plugin contract: a real built-in expressed through umbral::prelude::Plugin with no special-casing inside umbral-core. Auth is the most common Django plugin, so getting it right here also pressure-tests the contract for the rest.

M9 v1 scope

  • [AuthUser] model: the canonical Django-shape User (username, email, password hash, is_active / is_staff / is_superuser, date_joined, last_login).
  • [UserModel] trait: the minimum surface a custom user model must satisfy so AuthPlugin<U> can swap in any user type. Default impls cover the optional flag methods so a minimal custom user struct only has to implement the load-bearing four.
  • argon2 password hashing via [hash_password] / [verify_password].
  • [create_user], [authenticate], [set_password] helpers. authenticate and set_password are generic over any U: UserModel.
  • [AuthPlugin] registers the user model (which becomes a migration) plus the /auth routes and management commands. The type parameter defaults to [AuthUser] so existing apps need no changes.
  • [login_required] module: LoginRequired config, LoggedIn<U> extractor, LoginRequiredLayer middleware, and the login_required() / login_required_html() convenience constructors. Django's @login_required in two shapes.

Custom user models

// 1. Declare a custom user struct.
#[derive(Debug, Clone, sqlx::FromRow, Serialize, Deserialize, umbral::orm::Model)]
pub struct TenantUser {
    pub id: i64,
    pub username: String,
    pub password_hash: String,
    pub tenant_id: i64,
    pub is_active: bool,
}

// 2. Implement UserModel (only the four required methods).
impl umbral_auth::UserModel for TenantUser {
    fn id(&self) -> i64               { self.id }
    fn username(&self) -> &str        { &self.username }
    fn password_hash(&self) -> &str   { &self.password_hash }
    fn set_password_hash(&mut self, h: String) { self.password_hash = h; }
}

// 3. Wire the plugin with your type.
App::builder()
    .plugin(AuthPlugin::<TenantUser>::default())
    .build()?

Deferred (per docs/specs/outlines/auth-and-sessions.md)

  • Permissions, groups, the auth-backend chain.
  • The Auth<U> request extractor + #[login_required] middleware. Needs Plugin::middleware() lifted (M7 deferral).
  • Login / logout / password-reset HTTP flows. Needs the full umbral-sessions session middleware wired end-to-end.
  • Periodic session cleanup via umbral-tasks.