volga 0.8.9

Easy & Fast Web Framework for Rust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

//! Utilities for custom claims

use serde::de::DeserializeOwned;

/// Trait representing extractable authorization claims from a JWT payload.
///
/// Types implementing this trait allow the framework to access optional authorization
/// information such as roles or permissions, enabling role-based or permission-based
/// access control.
///
/// This trait is intended to be implemented by your custom claims struct, which is typically
/// deserialized from the JWT payload. All methods are optional; by default, they return `None`.
/// You can override only the methods relevant to your use case.
///
/// # Example
///
/// ```no_run
/// use serde::Deserialize;
/// use volga::auth::AuthClaims;
///
/// #[derive(Debug, Clone, Deserialize)]
/// struct MyClaims {
///     sub: String,
///     role: String,
/// }
///
/// impl AuthClaims for MyClaims {
///     fn role(&self) -> Option<&str> {
///         Some(&self.role)
///     }
/// }
/// ```
pub trait AuthClaims: DeserializeOwned + Clone {
    /// Returns the primary role associated with the claims.
    ///
    /// This is useful for role-based access control (RBAC) where only a single role is expected.
    /// If multiple roles are used, prefer implementing the [`AuthClaims::roles()`] method.
    ///
    /// By default, returns `None`.
    fn role(&self) -> Option<&str> {
        None
    }

    /// Returns the list of roles associated with the claims.
    ///
    /// Useful when a subject can have multiple roles.
    /// If a single role is used instead, you may override [`AuthClaims::role()`] instead.
    ///
    /// By default, returns `None`.
    fn roles(&self) -> Option<&[String]> {
        None
    }

    /// Returns the list of permissions granted to the subject.
    ///
    /// By default, returns `None`.
    fn permissions(&self) -> Option<&[String]> {
        None
    }
}

/// Declares a structure as JWT claims and implements [`AuthClaims`] trait
#[macro_export]
macro_rules! claims {
    (
        $(#[$meta:meta])*
        $vis:vis struct $name:ident {
            $(
                $(#[$field_meta:meta])*
                $field:ident : $type:ty
            ),* $(,)?
        }
    ) => {
        $(#[$meta])*
        $vis struct $name {
            $(
                $(#[$field_meta])*
                pub $field: $type,
            )*
        }

        impl $crate::auth::AuthClaims for $name {
            $(
                claims!(@gen_impl $field);
            )*
        }
    };

    (@gen_impl role) => {
        fn role(&self) -> Option<&str> {
            Some(&self.role)
        }
    };
    (@gen_impl roles) => {
        fn roles(&self) -> Option<&[String]> {
            Some(&self.roles)
        }
    };
    (@gen_impl permissions) => {
        fn permissions(&self) -> Option<&[String]> {
            Some(&self.permissions)
        }
    };

    (@gen_impl $field:ident) => {};
}

#[cfg(test)]
mod tests {
    use super::super::{Authorizer, permissions, predicate, role, roles};
    use serde::{Deserialize, Serialize};

    claims! {
        #[derive(Clone, Debug, Serialize, Deserialize)]
        struct MyClaims {
            sub: String,
            role: String,
            permissions: Vec<String>,
        }
    }

    claims! {
        #[derive(Clone, Debug, Serialize, Deserialize)]
        struct MyClaims2 {
            sub: String,
            roles: Vec<String>,
        }
    }

    #[test]
    fn it_creates_claims_and_test_role() {
        let claims = MyClaims {
            sub: "123".to_string(),
            role: "admin".to_string(),
            permissions: vec!["read".to_string(), "write".to_string()],
        };

        let validate: Authorizer<MyClaims> = role("admin");
        assert!(validate.validate(&claims))
    }

    #[test]
    fn it_creates_claims_and_test_roles() {
        let claims = MyClaims2 {
            sub: "123".to_string(),
            roles: vec!["admin".to_string(), "user".to_string()],
        };

        let validate: Authorizer<MyClaims2> = roles(["admin", "user", "editor"]);
        assert!(validate.validate(&claims))
    }

    #[test]
    fn it_creates_claims_and_test_permissions() {
        let claims = MyClaims {
            sub: "123".to_string(),
            role: "user".to_string(),
            permissions: vec!["read".to_string(), "write".to_string()],
        };

        let validate: Authorizer<MyClaims> = permissions(["write"]);
        assert!(validate.validate(&claims))
    }

    #[test]
    fn it_creates_claims_and_test_predicate() {
        let claims = MyClaims {
            sub: "123".to_string(),
            role: "user".to_string(),
            permissions: vec!["read".to_string(), "write".to_string()],
        };
        let validate = predicate(|c: &MyClaims| c.sub == "123");
        assert!(validate.validate(&claims))
    }
}