webgates 1.0.0

Application-facing composition crate for webgates authentication and authorization.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166

# webgates

User-focused composition crate for building a practical `webgates` application stack.

`webgates` builds on `webgates-core` and adds optional higher-level capabilities such as authentication workflows, framework-agnostic gate builders, cookie configuration, JWT support, sessions, secrets, OAuth2, and observability.

Most application developers should start here rather than wiring lower-level crates together manually.

## Who this crate is for

Use `webgates` when you want to:

- depend on one crate as the main application-facing entry point
- configure framework-agnostic cookie, bearer, or OAuth2 gates
- use higher-level login/logout orchestration
- add optional JWT, cookie, repository, secret, and session support through features
- keep transport-specific concerns in adapter crates while application auth logic stays here

If you only need the domain model and authorization primitives, use `webgates-core` directly.

## What you work with in this crate

Most developers can approach `webgates` through four ideas:

- `gate` gives you framework-agnostic gate builders and policy composition
- `authn` gives you higher-level authentication workflows
- feature flags add lower-level capabilities such as codecs, cookies, secrets, repositories, sessions, audit logging, and Prometheus integration
- adapter crates translate this crate into framework-specific HTTP or gRPC behavior

## Install

Standard dependency declaration:

```toml
[dependencies]
webgates = "1.0.0"
```

This crate enables no optional features by default. Use `default-features = false`
when you want to make that choice explicit in your manifest or pair it with an
explicit feature list.

Minimal setup with no optional features:

```toml
[dependencies]
webgates = { version = "1.0.0", default-features = false }
```

Custom setup with only selected capabilities:

```toml
[dependencies]
webgates = { version = "1.0.0", default-features = false, features = ["codecs", "cookies", "authn"] }
```

## Quick start

```rust
use std::sync::Arc;
use webgates::accounts::Account;
use webgates::authz::access_policy::AccessPolicy;
use webgates::codecs::jwt::{JsonWebToken, JwtClaims};
use webgates::gate::Gate;
use webgates::groups::Group;
use webgates::roles::Role;

type AppClaims = JwtClaims<Account<Role, Group>>;
let codec = Arc::new(JsonWebToken::<AppClaims>::default());

let gate = Gate::cookie::<_, Role, Group>("my-app", Arc::clone(&codec))
    .require_login()
    .with_policy(AccessPolicy::<Role, Group>::require_permission("admin:read"));
```

## Core concepts

### 1. Gates are the main runtime-facing concept

Framework-agnostic access gates include:

- `Gate::cookie("issuer", codec)` for JWTs in HTTP-only cookies
- `Gate::bearer("issuer", codec)` for `Authorization: Bearer`
- `with_static_token(...)` for static bearer-token mode
- `allow_anonymous_with_optional_user()` for non-blocking optional user context
- `require_login()` for baseline role plus supervisors

### 2. Policies stay explicit and composable

Authorization policies are explicit and composable:

- `AccessPolicy::require_role(..)`
- `AccessPolicy::require_role_or_supervisor(..)`
- `AccessPolicy::require_group(..)`
- `AccessPolicy::require_permission("domain:action")`

### 3. Features control how much stack you bring in

The `webgates` crate ships with no enabled default features. Enable only the features you need.

- `default = []` (no default features)
- `full`: enables the standard composed stack
- `authn`: authentication services
- `codecs`: JWT codec support via `webgates-codecs`
- `cookies`: cookie templates and cookie-backed helpers
- `oauth2`: OAuth2 support
- `repositories`: repository contracts used by higher-level workflows
- `secrets`: hashing and secret handling via `webgates-secrets`
- `sessions`: framework-agnostic session lifecycle and renewal primitives via `webgates-sessions`
- `audit-logging`: structured audit events with `tracing`
- `prometheus`: Prometheus metrics support; implies `audit-logging`
- `wasm`: WASM-oriented build support

## Session-backed authentication

Enable the `sessions` feature when you want short-lived auth JWTs backed by long-lived refresh-token session state.

This adds access to the framework-agnostic session layer through `webgates::sessions`, including:

- typed session and session-family models
- session issuance, renewal, and revocation services
- opaque refresh-token generation and hashing primitives
- repository contracts for session persistence, rotation, leases, and revocation
- an in-memory repository for tests and local development

Typical composition for session-backed login and renewal:

```toml
[dependencies]
webgates = { version = "1.0.0", default-features = false, features = ["authn", "codecs", "cookies", "repositories", "secrets", "sessions"] }
```

For HTTP adapters, keep cookie extraction and response mutation in the adapter crate. In the Axum integration, use:

- `webgates_axum::route_handlers::login_with_sessions`
- `webgates_axum::route_handlers::logout_with_sessions`
- `webgates_axum::session::CookieSessionLayer`

## Recommended onboarding path

If you are new to this crate, I recommend this order:

1. `gate`
2. `authz::access_policy`
3. `authn` if you need login/logout workflows
4. feature-specific areas such as `codecs`, `cookies`, `sessions`, or `oauth2`
5. the adapter crate that matches your transport layer

## Security checklist

- use a persistent JWT key in production
- keep issuer strings identical between login and gates
- align cookie names and templates between writers and readers
- set `Secure`, `HttpOnly`, and `SameSite` appropriately
- rate-limit login and validate inputs at boundaries
- avoid logging secrets or tokens
- use correlation IDs for observability
- enable `audit-logging` and `prometheus` where appropriate

## License

MIT

Additional backend note:

- SurrealDB support is provided by `webgates-repositories` through its `surrealdb` feature. Review and comply with SurrealDB's BUSL-1.1 terms before enabling it in production.