dsp_cli/render/auth.rs
1//! Auth renderer-input shapes — typed values passed to `Renderer::auth_*` methods.
2//!
3//! These are render-layer types, not domain model types. They live here rather
4//! than in `src/model/` because they flow from the action layer into the
5//! renderer, not across the client→action boundary. See ADR-0008 for the
6//! layer split.
7
8use chrono::{DateTime, Utc};
9
10/// Outcome passed to `Renderer::auth_login` on a successful login.
11pub struct AuthLoginOutcome {
12 /// Resolved server URL (after `Config::resolve`).
13 pub server: String,
14 /// Authenticated user identifier (email, username, or IRI) — echoed from
15 /// the `--user` value the user supplied.
16 pub user: String,
17 /// Token expiry derived from the JWT `exp` claim, if present.
18 pub expires_at: Option<DateTime<Utc>>,
19}
20
21/// Outcome passed to `Renderer::auth_status` — either logged-in or not.
22pub enum AuthStatusOutcome {
23 /// A token for this server exists in the auth cache.
24 LoggedIn {
25 /// Resolved server URL.
26 server: String,
27 /// Username stored in the cache, if any.
28 user: Option<String>,
29 /// Token expiry stored in the cache, if any.
30 expires_at: Option<DateTime<Utc>>,
31 /// `true` when `expires_at` is set and is in the past.
32 expired: bool,
33 },
34 /// A token was supplied via the `DSP_TOKEN` environment variable, which
35 /// overrides the cached token (ADR-0007). No user is available (the cached
36 /// `user` comes from the login response body, not from the token itself).
37 /// Expiry is read via `client::jwt::extract_exp` for display only; if the
38 /// token is not a parseable JWT, `expires_at` is `None` ("expiry unknown").
39 AuthenticatedViaEnv {
40 /// Resolved server URL.
41 server: String,
42 /// Token expiry derived from the JWT `exp` claim, if parseable.
43 /// `None` means the token's `exp` was unreadable ("expiry unknown").
44 expires_at: Option<DateTime<Utc>>,
45 /// `true` when `expires_at` is `Some` and the timestamp is in the past.
46 expired: bool,
47 },
48 /// No token for this server in the auth cache (or no cache file).
49 NotLoggedIn {
50 /// Resolved server URL.
51 server: String,
52 },
53}
54
55/// Outcome passed to `Renderer::auth_logout`.
56pub struct AuthLogoutOutcome {
57 /// Resolved server URL.
58 pub server: String,
59 /// `true` when an entry was actually removed from the cache.
60 pub was_cached: bool,
61}
62
63/// Outcome passed to `Renderer::auth_set_token` after caching a stdin-provided token.
64pub struct AuthSetTokenOutcome {
65 /// Resolved server URL (after `Config::resolve`).
66 pub server: String,
67 /// User identifier from the JWT `sub` claim (a user IRI); `None` if the
68 /// claim is absent. This is display-only metadata — it is **not** verified
69 /// and must not be used as an access-control input.
70 pub user: Option<String>,
71 /// Token expiry derived from the JWT `exp` claim, if present.
72 pub expires_at: Option<DateTime<Utc>>,
73}