forge_core/auth/role_resolver.rs
1use std::sync::Arc;
2
3use crate::function::AuthContext;
4
/// Pluggable source of the roles consulted by authorization checks.
///
/// The built-in resolver hands back the flat `roles` JWT claim unchanged.
/// Install a different one with `ForgeBuilder::with_role_resolver` when roles
/// need hierarchy expansion, group lookups, or a remote permission service.
///
/// `resolve` runs on every `require_role` check and its result is not cached
/// between calls, so implementations should stay cheap.
///
/// The return type has no error channel: a resolver backed by a lookup that
/// can fail must decide what to return when it does. An empty `Vec` is the
/// fail-closed choice, assuming `require_role` denies when the role is absent
/// (NOTE(review): that check is not visible in this file — confirm).
pub trait RoleResolver: Send + Sync + 'static {
    /// Returns the role names resolved for `auth`.
    fn resolve(&self, auth: &AuthContext) -> Vec<String>;
}
16
/// Resolver used by default: reports the `roles` JWT claim as-is.
///
/// No filtering, normalisation, or expansion is applied, so the result is
/// only as trustworthy as the token verification behind the `AuthContext`.
/// NOTE(review): that verification is not visible in this file — confirm it
/// runs before any resolver is consulted.
pub struct DefaultRoleResolver;

impl RoleResolver for DefaultRoleResolver {
    /// Copies the roles exposed by `auth` into an owned list.
    fn resolve(&self, auth: &AuthContext) -> Vec<String> {
        let claimed = auth.roles();
        claimed.to_vec()
    }
}
25
/// Reference-counted, dynamically dispatched resolver handle used throughout
/// the runtime. Whichever resolver sits behind this handle supplies the roles
/// for every `require_role` check.
pub type SharedRoleResolver = Arc<dyn RoleResolver>;
28
/// Builds a `SharedRoleResolver` that wraps `DefaultRoleResolver`.
pub fn default_role_resolver() -> SharedRoleResolver {
    // Explicit unsizing: the concrete resolver becomes a trait-object handle.
    Arc::new(DefaultRoleResolver) as SharedRoleResolver
}