
//! Authentication, authorization, and session management for FraiseQL.
//!
//! Handles JWT validation, OAuth/OIDC flows, session management, and authorization.
//!
//! This crate root only declares the module tree and re-exports each module's
//! public surface; no behaviour is implemented here. Every name re-exported
//! below is part of the crate's public API, so adding or removing one is an
//! API-visible change.

// `forbid` (unlike `deny`) cannot be re-enabled by an inner `allow`, so no
// submodule of this crate can introduce `unsafe` code.
#![forbid(unsafe_code)]
// Reason: axum extractors require owned types. Applied crate-wide rather than
// per handler module.
#![allow(clippy::needless_pass_by_value)]
// Reason: technical terms (OAuth2, PKCE, OIDC, HMAC) appear throughout the docs
// and would otherwise trip the backtick-identifier lint.
#![allow(clippy::doc_markdown)]

// ---------------------------------------------------------------------------
// Module tree
// ---------------------------------------------------------------------------

// Security hardening, auditing and configuration.
pub mod audit;
pub mod constant_time;
pub mod error;
pub mod error_sanitizer;
pub mod rate_limiting;
pub mod security_config;
pub mod security_init;
pub mod state_encryption;
pub mod state_store;

// Token handling and external identity providers.
pub mod jwks;
pub mod jwt;
pub mod oauth;
pub mod oidc_provider;
pub mod oidc_server_client;
pub mod pkce;
pub mod provider;
pub mod providers;

// HTTP handlers, middleware, sessions and access policy.
pub mod handlers;
pub mod middleware;
pub mod monitoring;
pub mod operation_rbac;
pub mod proxy;
pub mod session;
pub mod session_postgres;

// Test-only modules; compiled solely under `cfg(test)`.
#[cfg(test)]
mod constant_time_tests;
#[cfg(test)]
mod error_sanitization_tests;
#[cfg(test)]
mod integration_security_tests;
#[cfg(test)]
mod rate_limiting_tests;
#[cfg(test)]
mod security_tests;
#[cfg(test)]
mod state_encryption_tests;

// ---------------------------------------------------------------------------
// Public re-exports (crate-root API)
// ---------------------------------------------------------------------------

// Auditing.
pub use crate::audit::logger::{
    AuditEntry, AuditEventType, AuditExt, AuditLogger, SecretType, StructuredAuditLogger,
    get_audit_logger, init_audit_logger,
};

// Errors. `Result` is the crate's own alias from `error`, not
// `std::result::Result`; a `use fraiseql_auth::*` glob import will shadow the
// prelude `Result` in the importing module.
pub use crate::error::{AuthError, Result};
pub use crate::error_sanitizer::{
    AuthErrorSanitizer, Sanitize, SanitizedError, messages as error_messages,
};

// Hardening primitives and rate limiting.
pub use crate::constant_time::ConstantTimeOps;
pub use crate::rate_limiting::{AuthRateLimitConfig, KeyedRateLimiter, RateLimiters};
pub use crate::state_encryption::{
    DecryptionError, EncryptedState, EncryptionAlgorithm, KeyError, StateEncryption,
    StateEncryptionConfig, StateEncryptionService, generate_state_encryption_key,
};
pub use crate::state_store::{InMemoryStateStore, StateStore};

// Security configuration and initialisation.
pub use crate::security_config::{
    AuditLoggingSettings, ErrorSanitizationSettings, RateLimitingSettings,
    SecurityConfigFromSchema, StateEncryptionSettings,
};
pub use crate::security_init::{
    init_default_security_config, init_security_config, log_security_config,
    validate_security_config,
};

// Tokens: JWT validation/generation and JWKS caching.
pub use crate::jwks::{JwksCache, JwksError};
pub use crate::jwt::{Claims, JwtValidator, generate_hs256_token, generate_rs256_token};

// OAuth2 / OIDC clients and provider integrations.
pub use crate::oauth::{
    AuthorizationRequest, ExternalAuthProvider, IdTokenClaims, NonceParameter, OAuth2Client,
    OAuth2ClientConfig, OAuthAuditEvent, OAuthSession, OIDCClient, OIDCProviderConfig,
    PKCEChallenge, ProviderFailoverManager, ProviderRegistry, ProviderType, StateParameter,
    TokenRefreshScheduler, TokenRefreshWorker, TokenRefresher,
};
pub use crate::oidc_provider::OidcProvider;
pub use crate::oidc_server_client::{OidcEndpoints, OidcServerClient, OidcTokenResponse};
pub use crate::pkce::{ConsumedPkceState, PkceError, PkceStateStore};
pub use crate::provider::{OAuthProvider, PkceChallenge, TokenResponse, UserInfo};
pub use crate::providers::{AzureADOAuth, GitHubOAuth, GoogleOAuth, KeycloakOAuth, create_provider};

// HTTP surface: handlers, middleware, proxy settings and metrics.
pub use crate::handlers::{
    AuthCallbackQuery, AuthLogoutRequest, AuthRefreshRequest, AuthStartRequest, AuthState,
    auth_callback, auth_logout, auth_refresh, auth_start,
};
pub use crate::middleware::{AuthMiddleware, AuthenticatedUser};
pub use crate::monitoring::{AuthEvent, AuthMetrics, OperationTimer};
pub use crate::proxy::ProxyConfig;

// Sessions and authorization policy.
pub use crate::operation_rbac::{OperationPermission, RBACPolicy, Role};
pub use crate::session::{SessionData, SessionStore, TokenPair};
pub use crate::session_postgres::PostgresSessionStore;