libauth_rs/middleware/

axum.rs

use crate::error::{AuthError, AuthResult};
use crate::providers::AuthProvider;
use crate::types::{AuthProvider as AuthProviderType, AuthToken, UserContext};
use axum::{
    extract::{FromRequestParts, Request},
    http::{request::Parts, StatusCode},
    response::{IntoResponse, Response},
};
use std::collections::HashMap;
use std::sync::Arc;

/// Extension for accessing UserContext in handlers
#[derive(Debug, Clone)]
pub struct AuthExtension {
    pub user: UserContext,
    /// Reference to the provider that authenticated this user
    /// This allows for provider-specific authorization checks
    provider_index: usize,
}

impl AuthExtension {
    /// Get the user context
    pub fn user(&self) -> &UserContext {
        &self.user
    }

    /// Get mutable user context
    pub fn user_mut(&mut self) -> &mut UserContext {
        &mut self.user
    }
}

/// Authentication state that holds configured providers
#[derive(Clone)]
pub struct AuthState {
    providers: Arc<Vec<Box<dyn AuthProvider>>>,
    required: bool,
    /// Optional mapping from issuer to provider type for issuer-based routing
    issuer_to_provider: Arc<Option<HashMap<String, AuthProviderType>>>,
}

impl AuthState {
    /// Create a new auth state with providers
    pub fn new(providers: Vec<Box<dyn AuthProvider>>) -> Self {
        Self {
            providers: Arc::new(providers),
            required: false,
            issuer_to_provider: Arc::new(None),
        }
    }

    /// Set whether authentication is required (returns 401 if not authenticated)
    pub fn required(mut self, required: bool) -> Self {
        self.required = required;
        self
    }

    /// Set issuer-to-provider mapping for routing based on JWT issuer (iss) claim
    pub fn with_issuer_mapping(mut self, mapping: HashMap<String, AuthProviderType>) -> Self {
        self.issuer_to_provider = Arc::new(Some(mapping));
        self
    }

    /// Extract issuer (iss) from JWT token without full verification
    fn extract_issuer_from_token(&self, token: &str) -> Option<String> {
        use base64::Engine;

        let parts: Vec<&str> = token.split('.').collect();
        if parts.len() != 3 {
            return None;
        }

        // Decode payload
        let payload = base64::engine::general_purpose::URL_SAFE_NO_PAD
            .decode(parts[1])
            .ok()?;

        let payload: serde_json::Value = serde_json::from_slice(&payload).ok()?;

        // Extract issuer (iss) claim
        payload
            .get("iss")
            .and_then(|v| v.as_str())
            .map(|s| s.to_string())
    }

    /// Try to authenticate a token using configured providers
    /// If issuer-based routing is configured, routes to the appropriate provider first
    /// Returns (UserContext, provider_index)
    async fn authenticate_token(&self, token: &AuthToken) -> AuthResult<(UserContext, usize)> {
        // Try issuer-based routing first if configured
        if let Some(ref issuer_map) = *self.issuer_to_provider {
            if let Some(issuer) = self.extract_issuer_from_token(&token.token) {
                if let Some(target_provider_type) = issuer_map.get(&issuer) {
                    // Find the provider that matches the target type
                    for (index, provider) in self.providers.iter().enumerate() {
                        if provider.provider_type() == *target_provider_type {
                            tracing::debug!(
                                "Routing to provider {:?} based on issuer: {}",
                                target_provider_type,
                                issuer
                            );
                            let user = provider.authenticate(token).await?;
                            return Ok((user, index));
                        }
                    }
                    tracing::warn!(
                        "Provider {:?} not found for issuer: {}",
                        target_provider_type,
                        issuer
                    );
                }
            }
        }

        // Fallback: try all providers using can_handle
        for (index, provider) in self.providers.iter().enumerate() {
            if provider.can_handle(token).await {
                let user = provider.authenticate(token).await?;
                return Ok((user, index));
            }
        }

        Err(AuthError::ProviderError(
            "No provider could handle the token".to_string(),
        ))
    }

    /// Get a provider by index (used for authorization checks)
    pub fn get_provider(&self, index: usize) -> Option<&dyn AuthProvider> {
        self.providers.get(index).map(|p| p.as_ref())
    }
}

/// Tower Layer for authentication middleware
#[derive(Clone)]
pub struct AuthLayer {
    state: AuthState,
}

impl AuthLayer {
    /// Create a new auth layer with providers
    pub fn new(providers: Vec<Box<dyn AuthProvider>>) -> Self {
        Self {
            state: AuthState::new(providers),
        }
    }

    /// Set whether authentication is required
    pub fn required(mut self, required: bool) -> Self {
        self.state = self.state.required(required);
        self
    }

    /// Set issuer-to-provider mapping for routing based on JWT issuer (iss) claim
    ///
    /// # Example
    /// ```rust,ignore
    /// let config = AuthConfig::default();
    /// let tenant_id = config.azure_tenant_id.as_ref().unwrap();
    ///
    /// let auth_layer = AuthLayer::new(providers)
    ///     .with_issuer_mapping(HashMap::from([
    ///         ("https://clerk.example.com".to_string(), AuthProvider::Clerk),
    ///         (format!("https://login.microsoftonline.com/{}/v2.0", tenant_id), AuthProvider::Msal),
    ///         (format!("https://sts.windows.net/{}/", tenant_id), AuthProvider::Msal),
    ///     ]));
    /// ```
    pub fn with_issuer_mapping(mut self, mapping: HashMap<String, AuthProviderType>) -> Self {
        self.state = self.state.with_issuer_mapping(mapping);
        self
    }

    /// Automatically build issuer mapping from the configured providers
    /// This uses each provider's `expected_issuers()` method to build the mapping
    ///
    /// # Example
    /// ```rust,ignore
    /// let auth_layer = AuthLayer::new(providers)
    ///     .with_auto_issuer_mapping(); // Automatically maps based on provider config
    /// ```
    pub fn with_auto_issuer_mapping(mut self) -> Self {
        let mut mapping = HashMap::new();

        for provider in self.state.providers.iter() {
            let provider_type = provider.provider_type();
            for issuer in provider.expected_issuers() {
                mapping.insert(issuer, provider_type);
            }
        }

        if !mapping.is_empty() {
            self.state = self.state.with_issuer_mapping(mapping);
        }

        self
    }
}

impl<S> tower_layer::Layer<S> for AuthLayer {
    type Service = AuthMiddleware<S>;

    fn layer(&self, inner: S) -> Self::Service {
        AuthMiddleware {
            inner,
            state: self.state.clone(),
        }
    }
}

/// Middleware service
#[derive(Clone)]
pub struct AuthMiddleware<S> {
    inner: S,
    state: AuthState,
}

impl<S> tower::Service<Request> for AuthMiddleware<S>
where
    S: tower::Service<Request, Response = Response> + Clone + Send + 'static,
    S::Future: Send + 'static,
{
    type Response = S::Response;
    type Error = S::Error;
    type Future = std::pin::Pin<
        Box<dyn std::future::Future<Output = Result<Self::Response, Self::Error>> + Send>,
    >;

    fn poll_ready(
        &mut self,
        cx: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Result<(), Self::Error>> {
        self.inner.poll_ready(cx)
    }

    fn call(&mut self, mut req: Request) -> Self::Future {
        let clone = self.inner.clone();
        let mut inner = std::mem::replace(&mut self.inner, clone);
        let state = self.state.clone();

        Box::pin(async move {
            // Try to extract token from Authorization header
            let auth_header = req
                .headers()
                .get(axum::http::header::AUTHORIZATION)
                .and_then(|h| h.to_str().ok());

            let auth_result = if let Some(header_value) = auth_header {
                if let Some(token) = AuthToken::from_auth_header(header_value) {
                    match state.authenticate_token(&token).await {
                        Ok((user, provider_index)) => {
                            // Security: Log successful authentication
                            tracing::info!(
                                user_id = %user.user_id,
                                provider = %user.provider,
                                "Authentication successful"
                            );
                            Some((user, provider_index))
                        }
                        Err(e) => {
                            // Security: Log failed authentication attempt
                            tracing::warn!(
                                error = %e,
                                provider = ?e.provider(),
                                "Authentication failed"
                            );
                            if state.required {
                                return Ok(StatusCode::UNAUTHORIZED.into_response());
                            }
                            None
                        }
                    }
                } else {
                    // Security: Log malformed auth header
                    tracing::warn!("Malformed Authorization header");
                    if state.required {
                        return Ok(StatusCode::UNAUTHORIZED.into_response());
                    }
                    None
                }
            } else {
                // Security: Log missing auth when required
                if state.required {
                    tracing::warn!("Missing Authorization header for protected endpoint");
                    return Ok(StatusCode::UNAUTHORIZED.into_response());
                }
                None
            };

            // Insert user context into request extensions if authenticated
            if let Some((user, provider_index)) = auth_result {
                req.extensions_mut().insert(AuthExtension {
                    user,
                    provider_index,
                });
                req.extensions_mut().insert(state.clone());
            }

            inner.call(req).await
        })
    }
}

/// Extractor for UserContext from request
impl<S> FromRequestParts<S> for AuthExtension
where
    S: Send + Sync,
{
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        parts
            .extensions
            .get::<AuthExtension>()
            .cloned()
            .ok_or(AuthRejection::MissingAuth)
    }
}

/// Extractor for optional UserContext
pub struct OptionalAuth(pub Option<UserContext>);

impl<S> FromRequestParts<S> for OptionalAuth
where
    S: Send + Sync,
{
    type Rejection = std::convert::Infallible;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        Ok(OptionalAuth(
            parts
                .extensions
                .get::<AuthExtension>()
                .map(|ext| ext.user.clone()),
        ))
    }
}

/// Extractor for AuthContext with provider access
/// This allows handlers to perform provider-specific authorization checks
pub struct AuthContext {
    pub user: UserContext,
    state: AuthState,
    provider_index: usize,
}

impl AuthContext {
    /// Get the user context
    pub fn user(&self) -> &UserContext {
        &self.user
    }

    /// Check if user has a specific permission (provider-specific)
    pub async fn check_permission(&self, permission: &str) -> AuthResult<bool> {
        if let Some(provider) = self.state.get_provider(self.provider_index) {
            provider.check_permission(&self.user, permission).await
        } else {
            Ok(false)
        }
    }

    /// Check if user has a specific role (provider-specific)
    pub async fn check_role(&self, role: &str) -> AuthResult<bool> {
        if let Some(provider) = self.state.get_provider(self.provider_index) {
            provider.check_role(&self.user, role).await
        } else {
            Ok(false)
        }
    }

    /// Get all user roles (provider-specific)
    pub async fn get_roles(&self) -> AuthResult<Vec<String>> {
        if let Some(provider) = self.state.get_provider(self.provider_index) {
            provider.get_user_roles(&self.user).await
        } else {
            Ok(vec![])
        }
    }

    /// Check if user belongs to a specific organization (provider-specific)
    pub async fn check_organization(&self, org_id: &str) -> AuthResult<bool> {
        if let Some(provider) = self.state.get_provider(self.provider_index) {
            provider.check_organization(&self.user, org_id).await
        } else {
            Ok(false)
        }
    }

    /// Require a specific permission or return 403 Forbidden
    pub async fn require_permission(&self, permission: &str) -> Result<(), StatusCode> {
        if self.check_permission(permission).await.unwrap_or(false) {
            Ok(())
        } else {
            Err(StatusCode::FORBIDDEN)
        }
    }

    /// Require a specific role or return 403 Forbidden
    pub async fn require_role(&self, role: &str) -> Result<(), StatusCode> {
        if self.check_role(role).await.unwrap_or(false) {
            Ok(())
        } else {
            Err(StatusCode::FORBIDDEN)
        }
    }
}

impl<S> FromRequestParts<S> for AuthContext
where
    S: Send + Sync,
{
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let auth_ext = parts
            .extensions
            .get::<AuthExtension>()
            .ok_or(AuthRejection::MissingAuth)?;

        let state = parts
            .extensions
            .get::<AuthState>()
            .ok_or(AuthRejection::MissingAuth)?;

        Ok(AuthContext {
            user: auth_ext.user.clone(),
            state: state.clone(),
            provider_index: auth_ext.provider_index,
        })
    }
}

/// Rejection type for auth extraction
#[derive(Debug)]
pub enum AuthRejection {
    MissingAuth,
}

impl IntoResponse for AuthRejection {
    fn into_response(self) -> Response {
        let (status, message) = match self {
            AuthRejection::MissingAuth => (StatusCode::UNAUTHORIZED, "Authentication required"),
        };

        (status, message).into_response()
    }
}

// Example usage documentation module
#[doc = r##"
# Example Usage

Using the authentication middleware in an Axum router:

```rust,ignore
use axum::{Router, routing::get, http::StatusCode};
use libauth_rs::middleware::{AuthLayer, AuthExtension, AuthContext};
use libauth_rs::providers::{AuthConfig, ClerkProvider, MsalProvider};

#[tokio::main]
async fn main() {
    let config = AuthConfig::default();

    // Create multiple providers
    let clerk = ClerkProvider::new(&config).await.unwrap();
    let msal = MsalProvider::new(&config).await.unwrap();

    // Create auth layer with automatic issuer-based routing
    let auth_layer = AuthLayer::new(vec![Box::new(clerk), Box::new(msal)])
        .with_auto_issuer_mapping() // Automatically route based on JWT issuer
        .required(false);

    let app = Router::new()
        .route("/public", get(public_handler))
        .route("/protected", get(protected_handler))
        .route("/admin", get(admin_handler))
        .layer(auth_layer);

    // Run your server...
}

// Public handler - no auth required
async fn public_handler(OptionalAuth(user): OptionalAuth) -> String {
    match user {
        Some(u) => format!("Hello, {}!", u.user_id),
        None => "Hello, anonymous!".to_string(),
    }
}

// Protected handler - auth required, basic user info
async fn protected_handler(AuthExtension { user, .. }: AuthExtension) -> String {
    format!("Welcome, {}!", user.user_id)
}

// Admin handler - auth required + role check using AuthContext
async fn admin_handler(auth: AuthContext) -> Result<String, StatusCode> {
    // Use provider-specific authorization
    auth.require_role("admin").await?;

    let roles = auth.get_roles().await.unwrap_or_default();
    Ok(format!("Admin access granted! Your roles: {:?}", roles))
}

// Per-provider routers example
async fn setup_per_provider_routers() -> Router {
    let config = AuthConfig::default();
    let clerk = ClerkProvider::new(&config).await.unwrap();
    let msal = MsalProvider::new(&config).await.unwrap();

    // Clerk-specific routes
    let clerk_router = Router::new()
        .route("/org/:org_id/members", get(clerk_org_members))
        .layer(AuthLayer::new(vec![Box::new(clerk)]).required(true));

    // MSAL-specific routes
    let msal_router = Router::new()
        .route("/azure/groups", get(msal_groups))
        .layer(AuthLayer::new(vec![Box::new(msal)]).required(true));

    // Combine routers
    Router::new()
        .nest("/clerk", clerk_router)
        .nest("/msal", msal_router)
}
```
"##]
pub(crate) mod _example {}