libauth_rs/middleware/

axum.rs

use crate::error::{AuthError, AuthResult};
use crate::traits::Authn;
use crate::types::{AuthProvider as AuthProviderType, AuthToken, UserContext};
use axum::{
    extract::{FromRequestParts, Request},
    http::{request::Parts, StatusCode},
    response::{IntoResponse, Response},
};
use std::collections::HashMap;
use std::sync::Arc;

/// Extension for accessing UserContext in handlers
#[derive(Debug, Clone)]
pub struct AuthExtension {
    pub user: UserContext,
    /// Reference to the provider that authenticated this user
    /// This allows for provider-specific authorization checks
    provider_index: usize,
}

impl AuthExtension {
    /// Get the user context
    pub fn user(&self) -> &UserContext {
        &self.user
    }

    /// Get mutable user context
    pub fn user_mut(&mut self) -> &mut UserContext {
        &mut self.user
    }
}

/// Authentication state that holds configured providers
#[derive(Clone)]
pub struct AuthState {
    providers: Arc<Vec<Box<dyn Authn>>>,
    required: bool,
    /// Optional mapping from issuer to provider type for issuer-based routing
    issuer_to_provider: Arc<Option<HashMap<String, AuthProviderType>>>,
}

impl AuthState {
    /// Create a new auth state with providers
    pub fn new(providers: Vec<Box<dyn Authn>>) -> Self {
        Self {
            providers: Arc::new(providers),
            required: false,
            issuer_to_provider: Arc::new(None),
        }
    }

    /// Set whether authentication is required (returns 401 if not authenticated)
    pub fn required(mut self, required: bool) -> Self {
        self.required = required;
        self
    }

    /// Set issuer-to-provider mapping for routing based on JWT issuer (iss) claim
    pub fn with_issuer_mapping(mut self, mapping: HashMap<String, AuthProviderType>) -> Self {
        self.issuer_to_provider = Arc::new(Some(mapping));
        self
    }

    /// Extract issuer (iss) from JWT token without full verification
    fn extract_issuer_from_token(&self, token: &str) -> Option<String> {
        use base64::Engine;

        let parts: Vec<&str> = token.split('.').collect();
        if parts.len() != 3 {
            return None;
        }

        // Decode payload (JWT part 1 is payload)
        let payload = base64::engine::general_purpose::URL_SAFE_NO_PAD
            .decode(parts[1])
            .ok()?;

        let payload: serde_json::Value = serde_json::from_slice(&payload).ok()?;

        // Extract issuer (iss) claim
        payload
            .get("iss")
            .and_then(|v| v.as_str())
            .map(|s| s.to_string())
    }

    /// Try to authenticate using issuer-based routing (fast path)
    ///
    /// Returns:
    /// - Some(Ok(...)) if issuer found and authentication succeeded
    /// - Some(Err(...)) if issuer found but authentication failed or issuer not in allowlist
    /// - None if issuer-based routing is not configured or token has no issuer
    async fn try_issuer_based_auth(
        &self,
        token: &AuthToken,
    ) -> Option<AuthResult<(UserContext, usize)>> {
        let issuer_map = self.issuer_to_provider.as_ref().as_ref()?;

        // Extract issuer from token - if no issuer, return None to fallback
        let issuer = match self.extract_issuer_from_token(&token.token) {
            Some(iss) => iss,
            None => return None, // Token has no issuer, use fallback
        };

        // Check if issuer is in our allowlist
        let target_provider_type = match issuer_map.get(&issuer) {
            Some(provider_type) => provider_type,
            None => {
                // Issuer-based routing IS configured and token HAS an issuer,
                // but issuer is NOT in allowlist - reject immediately for security
                tracing::warn!(
                    issuer = %issuer,
                    "Token rejected: issuer not in allowlist"
                );
                return Some(Err(AuthError::InvalidToken {
                    message: format!("Token issuer '{}' is not trusted", issuer),
                    provider: None,
                }));
            }
        };

        // Try authenticating with the first provider (issuer routing simplified)
        // Note: With the new trait system, we can't query provider_type anymore
        // so we just try to authenticate and see if it works
        for (index, provider) in self.providers.iter().enumerate() {
            tracing::debug!(
                issuer = %issuer,
                provider_index = index,
                "Attempting authentication via issuer-based routing"
            );
            match provider.authenticate(&token.token).await {
                Ok(user) => return Some(Ok((user, index))),
                Err(e) => {
                    tracing::debug!(
                        error = %e,
                        "Provider authentication failed, trying next"
                    );
                    continue;
                }
            }
        }

        tracing::error!(
            provider = ?target_provider_type,
            issuer = %issuer,
            "Provider not found for issuer - configuration error"
        );
        Some(Err(AuthError::ConfigurationError {
            message: format!("Provider for issuer '{}' not found", issuer),
        }))
    }

    /// Try to authenticate using all providers (fallback path)
    async fn try_fallback_auth(&self, token: &AuthToken) -> AuthResult<(UserContext, usize)> {
        tracing::debug!("Trying fallback authentication");

        for (index, provider) in self.providers.iter().enumerate() {
            tracing::debug!(
                provider_index = index,
                "Attempting authentication with provider"
            );
            match provider.authenticate(&token.token).await {
                Ok(user) => return Ok((user, index)),
                Err(e) => {
                    tracing::debug!(
                        provider_index = index,
                        error = %e,
                        "Provider authentication failed, trying next"
                    );
                    continue;
                }
            }
        }

        Err(AuthError::ProviderError(
            "No provider could handle the token".to_string(),
        ))
    }

    /// Try to authenticate a token using configured providers
    /// If issuer-based routing is configured, routes to the appropriate provider first
    /// Returns (UserContext, provider_index)
    async fn authenticate_token(&self, token: &AuthToken) -> AuthResult<(UserContext, usize)> {
        // Try issuer-based routing first if configured (fast path)
        if let Some(result) = self.try_issuer_based_auth(token).await {
            return result;
        }

        // Fallback: try all providers using can_handle
        self.try_fallback_auth(token).await
    }

    /// Get a provider by index (used for authorization checks)
    pub fn get_provider(&self, index: usize) -> Option<&dyn Authn> {
        self.providers.get(index).map(|p| p.as_ref())
    }
}

/// Tower Layer for authentication middleware
#[derive(Clone)]
pub struct AuthLayer {
    state: AuthState,
}

impl AuthLayer {
    /// Create a new auth layer with providers
    pub fn new(providers: Vec<Box<dyn Authn>>) -> Self {
        Self {
            state: AuthState::new(providers),
        }
    }

    /// Set whether authentication is required
    pub fn required(mut self, required: bool) -> Self {
        self.state = self.state.required(required);
        self
    }

    /// Set issuer-to-provider mapping for routing based on JWT issuer (iss) claim
    ///
    /// # Example
    /// ```rust,ignore
    /// let config = AuthConfig::default();
    /// let tenant_id = config.azure_tenant_id.as_ref().unwrap();
    ///
    /// let auth_layer = AuthLayer::new(providers)
    ///     .with_issuer_mapping(HashMap::from([
    ///         ("https://clerk.example.com".to_string(), AuthProvider::Clerk),
    ///         (format!("https://login.microsoftonline.com/{}/v2.0", tenant_id), AuthProvider::Msal),
    ///         (format!("https://sts.windows.net/{}/", tenant_id), AuthProvider::Msal),
    ///     ]));
    /// ```
    pub fn with_issuer_mapping(mut self, mapping: HashMap<String, AuthProviderType>) -> Self {
        self.state = self.state.with_issuer_mapping(mapping);
        self
    }

    /// Automatically build issuer mapping from the configured providers
    ///
    /// NOTE: This method is currently disabled with the new trait system.
    /// Use `with_issuer_mapping()` to manually configure issuer routing.
    ///
    /// # Example
    /// ```rust,ignore
    /// let auth_layer = AuthLayer::new(providers)
    ///     .with_issuer_mapping([
    ///         ("stytch.com/project-id".to_string(), AuthProviderType::Stytch),
    ///     ]);
    /// ```
    #[deprecated(
        note = "Auto issuer mapping not supported with new trait system. Use with_issuer_mapping() instead."
    )]
    pub fn with_auto_issuer_mapping(self) -> Self {
        tracing::warn!("with_auto_issuer_mapping() is deprecated and has no effect. Use with_issuer_mapping() instead.");
        self
    }

    /// Create AuthLayer from modern ProviderConfig enums
    ///
    /// This is the recommended way to configure authentication providers.
    ///
    /// # Example
    /// ```rust,ignore
    /// use libauth_rs::provider::Config;
    /// use libauth_rs::middleware::AuthLayer;
    ///
    /// let configs = vec![
    ///     Config::Stytch {
    ///         project_id: env::var("STYTCH_PROJECT_ID").unwrap(),
    ///         project_secret: env::var("STYTCH_SECRET").unwrap(),
    ///         m2m_client_id: None,
    ///         m2m_client_secret: None,
    ///     },
    /// ];
    ///
    /// let auth_layer = AuthLayer::from_configs(configs).await?;
    /// ```
    pub async fn from_configs(configs: Vec<crate::provider::Config>) -> AuthResult<Self> {
        let mut providers: Vec<Box<dyn Authn>> = Vec::new();

        for config in configs {
            Self::create_providers_from_config(config, &mut providers).await?;
        }

        Ok(Self::new(providers))
    }

    /// Helper to create providers from a single config
    async fn create_providers_from_config(
        config: crate::provider::Config,
        providers: &mut Vec<Box<dyn Authn>>,
    ) -> AuthResult<()> {
        match config {
            #[cfg(feature = "stytch")]
            crate::provider::Config::Stytch {
                project_id,
                project_secret,
                m2m_client_id,
                m2m_client_secret,
            } => {
                use crate::provider::{
                    Provider, StytchB2BM2MProvider, StytchConsumerM2MProvider,
                    StytchConsumerSessionProvider, StytchProvider,
                };

                let auth_config = Provider {
                    config: crate::provider::Config::Stytch {
                        project_id,
                        project_secret,
                        m2m_client_id,
                        m2m_client_secret,
                    },
                    ..Default::default()
                };

                // Instantiate all 4 Stytch providers
                providers.push(Box::new(StytchProvider::new(&auth_config).await?));
                providers.push(Box::new(StytchB2BM2MProvider::new(&auth_config).await?));
                providers.push(Box::new(
                    StytchConsumerSessionProvider::new(&auth_config).await?,
                ));
                providers.push(Box::new(
                    StytchConsumerM2MProvider::new(&auth_config).await?,
                ));
            }

            #[cfg(feature = "clerk")]
            crate::provider::Config::Clerk {
                publishable_key,
                secret_key,
            } => {
                use crate::provider::{ClerkProvider, Provider};

                let auth_config = Provider {
                    config: crate::provider::Config::Clerk {
                        publishable_key,
                        secret_key,
                    },
                    ..Default::default()
                };

                providers.push(Box::new(ClerkProvider::new(&auth_config).await?));
            }

            #[cfg(feature = "msal")]
            crate::provider::Config::Msal {
                tenant_id,
                client_id,
                client_secret,
            } => {
                use crate::provider::{MsalProvider, Provider};

                let auth_config = Provider {
                    config: crate::provider::Config::Msal {
                        tenant_id,
                        client_id,
                        client_secret,
                    },
                    ..Default::default()
                };

                providers.push(Box::new(MsalProvider::new(&auth_config).await?));
            }

            crate::provider::Config::None => {
                // Skip None variant
            }
        }

        Ok(())
    }
}

impl<S> tower_layer::Layer<S> for AuthLayer {
    type Service = AuthMiddleware<S>;

    fn layer(&self, inner: S) -> Self::Service {
        AuthMiddleware {
            inner,
            state: self.state.clone(),
        }
    }
}

/// Middleware service
#[derive(Clone)]
pub struct AuthMiddleware<S> {
    inner: S,
    state: AuthState,
}

impl<S> AuthMiddleware<S> {
    /// Extract and parse the Authorization header
    fn extract_auth_token(req: &Request) -> Result<Option<AuthToken>, AuthRejection> {
        let auth_header = req
            .headers()
            .get(axum::http::header::AUTHORIZATION)
            .and_then(|h| h.to_str().ok());

        match auth_header {
            Some(header_value) => {
                if let Some(token) = AuthToken::from_auth_header(header_value) {
                    Ok(Some(token))
                } else {
                    tracing::warn!("Malformed Authorization header");
                    Err(AuthRejection::MalformedHeader)
                }
            }
            None => Ok(None),
        }
    }

    /// Handle successful authentication
    fn handle_auth_success(
        user: UserContext,
        provider_index: usize,
        state: AuthState,
        req: &mut Request,
    ) {
        tracing::info!(
            user_id = %user.user_id,
            provider = %user.provider,
            "Authentication successful"
        );

        req.extensions_mut().insert(AuthExtension {
            user,
            provider_index,
        });
        req.extensions_mut().insert(state);
    }

    /// Handle authentication failure
    fn handle_auth_failure(error: &AuthError, required: bool) -> Option<Response> {
        tracing::warn!(
            error = %error,
            provider = ?error.provider(),
            "Authentication failed"
        );

        if required {
            Some(AuthRejection::InvalidToken.into_response())
        } else {
            None
        }
    }
}

impl<S> tower::Service<Request> for AuthMiddleware<S>
where
    S: tower::Service<Request, Response = Response> + Clone + Send + 'static,
    S::Future: Send + 'static,
{
    type Response = S::Response;
    type Error = S::Error;
    type Future = std::pin::Pin<
        Box<dyn std::future::Future<Output = Result<Self::Response, Self::Error>> + Send>,
    >;

    fn poll_ready(
        &mut self,
        cx: &mut std::task::Context<'_>,
    ) -> std::task::Poll<Result<(), Self::Error>> {
        self.inner.poll_ready(cx)
    }

    fn call(&mut self, mut req: Request) -> Self::Future {
        let clone = self.inner.clone();
        let mut inner = std::mem::replace(&mut self.inner, clone);
        let state = self.state.clone();

        Box::pin(async move {
            // Extract token from Authorization header
            let token_result = Self::extract_auth_token(&req);

            match token_result {
                Ok(Some(token)) => {
                    // Token present, attempt authentication
                    match state.authenticate_token(&token).await {
                        Ok((user, provider_index)) => {
                            Self::handle_auth_success(user, provider_index, state, &mut req);
                        }
                        Err(e) => {
                            if let Some(response) = Self::handle_auth_failure(&e, state.required) {
                                return Ok(response);
                            }
                        }
                    }
                }
                Ok(None) => {
                    // No token present
                    if state.required {
                        tracing::warn!("Missing Authorization header for protected endpoint");
                        return Ok(AuthRejection::MissingAuth.into_response());
                    }
                }
                Err(rejection) => {
                    // Malformed token
                    if state.required {
                        return Ok(rejection.into_response());
                    }
                }
            }

            inner.call(req).await
        })
    }
}

/// Extractor for UserContext from request
impl<S> FromRequestParts<S> for AuthExtension
where
    S: Send + Sync,
{
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        parts
            .extensions
            .get::<AuthExtension>()
            .cloned()
            .ok_or(AuthRejection::MissingAuth)
    }
}

/// Extractor for optional UserContext
pub struct OptionalAuth(pub Option<UserContext>);

impl<S> FromRequestParts<S> for OptionalAuth
where
    S: Send + Sync,
{
    type Rejection = std::convert::Infallible;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        Ok(OptionalAuth(
            parts
                .extensions
                .get::<AuthExtension>()
                .map(|ext| ext.user.clone()),
        ))
    }
}

/// Extractor for AuthContext with provider access
/// This allows handlers to perform provider-specific authorization checks
pub struct AuthContext {
    pub user: UserContext,
    state: AuthState,
    provider_index: usize,
}

impl AuthContext {
    /// Get the user context
    pub fn user(&self) -> &UserContext {
        &self.user
    }

    /// Check if user has a specific permission
    /// Uses the Authorizer trait to check permissions
    pub async fn check_permission(&self, permission: &str) -> AuthResult<bool> {
        if let Some(provider) = self.state.get_provider(self.provider_index) {
            match provider.authorize(&self.user, permission).await {
                Ok(()) => Ok(true),
                Err(AuthError::InsufficientPermissions(_)) => Ok(false),
                Err(e) => Err(e),
            }
        } else {
            Ok(false)
        }
    }

    /// Check if user has a specific role
    /// Checks the user's metadata for role information
    pub async fn check_role(&self, role: &str) -> AuthResult<bool> {
        Ok(self.user.has_role(role))
    }

    /// Get all user roles
    /// Extracts roles from user's metadata
    pub async fn get_roles(&self) -> AuthResult<Vec<String>> {
        Ok(self.user.get_roles())
    }

    /// Check if user belongs to a specific organization
    /// Checks the user's organization_id in metadata
    pub async fn check_organization(&self, org_id: &str) -> AuthResult<bool> {
        Ok(self.user.organization_id() == Some(org_id))
    }

    /// Require a specific permission or return 403 Forbidden
    pub async fn require_permission(&self, permission: &str) -> Result<(), StatusCode> {
        if self.check_permission(permission).await.unwrap_or(false) {
            Ok(())
        } else {
            Err(StatusCode::FORBIDDEN)
        }
    }

    /// Require a specific role or return 403 Forbidden
    pub async fn require_role(&self, role: &str) -> Result<(), StatusCode> {
        if self.check_role(role).await.unwrap_or(false) {
            Ok(())
        } else {
            Err(StatusCode::FORBIDDEN)
        }
    }
}

impl<S> FromRequestParts<S> for AuthContext
where
    S: Send + Sync,
{
    type Rejection = AuthRejection;

    async fn from_request_parts(parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
        let auth_ext = parts
            .extensions
            .get::<AuthExtension>()
            .ok_or(AuthRejection::MissingAuth)?;

        let state = parts
            .extensions
            .get::<AuthState>()
            .ok_or(AuthRejection::MissingAuth)?;

        Ok(AuthContext {
            user: auth_ext.user.clone(),
            state: state.clone(),
            provider_index: auth_ext.provider_index,
        })
    }
}

/// Rejection type for auth extraction
#[derive(Debug)]
pub enum AuthRejection {
    MissingAuth,
    InvalidToken,
    MalformedHeader,
}

impl IntoResponse for AuthRejection {
    fn into_response(self) -> Response {
        let (status, message) = match self {
            AuthRejection::MissingAuth => (StatusCode::UNAUTHORIZED, "Authentication required"),
            AuthRejection::InvalidToken => (StatusCode::UNAUTHORIZED, "Invalid or expired token"),
            AuthRejection::MalformedHeader => {
                (StatusCode::BAD_REQUEST, "Malformed Authorization header")
            }
        };

        (status, message).into_response()
    }
}

// Example usage documentation module
#[doc = r##"
# Example Usage

Using the authentication middleware in an Axum router:

```rust,ignore
use axum::{Router, routing::get, http::StatusCode};
use libauth_rs::middleware::{AuthLayer, AuthExtension, AuthContext};
use libauth_rs::provider::{Provider, ClerkProvider, MsalProvider};

#[tokio::main]
async fn main() {
    let config = Provider::default();

    // Create multiple providers
    let clerk = ClerkProvider::new(&config).await.unwrap();
    let msal = MsalProvider::new(&config).await.unwrap();

    // Create auth layer with automatic issuer-based routing
    let auth_layer = AuthLayer::new(vec![Box::new(clerk), Box::new(msal)])
        .with_auto_issuer_mapping() // Automatically route based on JWT issuer
        .required(false);

    let app = Router::new()
        .route("/public", get(public_handler))
        .route("/protected", get(protected_handler))
        .route("/admin", get(admin_handler))
        .layer(auth_layer);

    // Run your server...
}

// Public handler - no auth required
async fn public_handler(OptionalAuth(user): OptionalAuth) -> String {
    match user {
        Some(u) => format!("Hello, {}!", u.user_id),
        None => "Hello, anonymous!".to_string(),
    }
}

// Protected handler - auth required, basic user info
async fn protected_handler(AuthExtension { user, .. }: AuthExtension) -> String {
    format!("Welcome, {}!", user.user_id)
}

// Admin handler - auth required + role check using AuthContext
async fn admin_handler(auth: AuthContext) -> Result<String, StatusCode> {
    // Use provider-specific authorization
    auth.require_role("admin").await?;

    let roles = auth.get_roles().await.unwrap_or_default();
    Ok(format!("Admin access granted! Your roles: {:?}", roles))
}

// Per-provider routers example
async fn setup_per_provider_routers() -> Router {
    let config = Provider::default();
    let clerk = ClerkProvider::new(&config).await.unwrap();
    let msal = MsalProvider::new(&config).await.unwrap();

    // Clerk-specific routes
    let clerk_router = Router::new()
        .route("/org/:org_id/members", get(clerk_org_members))
        .layer(AuthLayer::new(vec![Box::new(clerk)]).required(true));

    // MSAL-specific routes
    let msal_router = Router::new()
        .route("/azure/groups", get(msal_groups))
        .layer(AuthLayer::new(vec![Box::new(msal)]).required(true));

    // Combine routers
    Router::new()
        .nest("/clerk", clerk_router)
        .nest("/msal", msal_router)
}
```
"##]
pub(crate) mod _example {}