
re_auth/
lib.rs

1//! Basic authentication helpers for Rerun.
2//!
3//! Currently, this crate provides a simple [`Jwt`]-based authentication scheme on
4//! top of a rudimentary [`RedapProvider`] that uses a symmetric key to _both_
5//! generate and sign tokens.
6//!
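//! **Warning!** This approach should only be seen as a stop-gap until we have
//! integration of _real_ identity-providers, most likely based on `OpenID` Connect.
//! With a symmetric key, whoever holds the key needed to verify a token can also
//! sign new ones, so the key has to be protected like a signing secret.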
9
10#[cfg(not(target_arch = "wasm32"))]
11mod crypto_provider;
12
13#[cfg(not(target_arch = "wasm32"))]
14mod error;
15
16#[cfg(not(target_arch = "wasm32"))]
17mod provider;
18
19mod service;
20mod token;
21
/// Rerun Cloud permissions
///
/// The serialized form of `Read` and `ReadWrite` is the string given by the variant's
/// `rename`; any other string deserializes into [`Permission::Unknown`] rather than failing.
#[derive(Debug, Clone, PartialEq, Eq, serde::Serialize, serde::Deserialize)]
pub enum Permission {
    /// User can read data.
    #[serde(rename = "read")]
    Read,

    /// User can both read and write data.
    #[serde(rename = "read-write")]
    ReadWrite,

    // NOTE(review): code that authorizes on this enum should presumably treat `Unknown` as
    // granting nothing, i.e. match `Read`/`ReadWrite` explicitly and never allow through a
    // wildcard arm. Confirm at the use sites, which are not visible in this file.
    /// Catch-all for a permission string that is neither `"read"` nor `"read-write"`.
    ///
    /// The variant is `untagged`, so deserialization stores the unrecognised string here
    /// instead of returning an error.
    #[serde(untagged)]
    Unknown(String),
}
36
/// Error returned by `Permission`'s [`std::str::FromStr`] implementation when the input is
/// not one of the accepted permission strings.
///
/// The message is fixed and does not include the rejected input.
#[derive(Debug, thiserror::Error)]
#[error("invalid permission")]
pub struct InvalidPermission;
40
impl std::str::FromStr for Permission {
    type Err = InvalidPermission;

    /// Parses a permission from its exact, case-sensitive string form.
    ///
    /// Only `"read"` and `"read-write"` are accepted. Unlike serde deserialization of
    /// [`Permission`], this never produces `Permission::Unknown`.
    ///
    /// # Errors
    ///
    /// Returns [`InvalidPermission`] for every other input, including the empty string.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let permission = match s {
            "read" => Self::Read,
            "read-write" => Self::ReadWrite,
            // Strict by design of this impl: unrecognised text is rejected, not preserved.
            _ => return Err(InvalidPermission),
        };
        Ok(permission)
    }
}
52
53pub mod credentials;
54
55#[cfg(all(feature = "cli", feature = "oauth", not(target_arch = "wasm32")))]
56pub mod cli;
57
58#[cfg(feature = "oauth")]
59pub mod oauth;
60
61#[cfg(all(feature = "oauth", not(target_arch = "wasm32")))]
62pub mod callback_server;
63
64#[cfg(not(target_arch = "wasm32"))]
65pub use error::Error;
66#[cfg(all(feature = "oauth", not(target_arch = "wasm32")))]
67pub use oauth::login_flow::{DeviceCodeFlow, OauthLoginFlow};
68#[cfg(not(target_arch = "wasm32"))]
69pub use provider::{Claims, RedapProvider, SecretKey, VerificationOptions};
70pub use service::client;
71#[cfg(not(target_arch = "wasm32"))]
72pub use service::server;
73pub use token::{
74    DEFAULT_ALLOWED_HOSTS, HostMismatchError, INSECURE_SKIP_HOST_CHECK_ENV, Jwt, JwtDecodeError,
75    TokenError, host_matches_pattern, token_allowed_for_host,
76};
77
// NOTE(review): per the docs below, both cases carry the same `Unauthenticated` status code,
// so the message text is the only thing that tells "malformed" apart from "missing".
// Presumably callers compare against these constants, so confirm before changing either string.

/// The error message in Tonic's gRPC status when the token is malformed or invalid in some way.
///
/// The associated status code will always be `Unauthenticated`.
pub const ERROR_MESSAGE_MALFORMED_CREDENTIALS: &str = "malformed auth token";

/// The error message in Tonic's gRPC status when no token was found.
///
/// The associated status code will always be `Unauthenticated`.
pub const ERROR_MESSAGE_MISSING_CREDENTIALS: &str = "missing credentials";
87
88mod wasm_compat;