
re_auth/
lib.rs

//! Basic authentication helpers for Rerun.
//!
//! Currently, this crate provides a simple [`Jwt`]-based authentication scheme on
//! top of a rudimentary [`RedapProvider`] that uses a symmetric key to _both_
//! generate and sign tokens. Because the key is symmetric, any party that holds
//! it in order to verify tokens can also mint them.
//!
//! **Warning!** This approach should only be seen as a stop-gap until _real_
//! identity providers are integrated, most likely based on `OpenID` Connect.
9
10#[cfg(not(target_arch = "wasm32"))]
11mod crypto_provider;
12
13#[cfg(not(target_arch = "wasm32"))]
14mod error;
15
16#[cfg(not(target_arch = "wasm32"))]
17mod provider;
18
19mod claims;
20mod service;
21mod token;
22
/// Permission levels used by Rerun Hub.
///
/// The serialized form of the two known levels is the plain string given in
/// the `rename` attribute: `"read"` or `"read-write"`.
#[derive(Debug, Clone, PartialEq, Eq)]
#[derive(serde::Serialize, serde::Deserialize)]
pub enum Permission {
    /// The user may read data.
    #[serde(rename = "read")]
    Read,

    /// The user may read and write data.
    #[serde(rename = "read-write")]
    ReadWrite,

    /// Catch-all for a permission string other than the two above.
    ///
    /// The variant is `#[serde(untagged)]`, so deserializing an unrecognized
    /// string yields `Unknown` holding that string instead of an error. The
    /// `FromStr` impl for this type is stricter and rejects such strings.
    ///
    /// NOTE(review): code that makes access decisions should presumably match
    /// on `Read` / `ReadWrite` explicitly and treat `Unknown` as granting
    /// nothing — confirm against the callers.
    #[serde(untagged)]
    Unknown(String),
}
37
/// Error produced when a string does not name a known [`Permission`].
///
/// It is the `Err` type of `Permission`'s `FromStr` impl. The rejected input is
/// not carried along; the display text is the fixed string `invalid permission`.
#[derive(Debug, thiserror::Error)]
#[error("invalid permission")]
pub struct InvalidPermission;
41
impl std::str::FromStr for Permission {
    type Err = InvalidPermission;

    /// Parses the exact, case-sensitive strings `"read"` and `"read-write"`.
    ///
    /// This never produces [`Permission::Unknown`]: every other input,
    /// including the empty string, is rejected.
    ///
    /// # Errors
    ///
    /// Returns [`InvalidPermission`] when `s` is not one of the two known
    /// permission strings.
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        let permission = match s {
            "read" => Self::Read,
            "read-write" => Self::ReadWrite,
            // Strict on purpose here: no fallback variant, the caller gets an error.
            _ => return Err(InvalidPermission),
        };

        Ok(permission)
    }
}
53
54pub mod credentials;
55
56#[cfg(all(feature = "cli", feature = "oauth", not(target_arch = "wasm32")))]
57pub mod cli;
58
59#[cfg(feature = "oauth")]
60pub mod oauth;
61
62#[cfg(all(feature = "oauth", not(target_arch = "wasm32")))]
63pub mod callback_server;
64
65pub use claims::{Claims, RedapClaims};
66#[cfg(not(target_arch = "wasm32"))]
67pub use error::Error;
68#[cfg(all(feature = "oauth", not(target_arch = "wasm32")))]
69pub use oauth::login_flow::{DeviceCodeFlow, OauthLoginFlow};
70#[cfg(not(target_arch = "wasm32"))]
71pub use provider::{RedapProvider, SecretKey, VerificationOptions};
72pub use service::client;
73#[cfg(not(target_arch = "wasm32"))]
74pub use service::server;
75pub use token::{
76    DEFAULT_ALLOWED_HOSTS, HostMismatchError, INSECURE_SKIP_HOST_CHECK_ENV, Jwt, JwtDecodeError,
77    TokenError, host_matches_pattern, token_allowed_for_host,
78};
79
/// Message carried in Tonic's gRPC status when a token was supplied but is
/// malformed or otherwise invalid.
///
/// The status code that accompanies it is always `Unauthenticated`.
pub const ERROR_MESSAGE_MALFORMED_CREDENTIALS: &str = "malformed auth token";

/// Message carried in Tonic's gRPC status when no token was found at all.
///
/// The status code that accompanies it is always `Unauthenticated`.
pub const ERROR_MESSAGE_MISSING_CREDENTIALS: &str = "missing credentials";
89
90mod wasm_compat;