
reifydb_auth/
lib.rs

1// SPDX-License-Identifier: AGPL-3.0-or-later
2// Copyright (c) 2026 ReifyDB
3
4//! Authentication: turning a wire-level credential into a verified `IdentityId` the rest of the system can attach
5//! to a transaction. The crate owns the registry of supported authentication methods, the challenge-response state
6//! machine for methods that need it, and the service handle the server tiers route incoming sessions through.
7//!
8//! Authorisation - what an identity is allowed to do once authenticated - is not in this crate; that is the policy
9//! engine's responsibility. The split exists so a deployment can swap out authentication methods (token, password,
10//! external IDP) without touching the policy enforcement path.
11//!
12//! Invariant: a successful authentication produces an `IdentityId` that resolves through the catalog to a real,
13//! non-revoked identity. Anything that mints an `IdentityId` outside this crate (test fixtures aside) bypasses
14//! revocation and method requirements and is a security regression.
15
16#![cfg_attr(not(debug_assertions), deny(clippy::disallowed_methods))]
17#![cfg_attr(debug_assertions, warn(clippy::disallowed_methods))]
18#![cfg_attr(not(debug_assertions), deny(warnings))]
19#![allow(clippy::tabs_in_doc_comments)]
20extern crate core;
21
22use reifydb_core::interface::version::{ComponentType, HasVersion, SystemVersion};
23
24pub mod challenge;
25pub mod error;
26pub mod method;
27pub mod registry;
28pub mod service;
29
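/// Marker type that reports this crate's build-time version metadata through [`HasVersion`].
pub struct AuthVersion;

impl HasVersion for AuthVersion {
	/// Builds the [`SystemVersion`] record for this crate from Cargo's compile-time environment.
	///
	/// The component name is the package name with a leading `reifydb-` removed; if the package
	/// name does not carry that prefix it is used unchanged.
	fn version(&self) -> SystemVersion {
		// `env!` is expanded at compile time, so the package name is a string constant that can
		// be bound once and reused for both the stripped and the fallback form.
		let package = env!("CARGO_PKG_NAME");
		SystemVersion {
			name: package.strip_prefix("reifydb-").unwrap_or(package).to_string(),
			version: env!("CARGO_PKG_VERSION").to_string(),
			// Authentication only: the crate-level docs place authorisation in the policy
			// engine, so the component description must not advertise it for this crate.
			description: "Authentication module".to_string(),
			r#type: ComponentType::Module,
		}
	}
}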