reifydb_core/interface/
auth.rs

1// SPDX-License-Identifier: Apache-2.0
2// Copyright (c) 2025 ReifyDB
3
4use std::collections::HashMap;
5
6use reifydb_runtime::context::rng::Rng;
7use reifydb_type::Result;
8
/// Result of a single authentication step.
///
/// Authentication may complete in one step (password, API token) or require
/// multiple round-trips (challenge-response flows like wallet signing, WebAuthn).
///
/// Only [`AuthStep::Authenticated`] means the caller has been verified. Both
/// `Failed` and `Challenge` leave the caller unauthenticated.
// NOTE(review): the derived `Debug` prints the whole `Challenge` payload, so
// formatting an `AuthStep` with `{:?}` in a log line writes the challenge
// material to that log.
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthStep {
	/// Authentication succeeded.
	Authenticated,
	/// Credentials were invalid.
	// NOTE(review): `authenticate` returns `Result<AuthStep>`, so an `Err` is a
	// separate channel from this variant. Presumably `Err` reports an operational
	// fault rather than bad credentials; confirm callers deny access in both cases.
	Failed,
	/// The provider needs the client to respond to a challenge.
	/// The `payload` map contains provider-specific challenge material
	/// (e.g., a nonce for the client to sign).
	// NOTE(review): this map is presumably forwarded to the unauthenticated
	// client, so it should hold only public challenge data and nothing derived
	// from the stored credentials. Verify against the providers.
	Challenge {
		payload: HashMap<String, String>,
	},
}
26
/// A pluggable authentication method.
///
/// Each implementation handles one named method (see [`method`](Self::method)),
/// turns configuration into stored credentials, and later checks presented
/// credentials against them. Implementations must be `Send + Sync`.
pub trait AuthenticationProvider: Send + Sync {
	/// The method name this provider handles (e.g., "password", "token", "solana").
	fn method(&self) -> &str;

	/// Create stored credentials from configuration.
	/// Called during `CREATE AUTHENTICATION ... FOR USER ...`.
	/// The `rng` parameter provides deterministic randomness in test mode.
	///
	/// Returns the key/value map to keep as this user's stored credentials, or an
	/// error if they cannot be created from `config`.
	// NOTE(review): the returned map is what is kept at rest, so a provider for a
	// secret-based method should return a salted hash or verifier, not the secret
	// taken from `config`. This cannot be checked from the trait; review each
	// implementation.
	// NOTE(review): salts, tokens or nonces drawn from `rng` are predictable when
	// it is deterministic. Confirm the non-test `Rng` is cryptographically secure
	// and that test mode cannot be enabled in a production deployment.
	fn create(&self, rng: &Rng, config: &HashMap<String, String>) -> Result<HashMap<String, String>>;

	/// Authenticate a user given their stored credentials and the presented credentials.
	///
	/// For single-step methods (password, token), this returns `Authenticated` or `Failed`.
	/// For challenge-response methods, this may return `Challenge` with data the client
	/// must respond to, followed by a second call with the response.
	///
	/// `stored` is the map produced by [`create`](Self::create). `credentials` is
	/// what the client presented for this step.
	// NOTE(review): the signature carries no per-attempt state, so how the
	// challenge issued by the first call is bound to the second call is not
	// visible here. Confirm challenges are single-use and expire, so that a
	// previously observed response is rejected.
	// NOTE(review): implementations that compare secrets or digests should use a
	// constant-time comparison. Callers should treat `Err` like `Failed` and deny
	// access.
	fn authenticate(
		&self,
		stored: &HashMap<String, String>,
		credentials: &HashMap<String, String>,
	) -> Result<AuthStep>;
}