§Reinhardt Auth
Authentication and authorization system for the Reinhardt framework.
§Features
- DjangoModelPermissions: Django-style model permissions with app_label.action_model format
- DjangoModelPermissionsOrAnonReadOnly: Anonymous read access for unauthenticated users
- Object-Level Permissions: Fine-grained access control on individual objects
- User Management: CRUD operations for users with password hashing
- Group Management: User groups and permission assignment
- REST API Authentication: Multiple authentication backends (JWT, Token, Session, OAuth2)
- Standard Permissions: Permission classes for common authorization scenarios
- createsuperuser Command: CLI tool for creating admin users
§Quick Start
```rust
use reinhardt_auth::core::{IsAuthenticated, PermissionContext};

// Check if a permission is satisfied
let permission = IsAuthenticated;
// In actual usage, you would pass a real request context
let _ = permission; // permission classes implement PermissionClass trait
```
§Architecture
Key modules in this crate:
- core: Authentication traits, user types, permission classes, and password hashing
- sessions: Session backends (JWT, database, Redis, cookie, file)
- current_user: Dependency-injectable CurrentUser extractor
- social (feature-gated): OAuth2/OpenID Connect social authentication providers
- user_management: CRUD operations for users and groups
§Feature Flags
| Feature | Default | Description |
|---|---|---|
| params | enabled | CurrentUser parameter extraction via DI |
| jwt | disabled | JWT-based authentication backend |
| sessions | disabled | Session-based authentication |
| oauth | disabled | OAuth2 authorization code flow |
| token | disabled | Token-based authentication |
| argon2-hasher | disabled | Argon2 password hashing (alternative to bcrypt) |
| social | disabled | Social authentication (OAuth2/OIDC providers) |
| database | disabled | Database-backed user/group storage via ORM |
§Security Note: Client-Side vs Server-Side Checks
Authentication state exposed via reinhardt_http::AuthState (e.g.,
is_authenticated(), is_admin()) is populated by server-side
middleware and stored in request extensions. When this state is
forwarded to client-side code (e.g., via WASM or JSON responses),
it must only be used for UI display purposes (showing/hiding
elements). All authorization decisions must be enforced server-side
through middleware and permission classes provided by this crate.
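The rule above as an added, standard-library-only example (not reinhardt's own code): `ServerAuthState`, `Request`, `auth_middleware`, the check functions and the session tokens are hypothetical stand-ins. It contrasts a check that trusts a client-forwarded flag with one that reads only the state the middleware stored.

```rust
use std::collections::HashMap;

/// Hypothetical stand-in for server-side auth state (not reinhardt's `AuthState`).
#[derive(Clone, Copy, Default)]
pub struct ServerAuthState { pub authenticated: bool, pub admin: bool }

/// Constructed request type; `client_claims` is data echoed back by the browser/WASM side.
pub struct Request {
    pub session_token: Option<String>,
    pub client_claims: HashMap<String, String>,
    pub extensions: Option<ServerAuthState>, // filled by middleware only
}

/// Middleware: derive auth state from the server-side session store, nothing else.
pub fn auth_middleware(req: &mut Request, sessions: &HashMap<String, ServerAuthState>) {
    let state = req.session_token.as_ref().and_then(|t| sessions.get(t)).copied();
    req.extensions = Some(state.unwrap_or_default()); // unknown token => anonymous
}

/// Weak check: trusts a flag the client can set to anything.
pub fn is_admin_from_client(req: &Request) -> bool {
    req.client_claims.get("is_admin").map(String::as_str) == Some("true")
}

/// Enforced check: reads only what the middleware stored in request extensions.
pub fn is_admin_from_server(req: &Request) -> bool {
    matches!(req.extensions, Some(s) if s.authenticated && s.admin)
}

/// Runs one constructed request through the middleware; returns (weak, enforced) statuses.
pub fn handle(token: Option<&str>, claims: &[(&str, &str)]) -> (u16, u16) {
    let mut sessions = HashMap::new();
    sessions.insert("tok-admin".to_string(), ServerAuthState { authenticated: true, admin: true });
    sessions.insert("tok-user".to_string(), ServerAuthState { authenticated: true, admin: false });
    let mut req = Request {
        session_token: token.map(String::from),
        client_claims: claims.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect(),
        extensions: None,
    };
    auth_middleware(&mut req, &sessions);
    let status = |allowed: bool| if allowed { 204 } else { 403 };
    (status(is_admin_from_client(&req)), status(is_admin_from_server(&req)))
}

fn main() {
    // Ordinary user sending the display flag: weak check allows, enforced check denies.
    println!("{:?}", handle(Some("tok-user"), &[("is_admin", "true")]));
    println!("{:?}", handle(Some("tok-admin"), &[]));
}
```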
Re-exports§
- pub use current_user::CurrentUser; Deprecated
- pub use auth_info::AuthInfo;
- pub use auth_user::AuthUser;
- pub use auth_extractors::validate_auth_extractors;
- pub use core::AllowAny;
- pub use core::AnonymousUser;
- pub use core::AuthBackend;
- pub use core::AuthIdentity;
- pub use core::BaseUser;
- pub use core::CompositeAuthBackend;
- pub use core::FullUser;
- pub use core::IsActiveUser;
- pub use core::IsAdminUser;
- pub use core::IsAuthenticated;
- pub use core::IsAuthenticatedOrReadOnly;
- pub use core::PasswordHasher;
- pub use core::Permission;
- pub use core::PermissionContext;
- pub use core::PermissionsMixin;
- pub use core::SimpleUser;
- pub use core::User; Deprecated
- pub use core::permission_operators;
- pub use repository::SimpleUserRepository;
- pub use repository::UserRepository;
- pub use advanced_permissions::ObjectPermission as AdvancedObjectPermission;
- pub use advanced_permissions::RoleBasedPermission;
- pub use base_user_manager::BaseUserManager;
- pub use basic::BasicAuthentication as HttpBasicAuth;
- pub use group_management::CreateGroupData;
- pub use group_management::Group;
- pub use group_management::GroupManagementError;
- pub use group_management::GroupManagementResult;
- pub use group_management::GroupManager;
- pub use group_management::get_group_manager;
- pub use group_management::register_group_manager;
- pub use ip_permission::CidrRange;
- pub use ip_permission::IpBlacklistPermission;
- pub use ip_permission::IpWhitelistPermission;
- pub use mfa::MFAAuthentication as MfaManager;
- pub use model_permissions::DjangoModelPermissions;
- pub use model_permissions::DjangoModelPermissionsOrAnonReadOnly;
- pub use model_permissions::ModelPermission;
- pub use object_permissions::ObjectPermission;
- pub use object_permissions::ObjectPermissionChecker;
- pub use object_permissions::ObjectPermissionManager;
- pub use permission_operators::AndPermission;
- pub use permission_operators::NotPermission;
- pub use permission_operators::OrPermission;
- pub use remote_user::RemoteUserAuthentication as RemoteUserAuth;
- pub use rest_authentication::BasicAuthConfig;
- pub use rest_authentication::CompositeAuthentication;
- pub use rest_authentication::RemoteUserAuthentication;
- pub use rest_authentication::RestAuthentication;
- pub use rest_authentication::SessionAuthConfig;
- pub use rest_authentication::SessionAuthentication;
- pub use rest_authentication::TokenAuthConfig;
- pub use rest_authentication::TokenAuthentication;
- pub use time_based_permission::DateRange;
- pub use time_based_permission::TimeBasedPermission;
- pub use time_based_permission::TimeWindow;
- pub use user_management::CreateUserData;
- pub use user_management::UpdateUserData;
- pub use user_management::UserManagementError;
- pub use user_management::UserManagementResult;
- pub use user_management::UserManager;
Modules§
- advanced_permissions - Advanced permission classes (role-based, object-level). Advanced Permission System
- auth_extractors - Startup validation for auth extractor DI configuration.
- auth_info - Lightweight authentication extractor that reads from request extensions.
- auth_user - Authenticated user extractor that loads the full user model from database.
- base_user_manager - Base user manager trait for CRUD operations.
- basic - HTTP Basic authentication backend. HTTP Basic Authentication
- core - reinhardt-core-auth
- current_user - CurrentUser Injectable for dependency injection
- default_user - Default user model with Argon2 password hashing.
- default_user_manager - Default user manager implementation.
- group_management - Group management (create, delete, assign users). Group Management
- ip_permission - IP-based permission classes (whitelist/blacklist with CIDR). IP-based access control permissions
- mfa - Multi-factor authentication support. Multi-Factor Authentication (MFA)
- model_permissions - Django-compatible model-level permissions. Model-based Permissions
- object_permissions - Object-level permission checking. Object-Level Permissions
- remote_user - Remote user authentication (proxy-based). Remote User Authentication
- repository - User repository abstraction
- rest_authentication - REST API authentication backends. REST API Authentication
- sessions - Reinhardt Sessions
- time_based_permission - Time-based permission class (time windows, date ranges). Time-based access control permissions
- user_management - User CRUD management. User Management
Enums§
- AuthenticationError - Authentication errors that can occur during user verification.
Traits§
- AuthenticationBackend - Authentication backend trait