Expand description
Authentication & authorization.
Three pieces:
users.rs— user records, password hashing, loginsessions.rs— DB-backed sessions with expiry cleanuppermissions.rs— granular permissions + groups
A user belongs to zero or more groups. Permissions come from two
sources: (a) direct assignments on the user, (b) inherited from
the user’s groups. The permission string is
<app>.<action>_<model> — e.g. posts.change_post.
Modules§
- emergency
- Emergency-recovery primitives — the framework-side surface called
by the
rustio user <op>CLI commands. - guards
- Authority guards — server-side enforcement of the rank model.
Structs§
- Default
Password Policy - Length-only password policy. Default
min_lenis 10 — the secure-by-default baseline R1 ships with: long enough to defeat trivial guessing under Argon2id + per-IP rate-limiting (NIST SP 800-63B’s recommended length floor is 8, with longer being preferable), short enough not to drive operators toward sticky- note workarounds. Production / regulated deployments are encouraged to override to 12+ viacrate::admin::Admin::password_policy; high-sensitivity deployments may want 16+ paired with an organisational complexity rule or breach blocklist. - Default
Recovery Policy - Length-only / rate-limit-only baseline policy. Public fields plus
chainable
with_*setters so projects that want to tweak one knob don’t need to author a full trait impl. - Identity
- The identity attached to a request by the auth middleware. Kept cheap to clone because we pass it into handler bodies.
- Invalidation
Outcome - Outcome of an
invalidate_sessionscall. Used by the audit pipeline to write one row per affected session and by the caller to decide whether to clear the user’s cookie. - Login
Throttle - Auto-throttle parameters for the login flow
(
DESIGN_R2_ORGANISATIONAL.md§3.3 + §12 locked decisions). - Permission
- Session
- One session row, reconstructed from
rustio_sessions. Returned bylist_active_for_userfor the active-sessions UI. - Stored
User - Superuser
- Marker type used by the admin’s authorize macro for fast-paths on admins.
- User
Profile - Read-only view of a user, used by the built-in admin profile page.
Excludes
password_hashdeliberately. Construct viaload_user_profile.
Enums§
- MfaPolicy
- Framework-wide MFA enforcement policy.
- Password
Policy Error - Reasons a candidate password fails policy validation.
- Permission
Error - Role
- Session
Invalidation Reason - Why a session is being invalidated. Drives both the audit
action_typeand decisions about whether to clear remembered MFA or mint a replacement session. - Session
Target - Which sessions an
invalidate_sessionscall targets. - Session
Trust - Trust level a session has acquired. The login flow mints
SessionTrust::Authenticated; the future re-auth wall promotes toSessionTrust::Elevated; a successful TOTP step on this session lifts toSessionTrust::MfaVerified.
Constants§
- SESSION_
COOKIE - The cookie name we look for and set. Constant so middleware and handlers stay in sync.
Traits§
- Password
Policy - Validates a candidate password against project-defined rules.
- Recovery
Policy - Tunables for the R1 recovery flow: token TTL, rate-limit shape, strict-mailer boot guard, and public-site-URL derivation.
Functions§
- add_
user_ to_ group - check_
permission - Ask “does this identity have permission X?”.
- create_
group - Idempotent. A second call with the same
namereturns the existing group’s id; the storeddescriptionis preserved (first-write-wins). Mirrors thepermission_idupsert idiom in this module. - create_
session - create_
user - current_
session_ id - Resolve the cookie token to its
session_id(active sessions only). Used by the active-sessions UI to mark which row is the current device, and byUserExceptCurrentcallers. - delete_
session - Hard-delete a session row by cookie token. Retained as a
pre-0.4.0 compatibility shim — internal callers are migrating to
invalidate_sessions, which soft-revokes viarevoked_atand keeps the row available for the audit trail. New code MUST NOT call this directly; only the expired-row sweeper and the read-path stale-cleanup branch are allowed callers, both of which are inside this module. - find_
user_ by_ email - grant_
to_ group - grant_
to_ user - hash_
password - identity_
from_ session - init_
permission_ tables - init_
session_ tables - init_
tables - Initialise every auth-related table. Safe to call on every boot.
- init_
user_ tables - invalidate_
sessions - Centralised session invalidation — the single legitimate writer of
rustio_sessions.revoked_at. - list_
active_ for_ user - List a user’s currently-active sessions, ordered by
last_seendescending so the active-sessions UI surfaces the most recently used row first. Excludes revoked + expired rows. - load_
user_ profile - Load a user by id for display purposes. Returns
Ok(None)for a missing id (callers map to 404). ReturnsErronly on a real DB failure or a corrupted role string. Never readspassword_hash. - login
- Verify credentials and create a session. Returns the session token to set in the cookie. A deliberately vague error on failure — we don’t want to leak whether the email was valid.
- logout_
session - Convenience wrapper for the existing logout flow. Routes through
invalidate_sessionswithSessionTarget::SingleandSessionInvalidationReason::Logout. - migrate_
user_ schema - Idempotent schema upgrade for the 5-tier role hierarchy + demo + profile
columns. Safe to call repeatedly; safe on a fresh DB and on a legacy
'admin'-roled DB. - permissions_
for_ user - All permission names belonging to the given user — direct + via groups — unioned into one set. Cached for 60s.
- protected_
roles - Roles the framework refuses to lose its last active member of.
- purge_
expired_ sessions - Delete all expired sessions. Intended to be called periodically
from a background task (see
background::spawn_session_sweeper). - register_
model_ permissions - For an admin model named
posts, register the canonical four permissions:add_post,change_post,delete_post,view_post. Idempotent. - remove_
user_ from_ group - session_
token_ from_ cookie - set_
password - Re-hash and write a new password for
user_id. Stamps bothpassword_changed_atandupdated_atto the sameNOW()—password_changed_atis the doctrine-7 surface (“Password last changed: 2 days ago”) that the active-sessions UI reads; the existingupdated_atcontinues to track row-level edits. - update_
user_ role - verdict_
for_ orphan_ role - Pure verdict for the orphan check, factored out so it can be
unit-tested without a
Db. The async wrapperwould_orphan_rolesuppliesactive_countandtarget_is_protectedfrom SQL. - verify_
password - would_
orphan_ developers Deprecated - Legacy alias preserved so external callers keep compiling. Prefer
would_orphan_protectedwhich generalises across every role insuper::role::protected_roles. - would_
orphan_ protected - Walk every entry in
super::role::protected_rolesand return the first protected role whose membership would be orphaned by the proposed change.Nonemeans the change is safe. - would_
orphan_ role - Would the proposed change leave the system with zero active members
of
protected_role?
Type Aliases§
- Shared
Password Policy - Type-erased shared password-policy reference, mirroring
crate::email::SharedMailer. The framework’sAdminholds one of these; defaults toArc::new(DefaultPasswordPolicy::new())until a project overrides viaAdmin::password_policy(Arc::new(...)). - Shared
Recovery Policy - Type-erased shared recovery-policy reference, mirroring
SharedPasswordPolicy/crate::email::SharedMailer.