turbomcp_auth/
types.rs

1//! Core Authentication Types
2//!
3//! This module contains core types used throughout the TurboMCP authentication system.
4
5use std::collections::HashMap;
6use std::time::SystemTime;
7
8use async_trait::async_trait;
9use oauth2::RefreshToken;
10use serde::{Deserialize, Serialize};
11
12use turbomcp_protocol::{Error as McpError, Result as McpResult};
13
14use super::config::AuthProviderType;
15
16/// Authentication context containing user information and session data
17#[derive(Debug, Clone, Serialize, Deserialize)]
18pub struct AuthContext {
19    /// User ID
20    pub user_id: String,
21    /// User information
22    pub user: UserInfo,
23    /// User roles
24    pub roles: Vec<String>,
25    /// User permissions
26    pub permissions: Vec<String>,
27    /// Session ID
28    pub session_id: String,
29    /// Token information
30    pub token: Option<TokenInfo>,
31    /// Authentication provider used
32    pub provider: String,
33    /// Authentication timestamp
34    pub authenticated_at: SystemTime,
35    /// Token expiry time
36    pub expires_at: Option<SystemTime>,
37    /// Additional metadata
38    pub metadata: HashMap<String, serde_json::Value>,
39}
40
41/// User information
42#[derive(Debug, Clone, Serialize, Deserialize)]
43pub struct UserInfo {
44    /// User ID
45    pub id: String,
46    /// Username
47    pub username: String,
48    /// Email address
49    pub email: Option<String>,
50    /// Display name
51    pub display_name: Option<String>,
52    /// Avatar URL
53    pub avatar_url: Option<String>,
54    /// User metadata
55    pub metadata: HashMap<String, serde_json::Value>,
56}
57
58/// Token information
59#[derive(Debug, Clone, Serialize, Deserialize)]
60pub struct TokenInfo {
61    /// Access token
62    pub access_token: String,
63    /// Token type (Bearer, etc.)
64    pub token_type: String,
65    /// Refresh token
66    pub refresh_token: Option<String>,
67    /// Token expiry in seconds
68    pub expires_in: Option<u64>,
69    /// Token scope
70    pub scope: Option<String>,
71}
72
73/// Authentication provider trait
74#[async_trait]
75pub trait AuthProvider: Send + Sync + std::fmt::Debug {
76    /// Provider name
77    fn name(&self) -> &str;
78
79    /// Provider type
80    fn provider_type(&self) -> AuthProviderType;
81
82    /// Authenticate user with credentials
83    async fn authenticate(&self, credentials: AuthCredentials) -> McpResult<AuthContext>;
84
85    /// Validate existing token/session
86    async fn validate_token(&self, token: &str) -> McpResult<AuthContext>;
87
88    /// Refresh access token
89    async fn refresh_token(&self, refresh_token: &str) -> McpResult<TokenInfo>;
90
91    /// Revoke token/session
92    async fn revoke_token(&self, token: &str) -> McpResult<()>;
93
94    /// Get user information
95    async fn get_user_info(&self, token: &str) -> McpResult<UserInfo>;
96}
97
98/// Authentication credentials
99#[derive(Debug, Clone, Serialize, Deserialize)]
100pub enum AuthCredentials {
101    /// Username and password
102    UsernamePassword {
103        /// Username
104        username: String,
105        /// Password
106        password: String,
107    },
108    /// API key
109    ApiKey {
110        /// API key
111        key: String,
112    },
113    /// OAuth 2.0 authorization code
114    OAuth2Code {
115        /// Authorization code
116        code: String,
117        /// State parameter
118        state: String,
119    },
120    /// JWT token
121    JwtToken {
122        /// JWT token
123        token: String,
124    },
125    /// Custom credentials
126    Custom {
127        /// Custom credential data
128        data: HashMap<String, serde_json::Value>,
129    },
130}
131
132/// Secure token storage abstraction
133#[async_trait]
134pub trait TokenStorage: Send + Sync + std::fmt::Debug {
135    /// Store access token securely
136    async fn store_access_token(&self, user_id: &str, token: &AccessToken) -> McpResult<()>;
137
138    /// Retrieve access token
139    async fn get_access_token(&self, user_id: &str) -> McpResult<Option<AccessToken>>;
140
141    /// Store refresh token securely (encrypted at rest)
142    async fn store_refresh_token(&self, user_id: &str, token: &RefreshToken) -> McpResult<()>;
143
144    /// Retrieve refresh token
145    async fn get_refresh_token(&self, user_id: &str) -> McpResult<Option<RefreshToken>>;
146
147    /// Remove all tokens for user (logout)
148    async fn revoke_tokens(&self, user_id: &str) -> McpResult<()>;
149
150    /// List all users with stored tokens (for admin)
151    async fn list_users(&self) -> McpResult<Vec<String>>;
152}
153
154/// Secure access token with metadata
155#[derive(Debug, Clone)]
156pub struct AccessToken {
157    /// The actual token
158    pub(crate) token: String,
159    /// Token expiration time
160    pub(crate) expires_at: Option<SystemTime>,
161    /// Token scopes
162    pub(crate) scopes: Vec<String>,
163    /// Provider metadata
164    pub(crate) metadata: HashMap<String, serde_json::Value>,
165}
166
167impl AccessToken {
168    /// Create a new access token
169    #[must_use]
170    pub fn new(
171        token: String,
172        expires_at: Option<SystemTime>,
173        scopes: Vec<String>,
174        metadata: HashMap<String, serde_json::Value>,
175    ) -> Self {
176        Self {
177            token,
178            expires_at,
179            scopes,
180            metadata,
181        }
182    }
183
184    /// Get the token value
185    #[must_use]
186    pub fn token(&self) -> &str {
187        &self.token
188    }
189
190    /// Get the token expiration time
191    #[must_use]
192    pub fn expires_at(&self) -> Option<SystemTime> {
193        self.expires_at
194    }
195
196    /// Get the token scopes
197    #[must_use]
198    pub fn scopes(&self) -> &[String] {
199        &self.scopes
200    }
201
202    /// Get the token metadata
203    #[must_use]
204    pub fn metadata(&self) -> &HashMap<String, serde_json::Value> {
205        &self.metadata
206    }
207}
208
209/// Authentication middleware trait
210#[async_trait]
211pub trait AuthMiddleware: Send + Sync {
212    /// Extract authentication token from request
213    async fn extract_token(&self, headers: &HashMap<String, String>) -> Option<String>;
214
215    /// Handle authentication failure
216    async fn handle_auth_failure(&self, error: McpError) -> McpResult<()>;
217}
218
219/// Default authentication middleware
220#[derive(Debug, Clone)]
221pub struct DefaultAuthMiddleware;
222
223#[async_trait]
224impl AuthMiddleware for DefaultAuthMiddleware {
225    async fn extract_token(&self, headers: &HashMap<String, String>) -> Option<String> {
226        // Try Authorization header first
227        if let Some(auth_header) = headers
228            .get("authorization")
229            .or_else(|| headers.get("Authorization"))
230        {
231            if let Some(token) = auth_header.strip_prefix("Bearer ") {
232                return Some(token.to_string());
233            }
234            if let Some(token) = auth_header.strip_prefix("ApiKey ") {
235                return Some(token.to_string());
236            }
237        }
238
239        // Try X-API-Key header
240        if let Some(api_key) = headers
241            .get("x-api-key")
242            .or_else(|| headers.get("X-API-Key"))
243        {
244            return Some(api_key.clone());
245        }
246
247        None
248    }
249
250    async fn handle_auth_failure(&self, error: McpError) -> McpResult<()> {
251        tracing::warn!("Authentication failed: {}", error);
252        Err(Box::new(error))
253    }
254}
turbomcp_auth/types.rs

turbomcp_auth/
types.rs
