oidc integration

Reviewed-on: #11

notes-infra/Cargo.toml

@@ -4,18 +4,38 @@ version = "0.1.0"
 edition = "2024"
 
 [features]
-default = ["sqlite", "smart-features", "broker-nats"]
-sqlite = ["sqlx/sqlite", "k-core/sqlite", "tower-sessions-sqlx-store", "k-core/sessions-db"]
-postgres = ["sqlx/postgres", "k-core/postgres", "tower-sessions-sqlx-store", "k-core/sessions-db"]
+default = [
+    "sqlite",
+    "smart-features",
+    "broker-nats",
+    "auth-jwt",
+    "auth-oidc",
+    "auth-axum-login",
+]
+sqlite = [
+    "sqlx/sqlite",
+    "k-core/sqlite",
+    "tower-sessions-sqlx-store",
+    "k-core/sessions-db",
+]
+postgres = [
+    "sqlx/postgres",
+    "k-core/postgres",
+    "tower-sessions-sqlx-store",
+    "k-core/sessions-db",
+]
 smart-features = ["k-core/ai"]
 broker-nats = ["dep:futures-util", "k-core/broker-nats"]
+auth-axum-login = ["dep:axum-login", "dep:password-auth"]
+auth-oidc = ["dep:openidconnect", "dep:url"]
+auth-jwt = ["dep:jsonwebtoken"]
 
 [dependencies]
 k-core = { git = "https://git.gabrielkaszewski.dev/GKaszewski/k-core", features = [
     "logging",
     "db-sqlx",
-    "sessions-db"
-], version = "*"}
+    "sessions-db",
+], version = "*" }
 notes-domain = { path = "../notes-domain" }
 
 chrono = { version = "0.4.42", features = ["serde"] }
@@ -31,4 +51,18 @@ futures-util = { version = "0.3", optional = true }
 futures-core = "0.3"
 async-trait = "0.1.89"
 anyhow = "1.0.100"
-tower-sessions-sqlx-store = { version =  "0.15.0", optional = true}
+tower-sessions-sqlx-store = { version = "0.15.0", optional = true }
+tower-sessions = "0.14"
+
+# Auth dependencies (optional)
+axum-login = { version = "0.18", optional = true }
+password-auth = { version = "1.0", optional = true }
+openidconnect = { version = "4.0.1", optional = true }
+url = { version = "2.5.8", optional = true }
+jsonwebtoken = { version = "10.2.0", features = [
+    "sha2",
+    "p256",
+    "hmac",
+    "rsa",
+    "rust_crypto",
+], optional = true }

notes-infra/src/auth/axum_login.rs

@@ -0,0 +1,110 @@
+use std::sync::Arc;
+
+use axum_login::{AuthnBackend, UserId};
+use password_auth::verify_password;
+use serde::{Deserialize, Serialize};
+use tower_sessions::SessionManagerLayer;
+use uuid::Uuid;
+
+use notes_domain::{User, UserRepository};
+
+use crate::session_store::InfraSessionStore;
+
+/// Wrapper around domain User to implement AuthUser
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct AuthUser(pub User);
+
+impl axum_login::AuthUser for AuthUser {
+    type Id = Uuid;
+
+    fn id(&self) -> Self::Id {
+        self.0.id
+    }
+
+    fn session_auth_hash(&self) -> &[u8] {
+        // Use password hash to invalidate sessions if password changes
+        self.0
+            .password_hash
+            .as_ref()
+            .map(|s| s.as_bytes())
+            .unwrap_or(&[])
+    }
+}
+
+#[derive(Clone)]
+pub struct AuthBackend {
+    pub user_repo: Arc<dyn UserRepository>,
+}
+
+impl AuthBackend {
+    pub fn new(user_repo: Arc<dyn UserRepository>) -> Self {
+        Self { user_repo }
+    }
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct Credentials {
+    pub email: notes_domain::Email,
+    pub password: notes_domain::Password,
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum AuthError {
+    #[error(transparent)]
+    Anyhow(#[from] anyhow::Error),
+}
+
+impl AuthnBackend for AuthBackend {
+    type User = AuthUser;
+    type Credentials = Credentials;
+    type Error = AuthError;
+
+    async fn authenticate(
+        &self,
+        creds: Self::Credentials,
+    ) -> Result<Option<Self::User>, Self::Error> {
+        let user = self
+            .user_repo
+            .find_by_email(creds.email.as_ref())
+            .await
+            .map_err(|e| AuthError::Anyhow(anyhow::anyhow!(e)))?;
+
+        if let Some(user) = user {
+            if let Some(hash) = &user.password_hash {
+                // Verify password
+                if verify_password(creds.password.as_ref(), hash).is_ok() {
+                    return Ok(Some(AuthUser(user)));
+                }
+            }
+        }
+
+        Ok(None)
+    }
+
+    async fn get_user(&self, user_id: &UserId<Self>) -> Result<Option<Self::User>, Self::Error> {
+        let user = self
+            .user_repo
+            .find_by_id(*user_id)
+            .await
+            .map_err(|e| AuthError::Anyhow(anyhow::anyhow!(e)))?;
+
+        Ok(user.map(AuthUser))
+    }
+}
+
+pub type AuthSession = axum_login::AuthSession<AuthBackend>;
+pub type AuthManagerLayer = axum_login::AuthManagerLayer<AuthBackend, InfraSessionStore>;
+
+pub async fn setup_auth_layer(
+    session_layer: SessionManagerLayer<InfraSessionStore>,
+    user_repo: Arc<dyn UserRepository>,
+) -> Result<AuthManagerLayer, AuthError> {
+    let backend = AuthBackend::new(user_repo);
+
+    let auth_layer = axum_login::AuthManagerLayerBuilder::new(backend, session_layer).build();
+    Ok(auth_layer)
+}
+
+pub fn hash_password(password: &str) -> String {
+    password_auth::generate_hash(password)
+}

notes-infra/src/auth/jwt.rs

@@ -0,0 +1,278 @@
+//! JWT Authentication Infrastructure
+//!
+//! Provides JWT token creation and validation using HS256 (secret-based).
+//! For OIDC/JWKS validation, see the `oidc` module.
+
+use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode};
+use notes_domain::User;
+use serde::{Deserialize, Serialize};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+/// Minimum secret length for production (256 bits = 32 bytes)
+const MIN_SECRET_LENGTH: usize = 32;
+
+/// JWT configuration
+#[derive(Debug, Clone)]
+pub struct JwtConfig {
+    /// Secret key for HS256 signing/verification
+    pub secret: String,
+    /// Expected issuer (for validation)
+    pub issuer: Option<String>,
+    /// Expected audience (for validation)
+    pub audience: Option<String>,
+    /// Token expiry in hours (default: 24)
+    pub expiry_hours: u64,
+}
+
+impl JwtConfig {
+    /// Create a new JWT config with validation
+    ///
+    /// In production mode, this will reject weak secrets.
+    pub fn new(
+        secret: String,
+        issuer: Option<String>,
+        audience: Option<String>,
+        expiry_hours: Option<u64>,
+        is_production: bool,
+    ) -> Result<Self, JwtError> {
+        // Validate secret strength in production
+        if is_production && secret.len() < MIN_SECRET_LENGTH {
+            return Err(JwtError::WeakSecret {
+                min_length: MIN_SECRET_LENGTH,
+                actual_length: secret.len(),
+            });
+        }
+
+        Ok(Self {
+            secret,
+            issuer,
+            audience,
+            expiry_hours: expiry_hours.unwrap_or(24),
+        })
+    }
+
+    /// Create config without validation (for testing)
+    pub fn new_unchecked(secret: String) -> Self {
+        Self {
+            secret,
+            issuer: None,
+            audience: None,
+            expiry_hours: 24,
+        }
+    }
+}
+
+/// JWT claims structure
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct JwtClaims {
+    /// Subject - the user's unique identifier (user ID as string)
+    pub sub: String,
+    /// User's email address
+    pub email: String,
+    /// Expiry timestamp (seconds since UNIX epoch)
+    pub exp: usize,
+    /// Issued at timestamp (seconds since UNIX epoch)
+    pub iat: usize,
+    /// Issuer
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iss: Option<String>,
+    /// Audience
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<String>,
+}
+
+/// JWT-related errors
+#[derive(Debug, thiserror::Error)]
+pub enum JwtError {
+    #[error("JWT secret is too weak: minimum {min_length} bytes required, got {actual_length}")]
+    WeakSecret {
+        min_length: usize,
+        actual_length: usize,
+    },
+
+    #[error("Token creation failed: {0}")]
+    CreationFailed(#[from] jsonwebtoken::errors::Error),
+
+    #[error("Token validation failed: {0}")]
+    ValidationFailed(String),
+
+    #[error("Token expired")]
+    Expired,
+
+    #[error("Invalid token format")]
+    InvalidFormat,
+
+    #[error("Missing configuration")]
+    MissingConfig,
+}
+
+/// JWT token validator and generator
+#[derive(Clone)]
+pub struct JwtValidator {
+    config: JwtConfig,
+    encoding_key: EncodingKey,
+    decoding_key: DecodingKey,
+    validation: Validation,
+}
+
+impl JwtValidator {
+    /// Create a new JWT validator with the given configuration
+    pub fn new(config: JwtConfig) -> Self {
+        let encoding_key = EncodingKey::from_secret(config.secret.as_bytes());
+        let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
+
+        let mut validation = Validation::new(Algorithm::HS256);
+
+        // Configure issuer validation if set
+        if let Some(ref issuer) = config.issuer {
+            validation.set_issuer(&[issuer]);
+        }
+
+        // Configure audience validation if set
+        if let Some(ref audience) = config.audience {
+            validation.set_audience(&[audience]);
+        }
+
+        Self {
+            config,
+            encoding_key,
+            decoding_key,
+            validation,
+        }
+    }
+
+    /// Create a JWT token for the given user
+    pub fn create_token(&self, user: &User) -> Result<String, JwtError> {
+        let now = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("Time went backwards")
+            .as_secs() as usize;
+
+        let expiry = now + (self.config.expiry_hours as usize * 3600);
+
+        let claims = JwtClaims {
+            sub: user.id.to_string(),
+            email: user.email.as_ref().to_string(),
+            exp: expiry,
+            iat: now,
+            iss: self.config.issuer.clone(),
+            aud: self.config.audience.clone(),
+        };
+
+        let header = Header::new(Algorithm::HS256);
+        encode(&header, &claims, &self.encoding_key).map_err(JwtError::CreationFailed)
+    }
+
+    /// Validate a JWT token and return the claims
+    pub fn validate_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let token_data = decode::<JwtClaims>(token, &self.decoding_key, &self.validation).map_err(
+            |e| match e.kind() {
+                jsonwebtoken::errors::ErrorKind::ExpiredSignature => JwtError::Expired,
+                jsonwebtoken::errors::ErrorKind::InvalidToken => JwtError::InvalidFormat,
+                _ => JwtError::ValidationFailed(e.to_string()),
+            },
+        )?;
+
+        Ok(token_data.claims)
+    }
+
+    /// Get the user ID (subject) from a token without full validation
+    /// Useful for logging/debugging, but should not be trusted for auth
+    pub fn decode_unverified(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.insecure_disable_signature_validation();
+        validation.validate_exp = false;
+
+        let token_data = decode::<JwtClaims>(token, &self.decoding_key, &validation)
+            .map_err(|_| JwtError::InvalidFormat)?;
+
+        Ok(token_data.claims)
+    }
+}
+
+impl std::fmt::Debug for JwtValidator {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("JwtValidator")
+            .field("issuer", &self.config.issuer)
+            .field("audience", &self.config.audience)
+            .field("expiry_hours", &self.config.expiry_hours)
+            .finish_non_exhaustive()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use notes_domain::Email;
+
+    fn create_test_user() -> User {
+        let email = Email::try_from("test@example.com").unwrap();
+        User::new("test-subject", email)
+    }
+
+    #[test]
+    fn test_create_and_validate_token() {
+        let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
+        let validator = JwtValidator::new(config);
+        let user = create_test_user();
+
+        let token = validator.create_token(&user).expect("Should create token");
+        let claims = validator
+            .validate_token(&token)
+            .expect("Should validate token");
+
+        assert_eq!(claims.sub, user.id.to_string());
+        assert_eq!(claims.email, "test@example.com");
+    }
+
+    #[test]
+    fn test_weak_secret_rejected_in_production() {
+        let result = JwtConfig::new(
+            "short".to_string(), // Too short
+            None,
+            None,
+            None,
+            true, // Production mode
+        );
+
+        assert!(matches!(result, Err(JwtError::WeakSecret { .. })));
+    }
+
+    #[test]
+    fn test_weak_secret_allowed_in_development() {
+        let result = JwtConfig::new(
+            "short".to_string(), // Too short but OK in dev
+            None,
+            None,
+            None,
+            false, // Development mode
+        );
+
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_invalid_token_rejected() {
+        let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
+        let validator = JwtValidator::new(config);
+
+        let result = validator.validate_token("invalid.token.here");
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_wrong_secret_rejected() {
+        let config1 = JwtConfig::new_unchecked("secret-one-that-is-long-enough".to_string());
+        let config2 = JwtConfig::new_unchecked("secret-two-that-is-long-enough".to_string());
+
+        let validator1 = JwtValidator::new(config1);
+        let validator2 = JwtValidator::new(config2);
+
+        let user = create_test_user();
+        let token = validator1.create_token(&user).unwrap();
+
+        // Token from validator1 should fail on validator2
+        let result = validator2.validate_token(&token);
+        assert!(result.is_err());
+    }
+}

notes-infra/src/auth/mod.rs

@@ -0,0 +1,6 @@
+#[cfg(feature = "auth-axum-login")]
+pub mod axum_login;
+#[cfg(feature = "auth-jwt")]
+pub mod jwt;
+#[cfg(feature = "auth-oidc")]
+pub mod oidc;

notes-infra/src/auth/oidc.rs

@@ -0,0 +1,202 @@
+use anyhow::anyhow;
+use notes_domain::{
+    AuthorizationCode, AuthorizationUrlData, ClientId, ClientSecret, CsrfToken, IssuerUrl,
+    OidcNonce, PkceVerifier, RedirectUrl, ResourceId,
+};
+use openidconnect::{
+    AccessTokenHash, Client, EmptyAdditionalClaims, EndpointMaybeSet, EndpointNotSet, EndpointSet,
+    OAuth2TokenResponse, PkceCodeChallenge, Scope, StandardErrorResponse, TokenResponse,
+    UserInfoClaims,
+    core::{
+        CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreErrorResponseType,
+        CoreGenderClaim, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreProviderMetadata,
+        CoreRevocableToken, CoreRevocationErrorResponse, CoreTokenIntrospectionResponse,
+        CoreTokenResponse,
+    },
+    reqwest,
+};
+
+pub type OidcClient = Client<
+    EmptyAdditionalClaims,
+    CoreAuthDisplay,
+    CoreGenderClaim,
+    CoreJweContentEncryptionAlgorithm,
+    CoreJsonWebKey,
+    CoreAuthPrompt,
+    StandardErrorResponse<CoreErrorResponseType>,
+    CoreTokenResponse,
+    CoreTokenIntrospectionResponse,
+    CoreRevocableToken,
+    CoreRevocationErrorResponse,
+    EndpointSet,      // HasAuthUrl (Required and guaranteed by discovery)
+    EndpointNotSet,   // HasDeviceAuthUrl
+    EndpointNotSet,   // HasIntrospectionUrl
+    EndpointNotSet,   // HasRevocationUrl
+    EndpointMaybeSet, // HasTokenUrl (Discovered, might be missing)
+    EndpointMaybeSet, // HasUserInfoUrl (Discovered, might be missing)
+>;
+
+#[derive(Clone)]
+pub struct OidcService {
+    client: OidcClient,
+    resource_id: Option<ResourceId>,
+}
+
+#[derive(Debug)]
+pub struct OidcUser {
+    pub subject: String,
+    pub email: String,
+}
+
+impl OidcService {
+    /// Create a new OIDC service with validated configuration newtypes
+    pub async fn new(
+        issuer: IssuerUrl,
+        client_id: ClientId,
+        client_secret: Option<ClientSecret>,
+        redirect_url: RedirectUrl,
+        resource_id: Option<ResourceId>,
+    ) -> anyhow::Result<Self> {
+        tracing::debug!("🔵 OIDC Setup: Client ID = '{}'", client_id);
+        tracing::debug!("🔵 OIDC Setup: Redirect  = '{}'", redirect_url);
+        tracing::debug!(
+            "🔵 OIDC Setup: Secret    = {:?}",
+            if client_secret.is_some() {
+                "SET"
+            } else {
+                "NONE"
+            }
+        );
+
+        let http_client = reqwest::ClientBuilder::new()
+            .redirect(reqwest::redirect::Policy::none())
+            .build()?;
+
+        let provider_metadata = CoreProviderMetadata::discover_async(
+            openidconnect::IssuerUrl::new(issuer.as_ref().to_string())?,
+            &http_client,
+        )
+        .await?;
+
+        // Convert to openidconnect types
+        let oidc_client_id = openidconnect::ClientId::new(client_id.as_ref().to_string());
+        let oidc_client_secret = client_secret
+            .as_ref()
+            .filter(|s| !s.is_empty())
+            .map(|s| openidconnect::ClientSecret::new(s.as_ref().to_string()));
+        let oidc_redirect_url = openidconnect::RedirectUrl::new(redirect_url.as_ref().to_string())?;
+
+        let client = CoreClient::from_provider_metadata(
+            provider_metadata,
+            oidc_client_id,
+            oidc_client_secret,
+        )
+        .set_redirect_uri(oidc_redirect_url);
+
+        Ok(Self {
+            client,
+            resource_id,
+        })
+    }
+
+    /// Get the authorization URL and associated state for OIDC login
+    ///
+    /// Returns structured data instead of a raw tuple for better type safety
+    pub fn get_authorization_url(&self) -> AuthorizationUrlData {
+        let (pkce_challenge, pkce_verifier) = PkceCodeChallenge::new_random_sha256();
+
+        let (auth_url, csrf_token, nonce) = self
+            .client
+            .authorize_url(
+                CoreAuthenticationFlow::AuthorizationCode,
+                openidconnect::CsrfToken::new_random,
+                openidconnect::Nonce::new_random,
+            )
+            .add_scope(Scope::new("profile".to_string()))
+            .add_scope(Scope::new("email".to_string()))
+            .set_pkce_challenge(pkce_challenge)
+            .url();
+
+        AuthorizationUrlData {
+            url: auth_url.into(),
+            csrf_token: CsrfToken::new(csrf_token.secret().to_string()),
+            nonce: OidcNonce::new(nonce.secret().to_string()),
+            pkce_verifier: PkceVerifier::new(pkce_verifier.secret().to_string()),
+        }
+    }
+
+    /// Resolve the OIDC callback with type-safe parameters
+    pub async fn resolve_callback(
+        &self,
+        code: AuthorizationCode,
+        nonce: OidcNonce,
+        pkce_verifier: PkceVerifier,
+    ) -> anyhow::Result<OidcUser> {
+        let http_client = reqwest::ClientBuilder::new()
+            .redirect(reqwest::redirect::Policy::none())
+            .build()?;
+
+        let oidc_pkce_verifier =
+            openidconnect::PkceCodeVerifier::new(pkce_verifier.as_ref().to_string());
+        let oidc_nonce = openidconnect::Nonce::new(nonce.as_ref().to_string());
+
+        let token_response = self
+            .client
+            .exchange_code(openidconnect::AuthorizationCode::new(
+                code.as_ref().to_string(),
+            ))?
+            .set_pkce_verifier(oidc_pkce_verifier)
+            .request_async(&http_client)
+            .await?;
+
+        let id_token = token_response
+            .id_token()
+            .ok_or_else(|| anyhow!("Server did not return an ID token"))?;
+
+        let mut id_token_verifier = self.client.id_token_verifier().clone();
+
+        if let Some(resource_id) = &self.resource_id {
+            let trusted_resource_id = resource_id.as_ref().to_string();
+            id_token_verifier = id_token_verifier
+                .set_other_audience_verifier_fn(move |aud| aud.as_str() == trusted_resource_id);
+        }
+
+        let claims = id_token.claims(&id_token_verifier, &oidc_nonce)?;
+
+        if let Some(expected_access_token_hash) = claims.access_token_hash() {
+            let actual_access_token_hash = AccessTokenHash::from_token(
+                token_response.access_token(),
+                id_token.signing_alg()?,
+                id_token.signing_key(&id_token_verifier)?,
+            )?;
+
+            if actual_access_token_hash != *expected_access_token_hash {
+                return Err(anyhow!("Invalid access token"));
+            }
+        }
+
+        let email = if let Some(email) = claims.email() {
+            Some(email.as_str().to_string())
+        } else {
+            // Fallback: Call UserInfo Endpoint using the Access Token
+            tracing::debug!("🔵 Email missing in ID Token, fetching UserInfo...");
+
+            let user_info: UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim> = self
+                .client
+                .user_info(token_response.access_token().clone(), None)?
+                .request_async(&http_client)
+                .await?;
+
+            user_info.email().map(|e| e.as_str().to_string())
+        };
+
+        // If email is still missing, we must error out because your app requires valid emails
+        let email =
+            email.ok_or_else(|| anyhow!("User has no verified email address in ZITADEL"))?;
+
+        Ok(OidcUser {
+            subject: claims.subject().to_string(),
+            email,
+        })
+    }
+}

notes-infra/src/lib.rs

@@ -13,6 +13,7 @@
 //!
 //! - [`db::run_migrations`] - Run database migrations
 
+pub mod auth;
 #[cfg(feature = "broker-nats")]
 pub mod broker;
 pub mod db;

notes-infra/src/session_store.rs

@@ -1 +1,2 @@
 pub use k_core::session::store::InfraSessionStore;
+pub use tower_sessions::{Expiry, SessionManagerLayer};