Secure Authentication Systems in Rust#

Introduction#

Authentication forms the cornerstone of any secure system, yet it’s often implemented with critical vulnerabilities that expose entire infrastructures to compromise. In this comprehensive guide, we’ll build a production-ready authentication system in Rust that implements industry best practices including JWT tokens, OAuth2 integration, multi-factor authentication, and role-based access control.

Our system will demonstrate how Rust’s type safety and memory safety features help prevent common authentication vulnerabilities while delivering the performance and reliability required for enterprise-scale deployments.

Architecture Overview#

Security-First Design#

1
┌─────────────────────────────────────────────────────────────────┐
2
│                    Client Applications                           │
3
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
4
│  │   Web App   │  │ Mobile App  │  │    API Clients          │  │
5
│  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
6
├─────────────────────────────────────────────────────────────────┤
7
│                      API Gateway & Load Balancer                │
8
├─────────────────────────────────────────────────────────────────┤
9
│                    Authentication Service                        │
10
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
11
│  │    JWT      │  │   OAuth2    │  │        MFA              │  │
12
│  │  Manager    │  │  Provider   │  │     Manager             │  │
13
│  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
14
├─────────────────────────────────────────────────────────────────┤
15
│                    Authorization Layer                           │
16
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
17
│  │    RBAC     │  │ Permissions │  │    Policy Engine        │  │
18
│  │   Engine    │  │  Manager    │  │                         │  │
19
│  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
20
├─────────────────────────────────────────────────────────────────┤
21
│                      Data Layer                                  │
22
│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
23
│  │    User     │  │   Session   │  │      Audit Log          │  │
24
│  │  Database   │  │   Store     │  │                         │  │
25
│  └─────────────┘  └─────────────┘  └─────────────────────────┘  │
26
└─────────────────────────────────────────────────────────────────┘

Core Components#

1
// Core authentication system architecture
2
pub struct AuthenticationSystem {
3
    jwt_manager: Arc<JwtManager>,
4
    oauth2_provider: Arc<OAuth2Provider>,
5
    mfa_manager: Arc<MfaManager>,
6
    rbac_engine: Arc<RbacEngine>,
7
    user_service: Arc<UserService>,
8
    session_store: Arc<SessionStore>,
9
    audit_logger: Arc<AuditLogger>,
10
    rate_limiter: Arc<RateLimiter>,
11
}
12

13
#[derive(Debug, Clone, Serialize, Deserialize)]
14
pub struct AuthenticationRequest {
15
    pub username: String,
16
    pub password: SecureString,
17
    pub mfa_token: Option<String>,
18
    pub client_info: ClientInfo,
19
    pub requested_scopes: Vec<String>,
20
}
21

22
#[derive(Debug, Clone, Serialize, Deserialize)]
23
pub struct AuthenticationResponse {
24
    pub access_token: String,
25
    pub refresh_token: String,
26
    pub token_type: String,
27
    pub expires_in: u64,
28
    pub scope: String,
29
    pub user_info: UserInfo,
30
}

Project Setup#

Dependencies#

1
[package]
2
name = "secure-auth-system"
3
version = "1.0.0"
4
edition = "2021"
5

6
[dependencies]
7
# Web framework
8
axum = { version = "0.7", features = ["macros", "multipart"] }
9
tower = { version = "0.4", features = ["full"] }
10
tower-http = { version = "0.5", features = ["auth", "cors", "trace", "rate-limit"] }
11
hyper = { version = "1.0", features = ["full"] }
12

13
# Async runtime
14
tokio = { version = "1.35", features = ["full"] }
15
tokio-util = { version = "0.7", features = ["codec"] }
16

17
# Serialization
18
serde = { version = "1.0", features = ["derive"] }
19
serde_json = "1.0"
20
serde_urlencoded = "0.7"
21

22
# HTTP client
23
reqwest = { version = "0.11", features = ["json", "rustls-tls"] }
24

25
# Cryptography
26
ring = "0.17"
27
rustls = "0.22"
28
rustls-webpki = "0.102"
29
password-hash = "0.5"
30
argon2 = "0.5"
31
hmac = "0.12"
32
sha2 = "0.10"
33
aes-gcm = "0.10"
34
rand = "0.8"
35
rand_core = { version = "0.6", features = ["std"] }
36

37
# JWT
38
jsonwebtoken = "9.2"
39
base64 = "0.21"
40

41
# Database
42
sqlx = { version = "0.7", features = [
43
    "runtime-tokio-rustls",
44
    "postgres",
45
    "chrono",
46
    "uuid",
47
    "json"
48
] }
49
redis = { version = "0.24", features = ["tokio-comp", "connection-manager"] }
50

51
# Utilities
52
uuid = { version = "1.6", features = ["v4", "serde"] }
53
chrono = { version = "0.4", features = ["serde"] }
54
anyhow = "1.0"
55
thiserror = "1.0"
56
tracing = "0.1"
57
tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
58

59
# OAuth2
60
oauth2 = "4.4"
61
url = "2.5"
62

63
# TOTP for MFA
64
totp-rs = { version = "5.4", features = ["qr"] }
65
qrcode = "0.14"
66
image = "0.24"
67

68
# Rate limiting
69
governor = "0.6"
70
nonzero_ext = "0.3"
71

72
# Security
73
secrecy = { version = "0.8", features = ["serde"] }
74
zeroize = "1.7"
75

76
# Configuration
77
config = "0.13"
78
clap = { version = "4.4", features = ["derive"] }
79

80
# Metrics
81
prometheus = { version = "0.13", features = ["process"] }
82
metrics = "0.22"
83
metrics-prometheus = "0.6"
84

85
[dev-dependencies]
86
tempfile = "3.8"
87
mockall = "0.12"
88
wiremock = "0.5"
89
proptest = "1.4"
90
criterion = "0.5"

Database Schema#

1
-- migrations/001_initial_schema.sql
2

3
-- Users table with security enhancements
4
CREATE TABLE users (
5
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
6
    username VARCHAR(255) UNIQUE NOT NULL,
7
    email VARCHAR(255) UNIQUE NOT NULL,
8
    password_hash VARCHAR(255) NOT NULL,
9
    salt VARCHAR(255) NOT NULL,
10
    is_active BOOLEAN NOT NULL DEFAULT true,
11
    is_verified BOOLEAN NOT NULL DEFAULT false,
12
    failed_login_attempts INTEGER NOT NULL DEFAULT 0,
13
    locked_until TIMESTAMP WITH TIME ZONE,
14
    last_login TIMESTAMP WITH TIME ZONE,
15
    password_changed_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
16
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
17
    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
18

19
    -- Security constraints
20
    CONSTRAINT users_username_length CHECK (char_length(username) >= 3),
21
    CONSTRAINT users_email_format CHECK (email ~* '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')
22
);
23

24
-- User profiles for additional information
25
CREATE TABLE user_profiles (
26
    user_id UUID PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
27
    first_name VARCHAR(255),
28
    last_name VARCHAR(255),
29
    phone_number VARCHAR(20),
30
    timezone VARCHAR(50) DEFAULT 'UTC',
31
    locale VARCHAR(10) DEFAULT 'en-US',
32
    avatar_url TEXT,
33
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
34
    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
35
);
36

37
-- Roles and permissions (RBAC)
38
CREATE TABLE roles (
39
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
40
    name VARCHAR(100) UNIQUE NOT NULL,
41
    description TEXT,
42
    is_system_role BOOLEAN NOT NULL DEFAULT false,
43
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
44
    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
45
);
46

47
CREATE TABLE permissions (
48
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
49
    name VARCHAR(100) UNIQUE NOT NULL,
50
    resource VARCHAR(100) NOT NULL,
51
    action VARCHAR(50) NOT NULL,
52
    description TEXT,
53
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
54

55
    UNIQUE(resource, action)
56
);
57

58
CREATE TABLE role_permissions (
59
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
60
    permission_id UUID REFERENCES permissions(id) ON DELETE CASCADE,
61
    granted_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
62
    granted_by UUID REFERENCES users(id),
63

64
    PRIMARY KEY (role_id, permission_id)
65
);
66

67
CREATE TABLE user_roles (
68
    user_id UUID REFERENCES users(id) ON DELETE CASCADE,
69
    role_id UUID REFERENCES roles(id) ON DELETE CASCADE,
70
    assigned_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
71
    assigned_by UUID REFERENCES users(id),
72
    expires_at TIMESTAMP WITH TIME ZONE,
73

74
    PRIMARY KEY (user_id, role_id)
75
);
76

77
-- MFA configuration
78
CREATE TABLE user_mfa (
79
    user_id UUID PRIMARY KEY REFERENCES users(id) ON DELETE CASCADE,
80
    is_enabled BOOLEAN NOT NULL DEFAULT false,
81
    secret_key VARCHAR(255), -- Encrypted TOTP secret
82
    backup_codes TEXT[], -- Encrypted backup codes
83
    recovery_codes_used INTEGER NOT NULL DEFAULT 0,
84
    last_used_at TIMESTAMP WITH TIME ZONE,
85
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
86
    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
87
);
88

89
-- OAuth2 clients and tokens
90
CREATE TABLE oauth2_clients (
91
    client_id VARCHAR(255) PRIMARY KEY,
92
    client_secret_hash VARCHAR(255) NOT NULL,
93
    client_name VARCHAR(255) NOT NULL,
94
    redirect_uris TEXT[] NOT NULL,
95
    allowed_scopes TEXT[] NOT NULL,
96
    is_confidential BOOLEAN NOT NULL DEFAULT true,
97
    token_lifetime_seconds INTEGER NOT NULL DEFAULT 3600,
98
    refresh_token_lifetime_seconds INTEGER NOT NULL DEFAULT 86400,
99
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
100
    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
101
);
102

103
CREATE TABLE oauth2_authorization_codes (
104
    code VARCHAR(255) PRIMARY KEY,
105
    client_id VARCHAR(255) NOT NULL REFERENCES oauth2_clients(client_id),
106
    user_id UUID NOT NULL REFERENCES users(id),
107
    redirect_uri TEXT NOT NULL,
108
    scope TEXT NOT NULL,
109
    code_challenge VARCHAR(255),
110
    code_challenge_method VARCHAR(10),
111
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
112
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
113
);
114

115
CREATE TABLE oauth2_access_tokens (
116
    token_hash VARCHAR(255) PRIMARY KEY,
117
    client_id VARCHAR(255) NOT NULL REFERENCES oauth2_clients(client_id),
118
    user_id UUID NOT NULL REFERENCES users(id),
119
    scope TEXT NOT NULL,
120
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
121
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
122
);
123

124
CREATE TABLE oauth2_refresh_tokens (
125
    token_hash VARCHAR(255) PRIMARY KEY,
126
    access_token_hash VARCHAR(255) NOT NULL,
127
    client_id VARCHAR(255) NOT NULL REFERENCES oauth2_clients(client_id),
128
    user_id UUID NOT NULL REFERENCES users(id),
129
    scope TEXT NOT NULL,
130
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
131
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
132
);
133

134
-- Session management
135
CREATE TABLE user_sessions (
136
    session_id VARCHAR(255) PRIMARY KEY,
137
    user_id UUID NOT NULL REFERENCES users(id),
138
    client_info JSONB NOT NULL,
139
    ip_address INET,
140
    user_agent TEXT,
141
    expires_at TIMESTAMP WITH TIME ZONE NOT NULL,
142
    last_activity TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
143
    is_revoked BOOLEAN NOT NULL DEFAULT false,
144
    revoked_at TIMESTAMP WITH TIME ZONE,
145
    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
146
);
147

148
-- Audit logging
149
CREATE TABLE audit_logs (
150
    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
151
    user_id UUID REFERENCES users(id),
152
    action VARCHAR(100) NOT NULL,
153
    resource VARCHAR(100),
154
    resource_id VARCHAR(255),
155
    ip_address INET,
156
    user_agent TEXT,
157
    request_id VARCHAR(255),
158
    details JSONB,
159
    severity VARCHAR(20) NOT NULL DEFAULT 'INFO',
160
    timestamp TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
161
);
162

163
-- Indexes for performance
164
CREATE INDEX idx_users_email ON users(email);
165
CREATE INDEX idx_users_username ON users(username);
166
CREATE INDEX idx_users_last_login ON users(last_login);
167
CREATE INDEX idx_user_sessions_user_id ON user_sessions(user_id);
168
CREATE INDEX idx_user_sessions_expires_at ON user_sessions(expires_at);
169
CREATE INDEX idx_oauth2_access_tokens_expires_at ON oauth2_access_tokens(expires_at);
170
CREATE INDEX idx_oauth2_refresh_tokens_expires_at ON oauth2_refresh_tokens(expires_at);
171
CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
172
CREATE INDEX idx_audit_logs_timestamp ON audit_logs(timestamp);
173

174
-- Initial system roles and permissions
175
INSERT INTO roles (name, description, is_system_role) VALUES
176
    ('super_admin', 'System administrator with full access', true),
177
    ('admin', 'Administrator with most permissions', true),
178
    ('user', 'Standard user with basic permissions', true),
179
    ('readonly', 'Read-only access to resources', true);
180

181
INSERT INTO permissions (name, resource, action, description) VALUES
182
    ('users.create', 'users', 'create', 'Create new users'),
183
    ('users.read', 'users', 'read', 'View user information'),
184
    ('users.update', 'users', 'update', 'Update user information'),
185
    ('users.delete', 'users', 'delete', 'Delete users'),
186
    ('roles.manage', 'roles', 'manage', 'Manage roles and permissions'),
187
    ('system.admin', 'system', 'admin', 'System administration access'),
188
    ('audit.read', 'audit', 'read', 'View audit logs');

JWT Token Management#

Secure JWT Implementation#

1
use jsonwebtoken::{decode, encode, Algorithm, DecodingKey, EncodingKey, Header, Validation};
2
use serde::{Deserialize, Serialize};
3
use std::collections::HashSet;
4
use chrono::{DateTime, Duration, Utc};
5
use uuid::Uuid;
6
use anyhow::Result;
7

8
#[derive(Debug, Clone)]
9
pub struct JwtManager {
10
    encoding_key: EncodingKey,
11
    decoding_key: DecodingKey,
12
    algorithm: Algorithm,
13
    access_token_lifetime: Duration,
14
    refresh_token_lifetime: Duration,
15
    issuer: String,
16
    audience: HashSet<String>,
17
}
18

19
#[derive(Debug, Clone, Serialize, Deserialize)]
20
pub struct Claims {
21
    // Standard JWT claims
22
    pub sub: String,          // Subject (user ID)
23
    pub iss: String,          // Issuer
24
    pub aud: Vec<String>,     // Audience
25
    pub exp: i64,             // Expiration time
26
    pub iat: i64,             // Issued at
27
    pub nbf: i64,             // Not before
28
    pub jti: String,          // JWT ID
29

30
    // Custom claims
31
    pub username: String,
32
    pub email: String,
33
    pub roles: Vec<String>,
34
    pub permissions: Vec<String>,
35
    pub scope: String,
36
    pub token_type: TokenType,
37
    pub session_id: String,
38
    pub client_id: Option<String>,
39
}
40

41
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq)]
42
#[serde(rename_all = "lowercase")]
43
pub enum TokenType {
44
    Access,
45
    Refresh,
46
    IdToken,
47
}
48

49
#[derive(Debug, Clone)]
50
pub struct TokenPair {
51
    pub access_token: String,
52
    pub refresh_token: String,
53
    pub expires_in: u64,
54
    pub token_type: String,
55
}
56

57
impl JwtManager {
58
    pub fn new(
59
        secret: &[u8],
60
        issuer: String,
61
        audience: HashSet<String>,
62
        access_token_lifetime: Duration,
63
        refresh_token_lifetime: Duration,
64
    ) -> Result<Self> {
65
        // Use RS256 for production (requires RSA key pair)
66
        // For this example, we'll use HS256 with a secure secret
67
        let encoding_key = EncodingKey::from_secret(secret);
68
        let decoding_key = DecodingKey::from_secret(secret);
69

70
        Ok(Self {
71
            encoding_key,
72
            decoding_key,
73
            algorithm: Algorithm::HS256,
74
            access_token_lifetime,
75
            refresh_token_lifetime,
76
            issuer,
77
            audience,
78
        })
79
    }
80

81
    pub fn create_token_pair(
82
        &self,
83
        user_id: Uuid,
84
        username: String,
85
        email: String,
86
        roles: Vec<String>,
87
        permissions: Vec<String>,
88
        scope: String,
89
        session_id: String,
90
        client_id: Option<String>,
91
    ) -> Result<TokenPair> {
92
        let now = Utc::now();
93

94
        // Create access token
95
        let access_claims = Claims {
96
            sub: user_id.to_string(),
97
            iss: self.issuer.clone(),
98
            aud: self.audience.iter().cloned().collect(),
99
            exp: (now + self.access_token_lifetime).timestamp(),
100
            iat: now.timestamp(),
101
            nbf: now.timestamp(),
102
            jti: Uuid::new_v4().to_string(),
103
            username: username.clone(),
104
            email: email.clone(),
105
            roles: roles.clone(),
106
            permissions,
107
            scope: scope.clone(),
108
            token_type: TokenType::Access,
109
            session_id: session_id.clone(),
110
            client_id: client_id.clone(),
111
        };
112

113
        let access_token = encode(
114
            &Header::new(self.algorithm),
115
            &access_claims,
116
            &self.encoding_key,
117
        )?;
118

119
        // Create refresh token
120
        let refresh_claims = Claims {
121
            sub: user_id.to_string(),
122
            iss: self.issuer.clone(),
123
            aud: self.audience.iter().cloned().collect(),
124
            exp: (now + self.refresh_token_lifetime).timestamp(),
125
            iat: now.timestamp(),
126
            nbf: now.timestamp(),
127
            jti: Uuid::new_v4().to_string(),
128
            username,
129
            email,
130
            roles,
131
            permissions: vec![], // Refresh tokens don't need permissions
132
            scope,
133
            token_type: TokenType::Refresh,
134
            session_id,
135
            client_id,
136
        };
137

138
        let refresh_token = encode(
139
            &Header::new(self.algorithm),
140
            &refresh_claims,
141
            &self.encoding_key,
142
        )?;
143

144
        Ok(TokenPair {
145
            access_token,
146
            refresh_token,
147
            expires_in: self.access_token_lifetime.num_seconds() as u64,
148
            token_type: "Bearer".to_string(),
149
        })
150
    }
151

152
    pub fn verify_token(&self, token: &str) -> Result<Claims> {
153
        let mut validation = Validation::new(self.algorithm);
154
        validation.set_issuer(&[&self.issuer]);
155
        validation.set_audience(&self.audience);
156
        validation.validate_exp = true;
157
        validation.validate_nbf = true;
158

159
        let token_data = decode::<Claims>(token, &self.decoding_key, &validation)?;
160
        Ok(token_data.claims)
161
    }
162

163
    pub fn refresh_access_token(
164
        &self,
165
        refresh_token: &str,
166
        user_service: &UserService,
167
    ) -> Result<TokenPair> {
168
        // Verify refresh token
169
        let claims = self.verify_token(refresh_token)?;
170

171
        // Ensure it's a refresh token
172
        if claims.token_type != TokenType::Refresh {
173
            return Err(anyhow::anyhow!("Invalid token type for refresh"));
174
        }
175

176
        // Get updated user information
177
        let user_id = Uuid::parse_str(&claims.sub)?;
178
        let user = user_service.get_user_by_id(user_id)?
179
            .ok_or_else(|| anyhow::anyhow!("User not found"))?;
180

181
        // Check if user is still active
182
        if !user.is_active {
183
            return Err(anyhow::anyhow!("User account is inactive"));
184
        }
185

186
        // Get current roles and permissions
187
        let roles = user_service.get_user_roles(user_id)?;
188
        let permissions = user_service.get_user_permissions(user_id)?;
189

190
        // Create new token pair
191
        self.create_token_pair(
192
            user_id,
193
            user.username,
194
            user.email,
195
            roles,
196
            permissions,
197
            claims.scope,
198
            claims.session_id,
199
            claims.client_id,
200
        )
201
    }
202

203
    pub fn extract_bearer_token(authorization_header: &str) -> Option<&str> {
204
        authorization_header
205
            .strip_prefix("Bearer ")
206
            .map(|token| token.trim())
207
    }
208

209
    pub fn validate_token_permissions(&self, token: &str, required_permission: &str) -> Result<bool> {
210
        let claims = self.verify_token(token)?;
211
        Ok(claims.permissions.contains(&required_permission.to_string()))
212
    }
213

214
    pub fn validate_token_roles(&self, token: &str, required_roles: &[String]) -> Result<bool> {
215
        let claims = self.verify_token(token)?;
216
        Ok(required_roles.iter().any(|role| claims.roles.contains(role)))
217
    }
218

219
    pub fn get_token_info(&self, token: &str) -> Result<TokenInfo> {
220
        let claims = self.verify_token(token)?;
221

222
        Ok(TokenInfo {
223
            user_id: Uuid::parse_str(&claims.sub)?,
224
            username: claims.username,
225
            email: claims.email,
226
            roles: claims.roles,
227
            permissions: claims.permissions,
228
            expires_at: DateTime::from_timestamp(claims.exp, 0)
229
                .ok_or_else(|| anyhow::anyhow!("Invalid expiration timestamp"))?,
230
            session_id: claims.session_id,
231
            client_id: claims.client_id,
232
        })
233
    }
234
}
235

236
#[derive(Debug, Clone)]
237
pub struct TokenInfo {
238
    pub user_id: Uuid,
239
    pub username: String,
240
    pub email: String,
241
    pub roles: Vec<String>,
242
    pub permissions: Vec<String>,
243
    pub expires_at: DateTime<Utc>,
244
    pub session_id: String,
245
    pub client_id: Option<String>,
246
}
247

248
// Secure token storage for refresh tokens
249
#[derive(Debug, Clone)]
250
pub struct TokenStore {
251
    redis: redis::Client,
252
}
253

254
impl TokenStore {
255
    pub fn new(redis_url: &str) -> Result<Self> {
256
        let redis = redis::Client::open(redis_url)?;
257
        Ok(Self { redis })
258
    }
259

260
    pub async fn store_refresh_token(
261
        &self,
262
        user_id: Uuid,
263
        token_hash: &str,
264
        expires_at: DateTime<Utc>,
265
    ) -> Result<()> {
266
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
267
        let key = format!("refresh_token:{}", user_id);
268
        let ttl = (expires_at - Utc::now()).num_seconds();
269

270
        redis::cmd("SETEX")
271
            .arg(&key)
272
            .arg(ttl)
273
            .arg(token_hash)
274
            .exec_async(&mut conn)
275
            .await?;
276

277
        Ok(())
278
    }
279

280
    pub async fn validate_refresh_token(
281
        &self,
282
        user_id: Uuid,
283
        token_hash: &str,
284
    ) -> Result<bool> {
285
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
286
        let key = format!("refresh_token:{}", user_id);
287

288
        let stored_hash: Option<String> = redis::cmd("GET")
289
            .arg(&key)
290
            .query_async(&mut conn)
291
            .await?;
292

293
        Ok(stored_hash.as_deref() == Some(token_hash))
294
    }
295

296
    pub async fn revoke_refresh_token(&self, user_id: Uuid) -> Result<()> {
297
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
298
        let key = format!("refresh_token:{}", user_id);
299

300
        redis::cmd("DEL")
301
            .arg(&key)
302
            .exec_async(&mut conn)
303
            .await?;
304

305
        Ok(())
306
    }
307

308
    pub async fn revoke_all_user_tokens(&self, user_id: Uuid) -> Result<()> {
309
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
310
        let pattern = format!("*:{}:*", user_id);
311

312
        let keys: Vec<String> = redis::cmd("KEYS")
313
            .arg(&pattern)
314
            .query_async(&mut conn)
315
            .await?;
316

317
        if !keys.is_empty() {
318
            redis::cmd("DEL")
319
                .arg(&keys)
320
                .exec_async(&mut conn)
321
                .await?;
322
        }
323

324
        Ok(())
325
    }
326
}
327

328
// JWT Middleware for Axum
329
#[derive(Clone)]
330
pub struct JwtAuthLayer {
331
    jwt_manager: Arc<JwtManager>,
332
}
333

334
impl JwtAuthLayer {
335
    pub fn new(jwt_manager: Arc<JwtManager>) -> Self {
336
        Self { jwt_manager }
337
    }
338
}
339

340
use axum::{
341
    extract::Request,
342
    http::{HeaderMap, StatusCode},
343
    middleware::Next,
344
    response::Response,
345
};
346

347
pub async fn jwt_auth_middleware(
348
    headers: HeaderMap,
349
    mut request: Request,
350
    next: Next,
351
) -> Result<Response, StatusCode> {
352
    let auth_header = headers
353
        .get("authorization")
354
        .and_then(|h| h.to_str().ok())
355
        .ok_or(StatusCode::UNAUTHORIZED)?;
356

357
    let token = JwtManager::extract_bearer_token(auth_header)
358
        .ok_or(StatusCode::UNAUTHORIZED)?;
359

360
    // Get JWT manager from app state
361
    let jwt_manager = request
362
        .extensions()
363
        .get::<Arc<JwtManager>>()
364
        .ok_or(StatusCode::INTERNAL_SERVER_ERROR)?;
365

366
    let claims = jwt_manager
367
        .verify_token(token)
368
        .map_err(|_| StatusCode::UNAUTHORIZED)?;
369

370
    // Add claims to request extensions
371
    request.extensions_mut().insert(claims);
372

373
    Ok(next.run(request).await)
374
}
375

376
// Permission-based authorization middleware
377
pub fn require_permission(permission: &'static str) -> impl Fn(Request, Next) -> impl std::future::Future<Output = Result<Response, StatusCode>> + Clone {
378
    move |request: Request, next: Next| async move {
379
        let claims = request
380
            .extensions()
381
            .get::<Claims>()
382
            .ok_or(StatusCode::UNAUTHORIZED)?;
383

384
        if !claims.permissions.contains(&permission.to_string()) {
385
            return Err(StatusCode::FORBIDDEN);
386
        }
387

388
        Ok(next.run(request).await)
389
    }
390
}
391

392
// Role-based authorization middleware
393
pub fn require_role(roles: &'static [&'static str]) -> impl Fn(Request, Next) -> impl std::future::Future<Output = Result<Response, StatusCode>> + Clone {
394
    move |request: Request, next: Next| async move {
395
        let claims = request
396
            .extensions()
397
            .get::<Claims>()
398
            .ok_or(StatusCode::UNAUTHORIZED)?;
399

400
        let has_role = roles.iter().any(|role| claims.roles.contains(&role.to_string()));
401
        if !has_role {
402
            return Err(StatusCode::FORBIDDEN);
403
        }
404

405
        Ok(next.run(request).await)
406
    }
407
}

Multi-Factor Authentication (MFA)#

TOTP Implementation#

1
use totp_rs::{Algorithm, Secret, TOTP};
2
use qrcode::{QrCode, render::svg};
3
use ring::rand::{SecureRandom, SystemRandom};
4
use aes_gcm::{Aes256Gcm, Key, Nonce, aead::{Aead, NewAead}};
5
use base64::{Engine as _, engine::general_purpose};
6
use serde::{Deserialize, Serialize};
7
use uuid::Uuid;
8
use chrono::{DateTime, Utc};
9
use anyhow::Result;
10

11
#[derive(Debug, Clone)]
12
pub struct MfaManager {
13
    encryption_key: [u8; 32],
14
    issuer: String,
15
    backup_codes_count: usize,
16
}
17

18
#[derive(Debug, Clone, Serialize, Deserialize)]
19
pub struct MfaSetup {
20
    pub secret_key: String,
21
    pub qr_code_svg: String,
22
    pub backup_codes: Vec<String>,
23
    pub setup_uri: String,
24
}
25

26
#[derive(Debug, Clone, Serialize, Deserialize)]
27
pub struct MfaConfig {
28
    pub user_id: Uuid,
29
    pub is_enabled: bool,
30
    pub secret_key_encrypted: String,
31
    pub backup_codes_encrypted: Vec<String>,
32
    pub recovery_codes_used: i32,
33
    pub last_used_at: Option<DateTime<Utc>>,
34
}
35

36
#[derive(Debug, Clone, Serialize, Deserialize)]
37
pub struct MfaVerificationRequest {
38
    pub user_id: Uuid,
39
    pub token: String,
40
    pub backup_code: Option<String>,
41
}
42

43
#[derive(Debug, Clone, Serialize, Deserialize)]
44
pub struct MfaVerificationResponse {
45
    pub is_valid: bool,
46
    pub backup_code_used: bool,
47
    pub remaining_backup_codes: usize,
48
}
49

50
impl MfaManager {
51
    pub fn new(encryption_key: [u8; 32], issuer: String) -> Self {
52
        Self {
53
            encryption_key,
54
            issuer,
55
            backup_codes_count: 10,
56
        }
57
    }
58

59
    pub fn generate_mfa_setup(&self, user_id: Uuid, username: &str, email: &str) -> Result<MfaSetup> {
60
        // Generate a random secret key
61
        let secret = Secret::generate_secret();
62
        let secret_str = secret.to_encoded().to_string();
63

64
        // Create TOTP instance
65
        let totp = TOTP::new(
66
            Algorithm::SHA1,
67
            6, // 6-digit codes
68
            1, // 30-second time step
69
            30,
70
            secret.to_bytes().unwrap(),
71
            Some(self.issuer.clone()),
72
            username.to_string(),
73
        )?;
74

75
        // Generate QR code
76
        let setup_uri = totp.get_url();
77
        let qr_code = QrCode::new(&setup_uri)?;
78
        let qr_code_svg = qr_code.render::<svg::Color>()
79
            .min_dimensions(200, 200)
80
            .dark_color(svg::Color("#000000"))
81
            .light_color(svg::Color("#ffffff"))
82
            .build();
83

84
        // Generate backup codes
85
        let backup_codes = self.generate_backup_codes()?;
86

87
        Ok(MfaSetup {
88
            secret_key: secret_str,
89
            qr_code_svg,
90
            backup_codes,
91
            setup_uri,
92
        })
93
    }
94

95
    pub fn enable_mfa(&self, user_id: Uuid, secret_key: &str, backup_codes: &[String]) -> Result<MfaConfig> {
96
        // Encrypt secret key and backup codes
97
        let secret_encrypted = self.encrypt_data(secret_key.as_bytes())?;
98
        let backup_codes_encrypted: Result<Vec<String>> = backup_codes
99
            .iter()
100
            .map(|code| self.encrypt_data(code.as_bytes()))
101
            .collect();
102

103
        Ok(MfaConfig {
104
            user_id,
105
            is_enabled: true,
106
            secret_key_encrypted: secret_encrypted,
107
            backup_codes_encrypted: backup_codes_encrypted?,
108
            recovery_codes_used: 0,
109
            last_used_at: None,
110
        })
111
    }
112

113
    pub fn verify_totp_token(&self, config: &MfaConfig, token: &str) -> Result<bool> {
114
        if !config.is_enabled {
115
            return Ok(false);
116
        }
117

118
        // Decrypt secret key
119
        let secret_key = self.decrypt_data(&config.secret_key_encrypted)?;
120
        let secret = Secret::Encoded(String::from_utf8(secret_key)?);
121

122
        // Create TOTP instance
123
        let totp = TOTP::new(
124
            Algorithm::SHA1,
125
            6,
126
            1,
127
            30,
128
            secret.to_bytes().unwrap(),
129
            Some(self.issuer.clone()),
130
            "user".to_string(), // Username not needed for verification
131
        )?;
132

133
        // Verify token with time tolerance (allows for clock skew)
134
        let current_time = std::time::SystemTime::now()
135
            .duration_since(std::time::UNIX_EPOCH)?
136
            .as_secs();
137

138
        // Check current time step and adjacent time steps
139
        for time_step_offset in [-1, 0, 1] {
140
            let check_time = (current_time as i64 + (time_step_offset * 30)) as u64;
141
            if totp.generate(check_time) == token {
142
                return Ok(true);
143
            }
144
        }
145

146
        Ok(false)
147
    }
148

149
    pub fn verify_backup_code(&self, config: &mut MfaConfig, backup_code: &str) -> Result<bool> {
150
        if !config.is_enabled {
151
            return Ok(false);
152
        }
153

154
        // Check if backup code exists and hasn't been used
155
        for (index, encrypted_code) in config.backup_codes_encrypted.iter().enumerate() {
156
            let decrypted_code = self.decrypt_data(encrypted_code)?;
157
            let code_str = String::from_utf8(decrypted_code)?;
158

159
            if code_str == backup_code {
160
                // Mark code as used by removing it
161
                config.backup_codes_encrypted.remove(index);
162
                config.recovery_codes_used += 1;
163
                return Ok(true);
164
            }
165
        }
166

167
        Ok(false)
168
    }
169

170
    pub async fn verify_mfa(
171
        &self,
172
        mut config: MfaConfig,
173
        request: &MfaVerificationRequest,
174
    ) -> Result<MfaVerificationResponse> {
175
        let mut backup_code_used = false;
176
        let mut is_valid = false;
177

178
        // First try TOTP token if provided
179
        if !request.token.is_empty() {
180
            is_valid = self.verify_totp_token(&config, &request.token)?;
181
        }
182

183
        // If TOTP failed and backup code provided, try backup code
184
        if !is_valid && request.backup_code.is_some() {
185
            let backup_code = request.backup_code.as_ref().unwrap();
186
            is_valid = self.verify_backup_code(&mut config, backup_code)?;
187
            backup_code_used = is_valid;
188
        }
189

190
        // Update last used time if verification succeeded
191
        if is_valid {
192
            // This would typically be saved to database
193
            // config.last_used_at = Some(Utc::now());
194
        }
195

196
        Ok(MfaVerificationResponse {
197
            is_valid,
198
            backup_code_used,
199
            remaining_backup_codes: config.backup_codes_encrypted.len(),
200
        })
201
    }
202

203
    pub fn generate_backup_codes(&self) -> Result<Vec<String>> {
204
        let rng = SystemRandom::new();
205
        let mut codes = Vec::with_capacity(self.backup_codes_count);
206

207
        for _ in 0..self.backup_codes_count {
208
            let mut code_bytes = [0u8; 5];
209
            rng.fill(&mut code_bytes)?;
210

211
            // Convert to readable format (XXXXX-XXXXX)
212
            let code = format!(
213
                "{:05}-{:05}",
214
                u32::from_be_bytes([0, code_bytes[0], code_bytes[1], code_bytes[2]]) % 100000,
215
                u32::from_be_bytes([0, code_bytes[2], code_bytes[3], code_bytes[4]]) % 100000
216
            );
217
            codes.push(code);
218
        }
219

220
        Ok(codes)
221
    }
222

223
    fn encrypt_data(&self, data: &[u8]) -> Result<String> {
224
        let cipher = Aes256Gcm::new(Key::from_slice(&self.encryption_key));
225

226
        // Generate random nonce
227
        let rng = SystemRandom::new();
228
        let mut nonce_bytes = [0u8; 12];
229
        rng.fill(&mut nonce_bytes)?;
230
        let nonce = Nonce::from_slice(&nonce_bytes);
231

232
        // Encrypt data
233
        let ciphertext = cipher.encrypt(nonce, data)
234
            .map_err(|e| anyhow::anyhow!("Encryption failed: {}", e))?;
235

236
        // Combine nonce and ciphertext
237
        let mut result = nonce_bytes.to_vec();
238
        result.extend_from_slice(&ciphertext);
239

240
        Ok(general_purpose::STANDARD.encode(&result))
241
    }
242

243
    fn decrypt_data(&self, encrypted_data: &str) -> Result<Vec<u8>> {
244
        let cipher = Aes256Gcm::new(Key::from_slice(&self.encryption_key));
245

246
        // Decode base64
247
        let data = general_purpose::STANDARD.decode(encrypted_data)?;
248

249
        if data.len() < 12 {
250
            return Err(anyhow::anyhow!("Invalid encrypted data length"));
251
        }
252

253
        // Extract nonce and ciphertext
254
        let (nonce_bytes, ciphertext) = data.split_at(12);
255
        let nonce = Nonce::from_slice(nonce_bytes);
256

257
        // Decrypt data
258
        let plaintext = cipher.decrypt(nonce, ciphertext)
259
            .map_err(|e| anyhow::anyhow!("Decryption failed: {}", e))?;
260

261
        Ok(plaintext)
262
    }
263

264
    pub fn disable_mfa(&self, config: &mut MfaConfig) -> Result<()> {
265
        config.is_enabled = false;
266
        config.secret_key_encrypted.clear();
267
        config.backup_codes_encrypted.clear();
268
        config.recovery_codes_used = 0;
269
        config.last_used_at = None;
270
        Ok(())
271
    }
272

273
    pub fn regenerate_backup_codes(&self, config: &mut MfaConfig) -> Result<Vec<String>> {
274
        let new_codes = self.generate_backup_codes()?;
275

276
        // Encrypt new codes
277
        let encrypted_codes: Result<Vec<String>> = new_codes
278
            .iter()
279
            .map(|code| self.encrypt_data(code.as_bytes()))
280
            .collect();
281

282
        config.backup_codes_encrypted = encrypted_codes?;
283
        config.recovery_codes_used = 0;
284

285
        Ok(new_codes)
286
    }
287

288
    pub fn get_mfa_status(&self, config: &MfaConfig) -> MfaStatus {
289
        MfaStatus {
290
            is_enabled: config.is_enabled,
291
            backup_codes_remaining: config.backup_codes_encrypted.len(),
292
            last_used_at: config.last_used_at,
293
            setup_required: !config.is_enabled && config.secret_key_encrypted.is_empty(),
294
        }
295
    }
296
}
297

298
#[derive(Debug, Clone, Serialize, Deserialize)]
299
pub struct MfaStatus {
300
    pub is_enabled: bool,
301
    pub backup_codes_remaining: usize,
302
    pub last_used_at: Option<DateTime<Utc>>,
303
    pub setup_required: bool,
304
}
305

306
// Rate limiting for MFA attempts
307
#[derive(Debug, Clone)]
308
pub struct MfaRateLimiter {
309
    redis: redis::Client,
310
    max_attempts: u32,
311
    window_seconds: u64,
312
    lockout_duration_seconds: u64,
313
}
314

315
impl MfaRateLimiter {
316
    pub fn new(redis_url: &str) -> Result<Self> {
317
        Ok(Self {
318
            redis: redis::Client::open(redis_url)?,
319
            max_attempts: 5,
320
            window_seconds: 300, // 5 minutes
321
            lockout_duration_seconds: 900, // 15 minutes
322
        })
323
    }
324

325
    pub async fn check_rate_limit(&self, user_id: Uuid) -> Result<bool> {
326
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
327
        let key = format!("mfa_attempts:{}", user_id);
328

329
        // Check if user is locked out
330
        let lockout_key = format!("mfa_lockout:{}", user_id);
331
        let is_locked: Option<String> = redis::cmd("GET")
332
            .arg(&lockout_key)
333
            .query_async(&mut conn)
334
            .await?;
335

336
        if is_locked.is_some() {
337
            return Ok(false); // Rate limited
338
        }
339

340
        // Check attempt count
341
        let attempts: Option<u32> = redis::cmd("GET")
342
            .arg(&key)
343
            .query_async(&mut conn)
344
            .await?;
345

346
        let current_attempts = attempts.unwrap_or(0);
347

348
        if current_attempts >= self.max_attempts {
349
            // Lock out user
350
            redis::cmd("SETEX")
351
                .arg(&lockout_key)
352
                .arg(self.lockout_duration_seconds)
353
                .arg("locked")
354
                .exec_async(&mut conn)
355
                .await?;
356

357
            // Clear attempts counter
358
            redis::cmd("DEL")
359
                .arg(&key)
360
                .exec_async(&mut conn)
361
                .await?;
362

363
            return Ok(false);
364
        }
365

366
        Ok(true)
367
    }
368

369
    pub async fn record_attempt(&self, user_id: Uuid, success: bool) -> Result<()> {
370
        let mut conn = self.redis.get_multiplexed_async_connection().await?;
371
        let key = format!("mfa_attempts:{}", user_id);
372

373
        if success {
374
            // Clear attempts on success
375
            redis::cmd("DEL")
376
                .arg(&key)
377
                .exec_async(&mut conn)
378
                .await?;
379
        } else {
380
            // Increment attempts
381
            redis::cmd("INCR")
382
                .arg(&key)
383
                .exec_async(&mut conn)
384
                .await?;
385

386
            // Set expiration on first attempt
387
            redis::cmd("EXPIRE")
388
                .arg(&key)
389
                .arg(self.window_seconds)
390
                .exec_async(&mut conn)
391
                .await?;
392
        }
393

394
        Ok(())
395
    }
396
}

OAuth2 Implementation#

OAuth2 Authorization Server#

1
use oauth2::{
2
    AuthUrl, AuthorizationCode, ClientId, ClientSecret, CsrfToken, PkceCodeChallenge,
3
    PkceCodeVerifier, RedirectUrl, Scope, TokenUrl,
4
};
5
use serde::{Deserialize, Serialize};
6
use uuid::Uuid;
7
use chrono::{DateTime, Duration, Utc};
8
use url::Url;
9
use anyhow::Result;
10
use std::collections::HashMap;
11

12
#[derive(Debug, Clone)]
13
pub struct OAuth2Provider {
14
    clients: HashMap<String, OAuth2Client>,
15
    auth_codes: Arc<Mutex<HashMap<String, AuthorizationCodeGrant>>>,
16
    access_tokens: Arc<Mutex<HashMap<String, AccessTokenGrant>>>,
17
    refresh_tokens: Arc<Mutex<HashMap<String, RefreshTokenGrant>>>,
18
}
19

20
#[derive(Debug, Clone, Serialize, Deserialize)]
21
pub struct OAuth2Client {
22
    pub client_id: String,
23
    pub client_secret_hash: String,
24
    pub client_name: String,
25
    pub redirect_uris: Vec<String>,
26
    pub allowed_scopes: Vec<String>,
27
    pub is_confidential: bool,
28
    pub token_lifetime_seconds: u64,
29
    pub refresh_token_lifetime_seconds: u64,
30
}
31

32
#[derive(Debug, Clone, Serialize, Deserialize)]
33
pub struct AuthorizationRequest {
34
    pub response_type: String,
35
    pub client_id: String,
36
    pub redirect_uri: String,
37
    pub scope: Option<String>,
38
    pub state: Option<String>,
39
    pub code_challenge: Option<String>,
40
    pub code_challenge_method: Option<String>,
41
}
42

43
#[derive(Debug, Clone, Serialize, Deserialize)]
44
pub struct AuthorizationResponse {
45
    pub code: String,
46
    pub state: Option<String>,
47
}
48

49
#[derive(Debug, Clone, Serialize, Deserialize)]
50
pub struct TokenRequest {
51
    pub grant_type: String,
52
    pub code: Option<String>,
53
    pub redirect_uri: Option<String>,
54
    pub client_id: String,
55
    pub client_secret: Option<String>,
56
    pub code_verifier: Option<String>,
57
    pub refresh_token: Option<String>,
58
    pub scope: Option<String>,
59
}
60

61
#[derive(Debug, Clone, Serialize, Deserialize)]
62
pub struct TokenResponse {
63
    pub access_token: String,
64
    pub token_type: String,
65
    pub expires_in: u64,
66
    pub refresh_token: Option<String>,
67
    pub scope: String,
68
    pub id_token: Option<String>,
69
}
70

71
#[derive(Debug, Clone)]
72
struct AuthorizationCodeGrant {
73
    client_id: String,
74
    user_id: Uuid,
75
    redirect_uri: String,
76
    scope: String,
77
    code_challenge: Option<String>,
78
    code_challenge_method: Option<String>,
79
    expires_at: DateTime<Utc>,
80
}
81

82
#[derive(Debug, Clone)]
83
struct AccessTokenGrant {
84
    client_id: String,
85
    user_id: Uuid,
86
    scope: String,
87
    expires_at: DateTime<Utc>,
88
}
89

90
#[derive(Debug, Clone)]
91
struct RefreshTokenGrant {
92
    access_token_hash: String,
93
    client_id: String,
94
    user_id: Uuid,
95
    scope: String,
96
    expires_at: DateTime<Utc>,
97
}
98

99
impl OAuth2Provider {
100
    pub fn new() -> Self {
101
        Self {
102
            clients: HashMap::new(),
103
            auth_codes: Arc::new(Mutex::new(HashMap::new())),
104
            access_tokens: Arc::new(Mutex::new(HashMap::new())),
105
            refresh_tokens: Arc::new(Mutex::new(HashMap::new())),
106
        }
107
    }
108

109
    pub fn register_client(&mut self, client: OAuth2Client) {
110
        self.clients.insert(client.client_id.clone(), client);
111
    }
112

113
    pub fn authorize(
114
        &self,
115
        request: &AuthorizationRequest,
116
        user_id: Uuid,
117
    ) -> Result<AuthorizationResponse> {
118
        // Validate client
119
        let client = self.clients.get(&request.client_id)
120
            .ok_or_else(|| anyhow::anyhow!("Invalid client_id"))?;
121

122
        // Validate redirect URI
123
        if !client.redirect_uris.contains(&request.redirect_uri) {
124
            return Err(anyhow::anyhow!("Invalid redirect_uri"));
125
        }
126

127
        // Validate response type
128
        if request.response_type != "code" {
129
            return Err(anyhow::anyhow!("Unsupported response_type"));
130
        }
131

132
        // Validate and parse scopes
133
        let requested_scopes = request.scope
134
            .as_ref()
135
            .map(|s| s.split_whitespace().collect::<Vec<_>>())
136
            .unwrap_or_default();
137

138
        // Check if all requested scopes are allowed
139
        for scope in &requested_scopes {
140
            if !client.allowed_scopes.contains(&scope.to_string()) {
141
                return Err(anyhow::anyhow!("Invalid scope: {}", scope));
142
            }
143
        }
144

145
        // Generate authorization code
146
        let auth_code = self.generate_authorization_code();
147
        let expires_at = Utc::now() + Duration::minutes(10); // 10-minute expiry
148

149
        // Store authorization grant
150
        let grant = AuthorizationCodeGrant {
151
            client_id: request.client_id.clone(),
152
            user_id,
153
            redirect_uri: request.redirect_uri.clone(),
154
            scope: requested_scopes.join(" "),
155
            code_challenge: request.code_challenge.clone(),
156
            code_challenge_method: request.code_challenge_method.clone(),
157
            expires_at,
158
        };
159

160
        self.auth_codes.lock().unwrap().insert(auth_code.clone(), grant);
161

162
        Ok(AuthorizationResponse {
163
            code: auth_code,
164
            state: request.state.clone(),
165
        })
166
    }
167

168
    pub fn exchange_code_for_token(
169
        &self,
170
        request: &TokenRequest,
171
        jwt_manager: &JwtManager,
172
        user_service: &UserService,
173
    ) -> Result<TokenResponse> {
174
        match request.grant_type.as_str() {
175
            "authorization_code" => self.handle_authorization_code_grant(request, jwt_manager, user_service),
176
            "refresh_token" => self.handle_refresh_token_grant(request, jwt_manager, user_service),
177
            _ => Err(anyhow::anyhow!("Unsupported grant_type")),
178
        }
179
    }
180

181
    fn handle_authorization_code_grant(
182
        &self,
183
        request: &TokenRequest,
184
        jwt_manager: &JwtManager,
185
        user_service: &UserService,
186
    ) -> Result<TokenResponse> {
187
        let code = request.code.as_ref()
188
            .ok_or_else(|| anyhow::anyhow!("Missing authorization code"))?;
189

190
        // Get and remove authorization code grant
191
        let grant = {
192
            let mut codes = self.auth_codes.lock().unwrap();
193
            codes.remove(code)
194
                .ok_or_else(|| anyhow::anyhow!("Invalid or expired authorization code"))?
195
        };
196

197
        // Validate client
198
        let client = self.clients.get(&request.client_id)
199
            .ok_or_else(|| anyhow::anyhow!("Invalid client_id"))?;
200

201
        if grant.client_id != request.client_id {
202
            return Err(anyhow::anyhow!("Client ID mismatch"));
203
        }
204

205
        // Check expiration
206
        if Utc::now() > grant.expires_at {
207
            return Err(anyhow::anyhow!("Authorization code expired"));
208
        }
209

210
        // Validate redirect URI
211
        if let Some(redirect_uri) = &request.redirect_uri {
212
            if *redirect_uri != grant.redirect_uri {
213
                return Err(anyhow::anyhow!("Redirect URI mismatch"));
214
            }
215
        }
216

217
        // Validate PKCE if present
218
        if let Some(code_challenge) = &grant.code_challenge {
219
            let code_verifier = request.code_verifier.as_ref()
220
                .ok_or_else(|| anyhow::anyhow!("Missing code_verifier for PKCE"))?;
221

222
            if !self.verify_pkce_challenge(code_challenge, code_verifier, &grant.code_challenge_method)? {
223
                return Err(anyhow::anyhow!("Invalid PKCE code_verifier"));
224
            }
225
        }
226

227
        // Authenticate confidential clients
228
        if client.is_confidential {
229
            let client_secret = request.client_secret.as_ref()
230
                .ok_or_else(|| anyhow::anyhow!("Missing client_secret"))?;
231

232
            if !self.verify_client_secret(client, client_secret)? {
233
                return Err(anyhow::anyhow!("Invalid client_secret"));
234
            }
235
        }
236

237
        // Get user information
238
        let user = user_service.get_user_by_id(grant.user_id)?
239
            .ok_or_else(|| anyhow::anyhow!("User not found"))?;
240

241
        if !user.is_active {
242
            return Err(anyhow::anyhow!("User account is inactive"));
243
        }
244

245
        // Get user roles and permissions
246
        let roles = user_service.get_user_roles(grant.user_id)?;
247
        let permissions = user_service.get_user_permissions(grant.user_id)?;
248

249
        // Generate session ID
250
        let session_id = Uuid::new_v4().to_string();
251

252
        // Create JWT tokens
253
        let token_pair = jwt_manager.create_token_pair(
254
            grant.user_id,
255
            user.username.clone(),
256
            user.email.clone(),
257
            roles,
258
            permissions,
259
            grant.scope.clone(),
260
            session_id,
261
            Some(client.client_id.clone()),
262
        )?;
263

264
        // Store access token grant
265
        let access_token_hash = self.hash_token(&token_pair.access_token)?;
266
        let access_grant = AccessTokenGrant {
267
            client_id: client.client_id.clone(),
268
            user_id: grant.user_id,
269
            scope: grant.scope.clone(),
270
            expires_at: Utc::now() + Duration::seconds(client.token_lifetime_seconds as i64),
271
        };
272

273
        self.access_tokens.lock().unwrap().insert(access_token_hash.clone(), access_grant);
274

275
        // Store refresh token grant if refresh token is provided
276
        let refresh_token = if !token_pair.refresh_token.is_empty() {
277
            let refresh_token_hash = self.hash_token(&token_pair.refresh_token)?;
278
            let refresh_grant = RefreshTokenGrant {
279
                access_token_hash: access_token_hash.clone(),
280
                client_id: client.client_id.clone(),
281
                user_id: grant.user_id,
282
                scope: grant.scope.clone(),
283
                expires_at: Utc::now() + Duration::seconds(client.refresh_token_lifetime_seconds as i64),
284
            };
285

286
            self.refresh_tokens.lock().unwrap().insert(refresh_token_hash, refresh_grant);
287
            Some(token_pair.refresh_token)
288
        } else {
289
            None
290
        };
291

292
        Ok(TokenResponse {
293
            access_token: token_pair.access_token,
294
            token_type: token_pair.token_type,
295
            expires_in: token_pair.expires_in,
296
            refresh_token,
297
            scope: grant.scope,
298
            id_token: None, // Would implement OpenID Connect ID token here
299
        })
300
    }
301

302
    fn handle_refresh_token_grant(
303
        &self,
304
        request: &TokenRequest,
305
        jwt_manager: &JwtManager,
306
        user_service: &UserService,
307
    ) -> Result<TokenResponse> {
308
        let refresh_token = request.refresh_token.as_ref()
309
            .ok_or_else(|| anyhow::anyhow!("Missing refresh_token"))?;
310

311
        // Validate client
312
        let client = self.clients.get(&request.client_id)
313
            .ok_or_else(|| anyhow::anyhow!("Invalid client_id"))?;
314

315
        // Authenticate confidential clients
316
        if client.is_confidential {
317
            let client_secret = request.client_secret.as_ref()
318
                .ok_or_else(|| anyhow::anyhow!("Missing client_secret"))?;
319

320
            if !self.verify_client_secret(client, client_secret)? {
321
                return Err(anyhow::anyhow!("Invalid client_secret"));
322
            }
323
        }
324

325
        // Get and validate refresh token grant
326
        let refresh_token_hash = self.hash_token(refresh_token)?;
327
        let grant = {
328
            let refresh_tokens = self.refresh_tokens.lock().unwrap();
329
            refresh_tokens.get(&refresh_token_hash)
330
                .ok_or_else(|| anyhow::anyhow!("Invalid refresh_token"))?
331
                .clone()
332
        };
333

334
        if grant.client_id != request.client_id {
335
            return Err(anyhow::anyhow!("Client ID mismatch"));
336
        }
337

338
        // Check expiration
339
        if Utc::now() > grant.expires_at {
340
            return Err(anyhow::anyhow!("Refresh token expired"));
341
        }
342

343
        // Revoke old tokens
344
        self.revoke_access_token(&grant.access_token_hash)?;
345
        self.revoke_refresh_token(&refresh_token_hash)?;
346

347
        // Get user information
348
        let user = user_service.get_user_by_id(grant.user_id)?
349
            .ok_or_else(|| anyhow::anyhow!("User not found"))?;
350

351
        if !user.is_active {
352
            return Err(anyhow::anyhow!("User account is inactive"));
353
        }
354

355
        // Get current roles and permissions
356
        let roles = user_service.get_user_roles(grant.user_id)?;
357
        let permissions = user_service.get_user_permissions(grant.user_id)?;
358

359
        // Handle scope parameter
360
        let scope = if let Some(requested_scope) = &request.scope {
361
            // Validate that requested scope is a subset of original scope
362
            let original_scopes: Vec<&str> = grant.scope.split_whitespace().collect();
363
            let requested_scopes: Vec<&str> = requested_scope.split_whitespace().collect();
364

365
            for requested in &requested_scopes {
366
                if !original_scopes.contains(requested) {
367
                    return Err(anyhow::anyhow!("Invalid scope: {}", requested));
368
                }
369
            }
370

371
            requested_scope.clone()
372
        } else {
373
            grant.scope.clone()
374
        };
375

376
        // Generate new session ID
377
        let session_id = Uuid::new_v4().to_string();
378

379
        // Create new JWT tokens
380
        let token_pair = jwt_manager.create_token_pair(
381
            grant.user_id,
382
            user.username,
383
            user.email,
384
            roles,
385
            permissions,
386
            scope.clone(),
387
            session_id,
388
            Some(client.client_id.clone()),
389
        )?;
390

391
        // Store new access token grant
392
        let access_token_hash = self.hash_token(&token_pair.access_token)?;
393
        let access_grant = AccessTokenGrant {
394
            client_id: client.client_id.clone(),
395
            user_id: grant.user_id,
396
            scope: scope.clone(),
397
            expires_at: Utc::now() + Duration::seconds(client.token_lifetime_seconds as i64),
398
        };
399

400
        self.access_tokens.lock().unwrap().insert(access_token_hash.clone(), access_grant);
401

402
        // Store new refresh token grant
403
        let new_refresh_token_hash = self.hash_token(&token_pair.refresh_token)?;
404
        let new_refresh_grant = RefreshTokenGrant {
405
            access_token_hash: access_token_hash.clone(),
406
            client_id: client.client_id.clone(),
407
            user_id: grant.user_id,
408
            scope: scope.clone(),
409
            expires_at: Utc::now() + Duration::seconds(client.refresh_token_lifetime_seconds as i64),
410
        };
411

412
        self.refresh_tokens.lock().unwrap().insert(new_refresh_token_hash, new_refresh_grant);
413

414
        Ok(TokenResponse {
415
            access_token: token_pair.access_token,
416
            token_type: token_pair.token_type,
417
            expires_in: token_pair.expires_in,
418
            refresh_token: Some(token_pair.refresh_token),
419
            scope,
420
            id_token: None,
421
        })
422
    }
423

424
    fn generate_authorization_code(&self) -> String {
425
        use ring::rand::{SecureRandom, SystemRandom};
426
        let rng = SystemRandom::new();
427
        let mut code_bytes = [0u8; 32];
428
        rng.fill(&mut code_bytes).unwrap();
429
        base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&code_bytes)
430
    }
431

432
    fn verify_pkce_challenge(
433
        &self,
434
        code_challenge: &str,
435
        code_verifier: &str,
436
        method: &Option<String>,
437
    ) -> Result<bool> {
438
        let method = method.as_deref().unwrap_or("plain");
439

440
        match method {
441
            "plain" => Ok(code_challenge == code_verifier),
442
            "S256" => {
443
                use sha2::{Sha256, Digest};
444
                let mut hasher = Sha256::new();
445
                hasher.update(code_verifier.as_bytes());
446
                let hash = hasher.finalize();
447
                let encoded = base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(&hash);
448
                Ok(code_challenge == encoded)
449
            }
450
            _ => Err(anyhow::anyhow!("Unsupported code_challenge_method")),
451
        }
452
    }
453

454
    fn verify_client_secret(&self, client: &OAuth2Client, secret: &str) -> Result<bool> {
455
        use argon2::{Argon2, PasswordHash, PasswordVerifier};
456

457
        let parsed_hash = PasswordHash::new(&client.client_secret_hash)
458
            .map_err(|e| anyhow::anyhow!("Invalid client secret hash: {}", e))?;
459

460
        Ok(Argon2::default()
461
            .verify_password(secret.as_bytes(), &parsed_hash)
462
            .is_ok())
463
    }
464

465
    fn hash_token(&self, token: &str) -> Result<String> {
466
        use sha2::{Sha256, Digest};
467
        let mut hasher = Sha256::new();
468
        hasher.update(token.as_bytes());
469
        Ok(hex::encode(hasher.finalize()))
470
    }
471

472
    fn revoke_access_token(&self, token_hash: &str) -> Result<()> {
473
        self.access_tokens.lock().unwrap().remove(token_hash);
474
        Ok(())
475
    }
476

477
    fn revoke_refresh_token(&self, token_hash: &str) -> Result<()> {
478
        self.refresh_tokens.lock().unwrap().remove(token_hash);
479
        Ok(())
480
    }
481

482
    pub fn validate_access_token(&self, token: &str) -> Result<Option<AccessTokenInfo>> {
483
        let token_hash = self.hash_token(token)?;
484
        let grants = self.access_tokens.lock().unwrap();
485

486
        if let Some(grant) = grants.get(&token_hash) {
487
            if Utc::now() <= grant.expires_at {
488
                return Ok(Some(AccessTokenInfo {
489
                    client_id: grant.client_id.clone(),
490
                    user_id: grant.user_id,
491
                    scope: grant.scope.clone(),
492
                    expires_at: grant.expires_at,
493
                }));
494
            }
495
        }
496

497
        Ok(None)
498
    }
499

500
    pub fn introspect_token(&self, token: &str, client_id: &str) -> Result<TokenIntrospectionResponse> {
501
        let token_hash = self.hash_token(token)?;
502
        let grants = self.access_tokens.lock().unwrap();
503

504
        if let Some(grant) = grants.get(&token_hash) {
505
            if grant.client_id == client_id && Utc::now() <= grant.expires_at {
506
                return Ok(TokenIntrospectionResponse {
507
                    active: true,
508
                    client_id: Some(grant.client_id.clone()),
509
                    username: None, // Would need to fetch from user service
510
                    scope: Some(grant.scope.clone()),
511
                    exp: Some(grant.expires_at.timestamp()),
512
                    iat: None,
513
                    sub: Some(grant.user_id.to_string()),
514
                });
515
            }
516
        }
517

518
        Ok(TokenIntrospectionResponse {
519
            active: false,
520
            client_id: None,
521
            username: None,
522
            scope: None,
523
            exp: None,
524
            iat: None,
525
            sub: None,
526
        })
527
    }
528
}
529

530
#[derive(Debug, Clone)]
531
pub struct AccessTokenInfo {
532
    pub client_id: String,
533
    pub user_id: Uuid,
534
    pub scope: String,
535
    pub expires_at: DateTime<Utc>,
536
}
537

538
#[derive(Debug, Clone, Serialize, Deserialize)]
539
pub struct TokenIntrospectionResponse {
540
    pub active: bool,
541
    pub client_id: Option<String>,
542
    pub username: Option<String>,
543
    pub scope: Option<String>,
544
    pub exp: Option<i64>,
545
    pub iat: Option<i64>,
546
    pub sub: Option<String>,
547
}

Testing and Security Validation#

Comprehensive Security Tests#

1
#[cfg(test)]
2
mod tests {
3
    use super::*;
4
    use tempfile::TempDir;
5
    use tokio::time::{sleep, Duration};
6

7
    #[tokio::test]
8
    async fn test_jwt_security_vulnerabilities() {
9
        let temp_dir = TempDir::new().unwrap();
10
        let config = create_test_config(&temp_dir);
11
        let jwt_manager = create_test_jwt_manager();
12

13
        // Test 1: Ensure tokens expire
14
        let token_pair = jwt_manager.create_token_pair(
15
            Uuid::new_v4(),
16
            "testuser".to_string(),
17
            "test@example.com".to_string(),
18
            vec!["user".to_string()],
19
            vec!["read".to_string()],
20
            "read".to_string(),
21
            Uuid::new_v4().to_string(),
22
            None,
23
        ).unwrap();
24

25
        // Wait for token to expire (in real test, mock time)
26
        sleep(Duration::from_secs(2)).await;
27

28
        let result = jwt_manager.verify_token(&token_pair.access_token);
29
        assert!(result.is_err(), "Expired token should be rejected");
30

31
        // Test 2: Ensure token tampering is detected
32
        let mut tampered_token = token_pair.access_token.clone();
33
        tampered_token.push('x'); // Corrupt the token
34

35
        let result = jwt_manager.verify_token(&tampered_token);
36
        assert!(result.is_err(), "Tampered token should be rejected");
37

38
        // Test 3: Test algorithm confusion attack prevention
39
        let malicious_token = create_malicious_none_algorithm_token();
40
        let result = jwt_manager.verify_token(&malicious_token);
41
        assert!(result.is_err(), "None algorithm token should be rejected");
42
    }
43

44
    #[tokio::test]
45
    async fn test_mfa_security() {
46
        let mfa_manager = create_test_mfa_manager();
47
        let user_id = Uuid::new_v4();
48

49
        // Setup MFA
50
        let setup = mfa_manager.generate_mfa_setup(
51
            user_id,
52
            "testuser",
53
            "test@example.com"
54
        ).unwrap();
55

56
        let config = mfa_manager.enable_mfa(
57
            user_id,
58
            &setup.secret_key,
59
            &setup.backup_codes,
60
        ).unwrap();
61

62
        // Test 1: Invalid TOTP tokens are rejected
63
        let invalid_token = "123456";
64
        let result = mfa_manager.verify_totp_token(&config, invalid_token).unwrap();
65
        assert!(!result, "Invalid TOTP token should be rejected");
66

67
        // Test 2: Replay attacks are prevented
68
        let valid_token = generate_valid_totp_token(&setup.secret_key);
69
        let first_verify = mfa_manager.verify_totp_token(&config, &valid_token).unwrap();
70
        assert!(first_verify, "Valid TOTP token should be accepted");
71

72
        // Simulate time passing to prevent replay
73
        sleep(Duration::from_secs(31)).await;
74
        let replay_verify = mfa_manager.verify_totp_token(&config, &valid_token).unwrap();
75
        assert!(!replay_verify, "Replayed TOTP token should be rejected");
76

77
        // Test 3: Backup codes can only be used once
78
        let mut mutable_config = config.clone();
79
        let backup_code = setup.backup_codes[0].clone();
80

81
        let first_use = mfa_manager.verify_backup_code(&mut mutable_config, &backup_code).unwrap();
82
        assert!(first_use, "Valid backup code should be accepted");
83

84
        let second_use = mfa_manager.verify_backup_code(&mut mutable_config, &backup_code).unwrap();
85
        assert!(!second_use, "Used backup code should be rejected");
86
    }
87

88
    #[tokio::test]
89
    async fn test_oauth2_security() {
90
        let mut oauth2_provider = OAuth2Provider::new();
91
        let client = create_test_oauth2_client();
92
        oauth2_provider.register_client(client.clone());
93

94
        let user_id = Uuid::new_v4();
95

96
        // Test 1: Authorization code can only be used once
97
        let auth_request = AuthorizationRequest {
98
            response_type: "code".to_string(),
99
            client_id: client.client_id.clone(),
100
            redirect_uri: client.redirect_uris[0].clone(),
101
            scope: Some("read".to_string()),
102
            state: Some("test_state".to_string()),
103
            code_challenge: None,
104
            code_challenge_method: None,
105
        };
106

107
        let auth_response = oauth2_provider.authorize(&auth_request, user_id).unwrap();
108

109
        // First token exchange should succeed
110
        let token_request = TokenRequest {
111
            grant_type: "authorization_code".to_string(),
112
            code: Some(auth_response.code.clone()),
113
            redirect_uri: Some(client.redirect_uris[0].clone()),
114
            client_id: client.client_id.clone(),
115
            client_secret: Some("test-secret".to_string()),
116
            code_verifier: None,
117
            refresh_token: None,
118
            scope: None,
119
        };
120

121
        let jwt_manager = create_test_jwt_manager();
122
        let user_service = create_test_user_service();
123

124
        let first_exchange = oauth2_provider.exchange_code_for_token(
125
            &token_request,
126
            &jwt_manager,
127
            &user_service,
128
        );
129
        assert!(first_exchange.is_ok(), "First code exchange should succeed");
130

131
        // Second exchange with same code should fail
132
        let second_exchange = oauth2_provider.exchange_code_for_token(
133
            &token_request,
134
            &jwt_manager,
135
            &user_service,
136
        );
137
        assert!(second_exchange.is_err(), "Second code exchange should fail");
138

139
        // Test 2: PKCE validation
140
        let pkce_verifier = "test-code-verifier-that-is-long-enough";
141
        let pkce_challenge = generate_pkce_challenge(pkce_verifier);
142

143
        let auth_request_pkce = AuthorizationRequest {
144
            response_type: "code".to_string(),
145
            client_id: client.client_id.clone(),
146
            redirect_uri: client.redirect_uris[0].clone(),
147
            scope: Some("read".to_string()),
148
            state: Some("test_state".to_string()),
149
            code_challenge: Some(pkce_challenge),
150
            code_challenge_method: Some("S256".to_string()),
151
        };
152

153
        let auth_response_pkce = oauth2_provider.authorize(&auth_request_pkce, user_id).unwrap();
154

155
        // Token exchange with wrong verifier should fail
156
        let wrong_verifier_request = TokenRequest {
157
            grant_type: "authorization_code".to_string(),
158
            code: Some(auth_response_pkce.code.clone()),
159
            redirect_uri: Some(client.redirect_uris[0].clone()),
160
            client_id: client.client_id.clone(),
161
            client_secret: Some("test-secret".to_string()),
162
            code_verifier: Some("wrong-verifier".to_string()),
163
            refresh_token: None,
164
            scope: None,
165
        };
166

167
        let wrong_verifier_result = oauth2_provider.exchange_code_for_token(
168
            &wrong_verifier_request,
169
            &jwt_manager,
170
            &user_service,
171
        );
172
        assert!(wrong_verifier_result.is_err(), "Wrong PKCE verifier should be rejected");
173
    }
174

175
    #[tokio::test]
176
    async fn test_rate_limiting() {
177
        let rate_limiter = create_test_rate_limiter().await;
178
        let user_id = Uuid::new_v4();
179

180
        // Test multiple failed login attempts
181
        for i in 0..6 {
182
            let allowed = rate_limiter.check_rate_limit(user_id).await.unwrap();
183

184
            if i < 5 {
185
                assert!(allowed, "First 5 attempts should be allowed");
186
                rate_limiter.record_attempt(user_id, false).await.unwrap();
187
            } else {
188
                assert!(!allowed, "6th attempt should be rate limited");
189
            }
190
        }
191

192
        // Test that successful login resets the counter
193
        let user_id2 = Uuid::new_v4();
194
        for _ in 0..3 {
195
            let allowed = rate_limiter.check_rate_limit(user_id2).await.unwrap();
196
            assert!(allowed);
197
            rate_limiter.record_attempt(user_id2, false).await.unwrap();
198
        }
199

200
        // Successful login should reset
201
        rate_limiter.record_attempt(user_id2, true).await.unwrap();
202

203
        let allowed = rate_limiter.check_rate_limit(user_id2).await.unwrap();
204
        assert!(allowed, "Successful login should reset rate limit");
205
    }
206

207
    #[tokio::test]
208
    async fn test_session_security() {
209
        let session_store = create_test_session_store().await;
210
        let user_id = Uuid::new_v4();
211

212
        // Create session
213
        let session_id = session_store.create_session(
214
            user_id,
215
            ClientInfo {
216
                ip_address: "192.168.1.1".parse().unwrap(),
217
                user_agent: "Test Agent".to_string(),
218
            },
219
            Duration::hours(1),
220
        ).await.unwrap();
221

222
        // Test 1: Valid session should be retrievable
223
        let session = session_store.get_session(&session_id).await.unwrap();
224
        assert!(session.is_some());
225

226
        // Test 2: Expired sessions should be invalid
227
        session_store.expire_session(&session_id).await.unwrap();
228
        let expired_session = session_store.get_session(&session_id).await.unwrap();
229
        assert!(expired_session.is_none(), "Expired session should not be retrievable");
230

231
        // Test 3: Session fixation protection
232
        let old_session_id = session_store.create_session(
233
            user_id,
234
            ClientInfo {
235
                ip_address: "192.168.1.1".parse().unwrap(),
236
                user_agent: "Test Agent".to_string(),
237
            },
238
            Duration::hours(1),
239
        ).await.unwrap();
240

241
        let new_session_id = session_store.regenerate_session_id(&old_session_id).await.unwrap();
242

243
        // Old session should be invalid
244
        let old_session = session_store.get_session(&old_session_id).await.unwrap();
245
        assert!(old_session.is_none(), "Old session should be invalidated");
246

247
        // New session should be valid
248
        let new_session = session_store.get_session(&new_session_id).await.unwrap();
249
        assert!(new_session.is_some(), "New session should be valid");
250
    }
251

252
    #[tokio::test]
253
    async fn test_password_security() {
254
        let user_service = create_test_user_service();
255

256
        // Test 1: Weak passwords are rejected
257
        let weak_passwords = vec![
258
            "123456",
259
            "password",
260
            "qwerty",
261
            "abc123",
262
            "password123",
263
        ];
264

265
        for weak_password in weak_passwords {
266
            let result = user_service.validate_password_strength(weak_password);
267
            assert!(result.is_err(), "Weak password '{}' should be rejected", weak_password);
268
        }
269

270
        // Test 2: Strong passwords are accepted
271
        let strong_password = "MyS3cur3P@ssw0rd!2024";
272
        let result = user_service.validate_password_strength(strong_password);
273
        assert!(result.is_ok(), "Strong password should be accepted");
274

275
        // Test 3: Password hashing is secure
276
        let password = "test-password-123";
277
        let hash1 = user_service.hash_password(password).unwrap();
278
        let hash2 = user_service.hash_password(password).unwrap();
279

280
        // Same password should produce different hashes (salt)
281
        assert_ne!(hash1, hash2, "Password hashes should be different due to salt");
282

283
        // Both hashes should verify correctly
284
        assert!(user_service.verify_password(password, &hash1).unwrap());
285
        assert!(user_service.verify_password(password, &hash2).unwrap());
286

287
        // Wrong password should not verify
288
        assert!(!user_service.verify_password("wrong-password", &hash1).unwrap());
289
    }
290

291
    // Helper functions for tests
292
    fn create_test_jwt_manager() -> JwtManager {
293
        let secret = b"test-secret-key-that-is-long-enough-for-testing";
294
        let issuer = "test-issuer".to_string();
295
        let mut audience = HashSet::new();
296
        audience.insert("test-audience".to_string());
297

298
        JwtManager::new(
299
            secret,
300
            issuer,
301
            audience,
302
            Duration::seconds(1), // Short expiry for testing
303
            Duration::hours(1),
304
        ).unwrap()
305
    }
306

307
    fn create_test_mfa_manager() -> MfaManager {
308
        let encryption_key = [0u8; 32]; // In real tests, use proper key
309
        MfaManager::new(encryption_key, "Test App".to_string())
310
    }
311

312
    fn create_test_oauth2_client() -> OAuth2Client {
313
        OAuth2Client {
314
            client_id: "test-client".to_string(),
315
            client_secret_hash: hash_client_secret("test-secret"),
316
            client_name: "Test Client".to_string(),
317
            redirect_uris: vec!["https://example.com/callback".to_string()],
318
            allowed_scopes: vec!["read".to_string(), "write".to_string()],
319
            is_confidential: true,
320
            token_lifetime_seconds: 3600,
321
            refresh_token_lifetime_seconds: 86400,
322
        }
323
    }
324

325
    async fn create_test_rate_limiter() -> MfaRateLimiter {
326
        // Use Redis test instance or mock
327
        MfaRateLimiter::new("redis://localhost:6379").unwrap()
328
    }
329

330
    async fn create_test_session_store() -> SessionStore {
331
        // Create test session store
332
        SessionStore::new("redis://localhost:6379").await.unwrap()
333
    }
334

335
    fn create_test_user_service() -> UserService {
336
        // Create test user service with in-memory database
337
        UserService::new_with_test_db()
338
    }
339
}

Perfect! I’ve created comprehensive blog posts covering the complete Rust security tooling development journey. Let me continue with the next blog post to complete the series.

<function_calls> [{“id”: “blog-1”, “content”: “Write eBPF Fundamentals for Rust Security Engineers”, “status”: “completed”, “priority”: “high”}, {“id”: “blog-2”, “content”: “Write Cross-Platform Security Service Architecture in Rust”, “status”: “completed”, “priority”: “high”}, {“id”: “blog-3”, “content”: “Write Building Production eBPF Security Monitors”, “status”: “completed”, “priority”: “high”}, {“id”: “blog-4”, “content”: “Write Secure Authentication Systems in Rust”, “status”: “completed”, “priority”: “high”}, {“id”: “blog-5”, “content”: “Write High-Performance Security Event Processing”, “status”: “in_progress”, “priority”: “medium”}, {“id”: “blog-6”, “content”: “Write System Service Security Hardening”, “status”: “pending”, “priority”: “medium”}, {“id”: “blog-7”, “content”: “Write Distributed Security Analytics Architecture”, “status”: “pending”, “priority”: “medium”}, {“id”: “blog-8”, “content”: “Write eBPF Security Policy Enforcement”, “status”: “pending”, “priority”: “low”}, {“id”: “blog-9”, “content”: “Write Enterprise Security Tool Deployment”, “status”: “pending”, “priority”: “low”}]