spikard 0.3.0 → 0.3.2

data/vendor/crates/spikard-http/Cargo.toml

@@ -0,0 +1,58 @@
+[package]
+name = "spikard-http"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+homepage.workspace = true
+description = "High-performance HTTP server for Spikard with tower-http middleware stack"
+keywords = ["http", "server", "axum", "tower", "middleware"]
+categories = ["web-programming::http-server", "web-programming"]
+documentation = "https://docs.rs/spikard-http"
+readme = "README.md"
+
+[dependencies]
+axum = { workspace = true, features = ["multipart", "ws"] }
+tokio.workspace = true
+tokio-util = "0.7"
+tower.workspace = true
+tower-http.workspace = true
+tower_governor.workspace = true
+jsonwebtoken.workspace = true
+utoipa.workspace = true
+utoipa-swagger-ui.workspace = true
+utoipa-redoc.workspace = true
+serde.workspace = true
+serde_json.workspace = true
+tracing.workspace = true
+tracing-subscriber.workspace = true
+spikard-core.workspace = true
+futures-util = "0.3"
+futures = "0.3"
+jsonschema.workspace = true
+serde_qs = "0.15"
+lazy_static = "1.5"
+regex = "1"
+rustc-hash = "2.1"
+urlencoding = "2.1"
+mime = "0.3"
+jiff = "0.2"
+uuid = "1.18"
+bytes = "1.11"
+http-body-util = "0.1"
+http-body = "1.0"
+axum-test = { version = "18", features = ["ws"] }
+anyhow = "1.0"
+cookie = "0.18"
+base64 = "0.22.1"
+flate2 = "1.1"
+brotli = "8.0"
+
+[features]
+default = []
+di = ["spikard-core/di"]
+
+[dev-dependencies]
+chrono = "0.4"
+doc-comment = "0.3"

data/vendor/crates/spikard-http/src/auth.rs

@@ -0,0 +1,247 @@
+//! Authentication middleware for JWT and API keys.
+//!
+//! This module provides tower middleware for authenticating requests using:
+//! - JWT tokens (via the Authorization header)
+//! - API keys (via custom headers)
+
+use axum::{
+    body::Body,
+    extract::Request,
+    http::{HeaderMap, StatusCode, Uri},
+    middleware::Next,
+    response::{IntoResponse, Response},
+};
+use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};
+use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
+
+use crate::{ApiKeyConfig, JwtConfig, ProblemDetails};
+
+/// Standard type URI for authentication errors (401)
+const TYPE_AUTH_ERROR: &str = "https://spikard.dev/errors/unauthorized";
+
+/// Standard type URI for configuration errors (500)
+const TYPE_CONFIG_ERROR: &str = "https://spikard.dev/errors/configuration-error";
+
+/// JWT claims structure - can be extended based on needs
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Claims {
+    pub sub: String,
+    pub exp: usize,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iat: Option<usize>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub nbf: Option<usize>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iss: Option<String>,
+}
+
+/// JWT authentication middleware
+///
+/// Validates JWT tokens from the Authorization header (Bearer scheme).
+/// On success, the validated claims are available to downstream handlers.
+/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
+pub async fn jwt_auth_middleware(
+    config: JwtConfig,
+    headers: HeaderMap,
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, Response> {
+    let auth_header = headers
+        .get("authorization")
+        .and_then(|v| v.to_str().ok())
+        .ok_or_else(|| {
+            let problem = ProblemDetails::new(
+                TYPE_AUTH_ERROR,
+                "Missing or invalid Authorization header",
+                StatusCode::UNAUTHORIZED,
+            )
+            .with_detail("Expected 'Authorization: Bearer <token>'");
+            (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+        })?;
+
+    let token = auth_header.strip_prefix("Bearer ").ok_or_else(|| {
+        let problem = ProblemDetails::new(
+            TYPE_AUTH_ERROR,
+            "Invalid Authorization header format",
+            StatusCode::UNAUTHORIZED,
+        )
+        .with_detail("Authorization header must use Bearer scheme: 'Bearer <token>'");
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+
+    let parts: Vec<&str> = token.split('.').collect();
+    if parts.len() != 3 {
+        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Malformed JWT token", StatusCode::UNAUTHORIZED)
+            .with_detail(format!(
+                "Malformed JWT token: expected 3 parts separated by dots, found {}",
+                parts.len()
+            ));
+        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
+    }
+
+    let algorithm = parse_algorithm(&config.algorithm).map_err(|_| {
+        let problem = ProblemDetails::new(
+            TYPE_CONFIG_ERROR,
+            "Invalid JWT configuration",
+            StatusCode::INTERNAL_SERVER_ERROR,
+        )
+        .with_detail(format!("Unsupported algorithm: {}", config.algorithm));
+        (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(problem)).into_response()
+    })?;
+
+    let mut validation = Validation::new(algorithm);
+    if let Some(ref aud) = config.audience {
+        validation.set_audience(aud);
+    }
+    if let Some(ref iss) = config.issuer {
+        validation.set_issuer(std::slice::from_ref(iss));
+    }
+    validation.leeway = config.leeway;
+    validation.validate_nbf = true;
+
+    let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
+    let _token_data = decode::<Claims>(token, &decoding_key, &validation).map_err(|e| {
+        let detail = match e.kind() {
+            jsonwebtoken::errors::ErrorKind::ExpiredSignature => "Token has expired".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidToken => "Token is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidSignature => "Token signature is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::Base64(_) => "Token signature is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidAudience => "Token audience is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidIssuer => {
+                if let Some(ref expected_iss) = config.issuer {
+                    format!("Token issuer is invalid, expected '{}'", expected_iss)
+                } else {
+                    "Token issuer is invalid".to_string()
+                }
+            }
+            jsonwebtoken::errors::ErrorKind::ImmatureSignature => {
+                "JWT not valid yet, not before claim is in the future".to_string()
+            }
+            _ => format!("Token validation failed: {}", e),
+        };
+
+        let problem =
+            ProblemDetails::new(TYPE_AUTH_ERROR, "JWT validation failed", StatusCode::UNAUTHORIZED).with_detail(detail);
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+
+    // TODO: Attach claims to request extensions for handlers to access
+    Ok(next.run(request).await)
+}
+
+/// Parse JWT algorithm string to jsonwebtoken Algorithm enum
+fn parse_algorithm(alg: &str) -> Result<Algorithm, String> {
+    match alg {
+        "HS256" => Ok(Algorithm::HS256),
+        "HS384" => Ok(Algorithm::HS384),
+        "HS512" => Ok(Algorithm::HS512),
+        "RS256" => Ok(Algorithm::RS256),
+        "RS384" => Ok(Algorithm::RS384),
+        "RS512" => Ok(Algorithm::RS512),
+        "ES256" => Ok(Algorithm::ES256),
+        "ES384" => Ok(Algorithm::ES384),
+        "PS256" => Ok(Algorithm::PS256),
+        "PS384" => Ok(Algorithm::PS384),
+        "PS512" => Ok(Algorithm::PS512),
+        _ => Err(format!("Unsupported algorithm: {}", alg)),
+    }
+}
+
+/// API Key authentication middleware
+///
+/// Validates API keys from a custom header (default: X-API-Key) or query parameter.
+/// Checks header first, then query parameter as fallback.
+/// On success, the request proceeds to the next handler.
+/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
+pub async fn api_key_auth_middleware(
+    config: ApiKeyConfig,
+    headers: HeaderMap,
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, Response> {
+    let valid_keys: HashSet<String> = config.keys.into_iter().collect();
+
+    let uri = request.uri().clone();
+
+    let api_key_from_header = headers.get(&config.header_name).and_then(|v| v.to_str().ok());
+
+    let api_key = if let Some(key) = api_key_from_header {
+        Some(key)
+    } else {
+        extract_api_key_from_query(&uri)
+    };
+
+    let api_key = api_key.ok_or_else(|| {
+        let problem =
+            ProblemDetails::new(TYPE_AUTH_ERROR, "Missing API key", StatusCode::UNAUTHORIZED).with_detail(format!(
+                "Expected '{}' header or 'api_key' query parameter with valid API key",
+                config.header_name
+            ));
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+
+    if !valid_keys.contains(api_key) {
+        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Invalid API key", StatusCode::UNAUTHORIZED)
+            .with_detail("The provided API key is not valid");
+        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
+    }
+
+    Ok(next.run(request).await)
+}
+
+/// Extract API key from query parameters
+///
+/// Checks for common API key parameter names: api_key, apiKey, key
+fn extract_api_key_from_query(uri: &Uri) -> Option<&str> {
+    let query = uri.query()?;
+
+    for param in query.split('&') {
+        if let Some((key, value)) = param.split_once('=')
+            && (key == "api_key" || key == "apiKey" || key == "key")
+        {
+            return Some(value);
+        }
+    }
+
+    None
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_parse_algorithm() {
+        assert!(matches!(parse_algorithm("HS256"), Ok(Algorithm::HS256)));
+        assert!(matches!(parse_algorithm("HS384"), Ok(Algorithm::HS384)));
+        assert!(matches!(parse_algorithm("HS512"), Ok(Algorithm::HS512)));
+        assert!(matches!(parse_algorithm("RS256"), Ok(Algorithm::RS256)));
+        assert!(matches!(parse_algorithm("RS384"), Ok(Algorithm::RS384)));
+        assert!(matches!(parse_algorithm("RS512"), Ok(Algorithm::RS512)));
+        assert!(matches!(parse_algorithm("ES256"), Ok(Algorithm::ES256)));
+        assert!(matches!(parse_algorithm("ES384"), Ok(Algorithm::ES384)));
+        assert!(matches!(parse_algorithm("PS256"), Ok(Algorithm::PS256)));
+        assert!(matches!(parse_algorithm("PS384"), Ok(Algorithm::PS384)));
+        assert!(matches!(parse_algorithm("PS512"), Ok(Algorithm::PS512)));
+        assert!(parse_algorithm("INVALID").is_err());
+    }
+
+    #[test]
+    fn test_claims_serialization() {
+        let claims = Claims {
+            sub: "user123".to_string(),
+            exp: 1234567890,
+            iat: Some(1234567800),
+            nbf: None,
+            aud: Some(vec!["https://api.example.com".to_string()]),
+            iss: Some("https://auth.example.com".to_string()),
+        };
+
+        let json = serde_json::to_string(&claims).unwrap();
+        assert!(json.contains("user123"));
+        assert!(json.contains("1234567890"));
+    }
+}

data/vendor/crates/spikard-http/src/background.rs

@@ -0,0 +1,249 @@
+use std::borrow::Cow;
+use std::sync::Arc;
+use std::time::Duration;
+
+use futures::FutureExt;
+use futures::future::BoxFuture;
+use tokio::sync::{Semaphore, mpsc};
+use tokio::task::JoinSet;
+use tokio::time::timeout;
+use tokio_util::sync::CancellationToken;
+
+/// Configuration for in-process background task execution.
+#[derive(Clone, Debug)]
+pub struct BackgroundTaskConfig {
+    pub max_queue_size: usize,
+    pub max_concurrent_tasks: usize,
+    pub drain_timeout_secs: u64,
+}
+
+impl Default for BackgroundTaskConfig {
+    fn default() -> Self {
+        Self {
+            max_queue_size: 1024,
+            max_concurrent_tasks: 128,
+            drain_timeout_secs: 30,
+        }
+    }
+}
+
+#[derive(Clone, Debug)]
+pub struct BackgroundJobMetadata {
+    pub name: Cow<'static, str>,
+    pub request_id: Option<String>,
+}
+
+impl Default for BackgroundJobMetadata {
+    fn default() -> Self {
+        Self {
+            name: Cow::Borrowed("background_task"),
+            request_id: None,
+        }
+    }
+}
+
+pub type BackgroundJobFuture = BoxFuture<'static, Result<(), BackgroundJobError>>;
+
+struct BackgroundJob {
+    pub future: BackgroundJobFuture,
+    pub metadata: BackgroundJobMetadata,
+}
+
+impl BackgroundJob {
+    fn new<F>(future: F, metadata: BackgroundJobMetadata) -> Self
+    where
+        F: futures::Future<Output = Result<(), BackgroundJobError>> + Send + 'static,
+    {
+        Self {
+            future: future.boxed(),
+            metadata,
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub struct BackgroundJobError {
+    pub message: String,
+}
+
+impl From<String> for BackgroundJobError {
+    fn from(message: String) -> Self {
+        Self { message }
+    }
+}
+
+impl From<&str> for BackgroundJobError {
+    fn from(message: &str) -> Self {
+        Self {
+            message: message.to_string(),
+        }
+    }
+}
+
+#[derive(Debug, Clone)]
+pub enum BackgroundSpawnError {
+    QueueFull,
+}
+
+impl std::fmt::Display for BackgroundSpawnError {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            BackgroundSpawnError::QueueFull => write!(f, "background task queue is full"),
+        }
+    }
+}
+
+impl std::error::Error for BackgroundSpawnError {}
+
+#[derive(Debug)]
+pub struct BackgroundShutdownError;
+
+#[derive(Default)]
+struct BackgroundMetrics {
+    queued: std::sync::atomic::AtomicU64,
+    running: std::sync::atomic::AtomicU64,
+    failed: std::sync::atomic::AtomicU64,
+}
+
+impl BackgroundMetrics {
+    fn inc_queued(&self) {
+        self.queued.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+    }
+
+    fn dec_queued(&self) {
+        self.queued.fetch_sub(1, std::sync::atomic::Ordering::Relaxed);
+    }
+
+    fn inc_running(&self) {
+        self.running.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+    }
+
+    fn dec_running(&self) {
+        self.running.fetch_sub(1, std::sync::atomic::Ordering::Relaxed);
+    }
+
+    fn inc_failed(&self) {
+        self.failed.fetch_add(1, std::sync::atomic::Ordering::Relaxed);
+    }
+}
+
+#[derive(Clone)]
+pub struct BackgroundHandle {
+    sender: mpsc::Sender<BackgroundJob>,
+    metrics: Arc<BackgroundMetrics>,
+}
+
+impl BackgroundHandle {
+    pub fn spawn<F, Fut>(&self, f: F) -> Result<(), BackgroundSpawnError>
+    where
+        F: FnOnce() -> Fut,
+        Fut: futures::Future<Output = Result<(), BackgroundJobError>> + Send + 'static,
+    {
+        let future = f();
+        self.spawn_with_metadata(future, BackgroundJobMetadata::default())
+    }
+
+    pub fn spawn_with_metadata<Fut>(
+        &self,
+        future: Fut,
+        metadata: BackgroundJobMetadata,
+    ) -> Result<(), BackgroundSpawnError>
+    where
+        Fut: futures::Future<Output = Result<(), BackgroundJobError>> + Send + 'static,
+    {
+        self.metrics.inc_queued();
+        let job = BackgroundJob::new(future, metadata);
+        self.sender.try_send(job).map_err(|_| {
+            self.metrics.dec_queued();
+            BackgroundSpawnError::QueueFull
+        })
+    }
+}
+
+pub struct BackgroundRuntime {
+    handle: BackgroundHandle,
+    drain_timeout: Duration,
+    shutdown_token: CancellationToken,
+    join_handle: tokio::task::JoinHandle<()>,
+}
+
+impl BackgroundRuntime {
+    pub async fn start(config: BackgroundTaskConfig) -> Self {
+        let (tx, rx) = mpsc::channel(config.max_queue_size);
+        let metrics = Arc::new(BackgroundMetrics::default());
+        let handle = BackgroundHandle {
+            sender: tx.clone(),
+            metrics: metrics.clone(),
+        };
+        let shutdown_token = CancellationToken::new();
+        let semaphore = Arc::new(Semaphore::new(config.max_concurrent_tasks));
+        let driver_token = shutdown_token.clone();
+
+        let join_handle = tokio::spawn(run_executor(rx, semaphore, metrics.clone(), driver_token));
+
+        Self {
+            handle,
+            drain_timeout: Duration::from_secs(config.drain_timeout_secs),
+            shutdown_token,
+            join_handle,
+        }
+    }
+
+    pub fn handle(&self) -> BackgroundHandle {
+        self.handle.clone()
+    }
+
+    pub async fn shutdown(self) -> Result<(), BackgroundShutdownError> {
+        self.shutdown_token.cancel();
+        drop(self.handle);
+        match timeout(self.drain_timeout, self.join_handle).await {
+            Ok(Ok(_)) => Ok(()),
+            _ => Err(BackgroundShutdownError),
+        }
+    }
+}
+
+async fn run_executor(
+    mut rx: mpsc::Receiver<BackgroundJob>,
+    semaphore: Arc<Semaphore>,
+    metrics: Arc<BackgroundMetrics>,
+    token: CancellationToken,
+) {
+    let mut join_set = JoinSet::new();
+
+    loop {
+        tokio::select! {
+            _ = token.cancelled() => {
+                break;
+            }
+            maybe_job = rx.recv() => {
+                match maybe_job {
+                    Some(job) => {
+                        metrics.dec_queued();
+                        let semaphore = semaphore.clone();
+                        let metrics_clone = metrics.clone();
+                        join_set.spawn(async move {
+                            let BackgroundJob { future, metadata } = job;
+                            match semaphore.acquire_owned().await {
+                                Ok(_permit) => {
+                                    metrics_clone.inc_running();
+                                    if let Err(err) = future.await {
+                                        metrics_clone.inc_failed();
+                                        tracing::error!(target = "spikard::background", task = %metadata.name, error = %err.message, "background task failed");
+                                    }
+                                    metrics_clone.dec_running();
+                                }
+                                Err(_) => {
+                                    tracing::warn!(target = "spikard::background", "failed to acquire semaphore permit for background task");
+                                }
+                            }
+                        });
+                    }
+                    None => break,
+                }
+            }
+        }
+    }
+
+    while join_set.join_next().await.is_some() {}
+}

data/vendor/crates/spikard-http/src/bindings/mod.rs

@@ -0,0 +1,3 @@
+pub mod response;
+
+pub use response::{RawResponse, StaticAsset};

data/vendor/crates/spikard-http/src/bindings/response.rs

@@ -0,0 +1 @@
+pub use spikard_core::bindings::response::*;

data/vendor/crates/spikard-http/src/body_metadata.rs

@@ -0,0 +1,8 @@
+//! Shared metadata stored on `http::Response` extensions.
+
+/// Extension type storing the original, uncompressed response body size in bytes.
+///
+/// Middleware (like compression) can inspect this to make deterministic decisions
+/// even when the final body length would otherwise require buffering.
+#[derive(Debug, Clone, Copy)]
+pub struct ResponseBodySize(pub usize);