feat(auth/rust): generate Rust/axum backend from auth.candy — eval green #47
Merged
Implements Phase D of the candy alpha plan. All 14 hurl scenarios pass.

- actor User: rusqlite-backed UserRepo with create/findBy/email_exists
- actor Session: realized as self-contained HS256 JWT (jsonwebtoken); no sessions table — revocation via revoked_jtis(jti PK)
- flow Signup: idempotent on Key; argon2id password hashing; uuid-v7 ids
- flow Login: opaque InvalidCredentials; constant error shape
- flow Logout: idempotent via INSERT OR IGNORE on revoked_jtis
- policy PasswordStrength: blocklist > length > digit; all 4 spec examples covered as unit tests
- Two bearer middlewares: BearerAuth (sig+exp+revocation) and LogoutBearerAuth (sig+exp only) so logout-replay returns 204
- In-process event bus (tokio::sync::broadcast) for eager delivery of UserSignedUp, UserLoggedIn, SessionRevoked events
- cargo fmt, clippy -D warnings, build --release, test --all all green
bcd1047 to 7711fb3
Summary
Phase D of the candy alpha plan. Closes alpha criterion 4 (auth on
a second target language) and demonstrates the codegen prompts produce
idiomatic, eval-green code in Rust as well as Go.
A Rust/axum backend generated from `examples/auth/auth.candy` using
the codegen prompts merged in #41. Same JWT-self-contained design as
the Go target (#45) but using the Rust ecosystem libs from
`examples/auth/preferences.candy`. All 14 hurl scenarios pass against
the running server. `cargo fmt`, `cargo clippy -- -D warnings`,
`cargo build --release` all clean. 4 PasswordStrength unit tests
pass against the spec's policy examples.
What landed
Total: 1,038 Rust LOC (under the 3,000 budget).
Library pins (per `examples/auth/preferences.candy`)
No KSUID-substituted-for-JWT shortcuts; preferences honored exactly.
Commits (atomic, in order)
Spec → realisation choices (mirror of Go target's HANDOFF)
`auth: bearer` splits into two middlewares for the same principled
reasons as the Go target (HANDOFF §3):
skips revocation so `logout-replay` returns 204 per the eval.
PasswordStrength order — blocklist before length
The spec policy example `"password123" → InBlocklist` (11 chars, in
blocklist) requires the implementation to check the blocklist BEFORE
length, otherwise `"password123"` would hit `TooShort` first. Same
ordering as the Go target's `policies.go`.
Verification
Note on fixture-fix duplication
This PR ships the same auth/fixtures.env fix as PR #45. If #45 merges
first this PR will rebase cleanly; if this merges first #45 rebases.
Same one-line change either way.
Closes / Refs
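The two-middleware split and idempotent logout described in this PR, modelled as an added example (not code from the PR or the generated backend). Assumptions: claims arrive already signature-verified, an in-memory set stands in for `revoked_jtis`, and the function names and the 401 failure status are hypothetical.

```rust
use std::collections::HashSet;

// Claims of a token whose HS256 signature was already verified (assumed).
pub struct Claims {
    pub jti: String,
    pub exp: u64, // expiry, seconds
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    Expired,
    Revoked,
}

// In-memory stand-in for the revoked_jtis(jti PK) table.
#[derive(Default)]
pub struct RevokedJtis(HashSet<String>);

impl RevokedJtis {
    // Like INSERT OR IGNORE: a repeated jti is a no-op. True if newly stored.
    pub fn insert_or_ignore(&mut self, jti: &str) -> bool {
        self.0.insert(jti.to_string())
    }
}

// LogoutBearerAuth model: expiry only, no revocation lookup.
pub fn logout_bearer_auth(c: &Claims, now: u64) -> Result<(), AuthError> {
    if c.exp <= now { Err(AuthError::Expired) } else { Ok(()) }
}

// BearerAuth model: expiry plus revocation lookup.
pub fn bearer_auth(c: &Claims, now: u64, revoked: &RevokedJtis) -> Result<(), AuthError> {
    logout_bearer_auth(c, now)?;
    if revoked.0.contains(&c.jti) { Err(AuthError::Revoked) } else { Ok(()) }
}

// Logout handler: 204 on first call and on replay; 401 is an assumed failure status.
pub fn logout(c: &Claims, now: u64, revoked: &mut RevokedJtis) -> u16 {
    if logout_bearer_auth(c, now).is_err() { return 401; }
    revoked.insert_or_ignore(&c.jti);
    204
}

fn main() {
    let c = Claims { jti: "constructed-jti-1".into(), exp: 2_000 }; // constructed sample
    let mut revoked = RevokedJtis::default();
    let first = logout(&c, 1_000, &mut revoked);
    let replay = logout(&c, 1_000, &mut revoked);
    println!("logout: {first}, replay: {replay}, then: {:?}", bearer_auth(&c, 1_000, &revoked));
}
```

Because the logout path never consults the revocation set, a replayed logout with a still-unexpired token succeeds, while every other protected route rejects the same token as revoked.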