No description
Uwe Schuster
87bf3b6e56
sharedMapper was made private in #6 but Listener::handleMessage (defined later in the same header) still calls Hub::sharedMapper(). Any consumer that actually instantiates the WebSocket Listener hit a private-access compile error. Add `friend class Listener;` so Listener can reach the shared ObjectMapper without exposing it publicly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| cmake | ||
| docs | ||
| include/oatpp-authkit | ||
| test | ||
| .gitignore | ||
| CMakeLists.txt | ||
| README.md | ||
oatpp-authkit
Header-only C++ library distilled from fewo-webapp's hardened auth / security stack. Header-only, oatpp 1.3+, C++17.
What's in v0.1 (the clean-lift set)
| Header | Purpose |
|---|---|
interceptor/SecurityHeadersInterceptor.hpp |
CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Strict defaults. |
interceptor/BodySizeLimitInterceptor.hpp |
Reject request bodies above a configurable limit with 413 before they hit your handlers. |
handler/JsonErrorHandler.hpp |
Normalises thrown exceptions into {status, message} JSON so controllers never leak raw HTML error pages. |
util/RateLimiter.hpp |
In-memory token-bucket keyed on an arbitrary string (typically the client IP from clientIpTrusted). |
util/TokenExtract.hpp |
extractToken (Cookie/Bearer), isValidIp (IPv4/IPv6 via inet_pton), clientIpTrusted (loopback-gated XFF). |
startup/RequireEncryptionKey.hpp |
requireEncryptionKey(envVarName, encryptionEnabled, allowPlaintext) — refuse startup without a symmetric key unless a dev flag overrides. |
repo/Repository.hpp + IHistoryRepository.hpp + TemporalFieldTraits.hpp + TemporalAt.hpp + ActorContext.hpp |
Pure-abstract Repository<TDto> interface set distilled from fewo-webapp's per-entity *Db clients. Mixed UUID allocation on save, separate IHistoryRepository<T> for temporal versions, TemporalFieldTraits<T> to map canonical (entity_id, valid_from, valid_until) onto whatever a DTO actually calls them, ActorContext placeholder for the scope-guard decorator. |
repo/TemporalRepository.hpp |
Decorator that wraps any Repository<TDto> and turns it into a temporally-versioned one. save closes the prior live version and inserts a new one; findByEntityIdAt(id, at) returns the version live at a point in time; implements IHistoryRepository<T>. Inner adapter is expected to expose all rows (live + historical) and treat save as upsert keyed by (entity_id, valid_from). DTOs register their three temporal columns via OATPP_AUTHKIT_REGISTER_TEMPORAL. |
repo/ScopeGuardRepository.hpp |
Generic resource-scope decorator. Takes a bool(ActorContext, TDto) predicate at construction; gates every method on it. Throws ScopeDeniedException on deny (catchers translate to 403). Knows nothing about consumer-specific concepts like "property" or "tenant" — the predicate decides. |
repo/IQueryable.hpp |
Optional capability for repos that resolve a typed query AST. field<&Dto::col>().eq(...) style DSL composes via && / ` |
repo/IAuditSink.hpp + repo/AuditLogRepository.hpp |
Cross-cutting audit-trail decorator. Emits an AuditEvent (actor, entity type/id, op, timestamp) per mutation through a consumer-supplied IAuditSink. Ops are Create / Update / Delete / Read; pre-write findByEntityId lookup distinguishes Create from Update. Configurable enabled-op set (default {Create,Update,Delete} — Read is opt-in, list() never audited). Sink failures are caught and swallowed unless a bool(const std::exception&) handler asks to rethrow. Stacks with TemporalRepository and ScopeGuardRepository. |
Consume via CMake
# FetchContent (pin to a tag):
include(FetchContent)
FetchContent_Declare(oatpp-authkit
GIT_REPOSITORY https://git.uwe-schuster.info/uwe.admin/oatpp-authkit.git
GIT_TAG v0.1.0)
FetchContent_MakeAvailable(oatpp-authkit)
target_link_libraries(app PRIVATE oatpp::authkit)
Or after cmake --install:
find_package(oatpp-authkit 0.1 REQUIRED)
target_link_libraries(app PRIVATE oatpp::authkit)
Browser-friendly 401/403
By default AuthInterceptor returns application/json for every rejection,
which is correct for /api/* callers but breaks browser navigation: a user
following a stale link or an expired password-reset URL sees a raw
{"status":"Unauthorized"} instead of a real page.
Override IAuthPolicy::unauthenticatedRedirect(path) to redirect browser
navigations to a login or landing page while keeping JSON responses for
fetch/axios callers (detected via path prefix /api/,
X-Requested-With: XMLHttpRequest, or an Accept header that prefers
application/json):
class AppAuthPolicy : public oatpp_authkit::IAuthPolicy {
public:
std::optional<std::string>
unauthenticatedRedirect(const std::string& path) override {
return "/?next=" + oatpp_authkit::AuthInterceptor::urlEncode(path);
}
};
Returning std::nullopt (the default) preserves the legacy JSON behaviour
for all responses.
Tests
cmake -B build -DOATPP_AUTHKIT_BUILD_TESTS=ON
cmake --build build
ctest --test-dir build --output-on-failure
Tests are off by default so consumers pulling the library in via
FetchContent don't pay the cost.
Roadmap
- v0.2 —
AuthInterceptor+requireAdminported onto three seams (IAuthBackend,IAuthPolicy,IRuntimeConfig) so consumers plug in their own user store, public-path list, and admin role set without forking the interceptor. - Later — session cookie helpers, API-key rotation, re-encryption migration.
See docs/security-baseline.md for language-neutral CSP / rate-limit / body-size
constants that non-C++ consumers can re-implement directly.