feat: add skip_paths for JwtLayer and docs_with_auth for protected Swagger UI

- JwtLayer now supports skip_paths() to exclude paths from JWT validation
- Added docs_with_auth() for Basic Auth protected documentation
- Updated auth-api example to demonstrate protected docs
- Bumped version to 0.1.2

Author: Tuntii

CHANGELOG.md

@@ -7,11 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.1.2] - 2024-12-31
+
 ### Added
-- CONTRIBUTING.md with contribution guidelines
-- CHANGELOG.md following Keep a Changelog format
-- GitHub Actions CI/CD workflows
-- Dual MIT/Apache-2.0 license files
+- `skip_paths` method for JwtLayer to exclude paths from JWT validation
+- `docs_with_auth` method for Basic Auth protected Swagger UI
+- `docs_with_auth_and_info` method for customized protected docs
+
+### Changed
+- auth-api example now demonstrates protected docs with Basic Auth
+- JWT middleware can now skip validation for public endpoints
 
 ## [0.1.1] - 2024-12-31
 
@@ -78,6 +83,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `extras` meta-feature for common optional features
 - `full` feature for all optional features
 
-[Unreleased]: https://github.com/Tuntii/RustAPI/compare/v0.1.1...HEAD
+[Unreleased]: https://github.com/Tuntii/RustAPI/compare/v0.1.2...HEAD
+[0.1.2]: https://github.com/Tuntii/RustAPI/compare/v0.1.1...v0.1.2
 [0.1.1]: https://github.com/Tuntii/RustAPI/compare/v0.1.0...v0.1.1
 [0.1.0]: https://github.com/Tuntii/RustAPI/releases/tag/v0.1.0

Cargo.lock

@@ -14,7 +14,7 @@ members = [
 ]
 
 [workspace.package]
-version = "0.1.1"
+version = "0.1.2"
 edition = "2021"
 authors = ["RustAPI Contributors"]
 license = "MIT OR Apache-2.0"
@@ -72,8 +72,8 @@ prometheus = "0.13"
 utoipa = { version = "4.2" }
 
 # Internal crates
-rustapi-core = { path = "crates/rustapi-core", version = "0.1.1" }
-rustapi-macros = { path = "crates/rustapi-macros", version = "0.1.1" }
-rustapi-validate = { path = "crates/rustapi-validate", version = "0.1.1" }
-rustapi-openapi = { path = "crates/rustapi-openapi", version = "0.1.1" }
-rustapi-extras = { path = "crates/rustapi-extras", version = "0.1.1" }
+rustapi-core = { path = "crates/rustapi-core", version = "0.1.2" }
+rustapi-macros = { path = "crates/rustapi-macros", version = "0.1.2" }
+rustapi-validate = { path = "crates/rustapi-validate", version = "0.1.2" }
+rustapi-openapi = { path = "crates/rustapi-openapi", version = "0.1.2" }
+rustapi-extras = { path = "crates/rustapi-extras", version = "0.1.2" }

Cargo.toml

@@ -41,6 +41,7 @@ tracing = { workspace = true }
 tracing-subscriber = { workspace = true }
 inventory = { workspace = true }
 uuid = { workspace = true }
+base64 = "0.22"
 
 # Cookies (optional)
 cookie = { version = "0.18", optional = true }

crates/rustapi-core/Cargo.toml

@@ -370,6 +370,129 @@ impl RustApi {
             .route(path, get(docs_handler))
     }
 
+    /// Enable Swagger UI documentation with Basic Auth protection
+    ///
+    /// When username and password are provided, the docs endpoint will require
+    /// Basic Authentication. This is useful for protecting API documentation
+    /// in production environments.
+    ///
+    /// # Example
+    ///
+    /// ```rust,ignore
+    /// RustApi::new()
+    ///     .route("/users", get(list_users))
+    ///     .docs_with_auth("/docs", "admin", "secret123")
+    ///     .run("127.0.0.1:8080")
+    ///     .await
+    /// ```
+    #[cfg(feature = "swagger-ui")]
+    pub fn docs_with_auth(self, path: &str, username: &str, password: &str) -> Self {
+        let title = self.openapi_spec.info.title.clone();
+        let version = self.openapi_spec.info.version.clone();
+        let description = self.openapi_spec.info.description.clone();
+
+        self.docs_with_auth_and_info(
+            path,
+            username,
+            password,
+            &title,
+            &version,
+            description.as_deref(),
+        )
+    }
+
+    /// Enable Swagger UI documentation with Basic Auth and custom API info
+    ///
+    /// # Example
+    ///
+    /// ```rust,ignore
+    /// RustApi::new()
+    ///     .docs_with_auth_and_info(
+    ///         "/docs",
+    ///         "admin",
+    ///         "secret",
+    ///         "My API",
+    ///         "2.0.0",
+    ///         Some("Protected API documentation")
+    ///     )
+    /// ```
+    #[cfg(feature = "swagger-ui")]
+    pub fn docs_with_auth_and_info(
+        mut self,
+        path: &str,
+        username: &str,
+        password: &str,
+        title: &str,
+        version: &str,
+        description: Option<&str>,
+    ) -> Self {
+        use crate::router::MethodRouter;
+        use base64::{engine::general_purpose::STANDARD, Engine};
+        use std::collections::HashMap;
+
+        // Update spec info
+        self.openapi_spec.info.title = title.to_string();
+        self.openapi_spec.info.version = version.to_string();
+        if let Some(desc) = description {
+            self.openapi_spec.info.description = Some(desc.to_string());
+        }
+
+        let path = path.trim_end_matches('/');
+        let openapi_path = format!("{}/openapi.json", path);
+
+        // Create expected auth header value
+        let credentials = format!("{}:{}", username, password);
+        let encoded = STANDARD.encode(credentials.as_bytes());
+        let expected_auth = format!("Basic {}", encoded);
+
+        // Clone values for closures
+        let spec_json =
+            serde_json::to_string_pretty(&self.openapi_spec.to_json()).unwrap_or_default();
+        let openapi_url = openapi_path.clone();
+        let expected_auth_spec = expected_auth.clone();
+        let expected_auth_docs = expected_auth;
+
+        // Create spec handler with auth check
+        let spec_handler: crate::handler::BoxedHandler = std::sync::Arc::new(move |req: crate::Request| {
+            let json = spec_json.clone();
+            let expected = expected_auth_spec.clone();
+            Box::pin(async move {
+                if !check_basic_auth(&req, &expected) {
+                    return unauthorized_response();
+                }
+                http::Response::builder()
+                    .status(http::StatusCode::OK)
+                    .header(http::header::CONTENT_TYPE, "application/json")
+                    .body(http_body_util::Full::new(bytes::Bytes::from(json)))
+                    .unwrap()
+            }) as std::pin::Pin<Box<dyn std::future::Future<Output = crate::Response> + Send>>
+        });
+
+        // Create docs handler with auth check
+        let docs_handler: crate::handler::BoxedHandler = std::sync::Arc::new(move |req: crate::Request| {
+            let url = openapi_url.clone();
+            let expected = expected_auth_docs.clone();
+            Box::pin(async move {
+                if !check_basic_auth(&req, &expected) {
+                    return unauthorized_response();
+                }
+                rustapi_openapi::swagger_ui_html(&url)
+            }) as std::pin::Pin<Box<dyn std::future::Future<Output = crate::Response> + Send>>
+        });
+
+        // Create method routers with boxed handlers
+        let mut spec_handlers = HashMap::new();
+        spec_handlers.insert(http::Method::GET, spec_handler);
+        let spec_router = MethodRouter::from_boxed(spec_handlers);
+
+        let mut docs_handlers = HashMap::new();
+        docs_handlers.insert(http::Method::GET, docs_handler);
+        let docs_router = MethodRouter::from_boxed(docs_handlers);
+
+        self.route(&openapi_path, spec_router)
+            .route(path, docs_router)
+    }
+
     /// Run the server
     ///
     /// # Example
@@ -407,3 +530,24 @@ impl Default for RustApi {
         Self::new()
     }
 }
+
+/// Check Basic Auth header against expected credentials
+#[cfg(feature = "swagger-ui")]
+fn check_basic_auth(req: &crate::Request, expected: &str) -> bool {
+    req.headers()
+        .get(http::header::AUTHORIZATION)
+        .and_then(|v| v.to_str().ok())
+        .map(|auth| auth == expected)
+        .unwrap_or(false)
+}
+
+/// Create 401 Unauthorized response with WWW-Authenticate header
+#[cfg(feature = "swagger-ui")]
+fn unauthorized_response() -> crate::Response {
+    http::Response::builder()
+        .status(http::StatusCode::UNAUTHORIZED)
+        .header(http::header::WWW_AUTHENTICATE, "Basic realm=\"API Documentation\"")
+        .header(http::header::CONTENT_TYPE, "text/plain")
+        .body(http_body_util::Full::new(bytes::Bytes::from("Unauthorized")))
+        .unwrap()
+}

crates/rustapi-core/src/app.rs

@@ -86,13 +86,15 @@ impl JwtValidation {
 /// }
 ///
 /// let app = RustApi::new()
-///     .layer(JwtLayer::<Claims>::new("my-secret-key"))
+///     .layer(JwtLayer::<Claims>::new("my-secret-key")
+///         .skip_paths(vec!["/health", "/docs", "/auth/login"]))
 ///     .route("/protected", get(protected_handler));
 /// ```
 #[derive(Clone)]
 pub struct JwtLayer<T> {
     secret: Arc<String>,
     validation: JwtValidation,
+    skip_paths: Arc<Vec<String>>,
     _claims: PhantomData<T>,
 }
 
@@ -102,6 +104,7 @@ impl<T: DeserializeOwned + Clone + Send + Sync + 'static> JwtLayer<T> {
         Self {
             secret: Arc::new(secret.into()),
             validation: JwtValidation::default(),
+            skip_paths: Arc::new(Vec::new()),
             _claims: PhantomData,
         }
     }
@@ -112,6 +115,22 @@ impl<T: DeserializeOwned + Clone + Send + Sync + 'static> JwtLayer<T> {
         self
     }
 
+    /// Skip JWT validation for specific paths.
+    /// 
+    /// Paths that start with any of the provided prefixes will bypass JWT validation.
+    /// This is useful for public endpoints like health checks, documentation, and login.
+    ///
+    /// # Example
+    ///
+    /// ```ignore
+    /// let layer = JwtLayer::<Claims>::new("secret")
+    ///     .skip_paths(vec!["/health", "/docs", "/auth/login"]);
+    /// ```
+    pub fn skip_paths(mut self, paths: Vec<&str>) -> Self {
+        self.skip_paths = Arc::new(paths.into_iter().map(String::from).collect());
+        self
+    }
+
     /// Get the configured secret.
     pub fn secret(&self) -> &str {
         &self.secret
@@ -142,8 +161,15 @@ impl<T: DeserializeOwned + Clone + Send + Sync + 'static> MiddlewareLayer for Jw
     ) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>> {
         let secret = self.secret.clone();
         let validation = self.validation.clone();
+        let skip_paths = self.skip_paths.clone();
 
         Box::pin(async move {
+            // Check if this path should skip JWT validation
+            let path = req.uri().path();
+            if skip_paths.iter().any(|skip| path.starts_with(skip)) {
+                return next(req).await;
+            }
+
             // Extract the Authorization header
             let auth_header = req.headers().get(http::header::AUTHORIZATION);
 

crates/rustapi-extras/src/jwt/mod.rs

@@ -195,33 +195,36 @@ async fn main() -> Result<(), Box<dyn std::error::Error + Send + Sync>> {
     println!("  GET /protected/data    - Protected data");
     println!();
     println!("Documentation:");
-    println!("  GET /docs - Swagger UI");
+    println!("  GET /docs - Swagger UI (Basic Auth: docs / docs123)");
     println!();
     println!("Server running at http://127.0.0.1:8080");
 
     // Create the app with JWT middleware for protected routes
+    // Public routes (/health, /auth/login, /) are excluded from JWT validation
+    // Docs has its own Basic Auth protection
     let app = RustApi::new()
         .body_limit(1024 * 1024) // 1MB limit
         .layer(RequestIdLayer::new())
         .layer(TracingLayer::new())
         // Rate limiting: 100 requests per minute
         .layer(RateLimitLayer::new(100, Duration::from_secs(60)))
-        // JWT middleware - validates tokens on all routes
-        // Public routes will fail without token, so we need to handle that
-        .layer(JwtLayer::<Claims>::new(JWT_SECRET))
+        // JWT middleware - skip public paths (docs has its own auth)
+        .layer(JwtLayer::<Claims>::new(JWT_SECRET)
+            .skip_paths(vec!["/health", "/docs", "/auth/login", "/"]))
         .register_schema::<LoginRequest>()
         .register_schema::<LoginResponse>()
         .register_schema::<UserProfile>()
         .register_schema::<Message>()
-        // Public routes (these will require token due to global JWT layer)
+        // Public routes
         .mount_route(welcome_route())
         .mount_route(health_route())
         .mount_route(login_route())
-        // Protected routes using standard routing
+        // Protected routes
         .route("/protected/profile", get(get_profile))
         .route("/protected/admin", get(admin_only))
         .route("/protected/data", get(get_protected_data))
-        .docs("/docs");
+        // Docs with Basic Auth protection
+        .docs_with_auth("/docs", "docs", "docs123");
 
     app.run("127.0.0.1:8080").await
 }