Skip to content

nythos-core v0.2.1

Latest
Latest

Choose a tag to compare

View all tags
@Emagjby Emagjby released this 07 Jun 20:43
· 1 commit to main since this release
v0.2.1
1f2b745
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Summary

nythos-core v0.2.1 introduces the domain-level OAuth foundation for Nythos.

This release adds the core OAuth provider model, tenant-scoped external identities, tenant OAuth provider configuration, verified external profile boundaries, OAuth-specific ports, and decision-first OAuth login/linking orchestration.

The release keeps nythos-core infrastructure-free. Provider redirects, PKCE, authorization code exchange, token validation, JWKS fetching, userinfo calls, secrets, cookies, HTTP routes, and runtime/framework integration remain outside core.

Highlights

  • Added OAuth provider modeling:

    • OAuthProviderKind
    • Supported providers: Google, GitHub, Microsoft
    • Stable lowercase persistence strings
    • Parsing and display support

  • Added external identity domain modeling:

    • ExternalIdentity
    • Tenant-scoped provider identity links
    • Natural key: (tenant_id, provider_kind, provider_subject)
    • Provider email and display name metadata
    • linked_at and last_seen_at timestamps
    • Explicit touch(now) support for successful provider login tracking

  • Added tenant OAuth provider configuration:

    • TenantOAuthProviderConfig
    • Provider enabled/disabled flag
    • Registration allowed/disallowed flag
    • No secrets, client IDs, URLs, JWKS endpoints, redirect URIs, or provider HTTP configuration in core

  • Added verified external profile boundary:

    • VerifiedExternalProfile
    • Represents gateway-verified provider profile data
    • verified_email() exposes email only when the provider has verified it
    • Unverified email remains metadata only and is not safe for account-linking decisions

  • Added new OAuth ports:

    • ExternalIdentityRepository
    • TenantOAuthProviderConfigPort

  • Added OAuth login/linking orchestration:

    • OAuthLoginService::resolve_login
    • OAuthLoginService::link_identity
    • OAuthLoginOutcome

  • Added explicit OAuth login outcomes:

    • ProviderDisabled
    • ExistingIdentityLogin
    • LinkRequired
    • RegistrationRequired

  • Added OAuth-specific error variants:

    • OAuthIdentityAlreadyLinked
    • OAuthIdentityAlreadyLinkedToSelf
    • UserNotFoundOrInactive

  • Added tests for:

    • OAuth domain models
    • External identity repository contract
    • Tenant OAuth provider config port contract
    • OAuth login resolution
    • Explicit external identity linking
    • Public exports
    • Error variants

  • Added documentation for the OAuth core/gateway boundary.

Why this changed

Nythos needs OAuth support without pulling provider mechanics into nythos-core.

OAuth itself requires infrastructure concerns: redirects, HTTP calls, token exchange, JWKS validation, PKCE, secrets, cookies, callback routes, and provider-specific behavior. Those belong in nythos-gateway or adapter layers.

This release gives core the domain model and decision boundary instead:

  1. Gateway verifies provider data.
  2. Gateway constructs VerifiedExternalProfile.
  3. Core resolves the tenant-scoped auth decision.
  4. Gateway decides how to complete UX, linking, registration, or session issuance.

This keeps the core crate clean, portable, testable, and runtime-agnostic.

Important behavior

OAuthLoginService::resolve_login is decision-first.

It does not:

  • create users
  • link identities
  • issue sessions
  • perform provider verification
  • inspect unverified email
  • cross tenant boundaries

It only returns the next domain outcome.

OAuthLoginService::link_identity is explicit.

It should be called only after gateway obtains user consent. It validates that the target user exists and can authenticate, checks for duplicate provider identity links, persists the external identity, and returns the linked identity.

Core/gateway boundary

nythos-core owns:

  • OAuth provider domain types
  • tenant OAuth provider configuration shape
  • verified profile boundary type
  • external identity domain model
  • repository port contracts
  • login/linking decisions
  • account status checks
  • tenant-scoped auth rules

nythos-gateway owns:

  • OAuth redirects
  • OAuth state / CSRF
  • PKCE
  • authorization code exchange
  • provider token exchange
  • provider ID token validation
  • JWKS fetching
  • provider userinfo fetching
  • client secrets
  • cookies
  • HTTP routes
  • framework/runtime integration
  • database schema and migrations
  • session issuance after core returns an outcome
  • OAuth registration UX and completion

Compatibility

This is an additive patch release from 0.2.0 to 0.2.1.

  • No existing public APIs were removed.
  • No existing service constructors were changed.
  • No existing port methods were changed.
  • No runtime, framework, database, or OAuth provider dependencies were added.
  • Existing email/password registration, login, refresh, revoke, session, and RBAC flows remain unchanged.

New public API surface

New domain types:

  • OAuthProviderKind
  • ExternalIdentity
  • TenantOAuthProviderConfig
  • VerifiedExternalProfile

New auth types:

  • OAuthLoginOutcome
  • OAuthLoginService

New ports:

  • ExternalIdentityRepository
  • TenantOAuthProviderConfigPort

New errors:

  • OAuthIdentityAlreadyLinked
  • OAuthIdentityAlreadyLinkedToSelf
  • UserNotFoundOrInactive
Assets 2
Loading