Class AuthManager

Class Documentation

class AuthManager

Manages authentication and authorization for the gateway.

Implements JWT-based authentication with RBAC (Role-Based Access Control). Supports both symmetric (HS256) and asymmetric (RS256) JWT signing.

@verifies REQ_INTEROP_086, REQ_INTEROP_087

Public Functions

explicit AuthManager(const AuthConfig &config)

Construct AuthManager with configuration.

Parameters:

config – Authentication configuration

~AuthManager() = default
AuthManager(const AuthManager&) = delete
AuthManager &operator=(const AuthManager&) = delete
AuthManager(AuthManager&&) = delete
AuthManager &operator=(AuthManager&&) = delete

inline bool is_enabled() const

Check if authentication is enabled.

Returns:

true if auth is enabled

inline AuthRequirement get_requirement() const

Get the auth requirement level.

Returns:

AuthRequirement level

tl::expected<TokenResponse, AuthErrorResponse> authenticate(const std::string &client_id, const std::string &client_secret)

Authenticate client credentials and generate tokens.

Parameters:
  • client_id – Client identifier

  • client_secret – Client secret

Returns:

TokenResponse on success, AuthErrorResponse on failure

tl::expected<TokenResponse, AuthErrorResponse> refresh_access_token(const std::string &refresh_token)

Refresh an access token using a refresh token.

Parameters:

refresh_token – The refresh token

Returns:

TokenResponse on success, AuthErrorResponse on failure

TokenValidationResult validate_token(const std::string &token, TokenType expected_type = TokenType::ACCESS) const

Validate a JWT of the expected type (an access token by default).

Parameters:
  • token – The JWT token string

  • expected_type – Expected token type (defaults to ACCESS)

Returns:

TokenValidationResult with claims if valid

AuthorizationResult check_authorization(UserRole role, const std::string &method, const std::string &path) const

Check if a role is authorized for a specific HTTP method and path.

Parameters:
  • role – User role

  • method – HTTP method (GET, POST, PUT, DELETE)

  • path – Request path (e.g., /api/v1/components/engine/data)

Returns:

AuthorizationResult indicating if authorized

bool requires_authentication(const std::string &method, const std::string &path) const

Check if authentication is required for a request.

Parameters:
  • method – HTTP method

  • path – Request path

Returns:

true if authentication is required

bool revoke_refresh_token(const std::string &refresh_token)

Revoke a refresh token.

Parameters:

refresh_token – The refresh token to revoke

Returns:

true if revoked, false if not found

size_t cleanup_expired_tokens()

Clean up expired refresh tokens.

Returns:

Number of tokens cleaned up

bool register_client(const std::string &client_id, const std::string &client_secret, UserRole role)

Register a new client (for dynamic client registration).

Parameters:
  • client_id – Client identifier

  • client_secret – Client secret

  • role – Role to assign

Returns:

true if registered, false if client_id already exists

std::optional<ClientCredentials> get_client(const std::string &client_id) const

Get client credentials by ID.

Parameters:

client_id – Client identifier

Returns:

ClientCredentials if found

bool disable_client(const std::string &client_id)

Disable a client (all tokens become invalid immediately).

Parameters:

client_id – Client identifier

Returns:

true if disabled, false if client not found

bool enable_client(const std::string &client_id)

Enable a previously disabled client.

Parameters:

client_id – Client identifier

Returns:

true if enabled, false if client not found
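The `expected_type` parameter of `validate_token` and the immediate invalidation promised by `disable_client` both imply checks that run after a signature has verified. The following is an added example, not the gateway's own code, of one way to order those checks; `ClaimChecker`, `Verdict`, `Claims` and its fields, `track_refresh` and the sample identifiers are assumptions.

```cpp
#include <map>
#include <set>
#include <string>

// Hypothetical stand-ins for the documented types; all field names are assumptions.
enum class TokenType { ACCESS, REFRESH };
enum class Verdict { OK, WRONG_TYPE, EXPIRED, UNKNOWN_CLIENT, CLIENT_DISABLED, REVOKED };

struct Claims {  // claims of a token whose signature has already been verified
  std::string client_id, jti;  // jti: unique token id
  TokenType type;
  long exp;  // expiry, seconds since epoch
};

class ClaimChecker {
 public:
  void register_client(const std::string &id) { enabled_[id] = true; }
  bool disable_client(const std::string &id) { return set_enabled(id, false); }
  bool enable_client(const std::string &id) { return set_enabled(id, true); }
  void track_refresh(const std::string &jti) { live_refresh_.insert(jti); }
  bool revoke_refresh_token(const std::string &jti) { return live_refresh_.erase(jti) == 1; }
  // Type first, so a refresh token is never accepted where an access token is expected.
  Verdict check(const Claims &c, TokenType expected, long now) const {
    if (c.type != expected) return Verdict::WRONG_TYPE;
    if (now >= c.exp) return Verdict::EXPIRED;
    auto it = enabled_.find(c.client_id);
    if (it == enabled_.end()) return Verdict::UNKNOWN_CLIENT;
    // Client state is looked up on every call, so disabling takes effect at once
    // even though the token itself is still unexpired and correctly signed.
    if (!it->second) return Verdict::CLIENT_DISABLED;
    // A refresh token must still be in the server-side store (revoked or never issued otherwise).
    if (c.type == TokenType::REFRESH && !live_refresh_.count(c.jti)) return Verdict::REVOKED;
    return Verdict::OK;
  }
 private:
  bool set_enabled(const std::string &id, bool on) {
    auto it = enabled_.find(id);
    if (it != enabled_.end()) it->second = on;
    return it != enabled_.end();
  }
  std::map<std::string, bool> enabled_;
  std::set<std::string> live_refresh_;
};

int main() {  // constructed sample data
  ClaimChecker chk;
  chk.register_client("dash");
  Claims access{"dash", "a1", TokenType::ACCESS, 2000};
  chk.disable_client("dash");
  return chk.check(access, TokenType::ACCESS, 1000) == Verdict::CLIENT_DISABLED ? 0 : 1;
}
```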