harmony/nats/callout/src/service.rs

use std::sync::Arc;

use async_nats::ConnectOptions;
use futures_util::StreamExt;
use tracing::{error, info, warn};

use crate::config::AuthCalloutConfig;
use crate::handler::handle_auth_request;
use crate::zitadel::ZitadelValidator;

const AUTH_SUBJECT: &str = "$SYS.REQ.USER.AUTH";

/// Production NATS auth callout service.
pub struct AuthCalloutService {
    config: AuthCalloutConfig,
}

impl AuthCalloutService {
    pub fn new(config: AuthCalloutConfig) -> Self {
        Self { config }
    }

    pub async fn run(&self) -> anyhow::Result<()> {
        let nc = async_nats::connect_with_options(
            &self.config.nats_url,
            ConnectOptions::new()
                .user_and_password(self.config.auth_user.clone(), self.config.auth_pass.clone())
                .retry_on_initial_connect(),
        )
        .await
        .map_err(|e| anyhow::anyhow!("NATS connection failed: {e}"))?;

        let validator = Arc::new(
            ZitadelValidator::new(
                self.config.oidc_issuer_url.clone(),
                self.config.oidc_audience.clone(),
                self.config.device_id_claim.clone(),
                self.config.device_id_prefix_strip.clone(),
                self.config.danger_accept_invalid_certs,
            )
            .await?,
        );

        let mut subscriber = nc
            .subscribe(AUTH_SUBJECT)
            .await
            .map_err(|e| anyhow::anyhow!("subscribe failed: {e}"))?;

        info!(subject = AUTH_SUBJECT, "auth callout service listening");

        while let Some(msg) = subscriber.next().await {
            let config = self.config.clone();
            let validator = validator.clone();
            let nc = nc.clone();
            tokio::spawn(async move {
                if let Err(e) = handle_auth_request(&nc, &msg, &config, &validator).await {
                    error!(error = %e, "failed to handle auth request");
                }
            });
        }

        warn!("auth callout subscription closed");
        Ok(())
    }
}