Implement REST password provider support

crates/cli/src/util.rs

@@ -46,7 +46,11 @@ pub async fn password_manager_from_config(
             (version, hasher)
         });
 
-    PasswordManager::new(config.minimum_complexity(), schemes)
+    PasswordManager::new(
+        config.minimum_complexity(),
+        config.rest_auth_provider().cloned(),
+        schemes,
+    )
 }
 
 pub fn mailer_from_config(

crates/config/src/sections/mod.rs

@@ -38,7 +38,7 @@ pub use self::{
         Resource as HttpResource, TlsConfig as HttpTlsConfig, UnixOrTcp,
     },
     matrix::MatrixConfig,
-    passwords::{Algorithm as PasswordAlgorithm, PasswordsConfig},
+    passwords::{Algorithm as PasswordAlgorithm, PasswordsConfig, RestAuthProviderConfig},
     policy::PolicyConfig,
     rate_limiting::RateLimitingConfig,
     secrets::SecretsConfig,

crates/config/src/sections/passwords.rs

@@ -31,6 +31,23 @@ fn default_minimum_complexity() -> u8 {
     3
 }
 
+/// Configuration for REST password provider
+#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
+pub struct RestAuthProviderConfig {
+    /// The base URL where the identity service is implemented
+    pub url: String,
+    /// Implemented version of the identity service ("v1", "v2")
+    pub version: String,
+}
+
+impl RestAuthProviderConfig {
+    /// Constructor for `RestAuthProviderConfig`
+    #[must_use]
+    pub fn new(url: String, version: String) -> Self {
+        Self { url, version }
+    }
+}
+
 /// User password hashing config
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
 pub struct PasswordsConfig {
@@ -52,6 +69,10 @@ pub struct PasswordsConfig {
     /// - 4: any more than that
     #[serde(default = "default_minimum_complexity")]
     minimum_complexity: u8,
+
+    /// The REST authentication provider URL
+    #[serde(skip_serializing_if = "Option::is_none")]
+    rest_auth_provider: Option<RestAuthProviderConfig>,
 }
 
 impl Default for PasswordsConfig {
@@ -60,6 +81,7 @@ impl Default for PasswordsConfig {
             enabled: default_enabled(),
             schemes: default_schemes(),
             minimum_complexity: default_minimum_complexity(),
+            rest_auth_provider: None,
         }
     }
 }
@@ -152,6 +174,12 @@ impl PasswordsConfig {
 
         Ok(mapped_result)
     }
+
+    /// Get the REST authentication config, if set.
+    #[must_use]
+    pub fn rest_auth_provider(&self) -> Option<&RestAuthProviderConfig> {
+        self.rest_auth_provider.as_ref()
+    }
 }
 
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]

crates/data-model/src/compat/mod.rs

@@ -12,7 +12,7 @@ mod session;
 mod sso_login;
 
 pub use self::{
-    device::Device,
+    device::{Device, InvalidDeviceID},
     session::{CompatSession, CompatSessionState},
     sso_login::{CompatSsoLogin, CompatSsoLoginState},
 };

crates/data-model/src/lib.rs

@@ -26,7 +26,7 @@ pub use ulid::Ulid;
 pub use self::{
     compat::{
         CompatAccessToken, CompatRefreshToken, CompatRefreshTokenState, CompatSession,
-        CompatSessionState, CompatSsoLogin, CompatSsoLoginState, Device,
+        CompatSessionState, CompatSsoLogin, CompatSsoLoginState, Device, InvalidDeviceID,
     },
     oauth2::{
         AuthorizationCode, AuthorizationGrant, AuthorizationGrantStage, Client, DeviceCodeGrant,

crates/handlers/Cargo.toml

@@ -35,6 +35,7 @@ tower-http.workspace = true
 axum.workspace = true
 axum-macros = "0.4.2"
 axum-extra.workspace = true
+reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 rustls.workspace = true
 
 aide.workspace = true
@@ -104,4 +105,5 @@ zxcvbn = "3.1.0"
 insta.workspace = true
 tracing-subscriber.workspace = true
 cookie_store = "0.21.0"
+mockito = "1.5"
 sqlx.workspace = true