1 files changed, 6 insertions, 64 deletions
diff --git a/lockchain-core/src/users/mod.rs b/lockchain-core/src/users/mod.rs
index e9205d1..bad4256 100644
--- a/lockchain-core/src/users/mod.rs
+++ b/lockchain-core/src/users/mod.rs
@@ -12,18 +12,21 @@
 //!
 //! `User` is also a serialisable struct which contains important
 //! data to load and store them into a metadata store.
+#![allow(deprecated)]
 
 mod auth;
+mod user;
 mod rights;
 mod tokens;
 mod keystore;
 
-mod store;
 mod secrets;
+mod userstore;
 
 pub use self::auth::pam_authenticate;
 pub use self::keystore::KeyStore;
 pub use self::tokens::Token;
+pub use self::user::User;
 
 pub use errors::AuthError;
 pub use self::rights::{Access, Role};
@@ -35,69 +38,6 @@ use {
     traits::{AutoEncoder, Base64AutoEncoder},
 };
 
-/// A generic user representation
-///
-/// A user has an identify check built in that can verify a passphrase
-/// but is ultimately only a metadata item for a API layer. Any layer is
-/// free to disregard these access rights (as such, they should not be
-/// considered security, only obscurity/ management control)
-///
-/// A company might not want allow non-admins to create new vaults or
-/// users to delete records. This does not cryptographically stop anyone
-/// from breaking into the company server, swapping the source code and
-/// changing the rules!
-///
-/// An user can have multiple role-access pairs
-#[derive(Serialize, Deserialize, Clone)]
-pub struct User {
-    name: String,
-    pw_hash: String,
-    rights: HashMap<Access, Role>,
-    token: Option<String>,
-}
-
-impl User {
-    /// Register a new user with a name and password
-    pub fn register(name: &str, pw: &str) -> Self {
-        Self {
-            name: name.into(),
-            pw_hash: encoding::base64_encode(&hashing::blake2(pw, name).to_vec()),
-            rights: HashMap::new(),
-            token: None,
-        }
-    }
-    /// Verify a user password input
-    pub fn verify(&self, pw: &str) -> bool {
-        self.pw_hash == encoding::base64_encode(&hashing::blake2(pw, &self.name).to_vec())
-    }
-    /// Provides a hook to use second-factor authentication to authorise
-    ///
-    /// This is meant to be used with an external Yubikey
-    pub fn second_auth_verify(&mut self) -> bool {
-        unimplemented!()
-    }
-    /// Generate a token unique to this user (or return the existing one)
-    pub fn token(&mut self) -> String {
-        if self.token.is_none() {
-            self.token = Some(encoding::base64_encode(&random::bytes(256)));
-        }
-
-        self.token.as_ref().unwrap().clone()
-    }
-    /// Verify that a user is allowed access to a piece of data
-    ///
-    /// `None` means "no access of any kind"
-    pub fn has_access(&self, item: Access) -> Option<Role> {
-        self.rights.get(&item).map(|i| i.clone())
-    }
-    /// Modify access to an item for a role or create a new access entry
-    pub fn give_access(&mut self, item: Access, role: Role) {
-        self.rights.insert(item, role);
-    }
-}
-
-impl AutoEncoder for User {}
-
 /// A utility structure that manages users and can be derived
 /// from/into a metadata object. By default this process uses
 /// base64 encoding.
@@ -106,6 +46,8 @@ impl AutoEncoder for User {}
 /// users and then use `meta_push_domain` and give it the
 /// `UserStore::into()` which is then encoded automatically.
 /// The reverse action works the same way
+#[deprecated(since="0.10.0", note="Use the `userstore::UserStore` structure instead")]
+#[allow(deprecated)]
 #[derive(Serialize, Deserialize)]
 pub struct UserStore {
     /// A map between username – user item