Support credentials reloading when using `with_credentials_file`

[eplightning]

Proposed change

Currently when using ConnectOptions::with_credentials_file, the passed credentials file will only be loaded once - during the with_credentials_file call - and then never again.
This means when credentials eventually become invalid (e.g. when exp claim in JWT was set), the client not be able to recover.

It is possible to workaround this problem via auth_callback, but it requires pulling a lot of extra dependencies and duplicating code that is already inside the crate:

static USER_CONFIG_RE: Lazy<Regex> = Lazy::new(|| {
    Regex::new(r"\s*(?:(?:[-]{3,}.*[-]{3,}\r?\n)([\w\-.=]+)(?:\r?\n[-]{3,}.*[-]{3,}\r?\n))")
        .unwrap()
});

fn extract_jwt_and_nkey_from_creds(contents: &str) -> Option<(&str, &str)> {
    let mut matches = USER_CONFIG_RE.captures_iter(contents);
    let jwt_capture = matches.next()?;
    let nkey_capture = matches.next()?;

    Some((jwt_capture.get(1)?.as_str(), nkey_capture.get(1)?.as_str()))
}

async fn dynamic_credentials_file_auth(
    creds_path: impl AsRef<Path>,
    nonce: Vec<u8>,
) -> std::result::Result<Auth, AuthError> {
    let contents = read_to_string(creds_path).await.map_err(AuthError::new)?;

    let (jwt, nkey) = extract_jwt_and_nkey_from_creds(&contents)
        .ok_or_else(|| AuthError::new("creds file not in a valid format"))?;

    let kp = KeyPair::from_seed(nkey).map_err(AuthError::new)?;
    let signed_nonce = kp.sign(&nonce).map_err(AuthError::new)?;

    let mut auth = Auth::new();
    auth.jwt = Some(jwt.to_owned());
    auth.signature = Some(signed_nonce);
    Ok(auth)
}

pub async fn connect_to_nats_refresh() -> Client {
    let opts = ConnectOptions::with_auth_callback(move |nonce| {
        async move { dynamic_credentials_file_auth("/tmp/nats.creds", nonce).await }
    });

    opts.connect("nats://localhost:4222").await.unwrap()
}

Use case

Allow credential rotation without requiring full application restart.

This is fully supported in other NATS SDKs (at least with the ones I tested: Go, NodeJS, Java and the old non-async Rust crate).

Contribution

No response

[Jarema]

If I remember correctly, there were concerns or issues that those files available initially might be gone. So that would be a breaking change.

However - there is definately no harm in implementing a helper.
If you already have a working example that uses auth_callback under the hood - do you want to contribute it?

[eplightning]

If I remember correctly, there were concerns or issues that those files available initially might be gone. So that would be a breaking change.

Makes sense, I suppose it could be a separate with_reloadable_credentials_file (or something else) method on ConnectOptions then.

If you already have a working example that uses auth_callback under the hood - do you want to contribute it?

Sure, I can take a look later.

[Jarema]

Great!
In the meantime - I will think whats the best name for that function.

[Jarema]

with_reloadable_credentials_file is fine. other option: with_dynamic_credentials_file.