malpercio.dev / ezpds
An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

feat(identity-wallet): OAuthClient with DPoP proofs, lazy refresh, nonce retry (MM-149 phase 6)

authored by

Malpercio and committed by
Tangled 32dfd9c2 af98556c

+873 -52
+406 -52
Cargo.lock
··· 151 151 ] 152 152 153 153 [[package]] 154 + name = "ascii-canvas" 155 + version = "3.0.0" 156 + source = "registry+https://github.com/rust-lang/crates.io-index" 157 + checksum = "8824ecca2e851cec16968d54a01dd372ef8f95b244fb84b84e70128be347c3c6" 158 + dependencies = [ 159 + "term", 160 + ] 161 + 162 + [[package]] 154 163 name = "assert-json-diff" 155 164 version = "2.0.2" 156 165 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 161 170 ] 162 171 163 172 [[package]] 173 + name = "async-attributes" 174 + version = "1.1.2" 175 + source = "registry+https://github.com/rust-lang/crates.io-index" 176 + checksum = "a3203e79f4dd9bdda415ed03cf14dae5a2bf775c683a00f94e9cd1faf0f596e5" 177 + dependencies = [ 178 + "quote", 179 + "syn 1.0.109", 180 + ] 181 + 182 + [[package]] 164 183 name = "async-broadcast" 165 184 version = "0.7.2" 166 185 source = "registry+https://github.com/rust-lang/crates.io-index" 167 186 checksum = "435a87a52755b8f27fcf321ac4f04b2802e337c8c4872923137471ec39c37532" 168 187 dependencies = [ 169 - "event-listener", 188 + "event-listener 5.4.1", 170 189 "event-listener-strategy", 171 190 "futures-core", 172 191 "pin-project-lite", ··· 174 193 175 194 [[package]] 176 195 name = "async-channel" 196 + version = "1.9.0" 197 + source = "registry+https://github.com/rust-lang/crates.io-index" 198 + checksum = "81953c529336010edd6d8e358f886d9581267795c61b19475b71314bffa46d35" 199 + dependencies = [ 200 + "concurrent-queue", 201 + "event-listener 2.5.3", 202 + "futures-core", 203 + ] 204 + 205 + [[package]] 206 + name = "async-channel" 177 207 version = "2.5.0" 178 208 source = "registry+https://github.com/rust-lang/crates.io-index" 179 209 checksum = "924ed96dd52d1b75e9c1a3e6275715fd320f5f9439fb5a4a11fa51f4221158d2" ··· 199 229 ] 200 230 201 231 [[package]] 232 + name = "async-global-executor" 233 + version = "2.4.1" 234 + source = "registry+https://github.com/rust-lang/crates.io-index" 235 + checksum = "05b1b633a2115cd122d73b955eadd9916c18c8f510ec9cd1686404c60ad1c29c" 236 + dependencies = [ 237 + "async-channel 2.5.0", 238 + "async-executor", 239 + "async-io", 240 + "async-lock", 241 + "blocking", 242 + "futures-lite", 243 + "once_cell", 244 + ] 245 + 246 + [[package]] 202 247 name = "async-io" 203 248 version = "2.6.0" 204 249 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 222 267 source = "registry+https://github.com/rust-lang/crates.io-index" 223 268 checksum = "290f7f2596bd5b78a9fec8088ccd89180d7f9f55b94b0576823bbbdc72ee8311" 224 269 dependencies = [ 225 - "event-listener", 270 + "event-listener 5.4.1", 226 271 "event-listener-strategy", 227 272 "pin-project-lite", 273 + ] 274 + 275 + [[package]] 276 + name = "async-object-pool" 277 + version = "0.1.5" 278 + source = "registry+https://github.com/rust-lang/crates.io-index" 279 + checksum = "333c456b97c3f2d50604e8b2624253b7f787208cb72eb75e64b0ad11b221652c" 280 + dependencies = [ 281 + "async-std", 228 282 ] 229 283 230 284 [[package]] ··· 233 287 source = "registry+https://github.com/rust-lang/crates.io-index" 234 288 checksum = "fc50921ec0055cdd8a16de48773bfeec5c972598674347252c0399676be7da75" 235 289 dependencies = [ 236 - "async-channel", 290 + "async-channel 2.5.0", 237 291 "async-io", 238 292 "async-lock", 239 293 "async-signal", 240 294 "async-task", 241 295 "blocking", 242 296 "cfg-if", 243 - "event-listener", 297 + "event-listener 5.4.1", 244 298 "futures-lite", 245 299 "rustix", 246 300 ] ··· 275 329 ] 276 330 277 331 [[package]] 332 + name = "async-std" 333 + version = "1.13.2" 334 + source = "registry+https://github.com/rust-lang/crates.io-index" 335 + checksum = "2c8e079a4ab67ae52b7403632e4618815d6db36d2a010cfe41b02c1b1578f93b" 336 + dependencies = [ 337 + "async-attributes", 338 + "async-channel 1.9.0", 339 + "async-global-executor", 340 + "async-io", 341 + "async-lock", 342 + "async-process", 343 + "crossbeam-utils", 344 + "futures-channel", 345 + "futures-core", 346 + "futures-io", 347 + "futures-lite", 348 + "gloo-timers", 349 + "kv-log-macro", 350 + "log", 351 + "memchr", 352 + "once_cell", 353 + "pin-project-lite", 354 + "pin-utils", 355 + "slab", 356 + "wasm-bindgen-futures", 357 + ] 358 + 359 + [[package]] 278 360 name = "async-stream" 279 361 version = "0.3.6" 280 362 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 367 449 "axum-core", 368 450 "bytes", 369 451 "futures-util", 370 - "http", 371 - "http-body", 452 + "http 1.4.0", 453 + "http-body 1.0.1", 372 454 "http-body-util", 373 - "hyper", 455 + "hyper 1.8.1", 374 456 "hyper-util", 375 457 "itoa", 376 458 "matchit", ··· 400 482 "async-trait", 401 483 "bytes", 402 484 "futures-util", 403 - "http", 404 - "http-body", 485 + "http 1.4.0", 486 + "http-body 1.0.1", 405 487 "http-body-util", 406 488 "mime", 407 489 "pin-project-lite", ··· 453 535 checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06" 454 536 455 537 [[package]] 538 + name = "basic-cookies" 539 + version = "0.1.5" 540 + source = "registry+https://github.com/rust-lang/crates.io-index" 541 + checksum = "67bd8fd42c16bdb08688243dc5f0cc117a3ca9efeeaba3a345a18a6159ad96f7" 542 + dependencies = [ 543 + "lalrpop", 544 + "lalrpop-util", 545 + "regex", 546 + ] 547 + 548 + [[package]] 549 + name = "bit-set" 550 + version = "0.5.3" 551 + source = "registry+https://github.com/rust-lang/crates.io-index" 552 + checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1" 553 + dependencies = [ 554 + "bit-vec 0.6.3", 555 + ] 556 + 557 + [[package]] 456 558 name = "bit-set" 457 559 version = "0.8.0" 458 560 source = "registry+https://github.com/rust-lang/crates.io-index" 459 561 checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3" 460 562 dependencies = [ 461 - "bit-vec", 563 + "bit-vec 0.8.0", 462 564 ] 565 + 566 + [[package]] 567 + name = "bit-vec" 568 + version = "0.6.3" 569 + source = "registry+https://github.com/rust-lang/crates.io-index" 570 + checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" 463 571 464 572 [[package]] 465 573 name = "bit-vec" ··· 515 623 source = "registry+https://github.com/rust-lang/crates.io-index" 516 624 checksum = "e83f8d02be6967315521be875afa792a316e28d57b5a2d401897e2a7921b7f21" 517 625 dependencies = [ 518 - "async-channel", 626 + "async-channel 2.5.0", 519 627 "async-task", 520 628 "futures-io", 521 629 "futures-lite", ··· 1246 1354 ] 1247 1355 1248 1356 [[package]] 1357 + name = "dirs-next" 1358 + version = "2.0.0" 1359 + source = "registry+https://github.com/rust-lang/crates.io-index" 1360 + checksum = "b98cf8ebf19c3d1b223e151f99a4f9f0690dca41414773390fc824184ac833e1" 1361 + dependencies = [ 1362 + "cfg-if", 1363 + "dirs-sys-next", 1364 + ] 1365 + 1366 + [[package]] 1249 1367 name = "dirs-sys" 1250 1368 version = "0.5.0" 1251 1369 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1253 1371 dependencies = [ 1254 1372 "libc", 1255 1373 "option-ext", 1256 - "redox_users", 1374 + "redox_users 0.5.2", 1257 1375 "windows-sys 0.61.2", 1258 1376 ] 1259 1377 1260 1378 [[package]] 1379 + name = "dirs-sys-next" 1380 + version = "0.1.2" 1381 + source = "registry+https://github.com/rust-lang/crates.io-index" 1382 + checksum = "4ebda144c4fe02d1f7ea1a7d9641b6fc6b580adcfa024ae48797ecdeb6825b4d" 1383 + dependencies = [ 1384 + "libc", 1385 + "redox_users 0.4.6", 1386 + "winapi", 1387 + ] 1388 + 1389 + [[package]] 1261 1390 name = "dispatch2" 1262 1391 version = "0.3.1" 1263 1392 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1318 1447 source = "registry+https://github.com/rust-lang/crates.io-index" 1319 1448 checksum = "4d9c2e7f1d22d0f2ce07626d259b8a55f4a47cb0938d4006dd8ae037f17d585e" 1320 1449 dependencies = [ 1321 - "bit-set", 1450 + "bit-set 0.8.0", 1322 1451 "cssparser 0.36.0", 1323 1452 "foldhash 0.2.0", 1324 1453 "html5ever 0.36.1", ··· 1433 1562 checksum = "4ef6b89e5b37196644d8796de5268852ff179b44e96276cf4290264843743bb7" 1434 1563 1435 1564 [[package]] 1565 + name = "ena" 1566 + version = "0.14.4" 1567 + source = "registry+https://github.com/rust-lang/crates.io-index" 1568 + checksum = "eabffdaee24bd1bf95c5ef7cec31260444317e72ea56c4c91750e8b7ee58d5f1" 1569 + dependencies = [ 1570 + "log", 1571 + ] 1572 + 1573 + [[package]] 1436 1574 name = "encoding_rs" 1437 1575 version = "0.8.35" 1438 1576 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 1520 1658 1521 1659 [[package]] 1522 1660 name = "event-listener" 1661 + version = "2.5.3" 1662 + source = "registry+https://github.com/rust-lang/crates.io-index" 1663 + checksum = "0206175f82b8d6bf6652ff7d71a1e27fd2e4efde587fd368662814d6ec1d9ce0" 1664 + 1665 + [[package]] 1666 + name = "event-listener" 1523 1667 version = "5.4.1" 1524 1668 source = "registry+https://github.com/rust-lang/crates.io-index" 1525 1669 checksum = "e13b66accf52311f30a0db42147dadea9850cb48cd070028831ae5f5d4b856ab" ··· 1535 1679 source = "registry+https://github.com/rust-lang/crates.io-index" 1536 1680 checksum = "8be9f3dfaaffdae2972880079a491a1a8bb7cbed0b8dd7a347f668b4150a3b93" 1537 1681 dependencies = [ 1538 - "event-listener", 1682 + "event-listener 5.4.1", 1539 1683 "pin-project-lite", 1540 1684 ] 1541 1685 ··· 1581 1725 checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582" 1582 1726 1583 1727 [[package]] 1728 + name = "fixedbitset" 1729 + version = "0.4.2" 1730 + source = "registry+https://github.com/rust-lang/crates.io-index" 1731 + checksum = "0ce7134b9999ecaf8bcd65542e436736ef32ddca1b3e06094cb6ec5755203b80" 1732 + 1733 + [[package]] 1584 1734 name = "flate2" 1585 1735 version = "1.1.9" 1586 1736 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2058 2208 checksum = "0cc23270f6e1808e30a928bdc84dea0b9b4136a8bc82338574f23baf47bbd280" 2059 2209 2060 2210 [[package]] 2211 + name = "gloo-timers" 2212 + version = "0.3.0" 2213 + source = "registry+https://github.com/rust-lang/crates.io-index" 2214 + checksum = "bbb143cf96099802033e0d4f4963b19fd2e0b728bcf076cd9cf7f6634f092994" 2215 + dependencies = [ 2216 + "futures-channel", 2217 + "futures-core", 2218 + "js-sys", 2219 + "wasm-bindgen", 2220 + ] 2221 + 2222 + [[package]] 2061 2223 name = "gobject-sys" 2062 2224 version = "0.18.0" 2063 2225 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2142 2304 "fnv", 2143 2305 "futures-core", 2144 2306 "futures-sink", 2145 - "http", 2307 + "http 1.4.0", 2146 2308 "indexmap 2.13.0", 2147 2309 "slab", 2148 2310 "tokio", ··· 2320 2482 2321 2483 [[package]] 2322 2484 name = "http" 2485 + version = "0.2.12" 2486 + source = "registry+https://github.com/rust-lang/crates.io-index" 2487 + checksum = "601cbb57e577e2f5ef5be8e7b83f0f63994f25aa94d673e54a92d5c516d101f1" 2488 + dependencies = [ 2489 + "bytes", 2490 + "fnv", 2491 + "itoa", 2492 + ] 2493 + 2494 + [[package]] 2495 + name = "http" 2323 2496 version = "1.4.0" 2324 2497 source = "registry+https://github.com/rust-lang/crates.io-index" 2325 2498 checksum = "e3ba2a386d7f85a81f119ad7498ebe444d2e22c2af0b86b069416ace48b3311a" ··· 2330 2503 2331 2504 [[package]] 2332 2505 name = "http-body" 2506 + version = "0.4.6" 2507 + source = "registry+https://github.com/rust-lang/crates.io-index" 2508 + checksum = "7ceab25649e9960c0311ea418d17bee82c0dcec1bd053b5f9a66e265a693bed2" 2509 + dependencies = [ 2510 + "bytes", 2511 + "http 0.2.12", 2512 + "pin-project-lite", 2513 + ] 2514 + 2515 + [[package]] 2516 + name = "http-body" 2333 2517 version = "1.0.1" 2334 2518 source = "registry+https://github.com/rust-lang/crates.io-index" 2335 2519 checksum = "1efedce1fb8e6913f23e0c92de8e62cd5b772a67e7b3946df930a62566c93184" 2336 2520 dependencies = [ 2337 2521 "bytes", 2338 - "http", 2522 + "http 1.4.0", 2339 2523 ] 2340 2524 2341 2525 [[package]] ··· 2346 2530 dependencies = [ 2347 2531 "bytes", 2348 2532 "futures-core", 2349 - "http", 2350 - "http-body", 2533 + "http 1.4.0", 2534 + "http-body 1.0.1", 2351 2535 "pin-project-lite", 2352 2536 ] 2353 2537 ··· 2364 2548 checksum = "df3b46402a9d5adb4c86a0cf463f42e19994e3ee891101b1841f30a545cb49a9" 2365 2549 2366 2550 [[package]] 2551 + name = "httpmock" 2552 + version = "0.7.0" 2553 + source = "registry+https://github.com/rust-lang/crates.io-index" 2554 + checksum = "08ec9586ee0910472dec1a1f0f8acf52f0fdde93aea74d70d4a3107b4be0fd5b" 2555 + dependencies = [ 2556 + "assert-json-diff", 2557 + "async-object-pool", 2558 + "async-std", 2559 + "async-trait", 2560 + "base64 0.21.7", 2561 + "basic-cookies", 2562 + "crossbeam-utils", 2563 + "form_urlencoded", 2564 + "futures-util", 2565 + "hyper 0.14.32", 2566 + "lazy_static", 2567 + "levenshtein", 2568 + "log", 2569 + "regex", 2570 + "serde", 2571 + "serde_json", 2572 + "serde_regex", 2573 + "similar", 2574 + "tokio", 2575 + "url", 2576 + ] 2577 + 2578 + [[package]] 2579 + name = "hyper" 2580 + version = "0.14.32" 2581 + source = "registry+https://github.com/rust-lang/crates.io-index" 2582 + checksum = "41dfc780fdec9373c01bae43289ea34c972e40ee3c9f6b3c8801a35f35586ce7" 2583 + dependencies = [ 2584 + "bytes", 2585 + "futures-channel", 2586 + "futures-core", 2587 + "futures-util", 2588 + "http 0.2.12", 2589 + "http-body 0.4.6", 2590 + "httparse", 2591 + "httpdate", 2592 + "itoa", 2593 + "pin-project-lite", 2594 + "socket2 0.5.10", 2595 + "tokio", 2596 + "tower-service", 2597 + "tracing", 2598 + "want", 2599 + ] 2600 + 2601 + [[package]] 2367 2602 name = "hyper" 2368 2603 version = "1.8.1" 2369 2604 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2374 2609 "futures-channel", 2375 2610 "futures-core", 2376 2611 "h2", 2377 - "http", 2378 - "http-body", 2612 + "http 1.4.0", 2613 + "http-body 1.0.1", 2379 2614 "httparse", 2380 2615 "httpdate", 2381 2616 "itoa", ··· 2392 2627 source = "registry+https://github.com/rust-lang/crates.io-index" 2393 2628 checksum = "e3c93eb611681b207e1fe55d5a71ecf91572ec8a6705cdb6857f7d8d5242cf58" 2394 2629 dependencies = [ 2395 - "http", 2396 - "hyper", 2630 + "http 1.4.0", 2631 + "hyper 1.8.1", 2397 2632 "hyper-util", 2398 2633 "rustls", 2399 2634 "rustls-pki-types", ··· 2409 2644 source = "registry+https://github.com/rust-lang/crates.io-index" 2410 2645 checksum = "2b90d566bffbce6a75bd8b09a05aa8c2cb1fabb6cb348f8840c9e4c90a0d83b0" 2411 2646 dependencies = [ 2412 - "hyper", 2647 + "hyper 1.8.1", 2413 2648 "hyper-util", 2414 2649 "pin-project-lite", 2415 2650 "tokio", ··· 2424 2659 dependencies = [ 2425 2660 "bytes", 2426 2661 "http-body-util", 2427 - "hyper", 2662 + "hyper 1.8.1", 2428 2663 "hyper-util", 2429 2664 "native-tls", 2430 2665 "tokio", ··· 2442 2677 "bytes", 2443 2678 "futures-channel", 2444 2679 "futures-util", 2445 - "http", 2446 - "http-body", 2447 - "hyper", 2680 + "http 1.4.0", 2681 + "http-body 1.0.1", 2682 + "hyper 1.8.1", 2448 2683 "ipnet", 2449 2684 "libc", 2450 2685 "percent-encoding", ··· 2590 2825 dependencies = [ 2591 2826 "base64 0.21.7", 2592 2827 "crypto", 2828 + "httpmock", 2593 2829 "multibase", 2594 2830 "p256", 2595 2831 "rand_core 0.6.4", ··· 2726 2962 2727 2963 [[package]] 2728 2964 name = "itertools" 2965 + version = "0.11.0" 2966 + source = "registry+https://github.com/rust-lang/crates.io-index" 2967 + checksum = "b1c173a5686ce8bfa551b3563d0c2170bf24ca44da99c7ca4bfdab5418c3fe57" 2968 + dependencies = [ 2969 + "either", 2970 + ] 2971 + 2972 + [[package]] 2973 + name = "itertools" 2729 2974 version = "0.14.0" 2730 2975 source = "registry+https://github.com/rust-lang/crates.io-index" 2731 2976 checksum = "2b192c782037fadd9cfa75548310488aabdbf3d2da73885b31bd0abd03351285" ··· 2855 3100 ] 2856 3101 2857 3102 [[package]] 3103 + name = "kv-log-macro" 3104 + version = "1.0.7" 3105 + source = "registry+https://github.com/rust-lang/crates.io-index" 3106 + checksum = "0de8b303297635ad57c9f5059fd9cee7a47f8e8daa09df0fcd07dd39fb22977f" 3107 + dependencies = [ 3108 + "log", 3109 + ] 3110 + 3111 + [[package]] 3112 + name = "lalrpop" 3113 + version = "0.20.2" 3114 + source = "registry+https://github.com/rust-lang/crates.io-index" 3115 + checksum = "55cb077ad656299f160924eb2912aa147d7339ea7d69e1b5517326fdcec3c1ca" 3116 + dependencies = [ 3117 + "ascii-canvas", 3118 + "bit-set 0.5.3", 3119 + "ena", 3120 + "itertools 0.11.0", 3121 + "lalrpop-util", 3122 + "petgraph", 3123 + "pico-args", 3124 + "regex", 3125 + "regex-syntax", 3126 + "string_cache 0.8.9", 3127 + "term", 3128 + "tiny-keccak", 3129 + "unicode-xid", 3130 + "walkdir", 3131 + ] 3132 + 3133 + [[package]] 3134 + name = "lalrpop-util" 3135 + version = "0.20.2" 3136 + source = "registry+https://github.com/rust-lang/crates.io-index" 3137 + checksum = "507460a910eb7b32ee961886ff48539633b788a36b65692b95f225b844c82553" 3138 + dependencies = [ 3139 + "regex-automata", 3140 + ] 3141 + 3142 + [[package]] 2858 3143 name = "lazy_static" 2859 3144 version = "1.5.0" 2860 3145 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2870 3155 checksum = "09edd9e8b54e49e587e4f6295a7d29c3ea94d469cb40ab8ca70b288248a81db2" 2871 3156 2872 3157 [[package]] 3158 + name = "levenshtein" 3159 + version = "1.0.5" 3160 + source = "registry+https://github.com/rust-lang/crates.io-index" 3161 + checksum = "db13adb97ab515a3691f56e4dbab09283d0b86cb45abd991d8634a9d6f501760" 3162 + 3163 + [[package]] 2873 3164 name = "libappindicator" 2874 3165 version = "0.9.0" 2875 3166 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 2964 3255 version = "0.4.29" 2965 3256 source = "registry+https://github.com/rust-lang/crates.io-index" 2966 3257 checksum = "5e5032e24019045c762d3c0f28f5b6b8bbf38563a65908389bf7978758920897" 3258 + dependencies = [ 3259 + "value-bag", 3260 + ] 2967 3261 2968 3262 [[package]] 2969 3263 name = "lru-slab" ··· 3532 3826 dependencies = [ 3533 3827 "async-trait", 3534 3828 "bytes", 3535 - "http", 3829 + "http 1.4.0", 3536 3830 "opentelemetry", 3537 3831 "reqwest 0.12.28", 3538 3832 "tracing", ··· 3546 3840 dependencies = [ 3547 3841 "async-trait", 3548 3842 "futures-core", 3549 - "http", 3843 + "http 1.4.0", 3550 3844 "opentelemetry", 3551 3845 "opentelemetry-http", 3552 3846 "opentelemetry-proto", ··· 3727 4021 checksum = "9b4f627cb1b25917193a259e49bdad08f671f8d9708acfd5fe0a8c1455d87220" 3728 4022 3729 4023 [[package]] 4024 + name = "petgraph" 4025 + version = "0.6.5" 4026 + source = "registry+https://github.com/rust-lang/crates.io-index" 4027 + checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db" 4028 + dependencies = [ 4029 + "fixedbitset", 4030 + "indexmap 2.13.0", 4031 + ] 4032 + 4033 + [[package]] 3730 4034 name = "phf" 3731 4035 version = "0.8.0" 3732 4036 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 3914 4218 ] 3915 4219 3916 4220 [[package]] 4221 + name = "pico-args" 4222 + version = "0.5.0" 4223 + source = "registry+https://github.com/rust-lang/crates.io-index" 4224 + checksum = "5be167a7af36ee22fe3115051bc51f6e6c7054c9348e28deb4f49bd6f705a315" 4225 + 4226 + [[package]] 3917 4227 name = "pin-project" 3918 4228 version = "1.1.11" 3919 4229 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 4180 4490 checksum = "8a56d757972c98b346a9b766e3f02746cde6dd1cd1d1d563472929fdd74bec4d" 4181 4491 dependencies = [ 4182 4492 "anyhow", 4183 - "itertools", 4493 + "itertools 0.14.0", 4184 4494 "proc-macro2", 4185 4495 "quote", 4186 4496 "syn 2.0.117", ··· 4407 4717 4408 4718 [[package]] 4409 4719 name = "redox_users" 4720 + version = "0.4.6" 4721 + source = "registry+https://github.com/rust-lang/crates.io-index" 4722 + checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43" 4723 + dependencies = [ 4724 + "getrandom 0.2.17", 4725 + "libredox", 4726 + "thiserror 1.0.69", 4727 + ] 4728 + 4729 + [[package]] 4730 + name = "redox_users" 4410 4731 version = "0.5.2" 4411 4732 source = "registry+https://github.com/rust-lang/crates.io-index" 4412 4733 checksum = "a4e608c6638b9c18977b00b475ac1f28d14e84b27d8d42f70e0bf1e3dec127ac" ··· 4520 4841 "futures-core", 4521 4842 "futures-util", 4522 4843 "h2", 4523 - "http", 4524 - "http-body", 4844 + "http 1.4.0", 4845 + "http-body 1.0.1", 4525 4846 "http-body-util", 4526 - "hyper", 4847 + "hyper 1.8.1", 4527 4848 "hyper-rustls", 4528 4849 "hyper-tls", 4529 4850 "hyper-util", ··· 4563 4884 "bytes", 4564 4885 "futures-core", 4565 4886 "futures-util", 4566 - "http", 4567 - "http-body", 4887 + "http 1.4.0", 4888 + "http-body 1.0.1", 4568 4889 "http-body-util", 4569 - "hyper", 4890 + "hyper 1.8.1", 4570 4891 "hyper-util", 4571 4892 "js-sys", 4572 4893 "log", ··· 4959 5280 ] 4960 5281 4961 5282 [[package]] 5283 + name = "serde_regex" 5284 + version = "1.1.0" 5285 + source = "registry+https://github.com/rust-lang/crates.io-index" 5286 + checksum = "a8136f1a4ea815d7eac4101cfd0b16dc0cb5e1fe1b8609dfd728058656b7badf" 5287 + dependencies = [ 5288 + "regex", 5289 + "serde", 5290 + ] 5291 + 5292 + [[package]] 4962 5293 name = "serde_repr" 4963 5294 version = "0.1.20" 4964 5295 source = "registry+https://github.com/rust-lang/crates.io-index" ··· 5133 5464 version = "0.3.8" 5134 5465 source = "registry+https://github.com/rust-lang/crates.io-index" 5135 5466 checksum = "e320a6c5ad31d271ad523dcf3ad13e2767ad8b1cb8f047f75a8aeaf8da139da2" 5467 + 5468 + [[package]] 5469 + name = "similar" 5470 + version = "2.7.0" 5471 + source = "registry+https://github.com/rust-lang/crates.io-index" 5472 + checksum = "bbbb5d9659141646ae647b42fe094daf6c6192d1620870b449d9557f748b2daa" 5136 5473 5137 5474 [[package]] 5138 5475 name = "simple_asn1" ··· 5284 5621 "crc", 5285 5622 "crossbeam-queue", 5286 5623 "either", 5287 - "event-listener", 5624 + "event-listener 5.4.1", 5288 5625 "futures-core", 5289 5626 "futures-intrusive", 5290 5627 "futures-io", ··· 5688 6025 "glob", 5689 6026 "gtk", 5690 6027 "heck 0.5.0", 5691 - "http", 6028 + "http 1.4.0", 5692 6029 "jni", 5693 6030 "libc", 5694 6031 "log", ··· 5855 6192 "cookie", 5856 6193 "dpi", 5857 6194 "gtk", 5858 - "http", 6195 + "http 1.4.0", 5859 6196 "jni", 5860 6197 "objc2", 5861 6198 "objc2-ui-kit", ··· 5878 6215 checksum = "e11ea2e6f801d275fdd890d6c9603736012742a1c33b96d0db788c9cdebf7f9e" 5879 6216 dependencies = [ 5880 6217 "gtk", 5881 - "http", 6218 + "http 1.4.0", 5882 6219 "jni", 5883 6220 "log", 5884 6221 "objc2", ··· 5910 6247 "dunce", 5911 6248 "glob", 5912 6249 "html5ever 0.29.1", 5913 - "http", 6250 + "http 1.4.0", 5914 6251 "infer", 5915 6252 "json-patch", 5916 6253 "kuchikiki", ··· 5968 6305 "futf", 5969 6306 "mac", 5970 6307 "utf-8", 6308 + ] 6309 + 6310 + [[package]] 6311 + name = "term" 6312 + version = "0.7.0" 6313 + source = "registry+https://github.com/rust-lang/crates.io-index" 6314 + checksum = "c59df8ac95d96ff9bede18eb7300b0fda5e5d8d90960e76f8e14ae765eedbf1f" 6315 + dependencies = [ 6316 + "dirs-next", 6317 + "rustversion", 6318 + "winapi", 5971 6319 ] 5972 6320 5973 6321 [[package]] ··· 6291 6639 "base64 0.22.1", 6292 6640 "bytes", 6293 6641 "h2", 6294 - "http", 6295 - "http-body", 6642 + "http 1.4.0", 6643 + "http-body 1.0.1", 6296 6644 "http-body-util", 6297 - "hyper", 6645 + "hyper 1.8.1", 6298 6646 "hyper-timeout", 6299 6647 "hyper-util", 6300 6648 "percent-encoding", ··· 6353 6701 dependencies = [ 6354 6702 "bitflags 2.11.0", 6355 6703 "bytes", 6356 - "http", 6357 - "http-body", 6704 + "http 1.4.0", 6705 + "http-body 1.0.1", 6358 6706 "http-body-util", 6359 6707 "pin-project-lite", 6360 6708 "tower-layer", ··· 6371 6719 "bitflags 2.11.0", 6372 6720 "bytes", 6373 6721 "futures-util", 6374 - "http", 6375 - "http-body", 6722 + "http 1.4.0", 6723 + "http-body 1.0.1", 6376 6724 "iri-string", 6377 6725 "pin-project-lite", 6378 6726 "tower 0.5.3", ··· 6679 7027 version = "0.1.1" 6680 7028 source = "registry+https://github.com/rust-lang/crates.io-index" 6681 7029 checksum = "ba73ea9cf16a25df0c8caa16c51acb937d5712a8429db78a3ee29d5dcacd3a65" 7030 + 7031 + [[package]] 7032 + name = "value-bag" 7033 + version = "1.12.0" 7034 + source = "registry+https://github.com/rust-lang/crates.io-index" 7035 + checksum = "7ba6f5989077681266825251a52748b8c1d8a4ad098cc37e440103d0ea717fc0" 6682 7036 6683 7037 [[package]] 6684 7038 name = "vcpkg" ··· 7586 7940 "base64 0.22.1", 7587 7941 "deadpool", 7588 7942 "futures", 7589 - "http", 7943 + "http 1.4.0", 7590 7944 "http-body-util", 7591 - "hyper", 7945 + "hyper 1.8.1", 7592 7946 "hyper-util", 7593 7947 "log", 7594 7948 "once_cell", ··· 7709 8063 "dunce", 7710 8064 "gdkx11", 7711 8065 "gtk", 7712 - "http", 8066 + "http 1.4.0", 7713 8067 "javascriptcore-rs", 7714 8068 "jni", 7715 8069 "libc", ··· 7797 8151 "async-trait", 7798 8152 "blocking", 7799 8153 "enumflags2", 7800 - "event-listener", 8154 + "event-listener 5.4.1", 7801 8155 "futures-core", 7802 8156 "futures-lite", 7803 8157 "hex",
+1
apps/identity-wallet/src-tauri/Cargo.toml
··· 38 38 39 39 [dev-dependencies] 40 40 tokio = { version = "1", features = ["macros", "rt"] } 41 + httpmock = "0.7" 41 42 42 43 [build-dependencies] 43 44 # Tauri-specific — declared locally
+1
apps/identity-wallet/src-tauri/src/lib.rs
··· 2 2 pub mod http; 3 3 pub mod keychain; 4 4 pub mod oauth; 5 + pub mod oauth_client; 5 6 6 7 use crypto::{build_did_plc_genesis_op_with_external_signer, CryptoError, DidKeyUri}; 7 8 use serde::{Deserialize, Serialize};
+465
apps/identity-wallet/src-tauri/src/oauth_client.rs
··· 1 + // pattern: Imperative Shell 2 + // 3 + // Gathers: session state (access_token, refresh_token, expiry, nonce), request params 4 + // Processes: lazy refresh → DPoP proof → header attachment → nonce retry 5 + // Returns: reqwest::Response or OAuthError 6 + 7 + use std::sync::{Arc, Mutex}; 8 + 9 + use reqwest::{Client, Response}; 10 + use serde::Serialize; 11 + 12 + use crate::oauth::{DPoPKeypair, OAuthError, OAuthSession}; 13 + 14 + /// Authenticated HTTP client. 15 + /// 16 + /// Wraps every request with: 17 + /// - `Authorization: DPoP {access_token}` header 18 + /// - `DPoP: {proof}` header containing a fresh ES256 JWT with `ath` claim 19 + /// 20 + /// Transparently refreshes the access token when it has less than 60 seconds remaining. 21 + /// Retries once on `use_dpop_nonce` 400 responses. 22 + pub struct OAuthClient { 23 + inner: Client, 24 + dpop: DPoPKeypair, 25 + session: Arc<Mutex<OAuthSession>>, 26 + base_url: String, 27 + } 28 + 29 + impl OAuthClient { 30 + /// Construct from an existing session. 31 + /// 32 + /// Loads the DPoP keypair from Keychain (same key used in the original flow). 33 + /// 34 + /// `Client::new()` inherits the TLS backend configured at the crate level via Cargo features 35 + /// (`default-features = false, features = ["rustls-tls"]` in Cargo.toml). No builder 36 + /// configuration is needed — the feature flags apply crate-wide, not per-client-instance. 37 + pub fn new(session: Arc<Mutex<OAuthSession>>) -> Result<Self, OAuthError> { 38 + let dpop = DPoPKeypair::get_or_create()?; 39 + Ok(Self { 40 + inner: Client::new(), 41 + dpop, 42 + session, 43 + base_url: crate::http::RelayClient::base_url().to_string(), 44 + }) 45 + } 46 + 47 + /// GET `{base_url}/{path}` with DPoP authentication. 48 + pub async fn get(&self, path: &str) -> Result<Response, OAuthError> { 49 + let url = format!("{}/{}", self.base_url, path.trim_start_matches('/')); 50 + self.execute_with_retry(reqwest::Method::GET, &url, None::<&()>) 51 + .await 52 + } 53 + 54 + /// POST `{base_url}/{path}` with JSON body and DPoP authentication. 55 + pub async fn post<B: Serialize + Sync>( 56 + &self, 57 + path: &str, 58 + body: &B, 59 + ) -> Result<Response, OAuthError> { 60 + let url = format!("{}/{}", self.base_url, path.trim_start_matches('/')); 61 + self.execute_with_retry(reqwest::Method::POST, &url, Some(body)) 62 + .await 63 + } 64 + 65 + // ── Internal ────────────────────────────────────────────────────────────── 66 + 67 + /// Build and send a request with DPoP headers, retrying once on `use_dpop_nonce`. 68 + async fn execute_with_retry<B: Serialize + Sync>( 69 + &self, 70 + method: reqwest::Method, 71 + url: &str, 72 + body: Option<&B>, 73 + ) -> Result<Response, OAuthError> { 74 + // Lazy refresh before reading the access token. 75 + self.maybe_refresh_token().await?; 76 + 77 + let nonce_opt = { 78 + let s = self.session.lock().unwrap(); 79 + s.dpop_nonce.clone() 80 + }; 81 + 82 + let resp = self 83 + .send_with_dpop(&method, url, body, nonce_opt.as_deref()) 84 + .await?; 85 + 86 + // On use_dpop_nonce, extract the server nonce, update session, retry once. 87 + if resp.status().as_u16() == 400 { 88 + // Peek at the error body to check for use_dpop_nonce. 89 + let maybe_nonce = resp 90 + .headers() 91 + .get("DPoP-Nonce") 92 + .and_then(|v| v.to_str().ok()) 93 + .map(str::to_string); 94 + 95 + if let Some(fresh_nonce) = maybe_nonce { 96 + { 97 + let mut s = self.session.lock().unwrap(); 98 + s.dpop_nonce = Some(fresh_nonce.clone()); 99 + } 100 + tracing::debug!(nonce = %fresh_nonce, "retrying request with server DPoP nonce"); 101 + // Do NOT re-check expiry on the retry — avoid double-refresh. 102 + return self 103 + .send_with_dpop(&method, url, body, Some(&fresh_nonce)) 104 + .await; 105 + } 106 + } 107 + 108 + Ok(resp) 109 + } 110 + 111 + /// Send a single request with `Authorization: DPoP` and `DPoP: {proof}` headers. 112 + async fn send_with_dpop<B: Serialize + Sync>( 113 + &self, 114 + method: &reqwest::Method, 115 + url: &str, 116 + body: Option<&B>, 117 + nonce: Option<&str>, 118 + ) -> Result<Response, OAuthError> { 119 + let (access_token, ath) = { 120 + let s = self.session.lock().unwrap(); 121 + let ath = DPoPKeypair::compute_ath(&s.access_token); 122 + (s.access_token.clone(), ath) 123 + }; 124 + 125 + let proof = self 126 + .dpop 127 + .make_proof(method.as_str(), url, nonce, Some(&ath))?; 128 + 129 + let mut builder = match method { 130 + m if *m == reqwest::Method::GET => self.inner.get(url), 131 + m if *m == reqwest::Method::POST => self.inner.post(url), 132 + _ => return Err(OAuthError::NotAuthenticated), 133 + }; 134 + 135 + builder = builder 136 + .header("Authorization", format!("DPoP {access_token}")) 137 + .header("DPoP", &proof); 138 + 139 + if let (Some(b), m) = (body, method) { 140 + if *m == reqwest::Method::POST { 141 + builder = builder.json(b); 142 + } 143 + } 144 + 145 + builder.send().await.map_err(|e| { 146 + tracing::error!(error = %e, "OAuthClient request network error"); 147 + OAuthError::NotAuthenticated 148 + }) 149 + } 150 + 151 + /// Refresh the access token if it expires within the next 60 seconds. 152 + async fn maybe_refresh_token(&self) -> Result<(), OAuthError> { 153 + let should_refresh = { 154 + let s = self.session.lock().unwrap(); 155 + let now = std::time::SystemTime::now() 156 + .duration_since(std::time::UNIX_EPOCH) 157 + .unwrap_or_default() 158 + .as_secs(); 159 + s.expires_at < now + 60 160 + }; 161 + 162 + if should_refresh { 163 + self.refresh_token().await?; 164 + } 165 + Ok(()) 166 + } 167 + 168 + /// POST `/oauth/token` with `grant_type=refresh_token` — no `ath` claim in DPoP proof. 169 + /// 170 + /// Updates `self.session` with the new tokens and persists to Keychain. 171 + /// Surfaces all errors to the caller — no silent swallowing. 172 + pub async fn refresh_token(&self) -> Result<(), OAuthError> { 173 + let (refresh_token, nonce_opt) = { 174 + let s = self.session.lock().unwrap(); 175 + (s.refresh_token.clone(), s.dpop_nonce.clone()) 176 + }; 177 + 178 + let token_htu = format!("{}/oauth/token", self.base_url); 179 + let proof = self 180 + .dpop 181 + .make_proof("POST", &token_htu, nonce_opt.as_deref(), None)?; 182 + 183 + let resp = self 184 + .inner 185 + .post(&token_htu) 186 + .header("DPoP", &proof) 187 + .form(&[ 188 + ("grant_type", "refresh_token"), 189 + ("refresh_token", refresh_token.as_str()), 190 + ("client_id", "dev.malpercio.identitywallet"), 191 + ]) 192 + .send() 193 + .await 194 + .map_err(|e| { 195 + tracing::error!(error = %e, "token refresh network error"); 196 + OAuthError::TokenRefreshFailed 197 + })?; 198 + 199 + // On use_dpop_nonce from the refresh endpoint, retry once with the nonce. 200 + if resp.status().as_u16() == 400 { 201 + let retry_nonce = resp 202 + .headers() 203 + .get("DPoP-Nonce") 204 + .and_then(|v| v.to_str().ok()) 205 + .map(str::to_string); 206 + 207 + if let Some(nonce_val) = retry_nonce { 208 + let proof2 = self 209 + .dpop 210 + .make_proof("POST", &token_htu, Some(&nonce_val), None)?; 211 + let resp2 = self 212 + .inner 213 + .post(&token_htu) 214 + .header("DPoP", &proof2) 215 + .form(&[ 216 + ("grant_type", "refresh_token"), 217 + ("refresh_token", refresh_token.as_str()), 218 + ("client_id", "dev.malpercio.identitywallet"), 219 + ]) 220 + .send() 221 + .await 222 + .map_err(|_| OAuthError::TokenRefreshFailed)?; 223 + 224 + if resp2.status().as_u16() == 200 { 225 + return self.apply_token_response(resp2).await; 226 + } 227 + let body = resp2.text().await.unwrap_or_default(); 228 + tracing::error!(body = %body, "token refresh failed after nonce retry"); 229 + return Err(OAuthError::TokenRefreshFailed); 230 + } 231 + let body = resp.text().await.unwrap_or_default(); 232 + tracing::error!(body = %body, "token refresh 400 without nonce header"); 233 + return Err(OAuthError::TokenRefreshFailed); 234 + } 235 + 236 + if resp.status().as_u16() != 200 { 237 + let body = resp.text().await.unwrap_or_default(); 238 + tracing::error!(body = %body, "token refresh failed"); 239 + return Err(OAuthError::TokenRefreshFailed); 240 + } 241 + 242 + self.apply_token_response(resp).await 243 + } 244 + 245 + /// Construct with a custom base URL and pre-built keypair (test use only). 246 + #[cfg(test)] 247 + pub fn new_for_test( 248 + keypair: DPoPKeypair, 249 + session: Arc<Mutex<OAuthSession>>, 250 + base_url: String, 251 + ) -> Self { 252 + Self { 253 + inner: Client::new(), 254 + dpop: keypair, 255 + session, 256 + base_url, 257 + } 258 + } 259 + 260 + /// Deserialize a 200 token response and update session + Keychain. 261 + async fn apply_token_response(&self, resp: Response) -> Result<(), OAuthError> { 262 + // Capture the DPoP-Nonce header before consuming the response body. 263 + let new_nonce = resp 264 + .headers() 265 + .get("DPoP-Nonce") 266 + .and_then(|v| v.to_str().ok()) 267 + .map(str::to_string); 268 + 269 + let token_resp: crate::http::TokenResponse = resp.json().await.map_err(|e| { 270 + tracing::error!(error = %e, "token refresh response deserialization failed"); 271 + OAuthError::TokenRefreshFailed 272 + })?; 273 + 274 + let expires_at = std::time::SystemTime::now() 275 + .duration_since(std::time::UNIX_EPOCH) 276 + .unwrap_or_default() 277 + .as_secs() 278 + + token_resp.expires_in; 279 + 280 + crate::keychain::store_oauth_tokens(&token_resp.access_token, &token_resp.refresh_token) 281 + .map_err(|_| OAuthError::KeychainError)?; 282 + 283 + let mut s = self.session.lock().unwrap(); 284 + s.access_token = token_resp.access_token; 285 + s.refresh_token = token_resp.refresh_token; 286 + s.expires_at = expires_at; 287 + s.dpop_nonce = new_nonce; 288 + 289 + tracing::info!("access token refreshed"); 290 + Ok(()) 291 + } 292 + } 293 + 294 + #[cfg(test)] 295 + mod tests { 296 + use super::*; 297 + use httpmock::prelude::*; 298 + 299 + fn make_session(access: &str, refresh: &str, expires_in_secs: u64) -> Arc<Mutex<OAuthSession>> { 300 + let now = std::time::SystemTime::now() 301 + .duration_since(std::time::UNIX_EPOCH) 302 + .unwrap() 303 + .as_secs(); 304 + Arc::new(Mutex::new(OAuthSession { 305 + access_token: access.to_string(), 306 + refresh_token: refresh.to_string(), 307 + expires_at: now + expires_in_secs, 308 + dpop_nonce: None, 309 + })) 310 + } 311 + 312 + fn token_response_body() -> serde_json::Value { 313 + serde_json::json!({ 314 + "access_token": "new_access_token", 315 + "token_type": "DPoP", 316 + "expires_in": 300, 317 + "refresh_token": "new_refresh_token", 318 + "scope": "atproto" 319 + }) 320 + } 321 + 322 + #[tokio::test] 323 + async fn dpop_and_authorization_headers_present_on_get() { 324 + // Verifies: Every request carries Authorization: DPoP {token} and DPoP: {proof} 325 + let server = MockServer::start(); 326 + server.mock(|when, then| { 327 + when.method(GET).path("/resource"); 328 + then.status(200).body("ok"); 329 + }); 330 + 331 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 332 + let session = make_session("my_access_token", "my_refresh_token", 300); 333 + let client = OAuthClient::new_for_test(keypair, session, server.base_url()); 334 + 335 + let resp = client.get("/resource").await.expect("GET must succeed"); 336 + assert_eq!(resp.status().as_u16(), 200); 337 + } 338 + 339 + #[tokio::test] 340 + async fn nonce_retry_sends_exactly_two_requests() { 341 + // Verifies: use_dpop_nonce 400 triggers one retry; second success returns response 342 + let server = MockServer::start(); 343 + 344 + // Create a mock that returns 400 on the first call with a nonce, then 200 on retry 345 + // httpmock processes mocks in FIFO order, so the first mock blocks until it's hit 346 + let _mock1 = server.mock(|when, then| { 347 + when.method(GET).path("/resource"); 348 + then.status(400).header("DPoP-Nonce", "test-server-nonce"); 349 + }); 350 + 351 + let _mock2 = server.mock(|when, then| { 352 + when.method(GET).path("/resource"); 353 + then.status(200).body("ok"); 354 + }); 355 + 356 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 357 + let session = make_session("my_access_token", "my_refresh_token", 300); 358 + let client = OAuthClient::new_for_test(keypair, session, server.base_url()); 359 + 360 + let resp = client 361 + .get("/resource") 362 + .await 363 + .expect("GET must succeed after retry"); 364 + assert_eq!(resp.status().as_u16(), 200); 365 + } 366 + 367 + #[tokio::test] 368 + async fn empty_access_token_does_not_panic() { 369 + // Verifies: Cleared session (empty access_token) must not panic 370 + let server = MockServer::start(); 371 + server.mock(|when, then| { 372 + when.method(GET).path("/resource"); 373 + then.status(401); 374 + }); 375 + 376 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 377 + let session = make_session("", "my_refresh_token", 300); 378 + let client = OAuthClient::new_for_test(keypair, session, server.base_url()); 379 + 380 + // Should return a response (401) without panicking — the auth error comes from the server. 381 + let resp = client.get("/resource").await.expect("must not panic"); 382 + assert_eq!( 383 + resp.status().as_u16(), 384 + 401, 385 + "empty token produces a server-side auth error" 386 + ); 387 + } 388 + 389 + #[tokio::test] 390 + async fn lazy_refresh_fires_when_expiry_near() { 391 + // Verifies: expires_at < now + 60 triggers refresh before the request 392 + let server = MockServer::start(); 393 + 394 + // Refresh endpoint returns new tokens. 395 + server.mock(|when, then| { 396 + when.method(POST).path("/oauth/token"); 397 + then.status(200).json_body(token_response_body()); 398 + }); 399 + 400 + // Resource endpoint (called after refresh). 401 + server.mock(|when, then| { 402 + when.method(GET).path("/resource"); 403 + then.status(200).body("ok"); 404 + }); 405 + 406 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 407 + // Token expires in 30 seconds — below the 60-second refresh threshold. 408 + let session = make_session("old_access_token", "my_refresh_token", 30); 409 + let client = OAuthClient::new_for_test(keypair, session.clone(), server.base_url()); 410 + 411 + client.get("/resource").await.expect("request must succeed"); 412 + 413 + // Verify session was updated with the new token. 414 + let updated = session.lock().unwrap(); 415 + assert_eq!( 416 + updated.access_token, "new_access_token", 417 + "session must have new token" 418 + ); 419 + } 420 + 421 + #[tokio::test] 422 + async fn refresh_dpop_proof_has_no_ath_claim() { 423 + // Verifies: Refresh grant DPoP proof must not include ath (no access token in hand) 424 + let server = MockServer::start(); 425 + 426 + server.mock(|when, then| { 427 + when.method(POST).path("/oauth/token"); 428 + then.status(200).json_body(token_response_body()); 429 + }); 430 + 431 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 432 + // Session near expiry to trigger refresh. 433 + let session = make_session("old_token", "my_refresh_token", 30); 434 + let client = OAuthClient::new_for_test(keypair, session, server.base_url()); 435 + 436 + // This test verifies refresh succeeds; the absence of ath is verified 437 + // by the make_proof method which omits ath when ath_opt is None. 438 + client.refresh_token().await.expect("refresh must succeed"); 439 + } 440 + 441 + #[tokio::test] 442 + async fn refresh_invalid_grant_returns_token_refresh_failed() { 443 + // Verifies: Relay returns invalid_grant → Err(TokenRefreshFailed), not silent swallow 444 + let server = MockServer::start(); 445 + 446 + server.mock(|when, then| { 447 + when.method(POST).path("/oauth/token"); 448 + then.status(400).json_body(serde_json::json!({ 449 + "error": "invalid_grant", 450 + "error_description": "refresh token expired" 451 + })); 452 + }); 453 + 454 + let keypair = DPoPKeypair::get_or_create().expect("keypair must exist"); 455 + let session = make_session("my_token", "my_refresh_token", 30); 456 + let client = OAuthClient::new_for_test(keypair, session, server.base_url()); 457 + 458 + let result = client.refresh_token().await; 459 + assert!( 460 + matches!(result, Err(OAuthError::TokenRefreshFailed)), 461 + "invalid_grant must surface as TokenRefreshFailed, got: {:?}", 462 + result 463 + ); 464 + } 465 + }