## Summary

- Adds `crates/relay/src/auth/mod.rs` with `AuthenticatedUser` as an Axum `FromRequestParts` extractor — the first extractor in this codebase, enabling handlers to declare auth via function parameters
- Validates HS256 JWT signature, `exp` (zero leeway), `aud` (when `server_did` configured), and `sub`; maps `ExpiredSignature` → `TOKEN_EXPIRED`, all other failures → `INVALID_TOKEN`, missing header → `AUTHENTICATION_REQUIRED`
- Full DPoP proof validation (RFC 9449): JWK thumbprint (RFC 7638), `htm`/`htu` claim checks, `iat` freshness window, `cnf.jkt` binding against access token
- New `AuthenticationRequired` and `InvalidToken` error codes in `common`; `jwt_secret: [u8; 32]` added to `AppState` (generated via `OsRng` at startup, ephemeral)

## Test plan

- `cargo test --package relay` — 243 tests pass, 0 failures
- Missing `Authorization` header → 401 `AUTHENTICATION_REQUIRED`
- Wrong `Bearer` scheme (e.g. `Token abc`) → 401 `AUTHENTICATION_REQUIRED`
- Malformed JWT / wrong signature → 401 `INVALID_TOKEN`
- Expired token (leeway = 0) → 401 `TOKEN_EXPIRED`
- Unknown scope string → 401 `INVALID_TOKEN`
- Valid access token → 200 with correct DID and `Access` scope
- Valid refresh token → 200 with `Refresh` scope
- DPoP header present but access token missing `cnf` claim → 401 `INVALID_TOKEN`
- RFC 7638 RSA thumbprint test vector passes
- EC thumbprint format: 43-char base64url, stable across runs
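
The DPoP claim checks listed in the summary (`htm`/`htu`, `iat` freshness, `cnf.jkt` binding), sketched as an added example that is not code from this PR. All type and function names and the 60-second window are assumptions, and the proof signature and RFC 7638 thumbprint are taken as already computed.

```rust
// Added illustration: every name here is hypothetical, not the relay crate's API.
#[derive(Debug, PartialEq)]
pub enum DpopError { MethodMismatch, UriMismatch, StaleProof, MissingCnf, KeyMismatch }

/// Claims of a DPoP proof whose signature was already verified against its
/// embedded JWK; `jwk_thumbprint` is that key's RFC 7638 thumbprint.
pub struct DpopProof<'a> { pub htm: &'a str, pub htu: &'a str, pub iat: i64, pub jwk_thumbprint: &'a str }

/// Assumed freshness window in seconds; the PR does not state the relay's value.
pub const IAT_WINDOW_SECS: i64 = 60;

/// RFC 9449 compares `htu` with the request URI minus query and fragment.
fn without_query_fragment(uri: &str) -> &str {
    uri.split(|c: char| c == '?' || c == '#').next().unwrap_or(uri)
}

pub fn check_dpop_claims(
    proof: &DpopProof,
    token_cnf_jkt: Option<&str>, // `cnf.jkt` from the access token, if present
    method: &str,
    request_uri: &str,
    now: i64, // current Unix time in seconds
) -> Result<(), DpopError> {
    // HTTP method names are case-sensitive, so compare exactly.
    if proof.htm != method {
        return Err(DpopError::MethodMismatch);
    }
    if without_query_fragment(proof.htu) != without_query_fragment(request_uri) {
        return Err(DpopError::UriMismatch);
    }
    // Reject proofs that are too old and proofs dated too far in the future.
    if (now - proof.iat).abs() > IAT_WINDOW_SECS {
        return Err(DpopError::StaleProof);
    }
    // A proof only counts if the access token is bound to the proof key.
    let bound = token_cnf_jkt.ok_or(DpopError::MissingCnf)?;
    if bound != proof.jwk_thumbprint {
        return Err(DpopError::KeyMismatch);
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not taken from the relay's test suite.
    let proof = DpopProof { htm: "POST", htu: "https://relay.example/resource", iat: 1_700_000_000, jwk_thumbprint: "thumbprint-A" };
    let r = check_dpop_claims(&proof, Some("thumbprint-A"), "POST", "https://relay.example/resource?x=1", 1_700_000_030);
    println!("{:?}", r);
}
```

Per the test plan, the relay reports the `MissingCnf` case as 401 `INVALID_TOKEN`; how the other failures are reported is not stated in this description.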