Struct TokenAuthenticator 

pub struct TokenAuthenticator { /* private fields */ }

Available on crate feature auth-token only.

A production-ready, time-limited signed-token authenticator (feature = "auth-token").

A token binds a StreamKey to an expiry under an HMAC-SHA-256 signature, so it cannot be forged without the shared secret nor replayed past its deadline. The wire form is:

<expiry_unix_seconds>:<hex(hmac_sha256(secret, "app/stream:expiry"))>

Mint tokens out-of-band (e.g. in your sign-in / “get publish URL” endpoint) with sign; the engine verifies them on the publish path — and, when gate_playback is set, the play path too. Verification is constant-time and pulls in no crypto dependency (the HMAC is a small, test-vector-checked in-crate implementation).

use arcly_stream::auth::TokenAuthenticator;
use arcly_stream::StreamKey;

let auth = TokenAuthenticator::new("super-secret");
let key = StreamKey::new("live", "cam-1");
// Mint a token valid until some absolute Unix time:
let token = auth.sign(&key, 9_999_999_999);
assert!(auth.verify(&key, &token).is_ok());
// A token for a different stream is rejected:
assert!(auth.verify(&StreamKey::new("live", "other"), &token).is_err());

Implementations

impl TokenAuthenticator

pub fn new(secret: impl Into<Vec<u8>>) -> Self

New authenticator keyed by secret. Gates publish only by default; call gate_playback to gate play as well.

pub fn gate_playback(self, gate: bool) -> Self

Also require a valid token to play (subscribe), not just publish.

pub fn sign(&self, key: &StreamKey, expires_at: u64) -> String

Mint a token authorizing key until expires_at (Unix seconds).

pub fn verify(&self, key: &StreamKey, token: &str) -> Result<()>

Verify token against key and the current wall clock. Returns StreamError::Unauthorized on a malformed, expired, or mis-signed token.

Trait Implementations

impl StreamAuthenticator for TokenAuthenticator

fn authorize_publish<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, key: &'life1 StreamKey, creds: &'life2 Credentials, ) -> Pin<Box<dyn Future<Output = Result<()>> + Send + 'async_trait>>

where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait,

Decide whether creds may publish to key. Return StreamError::Unauthorized to reject.

fn authorize_play<'life0, 'life1, 'life2, 'async_trait>( &'life0 self, key: &'life1 StreamKey, creds: &'life2 Credentials, ) -> Pin<Box<dyn Future<Output = Result<()>> + Send + 'async_trait>>

where Self: 'async_trait, 'life0: 'async_trait, 'life1: 'async_trait, 'life2: 'async_trait,

Decide whether creds may subscribe to key.