
canic_core/api/auth/
token.rs

1//! Module: api::auth::token
2//!
3//! Responsibility: adapt issuer-local delegated-token endpoint calls.
4//! Does not own: endpoint authorization, token verification internals, or stable records.
5//! Boundary: checks issuer feature/config gates and delegates to auth ops/workflow.
6
7use super::AuthApi;
8use crate::{
9    dto::{
10        auth::{
11            ActiveDelegationProofStatusResponse, DelegatedToken, DelegatedTokenGetRequest,
12            DelegatedTokenPrepareRequest, DelegatedTokenPrepareResponse,
13            InstallActiveDelegationProofRequest, InstallActiveDelegationProofResponse,
14        },
15        error::Error,
16    },
17    ops::{auth::AuthOps, ic::IcOps},
18    workflow::runtime::auth::RuntimeAuthWorkflow,
19};
20
impl AuthApi {
    /// Prepare a delegated token from the issuer-local active delegation proof.
    ///
    /// The issuer gate is checked first, so the workflow is never reached when
    /// the gate rejects the call. No caller check is performed in this
    /// function; the request is handed to [`RuntimeAuthWorkflow`] unchanged.
    ///
    /// # Errors
    ///
    /// Returns the gate's error when the issuer gate rejects the call, or the
    /// workflow's error after translation by `map_auth_error`.
    pub async fn prepare_delegated_token(
        request: DelegatedTokenPrepareRequest,
    ) -> Result<DelegatedTokenPrepareResponse, Error> {
        Self::require_delegated_token_issuer_enabled()?;

        let prepared = RuntimeAuthWorkflow::prepare_delegated_token(request).await;
        prepared.map_err(Self::map_auth_error)
    }

    /// Retrieve a prepared delegated token with its issuer canister-signature proof.
    ///
    /// The lookup is keyed by `request.claims_hash` and the message caller
    /// reported by [`IcOps::msg_caller`]; both are forwarded to [`AuthOps`].
    // NOTE(review): presumably AuthOps only releases a token to the caller that
    // prepared it; that check is not visible here, so confirm it in the ops layer.
    ///
    /// # Errors
    ///
    /// Returns the gate's error when the issuer gate rejects the call, or the
    /// ops-layer error after translation by `map_auth_error`.
    pub fn get_delegated_token(request: DelegatedTokenGetRequest) -> Result<DelegatedToken, Error> {
        Self::require_delegated_token_issuer_enabled()?;

        let claims_hash = request.claims_hash;
        let caller = IcOps::msg_caller();

        AuthOps::get_delegated_token_issuer_proof(claims_hash, caller)
            .map_err(Self::map_auth_error)
    }

    /// Install validated root-certified delegation material for issuer-local token issuance.
    ///
    /// This function does not inspect the proof itself: `request.proof` and the
    /// message caller are passed to [`AuthOps`], and whatever that call returns
    /// becomes the `active_proof` field of the response.
    // NOTE(review): proof validation and the decision about which callers may
    // install a proof are expected to happen inside AuthOps; confirm there,
    // because nothing in this function would reject an untrusted installer.
    ///
    /// # Errors
    ///
    /// Returns the gate's error when the issuer gate rejects the call, or the
    /// ops-layer error after translation by `map_auth_error`.
    pub fn install_active_delegation_proof(
        request: InstallActiveDelegationProofRequest,
    ) -> Result<InstallActiveDelegationProofResponse, Error> {
        Self::require_delegated_token_issuer_enabled()?;

        let installer = IcOps::msg_caller();

        AuthOps::install_active_delegation_proof(request.proof, installer)
            .map(|active_proof| InstallActiveDelegationProofResponse { active_proof })
            .map_err(Self::map_auth_error)
    }

    /// Report non-secret issuer-local active proof lifecycle status for operators.
    ///
    /// The status is computed against the current time from
    /// [`IcOps::now_nanos`]. The caller identity is not read or forwarded, so
    /// any restriction to operators has to be enforced by the endpoint that
    /// exposes this method.
    ///
    /// # Errors
    ///
    /// Returns the gate's error when the issuer gate rejects the call; the
    /// status lookup itself is infallible at this layer.
    pub fn active_delegation_proof_status() -> Result<ActiveDelegationProofStatusResponse, Error> {
        Self::require_delegated_token_issuer_enabled()?;

        let now_ns = IcOps::now_nanos();
        let status = AuthOps::active_delegation_proof_status(now_ns);
        Ok(status)
    }
}