canic_core/api/access/
token.rs

1use crate::{
2    cdk::types::Principal,
3    dto::{
4        auth::{DelegatedToken, DelegatedTokenClaims, DelegationCert, DelegationProof},
5        error::Error,
6    },
7    error::InternalErrorClass,
8    ops::auth::DelegatedTokenOps,
9};
10
///
/// DelegatedTokenApi
///
/// Stateless entry point for signing and verifying delegation proofs and
/// delegated tokens. Its associated functions forward to `DelegatedTokenOps`
/// and convert internal failures into the public DTO `Error`.
///

pub struct DelegatedTokenApi;
16
impl DelegatedTokenApi {
    /// Convert an internal error into the public DTO `Error`.
    ///
    /// Errors classed as `Infra`, `Ops` or `Workflow` are reported through
    /// `Error::internal` with the error's display text; every other class is
    /// converted with `Error::from`.
    // NOTE(review): the display text of internal-class errors is forwarded to
    // the caller unchanged; confirm it carries no implementation detail that
    // should stay behind the API boundary.
    fn map_token_error(err: crate::InternalError) -> Error {
        let is_internal_class = matches!(
            err.class(),
            InternalErrorClass::Infra | InternalErrorClass::Ops | InternalErrorClass::Workflow
        );

        if is_internal_class {
            Error::internal(err.to_string())
        } else {
            Error::from(err)
        }
    }

    /// Sign a delegation cert and return the resulting proof.
    ///
    /// Forwards to `DelegatedTokenOps::sign_delegation_cert`; failures are
    /// converted by `map_token_error`.
    pub fn sign_delegation_cert(cert: DelegationCert) -> Result<DelegationProof, Error> {
        match DelegatedTokenOps::sign_delegation_cert(cert) {
            Ok(proof) => Ok(proof),
            Err(err) => Err(Self::map_token_error(err)),
        }
    }

    /// Verify a delegation proof in full (structure + signature).
    ///
    /// Verification is purely local: no certified data is read and no query
    /// context is needed.
    // NOTE(review): `authority_pid` looks like the principal the proof is
    // checked against; it should come from trusted configuration rather than
    // from the proof being verified. Confirm against the ops layer.
    pub fn verify_delegation_proof(
        proof: &DelegationProof,
        authority_pid: Principal,
    ) -> Result<(), Error> {
        let outcome = DelegatedTokenOps::verify_delegation_proof(proof, authority_pid);

        match outcome {
            Ok(done) => Ok(done),
            Err(err) => Err(Self::map_token_error(err)),
        }
    }

    /// Sign a delegated token from a token version, claims and a delegation
    /// proof.
    ///
    /// Forwards to `DelegatedTokenOps::sign_token`; failures are converted by
    /// `map_token_error`.
    pub fn sign_token(
        token_version: u16,
        claims: DelegatedTokenClaims,
        proof: DelegationProof,
    ) -> Result<DelegatedToken, Error> {
        match DelegatedTokenOps::sign_token(token_version, claims, proof) {
            Ok(token) => Ok(token),
            Err(err) => Err(Self::map_token_error(err)),
        }
    }

    /// Verify a delegated token in full (structure + signature).
    ///
    /// Verification is purely local: no certified data is read and no query
    /// context is needed. The verified value is dropped; call
    /// `verify_token_claims` when the claims are needed afterwards.
    // NOTE(review): `now_secs` is supplied by the caller and is presumably the
    // reference time for validity checks; pass a trusted clock reading, never
    // a value taken from the request. Confirm against the ops layer.
    pub fn verify_token(
        token: &DelegatedToken,
        authority_pid: Principal,
        now_secs: u64,
    ) -> Result<(), Error> {
        match DelegatedTokenOps::verify_token(token, authority_pid, now_secs) {
            Ok(_) => Ok(()),
            Err(err) => Err(Self::map_token_error(err)),
        }
    }

    /// Run full token verification and hand back the verified claims.
    ///
    /// Verification is purely local: no certified data is read and no query
    /// context is needed. The claims returned are the ones on the value that
    /// `DelegatedTokenOps::verify_token` produced.
    // NOTE(review): as with `verify_token`, `authority_pid` and `now_secs`
    // are presumably trust inputs and should not be derived from the token
    // under verification. Confirm against the ops layer.
    pub fn verify_token_claims(
        token: &DelegatedToken,
        authority_pid: Principal,
        now_secs: u64,
    ) -> Result<DelegatedTokenClaims, Error> {
        match DelegatedTokenOps::verify_token(token, authority_pid, now_secs) {
            Ok(verified) => Ok(verified.claims),
            Err(err) => Err(Self::map_token_error(err)),
        }
    }
}