ApiKeyManagerV0

api_keys_simplified

Struct ApiKeyManagerV0 

Source 
pub struct ApiKeyManagerV0 { /* private fields */ }
Expand description

ApiKeyManager is storable object used to generate and verify API keys. It contains immutable config data necessary to operate. It does NOT contain ANY sensitive data.

Implementations§

Source§

impl ApiKeyManagerV0

Auto-generated by derive_getters::Getters.

Source

pub fn hasher(&self) -> &KeyHasher

Get field hasher from instance of ApiKeyManagerV0.

Source§

impl ApiKeyManagerV0

Source

pub fn init( prefix: impl Into<String>, config: KeyConfig, hash_config: HashConfig, expiry_grace_period: Duration, ) -> Result<Self, InitError>

Source

pub fn init_default_config(prefix: impl Into<String>) -> Result<Self, InitError>

Source

pub fn init_high_security_config( prefix: impl Into<String>, ) -> Result<Self, InitError>

Source

pub fn generate( &self, environment: impl Into<Environment>, ) -> Result<ApiKey<Hash>>

Generates a new API key for the specified environment.

The generated key includes a checksum (if enabled) for fast DoS protection.

§Example
let key = manager.generate(Environment::production())?;
println!("Key: {}", key.key().expose_secret());
Source

pub fn generate_with_expiry( &self, environment: impl Into<Environment>, expiry: DateTime<Utc>, ) -> Result<ApiKey<Hash>>

Generates a new API key with an expiration timestamp.

The expiration is embedded in the key itself, making it stateless. Keys are automatically rejected after the expiry time without database lookups.

§Use Cases
  • Trial keys (7-30 days)
  • Temporary partner access
  • Time-limited API access
§Example
// Create a 7-day trial key
let expiry = Utc::now() + Duration::days(7);
let key = manager.generate_with_expiry(Environment::production(), expiry)?;
Source

pub fn verify( &self, key: &SecureString, stored_hash: impl AsRef<str>, ) -> Result<KeyStatus>

Verifies an API key against a stored hash.

Returns KeyStatus indicating whether the key is valid or invalid.

§Parameters
  • key - The API key to verify
  • stored_hash - The Argon2 hash stored in your database
  • expiry_grace_period - Optional grace period duration after expiry.
    • None: Skip expiry validation (all keys treated as non-expired)
    • Some(Duration::ZERO): Strict expiry check (no grace period)
    • Some(duration): Key remains valid for duration after its expiry time

The grace period protects against clock skew issues. Once a key expires beyond the grace period, it stays expired even if the system clock goes backwards.

§Security Flow
  1. Checksum validation (if enabled): Rejects invalid keys in ~20μs
  2. Argon2 verification: Verifies hash for valid checksums (~300ms)
  3. Expiry check: Returns Invalid if expired beyond grace period
§Returns
  • KeyStatus::Valid - Key is valid and not expired
  • KeyStatus::Invalid - Key is invalid (wrong key, hash mismatch, checksum failed, or expired)
§Note on Revocation

This method does NOT check revocation status. To implement key revocation:

  1. Mark the hash as revoked in your database
  2. Check revocation status before calling this method
  3. Only call verify() for non-revoked hashes
§Example
match manager.verify(key.key(), key.hash())? {
    KeyStatus::Valid => { /* grant access */ },
    KeyStatus::Invalid => { /* reject - wrong key or expired */ },
}
Source

pub fn verify_checksum(&self, key: &SecureString) -> Result<bool>

Trait Implementations§

Source§

impl Clone for ApiKeyManagerV0

Source§

fn clone(&self) -> ApiKeyManagerV0

Returns a duplicate of the value. Read more
1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.