Skip to main content

arete_auth/
token.rs

1use crate::claims::{AuthContext, SessionClaims};
2use crate::error::VerifyError;
3use crate::keys::{SigningKey, VerifyingKey};
4use base64::Engine;
5use serde::{Deserialize, Serialize};
6use serde_json;
7
8/// JWT Header for EdDSA (Ed25519) tokens
9#[derive(Debug, Clone, Serialize, Deserialize)]
10struct JwtHeader {
11    alg: String,
12    typ: String,
13    #[serde(skip_serializing_if = "Option::is_none")]
14    kid: Option<String>,
15}
16
17impl Default for JwtHeader {
18    fn default() -> Self {
19        Self {
20            alg: "EdDSA".to_string(),
21            typ: "JWT".to_string(),
22            kid: None,
23        }
24    }
25}
26
27/// Token signer for issuing session tokens using Ed25519 (EdDSA)
28pub struct TokenSigner {
29    signing_key: SigningKey,
30    issuer: String,
31}
32
33impl TokenSigner {
34    /// Create a new token signer with an Ed25519 signing key
35    ///
36    /// Uses EdDSA (Ed25519) for asymmetric signing. This is the recommended
37    /// algorithm for production use as it provides better security than HMAC.
38    pub fn new(signing_key: SigningKey, issuer: impl Into<String>) -> Self {
39        Self {
40            signing_key,
41            issuer: issuer.into(),
42        }
43    }
44
45    /// Sign a session token using Ed25519
46    pub fn sign(&self, claims: SessionClaims) -> Result<String, TokenError> {
47        // Create header with key ID
48        let header = JwtHeader {
49            kid: Some(self.signing_key.key_id()),
50            ..Default::default()
51        };
52
53        // Encode header
54        let header_json = serde_json::to_string(&header)?;
55        let header_b64 =
56            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(header_json.as_bytes());
57
58        // Encode claims
59        let claims_json = serde_json::to_string(&claims)?;
60        let claims_b64 =
61            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(claims_json.as_bytes());
62
63        // Create message to sign
64        let message = format!("{}.{}", header_b64, claims_b64);
65
66        // Sign with Ed25519
67        let signature = self.signing_key.sign(message.as_bytes());
68        let signature_b64 =
69            base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(signature.to_bytes());
70
71        // Combine into JWT
72        Ok(format!("{}.{}.{}", header_b64, claims_b64, signature_b64))
73    }
74
75    /// Get the issuer
76    pub fn issuer(&self) -> &str {
77        &self.issuer
78    }
79}
80
81/// Token error type
82#[derive(Debug)]
83pub enum TokenError {
84    Serialization(serde_json::Error),
85    Base64(base64::DecodeError),
86    InvalidFormat(String),
87}
88
89impl std::fmt::Display for TokenError {
90    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
91        match self {
92            TokenError::Serialization(e) => write!(f, "Serialization error: {}", e),
93            TokenError::Base64(e) => write!(f, "Base64 error: {}", e),
94            TokenError::InvalidFormat(s) => write!(f, "Invalid format: {}", s),
95        }
96    }
97}
98
99impl std::error::Error for TokenError {}
100
101impl From<serde_json::Error> for TokenError {
102    fn from(e: serde_json::Error) -> Self {
103        TokenError::Serialization(e)
104    }
105}
106
107impl From<base64::DecodeError> for TokenError {
108    fn from(e: base64::DecodeError) -> Self {
109        TokenError::Base64(e)
110    }
111}
112
113/// Token verifier for validating session tokens using Ed25519 (EdDSA)
114pub struct TokenVerifier {
115    verifying_key: VerifyingKey,
116    issuer: String,
117    audience: String,
118    require_origin: bool,
119    require_client_ip: bool,
120}
121
122impl TokenVerifier {
123    /// Create a new token verifier with an Ed25519 verifying key
124    ///
125    /// Uses EdDSA (Ed25519) for asymmetric signature verification.
126    /// This is the recommended algorithm for production use.
127    pub fn new(
128        verifying_key: VerifyingKey,
129        issuer: impl Into<String>,
130        audience: impl Into<String>,
131    ) -> Self {
132        Self {
133            verifying_key,
134            issuer: issuer.into(),
135            audience: audience.into(),
136            require_origin: false,
137            require_client_ip: false,
138        }
139    }
140
141    /// Require origin validation
142    pub fn with_origin_validation(mut self) -> Self {
143        self.require_origin = true;
144        self
145    }
146
147    /// Require client IP validation
148    pub fn with_client_ip_validation(mut self) -> Self {
149        self.require_client_ip = true;
150        self
151    }
152
153    /// Verify a token and return the auth context
154    ///
155    /// # Arguments
156    /// * `token` - The JWT token to verify
157    /// * `expected_origin` - Optional expected origin for origin validation
158    /// * `expected_client_ip` - Optional expected client IP for IP binding validation
159    pub fn verify(
160        &self,
161        token: &str,
162        expected_origin: Option<&str>,
163        expected_client_ip: Option<&str>,
164    ) -> Result<AuthContext, VerifyError> {
165        // Split token into parts
166        let parts: Vec<&str> = token.split('.').collect();
167        if parts.len() != 3 {
168            return Err(VerifyError::InvalidFormat("Invalid JWT format".to_string()));
169        }
170
171        let header_b64 = parts[0];
172        let claims_b64 = parts[1];
173        let signature_b64 = parts[2];
174
175        // Decode and verify header
176        let header_json = base64::engine::general_purpose::URL_SAFE_NO_PAD
177            .decode(header_b64)
178            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid header base64: {}", e)))?;
179        let header: JwtHeader = serde_json::from_slice(&header_json)
180            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid header JSON: {}", e)))?;
181
182        if header.alg != "EdDSA" {
183            return Err(VerifyError::InvalidFormat(format!(
184                "Unsupported algorithm: {}",
185                header.alg
186            )));
187        }
188
189        // Decode claims
190        let claims_json = base64::engine::general_purpose::URL_SAFE_NO_PAD
191            .decode(claims_b64)
192            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid claims base64: {}", e)))?;
193        let claims: SessionClaims = serde_json::from_slice(&claims_json)
194            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid claims JSON: {}", e)))?;
195
196        // Decode signature
197        let signature_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD
198            .decode(signature_b64)
199            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid signature base64: {}", e)))?;
200        if signature_bytes.len() != 64 {
201            return Err(VerifyError::InvalidFormat(
202                "Invalid signature length".to_string(),
203            ));
204        }
205        let signature = ed25519_dalek::Signature::from_bytes(&signature_bytes.try_into().unwrap());
206
207        // Verify signature
208        let message = format!("{}.{}", header_b64, claims_b64);
209        self.verifying_key
210            .verify(message.as_bytes(), &signature)
211            .map_err(|_| VerifyError::InvalidSignature)?;
212
213        // Check issuer
214        if claims.iss != self.issuer {
215            return Err(VerifyError::InvalidIssuer);
216        }
217
218        // Check audience
219        if claims.aud != self.audience {
220            return Err(VerifyError::InvalidAudience);
221        }
222
223        // Check expiration
224        use std::time::{SystemTime, UNIX_EPOCH};
225        let now = SystemTime::now()
226            .duration_since(UNIX_EPOCH)
227            .expect("time should not be before epoch")
228            .as_secs();
229
230        if claims.exp <= now {
231            return Err(VerifyError::Expired);
232        }
233
234        if claims.nbf > now {
235            return Err(VerifyError::NotYetValid);
236        }
237
238        // Validate origin if required or if token has origin binding
239        let token_has_origin = claims.origin.is_some();
240        let origin_provided = expected_origin.is_some();
241
242        if token_has_origin && origin_provided {
243            // Token is origin-bound and origin was provided - validate they match
244            let expected = expected_origin.unwrap();
245            let actual = claims.origin.as_ref().unwrap();
246
247            if actual != expected {
248                return Err(VerifyError::OriginMismatch {
249                    expected: expected.to_string(),
250                    actual: actual.clone(),
251                });
252            }
253        } else if token_has_origin && self.require_origin {
254            // Token has origin but none was provided, and origin is required
255            return Err(VerifyError::OriginRequired {
256                token_origin: claims.origin.as_ref().unwrap().clone(),
257            });
258        } else if !token_has_origin && self.require_origin {
259            // Verifier requires origin but token doesn't have one bound
260            return Err(VerifyError::MissingClaim("origin".to_string()));
261        }
262        // If token has origin but none provided, and origin is NOT required,
263        // we allow the connection (defense-in-depth is optional)
264
265        // Validate client IP if required
266        if self.require_client_ip {
267            if let Some(expected) = expected_client_ip {
268                match &claims.client_ip {
269                    Some(actual) if actual == expected => {}
270                    Some(actual) => {
271                        return Err(VerifyError::OriginMismatch {
272                            expected: expected.to_string(),
273                            actual: actual.clone(),
274                        });
275                    }
276                    None => {
277                        return Err(VerifyError::MissingClaim("client_ip".to_string()));
278                    }
279                }
280            } else if claims.client_ip.is_none() {
281                return Err(VerifyError::MissingClaim("client_ip".to_string()));
282            }
283        }
284
285        Ok(AuthContext::from_claims(claims))
286    }
287
288    /// Get the expected issuer
289    pub fn issuer(&self) -> &str {
290        &self.issuer
291    }
292
293    /// Get the expected audience
294    pub fn audience(&self) -> &str {
295        &self.audience
296    }
297}
298
299/// JWKS structure for key rotation
300#[derive(Debug, Clone, Deserialize)]
301pub struct Jwks {
302    pub keys: Vec<Jwk>,
303}
304
305#[derive(Debug, Clone, Deserialize)]
306pub struct Jwk {
307    pub kty: String,
308    #[serde(rename = "use")]
309    pub use_: Option<String>,
310    pub kid: String,
311    pub x: String, // Base64-encoded public key
312}
313
314/// Token verifier with JWKS support for key rotation
315#[derive(Clone)]
316pub struct JwksVerifier {
317    jwks: Jwks,
318    issuer: String,
319    audience: String,
320    require_origin: bool,
321}
322
323impl JwksVerifier {
324    /// Create a new JWKS verifier
325    pub fn new(jwks: Jwks, issuer: impl Into<String>, audience: impl Into<String>) -> Self {
326        Self {
327            jwks,
328            issuer: issuer.into(),
329            audience: audience.into(),
330            require_origin: false,
331        }
332    }
333
334    /// Require origin validation
335    pub fn with_origin_validation(mut self) -> Self {
336        self.require_origin = true;
337        self
338    }
339
340    /// Verify a token using the appropriate key from JWKS
341    pub fn verify(
342        &self,
343        token: &str,
344        expected_origin: Option<&str>,
345        expected_client_ip: Option<&str>,
346    ) -> Result<AuthContext, VerifyError> {
347        // Decode header to get kid
348        let parts: Vec<&str> = token.split('.').collect();
349        if parts.len() != 3 {
350            return Err(VerifyError::InvalidFormat("Invalid JWT format".to_string()));
351        }
352
353        let header_json = base64::engine::general_purpose::URL_SAFE_NO_PAD
354            .decode(parts[0])
355            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid header: {}", e)))?;
356        let header: JwtHeader = serde_json::from_slice(&header_json)
357            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid header JSON: {}", e)))?;
358
359        let kid = header
360            .kid
361            .ok_or_else(|| VerifyError::MissingClaim("kid".to_string()))?;
362
363        // Find the key
364        let jwk = self
365            .jwks
366            .keys
367            .iter()
368            .find(|k| k.kid == kid)
369            .ok_or(VerifyError::KeyNotFound(kid))?;
370
371        // Decode the public key from hex (first 16 chars of hex = 8 bytes of key id)
372        // Actually, we need to decode the full public key from the JWKS
373        // The JWKS should contain the full base64-encoded public key
374        let public_key_bytes = base64::engine::general_purpose::URL_SAFE_NO_PAD
375            .decode(&jwk.x)
376            .map_err(|_| VerifyError::InvalidFormat("Invalid public key base64".to_string()))?;
377
378        let public_key: [u8; 32] = public_key_bytes
379            .try_into()
380            .map_err(|_| VerifyError::InvalidFormat("Invalid key length".to_string()))?;
381
382        // Create verifier for this key
383        let verifying_key = VerifyingKey::from_bytes(&public_key)
384            .map_err(|e| VerifyError::InvalidFormat(e.to_string()))?;
385
386        let verifier = if self.require_origin {
387            TokenVerifier::new(verifying_key, &self.issuer, &self.audience).with_origin_validation()
388        } else {
389            TokenVerifier::new(verifying_key, &self.issuer, &self.audience)
390        };
391
392        verifier.verify(token, expected_origin, expected_client_ip)
393    }
394
395    /// Fetch JWKS from a URL
396    #[cfg(feature = "jwks")]
397    pub async fn fetch_jwks(url: &str) -> Result<Jwks, reqwest::Error> {
398        let response = reqwest::get(url).await?;
399        let jwks: Jwks = response.json().await?;
400        Ok(jwks)
401    }
402}
403
404#[cfg(test)]
405/// HMAC-based verifier for tests only
406pub struct HmacVerifier {
407    _secret: Vec<u8>,
408    _issuer: String,
409    _audience: String,
410}
411
412#[cfg(test)]
413impl HmacVerifier {
414    /// Create a new HMAC verifier (dev only)
415    pub fn new(
416        secret: impl Into<Vec<u8>>,
417        issuer: impl Into<String>,
418        audience: impl Into<String>,
419    ) -> Self {
420        Self {
421            _secret: secret.into(),
422            _issuer: issuer.into(),
423            _audience: audience.into(),
424        }
425    }
426
427    /// Verify a token using HMAC
428    pub fn verify(
429        &self,
430        token: &str,
431        _expected_origin: Option<&str>,
432    ) -> Result<AuthContext, VerifyError> {
433        // Split token
434        let parts: Vec<&str> = token.split('.').collect();
435        if parts.len() != 3 {
436            return Err(VerifyError::InvalidFormat("Invalid JWT format".to_string()));
437        }
438
439        // For HMAC, we'd need to verify the HMAC signature
440        // This is a simplified implementation - in practice you'd use hmac-sha256
441        // For now, just decode the claims without verification (dev only!)
442        let claims_json = base64::engine::general_purpose::URL_SAFE_NO_PAD
443            .decode(parts[1])
444            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid claims: {}", e)))?;
445        let claims: SessionClaims = serde_json::from_slice(&claims_json)
446            .map_err(|e| VerifyError::InvalidFormat(format!("Invalid claims JSON: {}", e)))?;
447
448        Ok(AuthContext::from_claims(claims))
449    }
450}
451
452#[cfg(test)]
453mod tests {
454    use super::*;
455    use crate::claims::{KeyClass, Limits};
456
457    fn create_test_claims() -> SessionClaims {
458        SessionClaims::builder("test-issuer", "test-subject", "test-audience")
459            .with_ttl(300)
460            .with_scope("read")
461            .with_metering_key("meter-123")
462            .with_key_class(KeyClass::Publishable)
463            .with_limits(Limits {
464                max_connections: Some(10),
465                max_subscriptions: Some(100),
466                max_snapshot_rows: Some(1000),
467                max_messages_per_minute: Some(1000),
468                max_bytes_per_minute: Some(10_000_000),
469                max_http_requests_per_minute: Some(300),
470                max_http_batch_addresses: Some(100),
471            })
472            .build()
473    }
474
475    #[test]
476    fn test_sign_and_verify() {
477        // Generate keys
478        let signing_key = crate::keys::SigningKey::generate();
479        let verifying_key = signing_key.verifying_key();
480
481        // Create signer and verifier
482        let signer = TokenSigner::new(signing_key, "test-issuer");
483        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience");
484
485        // Sign token
486        let claims = create_test_claims();
487        let token = signer.sign(claims.clone()).unwrap();
488
489        // Verify token
490        let context = verifier.verify(&token, None, None).unwrap();
491
492        assert_eq!(context.subject, "test-subject");
493        assert_eq!(context.issuer, "test-issuer");
494        assert_eq!(context.metering_key, "meter-123");
495    }
496
497    #[test]
498    fn test_expired_token() {
499        let signing_key = crate::keys::SigningKey::generate();
500        let verifying_key = signing_key.verifying_key();
501
502        let signer = TokenSigner::new(signing_key, "test-issuer");
503        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience");
504
505        // Create expired claims
506        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
507            .with_ttl(0) // Already expired
508            .with_scope("read")
509            .with_metering_key("meter-123")
510            .with_key_class(KeyClass::Publishable)
511            .build();
512
513        let token = signer.sign(claims).unwrap();
514
515        // Should fail with expired error
516        let result = verifier.verify(&token, None, None);
517        assert!(matches!(result, Err(VerifyError::Expired)));
518    }
519
520    #[test]
521    fn test_invalid_signature() {
522        let signing_key = crate::keys::SigningKey::generate();
523        let wrong_signing_key = crate::keys::SigningKey::generate();
524        let wrong_verifying_key = wrong_signing_key.verifying_key();
525
526        let signer = TokenSigner::new(signing_key, "test-issuer");
527        let verifier = TokenVerifier::new(wrong_verifying_key, "test-issuer", "test-audience");
528
529        let claims = create_test_claims();
530        let token = signer.sign(claims).unwrap();
531
532        // Should fail with invalid signature
533        let result = verifier.verify(&token, None, None);
534        assert!(matches!(result, Err(VerifyError::InvalidSignature)));
535    }
536
537    #[test]
538    fn test_wrong_issuer() {
539        let signing_key = crate::keys::SigningKey::generate();
540        let verifying_key = signing_key.verifying_key();
541
542        let signer = TokenSigner::new(signing_key, "wrong-issuer");
543        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience");
544
545        // Create claims with the wrong issuer
546        let claims = SessionClaims::builder("wrong-issuer", "test-subject", "test-audience")
547            .with_ttl(300)
548            .with_scope("read")
549            .with_metering_key("meter-123")
550            .with_key_class(KeyClass::Publishable)
551            .build();
552        let token = signer.sign(claims).unwrap();
553
554        // Should fail with invalid issuer
555        let result = verifier.verify(&token, None, None);
556        assert!(matches!(result, Err(VerifyError::InvalidIssuer)));
557    }
558
559    #[test]
560    fn test_wrong_audience() {
561        let signing_key = crate::keys::SigningKey::generate();
562        let verifying_key = signing_key.verifying_key();
563
564        let signer = TokenSigner::new(signing_key, "test-issuer");
565        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "expected-audience");
566
567        let claims = SessionClaims::builder("test-issuer", "test-subject", "wrong-audience")
568            .with_ttl(300)
569            .with_scope("read")
570            .with_metering_key("meter-123")
571            .with_key_class(KeyClass::Publishable)
572            .build();
573        let token = signer.sign(claims).unwrap();
574
575        let result = verifier.verify(&token, None, None);
576        assert!(matches!(result, Err(VerifyError::InvalidAudience)));
577    }
578
579    #[test]
580    fn test_origin_mismatch() {
581        let signing_key = crate::keys::SigningKey::generate();
582        let verifying_key = signing_key.verifying_key();
583
584        let signer = TokenSigner::new(signing_key, "test-issuer");
585        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience")
586            .with_origin_validation();
587
588        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
589            .with_ttl(300)
590            .with_scope("read")
591            .with_metering_key("meter-123")
592            .with_origin("https://allowed.example")
593            .with_key_class(KeyClass::Publishable)
594            .build();
595        let token = signer.sign(claims).unwrap();
596
597        let result = verifier.verify(&token, Some("https://other.example"), None);
598        assert!(matches!(result, Err(VerifyError::OriginMismatch { .. })));
599    }
600
601    #[test]
602    fn test_origin_validation_success() {
603        let signing_key = crate::keys::SigningKey::generate();
604        let verifying_key = signing_key.verifying_key();
605
606        let signer = TokenSigner::new(signing_key, "test-issuer");
607        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience")
608            .with_origin_validation();
609
610        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
611            .with_ttl(300)
612            .with_scope("read")
613            .with_metering_key("meter-123")
614            .with_origin("https://allowed.example")
615            .with_key_class(KeyClass::Publishable)
616            .build();
617        let token = signer.sign(claims).unwrap();
618
619        let context = verifier
620            .verify(&token, Some("https://allowed.example"), None)
621            .unwrap();
622        assert_eq!(context.origin.as_deref(), Some("https://allowed.example"));
623    }
624
625    #[test]
626    fn test_origin_validation_requires_origin_claim() {
627        let signing_key = crate::keys::SigningKey::generate();
628        let verifying_key = signing_key.verifying_key();
629
630        let signer = TokenSigner::new(signing_key, "test-issuer");
631        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience")
632            .with_origin_validation();
633
634        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
635            .with_ttl(300)
636            .with_scope("read")
637            .with_metering_key("meter-123")
638            .with_key_class(KeyClass::Publishable)
639            .build();
640        let token = signer.sign(claims).unwrap();
641
642        let result = verifier.verify(&token, None, None);
643        assert!(matches!(
644            result,
645            Err(VerifyError::MissingClaim(ref claim)) if claim == "origin"
646        ));
647    }
648
649    #[test]
650    fn test_client_ip_validation_requires_client_ip_claim() {
651        let signing_key = crate::keys::SigningKey::generate();
652        let verifying_key = signing_key.verifying_key();
653
654        let signer = TokenSigner::new(signing_key, "test-issuer");
655        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience")
656            .with_client_ip_validation();
657
658        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
659            .with_ttl(300)
660            .with_scope("read")
661            .with_metering_key("meter-123")
662            .with_key_class(KeyClass::Publishable)
663            .build();
664        let token = signer.sign(claims).unwrap();
665
666        let result = verifier.verify(&token, None, None);
667        assert!(matches!(
668            result,
669            Err(VerifyError::MissingClaim(ref claim)) if claim == "client_ip"
670        ));
671    }
672
673    #[test]
674    fn test_origin_bound_token_allows_no_origin_when_not_required() {
675        // This tests the non-browser client scenario (Rust, Python, etc.)
676        // where the client doesn't send an Origin header, but the JWT has
677        // an origin claim from when the token was minted via browser/API.
678        // When require_origin is false, the connection should still be allowed
679        // for defense-in-depth flexibility.
680        let signing_key = crate::keys::SigningKey::generate();
681        let verifying_key = signing_key.verifying_key();
682
683        let signer = TokenSigner::new(signing_key, "test-issuer");
684        // Verifier WITHOUT origin validation (the default for public stacks)
685        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience");
686
687        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
688            .with_ttl(300)
689            .with_scope("read")
690            .with_metering_key("meter-123")
691            .with_origin("https://example.com") // Token has origin claim
692            .with_key_class(KeyClass::Publishable)
693            .build();
694        let token = signer.sign(claims).unwrap();
695
696        // No origin provided, but require_origin is false - should succeed
697        let context = verifier.verify(&token, None, None).unwrap();
698        assert_eq!(context.origin.as_deref(), Some("https://example.com"));
699    }
700
701    #[test]
702    fn test_origin_bound_token_validates_when_origin_provided_even_when_not_required() {
703        // When origin IS provided, it should still be validated against the token
704        // even when require_origin is false (defense-in-depth)
705        let signing_key = crate::keys::SigningKey::generate();
706        let verifying_key = signing_key.verifying_key();
707
708        let signer = TokenSigner::new(signing_key, "test-issuer");
709        // Verifier WITHOUT origin validation (the default)
710        let verifier = TokenVerifier::new(verifying_key, "test-issuer", "test-audience");
711
712        let claims = SessionClaims::builder("test-issuer", "test-subject", "test-audience")
713            .with_ttl(300)
714            .with_scope("read")
715            .with_metering_key("meter-123")
716            .with_origin("https://allowed.example")
717            .with_key_class(KeyClass::Publishable)
718            .build();
719        let token = signer.sign(claims).unwrap();
720
721        // Origin provided and matches - should succeed
722        let context = verifier
723            .verify(&token, Some("https://allowed.example"), None)
724            .unwrap();
725        assert_eq!(context.origin.as_deref(), Some("https://allowed.example"));
726
727        // Origin provided but doesn't match - should fail
728        let result = verifier.verify(&token, Some("https://evil.example"), None);
729        assert!(matches!(result, Err(VerifyError::OriginMismatch { .. })));
730    }
731}