cf-modkit-auth 0.5.0

ModKit authentication library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

use serde::Deserialize;

pub use modkit_utils::SecretString;

/// `OAuth2` client authentication method.
#[derive(Debug, Default, Clone, Copy, PartialEq, Eq)]
pub enum ClientAuthMethod {
    /// HTTP Basic authentication (RFC 6749 §2.3.1).
    /// `Authorization: Basic base64(client_id:client_secret)`
    #[default]
    Basic,
    /// Credentials in the request body (RFC 6749 §2.3.1 alternative).
    /// `client_id` and `client_secret` as form fields.
    Form,
}

/// Deserialized `OAuth2` token endpoint response.
///
/// Only the fields required by the client credentials flow are included.
/// Unknown fields are silently ignored during deserialization.
///
/// **Intentionally `Deserialize`-only** — `Serialize` is not derived to
/// prevent accidental serialization of access tokens into logs or
/// error messages.
#[derive(Deserialize)]
pub(crate) struct TokenResponse {
    /// The access token issued by the authorization server.
    pub access_token: String,
    /// The lifetime in seconds of the access token (optional per RFC 6749).
    #[serde(default)]
    pub expires_in: Option<u64>,
    /// The type of the token issued (optional; must be "Bearer" if present).
    #[serde(default)]
    pub token_type: Option<String>,
}

#[cfg(test)]
#[cfg_attr(coverage_nightly, coverage(off))]
mod tests {
    use super::*;

    #[test]
    fn default_auth_method_is_basic() {
        assert_eq!(ClientAuthMethod::default(), ClientAuthMethod::Basic);
    }

    #[test]
    fn deserialize_full_response() {
        let json = r#"{"access_token":"tok","expires_in":3600,"token_type":"Bearer"}"#;
        let r: TokenResponse = serde_json::from_str(json).unwrap();
        assert_eq!(r.access_token, "tok");
        assert_eq!(r.expires_in, Some(3600));
        assert_eq!(r.token_type.as_deref(), Some("Bearer"));
    }

    #[test]
    fn deserialize_minimal_response() {
        let json = r#"{"access_token":"tok"}"#;
        let r: TokenResponse = serde_json::from_str(json).unwrap();
        assert_eq!(r.access_token, "tok");
        assert!(r.expires_in.is_none());
        assert!(r.token_type.is_none());
    }

    #[test]
    fn deserialize_ignores_unknown_fields() {
        let json = r#"{"access_token":"tok","scope":"read","refresh_token":"rt"}"#;
        let r: TokenResponse = serde_json::from_str(json).unwrap();
        assert_eq!(r.access_token, "tok");
    }
}