firebase-admin 0.2.0

An open-source Firebase Admin SDK for Rust, starting with Authentication
Documentation
[graph]
targets = []

[advisories]
version = 2
ignore = [
    # RUSTSEC-2023-0071 (Marvin Attack: RSA timing sidechannel), pulled in
    # transitively via jsonwebtoken's `rust_crypto` backend (the `rsa`
    # crate). No fixed version exists upstream (RustCrypto/RSA has not
    # shipped a constant-time mitigation as of this writing) and switching
    # to jsonwebtoken's `aws_lc_rs` backend to avoid it would add a C/cmake
    # build dependency. Accepted risk: exploiting this requires an attacker
    # who can trigger many RSA signing operations (create_custom_token,
    # create_session_cookie) against a running service and measure response
    # timing with high precision over the network — signature *verification*
    # (the majority of this crate's RSA usage) is unaffected, since it only
    # uses the public key and has no secret-dependent timing to attack.
    # Revisit if RustCrypto ships a fix, or if usage patterns change to make
    # remote timing measurement more practical (e.g. a public unauthenticated
    # endpoint that triggers signing per-request).
    "RUSTSEC-2023-0071",
]

[licenses]
version = 2
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-3.0",
    "Zlib",
    "CC0-1.0",
    # Data-distribution license (not a software license) used by
    # webpki-roots, which bundles Mozilla's root CA certificates; permissive,
    # no copyleft, no patent restrictions. Standard in the Rust ecosystem —
    # rustls itself allowlists it for the same crate.
    "CDLA-Permissive-2.0",
]

[bans]
multiple-versions = "warn"
wildcards = "deny"

[sources]
unknown-registry = "deny"
unknown-git = "deny"