pas-external 0.10.0

Ppoppo Accounts System (PAS) external SDK — OAuth2 PKCE, JWT verification port, Axum middleware, session liveness
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99

#![doc = include_str!("../README.md")]

pub mod audit;
// `epoch` re-exports the engine `EpochRevocation` port + ships the
// canonical adapter set (Phase 11.Z, RFC_2026-05-09 §3.5). Gated on
// `well-known-fetch` because the engine port itself needs `token` and
// the original `UserinfoFetcher` (deleted in 0.10.0) required the HTTP
// client (`oauth`) — both implied by the `well-known-fetch` flag.
// `SharedCacheCache` (0.10.0, RFC_2026-05-08 §4.1) requires the
// additional `shared-cache` feature for the `ppoppo-infra` adapter dep.
#[cfg(feature = "well-known-fetch")]
pub mod epoch;
pub mod error;
// `oauth` is the OAuth2 wire-DTO + AuthClient adapter used internally by
// `oidc::RelyingParty`. As of 0.8.0 it is `pub(crate)` — consumers reach
// the OIDC RP composition root (`oidc::RelyingParty<S>`) and never the
// raw OAuth surface. See `oidc::RefreshOutcome` for the boundary type at
// `RelyingParty::refresh`.
#[cfg(feature = "oauth")]
pub(crate) mod oauth;
#[cfg(feature = "token")]
pub mod oidc;
#[cfg(feature = "oauth")]
pub mod pas_port;
// `pkce` primitives (`generate_state`, `generate_code_verifier`,
// `generate_code_challenge`) are SDK plumbing — `oidc::RelyingParty::start`
// consumes them internally and exposes the resulting state via
// `AuthorizationRedirect`. As of 0.8.0 the module is `pub(crate)`.
#[cfg(feature = "oauth")]
pub(crate) mod pkce;
// `session_liveness` is intentionally ungated at module level — the
// 0.10.0 `SessionLiveness` port has no AES / OAuth deps and ships
// regardless of feature configuration so the verifier slot
// (`PasJwtVerifier::with_session_liveness`) can reference it under
// just `feature = "well-known-fetch"`. Internal sub-modules
// (`cipher`, `liveness`) remain gated on `feature = "session-liveness"`
// for the AES wrapper + PAS refresh-token check.
pub mod session_liveness;
#[cfg(feature = "token")]
pub mod token;
pub mod types;

// Test-support helpers. `FakePasServer` is the SDK-owned wiremock-wrapped
// fake PAS Authorization Server, replacing the 0.7.x
// `RelyingParty::for_test_with_parts` escape hatch. Consumer integration
// tests construct a real `RelyingParty::new(...)` against
// `FakePasServer.issuer_url()` so production and test go through the same
// public interface.
#[cfg(feature = "test-support")]
pub mod test_support;

// Re-exports for convenient access
pub use audit::{
    AuditEvent, AuditSink, IdTokenFailureKind, MemoryRateLimiter, NoopAuditSink, RateLimitKey,
    RateLimitedAuditSink, RateLimiter, VerifyErrorKind, compose_id_token_source_id,
    compose_source_id,
};
#[cfg(any(test, feature = "test-support"))]
pub use audit::MemoryAuditSink;
pub use error::{Error, TokenError};
// 0.10.0 — ungated L2 verifier-slot port (RFC_2026-05-08 §4.2 lock).
pub use session_liveness::{SessionLiveness, SessionLivenessError};
#[cfg(feature = "session-liveness")]
pub use session_liveness::{
    CipherError, EncryptedRefreshToken, LivenessFailure, LivenessOutcome, RevokeCause,
    TokenCipher, TransientCause, attempt_liveness_refresh,
};
// γ port-and-adapter — Phase 6.1 (D-04 = γ, locked 2026-05-05).
// `KeySet`, `PublicKey`, `VerifiedClaims`, `verify_v4_*`,
// `parse_public_key_hex`, `extract_unverified_kid`, and the
// `WellKnownPaseto*` types from 0.5 are removed — see CHANGELOG 0.6.0.
#[cfg(feature = "token")]
pub use token::{AuthSession, BearerVerifier, Expectations, VerifyError};
#[cfg(feature = "well-known-fetch")]
pub use token::PasJwtVerifier;
// Re-export gated on BOTH `token` (the source module) AND
// `test-support` / `cfg(test)` (the consumer-facing flag). Pre-9.C
// the cfg was just `any(test, feature = "test-support")` which broke
// `--no-default-features --features test-support` builds because the
// `token` module itself is gated `feature = "token"`. Tightening
// here is a feature-matrix correctness fix; semantics under default
// features (where `token` is on) are unchanged.
#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use token::MemoryBearerVerifier;
// OIDC RP surface — composition root + post-verify shapes + ports.
// `RelyingParty<S>` is the consumer-facing entry point; `RefreshOutcome`
// is the typed boundary return for `RelyingParty::refresh` (replaces
// the 0.7.x `oauth::TokenResponse` re-export).
#[cfg(feature = "token")]
pub use oidc::{Address, IdAssertion, IdTokenVerifier, IdVerifyError, Nonce, ScopePiiReader};
#[cfg(all(feature = "token", any(test, feature = "test-support")))]
pub use oidc::MemoryIdTokenVerifier;
pub use types::{KeyId, Ppnum, PpnumId, SessionId, UserId};
// `Url` is consumer-facing via `Config::new(client_id, redirect_uri: Url, ...)`
// and `Discovery::for_test`. Re-exported so consumers reach the same `url`
// crate version the SDK uses without separately tracking it in their
// Cargo.toml.
#[cfg(feature = "oauth")]
pub use url::Url;