pas-external 0.12.0

Ppoppo Accounts System (PAS) external SDK — OAuth2 PKCE, JWT verification port, Axum middleware, session liveness
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55

//! Session liveness — two complementary axes.
//!
//! # Per-request session-row check ([`SessionLiveness`])
//!
//! Phase 11.Z 0.10.0 (RFC_2026-05-08 §4.2 lock). The verifier-side L2
//! port: "is the bearer token's session row still alive in the
//! consumer's own DB?" Wired into
//! [`crate::JwtVerifier::with_session_liveness`]. Always available
//! (no feature gate) — the port itself has no AES / OAuth deps.
//!
//! # Periodic PAS refresh-token check (`feature = "session-liveness"`)
//!
//! When a consumer persists PAS `refresh_token`s server-side and treats
//! PAS as the single source of truth for session validity, the code path
//! is always the same:
//!
//! 1. Encrypt the `refresh_token` at rest.
//! 2. Periodically ask PAS "is this session still live?" via
//!    [`attempt_liveness_refresh`].
//! 3. Distinguish a *revoked* session from a *transient* failure.
//!
//! This half ships behind `feature = "session-liveness"`:
//!
//! - [`TokenCipher`] — AES-256-GCM wrapper for at-rest encryption.
//! - [`LivenessOutcome`] — classification of a single liveness attempt.
//! - [`attempt_liveness_refresh`] — the decrypt → call PAS →
//!   re-encrypt sequence wrapped as one call. Generic over
//!   `P: PasAuthPort`.
//!
//! See `pas_external::pas_port` for the underlying port.
//!
//! Both halves answer "is this user's session valid?" at different
//! layers and cadences — one shared umbrella module keeps the surface
//! coherent. The 0.10.0 lookup port has no `aes-gcm` / `oauth`
//! transitive deps, so consumers can use L2 row-checks without pulling
//! the AES wrapper.

// `SessionLiveness` + `SessionLivenessError` — the per-request L2 row
// liveness port — are migrated to `ppoppo-sdk-core::session_liveness`
// in Phase A so multiple SDK crates and 1st-party services consume one
// shared trait. Re-exported here so `pas_external::session_liveness::*`
// + `pas_external::SessionLiveness` keep the same surface.
pub use ::ppoppo_sdk_core::session_liveness::{SessionLiveness, SessionLivenessError};

#[cfg(feature = "session-liveness")]
mod cipher;
#[cfg(feature = "session-liveness")]
mod liveness;

#[cfg(feature = "session-liveness")]
pub use cipher::{CipherError, EncryptedRefreshToken, TokenCipher};
#[cfg(feature = "session-liveness")]
pub use liveness::{
    LivenessFailure, LivenessOutcome, RevokeCause, TransientCause, attempt_liveness_refresh,
};