ppoppo-sdk-core 0.2.0

Internal shared primitives for the Ppoppo SDK family (pas-external, pas-plims, pcs-external) — verifier port, audit trait, session liveness port, OIDC discovery, perimeter Bearer-auth Layer kit, identity types. Not a stable public API; do not depend on this crate directly. Consume the SDK crates that re-export from it (e.g. `pas-external`).
//! [`BearerAuthConfig`] — per-consumer cookie name + clearance closure.

use std::sync::Arc;

use axum_extra::extract::cookie::CookieJar;

/// Per-consumer cookie configuration carried into
/// [`super::BearerAuthLayer`].
///
/// The Layer uses [`Self::access_cookie_name`] as the fallback bearer
/// source (when `Authorization` is absent) and the [`Self::on_clear`]
/// closure to mint Set-Cookie removals on dead-session 401s. Cookies
/// with the `__Host-` prefix are bound to the exact host per
/// RFC 6265bis; each consumer owns its `__Host-*_at` literal in its
/// own `cookies` module.
///
/// Cloning is cheap: the derived `Clone` copies the `&'static str` and
/// bumps the `Arc` refcount, so every clone shares the same closure.
///
/// NOTE(review): with the cookie fallback the browser attaches the
/// token on its own, so routes behind the Layer are only as safe
/// against cross-site requests as the cookie's `SameSite` setting and
/// any CSRF check the consumer adds. Neither is visible from this
/// type; confirm in each consumer's `cookies` module.
#[derive(Clone)]
pub struct BearerAuthConfig {
    /// Cookie name carrying the Bearer token in browser contexts —
    /// e.g. `"__Host-pcs_at"` (chat-auth), `"__Host-rcw_at"` (RCW),
    /// `"__Host-ctw_at"` (CTW).
    ///
    /// The field is a plain `&'static str`; nothing in this type
    /// checks that the name actually carries the `__Host-` prefix.
    pub access_cookie_name: &'static str,
    /// Add-based session-cookie clearance closure. Invoked on
    /// dead-session 401 with a fresh [`CookieJar`]; the returned jar's
    /// add-list becomes the response's Set-Cookie headers. Consumers
    /// typically wrap their `cookies::clear_session_cookies` helper
    /// (which clears AT + RT, and possibly CSRF in future).
    ///
    /// For a `__Host-` name the removal cookie must itself be sent
    /// with `Secure`, `Path=/` and no `Domain` attribute; a browser
    /// rejects a Set-Cookie that breaks the prefix rules, which would
    /// leave the dead session's token in place. Whether a given
    /// consumer's helper does this cannot be seen from here — verify
    /// it there.
    pub on_clear: Arc<dyn Fn(CookieJar) -> CookieJar + Send + Sync>,
}

impl BearerAuthConfig {
    /// Assemble a [`BearerAuthConfig`] from its two parts.
    ///
    /// Both arguments are stored as given. The constructor performs no
    /// validation: it does not check the cookie name for a `__Host-`
    /// prefix and does not inspect what the closure puts in the jar.
    ///
    /// * `access_cookie_name` — name of the cookie read as the bearer
    ///   fallback.
    /// * `on_clear` — closure that fills a [`CookieJar`] with the
    ///   session-cookie removals.
    #[must_use]
    pub fn new(
        access_cookie_name: &'static str,
        on_clear: Arc<dyn Fn(CookieJar) -> CookieJar + Send + Sync>,
    ) -> Self {
        BearerAuthConfig {
            on_clear,
            access_cookie_name,
        }
    }
}