ppoppo-token 0.2.0

//! Per-request id_token verification configuration.
//!
//! ── Composition ────────────────────────────────────────────────────────
//!
//! JOSE-shared fields (`issuer`, `audience`, `expected_typ`,
//! `max_token_size`, `algorithms`) live in `engine::SharedVerifyConfig`
//! and are reached via `self.shared`. OIDC-specific axes
//! (`expected_nonce`, `max_age`, `acr_values`) stay on this struct.
//! Symmetric to `access_token::VerifyConfig`'s replay/session/epoch
//! ports — neither profile imports the other's policy axes.
//!
//! ── Required vs Phase-deferred fields ───────────────────────────────────
//!
//! * `expected_nonce` — required at construction. M66 binding is *not*
//!   opt-in: the OIDC profile mandates nonce when the RP sent one in
//!   the auth request, and the engine refuses to verify without one to
//!   prevent a footgun where a misconfigured config silently skips the
//!   gate.
//! * `max_age` / `acr_values` — `Option<...>` placeholders. Phase 10.6
//!   (M70) and 10.7 (M71) wire their consumption; until then they're
//!   inert. Pre-pinning the field shape now means those rows are
//!   commits that *populate*, not commits that *re-shape* the struct.

use super::Nonce;
use crate::algorithm::Algorithm;
use crate::engine::shared_config::SharedVerifyConfig;

#[derive(Debug, Clone)]
#[allow(dead_code)] // max_age/acr_values consumed in Phase 10.6/10.7
pub struct VerifyConfig {
    pub(crate) shared: SharedVerifyConfig,

    /// M66 — RP-stored nonce. Required field; construction goes through
    /// `VerifyConfig::id_token(...)` which takes a `Nonce`.
    pub(crate) expected_nonce: Nonce,

    /// M67 — when `Some(token)`, the engine compares the payload's
    /// `at_hash` claim against `SHA-256(token)[..16]` base64url-no-pad.
    /// Set via `with_access_token_binding`; populated by RPs that
    /// receive both id_token and access_token in the same response
    /// (hybrid + implicit flows, OIDC Core §3.1.3.8). When `None`, the
    /// engine does not inspect `at_hash` — pure code flow consumers
    /// (RCW/CTW today) leave this unset.
    pub(crate) expected_access_token: Option<String>,

    /// M68 — when `Some(code)`, the engine compares the payload's
    /// `c_hash` claim against `SHA-256(code)[..16]` base64url-no-pad.
    /// Set via `with_authorization_code_binding`; populated by RPs that
    /// receive both id_token and authorization_code in the same response
    /// (hybrid flow, OIDC Core §3.3.2.11). When `None`, the engine does
    /// not inspect `c_hash`.
    pub(crate) expected_authorization_code: Option<String>,

    /// Phase 10.6 (M70) — when `Some(n)`, refuses tokens whose
    /// `auth_time` is more than `n` seconds in the past.
    pub(crate) max_age: Option<i64>,

    /// Phase 10.7 (M71) — when `Some(values)`, refuses tokens whose
    /// `acr` is not in `values`.
    pub(crate) acr_values: Option<Vec<String>>,
}

impl VerifyConfig {
    /// Canonical id_token config: `JWT` typ (distinct from access
    /// token's `at+jwt`), EdDSA-only algorithm whitelist, 8 KB token
    /// size cap, RP-stored `expected_nonce` required.
    pub fn id_token(
        issuer: impl Into<String>,
        audience: impl Into<String>,
        expected_nonce: Nonce,
    ) -> Self {
        Self {
            shared: SharedVerifyConfig::new(
                issuer,
                audience,
                "JWT",
                8 * 1024,
                vec![Algorithm::EdDSA],
            ),
            expected_nonce,
            expected_access_token: None,
            expected_authorization_code: None,
            max_age: None,
            acr_values: None,
        }
    }

    /// Override the algorithm whitelist. Test-only escape hatch —
    /// production callers MUST go through `id_token` so EdDSA is the
    /// default, not an override.
    #[must_use]
    pub fn with_algorithms(mut self, algorithms: Vec<Algorithm>) -> Self {
        self.shared.algorithms = algorithms;
        self
    }

    /// M67 — bind verification to the access_token the RP just received.
    /// On verify, the engine asserts
    /// `payload.at_hash == base64url(SHA-256(access_token)[..16])`.
    /// Required when the response carries both id_token and access_token
    /// (hybrid flow `code id_token token`, implicit `id_token token`).
    /// Pure code flow consumers do not call this.
    #[must_use]
    pub fn with_access_token_binding(mut self, access_token: impl Into<String>) -> Self {
        self.expected_access_token = Some(access_token.into());
        self
    }

    /// M68 — bind verification to the authorization code the RP just
    /// received at the redirect_uri. On verify, the engine asserts
    /// `payload.c_hash == base64url(SHA-256(code)[..16])`. Required when
    /// the hybrid response carries both id_token and code
    /// (`code id_token`, `code id_token token`). Pure implicit-flow
    /// consumers do not call this.
    #[must_use]
    pub fn with_authorization_code_binding(mut self, code: impl Into<String>) -> Self {
        self.expected_authorization_code = Some(code.into());
        self
    }

    /// Phase 10.6 (M70) wire site. Inert in 10.1.C.
    #[must_use]
    pub fn with_max_age(mut self, max_age: i64) -> Self {
        self.max_age = Some(max_age);
        self
    }

    /// Phase 10.7 (M71) wire site. Inert in 10.1.C.
    #[must_use]
    pub fn with_acr_values(mut self, acr_values: Vec<String>) -> Self {
        self.acr_values = Some(acr_values);
        self
    }
}