Skip to main content

rmcp_server_kit/
auth.rs

1//! Authentication middleware for MCP servers.
2//!
3//! Supports multiple authentication methods tried in priority order:
4//! 1. mTLS client certificate (if configured and peer cert present)
5//! 2. Bearer token (API key) with Argon2id hash verification
6//!
7//! Includes per-source-IP rate limiting on authentication attempts.
8
9use std::{
10    collections::HashSet,
11    net::{IpAddr, SocketAddr},
12    num::NonZeroU32,
13    path::PathBuf,
14    sync::{
15        Arc, LazyLock, Mutex,
16        atomic::{AtomicU64, Ordering},
17    },
18    time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24    body::Body,
25    extract::ConnectInfo,
26    http::{Request, header},
27    middleware::Next,
28    response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37/// Identity of an authenticated caller.
38///
39/// The [`Debug`] impl is **manually written** to redact the raw bearer token
40/// and the JWT `sub` claim. This prevents accidental disclosure if an
41/// `AuthIdentity` is ever logged via `tracing::debug!(?identity, …)` or
42/// `format!("{identity:?}")`. Only `name`, `role`, and `method` are printed
43/// in the clear; `raw_token` and `sub` are rendered as `<redacted>` /
44/// `<present>` / `<none>` markers.
45#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48    /// Human-readable identity name (e.g. API key label or cert CN).
49    pub name: String,
50    /// RBAC role associated with this identity.
51    pub role: String,
52    /// Which authentication mechanism produced this identity.
53    pub method: AuthMethod,
54    /// Raw bearer token from the `Authorization` header, wrapped in
55    /// [`SecretString`] so it is never accidentally logged or serialized.
56    /// Present for OAuth JWT; `None` for mTLS and API-key auth.
57    /// Tool handlers use this for downstream token passthrough via
58    /// [`crate::rbac::current_token`].
59    pub raw_token: Option<SecretString>,
60    /// JWT `sub` claim (stable user identifier, e.g. Keycloak UUID).
61    /// Used for token store keying. `None` for non-JWT auth.
62    pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66    /// Redacts `raw_token` and `sub` to prevent secret leakage via
67    /// `format!("{:?}")` or `tracing::debug!(?identity)`.
68    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69        f.debug_struct("AuthIdentity")
70            .field("name", &self.name)
71            .field("role", &self.role)
72            .field("method", &self.method)
73            .field(
74                "raw_token",
75                &if self.raw_token.is_some() {
76                    "<redacted>"
77                } else {
78                    "<none>"
79                },
80            )
81            .field(
82                "sub",
83                &if self.sub.is_some() {
84                    "<redacted>"
85                } else {
86                    "<none>"
87                },
88            )
89            .finish()
90    }
91}
92
93/// How the caller authenticated.
94#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97    /// Bearer API key (Argon2id-hashed, configured statically).
98    BearerToken,
99    /// Mutual TLS client certificate.
100    MtlsCertificate,
101    /// OAuth 2.1 JWT bearer token (validated via JWKS).
102    OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107    MissingCredential,
108    InvalidCredential,
109    #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110    ExpiredCredential,
111    /// Source IP exceeded the post-failure backoff limit.
112    RateLimited,
113    /// Source IP exceeded the pre-auth abuse gate (rejected before any
114    /// password-hash work — see [`AuthState::pre_auth_limiter`]).
115    PreAuthGate,
116}
117
118impl AuthFailureClass {
119    fn as_str(self) -> &'static str {
120        match self {
121            Self::MissingCredential => "missing_credential",
122            Self::InvalidCredential => "invalid_credential",
123            Self::ExpiredCredential => "expired_credential",
124            Self::RateLimited => "rate_limited",
125            Self::PreAuthGate => "pre_auth_gate",
126        }
127    }
128
129    fn bearer_error(self) -> (&'static str, &'static str) {
130        match self {
131            Self::MissingCredential => (
132                "invalid_request",
133                "missing bearer token or mTLS client certificate",
134            ),
135            Self::InvalidCredential => ("invalid_token", "token is invalid"),
136            Self::ExpiredCredential => ("invalid_token", "token is expired"),
137            Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138            Self::PreAuthGate => (
139                "invalid_request",
140                "too many unauthenticated requests from this source",
141            ),
142        }
143    }
144
145    fn response_body(self) -> &'static str {
146        match self {
147            Self::MissingCredential => "unauthorized: missing credential",
148            Self::InvalidCredential => "unauthorized: invalid credential",
149            Self::ExpiredCredential => "unauthorized: expired credential",
150            Self::RateLimited => "rate limited",
151            Self::PreAuthGate => "rate limited (pre-auth)",
152        }
153    }
154}
155
156/// Snapshot of authentication success/failure counters.
157#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160    /// Successful mTLS authentications.
161    pub success_mtls: u64,
162    /// Successful bearer-token authentications.
163    pub success_bearer: u64,
164    /// Successful OAuth JWT authentications.
165    pub success_oauth_jwt: u64,
166    /// Failures because no credential was presented.
167    pub failure_missing_credential: u64,
168    /// Failures because the credential was malformed or wrong.
169    pub failure_invalid_credential: u64,
170    /// Failures because the credential had expired.
171    pub failure_expired_credential: u64,
172    /// Failures because the source IP was rate-limited (post-failure backoff).
173    pub failure_rate_limited: u64,
174    /// Failures because the source IP exceeded the pre-auth abuse gate.
175    /// These never reach the password-hash verification path.
176    pub failure_pre_auth_gate: u64,
177}
178
179/// Internal atomic counters backing [`AuthCountersSnapshot`].
180#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182    success_mtls: AtomicU64,
183    success_bearer: AtomicU64,
184    success_oauth_jwt: AtomicU64,
185    failure_missing_credential: AtomicU64,
186    failure_invalid_credential: AtomicU64,
187    failure_expired_credential: AtomicU64,
188    failure_rate_limited: AtomicU64,
189    failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193    fn record_success(&self, method: AuthMethod) {
194        match method {
195            AuthMethod::MtlsCertificate => {
196                self.success_mtls.fetch_add(1, Ordering::Relaxed);
197            }
198            AuthMethod::BearerToken => {
199                self.success_bearer.fetch_add(1, Ordering::Relaxed);
200            }
201            AuthMethod::OAuthJwt => {
202                self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203            }
204        }
205    }
206
207    fn record_failure(&self, class: AuthFailureClass) {
208        match class {
209            AuthFailureClass::MissingCredential => {
210                self.failure_missing_credential
211                    .fetch_add(1, Ordering::Relaxed);
212            }
213            AuthFailureClass::InvalidCredential => {
214                self.failure_invalid_credential
215                    .fetch_add(1, Ordering::Relaxed);
216            }
217            AuthFailureClass::ExpiredCredential => {
218                self.failure_expired_credential
219                    .fetch_add(1, Ordering::Relaxed);
220            }
221            AuthFailureClass::RateLimited => {
222                self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223            }
224            AuthFailureClass::PreAuthGate => {
225                self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226            }
227        }
228    }
229
230    fn snapshot(&self) -> AuthCountersSnapshot {
231        AuthCountersSnapshot {
232            success_mtls: self.success_mtls.load(Ordering::Relaxed),
233            success_bearer: self.success_bearer.load(Ordering::Relaxed),
234            success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235            failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236            failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237            failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238            failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239            failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240        }
241    }
242}
243
244/// RFC 3339 timestamp, parsed at deserialization time.
245///
246/// Use this for any public field that needs to carry an RFC 3339 timestamp from
247/// TOML/JSON config or builder APIs. Construction is fallible (`parse`); once
248/// constructed the value is guaranteed to be a real RFC 3339 timestamp with a
249/// known offset, so downstream code does not need to handle parse errors.
250///
251/// Wraps [`chrono::DateTime<chrono::FixedOffset>`]; the underlying value is
252/// available via [`Self::as_datetime`] or [`Self::into_inner`]. `Serialize`
253/// emits the canonical RFC 3339 form via [`chrono::DateTime::to_rfc3339`], so
254/// the on-the-wire format for `ApiKeySummary` (admin endpoints) is unchanged.
255#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260    /// Parse an RFC 3339 timestamp.
261    ///
262    /// # Errors
263    ///
264    /// Returns the underlying [`chrono::ParseError`] when `s` is not a valid
265    /// RFC 3339 timestamp (e.g. missing the `T` separator, missing the offset
266    /// suffix, or out-of-range fields).
267    pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268        chrono::DateTime::parse_from_rfc3339(s).map(Self)
269    }
270
271    /// Borrow the underlying [`chrono::DateTime`].
272    #[must_use]
273    pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274        &self.0
275    }
276
277    /// Consume the wrapper and return the underlying [`chrono::DateTime`].
278    #[must_use]
279    pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280        self.0
281    }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286        // Canonical RFC 3339 form; matches the deserialization input contract.
287        write!(f, "{}", self.0.to_rfc3339())
288    }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293        // Render as the canonical RFC 3339 string (not chrono's internal
294        // debug form) so existing `ApiKeyEntry` Debug-redaction tests --
295        // which look for the literal `"2030-01-01T00:00:00Z"` form in the
296        // formatted output -- continue to hold without bespoke handling.
297        write!(f, "{}", self.0.to_rfc3339())
298    }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303    where
304        D: serde::Deserializer<'de>,
305    {
306        // Validate at deserialization time: a malformed `expires_at` in
307        // TOML or JSON aborts config load with a clear serde error rather
308        // than silently producing a key that fails open at runtime.
309        let s = String::deserialize(deserializer)?;
310        Self::parse(&s).map_err(serde::de::Error::custom)
311    }
312}
313
314impl serde::Serialize for RfcTimestamp {
315    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316    where
317        S: serde::Serializer,
318    {
319        serializer.serialize_str(&self.0.to_rfc3339())
320    }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324    fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325        Self(value)
326    }
327}
328
329/// A single API key entry (stored as Argon2id hash in config).
330///
331/// The [`Debug`] impl is **manually written** to redact the Argon2id hash.
332/// Although the hash is not directly reversible, treating it as a secret
333/// prevents offline brute-force attempts from leaked logs and matches the
334/// defense-in-depth posture used for [`AuthIdentity`].
335#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338    /// Human-readable key label (used in logs and audit records).
339    pub name: String,
340    /// Argon2id hash of the token (PHC string format).
341    pub hash: String,
342    /// RBAC role granted when this key authenticates successfully.
343    pub role: String,
344    /// Optional expiry, parsed from an RFC 3339 string at deserialization
345    /// time. Construction from a raw string is fallible (see
346    /// [`RfcTimestamp::parse`] and [`ApiKeyEntry::try_with_expiry`]),
347    /// which guarantees `verify_bearer_token` never sees a malformed value.
348    pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352    /// Redacts the Argon2id `hash` to keep it out of logs, panic backtraces,
353    /// and admin-endpoint responses that might `format!("{:?}", …)` an entry.
354    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355        f.debug_struct("ApiKeyEntry")
356            .field("name", &self.name)
357            .field("hash", &"<redacted>")
358            .field("role", &self.role)
359            .field("expires_at", &self.expires_at)
360            .finish()
361    }
362}
363
364impl ApiKeyEntry {
365    /// Create a new API key entry (no expiry).
366    #[must_use]
367    pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368        Self {
369            name: name.into(),
370            hash: hash.into(),
371            role: role.into(),
372            expires_at: None,
373        }
374    }
375
376    /// Set an RFC 3339 expiry on this key.
377    ///
378    /// Takes an already-parsed [`RfcTimestamp`]; for ergonomic construction
379    /// from a raw string see [`Self::try_with_expiry`].
380    #[must_use]
381    pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382        self.expires_at = Some(expires_at);
383        self
384    }
385
386    /// Set an RFC 3339 expiry on this key from a raw string.
387    ///
388    /// # Errors
389    ///
390    /// Returns the underlying [`chrono::ParseError`] when `expires_at` is
391    /// not a valid RFC 3339 timestamp. This is the fallible counterpart to
392    /// [`Self::with_expiry`].
393    pub fn try_with_expiry(
394        mut self,
395        expires_at: impl AsRef<str>,
396    ) -> Result<Self, chrono::ParseError> {
397        self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398        Ok(self)
399    }
400}
401
402/// mTLS client certificate authentication configuration.
403#[derive(Debug, Clone, Deserialize)]
404#[allow(
405    clippy::struct_excessive_bools,
406    reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410    /// Path to CA certificate(s) for verifying client certs (PEM format).
411    pub ca_cert_path: PathBuf,
412    /// If true, clients MUST present a valid certificate.
413    /// If false, client certs are optional (verified if presented).
414    #[serde(default)]
415    pub required: bool,
416    /// Default RBAC role for mTLS-authenticated clients.
417    /// The client cert CN becomes the identity name.
418    #[serde(default = "default_mtls_role")]
419    pub default_role: String,
420    /// Enable CRL-based certificate revocation checks using CDP URLs from the
421    /// configured CA chain and connecting client certificates.
422    #[serde(default = "default_true")]
423    pub crl_enabled: bool,
424    /// Optional fixed refresh interval for known CRLs. When omitted, refresh
425    /// cadence is derived from `nextUpdate` and clamped internally.
426    #[serde(default, with = "humantime_serde::option")]
427    pub crl_refresh_interval: Option<Duration>,
428    /// Timeout for individual CRL fetches.
429    #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430    pub crl_fetch_timeout: Duration,
431    /// Grace window during which stale CRLs may still be used when refresh
432    /// attempts fail.
433    #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434    pub crl_stale_grace: Duration,
435    /// When true, missing or unavailable CRLs cause revocation checks to fail
436    /// closed.
437    #[serde(default)]
438    pub crl_deny_on_unavailable: bool,
439    /// When true, apply revocation checks only to the end-entity certificate.
440    #[serde(default)]
441    pub crl_end_entity_only: bool,
442    /// Allow HTTP CRL distribution-point URLs in addition to HTTPS.
443    ///
444    /// Defaults to `true` because RFC 5280 §4.2.1.13 designates HTTP (and
445    /// LDAP) as the canonical transport for CRL distribution points.
446    /// SSRF defense for HTTP CDPs is provided by the IP-allowlist guard
447    /// (private/loopback/link-local/multicast/cloud-metadata addresses are
448    /// always rejected), redirect=none, body-size cap, and per-host
449    /// concurrency limit -- not by forcing HTTPS.
450    #[serde(default = "default_true")]
451    pub crl_allow_http: bool,
452    /// Enforce CRL expiration during certificate validation.
453    #[serde(default = "default_true")]
454    pub crl_enforce_expiration: bool,
455    /// Maximum concurrent CRL fetches across all hosts. Defense in depth
456    /// against SSRF amplification: even if many CDPs are discovered, no
457    /// more than this many fetches run in parallel. Per-host concurrency
458    /// is independently capped at 1 regardless of this value.
459    /// Default: `4`.
460    #[serde(default = "default_crl_max_concurrent_fetches")]
461    pub crl_max_concurrent_fetches: usize,
462    /// Hard cap on each CRL response body in bytes. Fetches exceeding this
463    /// are aborted mid-stream to bound memory and prevent gzip-bomb-style
464    /// amplification. Default: 5 MiB (`5 * 1024 * 1024`).
465    #[serde(default = "default_crl_max_response_bytes")]
466    pub crl_max_response_bytes: u64,
467    /// Global CDP discovery rate limit, in URLs per minute. Throttles
468    /// how many *new* CDP URLs the verifier may admit into the fetch
469    /// pipeline across the whole process, bounding asymmetric `DoS`
470    /// amplification when attacker-controlled certificates carry large
471    /// CDP lists. The limit is global (not per-source-IP) in this
472    /// release; per-IP scoping is deferred to a future version because
473    /// it requires plumbing the peer `SocketAddr` through the rustls
474    /// verifier hook (a different subsystem than ordinary request
475    /// middleware). Note: the **bearer pre-auth limiter** that gates
476    /// API-key / OAuth `Authorization` headers is already per-IP — see
477    /// [`RateLimitConfig::pre_auth_max_per_minute`] and the keyed
478    /// governor built by `build_pre_auth_limiter`. URLs that lose the
479    /// rate-limiter race are *not* marked as seen, so subsequent
480    /// handshakes observing the same URL can retry admission.
481    /// Default: `60`.
482    #[serde(default = "default_crl_discovery_rate_per_min")]
483    pub crl_discovery_rate_per_min: u32,
484    /// Maximum number of distinct hosts that may hold a CRL fetch
485    /// semaphore at any time. At the cap, idle entries (no in-flight
486    /// fetch) are evicted on demand so new hosts keep working; only when
487    /// every entry has a concurrent in-flight fetch does the request
488    /// return [`McpxError::Config`] containing the literal substring
489    /// `"crl_host_semaphore_cap_exceeded"`. Bounds memory growth from
490    /// attacker-controlled CDP URLs pointing at unique hostnames.
491    /// Default: 1024.
492    #[serde(default = "default_crl_max_host_semaphores")]
493    pub crl_max_host_semaphores: usize,
494    /// Maximum number of distinct URLs tracked in the "seen" set.
495    /// Beyond this, additional discovered URLs are silently dropped
496    /// with a rate-limited warn! log; no error surfaces. Default: 4096.
497    #[serde(default = "default_crl_max_seen_urls")]
498    pub crl_max_seen_urls: usize,
499    /// Maximum number of cached CRL entries. Beyond this, new
500    /// successful fetches are silently dropped with a rate-limited
501    /// warn! log (newest-rejected, not LRU-evicted). Default: 1024.
502    #[serde(default = "default_crl_max_cache_entries")]
503    pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507    "viewer".into()
508}
509
510const fn default_true() -> bool {
511    true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515    Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519    Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523    4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527    5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531    60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535    1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539    4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543    1024
544}
545
546/// Rate limiting configuration for authentication attempts.
547///
548/// rmcp-server-kit uses two independent per-IP token-bucket limiters for auth:
549///
550/// 1. **Pre-auth abuse gate** ([`Self::pre_auth_max_per_minute`]): consulted
551///    *before* any password-hash work. Throttles unauthenticated traffic from
552///    a single source IP so an attacker cannot pin the CPU on Argon2id by
553///    spraying invalid bearer tokens. Sized generously (default = 10× the
554///    post-failure quota) so legitimate clients are unaffected. mTLS-
555///    authenticated connections bypass this gate entirely (the TLS handshake
556///    already performed expensive crypto with a verified peer).
557/// 2. **Post-failure backoff** ([`Self::max_attempts_per_minute`]): consulted
558///    *after* an authentication attempt fails. Provides explicit backpressure
559///    on bad credentials.
560#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563    /// Maximum failed authentication attempts per source IP per minute.
564    /// Successful authentications do not consume this budget.
565    #[serde(default = "default_max_attempts")]
566    pub max_attempts_per_minute: u32,
567    /// Maximum *unauthenticated* requests per source IP per minute admitted
568    /// to the password-hash verification path. When `None`, defaults to
569    /// `max_attempts_per_minute * 10` at limiter-construction time.
570    ///
571    /// Set higher than [`Self::max_attempts_per_minute`] so honest clients
572    /// retrying with the wrong key never trip this gate; its purpose is only
573    /// to bound CPU usage under spray attacks.
574    #[serde(default)]
575    pub pre_auth_max_per_minute: Option<u32>,
576    /// Hard cap on the number of distinct source IPs tracked per limiter.
577    /// When reached, idle entries are pruned first; if still full, the
578    /// oldest (LRU) entry is evicted to make room for the new one. This
579    /// bounds memory under IP-spray attacks. Default: `10_000`.
580    #[serde(default = "default_max_tracked_keys")]
581    pub max_tracked_keys: usize,
582    /// Per-IP entries idle for longer than this are eligible for
583    /// opportunistic pruning. Default: 15 minutes.
584    #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585    pub idle_eviction: Duration,
586    /// Burst capacity for the post-failure limiter: the maximum number
587    /// of failed attempts admitted back-to-back before the sustained
588    /// `max_attempts_per_minute` rate applies. `None` (default) keeps
589    /// governor's default of burst = rate. Must be greater than zero
590    /// when set. May be smaller than the rate (smoothing) or larger
591    /// (spike tolerance).
592    #[serde(default)]
593    pub burst: Option<u32>,
594    /// Burst capacity for the pre-auth abuse gate. `None` (default)
595    /// keeps burst = the gate's resolved rate. Legal regardless of
596    /// whether [`Self::pre_auth_max_per_minute`] is set — the gate's
597    /// base rate always resolves (`max_attempts_per_minute * 10` when
598    /// unset). Must be greater than zero when set.
599    #[serde(default)]
600    pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604    fn default() -> Self {
605        Self {
606            max_attempts_per_minute: default_max_attempts(),
607            pre_auth_max_per_minute: None,
608            max_tracked_keys: default_max_tracked_keys(),
609            idle_eviction: default_idle_eviction(),
610            burst: None,
611            pre_auth_burst: None,
612        }
613    }
614}
615
616impl RateLimitConfig {
617    /// Create a rate limit config with the given max failed attempts per minute.
618    /// Pre-auth gate defaults to `10x` this value at limiter-construction time.
619    /// Memory-bound defaults are `10_000` tracked keys with 15-minute idle eviction.
620    #[must_use]
621    pub fn new(max_attempts_per_minute: u32) -> Self {
622        Self {
623            max_attempts_per_minute,
624            ..Self::default()
625        }
626    }
627
628    /// Override the pre-auth abuse-gate quota (per source IP per minute).
629    /// When unset, defaults to `max_attempts_per_minute * 10`.
630    #[must_use]
631    pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632        self.pre_auth_max_per_minute = Some(quota);
633        self
634    }
635
636    /// Override the per-limiter cap on tracked source-IP keys (default `10_000`).
637    #[must_use]
638    pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639        self.max_tracked_keys = max;
640        self
641    }
642
643    /// Override the idle-eviction window (default 15 minutes).
644    #[must_use]
645    pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646        self.idle_eviction = idle;
647        self
648    }
649
650    /// Set the burst capacity for the post-failure limiter. Must be
651    /// greater than zero (validated at server-config validation time).
652    #[must_use]
653    pub fn with_burst(mut self, burst: u32) -> Self {
654        self.burst = Some(burst);
655        self
656    }
657
658    /// Set the burst capacity for the pre-auth abuse gate. Must be
659    /// greater than zero (validated at server-config validation time).
660    #[must_use]
661    pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662        self.pre_auth_burst = Some(burst);
663        self
664    }
665}
666
667fn default_max_attempts() -> u32 {
668    30
669}
670
671fn default_max_tracked_keys() -> usize {
672    10_000
673}
674
675fn default_idle_eviction() -> Duration {
676    Duration::from_mins(15)
677}
678
679/// Authentication configuration.
680#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683    /// Master switch - when false, all requests are allowed through.
684    #[serde(default)]
685    pub enabled: bool,
686    /// Bearer token API keys.
687    #[serde(default)]
688    pub api_keys: Vec<ApiKeyEntry>,
689    /// mTLS client certificate authentication.
690    pub mtls: Option<MtlsConfig>,
691    /// Rate limiting for auth attempts.
692    pub rate_limit: Option<RateLimitConfig>,
693    /// OAuth 2.1 JWT bearer token authentication.
694    #[cfg(feature = "oauth")]
695    pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699    /// Create an enabled auth config with the given API keys.
700    #[must_use]
701    pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702        Self {
703            enabled: true,
704            api_keys: keys,
705            mtls: None,
706            rate_limit: None,
707            #[cfg(feature = "oauth")]
708            oauth: None,
709        }
710    }
711
712    /// Set rate limiting on this auth config.
713    #[must_use]
714    pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715        self.rate_limit = Some(rate_limit);
716        self
717    }
718}
719
720/// Summary of a single API key suitable for admin endpoints.
721///
722/// Intentionally omits the Argon2id hash - only metadata is exposed.
723#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726    /// Human-readable key label.
727    pub name: String,
728    /// RBAC role granted when this key authenticates.
729    pub role: String,
730    /// Optional RFC 3339 expiry timestamp. Serialized as a canonical
731    /// RFC 3339 string so the admin-endpoint wire format is preserved.
732    pub expires_at: Option<RfcTimestamp>,
733}
734
735/// Snapshot of the enabled authentication methods for admin endpoints.
736#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738    clippy::struct_excessive_bools,
739    reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743    /// Master enabled flag from config.
744    pub enabled: bool,
745    /// Whether API-key bearer auth is configured.
746    pub bearer: bool,
747    /// Whether mTLS client auth is configured.
748    pub mtls: bool,
749    /// Whether OAuth JWT validation is configured.
750    pub oauth: bool,
751    /// Current API-key list (no hashes).
752    pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756    /// Produce a hash-free summary of the auth config for admin endpoints.
757    #[must_use]
758    pub fn summary(&self) -> AuthConfigSummary {
759        AuthConfigSummary {
760            enabled: self.enabled,
761            bearer: !self.api_keys.is_empty(),
762            mtls: self.mtls.is_some(),
763            #[cfg(feature = "oauth")]
764            oauth: self.oauth.is_some(),
765            #[cfg(not(feature = "oauth"))]
766            oauth: false,
767            api_keys: self
768                .api_keys
769                .iter()
770                .map(|k| ApiKeySummary {
771                    name: k.name.clone(),
772                    role: k.role.clone(),
773                    expires_at: k.expires_at,
774                })
775                .collect(),
776        }
777    }
778}
779
780/// Keyed rate limiter type (per source IP). Memory-bounded by
781/// [`RateLimitConfig::max_tracked_keys`] to defend against IP-spray `DoS`.
782pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784/// Connection info for TLS connections, carrying the peer socket address
785/// and (when mTLS is configured) the verified client identity extracted
786/// from the peer certificate during the TLS handshake.
787///
788/// Defined as a local type so we can implement axum's `Connected` trait
789/// for our custom `TlsListener` without orphan rule issues. The `identity`
790/// field travels with the connection itself (via the wrapping IO type),
791/// so there is no shared map to race against, no port-reuse aliasing, and
792/// no eviction policy to maintain.
793#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796    /// Remote peer socket address.
797    pub addr: SocketAddr,
798    /// Verified mTLS client identity, if a client certificate was presented
799    /// and successfully extracted during the TLS handshake.
800    pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804    /// Construct a new [`TlsConnInfo`].
805    #[must_use]
806    pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807        Self { addr, identity }
808    }
809}
810
811/// Default hard cap on the number of distinct authenticated identities
812/// remembered by [`SeenIdentitySet`].
813///
814/// Sized to comfortably exceed realistic identity churn for an MCP server
815/// while bounding worst-case memory at roughly `4096 * avg_name_len`
816/// (~256 KiB at 64-byte names). Honest clients will never trigger eviction;
817/// hostile churn (rotating mTLS subjects or OAuth `sub` values) is bounded.
818const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820/// Bounded set tracking which authenticated identities have already been
821/// logged at INFO level (subsequent auths fall back to DEBUG).
822///
823/// # Why bounded?
824///
825/// `id.name` is attacker-influenced under mTLS (SAN/CN) and OAuth (`sub`).
826/// An unbounded [`std::collections::HashSet`] would grow with churn,
827/// producing both a slow memory leak and unbounded log-cardinality
828/// downstream (Loki/ES). The cap follows the same trade-off documented in
829/// [`crate::bounded_limiter`]: when an evicted identity reappears it
830/// re-fires INFO once. This is acceptable for diagnostic logging.
831///
832/// # Concurrency
833///
834/// Uses [`std::sync::Mutex`] because [`Self::insert_is_first`] is purely
835/// synchronous and the critical section never `.await`s. The mutex is
836/// poison-tolerant: a poisoned set is still logically consistent
837/// (only writer is `insert_is_first`, which performs an atomic insert
838/// + bounded eviction; no torn invariants are possible).
839pub(crate) struct SeenIdentitySet {
840    inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844    set: HashSet<String>,
845    /// Insertion-order FIFO used for bounded eviction. Tracking strict LRU
846    /// would require touching the queue on every hit (under the mutex);
847    /// FIFO is sufficient because the contract only promises "bounded
848    /// memory", not "remember the most recently seen identities".
849    order: std::collections::VecDeque<String>,
850    cap: usize,
851}
852
853impl SeenIdentitySet {
854    /// Construct with the default cap of [`DEFAULT_SEEN_IDENTITY_CAP`].
855    #[must_use]
856    pub(crate) fn new() -> Self {
857        Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858    }
859
860    /// Construct with an explicit cap. A `cap` of `0` is silently raised
861    /// to `1` to keep the invariant `set.len() <= cap` non-vacuous.
862    #[must_use]
863    pub(crate) fn with_cap(cap: usize) -> Self {
864        let cap = cap.max(1);
865        Self {
866            inner: Mutex::new(SeenInner {
867                set: HashSet::with_capacity(cap.min(64)),
868                order: std::collections::VecDeque::with_capacity(cap.min(64)),
869                cap,
870            }),
871        }
872    }
873
874    /// Insert `name`. Returns `true` if this is the first time `name` was
875    /// inserted (or it was previously evicted and reinserted), `false`
876    /// if it was already present.
877    ///
878    /// When the cap is reached, the oldest inserted entry is evicted to
879    /// make room. Eviction never blocks the caller.
880    pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881        // SAFETY: the only writer is this method; a poisoned set remains
882        // logically consistent (atomic insert + bounded eviction preserve
883        // the `set.len() <= cap` invariant). Continuing past poison only
884        // affects diagnostic logging granularity, not correctness or
885        // security.
886        let mut guard = self
887            .inner
888            .lock()
889            .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891        if guard.set.contains(name) {
892            return false;
893        }
894        // Cap enforcement: evict-then-insert keeps the invariant
895        // `set.len() <= cap` even when the cap is `1`.
896        if guard.set.len() >= guard.cap
897            && let Some(evicted) = guard.order.pop_front()
898        {
899            guard.set.remove(&evicted);
900        }
901        let owned = name.to_owned();
902        guard.set.insert(owned.clone());
903        guard.order.push_back(owned);
904        true
905    }
906
907    /// Test-only snapshot of the current size.
908    #[cfg(test)]
909    pub(crate) fn len(&self) -> usize {
910        self.inner
911            .lock()
912            .unwrap_or_else(std::sync::PoisonError::into_inner)
913            .set
914            .len()
915    }
916}
917
918impl Default for SeenIdentitySet {
919    fn default() -> Self {
920        Self::new()
921    }
922}
923
924/// Shared state for the auth middleware.
925///
926/// `api_keys` uses [`ArcSwap`] so the SIGHUP handler can atomically
927/// swap in a new key list without blocking in-flight requests.
928#[allow(
929    missing_debug_implementations,
930    reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934    /// Active set of API keys (hot-swappable).
935    pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936    /// Optional per-IP post-failure rate limiter (consulted *after* auth fails).
937    pub rate_limiter: Option<Arc<KeyedLimiter>>,
938    /// Optional per-IP pre-auth abuse gate (consulted *before* password-hash work).
939    /// mTLS-authenticated connections bypass this gate.
940    pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941    #[cfg(feature = "oauth")]
942    /// Optional JWKS cache for OAuth JWT validation.
943    pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944    /// Tracks identity names that have already been logged at INFO level.
945    /// Subsequent auths for the same identity are logged at DEBUG.
946    /// Bounded to prevent attacker-driven memory growth via churned
947    /// mTLS subjects or OAuth `sub` claims (see [`SeenIdentitySet`]).
948    pub seen_identities: SeenIdentitySet,
949    /// Lightweight in-memory auth success/failure counters for diagnostics.
950    pub counters: AuthCounters,
951}
952
953impl AuthState {
954    /// Atomically replace the API key list (lock-free, wait-free).
955    ///
956    /// New requests immediately see the updated keys.
957    /// In-flight requests that already loaded the old list finish
958    /// using it -- no torn reads.
959    pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960        let count = keys.len();
961        self.api_keys.store(Arc::new(keys));
962        tracing::info!(keys = count, "API keys reloaded");
963    }
964
965    /// Snapshot auth counters for diagnostics and tests.
966    #[must_use]
967    pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968        self.counters.snapshot()
969    }
970
971    /// Produce the admin-endpoint list of API keys (metadata only, no hashes).
972    #[must_use]
973    pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974        self.api_keys
975            .load()
976            .iter()
977            .map(|k| ApiKeySummary {
978                name: k.name.clone(),
979                role: k.role.clone(),
980                expires_at: k.expires_at,
981            })
982            .collect()
983    }
984
985    /// Log auth success: INFO on first occurrence per identity, DEBUG after.
986    ///
987    /// Backed by [`SeenIdentitySet`], a bounded FIFO set that caps
988    /// retained identities to prevent attacker-driven memory growth.
989    /// FIFO (not LRU) is intentional: this cache de-duplicates INFO logs,
990    /// not security state, so per-hit eviction-order mutation is not
991    /// justified. See [`SeenIdentitySet`] for the full trade-off rationale.
992    fn log_auth(&self, id: &AuthIdentity, method: &str) {
993        self.counters.record_success(id.method);
994        let first = self.seen_identities.insert_is_first(&id.name);
995        if first {
996            tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997        } else {
998            tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999        }
1000    }
1001}
1002
1003/// Default auth rate limit: 30 attempts per minute per source IP.
1004// SAFETY: unwrap() is safe - literal 30 is provably non-zero (const-evaluated).
1005const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007/// Apply an optional burst capacity to a quota. `None` keeps governor's
1008/// default (burst = rate). Zero values are rejected at config-validation
1009/// time; the `NonZeroU32` filter here is defensive only.
1010fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011    match burst.and_then(NonZeroU32::new) {
1012        Some(b) => quota.allow_burst(b),
1013        None => quota,
1014    }
1015}
1016
1017/// Create a post-failure rate limiter from config.
1018#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020    let quota = governor::Quota::per_minute(
1021        NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022    );
1023    let quota = apply_burst(quota, config.burst);
1024    Arc::new(BoundedKeyedLimiter::new(
1025        quota,
1026        config.max_tracked_keys,
1027        config.idle_eviction,
1028    ))
1029}
1030
1031/// Create a pre-auth abuse-gate rate limiter from config.
1032///
1033/// Quota: `pre_auth_max_per_minute` if set, otherwise
1034/// `max_attempts_per_minute * 10` (capped at `u32::MAX`). The 10× factor
1035/// keeps the gate generous enough for honest retries while still bounding
1036/// attacker CPU on Argon2 verification.
1037#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039    let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040        config
1041            .max_attempts_per_minute
1042            .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043    });
1044    let quota =
1045        governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046    let quota = apply_burst(quota, config.pre_auth_burst);
1047    Arc::new(BoundedKeyedLimiter::new(
1048        quota,
1049        config.max_tracked_keys,
1050        config.idle_eviction,
1051    ))
1052}
1053
1054/// Default multiplier applied to `max_attempts_per_minute` when the operator
1055/// does not set `pre_auth_max_per_minute` explicitly.
1056const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058/// Default pre-auth abuse-gate rate (used only if both the configured value
1059/// and the multiplied fallback are zero, which `NonZeroU32::new` rejects).
1060// SAFETY: unwrap() is safe - literal 300 is provably non-zero (const-evaluated).
1061const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063/// Parse an mTLS client certificate and extract an `AuthIdentity`.
1064///
1065/// Reads the Subject CN as the identity name. Falls back to the first
1066/// DNS SAN if CN is absent. The role is taken from the `MtlsConfig`.
1067#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069    let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071    // Try CN from Subject first.
1072    let cn = cert
1073        .subject()
1074        .iter_common_name()
1075        .next()
1076        .and_then(|attr| attr.as_str().ok())
1077        .map(String::from);
1078
1079    // Fall back to first DNS SAN.
1080    let name = cn.or_else(|| {
1081        cert.subject_alternative_name()
1082            .ok()
1083            .flatten()
1084            .and_then(|san| {
1085                #[allow(
1086                    clippy::wildcard_enum_match_arm,
1087                    reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088                )]
1089                san.value.general_names.iter().find_map(|gn| match gn {
1090                    GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091                    _ => None,
1092                })
1093            })
1094    })?;
1095
1096    // Reject identities with characters unsafe for logging and RBAC matching.
1097    if !name
1098        .chars()
1099        .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100    {
1101        tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102        return None;
1103    }
1104
1105    Some(AuthIdentity {
1106        name,
1107        role: default_role.to_owned(),
1108        method: AuthMethod::MtlsCertificate,
1109        raw_token: None,
1110        sub: None,
1111    })
1112}
1113
1114/// Extract the bearer token from an `Authorization` header value.
1115///
1116/// Implements RFC 7235 §2.1: the auth-scheme token is **case-insensitive**.
1117/// `Bearer`, `bearer`, `BEARER`, and `BeArEr` all parse equivalently. Any
1118/// leading whitespace between the scheme and the token is trimmed (per
1119/// RFC 7235 the separator is one or more SP characters; we accept the
1120/// common single-space form plus tolerate extras).
1121///
1122/// Returns `None` if the header value:
1123/// - does not contain a space (no scheme/credentials boundary), or
1124/// - uses a scheme other than `Bearer` (case-insensitively).
1125///
1126/// The caller is responsible for token-level validation (length, charset,
1127/// signature, etc.); this helper only handles the scheme prefix.
1128fn extract_bearer(value: &str) -> Option<&str> {
1129    let (scheme, rest) = value.split_once(' ')?;
1130    if scheme.eq_ignore_ascii_case("Bearer") {
1131        let token = rest.trim_start_matches(' ');
1132        if token.is_empty() { None } else { Some(token) }
1133    } else {
1134        None
1135    }
1136}
1137
1138/// Verify a bearer token against configured API keys.
1139///
1140/// Argon2id verification is CPU-intensive, so this should be called via
1141/// `spawn_blocking`. Returns the matching identity if the token is valid.
1142///
1143/// # Timing-side-channel resistance
1144///
1145/// Always performs **exactly one Argon2id verification per configured key**,
1146/// regardless of:
1147///
1148/// * which slot (if any) matches the presented token, or
1149/// * whether a key has expired.
1150///
1151/// Expired and post-match slots are verified against an internal dummy PHC hash,
1152/// a fixed Argon2id PHC string with the same cost parameters as the real
1153/// hashes. This bounds the timing observable to "one Argon2 per configured
1154/// key" regardless of which (if any) slot held the matching credential,
1155/// closing the first-match latency oracle (CWE-208) and the expired-slot
1156/// timing leak.
1157///
1158/// `subtle::ConstantTimeEq` is used to fold per-slot match bits into the
1159/// final result so the compiler cannot reintroduce a data-dependent branch.
1160///
1161/// # Panics
1162///
1163/// Panics if the internal dummy PHC hash cannot be parsed as an Argon2id PHC string.
1164/// This is impossible by construction: the static is generated by
1165/// [`argon2::Argon2::hash_password`] which always emits a valid PHC string.
1166#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168    use subtle::ConstantTimeEq as _;
1169
1170    let now = chrono::Utc::now();
1171    #[allow(
1172        clippy::expect_used,
1173        reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174    )]
1175    let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176        .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178    let mut matched_index: usize = usize::MAX;
1179    let mut any_match: u8 = 0;
1180
1181    for (idx, key) in keys.iter().enumerate() {
1182        let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184        let real_hash = PasswordHash::new(&key.hash);
1185        let verify_against = match (&real_hash, expired, any_match) {
1186            (Ok(h), false, 0) => h,
1187            _ => &dummy_hash,
1188        };
1189
1190        let slot_ok = u8::from(
1191            Argon2::default()
1192                .verify_password(token.as_bytes(), verify_against)
1193                .is_ok(),
1194        );
1195
1196        let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197        let first_real_match = real_match & (1 - any_match);
1198        if first_real_match.ct_eq(&1).into() {
1199            matched_index = idx;
1200        }
1201        any_match |= real_match;
1202    }
1203
1204    if any_match == 0 {
1205        return None;
1206    }
1207    let key = keys.get(matched_index)?;
1208    Some(AuthIdentity {
1209        name: key.name.clone(),
1210        role: key.role.clone(),
1211        method: AuthMethod::BearerToken,
1212        raw_token: None,
1213        sub: None,
1214    })
1215}
1216
1217/// Fixed Argon2id PHC hash used as a constant-time placeholder when an
1218/// API-key slot is expired, malformed, or follows the matching slot.
1219///
1220/// Generated once on first access using the same default Argon2 cost
1221/// parameters as live verifications, so the dummy verify takes
1222/// indistinguishable wall time from a real one. The plaintext
1223/// (`"rmcp-server-kit-dummy"`) and the fixed salt are unrelated to any
1224/// real credential — randomness is unnecessary because this hash is
1225/// only ever compared against attacker-supplied input on slots that
1226/// will be discarded regardless of match result. Using a fixed salt
1227/// avoids depending on `rand_core`'s `getrandom` feature, which is not
1228/// activated transitively in every feature configuration of this crate.
1229static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230    // 16 bytes of base64 (`AAAA...`) — minimum valid Argon2 salt length.
1231    #[allow(
1232        clippy::expect_used,
1233        reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234    )]
1235    let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236        .expect("fixed 16-byte base64 salt is well-formed");
1237    #[allow(
1238        clippy::expect_used,
1239        reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240    )]
1241    Argon2::default()
1242        .hash_password(b"rmcp-server-kit-dummy", &salt)
1243        .expect("Argon2 default params hash a fixed plaintext")
1244        .to_string()
1245});
1246
1247/// Generate a new API key: 256-bit random token + Argon2id hash.
1248///
1249/// Returns `(plaintext_token, argon2id_hash_phc_string)`.
1250/// The plaintext is shown once to the user and never stored.
1251///
1252/// # Errors
1253///
1254/// Returns an error if salt encoding or Argon2id hashing fails
1255/// (should not happen with valid inputs, but we avoid panicking).
1256pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257    let mut token_bytes = [0u8; 32];
1258    rand::fill(&mut token_bytes);
1259    let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261    // Generate 16 random bytes for salt, encode as base64 for SaltString.
1262    let mut salt_bytes = [0u8; 16];
1263    rand::fill(&mut salt_bytes);
1264    let salt = SaltString::encode_b64(&salt_bytes)
1265        .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266    let hash = Argon2::default()
1267        .hash_password(token.as_bytes(), &salt)
1268        .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269        .to_string();
1270
1271    Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275    advertise_resource_metadata: bool,
1276    failure: AuthFailureClass,
1277) -> String {
1278    let (error, error_description) = failure.bearer_error();
1279    if advertise_resource_metadata {
1280        return format!(
1281            "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282        );
1283    }
1284    format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288    match method {
1289        AuthMethod::MtlsCertificate => "mTLS",
1290        AuthMethod::BearerToken => "bearer token",
1291        AuthMethod::OAuthJwt => "OAuth JWT",
1292    }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297    #[cfg(feature = "oauth")]
1298    let advertise_resource_metadata = state.jwks_cache.is_some();
1299    #[cfg(not(feature = "oauth"))]
1300    let advertise_resource_metadata = false;
1301
1302    let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303    (
1304        axum::http::StatusCode::UNAUTHORIZED,
1305        [(header::WWW_AUTHENTICATE, challenge)],
1306        failure_class.response_body(),
1307    )
1308        .into_response()
1309}
1310
1311async fn authenticate_bearer_identity(
1312    state: &AuthState,
1313    token: &str,
1314) -> Result<AuthIdentity, AuthFailureClass> {
1315    let mut failure_class = AuthFailureClass::MissingCredential;
1316
1317    #[cfg(feature = "oauth")]
1318    if let Some(ref cache) = state.jwks_cache
1319        && crate::oauth::looks_like_jwt(token)
1320    {
1321        match cache.validate_token_with_reason(token).await {
1322            Ok(mut id) => {
1323                id.raw_token = Some(SecretString::from(token.to_owned()));
1324                return Ok(id);
1325            }
1326            Err(crate::oauth::JwtValidationFailure::Expired) => {
1327                failure_class = AuthFailureClass::ExpiredCredential;
1328            }
1329            Err(crate::oauth::JwtValidationFailure::Invalid) => {
1330                failure_class = AuthFailureClass::InvalidCredential;
1331            }
1332        }
1333    }
1334
1335    let token = token.to_owned();
1336    let keys = state.api_keys.load_full(); // Arc clone, lock-free
1337
1338    // Argon2id is CPU-bound - offload to blocking thread pool.
1339    let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1340        .await
1341        .ok()
1342        .flatten();
1343
1344    if let Some(id) = identity {
1345        return Ok(id);
1346    }
1347
1348    if failure_class == AuthFailureClass::MissingCredential {
1349        failure_class = AuthFailureClass::InvalidCredential;
1350    }
1351
1352    Err(failure_class)
1353}
1354
1355/// Consult the pre-auth abuse gate for the given peer.
1356///
1357/// Returns `Some(response)` if the request should be rejected (limiter
1358/// configured AND quota exhausted for this source IP). Returns `None`
1359/// otherwise (limiter absent, peer address unknown, or quota available),
1360/// in which case the caller should proceed with credential verification.
1361///
1362/// Side effects on rejection: increments the `pre_auth_gate` failure
1363/// counter and emits a warn-level log. mTLS-authenticated requests must
1364/// be admitted by the caller *before* invoking this helper.
1365fn pre_auth_gate(state: &AuthState, client_ip: Option<IpAddr>) -> Option<Response> {
1366    let limiter = state.pre_auth_limiter.as_ref()?;
1367    let ip = client_ip?;
1368    let Err(wait) = limiter.check_key_wait(&ip) else {
1369        return None;
1370    };
1371    state.counters.record_failure(AuthFailureClass::PreAuthGate);
1372    tracing::warn!(
1373        %ip,
1374        "auth rate limited by pre-auth gate (request rejected before credential verification)"
1375    );
1376    Some(
1377        McpxError::RateLimitedFor {
1378            message: "too many unauthenticated requests from this source".into(),
1379            retry_after: wait,
1380        }
1381        .into_response(),
1382    )
1383}
1384
1385/// Axum middleware that enforces authentication.
1386///
1387/// Tries authentication methods in priority order:
1388/// 1. mTLS client certificate identity (populated by TLS acceptor)
1389/// 2. Bearer token from `Authorization` header
1390///
1391/// Failed authentication attempts are rate-limited per source IP.
1392/// Successful authentications do not consume rate limit budget.
1393pub(crate) async fn auth_middleware(
1394    state: Arc<AuthState>,
1395    req: Request<Body>,
1396    next: Next,
1397) -> Response {
1398    // Extract the mTLS identity from ConnectInfo (TLS / mTLS:
1399    // ConnectInfo<TlsConnInfo> carries the verified identity directly on
1400    // the connection — no shared map, no port-reuse aliasing) and the
1401    // rate-limit key (resolved client IP when trusted-forwarder mode is
1402    // active, else the direct peer; see transport::limiter_client_ip).
1403    let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1404    let client_ip = crate::transport::limiter_client_ip(req.extensions());
1405
1406    // 1. Try mTLS identity (extracted by the TLS acceptor during handshake
1407    //    and attached to the connection itself).
1408    //
1409    //    mTLS connections bypass the pre-auth abuse gate below: the TLS
1410    //    handshake already performed expensive crypto with a verified peer,
1411    //    so we trust them not to be a CPU-spray attacker.
1412    if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1413        state.log_auth(&id, "mTLS");
1414        let mut req = req;
1415        req.extensions_mut().insert(id);
1416        return next.run(req).await;
1417    }
1418
1419    // 2. Pre-auth abuse gate: rejects CPU-spray attacks BEFORE the Argon2id
1420    //    verification path runs. Keyed by source IP. mTLS connections (above)
1421    //    are exempt; this gate only protects the bearer/JWT verification path.
1422    if let Some(blocked) = pre_auth_gate(&state, client_ip) {
1423        return blocked;
1424    }
1425
1426    let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1427        match value.to_str().ok().and_then(extract_bearer) {
1428            Some(token) => match authenticate_bearer_identity(&state, token).await {
1429                Ok(id) => {
1430                    state.log_auth(&id, auth_method_label(id.method));
1431                    let mut req = req;
1432                    req.extensions_mut().insert(id);
1433                    return next.run(req).await;
1434                }
1435                Err(class) => class,
1436            },
1437            None => AuthFailureClass::InvalidCredential,
1438        }
1439    } else {
1440        AuthFailureClass::MissingCredential
1441    };
1442
1443    tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1444
1445    // Rate limit check (applied after auth failure only).
1446    // Successful authentications do not consume rate limit budget.
1447    if let (Some(limiter), Some(ip)) = (&state.rate_limiter, client_ip)
1448        && let Err(wait) = limiter.check_key_wait(&ip)
1449    {
1450        state.counters.record_failure(AuthFailureClass::RateLimited);
1451        tracing::warn!(%ip, "auth rate limited after repeated failures");
1452        return McpxError::RateLimitedFor {
1453            message: "too many failed authentication attempts".into(),
1454            retry_after: wait,
1455        }
1456        .into_response();
1457    }
1458
1459    state.counters.record_failure(failure_class);
1460    unauthorized_response(&state, failure_class)
1461}
1462
1463#[cfg(test)]
1464mod tests {
1465    use super::*;
1466
1467    #[test]
1468    fn generate_and_verify_api_key() {
1469        let (token, hash) = generate_api_key().unwrap();
1470
1471        // Token is 43 chars (256-bit base64url, no padding)
1472        assert_eq!(token.len(), 43);
1473
1474        // Hash is a valid PHC string
1475        assert!(hash.starts_with("$argon2id$"));
1476
1477        // Verification succeeds with correct token
1478        let keys = vec![ApiKeyEntry {
1479            name: "test".into(),
1480            hash,
1481            role: "viewer".into(),
1482            expires_at: None,
1483        }];
1484        let id = verify_bearer_token(&token, &keys);
1485        assert!(id.is_some());
1486        let id = id.unwrap();
1487        assert_eq!(id.name, "test");
1488        assert_eq!(id.role, "viewer");
1489        assert_eq!(id.method, AuthMethod::BearerToken);
1490    }
1491
1492    #[test]
1493    fn wrong_token_rejected() {
1494        let (_token, hash) = generate_api_key().unwrap();
1495        let keys = vec![ApiKeyEntry {
1496            name: "test".into(),
1497            hash,
1498            role: "viewer".into(),
1499            expires_at: None,
1500        }];
1501        assert!(verify_bearer_token("wrong-token", &keys).is_none());
1502    }
1503
1504    #[test]
1505    fn expired_key_rejected() {
1506        let (token, hash) = generate_api_key().unwrap();
1507        let keys = vec![ApiKeyEntry {
1508            name: "test".into(),
1509            hash,
1510            role: "viewer".into(),
1511            expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1512        }];
1513        assert!(verify_bearer_token(&token, &keys).is_none());
1514    }
1515
1516    #[test]
1517    fn match_in_last_slot_still_authenticates() {
1518        let (token, hash) = generate_api_key().unwrap();
1519        let (_other_token, other_hash) = generate_api_key().unwrap();
1520        let keys = vec![
1521            ApiKeyEntry {
1522                name: "first".into(),
1523                hash: other_hash.clone(),
1524                role: "viewer".into(),
1525                expires_at: None,
1526            },
1527            ApiKeyEntry {
1528                name: "second".into(),
1529                hash: other_hash,
1530                role: "viewer".into(),
1531                expires_at: None,
1532            },
1533            ApiKeyEntry {
1534                name: "match".into(),
1535                hash,
1536                role: "ops".into(),
1537                expires_at: None,
1538            },
1539        ];
1540        let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1541        assert_eq!(id.name, "match");
1542        assert_eq!(id.role, "ops");
1543    }
1544
1545    #[test]
1546    fn expired_slot_before_valid_match_does_not_short_circuit() {
1547        let (token, hash) = generate_api_key().unwrap();
1548        let (_, other_hash) = generate_api_key().unwrap();
1549        let keys = vec![
1550            ApiKeyEntry {
1551                name: "expired".into(),
1552                hash: other_hash,
1553                role: "viewer".into(),
1554                expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1555            },
1556            ApiKeyEntry {
1557                name: "valid".into(),
1558                hash,
1559                role: "ops".into(),
1560                expires_at: None,
1561            },
1562        ];
1563        let id = verify_bearer_token(&token, &keys)
1564            .expect("valid slot following an expired slot must authenticate");
1565        assert_eq!(id.name, "valid");
1566    }
1567
1568    #[test]
1569    fn malformed_hash_slot_does_not_short_circuit() {
1570        let (token, hash) = generate_api_key().unwrap();
1571        let keys = vec![
1572            ApiKeyEntry {
1573                name: "broken".into(),
1574                hash: "this-is-not-a-phc-string".into(),
1575                role: "viewer".into(),
1576                expires_at: None,
1577            },
1578            ApiKeyEntry {
1579                name: "valid".into(),
1580                hash,
1581                role: "ops".into(),
1582                expires_at: None,
1583            },
1584        ];
1585        let id = verify_bearer_token(&token, &keys)
1586            .expect("valid slot following a malformed-hash slot must authenticate");
1587        assert_eq!(id.name, "valid");
1588    }
1589
1590    // Regression tests for H3 (api_key_expires_at_fail_open).
1591    //
1592    // Prior to 1.6.0 the runtime expiry check used a chained
1593    // `if let Some(_) && let Ok(exp) = parse(_) && exp < now` which
1594    // silently fell through on parse error, letting a key with
1595    // `expires_at = "not-a-date"` authenticate forever. These tests
1596    // pin the type-system fix: malformed RFC 3339 is rejected at
1597    // deserialization time (no `RfcTimestamp` can ever be malformed),
1598    // and the runtime check is a pure comparison with no parse path.
1599
1600    #[test]
1601    fn rfc_timestamp_parse_rejects_malformed() {
1602        for bad in [
1603            "not-a-date",
1604            "",
1605            "2025-13-01T00:00:00Z", // month 13
1606            "2025-01-32T00:00:00Z", // day 32
1607            "2025-01-01T00:00:00",  // missing offset
1608            "01/01/2025",           // wrong format
1609            "2025-01-01T25:00:00Z", // hour 25
1610        ] {
1611            assert!(
1612                RfcTimestamp::parse(bad).is_err(),
1613                "RfcTimestamp::parse must reject {bad:?}"
1614            );
1615        }
1616    }
1617
1618    #[test]
1619    fn rfc_timestamp_parse_accepts_valid() {
1620        for good in [
1621            "2025-01-01T00:00:00Z",
1622            "2025-01-01T00:00:00+00:00",
1623            "2025-12-31T23:59:59-08:00",
1624            "2099-01-01T00:00:00.123456789Z",
1625        ] {
1626            assert!(
1627                RfcTimestamp::parse(good).is_ok(),
1628                "RfcTimestamp::parse must accept {good:?}"
1629            );
1630        }
1631    }
1632
1633    #[test]
1634    fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1635        // TOML with a malformed expires_at must fail to deserialize.
1636        // This is the load-time defense: a typo in auth.toml aborts
1637        // config load with a clear serde error, instead of producing
1638        // a key that authenticates forever (the H3 fail-open).
1639        let toml = r#"
1640            name = "bad-key"
1641            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1642            role = "viewer"
1643            expires_at = "not-a-date"
1644        "#;
1645        let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1646        assert!(
1647            result.is_err(),
1648            "deserialization must reject malformed expires_at"
1649        );
1650    }
1651
1652    #[test]
1653    fn api_key_entry_deserialize_accepts_valid_expires_at() {
1654        let toml = r#"
1655            name = "good-key"
1656            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1657            role = "viewer"
1658            expires_at = "2099-01-01T00:00:00Z"
1659        "#;
1660        let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1661        assert!(entry.expires_at.is_some());
1662    }
1663
1664    #[test]
1665    fn api_key_entry_deserialize_accepts_missing_expires_at() {
1666        // Omitting expires_at must continue to mean "no expiry"; this
1667        // is the documented contract and must survive the H3 fix.
1668        let toml = r#"
1669            name = "eternal-key"
1670            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1671            role = "viewer"
1672        "#;
1673        let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1674        assert!(entry.expires_at.is_none());
1675    }
1676
1677    #[test]
1678    fn try_with_expiry_rejects_malformed() {
1679        let entry = ApiKeyEntry::new("k", "hash", "viewer");
1680        assert!(entry.try_with_expiry("not-a-date").is_err());
1681    }
1682
1683    #[test]
1684    fn try_with_expiry_accepts_valid() {
1685        let entry = ApiKeyEntry::new("k", "hash", "viewer")
1686            .try_with_expiry("2099-01-01T00:00:00Z")
1687            .expect("valid RFC 3339 must be accepted");
1688        assert!(entry.expires_at.is_some());
1689    }
1690
1691    #[test]
1692    fn api_key_summary_serializes_expires_at_as_rfc3339() {
1693        // The admin endpoint wire format is `{"expires_at": "RFC 3339 str"}`.
1694        // Pinning this prevents an accidental serialization-format change
1695        // (e.g. chrono's debug form, a Unix timestamp) that would silently
1696        // break operator tooling that parses these payloads.
1697        let summary = ApiKeySummary {
1698            name: "k".into(),
1699            role: "viewer".into(),
1700            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1701        };
1702        let json = serde_json::to_string(&summary).unwrap();
1703        assert!(
1704            json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1705            "wire format regressed: {json}"
1706        );
1707    }
1708
1709    #[test]
1710    fn future_expiry_accepted() {
1711        let (token, hash) = generate_api_key().unwrap();
1712        let keys = vec![ApiKeyEntry {
1713            name: "test".into(),
1714            hash,
1715            role: "viewer".into(),
1716            expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1717        }];
1718        assert!(verify_bearer_token(&token, &keys).is_some());
1719    }
1720
1721    #[test]
1722    fn multiple_keys_first_match_wins() {
1723        let (token, hash) = generate_api_key().unwrap();
1724        let keys = vec![
1725            ApiKeyEntry {
1726                name: "wrong".into(),
1727                hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1728                role: "ops".into(),
1729                expires_at: None,
1730            },
1731            ApiKeyEntry {
1732                name: "correct".into(),
1733                hash,
1734                role: "deploy".into(),
1735                expires_at: None,
1736            },
1737        ];
1738        let id = verify_bearer_token(&token, &keys).unwrap();
1739        assert_eq!(id.name, "correct");
1740        assert_eq!(id.role, "deploy");
1741    }
1742
1743    #[test]
1744    fn rate_limiter_allows_within_quota() {
1745        let config = RateLimitConfig {
1746            max_attempts_per_minute: 5,
1747            pre_auth_max_per_minute: None,
1748            max_tracked_keys: default_max_tracked_keys(),
1749            idle_eviction: default_idle_eviction(),
1750            burst: None,
1751            pre_auth_burst: None,
1752        };
1753        let limiter = build_rate_limiter(&config);
1754        let ip: IpAddr = "10.0.0.1".parse().unwrap();
1755
1756        // First 5 should succeed.
1757        for _ in 0..5 {
1758            assert!(limiter.check_key(&ip).is_ok());
1759        }
1760        // 6th should fail.
1761        assert!(limiter.check_key(&ip).is_err());
1762    }
1763
1764    #[test]
1765    fn rate_limiter_separate_ips() {
1766        let config = RateLimitConfig {
1767            max_attempts_per_minute: 2,
1768            pre_auth_max_per_minute: None,
1769            max_tracked_keys: default_max_tracked_keys(),
1770            idle_eviction: default_idle_eviction(),
1771            burst: None,
1772            pre_auth_burst: None,
1773        };
1774        let limiter = build_rate_limiter(&config);
1775        let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1776        let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1777
1778        // Exhaust ip1's quota.
1779        assert!(limiter.check_key(&ip1).is_ok());
1780        assert!(limiter.check_key(&ip1).is_ok());
1781        assert!(limiter.check_key(&ip1).is_err());
1782
1783        // ip2 should still have quota.
1784        assert!(limiter.check_key(&ip2).is_ok());
1785    }
1786
1787    #[test]
1788    fn extract_mtls_identity_from_cn() {
1789        // Generate a cert with explicit CN.
1790        let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1791        params.distinguished_name = rcgen::DistinguishedName::new();
1792        params
1793            .distinguished_name
1794            .push(rcgen::DnType::CommonName, "test-client");
1795        let cert = params
1796            .self_signed(&rcgen::KeyPair::generate().unwrap())
1797            .unwrap();
1798        let der = cert.der();
1799
1800        let id = extract_mtls_identity(der, "ops").unwrap();
1801        assert_eq!(id.name, "test-client");
1802        assert_eq!(id.role, "ops");
1803        assert_eq!(id.method, AuthMethod::MtlsCertificate);
1804    }
1805
1806    #[test]
1807    fn extract_mtls_identity_falls_back_to_san() {
1808        // Cert with no CN but has a DNS SAN.
1809        let mut params =
1810            rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1811        params.distinguished_name = rcgen::DistinguishedName::new();
1812        // No CN set - should fall back to DNS SAN.
1813        let cert = params
1814            .self_signed(&rcgen::KeyPair::generate().unwrap())
1815            .unwrap();
1816        let der = cert.der();
1817
1818        let id = extract_mtls_identity(der, "viewer").unwrap();
1819        assert_eq!(id.name, "san-only.example.com");
1820        assert_eq!(id.role, "viewer");
1821    }
1822
1823    #[test]
1824    fn extract_mtls_identity_invalid_der() {
1825        assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1826    }
1827
1828    // -- auth_middleware integration tests --
1829
1830    use axum::{
1831        body::Body,
1832        http::{Request, StatusCode},
1833    };
1834    use tower::ServiceExt as _;
1835
1836    fn auth_router(state: Arc<AuthState>) -> axum::Router {
1837        axum::Router::new()
1838            .route("/mcp", axum::routing::post(|| async { "ok" }))
1839            .layer(axum::middleware::from_fn(move |req, next| {
1840                let s = Arc::clone(&state);
1841                auth_middleware(s, req, next)
1842            }))
1843    }
1844
1845    fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1846        Arc::new(AuthState {
1847            api_keys: ArcSwap::new(Arc::new(keys)),
1848            rate_limiter: None,
1849            pre_auth_limiter: None,
1850            #[cfg(feature = "oauth")]
1851            jwks_cache: None,
1852            seen_identities: SeenIdentitySet::new(),
1853            counters: AuthCounters::default(),
1854        })
1855    }
1856
1857    #[tokio::test]
1858    async fn middleware_rejects_no_credentials() {
1859        let state = test_auth_state(vec![]);
1860        let app = auth_router(Arc::clone(&state));
1861        let req = Request::builder()
1862            .method(axum::http::Method::POST)
1863            .uri("/mcp")
1864            .body(Body::empty())
1865            .unwrap();
1866        let resp = app.oneshot(req).await.unwrap();
1867        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1868        let challenge = resp
1869            .headers()
1870            .get(header::WWW_AUTHENTICATE)
1871            .unwrap()
1872            .to_str()
1873            .unwrap();
1874        assert!(challenge.contains("error=\"invalid_request\""));
1875
1876        let counters = state.counters_snapshot();
1877        assert_eq!(counters.failure_missing_credential, 1);
1878    }
1879
1880    #[tokio::test]
1881    async fn middleware_accepts_valid_bearer() {
1882        let (token, hash) = generate_api_key().unwrap();
1883        let keys = vec![ApiKeyEntry {
1884            name: "test-key".into(),
1885            hash,
1886            role: "ops".into(),
1887            expires_at: None,
1888        }];
1889        let state = test_auth_state(keys);
1890        let app = auth_router(Arc::clone(&state));
1891        let req = Request::builder()
1892            .method(axum::http::Method::POST)
1893            .uri("/mcp")
1894            .header("authorization", format!("Bearer {token}"))
1895            .body(Body::empty())
1896            .unwrap();
1897        let resp = app.oneshot(req).await.unwrap();
1898        assert_eq!(resp.status(), StatusCode::OK);
1899
1900        let counters = state.counters_snapshot();
1901        assert_eq!(counters.success_bearer, 1);
1902    }
1903
1904    #[tokio::test]
1905    async fn middleware_rejects_wrong_bearer() {
1906        let (_token, hash) = generate_api_key().unwrap();
1907        let keys = vec![ApiKeyEntry {
1908            name: "test-key".into(),
1909            hash,
1910            role: "ops".into(),
1911            expires_at: None,
1912        }];
1913        let state = test_auth_state(keys);
1914        let app = auth_router(Arc::clone(&state));
1915        let req = Request::builder()
1916            .method(axum::http::Method::POST)
1917            .uri("/mcp")
1918            .header("authorization", "Bearer wrong-token-here")
1919            .body(Body::empty())
1920            .unwrap();
1921        let resp = app.oneshot(req).await.unwrap();
1922        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1923        let challenge = resp
1924            .headers()
1925            .get(header::WWW_AUTHENTICATE)
1926            .unwrap()
1927            .to_str()
1928            .unwrap();
1929        assert!(challenge.contains("error=\"invalid_token\""));
1930
1931        let counters = state.counters_snapshot();
1932        assert_eq!(counters.failure_invalid_credential, 1);
1933    }
1934
1935    #[tokio::test]
1936    async fn middleware_rate_limits() {
1937        let state = Arc::new(AuthState {
1938            api_keys: ArcSwap::new(Arc::new(vec![])),
1939            rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1940                max_attempts_per_minute: 1,
1941                pre_auth_max_per_minute: None,
1942                max_tracked_keys: default_max_tracked_keys(),
1943                idle_eviction: default_idle_eviction(),
1944                burst: None,
1945                pre_auth_burst: None,
1946            })),
1947            pre_auth_limiter: None,
1948            #[cfg(feature = "oauth")]
1949            jwks_cache: None,
1950            seen_identities: SeenIdentitySet::new(),
1951            counters: AuthCounters::default(),
1952        });
1953        let app = auth_router(state);
1954
1955        // First request: UNAUTHORIZED (no credentials, but not rate limited)
1956        let req = Request::builder()
1957            .method(axum::http::Method::POST)
1958            .uri("/mcp")
1959            .body(Body::empty())
1960            .unwrap();
1961        let resp = app.clone().oneshot(req).await.unwrap();
1962        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1963
1964        // Second request from same "IP" (no ConnectInfo in test, so peer_addr is None
1965        // and rate limiter won't fire). That's expected -- rate limiting requires
1966        // ConnectInfo which isn't available in unit tests without a real server.
1967        // This test verifies the middleware wiring doesn't panic.
1968    }
1969
1970    /// Verify that rate limit semantics: only failed auth attempts consume budget.
1971    ///
1972    /// This is a unit test of the limiter behavior. The middleware integration
1973    /// is that on auth failure, `check_key` is called; on auth success, it is NOT.
1974    /// Full e2e tests verify the middleware routing but require `ConnectInfo`.
1975    #[test]
1976    fn rate_limit_semantics_failed_only() {
1977        let config = RateLimitConfig {
1978            max_attempts_per_minute: 3,
1979            pre_auth_max_per_minute: None,
1980            max_tracked_keys: default_max_tracked_keys(),
1981            idle_eviction: default_idle_eviction(),
1982            burst: None,
1983            pre_auth_burst: None,
1984        };
1985        let limiter = build_rate_limiter(&config);
1986        let ip: IpAddr = "192.168.1.100".parse().unwrap();
1987
1988        // Simulate: 3 failed attempts should exhaust quota.
1989        assert!(
1990            limiter.check_key(&ip).is_ok(),
1991            "failure 1 should be allowed"
1992        );
1993        assert!(
1994            limiter.check_key(&ip).is_ok(),
1995            "failure 2 should be allowed"
1996        );
1997        assert!(
1998            limiter.check_key(&ip).is_ok(),
1999            "failure 3 should be allowed"
2000        );
2001        assert!(
2002            limiter.check_key(&ip).is_err(),
2003            "failure 4 should be blocked"
2004        );
2005
2006        // In the actual middleware flow:
2007        // - Successful auth: verify_bearer_token returns Some, we return early
2008        //   WITHOUT calling check_key, so no budget consumed.
2009        // - Failed auth: verify_bearer_token returns None, we call check_key
2010        //   THEN return 401, so budget is consumed.
2011        //
2012        // This means N successful requests followed by M failed requests
2013        // will only count M toward the rate limit, not N+M.
2014    }
2015
2016    // -- pre-auth abuse gate (H-S1) --
2017
2018    /// The pre-auth gate must default to ~10x the post-failure quota so honest
2019    /// retry storms never trip it but a Argon2-spray attacker is throttled.
2020    #[test]
2021    fn pre_auth_default_multiplier_is_10x() {
2022        let config = RateLimitConfig {
2023            max_attempts_per_minute: 5,
2024            pre_auth_max_per_minute: None,
2025            max_tracked_keys: default_max_tracked_keys(),
2026            idle_eviction: default_idle_eviction(),
2027            burst: None,
2028            pre_auth_burst: None,
2029        };
2030        let limiter = build_pre_auth_limiter(&config);
2031        let ip: IpAddr = "10.0.0.1".parse().unwrap();
2032
2033        // Quota should be 50 (5 * 10), not 5. We expect the first 50 to pass.
2034        for i in 0..50 {
2035            assert!(
2036                limiter.check_key(&ip).is_ok(),
2037                "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2038            );
2039        }
2040        // The 51st attempt must be blocked: confirms quota is bounded, not infinite.
2041        assert!(
2042            limiter.check_key(&ip).is_err(),
2043            "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2044        );
2045    }
2046
2047    /// An explicit `pre_auth_max_per_minute` override must win over the
2048    /// 10x-multiplier default.
2049    #[test]
2050    fn pre_auth_explicit_override_wins() {
2051        let config = RateLimitConfig {
2052            max_attempts_per_minute: 100,     // would default to 1000 pre-auth quota
2053            pre_auth_max_per_minute: Some(2), // but operator caps at 2
2054            max_tracked_keys: default_max_tracked_keys(),
2055            idle_eviction: default_idle_eviction(),
2056            burst: None,
2057            pre_auth_burst: None,
2058        };
2059        let limiter = build_pre_auth_limiter(&config);
2060        let ip: IpAddr = "10.0.0.2".parse().unwrap();
2061
2062        assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2063        assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2064        assert!(
2065            limiter.check_key(&ip).is_err(),
2066            "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2067        );
2068    }
2069
2070    /// The pre-auth gate's 429 must carry a Retry-After header.
2071    #[test]
2072    fn pre_auth_gate_deny_sets_retry_after() {
2073        let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2074        let state = AuthState {
2075            api_keys: ArcSwap::new(Arc::new(vec![])),
2076            rate_limiter: None,
2077            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2078            #[cfg(feature = "oauth")]
2079            jwks_cache: None,
2080            seen_identities: SeenIdentitySet::new(),
2081            counters: AuthCounters::default(),
2082        };
2083        let ip: IpAddr = "10.7.7.7".parse().unwrap();
2084        assert!(
2085            pre_auth_gate(&state, Some(ip)).is_none(),
2086            "first request within quota"
2087        );
2088        let resp = pre_auth_gate(&state, Some(ip)).expect("second request must be gated");
2089        assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2090        let retry_after = resp
2091            .headers()
2092            .get(header::RETRY_AFTER)
2093            .expect("Retry-After present")
2094            .to_str()
2095            .unwrap()
2096            .parse::<u64>()
2097            .unwrap();
2098        assert!(retry_after >= 1, "delta-seconds must be >= 1");
2099    }
2100
2101    /// Post-failure limiter honors an explicit burst capacity.
2102    #[test]
2103    fn post_failure_limiter_burst_allows_initial_spike() {
2104        let config = RateLimitConfig::new(1).with_burst(3);
2105        let limiter = build_rate_limiter(&config);
2106        let ip: IpAddr = "10.6.6.6".parse().unwrap();
2107        for i in 0..3 {
2108            assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2109        }
2110        assert!(
2111            limiter.check_key(&ip).is_err(),
2112            "attempt 4 must exceed the burst bucket"
2113        );
2114    }
2115
2116    /// End-to-end: the pre-auth gate must reject before the bearer-verification
2117    /// path runs. We exhaust the gate's quota (Some(1)) with one bad-bearer
2118    /// request, then the second request must be rejected with 429 + the
2119    /// `pre_auth_gate` failure counter incremented (NOT
2120    /// `failure_invalid_credential`, which would prove Argon2 ran).
2121    #[tokio::test]
2122    async fn pre_auth_gate_blocks_before_argon2_verification() {
2123        let (_token, hash) = generate_api_key().unwrap();
2124        let keys = vec![ApiKeyEntry {
2125            name: "test-key".into(),
2126            hash,
2127            role: "ops".into(),
2128            expires_at: None,
2129        }];
2130        let config = RateLimitConfig {
2131            max_attempts_per_minute: 100,
2132            pre_auth_max_per_minute: Some(1),
2133            max_tracked_keys: default_max_tracked_keys(),
2134            idle_eviction: default_idle_eviction(),
2135            burst: None,
2136            pre_auth_burst: None,
2137        };
2138        let state = Arc::new(AuthState {
2139            api_keys: ArcSwap::new(Arc::new(keys)),
2140            rate_limiter: None,
2141            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2142            #[cfg(feature = "oauth")]
2143            jwks_cache: None,
2144            seen_identities: SeenIdentitySet::new(),
2145            counters: AuthCounters::default(),
2146        });
2147        let app = auth_router(Arc::clone(&state));
2148        let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2149
2150        // First bad-bearer request: gate has quota, bearer verification runs,
2151        // returns 401 (invalid credential).
2152        let mut req1 = Request::builder()
2153            .method(axum::http::Method::POST)
2154            .uri("/mcp")
2155            .header("authorization", "Bearer obviously-not-a-real-token")
2156            .body(Body::empty())
2157            .unwrap();
2158        req1.extensions_mut().insert(ConnectInfo(peer));
2159        let resp1 = app.clone().oneshot(req1).await.unwrap();
2160        assert_eq!(
2161            resp1.status(),
2162            StatusCode::UNAUTHORIZED,
2163            "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2164        );
2165
2166        // Second bad-bearer request from same IP: gate quota exhausted, must
2167        // reject with 429 BEFORE the Argon2 verification path runs.
2168        let mut req2 = Request::builder()
2169            .method(axum::http::Method::POST)
2170            .uri("/mcp")
2171            .header("authorization", "Bearer also-not-a-real-token")
2172            .body(Body::empty())
2173            .unwrap();
2174        req2.extensions_mut().insert(ConnectInfo(peer));
2175        let resp2 = app.oneshot(req2).await.unwrap();
2176        assert_eq!(
2177            resp2.status(),
2178            StatusCode::TOO_MANY_REQUESTS,
2179            "second attempt from same IP: pre-auth gate must reject with 429"
2180        );
2181
2182        let counters = state.counters_snapshot();
2183        assert_eq!(
2184            counters.failure_pre_auth_gate, 1,
2185            "exactly one request must have been rejected by the pre-auth gate"
2186        );
2187        // Critical: Argon2 verification must NOT have run on the gated request.
2188        // The first request's 401 increments `failure_invalid_credential` to 1;
2189        // the second (gated) request must NOT increment it further.
2190        assert_eq!(
2191            counters.failure_invalid_credential, 1,
2192            "bearer verification must run exactly once (only the un-gated first request)"
2193        );
2194    }
2195
2196    /// mTLS-authenticated requests must bypass the pre-auth gate entirely.
2197    /// The TLS handshake already performed expensive crypto with a verified
2198    /// peer, so mTLS callers should never be throttled by this gate.
2199    ///
2200    /// Setup: a pre-auth gate with quota 1 (very tight). Submit two mTLS
2201    /// requests in quick succession from the same IP. Both must succeed.
2202    #[tokio::test]
2203    async fn pre_auth_gate_does_not_throttle_mtls() {
2204        let config = RateLimitConfig {
2205            max_attempts_per_minute: 100,
2206            pre_auth_max_per_minute: Some(1), // tight: would block 2nd plain request
2207            max_tracked_keys: default_max_tracked_keys(),
2208            idle_eviction: default_idle_eviction(),
2209            burst: None,
2210            pre_auth_burst: None,
2211        };
2212        let state = Arc::new(AuthState {
2213            api_keys: ArcSwap::new(Arc::new(vec![])),
2214            rate_limiter: None,
2215            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2216            #[cfg(feature = "oauth")]
2217            jwks_cache: None,
2218            seen_identities: SeenIdentitySet::new(),
2219            counters: AuthCounters::default(),
2220        });
2221        let app = auth_router(Arc::clone(&state));
2222        let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2223        let identity = AuthIdentity {
2224            name: "cn=test-client".into(),
2225            role: "viewer".into(),
2226            method: AuthMethod::MtlsCertificate,
2227            raw_token: None,
2228            sub: None,
2229        };
2230        let tls_info = TlsConnInfo::new(peer, Some(identity));
2231
2232        for i in 0..3 {
2233            let mut req = Request::builder()
2234                .method(axum::http::Method::POST)
2235                .uri("/mcp")
2236                .body(Body::empty())
2237                .unwrap();
2238            req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2239            let resp = app.clone().oneshot(req).await.unwrap();
2240            assert_eq!(
2241                resp.status(),
2242                StatusCode::OK,
2243                "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2244            );
2245        }
2246
2247        let counters = state.counters_snapshot();
2248        assert_eq!(
2249            counters.failure_pre_auth_gate, 0,
2250            "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2251        );
2252        assert_eq!(
2253            counters.success_mtls, 3,
2254            "all three mTLS requests must have been counted as successful"
2255        );
2256    }
2257
2258    // -------------------------------------------------------------------
2259    // RFC 7235 §2.1 case-insensitive scheme parsing for `extract_bearer`.
2260    // -------------------------------------------------------------------
2261
2262    #[test]
2263    fn extract_bearer_accepts_canonical_case() {
2264        assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2265    }
2266
2267    #[test]
2268    fn extract_bearer_is_case_insensitive_per_rfc7235() {
2269        // RFC 7235 §2.1: "auth-scheme is case-insensitive".
2270        // Real-world clients (curl, browsers, custom HTTP libs) emit varied
2271        // casings; rejecting any of them is a spec violation.
2272        for header in &[
2273            "bearer abc123",
2274            "BEARER abc123",
2275            "BeArEr abc123",
2276            "bEaReR abc123",
2277        ] {
2278            assert_eq!(
2279                extract_bearer(header),
2280                Some("abc123"),
2281                "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2282            );
2283        }
2284    }
2285
2286    #[test]
2287    fn extract_bearer_rejects_other_schemes() {
2288        assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2289        assert_eq!(extract_bearer("Digest username=\"x\""), None);
2290        assert_eq!(extract_bearer("Token abc123"), None);
2291    }
2292
2293    #[test]
2294    fn extract_bearer_rejects_malformed() {
2295        // Empty string, no separator, scheme-only, scheme + only whitespace.
2296        assert_eq!(extract_bearer(""), None);
2297        assert_eq!(extract_bearer("Bearer"), None);
2298        assert_eq!(extract_bearer("Bearer "), None);
2299        assert_eq!(extract_bearer("Bearer    "), None);
2300    }
2301
2302    #[test]
2303    fn extract_bearer_tolerates_extra_separator_whitespace() {
2304        // Some non-conformant clients emit two spaces; we should still parse.
2305        assert_eq!(extract_bearer("Bearer  abc123"), Some("abc123"));
2306        assert_eq!(extract_bearer("Bearer   abc123"), Some("abc123"));
2307    }
2308
2309    // -------------------------------------------------------------------
2310    // Debug redaction: ensure `AuthIdentity` and `ApiKeyEntry` never leak
2311    // secret material via `format!("{:?}", …)` or `tracing::debug!(?…)`.
2312    // -------------------------------------------------------------------
2313
2314    #[test]
2315    fn auth_identity_debug_redacts_raw_token() {
2316        let id = AuthIdentity {
2317            name: "alice".into(),
2318            role: "admin".into(),
2319            method: AuthMethod::OAuthJwt,
2320            raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2321            sub: Some("keycloak-uuid-2f3c8b".into()),
2322        };
2323        let dbg = format!("{id:?}");
2324
2325        // Plaintext fields must be visible (they are not secrets).
2326        assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2327        assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2328        assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2329
2330        // Secret fields must NOT leak.
2331        assert!(
2332            !dbg.contains("super-secret-jwt-payload-xyz"),
2333            "raw_token must be redacted in Debug output: {dbg}"
2334        );
2335        assert!(
2336            !dbg.contains("keycloak-uuid-2f3c8b"),
2337            "sub must be redacted in Debug output: {dbg}"
2338        );
2339        assert!(
2340            dbg.contains("<redacted>"),
2341            "redaction marker missing: {dbg}"
2342        );
2343    }
2344
2345    #[test]
2346    fn auth_identity_debug_marks_absent_secrets() {
2347        // For non-OAuth identities (mTLS / API key) the secret fields are
2348        // None; redacted Debug output should distinguish that from "present".
2349        let id = AuthIdentity {
2350            name: "viewer-key".into(),
2351            role: "viewer".into(),
2352            method: AuthMethod::BearerToken,
2353            raw_token: None,
2354            sub: None,
2355        };
2356        let dbg = format!("{id:?}");
2357        assert!(
2358            dbg.contains("<none>"),
2359            "absent secrets should be marked: {dbg}"
2360        );
2361        assert!(
2362            !dbg.contains("<redacted>"),
2363            "no <redacted> marker when secrets are absent: {dbg}"
2364        );
2365    }
2366
2367    #[test]
2368    fn api_key_entry_debug_redacts_hash() {
2369        let entry = ApiKeyEntry {
2370            name: "viewer-key".into(),
2371            // Realistic Argon2id PHC string (must NOT leak).
2372            hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2373            role: "viewer".into(),
2374            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2375        };
2376        let dbg = format!("{entry:?}");
2377
2378        // Non-secret fields visible.
2379        assert!(dbg.contains("viewer-key"));
2380        assert!(dbg.contains("viewer"));
2381        assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2382
2383        // Hash material must NOT leak.
2384        assert!(
2385            !dbg.contains("$argon2id$"),
2386            "argon2 hash leaked into Debug output: {dbg}"
2387        );
2388        assert!(
2389            !dbg.contains("h4sh3dPa55w0rd"),
2390            "hash digest leaked into Debug output: {dbg}"
2391        );
2392        assert!(
2393            dbg.contains("<redacted>"),
2394            "redaction marker missing: {dbg}"
2395        );
2396    }
2397
2398    // -- AuthFailureClass exact-string contract tests --
2399    //
2400    // These tests pin the exact wire strings emitted for each failure
2401    // class. They exist to kill mutation-test mutants that replace the
2402    // match-arm string literals (e.g. with `""` or with the value from
2403    // another arm). Operators and dashboards rely on these literals
2404    // for metric labels and audit-log filters; any change is a
2405    // breaking observability change and must be reflected in
2406    // CHANGELOG.md.
2407
2408    #[test]
2409    fn auth_failure_class_as_str_exact_strings() {
2410        assert_eq!(
2411            AuthFailureClass::MissingCredential.as_str(),
2412            "missing_credential"
2413        );
2414        assert_eq!(
2415            AuthFailureClass::InvalidCredential.as_str(),
2416            "invalid_credential"
2417        );
2418        assert_eq!(
2419            AuthFailureClass::ExpiredCredential.as_str(),
2420            "expired_credential"
2421        );
2422        assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2423        assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2424    }
2425
2426    #[test]
2427    fn auth_failure_class_response_body_exact_strings() {
2428        assert_eq!(
2429            AuthFailureClass::MissingCredential.response_body(),
2430            "unauthorized: missing credential"
2431        );
2432        assert_eq!(
2433            AuthFailureClass::InvalidCredential.response_body(),
2434            "unauthorized: invalid credential"
2435        );
2436        assert_eq!(
2437            AuthFailureClass::ExpiredCredential.response_body(),
2438            "unauthorized: expired credential"
2439        );
2440        assert_eq!(
2441            AuthFailureClass::RateLimited.response_body(),
2442            "rate limited"
2443        );
2444        assert_eq!(
2445            AuthFailureClass::PreAuthGate.response_body(),
2446            "rate limited (pre-auth)"
2447        );
2448    }
2449
2450    #[test]
2451    fn auth_failure_class_bearer_error_exact_strings() {
2452        assert_eq!(
2453            AuthFailureClass::MissingCredential.bearer_error(),
2454            (
2455                "invalid_request",
2456                "missing bearer token or mTLS client certificate"
2457            )
2458        );
2459        assert_eq!(
2460            AuthFailureClass::InvalidCredential.bearer_error(),
2461            ("invalid_token", "token is invalid")
2462        );
2463        assert_eq!(
2464            AuthFailureClass::ExpiredCredential.bearer_error(),
2465            ("invalid_token", "token is expired")
2466        );
2467        assert_eq!(
2468            AuthFailureClass::RateLimited.bearer_error(),
2469            ("invalid_request", "too many failed authentication attempts")
2470        );
2471        assert_eq!(
2472            AuthFailureClass::PreAuthGate.bearer_error(),
2473            (
2474                "invalid_request",
2475                "too many unauthenticated requests from this source"
2476            )
2477        );
2478    }
2479
2480    // -- AuthConfig::summary boolean-flag contract tests --
2481    //
2482    // These tests pin the boolean flags emitted by `AuthConfig::summary`
2483    // so that mutations like deleting `!` (which would invert the
2484    // semantics of `bearer`) or replacing `is_some()` with `is_none()`
2485    // are caught immediately. The summary is consumed by `/admin/*`
2486    // diagnostics so any inversion is an operator-visible regression.
2487
2488    #[test]
2489    fn auth_config_summary_bearer_true_when_keys_present() {
2490        let (_token, hash) = generate_api_key().unwrap();
2491        let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2492        let s = cfg.summary();
2493        assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2494        assert!(
2495            s.bearer,
2496            "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2497        );
2498        assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2499        assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2500        assert_eq!(s.api_keys.len(), 1);
2501        assert_eq!(s.api_keys[0].name, "k");
2502        assert_eq!(s.api_keys[0].role, "viewer");
2503    }
2504
2505    #[test]
2506    fn auth_config_summary_bearer_false_when_no_keys() {
2507        let cfg = AuthConfig::with_keys(vec![]);
2508        let s = cfg.summary();
2509        assert!(
2510            !s.bearer,
2511            "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2512        );
2513        assert!(s.api_keys.is_empty());
2514    }
2515
2516    #[test]
2517    fn seen_identity_set_first_then_repeat() {
2518        let set = SeenIdentitySet::new();
2519        assert!(set.insert_is_first("alice"), "first sighting is first");
2520        assert!(
2521            !set.insert_is_first("alice"),
2522            "second sighting is not first"
2523        );
2524        assert!(set.insert_is_first("bob"));
2525        assert_eq!(set.len(), 2);
2526    }
2527
2528    #[test]
2529    fn seen_identity_set_evicts_oldest_at_cap() {
2530        let set = SeenIdentitySet::with_cap(2);
2531        assert!(set.insert_is_first("a"));
2532        assert!(set.insert_is_first("b"));
2533        // Cap reached; inserting "c" evicts "a".
2534        assert!(set.insert_is_first("c"));
2535        assert_eq!(set.len(), 2);
2536        // "a" was evicted, so it re-fires as "first" (matches the documented
2537        // bounded trade-off: re-INFO once on reappearance). Inserting "a"
2538        // here evicts "b" (next oldest), leaving {c, a}.
2539        assert!(set.insert_is_first("a"));
2540        assert_eq!(set.len(), 2);
2541        // "b" has now been evicted in turn, so it re-fires as "first" too.
2542        assert!(set.insert_is_first("b"));
2543        // Sanity: cap is never exceeded regardless of churn pattern.
2544        for i in 0..32 {
2545            set.insert_is_first(&format!("churn-{i}"));
2546            assert!(set.len() <= 2, "cap invariant must hold");
2547        }
2548    }
2549
2550    #[test]
2551    fn seen_identity_set_cap_zero_is_raised_to_one() {
2552        let set = SeenIdentitySet::with_cap(0);
2553        assert!(set.insert_is_first("only"));
2554        assert_eq!(set.len(), 1);
2555        // Next insert evicts "only".
2556        assert!(set.insert_is_first("next"));
2557        assert_eq!(set.len(), 1);
2558    }
2559
2560    #[test]
2561    fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2562        // Locks in the FIFO contract: repeat hits MUST NOT bump an entry
2563        // to the back of the eviction queue (that would be LRU).
2564        let set = SeenIdentitySet::with_cap(2);
2565        assert!(set.insert_is_first("a")); // order=[a]
2566        assert!(set.insert_is_first("b")); // order=[a,b]
2567        // Repeat hit on "a" - if this were LRU, "a" would move to the back
2568        // and "b" would be the next eviction victim. Under FIFO, "a" stays
2569        // at the front (oldest by insertion).
2570        assert!(!set.insert_is_first("a"));
2571        // Insert "c" forces eviction. Under FIFO, "a" (oldest by insertion)
2572        // is evicted; "b" survives. Under LRU, "b" would have been evicted.
2573        assert!(set.insert_is_first("c"));
2574        // Prove "a" was evicted: re-inserting fires as first again.
2575        assert!(set.insert_is_first("a"));
2576        // Prove "b" was NOT evicted: re-inserting does NOT fire as first.
2577        // (If LRU semantics had snuck in, this assertion would fail.)
2578        // After the previous step, "a" eviction pushed out "b" as the new
2579        // oldest, so we must re-add "b" via a fresh insert path. To keep
2580        // the test deterministic we rebuild a small scenario:
2581        let set = SeenIdentitySet::with_cap(2);
2582        assert!(set.insert_is_first("x")); // order=[x]
2583        assert!(set.insert_is_first("y")); // order=[x,y]
2584        assert!(!set.insert_is_first("x")); // repeat hit (under FIFO: order unchanged)
2585        assert!(set.insert_is_first("z")); // evicts "x" under FIFO
2586        assert!(
2587            !set.insert_is_first("y"),
2588            "y must still be present (FIFO did not evict it)"
2589        );
2590        assert!(
2591            set.insert_is_first("x"),
2592            "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2593        );
2594    }
2595}