secure-gate 0.9.0-rc.5

Secure wrappers for secrets with explicit access and mandatory zeroization — no_std-compatible, zero-overhead library with audit-friendly access patterns.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

//! URL-safe Base64 encoding trait.
//!
//! > **Import path:** `use secure_gate::ToBase64Url;`
//!
//! This trait provides secure, explicit encoding of byte data to URL-safe
//! base64 strings (no padding, RFC 4648). It is intended for intentional
//! export scenarios only (QR codes, API responses, audited logging).
//!
//! Requires the `encoding-base64` feature.
//!
//! # Security Notes
//!
//! - **Full secret exposure**: The resulting string contains the **entire** secret.
//!   Always treat output as sensitive; do not log or persist without protection.
//! - **Zeroizing variants**: Prefer `to_base64url_zeroizing()`, which returns [`EncodedSecret`]
//!   (wrapping `Zeroizing<String>` with redacted `Debug`). Use plain `to_base64url()`
//!   only for public values.
//! - **Explicit exposure**: `to_base64url()` (and the other encoding methods) perform deliberate full-secret exposure —
//!   the same security contract as `with_secret` or `expose_secret`. Direct calls do not
//!   appear in `grep expose_secret` / `grep with_secret` audit sweeps. For audit-first teams
//!   or multi-step operations, prefer `with_secret(|b| b.to_base64url())` — the borrow
//!   checker enforces the reference cannot escape the closure.
//! - **URL-safe**: No padding (`=`), safe for URLs/JSON/filenames.
//!
//! # Example
//!
//! ```rust
//! # #[cfg(feature = "encoding-base64")]
//! use secure_gate::{Fixed, ToBase64Url, RevealSecret};
//! # #[cfg(feature = "encoding-base64")]
//! {
//! let secret = Fixed::new([0x42u8; 4]);
//!
//! // Blanket impl on the inner byte array (via with_secret):
//! let b64 = secret.with_secret(|s| s.to_base64url());
//! assert_eq!(b64, "QkJCQg");
//!
//! // Wrapper method (Direct Fixed<[u8; N]> API — same result):
//! assert_eq!(secret.to_base64url(), "QkJCQg");
//!
//! // Zeroizing variant for sensitive encoded output:
//! let b64z = secret.to_base64url_zeroizing();
//! // b64z is EncodedSecret — zeroized on drop, redacted Debug
//! }
//! ```
#[cfg(all(feature = "encoding-base64", feature = "alloc"))]
use base64ct::{Base64UrlUnpadded, Encoding};

/// Extension trait for encoding byte data as URL-safe base64 strings (no padding).
///
/// *Requires feature `encoding-base64`.*
///
/// Blanket-implemented for all `AsRef<[u8]>` types. Uses the RFC 4648 URL-safe
/// alphabet without `=` padding. To encode a secret wrapper, call the inherent
/// `to_base64url()` method directly (ergonomically safest for single operations), or
/// use `with_secret(|b| b.to_base64url())` for multi-step operations or when
/// audit-greppability matters.
#[cfg(all(feature = "encoding-base64", feature = "alloc"))]
pub trait ToBase64Url {
    /// Encode bytes as URL-safe base64 (no padding).
    fn to_base64url(&self) -> alloc::string::String;

    /// Encode bytes as URL-safe base64 and wrap the result in [`crate::EncodedSecret`].
    fn to_base64url_zeroizing(&self) -> crate::EncodedSecret;
}

// Blanket impl to cover any AsRef<[u8]> (e.g., &[u8], Vec<u8>, [u8; N], etc.)
#[cfg(all(feature = "encoding-base64", feature = "alloc"))]
impl<T: AsRef<[u8]> + ?Sized> ToBase64Url for T {
    #[inline(always)]
    fn to_base64url(&self) -> alloc::string::String {
        Base64UrlUnpadded::encode_string(self.as_ref())
    }

    #[inline(always)]
    fn to_base64url_zeroizing(&self) -> crate::EncodedSecret {
        crate::EncodedSecret::new(self.to_base64url())
    }
}