//! Generated by `trust-tasks-codegen` — do not edit by hand.
//!
//! Spec slug: `auth/passkey/login/finish`. Version: `0.2`.
#[allow(unused_imports)]
use serde::{Deserialize, Serialize};
/// Error types.
pub mod error {
/// Error from a `TryFrom` or `FromStr` implementation.
pub struct ConversionError(::std::borrow::Cow<'static, str>);
impl ::std::error::Error for ConversionError {}
impl ::std::fmt::Display for ConversionError {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> Result<(), ::std::fmt::Error> {
::std::fmt::Display::fmt(&self.0, f)
}
}
impl ::std::fmt::Debug for ConversionError {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> Result<(), ::std::fmt::Error> {
::std::fmt::Debug::fmt(&self.0, f)
}
}
impl From<&'static str> for ConversionError {
fn from(value: &'static str) -> Self {
Self(value.into())
}
}
impl From<String> for ConversionError {
fn from(value: String) -> Self {
Self(value.into())
}
}
}
///The credential the client returns from `navigator.credentials.get`. Binary fields are base64url-encoded.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "AuthenticatorAssertionResponse (login)",
/// "description": "The credential the client returns from `navigator.credentials.get`. Binary fields are base64url-encoded.",
/// "type": "object",
/// "required": [
/// "id",
/// "rawId",
/// "response",
/// "type"
/// ],
/// "properties": {
/// "authenticatorAttachment": {
/// "enum": [
/// "platform",
/// "cross-platform"
/// ]
/// },
/// "clientExtensionResults": {
/// "type": "object"
/// },
/// "id": {
/// "type": "string"
/// },
/// "rawId": {
/// "type": "string"
/// },
/// "response": {
/// "type": "object",
/// "required": [
/// "authenticatorData",
/// "clientDataJSON",
/// "signature"
/// ],
/// "properties": {
/// "authenticatorData": {
/// "type": "string"
/// },
/// "clientDataJSON": {
/// "type": "string"
/// },
/// "signature": {
/// "type": "string"
/// },
/// "userHandle": {
/// "type": [
/// "string",
/// "null"
/// ]
/// }
/// },
/// "additionalProperties": false
/// },
/// "type": {
/// "const": "public-key"
/// }
/// },
/// "additionalProperties": false,
/// "$anchor": "assertionResponse"
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct AssertionResponse {
#[serde(
rename = "authenticatorAttachment",
default,
skip_serializing_if = "::std::option::Option::is_none"
)]
pub authenticator_attachment: ::std::option::Option<AssertionResponseAuthenticatorAttachment>,
#[serde(
rename = "clientExtensionResults",
default,
skip_serializing_if = "::serde_json::Map::is_empty"
)]
pub client_extension_results: ::serde_json::Map<::std::string::String, ::serde_json::Value>,
pub id: ::std::string::String,
#[serde(rename = "rawId")]
pub raw_id: ::std::string::String,
pub response: AssertionResponseResponse,
#[serde(rename = "type")]
pub type_: ::serde_json::Value,
}
///`AssertionResponseAuthenticatorAttachment`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "enum": [
/// "platform",
/// "cross-platform"
/// ]
///}
/// ```
/// </details>
#[derive(
::serde::Deserialize,
::serde::Serialize,
Clone,
Copy,
Debug,
Eq,
Hash,
Ord,
PartialEq,
PartialOrd,
)]
pub enum AssertionResponseAuthenticatorAttachment {
#[serde(rename = "platform")]
Platform,
#[serde(rename = "cross-platform")]
CrossPlatform,
}
impl ::std::fmt::Display for AssertionResponseAuthenticatorAttachment {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
match *self {
Self::Platform => f.write_str("platform"),
Self::CrossPlatform => f.write_str("cross-platform"),
}
}
}
impl ::std::str::FromStr for AssertionResponseAuthenticatorAttachment {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
match value {
"platform" => Ok(Self::Platform),
"cross-platform" => Ok(Self::CrossPlatform),
_ => Err("invalid value".into()),
}
}
}
impl ::std::convert::TryFrom<&str> for AssertionResponseAuthenticatorAttachment {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for AssertionResponseAuthenticatorAttachment {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for AssertionResponseAuthenticatorAttachment {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
///`AssertionResponseResponse`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "object",
/// "required": [
/// "authenticatorData",
/// "clientDataJSON",
/// "signature"
/// ],
/// "properties": {
/// "authenticatorData": {
/// "type": "string"
/// },
/// "clientDataJSON": {
/// "type": "string"
/// },
/// "signature": {
/// "type": "string"
/// },
/// "userHandle": {
/// "type": [
/// "string",
/// "null"
/// ]
/// }
/// },
/// "additionalProperties": false
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct AssertionResponseResponse {
#[serde(rename = "authenticatorData")]
pub authenticator_data: ::std::string::String,
#[serde(rename = "clientDataJSON")]
pub client_data_json: ::std::string::String,
pub signature: ::std::string::String,
#[serde(
rename = "userHandle",
default,
skip_serializing_if = "::std::option::Option::is_none"
)]
pub user_handle: ::std::option::Option<::std::string::String>,
}
///Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "Ext",
/// "description": "Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.",
/// "type": "object",
/// "minProperties": 1,
/// "additionalProperties": true,
/// "propertyNames": {
/// "pattern": "^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$"
/// }
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(transparent)]
pub struct Ext(pub ::std::collections::HashMap<ExtKey, ::serde_json::Value>);
impl ::std::ops::Deref for Ext {
type Target = ::std::collections::HashMap<ExtKey, ::serde_json::Value>;
fn deref(&self) -> &::std::collections::HashMap<ExtKey, ::serde_json::Value> {
&self.0
}
}
impl ::std::convert::From<Ext> for ::std::collections::HashMap<ExtKey, ::serde_json::Value> {
fn from(value: Ext) -> Self {
value.0
}
}
impl ::std::convert::From<::std::collections::HashMap<ExtKey, ::serde_json::Value>> for Ext {
fn from(value: ::std::collections::HashMap<ExtKey, ::serde_json::Value>) -> Self {
Self(value)
}
}
///`ExtKey`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "string",
/// "pattern": "^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$"
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct ExtKey(::std::string::String);
impl ::std::ops::Deref for ExtKey {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<ExtKey> for ::std::string::String {
fn from(value: ExtKey) -> Self {
value.0
}
}
impl ::std::str::FromStr for ExtKey {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
static PATTERN: ::std::sync::LazyLock<::regress::Regex> =
::std::sync::LazyLock::new(|| {
::regress::Regex::new("^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$").unwrap()
});
if PATTERN.find(value).is_none() {
return Err("doesn't match pattern \"^[a-z][a-z0-9-]*(\\.[a-z0-9-]+)+$\"".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for ExtKey {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for ExtKey {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///Submit the WebAuthn assertion that completes a passkey login or step-up ceremony. On success the auth service issues a session (login) or elevates an existing session's acr (step-up).
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "$id": "https://trusttasks.org/spec/auth/passkey/login/finish/0.2",
/// "title": "Payload",
/// "description": "Submit the WebAuthn assertion that completes a passkey login or step-up ceremony. On success the auth service issues a session (login) or elevates an existing session's acr (step-up).",
/// "type": "object",
/// "required": [
/// "authId",
/// "credential"
/// ],
/// "properties": {
/// "authId": {
/// "description": "The authId issued by the matching login/start response. Echoed verbatim.",
/// "type": "string",
/// "minLength": 1
/// },
/// "credential": {
/// "description": "AuthenticatorAssertionResponse as returned by `navigator.credentials.get`. Binary fields base64url-encoded.",
/// "$ref": "#/definitions/AssertionResponse"
/// },
/// "ext": {
/// "description": "Ecosystem-defined extension members per SPEC.md §4.5.1.",
/// "$ref": "#/definitions/Ext"
/// }
/// },
/// "additionalProperties": false
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Payload {
///The authId issued by the matching login/start response. Echoed verbatim.
#[serde(rename = "authId")]
pub auth_id: PayloadAuthId,
///AuthenticatorAssertionResponse as returned by `navigator.credentials.get`. Binary fields base64url-encoded.
pub credential: AssertionResponse,
///Ecosystem-defined extension members per SPEC.md §4.5.1.
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
}
///The authId issued by the matching login/start response. Echoed verbatim.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "The authId issued by the matching login/start response. Echoed verbatim.",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct PayloadAuthId(::std::string::String);
impl ::std::ops::Deref for PayloadAuthId {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<PayloadAuthId> for ::std::string::String {
fn from(value: PayloadAuthId) -> Self {
value.0
}
}
impl ::std::str::FromStr for PayloadAuthId {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for PayloadAuthId {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for PayloadAuthId {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for PayloadAuthId {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for PayloadAuthId {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/passkey/login/finish/0.1#response. For `purpose: login` the payload includes the new session + tokens; for `purpose: step-up` only the elevated session is included (the producer's existing tokens are unchanged — they now carry a higher acr at the next token introspection).
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "Response",
/// "description": "Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/passkey/login/finish/0.1#response. For `purpose: login` the payload includes the new session + tokens; for `purpose: step-up` only the elevated session is included (the producer's existing tokens are unchanged — they now carry a higher acr at the next token introspection).",
/// "type": "object",
/// "required": [
/// "purpose",
/// "session"
/// ],
/// "properties": {
/// "ext": {
/// "$ref": "#/definitions/Ext"
/// },
/// "purpose": {
/// "type": "string",
/// "enum": [
/// "login",
/// "stepUp"
/// ]
/// },
/// "session": {
/// "$ref": "#/definitions/Session"
/// },
/// "tokens": {
/// "description": "Present when `purpose: login` (a new session). Absent for `stepUp` — the producer's existing tokens remain valid and now carry the elevated acr.",
/// "$ref": "#/definitions/TokenBundle"
/// }
/// },
/// "additionalProperties": false,
/// "$anchor": "response"
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Response {
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
pub purpose: ResponsePurpose,
pub session: Session,
///Present when `purpose: login` (a new session). Absent for `stepUp` — the producer's existing tokens remain valid and now carry the elevated acr.
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub tokens: ::std::option::Option<TokenBundle>,
}
///`ResponsePurpose`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "string",
/// "enum": [
/// "login",
/// "stepUp"
/// ]
///}
/// ```
/// </details>
#[derive(
::serde::Deserialize,
::serde::Serialize,
Clone,
Copy,
Debug,
Eq,
Hash,
Ord,
PartialEq,
PartialOrd,
)]
pub enum ResponsePurpose {
#[serde(rename = "login")]
Login,
#[serde(rename = "stepUp")]
StepUp,
}
impl ::std::fmt::Display for ResponsePurpose {
fn fmt(&self, f: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
match *self {
Self::Login => f.write_str("login"),
Self::StepUp => f.write_str("stepUp"),
}
}
}
impl ::std::str::FromStr for ResponsePurpose {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
match value {
"login" => Ok(Self::Login),
"stepUp" => Ok(Self::StepUp),
_ => Err("invalid value".into()),
}
}
}
impl ::std::convert::TryFrom<&str> for ResponsePurpose {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for ResponsePurpose {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for ResponsePurpose {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
///A logical authentication context bound to a subject. Producers and consumers exchange Session-shaped data in challenge issuance, authentication responses, and introspection (whoami).
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "Session",
/// "description": "A logical authentication context bound to a subject. Producers and consumers exchange Session-shaped data in challenge issuance, authentication responses, and introspection (whoami).",
/// "type": "object",
/// "required": [
/// "expiresAt",
/// "id",
/// "issuedAt",
/// "subject"
/// ],
/// "properties": {
/// "acr": {
/// "description": "Authentication Context Class Reference per [OIDC Core §2]. Profiles define their own values; the recommended set is \"aal1\" (single-factor DID auth), \"aal2\" (a second possession-or-biometric factor confirmed), and \"aal3\" (hardware-bound second factor).",
/// "type": "string"
/// },
/// "amr": {
/// "description": "Authentication Methods References per [RFC 8176]. Typical values: \"did\" (challenge-response), \"passkey\" (WebAuthn), \"vta\" (verifiable-trust agent approval). Multi-factor sessions list every method used.",
/// "type": "array",
/// "items": {
/// "type": "string",
/// "minLength": 1
/// },
/// "minItems": 1
/// },
/// "expiresAt": {
/// "description": "ISO-8601 timestamp when the session ceases to be valid. Producers SHOULD refresh before this time; consumers MUST reject after.",
/// "type": "string",
/// "format": "date-time"
/// },
/// "ext": {
/// "description": "Ecosystem-defined extension members per SPEC.md §4.5.1.",
/// "$ref": "#/definitions/Ext"
/// },
/// "id": {
/// "description": "Opaque, server-chosen session identifier. Stable for the lifetime of the session. Consumers MUST treat the value as opaque; no structure is implied.",
/// "type": "string",
/// "minLength": 1
/// },
/// "issuedAt": {
/// "description": "ISO-8601 timestamp when the session was created.",
/// "type": "string",
/// "format": "date-time"
/// },
/// "subject": {
/// "description": "The authenticated party's VID (typically a DID URL).",
/// "type": "string",
/// "minLength": 1
/// }
/// },
/// "additionalProperties": false,
/// "$anchor": "session"
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct Session {
///Authentication Context Class Reference per [OIDC Core §2]. Profiles define their own values; the recommended set is "aal1" (single-factor DID auth), "aal2" (a second possession-or-biometric factor confirmed), and "aal3" (hardware-bound second factor).
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub acr: ::std::option::Option<::std::string::String>,
///Authentication Methods References per [RFC 8176]. Typical values: "did" (challenge-response), "passkey" (WebAuthn), "vta" (verifiable-trust agent approval). Multi-factor sessions list every method used.
#[serde(default, skip_serializing_if = "::std::vec::Vec::is_empty")]
pub amr: ::std::vec::Vec<SessionAmrItem>,
///ISO-8601 timestamp when the session ceases to be valid. Producers SHOULD refresh before this time; consumers MUST reject after.
#[serde(rename = "expiresAt")]
pub expires_at: ::chrono::DateTime<::chrono::offset::Utc>,
///Ecosystem-defined extension members per SPEC.md §4.5.1.
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
///Opaque, server-chosen session identifier. Stable for the lifetime of the session. Consumers MUST treat the value as opaque; no structure is implied.
pub id: SessionId,
///ISO-8601 timestamp when the session was created.
#[serde(rename = "issuedAt")]
pub issued_at: ::chrono::DateTime<::chrono::offset::Utc>,
///The authenticated party's VID (typically a DID URL).
pub subject: SessionSubject,
}
///`SessionAmrItem`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct SessionAmrItem(::std::string::String);
impl ::std::ops::Deref for SessionAmrItem {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<SessionAmrItem> for ::std::string::String {
fn from(value: SessionAmrItem) -> Self {
value.0
}
}
impl ::std::str::FromStr for SessionAmrItem {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for SessionAmrItem {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for SessionAmrItem {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for SessionAmrItem {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for SessionAmrItem {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///Opaque, server-chosen session identifier. Stable for the lifetime of the session. Consumers MUST treat the value as opaque; no structure is implied.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "Opaque, server-chosen session identifier. Stable for the lifetime of the session. Consumers MUST treat the value as opaque; no structure is implied.",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct SessionId(::std::string::String);
impl ::std::ops::Deref for SessionId {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<SessionId> for ::std::string::String {
fn from(value: SessionId) -> Self {
value.0
}
}
impl ::std::str::FromStr for SessionId {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for SessionId {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for SessionId {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for SessionId {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for SessionId {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///The authenticated party's VID (typically a DID URL).
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "The authenticated party's VID (typically a DID URL).",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct SessionSubject(::std::string::String);
impl ::std::ops::Deref for SessionSubject {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<SessionSubject> for ::std::string::String {
fn from(value: SessionSubject) -> Self {
value.0
}
}
impl ::std::str::FromStr for SessionSubject {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for SessionSubject {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for SessionSubject {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for SessionSubject {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for SessionSubject {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///An access token (typically short-lived JWT) paired with an optional refresh token (typically long-lived opaque string). The shapes follow OAuth 2.0 (RFC 6749 §5.1) conventions but are not coupled to any particular OAuth profile.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "title": "TokenBundle",
/// "description": "An access token (typically short-lived JWT) paired with an optional refresh token (typically long-lived opaque string). The shapes follow OAuth 2.0 (RFC 6749 §5.1) conventions but are not coupled to any particular OAuth profile.",
/// "type": "object",
/// "required": [
/// "accessToken",
/// "expiresIn",
/// "tokenType"
/// ],
/// "properties": {
/// "accessToken": {
/// "description": "Bearer-style access token. Consumers presenting this token to downstream services prove the holder of the original session. Format is consumer-defined — JWT is common, but opaque strings are also valid.",
/// "type": "string",
/// "minLength": 1
/// },
/// "expiresIn": {
/// "description": "Seconds from issuance until the access token expires.",
/// "type": "integer",
/// "minimum": 1.0
/// },
/// "ext": {
/// "description": "Ecosystem-defined extension members per SPEC.md §4.5.1.",
/// "$ref": "#/definitions/Ext"
/// },
/// "refreshExpiresIn": {
/// "description": "Seconds from issuance until the refresh token expires, when one was issued.",
/// "type": "integer",
/// "minimum": 1.0
/// },
/// "refreshToken": {
/// "description": "Long-lived token redeemable via auth/refresh for a new access token. MAY be absent when the issuer does not support refresh.",
/// "type": "string",
/// "minLength": 1
/// },
/// "scope": {
/// "description": "Capability tags effective on this token. Format is consumer-defined; the framework imposes no syntax.",
/// "type": "array",
/// "items": {
/// "type": "string",
/// "minLength": 1
/// }
/// },
/// "tokenType": {
/// "description": "Token presentation scheme. Almost always \"Bearer\"; reserved for future schemes.",
/// "type": "string",
/// "minLength": 1
/// }
/// },
/// "additionalProperties": false,
/// "$anchor": "tokenBundle"
///}
/// ```
/// </details>
#[derive(::serde::Deserialize, ::serde::Serialize, Clone, Debug)]
#[serde(deny_unknown_fields)]
pub struct TokenBundle {
///Bearer-style access token. Consumers presenting this token to downstream services prove the holder of the original session. Format is consumer-defined — JWT is common, but opaque strings are also valid.
#[serde(rename = "accessToken")]
pub access_token: TokenBundleAccessToken,
///Seconds from issuance until the access token expires.
#[serde(rename = "expiresIn")]
pub expires_in: ::std::num::NonZeroU64,
///Ecosystem-defined extension members per SPEC.md §4.5.1.
#[serde(default, skip_serializing_if = "::std::option::Option::is_none")]
pub ext: ::std::option::Option<Ext>,
///Seconds from issuance until the refresh token expires, when one was issued.
#[serde(
rename = "refreshExpiresIn",
default,
skip_serializing_if = "::std::option::Option::is_none"
)]
pub refresh_expires_in: ::std::option::Option<::std::num::NonZeroU64>,
///Long-lived token redeemable via auth/refresh for a new access token. MAY be absent when the issuer does not support refresh.
#[serde(
rename = "refreshToken",
default,
skip_serializing_if = "::std::option::Option::is_none"
)]
pub refresh_token: ::std::option::Option<TokenBundleRefreshToken>,
///Capability tags effective on this token. Format is consumer-defined; the framework imposes no syntax.
#[serde(default, skip_serializing_if = "::std::vec::Vec::is_empty")]
pub scope: ::std::vec::Vec<TokenBundleScopeItem>,
///Token presentation scheme. Almost always "Bearer"; reserved for future schemes.
#[serde(rename = "tokenType")]
pub token_type: TokenBundleTokenType,
}
///Bearer-style access token. Consumers presenting this token to downstream services prove the holder of the original session. Format is consumer-defined — JWT is common, but opaque strings are also valid.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "Bearer-style access token. Consumers presenting this token to downstream services prove the holder of the original session. Format is consumer-defined — JWT is common, but opaque strings are also valid.",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct TokenBundleAccessToken(::std::string::String);
impl ::std::ops::Deref for TokenBundleAccessToken {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<TokenBundleAccessToken> for ::std::string::String {
fn from(value: TokenBundleAccessToken) -> Self {
value.0
}
}
impl ::std::str::FromStr for TokenBundleAccessToken {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for TokenBundleAccessToken {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for TokenBundleAccessToken {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for TokenBundleAccessToken {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for TokenBundleAccessToken {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///Long-lived token redeemable via auth/refresh for a new access token. MAY be absent when the issuer does not support refresh.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "Long-lived token redeemable via auth/refresh for a new access token. MAY be absent when the issuer does not support refresh.",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct TokenBundleRefreshToken(::std::string::String);
impl ::std::ops::Deref for TokenBundleRefreshToken {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<TokenBundleRefreshToken> for ::std::string::String {
fn from(value: TokenBundleRefreshToken) -> Self {
value.0
}
}
impl ::std::str::FromStr for TokenBundleRefreshToken {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for TokenBundleRefreshToken {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for TokenBundleRefreshToken {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for TokenBundleRefreshToken {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for TokenBundleRefreshToken {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///`TokenBundleScopeItem`
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct TokenBundleScopeItem(::std::string::String);
impl ::std::ops::Deref for TokenBundleScopeItem {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<TokenBundleScopeItem> for ::std::string::String {
fn from(value: TokenBundleScopeItem) -> Self {
value.0
}
}
impl ::std::str::FromStr for TokenBundleScopeItem {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for TokenBundleScopeItem {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for TokenBundleScopeItem {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for TokenBundleScopeItem {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for TokenBundleScopeItem {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
///Token presentation scheme. Almost always "Bearer"; reserved for future schemes.
///
/// <details><summary>JSON schema</summary>
///
/// ```json
///{
/// "description": "Token presentation scheme. Almost always \"Bearer\"; reserved for future schemes.",
/// "type": "string",
/// "minLength": 1
///}
/// ```
/// </details>
#[derive(::serde::Serialize, Clone, Debug, Eq, Hash, Ord, PartialEq, PartialOrd)]
#[serde(transparent)]
pub struct TokenBundleTokenType(::std::string::String);
impl ::std::ops::Deref for TokenBundleTokenType {
type Target = ::std::string::String;
fn deref(&self) -> &::std::string::String {
&self.0
}
}
impl ::std::convert::From<TokenBundleTokenType> for ::std::string::String {
fn from(value: TokenBundleTokenType) -> Self {
value.0
}
}
impl ::std::str::FromStr for TokenBundleTokenType {
type Err = self::error::ConversionError;
fn from_str(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
if value.chars().count() < 1usize {
return Err("shorter than 1 characters".into());
}
Ok(Self(value.to_string()))
}
}
impl ::std::convert::TryFrom<&str> for TokenBundleTokenType {
type Error = self::error::ConversionError;
fn try_from(value: &str) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<&::std::string::String> for TokenBundleTokenType {
type Error = self::error::ConversionError;
fn try_from(
value: &::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl ::std::convert::TryFrom<::std::string::String> for TokenBundleTokenType {
type Error = self::error::ConversionError;
fn try_from(
value: ::std::string::String,
) -> ::std::result::Result<Self, self::error::ConversionError> {
value.parse()
}
}
impl<'de> ::serde::Deserialize<'de> for TokenBundleTokenType {
fn deserialize<D>(deserializer: D) -> ::std::result::Result<Self, D::Error>
where
D: ::serde::Deserializer<'de>,
{
::std::string::String::deserialize(deserializer)?
.parse()
.map_err(|e: self::error::ConversionError| {
<D::Error as ::serde::de::Error>::custom(e.to_string())
})
}
}
impl crate::Payload for Payload {
const TYPE_URI: &'static str = "https://trusttasks.org/spec/auth/passkey/login/finish/0.2";
const IS_RECIPIENT_REQUIRED: bool = true;
}
impl crate::Payload for Response {
const TYPE_URI: &'static str =
"https://trusttasks.org/spec/auth/passkey/login/finish/0.2#response";
const IS_RECIPIENT_REQUIRED: bool = true;
}
#[cfg(feature = "validate")]
impl crate::validate::ValidatedPayload for Payload {
const SCHEMA_JSON: &'static str = "{\n \"$defs\": {\n \"AssertionResponse\": {\n \"$anchor\": \"assertionResponse\",\n \"additionalProperties\": false,\n \"description\": \"The credential the client returns from `navigator.credentials.get`. Binary fields are base64url-encoded.\",\n \"properties\": {\n \"authenticatorAttachment\": {\n \"enum\": [\n \"platform\",\n \"cross-platform\"\n ]\n },\n \"clientExtensionResults\": {\n \"type\": \"object\"\n },\n \"id\": {\n \"type\": \"string\"\n },\n \"rawId\": {\n \"type\": \"string\"\n },\n \"response\": {\n \"additionalProperties\": false,\n \"properties\": {\n \"authenticatorData\": {\n \"type\": \"string\"\n },\n \"clientDataJSON\": {\n \"type\": \"string\"\n },\n \"signature\": {\n \"type\": \"string\"\n },\n \"userHandle\": {\n \"type\": [\n \"string\",\n \"null\"\n ]\n }\n },\n \"required\": [\n \"clientDataJSON\",\n \"authenticatorData\",\n \"signature\"\n ],\n \"type\": \"object\"\n },\n \"type\": {\n \"const\": \"public-key\"\n }\n },\n \"required\": [\n \"id\",\n \"rawId\",\n \"type\",\n \"response\"\n ],\n \"title\": \"AuthenticatorAssertionResponse (login)\",\n \"type\": \"object\"\n },\n \"Ext\": {\n \"additionalProperties\": true,\n \"description\": \"Vendor-namespaced extension object per SPEC.md §4.5.1. Each immediate key MUST be a reverse-DNS namespace; structure under each namespace is opaque to the framework.\",\n \"minProperties\": 1,\n \"propertyNames\": {\n \"pattern\": \"^[a-z][a-z0-9-]*(\\\\.[a-z0-9-]+)+$\"\n },\n \"title\": \"Ext\",\n \"type\": \"object\"\n },\n \"Response\": {\n \"$anchor\": \"response\",\n \"additionalProperties\": false,\n \"description\": \"Carried in a Trust Task document whose type is https://trusttasks.org/spec/auth/passkey/login/finish/0.1#response. For `purpose: login` the payload includes the new session + tokens; for `purpose: step-up` only the elevated session is included (the producer's existing tokens are unchanged — they now carry a higher acr at the next token introspection).\",\n \"properties\": {\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\"\n },\n \"purpose\": {\n \"enum\": [\n \"login\",\n \"stepUp\"\n ],\n \"type\": \"string\"\n },\n \"session\": {\n \"$ref\": \"#/$defs/Session\"\n },\n \"tokens\": {\n \"$ref\": \"#/$defs/TokenBundle\",\n \"description\": \"Present when `purpose: login` (a new session). Absent for `stepUp` — the producer's existing tokens remain valid and now carry the elevated acr.\"\n }\n },\n \"required\": [\n \"session\",\n \"purpose\"\n ],\n \"title\": \"Auth Passkey Login Finish — response payload\",\n \"type\": \"object\"\n },\n \"Session\": {\n \"$anchor\": \"session\",\n \"additionalProperties\": false,\n \"description\": \"A logical authentication context bound to a subject. Producers and consumers exchange Session-shaped data in challenge issuance, authentication responses, and introspection (whoami).\",\n \"properties\": {\n \"acr\": {\n \"description\": \"Authentication Context Class Reference per [OIDC Core §2]. Profiles define their own values; the recommended set is \\\"aal1\\\" (single-factor DID auth), \\\"aal2\\\" (a second possession-or-biometric factor confirmed), and \\\"aal3\\\" (hardware-bound second factor).\",\n \"type\": \"string\"\n },\n \"amr\": {\n \"description\": \"Authentication Methods References per [RFC 8176]. Typical values: \\\"did\\\" (challenge-response), \\\"passkey\\\" (WebAuthn), \\\"vta\\\" (verifiable-trust agent approval). Multi-factor sessions list every method used.\",\n \"items\": {\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"minItems\": 1,\n \"type\": \"array\"\n },\n \"expiresAt\": {\n \"description\": \"ISO-8601 timestamp when the session ceases to be valid. Producers SHOULD refresh before this time; consumers MUST reject after.\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\",\n \"description\": \"Ecosystem-defined extension members per SPEC.md §4.5.1.\"\n },\n \"id\": {\n \"description\": \"Opaque, server-chosen session identifier. Stable for the lifetime of the session. Consumers MUST treat the value as opaque; no structure is implied.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"issuedAt\": {\n \"description\": \"ISO-8601 timestamp when the session was created.\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"subject\": {\n \"description\": \"The authenticated party's VID (typically a DID URL).\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"id\",\n \"subject\",\n \"issuedAt\",\n \"expiresAt\"\n ],\n \"title\": \"Session\",\n \"type\": \"object\"\n },\n \"TokenBundle\": {\n \"$anchor\": \"tokenBundle\",\n \"additionalProperties\": false,\n \"description\": \"An access token (typically short-lived JWT) paired with an optional refresh token (typically long-lived opaque string). The shapes follow OAuth 2.0 (RFC 6749 §5.1) conventions but are not coupled to any particular OAuth profile.\",\n \"properties\": {\n \"accessToken\": {\n \"description\": \"Bearer-style access token. Consumers presenting this token to downstream services prove the holder of the original session. Format is consumer-defined — JWT is common, but opaque strings are also valid.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"expiresIn\": {\n \"description\": \"Seconds from issuance until the access token expires.\",\n \"minimum\": 1,\n \"type\": \"integer\"\n },\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\",\n \"description\": \"Ecosystem-defined extension members per SPEC.md §4.5.1.\"\n },\n \"refreshExpiresIn\": {\n \"description\": \"Seconds from issuance until the refresh token expires, when one was issued.\",\n \"minimum\": 1,\n \"type\": \"integer\"\n },\n \"refreshToken\": {\n \"description\": \"Long-lived token redeemable via auth/refresh for a new access token. MAY be absent when the issuer does not support refresh.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"scope\": {\n \"description\": \"Capability tags effective on this token. Format is consumer-defined; the framework imposes no syntax.\",\n \"items\": {\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"tokenType\": {\n \"description\": \"Token presentation scheme. Almost always \\\"Bearer\\\"; reserved for future schemes.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"accessToken\",\n \"tokenType\",\n \"expiresIn\"\n ],\n \"title\": \"TokenBundle\",\n \"type\": \"object\"\n }\n },\n \"$id\": \"https://trusttasks.org/spec/auth/passkey/login/finish/0.2\",\n \"$schema\": \"https://json-schema.org/draft/2020-12/schema\",\n \"additionalProperties\": false,\n \"description\": \"Submit the WebAuthn assertion that completes a passkey login or step-up ceremony. On success the auth service issues a session (login) or elevates an existing session's acr (step-up).\",\n \"properties\": {\n \"authId\": {\n \"description\": \"The authId issued by the matching login/start response. Echoed verbatim.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"credential\": {\n \"$ref\": \"#/$defs/AssertionResponse\",\n \"description\": \"AuthenticatorAssertionResponse as returned by `navigator.credentials.get`. Binary fields base64url-encoded.\"\n },\n \"ext\": {\n \"$ref\": \"#/$defs/Ext\",\n \"description\": \"Ecosystem-defined extension members per SPEC.md §4.5.1.\"\n }\n },\n \"required\": [\n \"authId\",\n \"credential\"\n ],\n \"title\": \"Auth — Passkey Login (finish)\",\n \"type\": \"object\"\n}\n";
}
#[cfg(test)]
mod conformance {
//! Round-trip tests harvested from the spec's `spec.md`,
//! plus a `rejects_invalid_examples` test for any fixtures
//! in `payload.invalid-examples.json` (validate feature).
#[test]
fn response_example_1() {
const JSON: &str = "{\n \"id\": \"00000000-7777-8888-9999-aaaaaaaaaaaa\",\n \"type\": \"https://trusttasks.org/spec/auth/passkey/login/finish/0.2#response\",\n \"threadId\": \"eeeeeeee-5555-6666-7777-888888888888\",\n \"issuer\": \"did:web:auth.example\",\n \"recipient\": \"did:web:client.example\",\n \"issuedAt\": \"2026-05-23T13:00:31Z\",\n \"payload\": {\n \"purpose\": \"login\",\n \"session\": {\n \"id\": \"fa7d3c89-3f49-49b2-9d7d-2a8c0a8a7b9b\",\n \"subject\": \"did:web:alice.example\",\n \"issuedAt\": \"2026-05-23T13:00:31Z\",\n \"expiresAt\": \"2026-05-23T13:30:31Z\",\n \"amr\": [\"passkey\"],\n \"acr\": \"aal2\"\n },\n \"tokens\": {\n \"accessToken\": \"eyJhbGciOi…\",\n \"refreshToken\": \"rt_passkey_abc\",\n \"tokenType\": \"Bearer\",\n \"expiresIn\": 1800\n }\n }\n}\n";
let doc: crate::TrustTask<super::Response> =
serde_json::from_str(JSON).expect("deserialize response example");
let rendered = serde_json::to_value(&doc).expect("re-serialize");
let expected: serde_json::Value = serde_json::from_str(JSON).expect("re-parse expected");
assert_eq!(rendered, expected, "response example failed round-trip");
}
#[test]
fn response_example_2() {
const JSON: &str = "{\n \"id\": \"11111100-8888-9999-aaaa-bbbbbbbbbbbb\",\n \"type\": \"https://trusttasks.org/spec/auth/passkey/login/finish/0.2#response\",\n \"threadId\": \"ffffffff-6666-7777-8888-999999999999\",\n \"issuer\": \"did:web:auth.example\",\n \"recipient\": \"did:web:alice.example\",\n \"issuedAt\": \"2026-05-23T13:00:31Z\",\n \"payload\": {\n \"purpose\": \"stepUp\",\n \"session\": {\n \"id\": \"ec5d3c89-3f49-49b2-9d7d-2a8c0a8a7b9b\",\n \"subject\": \"did:web:alice.example\",\n \"issuedAt\": \"2026-05-23T10:00:31Z\",\n \"expiresAt\": \"2026-05-23T13:30:31Z\",\n \"amr\": [\"did\", \"passkey\"],\n \"acr\": \"aal2\"\n }\n }\n}\n";
let doc: crate::TrustTask<super::Response> =
serde_json::from_str(JSON).expect("deserialize response example");
let rendered = serde_json::to_value(&doc).expect("re-serialize");
let expected: serde_json::Value = serde_json::from_str(JSON).expect("re-parse expected");
assert_eq!(rendered, expected, "response example failed round-trip");
}
/// Each fixture in `payload.invalid-examples.json` MUST be
/// rejected by at least one of: serde deserialization, or
/// JSON-Schema validation under the `validate` feature. The
/// fixture file documents the producer-side bug class that
/// each payload exemplifies; this generated test pins it.
#[cfg(feature = "validate")]
#[test]
fn rejects_invalid_examples() {
use crate::validate::ValidatedPayload;
let fixtures: &[(&str, &str)] = &[
(
"Missing required authId.",
"{\n \"credential\": {\n \"id\": \"x\",\n \"rawId\": \"x\",\n \"response\": {\n \"authenticatorData\": \"x\",\n \"clientDataJSON\": \"x\",\n \"signature\": \"x\"\n },\n \"type\": \"public-key\"\n }\n}",
),
(
"Missing required credential.",
"{\n \"authId\": \"auth_3c4d5e6f7890abcd\"\n}",
),
(
"credential.response missing required signature.",
"{\n \"authId\": \"auth_3c4d5e6f7890abcd\",\n \"credential\": {\n \"id\": \"x\",\n \"rawId\": \"x\",\n \"response\": {\n \"authenticatorData\": \"x\",\n \"clientDataJSON\": \"x\"\n },\n \"type\": \"public-key\"\n }\n}",
),
];
for (i, (note, raw)) in fixtures.iter().enumerate() {
let value: serde_json::Value = match serde_json::from_str(raw) {
Ok(v) => v,
Err(_) => continue,
};
let serde_ok = serde_json::from_value::<super::Payload>(value.clone()).is_ok();
let schema_ok = super::Payload::validate_value(&value).is_ok();
assert!(
!(serde_ok && schema_ok),
"invalid-example #{} ({:?}) was accepted by both serde and JSON Schema; \
the fixture's stated failure class is no longer caught:\n{}",
i + 1,
note,
raw
);
}
}
}