turul-a2a-auth 0.1.17

Auth middleware for turul-a2a: Bearer/JWT and API Key
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109

//! Bearer/JWT auth middleware.

use std::sync::Arc;

use async_trait::async_trait;
use turul_a2a::middleware::{
    A2aMiddleware, AuthFailureKind, AuthIdentity, MiddlewareError, RequestContext,
    SecurityContribution,
};
use turul_jwt_validator::JwtValidator;

/// Bearer token auth middleware using JWT validation.
///
/// Extracts owner from a configurable JWT claim (default: "sub").
/// Rejects empty/missing principals.
pub struct BearerMiddleware {
    validator: Arc<JwtValidator>,
    /// JWT claim to extract as owner (default: "sub")
    principal_claim: String,
    /// Required scopes (empty = no scope requirement)
    required_scopes: Vec<String>,
}

impl BearerMiddleware {
    pub fn new(validator: Arc<JwtValidator>) -> Self {
        Self {
            validator,
            principal_claim: "sub".into(),
            required_scopes: vec![],
        }
    }

    pub fn with_principal_claim(mut self, claim: impl Into<String>) -> Self {
        self.principal_claim = claim.into();
        self
    }

    pub fn with_required_scopes(mut self, scopes: Vec<String>) -> Self {
        self.required_scopes = scopes;
        self
    }
}

#[async_trait]
impl A2aMiddleware for BearerMiddleware {
    async fn before_request(&self, ctx: &mut RequestContext) -> Result<(), MiddlewareError> {
        let token = ctx
            .bearer_token
            .as_deref()
            .ok_or(MiddlewareError::HttpChallenge(
                AuthFailureKind::MissingCredential,
            ))?;

        // every validator failure collapses to `InvalidToken`.
        // The original validator error is intentionally discarded — leaking
        // it through `error_description` would expose JWKS URLs, jsonwebtoken
        // internals, or token fragments on the public response header.
        let claims = self
            .validator
            .validate(token)
            .await
            .map_err(|_| MiddlewareError::HttpChallenge(AuthFailureKind::InvalidToken))?;

        // Extract principal from configured claim
        let owner = if self.principal_claim == "sub" {
            claims.sub.clone()
        } else {
            claims
                .extra
                .get(&self.principal_claim)
                .and_then(|v| v.as_str())
                .unwrap_or("")
                .to_string()
        };

        // Reject empty/whitespace principal
        if owner.trim().is_empty() {
            return Err(MiddlewareError::Unauthenticated(
                AuthFailureKind::EmptyPrincipal,
            ));
        }

        let claims_json = serde_json::to_value(&claims).ok();

        ctx.identity = AuthIdentity::Authenticated {
            owner,
            claims: claims_json,
        };
        Ok(())
    }

    fn security_contribution(&self) -> SecurityContribution {
        SecurityContribution::new().with_scheme(
            "bearer",
            turul_a2a_proto::SecurityScheme {
                scheme: Some(
                    turul_a2a_proto::security_scheme::Scheme::HttpAuthSecurityScheme(
                        turul_a2a_proto::HttpAuthSecurityScheme {
                            description: String::new(),
                            scheme: "Bearer".into(),
                            bearer_format: "JWT".into(),
                        },
                    ),
                ),
            },
            self.required_scopes.clone(),
        )
    }
}