Module auth

Authentication gates: HTTP Basic, static API-key / bearer-token, and JWT (HS*/RS*/ES*/PS* with either a static key or a fetched, cached JWKS).

Every proxied request passes through exactly one AuthEngine (selected by auth.mode). The engine returns a Decision carrying, on success, an optional principal — the authenticated identity (Basic username, API-key id, or JWT sub) that the per-key rate limiter keys on. The internal /__edgeguard/* endpoints never reach the engine; they are separate routes outside the proxy fallback.

Structs

JwtValidator
Verifies bearer JWTs against a configured key source, enforcing the configured algorithm, issuer, audience, and expiry/leeway. The token’s own alg header is never trusted to pick the algorithm — Validation is pinned to the single configured algorithm, closing the alg=none/HS-vs-RS confusion class of attacks.
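The pinning described above can be shown without any crypto crate: the checks a validator runs before it ever touches a signature. The block below is an added example, not edgeguard's JwtValidator; the names PinnedValidator, Reject, pre_check, json_field and make_unsigned_token are assumptions, the base64url codec and the flat-JSON field extractor are std-only stand-ins, and signature verification for the configured algorithm is the step a caller adds after pre_check returns the claims. The token's alg header is read only to be compared with the single configured algorithm; any other value, including none, is rejected before the payload is even decoded, and exp/nbf are then enforced with the configured leeway.

```rust
// Added example, not edgeguard's code. Assumed names: PinnedValidator, Reject,
// pre_check, json_field, make_unsigned_token. std-only: signature verification
// (HMAC/RSA/ECDSA) is the step the caller performs after pre_check succeeds.

/// Unpadded base64url (RFC 4648 section 5) encoder, used here to build test tokens.
fn b64url_encode(data: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
    let mut out = String::new();
    for chunk in data.chunks(3) {
        let n = chunk.len();
        let b = (chunk[0] as u32) << 16
            | (if n > 1 { chunk[1] as u32 } else { 0 }) << 8
            | (if n > 2 { chunk[2] as u32 } else { 0 });
        out.push(T[(b >> 18) as usize & 63] as char);
        out.push(T[(b >> 12) as usize & 63] as char);
        if n > 1 { out.push(T[(b >> 6) as usize & 63] as char); }
        if n > 2 { out.push(T[b as usize & 63] as char); }
    }
    out
}

/// Unpadded base64url decoder; any other character makes the part malformed.
fn b64url_decode(s: &str) -> Option<Vec<u8>> {
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None,
        };
        buf = (buf << 6) | v as u32;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((buf >> bits) as u8);
            buf &= (1 << bits) - 1; // keep only the not-yet-emitted low bits
        }
    }
    Some(out)
}

/// Raw value text after `"key":` in a flat JSON object (enough for a JOSE header
/// and simple claims; not a general JSON parser).
fn json_field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{}\"", key);
    let at = json.find(&needle)? + needle.len();
    let rest = json[at..].trim_start().strip_prefix(':')?.trim_start();
    let end = rest.find(|c: char| c == ',' || c == '}').unwrap_or(rest.len());
    Some(rest[..end].trim().trim_matches('"'))
}

fn decode_part(s: &str) -> Result<String, Reject> {
    String::from_utf8(b64url_decode(s).ok_or(Reject::Malformed)?).map_err(|_| Reject::Malformed)
}

#[derive(Debug, PartialEq)]
enum Reject { Malformed, AlgMismatch(String), MissingExp, Expired, NotYetValid }

/// One configured algorithm; the token header never gets to choose it.
struct PinnedValidator { alg: &'static str, leeway_secs: i64 }

impl PinnedValidator {
    /// Header and time checks. Returns the claims JSON; the caller then verifies
    /// the signature with the key material that matches `self.alg`.
    fn pre_check(&self, token: &str, now: i64) -> Result<String, Reject> {
        let mut parts = token.splitn(3, '.');
        let (h, p) = match (parts.next(), parts.next(), parts.next()) {
            (Some(h), Some(p), Some(_sig)) => (h, p),
            _ => return Err(Reject::Malformed),
        };
        let header = decode_part(h)?;
        let alg = json_field(&header, "alg").ok_or(Reject::Malformed)?;
        if alg != self.alg {
            return Err(Reject::AlgMismatch(alg.to_string())); // covers "none" too
        }
        let claims = decode_part(p)?;
        let exp: i64 = json_field(&claims, "exp").and_then(|s| s.parse().ok()).ok_or(Reject::MissingExp)?;
        if now > exp + self.leeway_secs { return Err(Reject::Expired); }
        if let Some(nbf) = json_field(&claims, "nbf").and_then(|s| s.parse::<i64>().ok()) {
            if now + self.leeway_secs < nbf { return Err(Reject::NotYetValid); }
        }
        Ok(claims)
    }
}

/// Builds a token with an empty signature part, for exercising the checks above.
fn make_unsigned_token(header: &str, claims: &str) -> String {
    format!("{}.{}.", b64url_encode(header.as_bytes()), b64url_encode(claims.as_bytes()))
}

fn main() {
    let v = PinnedValidator { alg: "RS256", leeway_secs: 60 };
    let t = make_unsigned_token(r#"{"alg":"none","typ":"JWT"}"#, r#"{"sub":"alice","exp":1700000030}"#);
    println!("{:?}", v.pre_check(&t, 1_700_000_000)); // Err(AlgMismatch("none"))
}
```

Because the comparison is against a fixed string from configuration, a validator built this way has no code path in which a header value selects HMAC when RSA was configured; the only decision left to the token is whether it matches.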

Enums

AuthEngine
Per-request authentication engine, built once from AuthCfg and held in the hot-swappable runtime.
Challenge
What to put in the WWW-Authenticate header of a 401.
Decision
The outcome of an authentication attempt.

Functions

check_basic_auth
Verify HTTP Basic credentials against the configured users. A stored value beginning with $argon2 is verified as a PHC hash; otherwise it is compared as plaintext (dev mode).
hash_password
Hash a password into an Argon2id PHC string suitable for an auth.users value. Used by the --hash CLI helper so operators can produce a hash without a separate argon2 tool.
verify_api_key
Check a request against the set of accepted API keys. A key may be presented either as Authorization: Bearer <key> or in the configured header (default X-API-Key). Returns the principal (a stable, non-reversible id derived from the matched key) on success. The comparison is constant-time and scans all keys so timing doesn’t reveal which key — if any — matched.
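The constant-time, scan-every-key behaviour described for verify_api_key, as an added example that is not edgeguard's own code. The names ct_eq, principal_id, presented_key and verify_api_key are assumptions, the headers are passed as a constructed list of name/value pairs, and the principal id uses a stand-in FNV-1a digest (the digest the project actually uses is not shown on this page). The scan never breaks out of the loop on a match, so the time taken does not depend on which key, if any, matched.

```rust
// Added example, not edgeguard's code. Assumed names: ct_eq, principal_id,
// presented_key, verify_api_key. The principal digest is a stand-in FNV-1a.

/// Equality whose running time depends on the presented length only, not on
/// where the first differing byte sits. A length mismatch is folded into
/// `diff` rather than returned early; the presented bytes are always walked in full.
fn ct_eq(presented: &[u8], stored: &[u8]) -> bool {
    let mut diff = (presented.len() != stored.len()) as u8;
    for (i, x) in presented.iter().enumerate() {
        let y = stored.get(i).copied().unwrap_or(0);
        diff |= x ^ y;
    }
    diff == 0
}

/// Stable, non-reversible id for a key: FNV-1a 64-bit as a stand-in digest,
/// so logs and rate-limit buckets never carry the key itself.
fn principal_id(key: &[u8]) -> String {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for b in key {
        h ^= *b as u64;
        h = h.wrapping_mul(0x0000_0100_0000_01b3);
    }
    format!("key-{:016x}", h)
}

/// The key as presented: `Authorization: Bearer <key>` wins; otherwise the
/// configured header (default `X-API-Key`). Header names are matched
/// case-insensitively, as HTTP requires.
fn presented_key<'a>(headers: &'a [(&'a str, &'a str)], key_header: &str) -> Option<&'a str> {
    let mut from_header = None;
    for (name, value) in headers {
        if name.eq_ignore_ascii_case("authorization") {
            if let Some((scheme, rest)) = value.split_once(' ') {
                if scheme.eq_ignore_ascii_case("bearer") {
                    return Some(rest.trim());
                }
            }
        } else if name.eq_ignore_ascii_case(key_header) {
            from_header = Some(value.trim());
        }
    }
    from_header
}

/// Compares the presented key against every accepted key, never stopping
/// early, and returns the principal id of the one that matched.
fn verify_api_key(headers: &[(&str, &str)], key_header: &str, accepted: &[&str]) -> Option<String> {
    let presented = presented_key(headers, key_header)?;
    let mut matched: Option<&str> = None;
    for &k in accepted {
        // Every key is compared; a hit only records the match and keeps scanning.
        if ct_eq(presented.as_bytes(), k.as_bytes()) {
            matched = Some(k);
        }
    }
    matched.map(|k| principal_id(k.as_bytes()))
}

fn main() {
    // Constructed sample configuration and request headers.
    let accepted = ["alpha-key-0001", "bravo-key-0002"];
    let headers = [("Authorization", "Bearer bravo-key-0002")];
    println!("{:?}", verify_api_key(&headers, "X-API-Key", &accepted));
}
```

The principal returned is what the per-key rate limiter keys on, so it must be the same on every request for the same key and must not let anyone holding the id recover the key; a keyed or cryptographic digest is the right choice in production, the FNV here only stands in for it.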