Struct AuthorizationVerifier 

pub struct AuthorizationVerifier { /* private fields */ }

Builder for verifying Hessra authorization tokens with flexible configuration.

This builder allows you to configure various verification parameters including optional domain restrictions and service chain attestation.

Example

use hessra_token_authz::{AuthorizationVerifier, ServiceNode, create_token};
use hessra_token_core::KeyPair;

// Create a token
let keypair = KeyPair::new();
let public_key = keypair.public();
let token = create_token(
    "user123".to_string(),
    "resource456".to_string(),
    "read".to_string(),
    keypair,
)?;

// Basic authorization verification
AuthorizationVerifier::new(
    token.clone(),
    public_key,
    "user123".to_string(),
    "resource456".to_string(),
    "read".to_string(),
)
.verify()?;

// With domain restriction
AuthorizationVerifier::new(
    token.clone(),
    public_key,
    "user123".to_string(),
    "resource456".to_string(),
    "read".to_string(),
)
.with_domain("example.com".to_string())
.verify()?;

// With service chain attestation
let service_nodes = vec![
    ServiceNode {
        component: "api-gateway".to_string(),
        public_key: "ed25519/abcd1234...".to_string(),
    }
];
AuthorizationVerifier::new(
    token,
    public_key,
    "user123".to_string(),
    "resource456".to_string(),
    "read".to_string(),
)
.with_service_chain(service_nodes, Some("api-gateway".to_string()))
.verify()?;

Implementations

impl AuthorizationVerifier

pub fn new( token: String, public_key: PublicKey, subject: String, resource: String, operation: String, ) -> AuthorizationVerifier

Creates a new authorization verifier for a base64-encoded token.

Arguments

• token - The base64-encoded authorization token to verify
• public_key - The public key used to verify the token signature
• subject - The subject (user) identifier to verify authorization for
• resource - The resource identifier to verify authorization against
• operation - The operation to verify authorization for

pub fn from_bytes( token: Vec<u8>, public_key: PublicKey, subject: String, resource: String, operation: String, ) -> Result<AuthorizationVerifier, TokenError>

Creates a new authorization verifier from raw token bytes.

Arguments

• token - The raw binary Biscuit token bytes
• public_key - The public key used to verify the token signature
• subject - The subject (user) identifier to verify authorization for
• resource - The resource identifier to verify authorization against
• operation - The operation to verify authorization for

pub fn new_capability( token: String, public_key: PublicKey, resource: String, operation: String, ) -> AuthorizationVerifier

Creates a new capability-based verifier (no subject required).

This verifier will accept any token that grants the specified capability (resource + operation), regardless of the subject. The subject is derived from the token’s rights instead of being provided explicitly.

Arguments

• token - The base64-encoded authorization token to verify
• public_key - The public key used to verify the token signature
• resource - The resource identifier to verify authorization against
• operation - The operation to verify authorization for

pub fn from_bytes_capability( token: Vec<u8>, public_key: PublicKey, resource: String, operation: String, ) -> Result<AuthorizationVerifier, TokenError>

Creates a new capability-based verifier from raw token bytes.

This is the binary token version of new_capability. It accepts any token that grants the specified capability (resource + operation), regardless of the subject.

Arguments

• token - The raw binary Biscuit token bytes
• public_key - The public key used to verify the token signature
• resource - The resource identifier to verify authorization against
• operation - The operation to verify authorization for

pub fn with_domain(self, domain: String) -> AuthorizationVerifier

Adds a domain restriction to the verification.

When set, adds a domain fact to the authorizer. This is required for verifying domain-restricted tokens.

Arguments

• domain - The domain to verify against (e.g., “example.com”)

pub fn with_prefix(self, prefix: String) -> AuthorizationVerifier

Adds a prefix restriction to the verification.

When set, adds a prefix fact to the authorizer. This is required for verifying prefix-restricted tokens.

Arguments

• prefix - The prefix to verify against (e.g., “tenant/TENANTID/user/USERID/”)

pub fn with_service_chain( self, service_nodes: Vec<ServiceNode>, component: Option<String>, ) -> AuthorizationVerifier

Adds service chain attestation verification.

When set, verifies that the token has been properly attested by the specified service chain nodes.

Arguments

• service_nodes - The list of service nodes in the chain
• component - Optional specific component to verify in the chain

pub fn verify(self) -> Result<(), TokenError>

Performs the token verification with the configured parameters.

Returns

• Ok(()) - If the token is valid and meets all verification requirements
• Err(TokenError) - If verification fails for any reason

Errors

Returns an error if:

• The token is malformed or cannot be parsed
• The token signature is invalid
• The token has expired
• The token does not grant the required access rights
• The domain doesn’t match (if domain restriction is set on token)
• Service chain attestation fails (if service chain is configured)