hyperion_vault_core/
auth.rs1use base64::Engine;
2use sha2::{Digest, Sha256};
3use subtle::ConstantTimeEq;
4
5use crate::crypto::fill_random;
6
7pub const TOKEN_BYTES: usize = 32;
8pub const FINGERPRINT_LEN: usize = 32;
9
10pub fn generate_token() -> String {
11 let mut bytes = [0u8; TOKEN_BYTES];
12 fill_random(&mut bytes);
13 base64::engine::general_purpose::URL_SAFE_NO_PAD.encode(bytes)
14}
15
16pub fn fingerprint(token: &str) -> [u8; FINGERPRINT_LEN] {
17 let mut hasher = Sha256::new();
18 hasher.update(token.as_bytes());
19 let digest = hasher.finalize();
20 let mut out = [0u8; FINGERPRINT_LEN];
21 out.copy_from_slice(&digest);
22 out
23}
24
25pub fn verify(token: &str, expected_fingerprint: &[u8]) -> bool {
26 let computed = fingerprint(token);
27 computed.as_slice().ct_eq(expected_fingerprint).into()
28}
29
30pub fn fingerprints_match(a: &[u8], b: &[u8]) -> bool {
31 a.ct_eq(b).into()
32}