Expand description
Authentication for jerrycan: argon2 password hashing, AEAD session cookies, HS256 JWTs, role guards. Vetted RustCrypto primitives; hand-rolled envelopes (see module docs). #![forbid(unsafe_code)].
Re-exports§
pub use api_key::ApiKey;pub use api_key::ApiKeyFuture;pub use api_key::ApiKeyRecord;pub use api_key::ApiKeyStore;pub use api_key::ApiKeys;pub use api_key::InMemoryApiKeyStore;pub use api_key::MintedApiKey;pub use api_key::hash_key;pub use api_key::mint;pub use api_key::require_scope;pub use api_key::verify;pub use guard::Bearer;pub use guard::Session;pub use guard::require_role;pub use password::hash_password;pub use password::verify_password;pub use session::SessionStore;
Modules§
- api_key
- Scoped API keys (spec §v2.4 Task 2): mint a high-entropy key, store only its SHA-256 hash, authenticate requests, and scope-check them.
- guard
- Guards are dependencies (spec §4.3):
Session<T>/Bearer<T>are extractors returning 401;require_rolereturns 403. No auth middleware. - jwt
- HS256 JWTs: signed, NOT encrypted (interop bearer tokens — never put secrets
in a JWT). We hand-roll the
header.payload.signatureenvelope over thehmaccrate; we do NOT implement HMAC ourselves. - password
- Password hashing via argon2 (RustCrypto). We never invent crypto — argon2 does the KDF; we expose a thin, misuse-resistant pair.
- session
- Session cookies: server-private state, ChaCha20-Poly1305 AEAD
(confidential + tamper-evident). Wire format:
base64url(nonce[12] ‖ ciphertext+tag). The cookie is Secure/HttpOnly/SameSite=Lax by default (spec §4.4). - webhook
- Webhook signature verification primitives: HMAC over the EXACT request
bytes (pair with the
RawBodyextractor — re-serialized JSON never verifies). Comparisons are constant-time viahmac’sverify_slice.
Structs§
- Auth
- The auth extension: holds the derived session, token-at-rest, and JWT keys,
registered as a dependency so
Session/Bearerextractors can resolve it.