nonce_auth/

lib.rs

//! A lightweight, secure nonce-based authentication library for Rust.
//!
//! This library provides a simple, robust solution for preventing replay attacks
//! in APIs and other network services. It uses a combination of nonces, timestamps,
//! and HMAC signatures to ensure that each request is unique and authentic.
//!
//! For a quick start, see the [README.md](https://github.com/kookyleo/nonce-auth/blob/main/README.md).
//! For configuration options, see [CONFIGURATION.md](https://github.com/kookyleo/nonce-auth/blob/main/CONFIGURATION.md).

use hmac::Hmac;
use serde::{Deserialize, Serialize};
use sha2::Sha256;

pub mod nonce;
pub mod storage {
    //! Pluggable storage backends for nonce persistence.
    pub use crate::nonce::storage::*;
}

// Re-export key types for easy access.
pub use nonce::{NonceClient, NonceConfig, NonceError, NonceServer};

/// Internal type alias for HMAC-SHA256 operations.
type HmacSha256 = Hmac<Sha256>;

/// A self-contained cryptographic credential used to authenticate a request.
///
/// This structure is generated by a `NonceClient` and verified by a `NonceServer`.
/// It is designed to be serialized and sent alongside your application's request data.
///
/// # Fields
///
/// - `timestamp`: Unix timestamp indicating when the credential was created.
/// - `nonce`: A unique, single-use value to prevent replay attacks.
/// - `signature`: An HMAC-SHA256 signature covering the timestamp, nonce, and user-defined payload.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NonceCredential {
    pub timestamp: u64,
    pub nonce: String,
    pub signature: String,
}

#[cfg(test)]
mod tests {
    use crate::nonce::{NonceClient, NonceError, NonceServer};

    #[tokio::test]
    async fn test_client_server_separation() {
        let client = NonceClient::new(b"test_secret");
        let server = NonceServer::builder().build_and_init().await.unwrap();
        let payload = b"test_payload";

        // Client creates a credential
        let credential = client.credential_builder().sign(payload).unwrap();

        // Server verifies the credential using the standard method
        let result = server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .verify(payload)
            .await;

        assert!(result.is_ok());

        // Same nonce should be rejected
        let result = server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .verify(payload)
            .await;

        assert!(matches!(result, Err(NonceError::DuplicateNonce)));
    }

    #[tokio::test]
    async fn test_context_isolation() {
        let client = NonceClient::new(b"test_secret");
        let server = NonceServer::builder().build_and_init().await.unwrap();
        let payload = b"test_payload";

        let credential = client.credential_builder().sign(payload).unwrap();

        // Same nonce should work in different contexts
        server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .with_context(Some("context1"))
            .verify(payload)
            .await
            .unwrap();

        server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .with_context(Some("context2"))
            .verify(payload)
            .await
            .unwrap();

        // But should fail if used twice in same context
        let result = server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .with_context(Some("context1"))
            .verify(payload)
            .await;

        assert!(matches!(result, Err(NonceError::DuplicateNonce)));
    }

    #[tokio::test]
    async fn test_timestamp_validation() {
        let client = NonceClient::new(b"test_secret");
        let server = NonceServer::builder()
            .with_time_window(std::time::Duration::from_secs(1))
            .build_and_init()
            .await
            .unwrap();
        let payload = b"test_payload";

        // Create credential with old timestamp
        let mut credential = client.credential_builder().sign(payload).unwrap();

        // Simulate old timestamp (2 seconds ago, but time window is 1 second)
        credential.timestamp = std::time::SystemTime::now()
            .duration_since(std::time::UNIX_EPOCH)
            .unwrap()
            .as_secs()
            - 2;

        let result = server
            .credential_verifier(&credential)
            .with_secret(b"test_secret")
            .verify(payload)
            .await;

        assert!(matches!(result, Err(NonceError::TimestampOutOfWindow)));
    }

    #[tokio::test]
    async fn test_signature_verification() {
        let client = NonceClient::new(b"test_secret");
        let server = NonceServer::builder().build_and_init().await.unwrap();
        let payload = b"test_payload";

        let credential = client.credential_builder().sign(payload).unwrap();

        let result = server
            .credential_verifier(&credential)
            .with_secret(b"different_secret") // Different secret from client
            .verify(payload)
            .await;

        assert!(matches!(result, Err(NonceError::InvalidSignature)));
    }

    #[tokio::test]
    async fn test_serialization() {
        let client = NonceClient::new(b"test_secret");
        let credential = client.credential_builder().sign(b"test_payload").unwrap();

        // Test JSON serialization
        let json = serde_json::to_string(&credential).unwrap();
        let deserialized: super::NonceCredential = serde_json::from_str(&json).unwrap();

        assert_eq!(credential.timestamp, deserialized.timestamp);
        assert_eq!(credential.nonce, deserialized.nonce);
        assert_eq!(credential.signature, deserialized.signature);
    }
}