Module auth_classifier

Two-stage auth-block classifier.

Stage 1 (classify_auth_block) inspects a single (request, response) pair and returns an AuthBlockSignature when auth involvement is detected. Stage 2 (super::auth_equivalence::auth_gate_decision) compares baseline and probe signatures and decides whether to gate the technique (both sides equivalent, no oracle differential), preserve evidence (non-equivalent auth-related differential), or fall through to other gates (no auth involvement).

Critical invariant: the gate may suppress only non-differential same-layer auth blocks. Status, body, header, location, or challenge-parameter differentials must be preserved as oracle evidence — see scan_idor_403_vs_404 for the canonical 403/404 BOLA pattern.

Functions

classify_403_auth_block
Classifies a 403 response. Returns Some only when an auth-layer signal is present — WWW-Authenticate header or insufficient_scope / invalid_token body. Otherwise returns None so the 403 propagates as potential oracle evidence (BOLA / IDOR territory).
classify_auth_block
Classifies a single request/response pair as auth-involved or not.
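The following is an added illustration of the decision rule documented above for classify_403_auth_block and of the three outcomes described for the stage-2 gate; it is not the module's own code, and every type and signature in it (Response, AuthSignal, AuthBlockSignature, GateDecision, the simplified auth_gate_decision) is an assumption made for this example. It shows the critical invariant in action: a bare 403 with no auth-layer signal yields None, so a 403/404 differential is never gated away.

```rust
// Illustrative re-implementation (not the crate's API) of the rule documented
// for classify_403_auth_block: a 403 counts as an auth-layer block only when a
// WWW-Authenticate header or an insufficient_scope / invalid_token body error
// is present. All types below are assumptions for this example.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum AuthSignal {
    /// Response carried a WWW-Authenticate challenge header.
    Challenge(String),
    /// Body contained an OAuth-style error such as insufficient_scope.
    BodyError(String),
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthBlockSignature {
    pub status: u16,
    pub signal: AuthSignal,
}

/// Minimal response view (assumed shape): status, header pairs, body text.
pub struct Response<'a> {
    pub status: u16,
    pub headers: &'a [(&'a str, &'a str)],
    pub body: &'a str,
}

/// Returns Some only when an auth-layer signal is present on a 403;
/// otherwise None so the 403 propagates as potential oracle evidence.
pub fn classify_403_auth_block(resp: &Response) -> Option<AuthBlockSignature> {
    if resp.status != 403 {
        return None;
    }
    // Header names are case-insensitive, so compare ignoring ASCII case.
    if let Some((_, v)) = resp
        .headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case("www-authenticate"))
    {
        return Some(AuthBlockSignature {
            status: 403,
            signal: AuthSignal::Challenge(v.to_string()),
        });
    }
    let body = resp.body.to_ascii_lowercase();
    for &err in ["insufficient_scope", "invalid_token"].iter() {
        if body.contains(err) {
            return Some(AuthBlockSignature {
                status: 403,
                signal: AuthSignal::BodyError(err.to_string()),
            });
        }
    }
    None
}

/// The three stage-2 outcomes described in the module docs.
#[derive(Debug, PartialEq, Eq)]
pub enum GateDecision {
    /// Both sides equivalent auth blocks: no oracle differential, gate.
    Gate,
    /// Auth-related but non-equivalent: keep as oracle evidence.
    PreserveEvidence,
    /// No auth involvement on either side: other gates decide.
    FallThrough,
}

/// Simplified comparison of baseline and probe signatures (assumed logic).
pub fn auth_gate_decision(
    baseline: Option<&AuthBlockSignature>,
    probe: Option<&AuthBlockSignature>,
) -> GateDecision {
    match (baseline, probe) {
        (None, None) => GateDecision::FallThrough,
        (Some(b), Some(p)) if b == p => GateDecision::Gate,
        _ => GateDecision::PreserveEvidence,
    }
}

fn main() {
    // Constructed sample responses for a baseline and a probe request.
    let baseline = Response {
        status: 403,
        headers: &[("Content-Type", "application/json")],
        body: "{\"error\":\"forbidden\"}",
    };
    let probe = Response {
        status: 403,
        headers: &[("WWW-Authenticate", "Bearer realm=\"api\"")],
        body: "",
    };
    let b = classify_403_auth_block(&baseline);
    let p = classify_403_auth_block(&probe);
    println!("baseline: {:?}\nprobe: {:?}", b, p);
    println!("decision: {:?}", auth_gate_decision(b.as_ref(), p.as_ref()));
}
```

In the sample run the bare 403 baseline classifies as None while the challenge-bearing probe classifies as an auth block, so the gate returns PreserveEvidence rather than suppressing the pair.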