ppoppo_token/access_token/

verify_config.rs

//! Per-request verification configuration for the RFC 9068 access-token
//! profile.
//!
//! ── Composition ────────────────────────────────────────────────────────
//!
//! JOSE-shared fields (`issuer`, `audience`, `expected_typ`,
//! `max_token_size`, `algorithms`) live in `engine::SharedVerifyConfig`
//! and are reached via `self.shared`. Access-token-specific axes
//! (replay/session/epoch revocation ports) stay on this struct. The
//! engine submodules `check_algorithm` / `check_header` / `raw` read
//! only from `&SharedVerifyConfig`; `check_claims` / `check_domain` /
//! revocation checks read from this struct (and reach the shared
//! fields via `cfg.shared.*`).
//!
//! ── Phase 5 — orthogonal port slots ────────────────────────────────────
//!
//! Three optional ports model the orthogonal revocation axes (M35-M38 +
//! sv). Each is `Option<Arc<dyn ...>>` so callers wire only what their
//! deployment substrate supports — `None` short-circuits the gate
//! (legacy admit / sibling-test config / migration phases).

use std::sync::Arc;

use super::epoch_revocation::EpochRevocation;
use super::replay_defense::ReplayDefense;
use super::session_revocation::SessionRevocation;
use crate::algorithm::Algorithm;
use crate::engine::shared_config::SharedVerifyConfig;

#[derive(Debug, Clone)]
#[allow(dead_code)] // ports consumed across Phase 5+
pub struct VerifyConfig {
    pub(crate) shared: SharedVerifyConfig,

    // ── Phase 5 revocation port slots ──────────────────────────────────
    /// M35 jti replay defense (Phase 5 commit 5.1).
    pub(crate) replay: Option<Arc<dyn ReplayDefense>>,
    /// M36 session-row liveness (Phase 5 commit 5.2).
    pub(crate) session: Option<Arc<dyn SessionRevocation>>,
    /// sv-port per-account epoch (Phase 5 commits 5.5-5.7).
    pub(crate) epoch: Option<Arc<dyn EpochRevocation>>,
}

impl VerifyConfig {
    /// Canonical access-token config: `at+jwt` typ, EdDSA-only algorithm
    /// whitelist, 8 KB token size cap (M34). All revocation port slots
    /// default to `None`; callers opt in via the builders.
    pub fn access_token(issuer: impl Into<String>, audience: impl Into<String>) -> Self {
        Self {
            shared: SharedVerifyConfig::new(
                issuer,
                audience,
                "at+jwt",
                8 * 1024,
                vec![Algorithm::EdDSA],
            ),
            replay: None,
            session: None,
            epoch: None,
        }
    }

    /// Override the algorithm whitelist. Test-only escape hatch — production
    /// callers MUST go through `access_token` so the EdDSA pin is the default.
    #[must_use]
    pub fn with_algorithms(mut self, algorithms: Vec<Algorithm>) -> Self {
        self.shared.algorithms = algorithms;
        self
    }

    /// Wire the M35 jti replay defense port.
    #[must_use]
    pub fn with_replay_defense(mut self, port: Arc<dyn ReplayDefense>) -> Self {
        self.replay = Some(port);
        self
    }

    /// Wire the M36 session-row liveness port.
    #[must_use]
    pub fn with_session_revocation(mut self, port: Arc<dyn SessionRevocation>) -> Self {
        self.session = Some(port);
        self
    }

    /// Wire the sv-port per-account epoch revocation.
    #[must_use]
    pub fn with_epoch_revocation(mut self, port: Arc<dyn EpochRevocation>) -> Self {
        self.epoch = Some(port);
        self
    }
}