Skip to main content

ppoppo_token/access_token/
verify_config.rs

1//! Per-request verification configuration for the RFC 9068 access-token
2//! profile.
3//!
4//! ── Composition ────────────────────────────────────────────────────────
5//!
6//! JOSE-shared fields (`issuer`, `audience`, `expected_typ`,
7//! `max_token_size`, `algorithms`) live in `engine::SharedVerifyConfig`
8//! and are reached via `self.shared`. Access-token-specific axes
9//! (replay/session/epoch revocation ports) stay on this struct. The
10//! engine submodules `check_algorithm` / `check_header` / `raw` read
11//! only from `&SharedVerifyConfig`; `check_claims` / `check_domain` /
12//! revocation checks read from this struct (and reach the shared
13//! fields via `cfg.shared.*`).
14//!
15//! ── Phase 5 — orthogonal port slots ────────────────────────────────────
16//!
17//! Three optional ports model the orthogonal revocation axes (M35-M38 +
18//! sv). Each is `Option<Arc<dyn ...>>` so callers wire only what their
19//! deployment substrate supports — `None` short-circuits the gate
20//! (legacy admit / sibling-test config / migration phases).
21
22use std::sync::Arc;
23
24use super::epoch_revocation::EpochRevocation;
25use super::replay_defense::ReplayDefense;
26use super::session_revocation::SessionRevocation;
27use crate::algorithm::Algorithm;
28use crate::engine::shared_config::SharedVerifyConfig;
29
30#[derive(Debug, Clone)]
31#[allow(dead_code)] // ports consumed across Phase 5+
32pub struct VerifyConfig {
33    pub(crate) shared: SharedVerifyConfig,
34
35    // ── Phase 5 revocation port slots ──────────────────────────────────
36    /// M35 jti replay defense (Phase 5 commit 5.1).
37    pub(crate) replay: Option<Arc<dyn ReplayDefense>>,
38    /// M36 session-row liveness (Phase 5 commit 5.2).
39    pub(crate) session: Option<Arc<dyn SessionRevocation>>,
40    /// sv-port per-account epoch (Phase 5 commits 5.5-5.7).
41    pub(crate) epoch: Option<Arc<dyn EpochRevocation>>,
42}
43
44impl VerifyConfig {
45    /// Canonical access-token config: `at+jwt` typ, EdDSA-only algorithm
46    /// whitelist, 8 KB token size cap (M34). All revocation port slots
47    /// default to `None`; callers opt in via the builders.
48    pub fn access_token(issuer: impl Into<String>, audience: impl Into<String>) -> Self {
49        Self {
50            shared: SharedVerifyConfig::new(
51                issuer,
52                audience,
53                "at+jwt",
54                8 * 1024,
55                vec![Algorithm::EdDSA],
56            ),
57            replay: None,
58            session: None,
59            epoch: None,
60        }
61    }
62
63    /// Override the algorithm whitelist. Test-only escape hatch — production
64    /// callers MUST go through `access_token` so the EdDSA pin is the default.
65    #[must_use]
66    pub fn with_algorithms(mut self, algorithms: Vec<Algorithm>) -> Self {
67        self.shared.algorithms = algorithms;
68        self
69    }
70
71    /// Wire the M35 jti replay defense port.
72    #[must_use]
73    pub fn with_replay_defense(mut self, port: Arc<dyn ReplayDefense>) -> Self {
74        self.replay = Some(port);
75        self
76    }
77
78    /// Wire the M36 session-row liveness port.
79    #[must_use]
80    pub fn with_session_revocation(mut self, port: Arc<dyn SessionRevocation>) -> Self {
81        self.session = Some(port);
82        self
83    }
84
85    /// Wire the sv-port per-account epoch revocation.
86    #[must_use]
87    pub fn with_epoch_revocation(mut self, port: Arc<dyn EpochRevocation>) -> Self {
88        self.epoch = Some(port);
89        self
90    }
91}