pub struct AuthConfig { /* private fields */ }Expand description
API key authentication for the HTTP server.
Configured from RECURSIVE_HTTP_AUTH_KEYS, a comma-separated list of
keys the server will accept in the X-API-Key request header. An empty
key set (the default) disables auth entirely — every route is reachable
without credentials. This preserves zero-config behavior and keeps the
public default backward-compatible.
Distinct from RECURSIVE_API_KEY (singular): that variable holds the
outbound credential the agent uses to talk to its LLM provider.
RECURSIVE_HTTP_AUTH_KEYS (plural) holds the inbound credentials
the HTTP server accepts from clients. The names are deliberately
dissimilar to avoid confusion at the operator’s shell.
/health and /metrics are always exempt (k8s liveness probes and
Prometheus scrapers must work unauthenticated).
Implementations§
Source§impl AuthConfig
impl AuthConfig
Sourcepub fn new(keys: Vec<String>) -> Self
pub fn new(keys: Vec<String>) -> Self
Build an AuthConfig from an explicit key list. Pass an empty
vec to disable API-key auth (a JWT verifier may still be
attached via AuthConfig::with_jwt).
Sourcepub fn with_jwt(self, jwt: JwtConfig) -> Self
pub fn with_jwt(self, jwt: JwtConfig) -> Self
Attach a JWT verifier. Call after AuthConfig::new to get
“X-API-Key OR Bearer JWT” semantics — either valid credential
type lets a request through. Without this call the behavior
is X-API-Key-only (the original g135 behavior).
Sourcepub fn is_valid(&self, presented: &str) -> bool
pub fn is_valid(&self, presented: &str) -> bool
Constant-time check whether presented is in the configured
API-key set.
Returns true if no API keys are configured. Endpoints must
rely on the middleware layering, not this method, for the
“auth disabled” semantics — see [auth_middleware].
The loop runs over every configured key regardless of an early match, to keep the comparison constant-time and avoid leaking key-set membership timing.
Sourcepub fn is_enabled(&self) -> bool
pub fn is_enabled(&self) -> bool
Whether ANY auth modality is enabled — non-empty API key set
OR a JWT verifier attached. When this returns false, the
middleware is a pass-through.
Trait Implementations§
Source§impl Clone for AuthConfig
impl Clone for AuthConfig
Source§fn clone(&self) -> AuthConfig
fn clone(&self) -> AuthConfig
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreSource§impl Default for AuthConfig
impl Default for AuthConfig
Source§fn default() -> AuthConfig
fn default() -> AuthConfig
Auto Trait Implementations§
impl Freeze for AuthConfig
impl RefUnwindSafe for AuthConfig
impl Send for AuthConfig
impl Sync for AuthConfig
impl Unpin for AuthConfig
impl UnsafeUnpin for AuthConfig
impl UnwindSafe for AuthConfig
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
impl<A, B, T> HttpServerConnExec<A, B> for Twhere
B: Body,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read more