Skip to main content

rmcp_server_kit/
auth.rs

1//! Authentication middleware for MCP servers.
2//!
3//! Supports multiple authentication methods tried in priority order:
4//! 1. mTLS client certificate (if configured and peer cert present)
5//! 2. Bearer token (API key) with Argon2id hash verification
6//!
7//! Includes per-source-IP rate limiting on authentication attempts.
8
9use std::{
10    collections::HashSet,
11    net::{IpAddr, SocketAddr},
12    num::NonZeroU32,
13    path::PathBuf,
14    sync::{
15        Arc, LazyLock, Mutex,
16        atomic::{AtomicU64, Ordering},
17    },
18    time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24    body::Body,
25    extract::ConnectInfo,
26    http::{Request, header},
27    middleware::Next,
28    response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37/// Identity of an authenticated caller.
38///
39/// The [`Debug`] impl is **manually written** to redact the raw bearer token
40/// and the JWT `sub` claim. This prevents accidental disclosure if an
41/// `AuthIdentity` is ever logged via `tracing::debug!(?identity, …)` or
42/// `format!("{identity:?}")`. Only `name`, `role`, and `method` are printed
43/// in the clear; `raw_token` and `sub` are rendered as `<redacted>` /
44/// `<present>` / `<none>` markers.
45#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48    /// Human-readable identity name (e.g. API key label or cert CN).
49    pub name: String,
50    /// RBAC role associated with this identity.
51    pub role: String,
52    /// Which authentication mechanism produced this identity.
53    pub method: AuthMethod,
54    /// Raw bearer token from the `Authorization` header, wrapped in
55    /// [`SecretString`] so it is never accidentally logged or serialized.
56    /// Present for OAuth JWT; `None` for mTLS and API-key auth.
57    /// Tool handlers use this for downstream token passthrough via
58    /// [`crate::rbac::current_token`].
59    pub raw_token: Option<SecretString>,
60    /// JWT `sub` claim (stable user identifier, e.g. Keycloak UUID).
61    /// Used for token store keying. `None` for non-JWT auth.
62    pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66    /// Redacts `raw_token` and `sub` to prevent secret leakage via
67    /// `format!("{:?}")` or `tracing::debug!(?identity)`.
68    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69        f.debug_struct("AuthIdentity")
70            .field("name", &self.name)
71            .field("role", &self.role)
72            .field("method", &self.method)
73            .field(
74                "raw_token",
75                &if self.raw_token.is_some() {
76                    "<redacted>"
77                } else {
78                    "<none>"
79                },
80            )
81            .field(
82                "sub",
83                &if self.sub.is_some() {
84                    "<redacted>"
85                } else {
86                    "<none>"
87                },
88            )
89            .finish()
90    }
91}
92
93/// How the caller authenticated.
94#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97    /// Bearer API key (Argon2id-hashed, configured statically).
98    BearerToken,
99    /// Mutual TLS client certificate.
100    MtlsCertificate,
101    /// OAuth 2.1 JWT bearer token (validated via JWKS).
102    OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107    MissingCredential,
108    InvalidCredential,
109    #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110    ExpiredCredential,
111    /// Source IP exceeded the post-failure backoff limit.
112    RateLimited,
113    /// Source IP exceeded the pre-auth abuse gate (rejected before any
114    /// password-hash work — see [`AuthState::pre_auth_limiter`]).
115    PreAuthGate,
116}
117
118impl AuthFailureClass {
119    fn as_str(self) -> &'static str {
120        match self {
121            Self::MissingCredential => "missing_credential",
122            Self::InvalidCredential => "invalid_credential",
123            Self::ExpiredCredential => "expired_credential",
124            Self::RateLimited => "rate_limited",
125            Self::PreAuthGate => "pre_auth_gate",
126        }
127    }
128
129    fn bearer_error(self) -> (&'static str, &'static str) {
130        match self {
131            Self::MissingCredential => (
132                "invalid_request",
133                "missing bearer token or mTLS client certificate",
134            ),
135            Self::InvalidCredential => ("invalid_token", "token is invalid"),
136            Self::ExpiredCredential => ("invalid_token", "token is expired"),
137            Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138            Self::PreAuthGate => (
139                "invalid_request",
140                "too many unauthenticated requests from this source",
141            ),
142        }
143    }
144
145    fn response_body(self) -> &'static str {
146        match self {
147            Self::MissingCredential => "unauthorized: missing credential",
148            Self::InvalidCredential => "unauthorized: invalid credential",
149            Self::ExpiredCredential => "unauthorized: expired credential",
150            Self::RateLimited => "rate limited",
151            Self::PreAuthGate => "rate limited (pre-auth)",
152        }
153    }
154}
155
156/// Snapshot of authentication success/failure counters.
157#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160    /// Successful mTLS authentications.
161    pub success_mtls: u64,
162    /// Successful bearer-token authentications.
163    pub success_bearer: u64,
164    /// Successful OAuth JWT authentications.
165    pub success_oauth_jwt: u64,
166    /// Failures because no credential was presented.
167    pub failure_missing_credential: u64,
168    /// Failures because the credential was malformed or wrong.
169    pub failure_invalid_credential: u64,
170    /// Failures because the credential had expired.
171    pub failure_expired_credential: u64,
172    /// Failures because the source IP was rate-limited (post-failure backoff).
173    pub failure_rate_limited: u64,
174    /// Failures because the source IP exceeded the pre-auth abuse gate.
175    /// These never reach the password-hash verification path.
176    pub failure_pre_auth_gate: u64,
177}
178
179/// Internal atomic counters backing [`AuthCountersSnapshot`].
180#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182    success_mtls: AtomicU64,
183    success_bearer: AtomicU64,
184    success_oauth_jwt: AtomicU64,
185    failure_missing_credential: AtomicU64,
186    failure_invalid_credential: AtomicU64,
187    failure_expired_credential: AtomicU64,
188    failure_rate_limited: AtomicU64,
189    failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193    fn record_success(&self, method: AuthMethod) {
194        match method {
195            AuthMethod::MtlsCertificate => {
196                self.success_mtls.fetch_add(1, Ordering::Relaxed);
197            }
198            AuthMethod::BearerToken => {
199                self.success_bearer.fetch_add(1, Ordering::Relaxed);
200            }
201            AuthMethod::OAuthJwt => {
202                self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203            }
204        }
205    }
206
207    fn record_failure(&self, class: AuthFailureClass) {
208        match class {
209            AuthFailureClass::MissingCredential => {
210                self.failure_missing_credential
211                    .fetch_add(1, Ordering::Relaxed);
212            }
213            AuthFailureClass::InvalidCredential => {
214                self.failure_invalid_credential
215                    .fetch_add(1, Ordering::Relaxed);
216            }
217            AuthFailureClass::ExpiredCredential => {
218                self.failure_expired_credential
219                    .fetch_add(1, Ordering::Relaxed);
220            }
221            AuthFailureClass::RateLimited => {
222                self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223            }
224            AuthFailureClass::PreAuthGate => {
225                self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226            }
227        }
228    }
229
230    fn snapshot(&self) -> AuthCountersSnapshot {
231        AuthCountersSnapshot {
232            success_mtls: self.success_mtls.load(Ordering::Relaxed),
233            success_bearer: self.success_bearer.load(Ordering::Relaxed),
234            success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235            failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236            failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237            failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238            failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239            failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240        }
241    }
242}
243
244/// RFC 3339 timestamp, parsed at deserialization time.
245///
246/// Use this for any public field that needs to carry an RFC 3339 timestamp from
247/// TOML/JSON config or builder APIs. Construction is fallible (`parse`); once
248/// constructed the value is guaranteed to be a real RFC 3339 timestamp with a
249/// known offset, so downstream code does not need to handle parse errors.
250///
251/// Wraps [`chrono::DateTime<chrono::FixedOffset>`]; the underlying value is
252/// available via [`Self::as_datetime`] or [`Self::into_inner`]. `Serialize`
253/// emits the canonical RFC 3339 form via [`chrono::DateTime::to_rfc3339`], so
254/// the on-the-wire format for `ApiKeySummary` (admin endpoints) is unchanged.
255#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260    /// Parse an RFC 3339 timestamp.
261    ///
262    /// # Errors
263    ///
264    /// Returns the underlying [`chrono::ParseError`] when `s` is not a valid
265    /// RFC 3339 timestamp (e.g. missing the `T` separator, missing the offset
266    /// suffix, or out-of-range fields).
267    pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268        chrono::DateTime::parse_from_rfc3339(s).map(Self)
269    }
270
271    /// Borrow the underlying [`chrono::DateTime`].
272    #[must_use]
273    pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274        &self.0
275    }
276
277    /// Consume the wrapper and return the underlying [`chrono::DateTime`].
278    #[must_use]
279    pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280        self.0
281    }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286        // Canonical RFC 3339 form; matches the deserialization input contract.
287        write!(f, "{}", self.0.to_rfc3339())
288    }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293        // Render as the canonical RFC 3339 string (not chrono's internal
294        // debug form) so existing `ApiKeyEntry` Debug-redaction tests --
295        // which look for the literal `"2030-01-01T00:00:00Z"` form in the
296        // formatted output -- continue to hold without bespoke handling.
297        write!(f, "{}", self.0.to_rfc3339())
298    }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303    where
304        D: serde::Deserializer<'de>,
305    {
306        // Validate at deserialization time: a malformed `expires_at` in
307        // TOML or JSON aborts config load with a clear serde error rather
308        // than silently producing a key that fails open at runtime.
309        let s = String::deserialize(deserializer)?;
310        Self::parse(&s).map_err(serde::de::Error::custom)
311    }
312}
313
314impl serde::Serialize for RfcTimestamp {
315    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316    where
317        S: serde::Serializer,
318    {
319        serializer.serialize_str(&self.0.to_rfc3339())
320    }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324    fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325        Self(value)
326    }
327}
328
329/// A single API key entry (stored as Argon2id hash in config).
330///
331/// The [`Debug`] impl is **manually written** to redact the Argon2id hash.
332/// Although the hash is not directly reversible, treating it as a secret
333/// prevents offline brute-force attempts from leaked logs and matches the
334/// defense-in-depth posture used for [`AuthIdentity`].
335#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338    /// Human-readable key label (used in logs and audit records).
339    pub name: String,
340    /// Argon2id hash of the token (PHC string format).
341    pub hash: String,
342    /// RBAC role granted when this key authenticates successfully.
343    pub role: String,
344    /// Optional expiry, parsed from an RFC 3339 string at deserialization
345    /// time. Construction from a raw string is fallible (see
346    /// [`RfcTimestamp::parse`] and [`ApiKeyEntry::try_with_expiry`]),
347    /// which guarantees `verify_bearer_token` never sees a malformed value.
348    pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352    /// Redacts the Argon2id `hash` to keep it out of logs, panic backtraces,
353    /// and admin-endpoint responses that might `format!("{:?}", …)` an entry.
354    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355        f.debug_struct("ApiKeyEntry")
356            .field("name", &self.name)
357            .field("hash", &"<redacted>")
358            .field("role", &self.role)
359            .field("expires_at", &self.expires_at)
360            .finish()
361    }
362}
363
364impl ApiKeyEntry {
365    /// Create a new API key entry (no expiry).
366    #[must_use]
367    pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368        Self {
369            name: name.into(),
370            hash: hash.into(),
371            role: role.into(),
372            expires_at: None,
373        }
374    }
375
376    /// Set an RFC 3339 expiry on this key.
377    ///
378    /// Takes an already-parsed [`RfcTimestamp`]; for ergonomic construction
379    /// from a raw string see [`Self::try_with_expiry`].
380    #[must_use]
381    pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382        self.expires_at = Some(expires_at);
383        self
384    }
385
386    /// Set an RFC 3339 expiry on this key from a raw string.
387    ///
388    /// # Errors
389    ///
390    /// Returns the underlying [`chrono::ParseError`] when `expires_at` is
391    /// not a valid RFC 3339 timestamp. This is the fallible counterpart to
392    /// [`Self::with_expiry`].
393    pub fn try_with_expiry(
394        mut self,
395        expires_at: impl AsRef<str>,
396    ) -> Result<Self, chrono::ParseError> {
397        self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398        Ok(self)
399    }
400}
401
402/// mTLS client certificate authentication configuration.
403#[derive(Debug, Clone, Deserialize)]
404#[allow(
405    clippy::struct_excessive_bools,
406    reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410    /// Path to CA certificate(s) for verifying client certs (PEM format).
411    pub ca_cert_path: PathBuf,
412    /// If true, clients MUST present a valid certificate.
413    /// If false, client certs are optional (verified if presented).
414    #[serde(default)]
415    pub required: bool,
416    /// Default RBAC role for mTLS-authenticated clients.
417    /// The client cert CN becomes the identity name.
418    #[serde(default = "default_mtls_role")]
419    pub default_role: String,
420    /// Enable CRL-based certificate revocation checks using CDP URLs from the
421    /// configured CA chain and connecting client certificates.
422    #[serde(default = "default_true")]
423    pub crl_enabled: bool,
424    /// Optional fixed refresh interval for known CRLs. When omitted, refresh
425    /// cadence is derived from `nextUpdate` and clamped internally.
426    #[serde(default, with = "humantime_serde::option")]
427    pub crl_refresh_interval: Option<Duration>,
428    /// Timeout for individual CRL fetches.
429    #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430    pub crl_fetch_timeout: Duration,
431    /// Grace window during which stale CRLs may still be used when refresh
432    /// attempts fail.
433    #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434    pub crl_stale_grace: Duration,
435    /// When true, missing or unavailable CRLs cause revocation checks to fail
436    /// closed.
437    #[serde(default)]
438    pub crl_deny_on_unavailable: bool,
439    /// When true, apply revocation checks only to the end-entity certificate.
440    #[serde(default)]
441    pub crl_end_entity_only: bool,
442    /// Allow HTTP CRL distribution-point URLs in addition to HTTPS.
443    ///
444    /// Defaults to `true` because RFC 5280 §4.2.1.13 designates HTTP (and
445    /// LDAP) as the canonical transport for CRL distribution points.
446    /// SSRF defense for HTTP CDPs is provided by the IP-allowlist guard
447    /// (private/loopback/link-local/multicast/cloud-metadata addresses are
448    /// always rejected), redirect=none, body-size cap, and per-host
449    /// concurrency limit -- not by forcing HTTPS.
450    #[serde(default = "default_true")]
451    pub crl_allow_http: bool,
452    /// Enforce CRL expiration during certificate validation.
453    #[serde(default = "default_true")]
454    pub crl_enforce_expiration: bool,
455    /// Maximum concurrent CRL fetches across all hosts. Defense in depth
456    /// against SSRF amplification: even if many CDPs are discovered, no
457    /// more than this many fetches run in parallel. Per-host concurrency
458    /// is independently capped at 1 regardless of this value.
459    /// Default: `4`.
460    #[serde(default = "default_crl_max_concurrent_fetches")]
461    pub crl_max_concurrent_fetches: usize,
462    /// Hard cap on each CRL response body in bytes. Fetches exceeding this
463    /// are aborted mid-stream to bound memory and prevent gzip-bomb-style
464    /// amplification. Default: 5 MiB (`5 * 1024 * 1024`).
465    #[serde(default = "default_crl_max_response_bytes")]
466    pub crl_max_response_bytes: u64,
467    /// Global CDP discovery rate limit, in URLs per minute. Throttles
468    /// how many *new* CDP URLs the verifier may admit into the fetch
469    /// pipeline across the whole process, bounding asymmetric `DoS`
470    /// amplification when attacker-controlled certificates carry large
471    /// CDP lists. The limit is global (not per-source-IP) in this
472    /// release; per-IP scoping is deferred to a future version because
473    /// it requires plumbing the peer `SocketAddr` through the rustls
474    /// verifier hook (a different subsystem than ordinary request
475    /// middleware). Note: the **bearer pre-auth limiter** that gates
476    /// API-key / OAuth `Authorization` headers is already per-IP — see
477    /// [`RateLimitConfig::pre_auth_max_per_minute`] and the keyed
478    /// governor built by `build_pre_auth_limiter`. URLs that lose the
479    /// rate-limiter race are *not* marked as seen, so subsequent
480    /// handshakes observing the same URL can retry admission.
481    /// Default: `60`.
482    #[serde(default = "default_crl_discovery_rate_per_min")]
483    pub crl_discovery_rate_per_min: u32,
484    /// Maximum number of distinct hosts that may hold a CRL fetch
485    /// semaphore at any time. At the cap, idle entries (no in-flight
486    /// fetch) are evicted on demand so new hosts keep working; only when
487    /// every entry has a concurrent in-flight fetch does the request
488    /// return [`McpxError::Config`] containing the literal substring
489    /// `"crl_host_semaphore_cap_exceeded"`. Bounds memory growth from
490    /// attacker-controlled CDP URLs pointing at unique hostnames.
491    /// Default: 1024.
492    #[serde(default = "default_crl_max_host_semaphores")]
493    pub crl_max_host_semaphores: usize,
494    /// Maximum number of distinct URLs tracked in the "seen" set.
495    /// Beyond this, additional discovered URLs are silently dropped
496    /// with a rate-limited warn! log; no error surfaces. Default: 4096.
497    #[serde(default = "default_crl_max_seen_urls")]
498    pub crl_max_seen_urls: usize,
499    /// Maximum number of cached CRL entries. Beyond this, new
500    /// successful fetches are silently dropped with a rate-limited
501    /// warn! log (newest-rejected, not LRU-evicted). Default: 1024.
502    #[serde(default = "default_crl_max_cache_entries")]
503    pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507    "viewer".into()
508}
509
510const fn default_true() -> bool {
511    true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515    Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519    Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523    4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527    5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531    60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535    1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539    4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543    1024
544}
545
546/// Rate limiting configuration for authentication attempts.
547///
548/// rmcp-server-kit uses two independent per-IP token-bucket limiters for auth:
549///
550/// 1. **Pre-auth abuse gate** ([`Self::pre_auth_max_per_minute`]): consulted
551///    *before* any password-hash work. Throttles unauthenticated traffic from
552///    a single source IP so an attacker cannot pin the CPU on Argon2id by
553///    spraying invalid bearer tokens. Sized generously (default = 10× the
554///    post-failure quota) so legitimate clients are unaffected. mTLS-
555///    authenticated connections bypass this gate entirely (the TLS handshake
556///    already performed expensive crypto with a verified peer).
557/// 2. **Post-failure backoff** ([`Self::max_attempts_per_minute`]): consulted
558///    *after* an authentication attempt fails. Provides explicit backpressure
559///    on bad credentials.
560#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563    /// Maximum failed authentication attempts per source IP per minute.
564    /// Successful authentications do not consume this budget.
565    #[serde(default = "default_max_attempts")]
566    pub max_attempts_per_minute: u32,
567    /// Maximum *unauthenticated* requests per source IP per minute admitted
568    /// to the password-hash verification path. When `None`, defaults to
569    /// `max_attempts_per_minute * 10` at limiter-construction time.
570    ///
571    /// Set higher than [`Self::max_attempts_per_minute`] so honest clients
572    /// retrying with the wrong key never trip this gate; its purpose is only
573    /// to bound CPU usage under spray attacks.
574    #[serde(default)]
575    pub pre_auth_max_per_minute: Option<u32>,
576    /// Hard cap on the number of distinct source IPs tracked per limiter.
577    /// When reached, idle entries are pruned first; if still full, the
578    /// oldest (LRU) entry is evicted to make room for the new one. This
579    /// bounds memory under IP-spray attacks. Default: `10_000`.
580    #[serde(default = "default_max_tracked_keys")]
581    pub max_tracked_keys: usize,
582    /// Per-IP entries idle for longer than this are eligible for
583    /// opportunistic pruning. Default: 15 minutes.
584    #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585    pub idle_eviction: Duration,
586    /// Burst capacity for the post-failure limiter: the maximum number
587    /// of failed attempts admitted back-to-back before the sustained
588    /// `max_attempts_per_minute` rate applies. `None` (default) keeps
589    /// governor's default of burst = rate. Must be greater than zero
590    /// when set. May be smaller than the rate (smoothing) or larger
591    /// (spike tolerance).
592    #[serde(default)]
593    pub burst: Option<u32>,
594    /// Burst capacity for the pre-auth abuse gate. `None` (default)
595    /// keeps burst = the gate's resolved rate. Legal regardless of
596    /// whether [`Self::pre_auth_max_per_minute`] is set — the gate's
597    /// base rate always resolves (`max_attempts_per_minute * 10` when
598    /// unset). Must be greater than zero when set.
599    #[serde(default)]
600    pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604    fn default() -> Self {
605        Self {
606            max_attempts_per_minute: default_max_attempts(),
607            pre_auth_max_per_minute: None,
608            max_tracked_keys: default_max_tracked_keys(),
609            idle_eviction: default_idle_eviction(),
610            burst: None,
611            pre_auth_burst: None,
612        }
613    }
614}
615
616impl RateLimitConfig {
617    /// Create a rate limit config with the given max failed attempts per minute.
618    /// Pre-auth gate defaults to `10x` this value at limiter-construction time.
619    /// Memory-bound defaults are `10_000` tracked keys with 15-minute idle eviction.
620    #[must_use]
621    pub fn new(max_attempts_per_minute: u32) -> Self {
622        Self {
623            max_attempts_per_minute,
624            ..Self::default()
625        }
626    }
627
628    /// Override the pre-auth abuse-gate quota (per source IP per minute).
629    /// When unset, defaults to `max_attempts_per_minute * 10`.
630    #[must_use]
631    pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632        self.pre_auth_max_per_minute = Some(quota);
633        self
634    }
635
636    /// Override the per-limiter cap on tracked source-IP keys (default `10_000`).
637    #[must_use]
638    pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639        self.max_tracked_keys = max;
640        self
641    }
642
643    /// Override the idle-eviction window (default 15 minutes).
644    #[must_use]
645    pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646        self.idle_eviction = idle;
647        self
648    }
649
650    /// Set the burst capacity for the post-failure limiter. Must be
651    /// greater than zero (validated at server-config validation time).
652    #[must_use]
653    pub fn with_burst(mut self, burst: u32) -> Self {
654        self.burst = Some(burst);
655        self
656    }
657
658    /// Set the burst capacity for the pre-auth abuse gate. Must be
659    /// greater than zero (validated at server-config validation time).
660    #[must_use]
661    pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662        self.pre_auth_burst = Some(burst);
663        self
664    }
665}
666
667fn default_max_attempts() -> u32 {
668    30
669}
670
671fn default_max_tracked_keys() -> usize {
672    10_000
673}
674
675fn default_idle_eviction() -> Duration {
676    Duration::from_mins(15)
677}
678
679/// Authentication configuration.
680#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683    /// Master switch - when false, all requests are allowed through.
684    #[serde(default)]
685    pub enabled: bool,
686    /// Bearer token API keys.
687    #[serde(default)]
688    pub api_keys: Vec<ApiKeyEntry>,
689    /// mTLS client certificate authentication.
690    pub mtls: Option<MtlsConfig>,
691    /// Rate limiting for auth attempts.
692    pub rate_limit: Option<RateLimitConfig>,
693    /// OAuth 2.1 JWT bearer token authentication.
694    #[cfg(feature = "oauth")]
695    pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699    /// Create an enabled auth config with the given API keys.
700    #[must_use]
701    pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702        Self {
703            enabled: true,
704            api_keys: keys,
705            mtls: None,
706            rate_limit: None,
707            #[cfg(feature = "oauth")]
708            oauth: None,
709        }
710    }
711
712    /// Set rate limiting on this auth config.
713    #[must_use]
714    pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715        self.rate_limit = Some(rate_limit);
716        self
717    }
718}
719
720/// Summary of a single API key suitable for admin endpoints.
721///
722/// Intentionally omits the Argon2id hash - only metadata is exposed.
723#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726    /// Human-readable key label.
727    pub name: String,
728    /// RBAC role granted when this key authenticates.
729    pub role: String,
730    /// Optional RFC 3339 expiry timestamp. Serialized as a canonical
731    /// RFC 3339 string so the admin-endpoint wire format is preserved.
732    pub expires_at: Option<RfcTimestamp>,
733}
734
735/// Snapshot of the enabled authentication methods for admin endpoints.
736#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738    clippy::struct_excessive_bools,
739    reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743    /// Master enabled flag from config.
744    pub enabled: bool,
745    /// Whether API-key bearer auth is configured.
746    pub bearer: bool,
747    /// Whether mTLS client auth is configured.
748    pub mtls: bool,
749    /// Whether OAuth JWT validation is configured.
750    pub oauth: bool,
751    /// Current API-key list (no hashes).
752    pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756    /// Produce a hash-free summary of the auth config for admin endpoints.
757    #[must_use]
758    pub fn summary(&self) -> AuthConfigSummary {
759        AuthConfigSummary {
760            enabled: self.enabled,
761            bearer: !self.api_keys.is_empty(),
762            mtls: self.mtls.is_some(),
763            #[cfg(feature = "oauth")]
764            oauth: self.oauth.is_some(),
765            #[cfg(not(feature = "oauth"))]
766            oauth: false,
767            api_keys: self
768                .api_keys
769                .iter()
770                .map(|k| ApiKeySummary {
771                    name: k.name.clone(),
772                    role: k.role.clone(),
773                    expires_at: k.expires_at,
774                })
775                .collect(),
776        }
777    }
778}
779
780/// Keyed rate limiter type (per source IP). Memory-bounded by
781/// [`RateLimitConfig::max_tracked_keys`] to defend against IP-spray `DoS`.
782pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784/// Connection info for TLS connections, carrying the peer socket address
785/// and (when mTLS is configured) the verified client identity extracted
786/// from the peer certificate during the TLS handshake.
787///
788/// Defined as a local type so we can implement axum's `Connected` trait
789/// for our custom `TlsListener` without orphan rule issues. The `identity`
790/// field travels with the connection itself (via the wrapping IO type),
791/// so there is no shared map to race against, no port-reuse aliasing, and
792/// no eviction policy to maintain.
793#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796    /// Remote peer socket address.
797    pub addr: SocketAddr,
798    /// Verified mTLS client identity, if a client certificate was presented
799    /// and successfully extracted during the TLS handshake.
800    pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804    /// Construct a new [`TlsConnInfo`].
805    #[must_use]
806    pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807        Self { addr, identity }
808    }
809}
810
811/// Default hard cap on the number of distinct authenticated identities
812/// remembered by [`SeenIdentitySet`].
813///
814/// Sized to comfortably exceed realistic identity churn for an MCP server
815/// while bounding worst-case memory at roughly `4096 * avg_name_len`
816/// (~256 KiB at 64-byte names). Honest clients will never trigger eviction;
817/// hostile churn (rotating mTLS subjects or OAuth `sub` values) is bounded.
818const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820/// Bounded set tracking which authenticated identities have already been
821/// logged at INFO level (subsequent auths fall back to DEBUG).
822///
823/// # Why bounded?
824///
825/// `id.name` is attacker-influenced under mTLS (SAN/CN) and OAuth (`sub`).
826/// An unbounded [`std::collections::HashSet`] would grow with churn,
827/// producing both a slow memory leak and unbounded log-cardinality
828/// downstream (Loki/ES). The cap follows the same trade-off documented in
829/// [`crate::bounded_limiter`]: when an evicted identity reappears it
830/// re-fires INFO once. This is acceptable for diagnostic logging.
831///
832/// # Concurrency
833///
834/// Uses [`std::sync::Mutex`] because [`Self::insert_is_first`] is purely
835/// synchronous and the critical section never `.await`s. The mutex is
836/// poison-tolerant: a poisoned set is still logically consistent
837/// (only writer is `insert_is_first`, which performs an atomic insert
838/// + bounded eviction; no torn invariants are possible).
839pub(crate) struct SeenIdentitySet {
840    inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844    set: HashSet<String>,
845    /// Insertion-order FIFO used for bounded eviction. Tracking strict LRU
846    /// would require touching the queue on every hit (under the mutex);
847    /// FIFO is sufficient because the contract only promises "bounded
848    /// memory", not "remember the most recently seen identities".
849    order: std::collections::VecDeque<String>,
850    cap: usize,
851}
852
853impl SeenIdentitySet {
854    /// Construct with the default cap of [`DEFAULT_SEEN_IDENTITY_CAP`].
855    #[must_use]
856    pub(crate) fn new() -> Self {
857        Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858    }
859
860    /// Construct with an explicit cap. A `cap` of `0` is silently raised
861    /// to `1` to keep the invariant `set.len() <= cap` non-vacuous.
862    #[must_use]
863    pub(crate) fn with_cap(cap: usize) -> Self {
864        let cap = cap.max(1);
865        Self {
866            inner: Mutex::new(SeenInner {
867                set: HashSet::with_capacity(cap.min(64)),
868                order: std::collections::VecDeque::with_capacity(cap.min(64)),
869                cap,
870            }),
871        }
872    }
873
874    /// Insert `name`. Returns `true` if this is the first time `name` was
875    /// inserted (or it was previously evicted and reinserted), `false`
876    /// if it was already present.
877    ///
878    /// When the cap is reached, the oldest inserted entry is evicted to
879    /// make room. Eviction never blocks the caller.
880    pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881        // SAFETY: the only writer is this method; a poisoned set remains
882        // logically consistent (atomic insert + bounded eviction preserve
883        // the `set.len() <= cap` invariant). Continuing past poison only
884        // affects diagnostic logging granularity, not correctness or
885        // security.
886        let mut guard = self
887            .inner
888            .lock()
889            .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891        if guard.set.contains(name) {
892            return false;
893        }
894        // Cap enforcement: evict-then-insert keeps the invariant
895        // `set.len() <= cap` even when the cap is `1`.
896        if guard.set.len() >= guard.cap
897            && let Some(evicted) = guard.order.pop_front()
898        {
899            guard.set.remove(&evicted);
900        }
901        let owned = name.to_owned();
902        guard.set.insert(owned.clone());
903        guard.order.push_back(owned);
904        true
905    }
906
907    /// Test-only snapshot of the current size.
908    #[cfg(test)]
909    pub(crate) fn len(&self) -> usize {
910        self.inner
911            .lock()
912            .unwrap_or_else(std::sync::PoisonError::into_inner)
913            .set
914            .len()
915    }
916}
917
918impl Default for SeenIdentitySet {
919    fn default() -> Self {
920        Self::new()
921    }
922}
923
924/// Shared state for the auth middleware.
925///
926/// `api_keys` uses [`ArcSwap`] so the SIGHUP handler can atomically
927/// swap in a new key list without blocking in-flight requests.
928#[allow(
929    missing_debug_implementations,
930    reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934    /// Active set of API keys (hot-swappable).
935    pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936    /// Optional per-IP post-failure rate limiter (consulted *after* auth fails).
937    pub rate_limiter: Option<Arc<KeyedLimiter>>,
938    /// Optional per-IP pre-auth abuse gate (consulted *before* password-hash work).
939    /// mTLS-authenticated connections bypass this gate.
940    pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941    #[cfg(feature = "oauth")]
942    /// Optional JWKS cache for OAuth JWT validation.
943    pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944    /// Tracks identity names that have already been logged at INFO level.
945    /// Subsequent auths for the same identity are logged at DEBUG.
946    /// Bounded to prevent attacker-driven memory growth via churned
947    /// mTLS subjects or OAuth `sub` claims (see [`SeenIdentitySet`]).
948    pub seen_identities: SeenIdentitySet,
949    /// Lightweight in-memory auth success/failure counters for diagnostics.
950    pub counters: AuthCounters,
951}
952
953impl AuthState {
954    /// Atomically replace the API key list (lock-free, wait-free).
955    ///
956    /// New requests immediately see the updated keys.
957    /// In-flight requests that already loaded the old list finish
958    /// using it -- no torn reads.
959    pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960        let count = keys.len();
961        self.api_keys.store(Arc::new(keys));
962        tracing::info!(keys = count, "API keys reloaded");
963    }
964
965    /// Snapshot auth counters for diagnostics and tests.
966    #[must_use]
967    pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968        self.counters.snapshot()
969    }
970
971    /// Produce the admin-endpoint list of API keys (metadata only, no hashes).
972    #[must_use]
973    pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974        self.api_keys
975            .load()
976            .iter()
977            .map(|k| ApiKeySummary {
978                name: k.name.clone(),
979                role: k.role.clone(),
980                expires_at: k.expires_at,
981            })
982            .collect()
983    }
984
985    /// Log auth success: INFO on first occurrence per identity, DEBUG after.
986    ///
987    /// Backed by [`SeenIdentitySet`], a bounded FIFO set that caps
988    /// retained identities to prevent attacker-driven memory growth.
989    /// FIFO (not LRU) is intentional: this cache de-duplicates INFO logs,
990    /// not security state, so per-hit eviction-order mutation is not
991    /// justified. See [`SeenIdentitySet`] for the full trade-off rationale.
992    fn log_auth(&self, id: &AuthIdentity, method: &str) {
993        self.counters.record_success(id.method);
994        let first = self.seen_identities.insert_is_first(&id.name);
995        if first {
996            tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997        } else {
998            tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999        }
1000    }
1001}
1002
1003/// Default auth rate limit: 30 attempts per minute per source IP.
1004// SAFETY: unwrap() is safe - literal 30 is provably non-zero (const-evaluated).
1005const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007/// Apply an optional burst capacity to a quota. `None` keeps governor's
1008/// default (burst = rate). Zero values are rejected at config-validation
1009/// time; the `NonZeroU32` filter here is defensive only.
1010fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011    match burst.and_then(NonZeroU32::new) {
1012        Some(b) => quota.allow_burst(b),
1013        None => quota,
1014    }
1015}
1016
1017/// Create a post-failure rate limiter from config.
1018#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020    let quota = governor::Quota::per_minute(
1021        NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022    );
1023    let quota = apply_burst(quota, config.burst);
1024    Arc::new(BoundedKeyedLimiter::new(
1025        quota,
1026        config.max_tracked_keys,
1027        config.idle_eviction,
1028    ))
1029}
1030
1031/// Create a pre-auth abuse-gate rate limiter from config.
1032///
1033/// Quota: `pre_auth_max_per_minute` if set, otherwise
1034/// `max_attempts_per_minute * 10` (capped at `u32::MAX`). The 10× factor
1035/// keeps the gate generous enough for honest retries while still bounding
1036/// attacker CPU on Argon2 verification.
1037#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039    let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040        config
1041            .max_attempts_per_minute
1042            .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043    });
1044    let quota =
1045        governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046    let quota = apply_burst(quota, config.pre_auth_burst);
1047    Arc::new(BoundedKeyedLimiter::new(
1048        quota,
1049        config.max_tracked_keys,
1050        config.idle_eviction,
1051    ))
1052}
1053
1054/// Default multiplier applied to `max_attempts_per_minute` when the operator
1055/// does not set `pre_auth_max_per_minute` explicitly.
1056const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058/// Default pre-auth abuse-gate rate (used only if both the configured value
1059/// and the multiplied fallback are zero, which `NonZeroU32::new` rejects).
1060// SAFETY: unwrap() is safe - literal 300 is provably non-zero (const-evaluated).
1061const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063/// Parse an mTLS client certificate and extract an `AuthIdentity`.
1064///
1065/// Reads the Subject CN as the identity name. Falls back to the first
1066/// DNS SAN if CN is absent. The role is taken from the `MtlsConfig`.
1067#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069    let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071    // Try CN from Subject first.
1072    let cn = cert
1073        .subject()
1074        .iter_common_name()
1075        .next()
1076        .and_then(|attr| attr.as_str().ok())
1077        .map(String::from);
1078
1079    // Fall back to first DNS SAN.
1080    let name = cn.or_else(|| {
1081        cert.subject_alternative_name()
1082            .ok()
1083            .flatten()
1084            .and_then(|san| {
1085                #[allow(
1086                    clippy::wildcard_enum_match_arm,
1087                    reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088                )]
1089                san.value.general_names.iter().find_map(|gn| match gn {
1090                    GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091                    _ => None,
1092                })
1093            })
1094    })?;
1095
1096    // Reject identities with characters unsafe for logging and RBAC matching.
1097    if !name
1098        .chars()
1099        .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100    {
1101        tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102        return None;
1103    }
1104
1105    Some(AuthIdentity {
1106        name,
1107        role: default_role.to_owned(),
1108        method: AuthMethod::MtlsCertificate,
1109        raw_token: None,
1110        sub: None,
1111    })
1112}
1113
1114/// Extract the bearer token from an `Authorization` header value.
1115///
1116/// Implements RFC 7235 §2.1: the auth-scheme token is **case-insensitive**.
1117/// `Bearer`, `bearer`, `BEARER`, and `BeArEr` all parse equivalently. Any
1118/// leading whitespace between the scheme and the token is trimmed (per
1119/// RFC 7235 the separator is one or more SP characters; we accept the
1120/// common single-space form plus tolerate extras).
1121///
1122/// Returns `None` if the header value:
1123/// - does not contain a space (no scheme/credentials boundary), or
1124/// - uses a scheme other than `Bearer` (case-insensitively).
1125///
1126/// The caller is responsible for token-level validation (length, charset,
1127/// signature, etc.); this helper only handles the scheme prefix.
1128fn extract_bearer(value: &str) -> Option<&str> {
1129    let (scheme, rest) = value.split_once(' ')?;
1130    if scheme.eq_ignore_ascii_case("Bearer") {
1131        let token = rest.trim_start_matches(' ');
1132        if token.is_empty() { None } else { Some(token) }
1133    } else {
1134        None
1135    }
1136}
1137
1138/// Verify a bearer token against configured API keys.
1139///
1140/// Argon2id verification is CPU-intensive, so this should be called via
1141/// `spawn_blocking`. Returns the matching identity if the token is valid.
1142///
1143/// # Timing-side-channel resistance
1144///
1145/// Always performs **exactly one Argon2id verification per configured key**,
1146/// regardless of:
1147///
1148/// * which slot (if any) matches the presented token, or
1149/// * whether a key has expired.
1150///
1151/// Expired and post-match slots are verified against an internal dummy PHC hash,
1152/// a fixed Argon2id PHC string with the same cost parameters as the real
1153/// hashes. This bounds the timing observable to "one Argon2 per configured
1154/// key" regardless of which (if any) slot held the matching credential,
1155/// closing the first-match latency oracle (CWE-208) and the expired-slot
1156/// timing leak.
1157///
1158/// `subtle::ConstantTimeEq` is used to fold per-slot match bits into the
1159/// final result so the compiler cannot reintroduce a data-dependent branch.
1160///
1161/// # Panics
1162///
1163/// Panics if the internal dummy PHC hash cannot be parsed as an Argon2id PHC string.
1164/// This is impossible by construction: the static is generated by
1165/// [`argon2::Argon2::hash_password`] which always emits a valid PHC string.
1166#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168    use subtle::ConstantTimeEq as _;
1169
1170    let now = chrono::Utc::now();
1171    #[allow(
1172        clippy::expect_used,
1173        reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174    )]
1175    let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176        .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178    let mut matched_index: usize = usize::MAX;
1179    let mut any_match: u8 = 0;
1180
1181    for (idx, key) in keys.iter().enumerate() {
1182        let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184        let real_hash = PasswordHash::new(&key.hash);
1185        let verify_against = match (&real_hash, expired, any_match) {
1186            (Ok(h), false, 0) => h,
1187            _ => &dummy_hash,
1188        };
1189
1190        let slot_ok = u8::from(
1191            Argon2::default()
1192                .verify_password(token.as_bytes(), verify_against)
1193                .is_ok(),
1194        );
1195
1196        let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197        let first_real_match = real_match & (1 - any_match);
1198        if first_real_match.ct_eq(&1).into() {
1199            matched_index = idx;
1200        }
1201        any_match |= real_match;
1202    }
1203
1204    if any_match == 0 {
1205        return None;
1206    }
1207    let key = keys.get(matched_index)?;
1208    Some(AuthIdentity {
1209        name: key.name.clone(),
1210        role: key.role.clone(),
1211        method: AuthMethod::BearerToken,
1212        raw_token: None,
1213        sub: None,
1214    })
1215}
1216
1217/// Fixed Argon2id PHC hash used as a constant-time placeholder when an
1218/// API-key slot is expired, malformed, or follows the matching slot.
1219///
1220/// Generated once on first access using the same default Argon2 cost
1221/// parameters as live verifications, so the dummy verify takes
1222/// indistinguishable wall time from a real one. The plaintext
1223/// (`"rmcp-server-kit-dummy"`) and the fixed salt are unrelated to any
1224/// real credential — randomness is unnecessary because this hash is
1225/// only ever compared against attacker-supplied input on slots that
1226/// will be discarded regardless of match result. Using a fixed salt
1227/// avoids depending on `rand_core`'s `getrandom` feature, which is not
1228/// activated transitively in every feature configuration of this crate.
1229static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230    // 16 bytes of base64 (`AAAA...`) — minimum valid Argon2 salt length.
1231    #[allow(
1232        clippy::expect_used,
1233        reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234    )]
1235    let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236        .expect("fixed 16-byte base64 salt is well-formed");
1237    #[allow(
1238        clippy::expect_used,
1239        reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240    )]
1241    Argon2::default()
1242        .hash_password(b"rmcp-server-kit-dummy", &salt)
1243        .expect("Argon2 default params hash a fixed plaintext")
1244        .to_string()
1245});
1246
1247/// Generate a new API key: 256-bit random token + Argon2id hash.
1248///
1249/// Returns `(plaintext_token, argon2id_hash_phc_string)`.
1250/// The plaintext is shown once to the user and never stored.
1251///
1252/// # Errors
1253///
1254/// Returns an error if salt encoding or Argon2id hashing fails
1255/// (should not happen with valid inputs, but we avoid panicking).
1256pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257    let mut token_bytes = [0u8; 32];
1258    rand::fill(&mut token_bytes);
1259    let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261    // Generate 16 random bytes for salt, encode as base64 for SaltString.
1262    let mut salt_bytes = [0u8; 16];
1263    rand::fill(&mut salt_bytes);
1264    let salt = SaltString::encode_b64(&salt_bytes)
1265        .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266    let hash = Argon2::default()
1267        .hash_password(token.as_bytes(), &salt)
1268        .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269        .to_string();
1270
1271    Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275    advertise_resource_metadata: bool,
1276    failure: AuthFailureClass,
1277) -> String {
1278    let (error, error_description) = failure.bearer_error();
1279    if advertise_resource_metadata {
1280        return format!(
1281            "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282        );
1283    }
1284    format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288    match method {
1289        AuthMethod::MtlsCertificate => "mTLS",
1290        AuthMethod::BearerToken => "bearer token",
1291        AuthMethod::OAuthJwt => "OAuth JWT",
1292    }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297    #[cfg(feature = "oauth")]
1298    let advertise_resource_metadata = state.jwks_cache.is_some();
1299    #[cfg(not(feature = "oauth"))]
1300    let advertise_resource_metadata = false;
1301
1302    let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303    (
1304        axum::http::StatusCode::UNAUTHORIZED,
1305        [(header::WWW_AUTHENTICATE, challenge)],
1306        failure_class.response_body(),
1307    )
1308        .into_response()
1309}
1310
1311async fn authenticate_bearer_identity(
1312    state: &AuthState,
1313    token: &str,
1314) -> Result<AuthIdentity, AuthFailureClass> {
1315    let mut failure_class = AuthFailureClass::MissingCredential;
1316
1317    #[cfg(feature = "oauth")]
1318    if let Some(ref cache) = state.jwks_cache
1319        && crate::oauth::looks_like_jwt(token)
1320    {
1321        match cache.validate_token_with_reason(token).await {
1322            Ok(mut id) => {
1323                id.raw_token = Some(SecretString::from(token.to_owned()));
1324                return Ok(id);
1325            }
1326            Err(crate::oauth::JwtValidationFailure::Expired) => {
1327                failure_class = AuthFailureClass::ExpiredCredential;
1328            }
1329            Err(crate::oauth::JwtValidationFailure::Invalid) => {
1330                failure_class = AuthFailureClass::InvalidCredential;
1331            }
1332        }
1333    }
1334
1335    let token = token.to_owned();
1336    let keys = state.api_keys.load_full(); // Arc clone, lock-free
1337
1338    // Argon2id is CPU-bound - offload to blocking thread pool.
1339    let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1340        .await
1341        .ok()
1342        .flatten();
1343
1344    if let Some(id) = identity {
1345        return Ok(id);
1346    }
1347
1348    if failure_class == AuthFailureClass::MissingCredential {
1349        failure_class = AuthFailureClass::InvalidCredential;
1350    }
1351
1352    Err(failure_class)
1353}
1354
1355/// Consult the pre-auth abuse gate for the given peer.
1356///
1357/// Returns `Some(response)` if the request should be rejected (limiter
1358/// configured AND quota exhausted for this source IP). Returns `None`
1359/// otherwise (limiter absent, peer address unknown, or quota available),
1360/// in which case the caller should proceed with credential verification.
1361///
1362/// Side effects on rejection: increments the `pre_auth_gate` failure
1363/// counter and emits a warn-level log. mTLS-authenticated requests must
1364/// be admitted by the caller *before* invoking this helper.
1365fn pre_auth_gate(state: &AuthState, peer_addr: Option<SocketAddr>) -> Option<Response> {
1366    let limiter = state.pre_auth_limiter.as_ref()?;
1367    let addr = peer_addr?;
1368    let Err(wait) = limiter.check_key_wait(&addr.ip()) else {
1369        return None;
1370    };
1371    state.counters.record_failure(AuthFailureClass::PreAuthGate);
1372    tracing::warn!(
1373        ip = %addr.ip(),
1374        "auth rate limited by pre-auth gate (request rejected before credential verification)"
1375    );
1376    Some(
1377        McpxError::RateLimitedFor {
1378            message: "too many unauthenticated requests from this source".into(),
1379            retry_after: wait,
1380        }
1381        .into_response(),
1382    )
1383}
1384
1385/// Axum middleware that enforces authentication.
1386///
1387/// Tries authentication methods in priority order:
1388/// 1. mTLS client certificate identity (populated by TLS acceptor)
1389/// 2. Bearer token from `Authorization` header
1390///
1391/// Failed authentication attempts are rate-limited per source IP.
1392/// Successful authentications do not consume rate limit budget.
1393pub(crate) async fn auth_middleware(
1394    state: Arc<AuthState>,
1395    req: Request<Body>,
1396    next: Next,
1397) -> Response {
1398    // Extract peer address (and any mTLS identity) from ConnectInfo.
1399    // Plain TCP: ConnectInfo<SocketAddr>. TLS / mTLS: ConnectInfo<TlsConnInfo>,
1400    // which carries the verified identity directly on the connection — no
1401    // shared map, no port-reuse aliasing.
1402    let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1403    let peer_addr = req
1404        .extensions()
1405        .get::<ConnectInfo<SocketAddr>>()
1406        .map(|ci| ci.0)
1407        .or_else(|| tls_info.as_ref().map(|ci| ci.0.addr));
1408
1409    // 1. Try mTLS identity (extracted by the TLS acceptor during handshake
1410    //    and attached to the connection itself).
1411    //
1412    //    mTLS connections bypass the pre-auth abuse gate below: the TLS
1413    //    handshake already performed expensive crypto with a verified peer,
1414    //    so we trust them not to be a CPU-spray attacker.
1415    if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1416        state.log_auth(&id, "mTLS");
1417        let mut req = req;
1418        req.extensions_mut().insert(id);
1419        return next.run(req).await;
1420    }
1421
1422    // 2. Pre-auth abuse gate: rejects CPU-spray attacks BEFORE the Argon2id
1423    //    verification path runs. Keyed by source IP. mTLS connections (above)
1424    //    are exempt; this gate only protects the bearer/JWT verification path.
1425    if let Some(blocked) = pre_auth_gate(&state, peer_addr) {
1426        return blocked;
1427    }
1428
1429    let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1430        match value.to_str().ok().and_then(extract_bearer) {
1431            Some(token) => match authenticate_bearer_identity(&state, token).await {
1432                Ok(id) => {
1433                    state.log_auth(&id, auth_method_label(id.method));
1434                    let mut req = req;
1435                    req.extensions_mut().insert(id);
1436                    return next.run(req).await;
1437                }
1438                Err(class) => class,
1439            },
1440            None => AuthFailureClass::InvalidCredential,
1441        }
1442    } else {
1443        AuthFailureClass::MissingCredential
1444    };
1445
1446    tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1447
1448    // Rate limit check (applied after auth failure only).
1449    // Successful authentications do not consume rate limit budget.
1450    if let (Some(limiter), Some(addr)) = (&state.rate_limiter, peer_addr)
1451        && let Err(wait) = limiter.check_key_wait(&addr.ip())
1452    {
1453        state.counters.record_failure(AuthFailureClass::RateLimited);
1454        tracing::warn!(ip = %addr.ip(), "auth rate limited after repeated failures");
1455        return McpxError::RateLimitedFor {
1456            message: "too many failed authentication attempts".into(),
1457            retry_after: wait,
1458        }
1459        .into_response();
1460    }
1461
1462    state.counters.record_failure(failure_class);
1463    unauthorized_response(&state, failure_class)
1464}
1465
1466#[cfg(test)]
1467mod tests {
1468    use super::*;
1469
1470    #[test]
1471    fn generate_and_verify_api_key() {
1472        let (token, hash) = generate_api_key().unwrap();
1473
1474        // Token is 43 chars (256-bit base64url, no padding)
1475        assert_eq!(token.len(), 43);
1476
1477        // Hash is a valid PHC string
1478        assert!(hash.starts_with("$argon2id$"));
1479
1480        // Verification succeeds with correct token
1481        let keys = vec![ApiKeyEntry {
1482            name: "test".into(),
1483            hash,
1484            role: "viewer".into(),
1485            expires_at: None,
1486        }];
1487        let id = verify_bearer_token(&token, &keys);
1488        assert!(id.is_some());
1489        let id = id.unwrap();
1490        assert_eq!(id.name, "test");
1491        assert_eq!(id.role, "viewer");
1492        assert_eq!(id.method, AuthMethod::BearerToken);
1493    }
1494
1495    #[test]
1496    fn wrong_token_rejected() {
1497        let (_token, hash) = generate_api_key().unwrap();
1498        let keys = vec![ApiKeyEntry {
1499            name: "test".into(),
1500            hash,
1501            role: "viewer".into(),
1502            expires_at: None,
1503        }];
1504        assert!(verify_bearer_token("wrong-token", &keys).is_none());
1505    }
1506
1507    #[test]
1508    fn expired_key_rejected() {
1509        let (token, hash) = generate_api_key().unwrap();
1510        let keys = vec![ApiKeyEntry {
1511            name: "test".into(),
1512            hash,
1513            role: "viewer".into(),
1514            expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1515        }];
1516        assert!(verify_bearer_token(&token, &keys).is_none());
1517    }
1518
1519    #[test]
1520    fn match_in_last_slot_still_authenticates() {
1521        let (token, hash) = generate_api_key().unwrap();
1522        let (_other_token, other_hash) = generate_api_key().unwrap();
1523        let keys = vec![
1524            ApiKeyEntry {
1525                name: "first".into(),
1526                hash: other_hash.clone(),
1527                role: "viewer".into(),
1528                expires_at: None,
1529            },
1530            ApiKeyEntry {
1531                name: "second".into(),
1532                hash: other_hash,
1533                role: "viewer".into(),
1534                expires_at: None,
1535            },
1536            ApiKeyEntry {
1537                name: "match".into(),
1538                hash,
1539                role: "ops".into(),
1540                expires_at: None,
1541            },
1542        ];
1543        let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1544        assert_eq!(id.name, "match");
1545        assert_eq!(id.role, "ops");
1546    }
1547
1548    #[test]
1549    fn expired_slot_before_valid_match_does_not_short_circuit() {
1550        let (token, hash) = generate_api_key().unwrap();
1551        let (_, other_hash) = generate_api_key().unwrap();
1552        let keys = vec![
1553            ApiKeyEntry {
1554                name: "expired".into(),
1555                hash: other_hash,
1556                role: "viewer".into(),
1557                expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1558            },
1559            ApiKeyEntry {
1560                name: "valid".into(),
1561                hash,
1562                role: "ops".into(),
1563                expires_at: None,
1564            },
1565        ];
1566        let id = verify_bearer_token(&token, &keys)
1567            .expect("valid slot following an expired slot must authenticate");
1568        assert_eq!(id.name, "valid");
1569    }
1570
1571    #[test]
1572    fn malformed_hash_slot_does_not_short_circuit() {
1573        let (token, hash) = generate_api_key().unwrap();
1574        let keys = vec![
1575            ApiKeyEntry {
1576                name: "broken".into(),
1577                hash: "this-is-not-a-phc-string".into(),
1578                role: "viewer".into(),
1579                expires_at: None,
1580            },
1581            ApiKeyEntry {
1582                name: "valid".into(),
1583                hash,
1584                role: "ops".into(),
1585                expires_at: None,
1586            },
1587        ];
1588        let id = verify_bearer_token(&token, &keys)
1589            .expect("valid slot following a malformed-hash slot must authenticate");
1590        assert_eq!(id.name, "valid");
1591    }
1592
1593    // Regression tests for H3 (api_key_expires_at_fail_open).
1594    //
1595    // Prior to 1.6.0 the runtime expiry check used a chained
1596    // `if let Some(_) && let Ok(exp) = parse(_) && exp < now` which
1597    // silently fell through on parse error, letting a key with
1598    // `expires_at = "not-a-date"` authenticate forever. These tests
1599    // pin the type-system fix: malformed RFC 3339 is rejected at
1600    // deserialization time (no `RfcTimestamp` can ever be malformed),
1601    // and the runtime check is a pure comparison with no parse path.
1602
1603    #[test]
1604    fn rfc_timestamp_parse_rejects_malformed() {
1605        for bad in [
1606            "not-a-date",
1607            "",
1608            "2025-13-01T00:00:00Z", // month 13
1609            "2025-01-32T00:00:00Z", // day 32
1610            "2025-01-01T00:00:00",  // missing offset
1611            "01/01/2025",           // wrong format
1612            "2025-01-01T25:00:00Z", // hour 25
1613        ] {
1614            assert!(
1615                RfcTimestamp::parse(bad).is_err(),
1616                "RfcTimestamp::parse must reject {bad:?}"
1617            );
1618        }
1619    }
1620
1621    #[test]
1622    fn rfc_timestamp_parse_accepts_valid() {
1623        for good in [
1624            "2025-01-01T00:00:00Z",
1625            "2025-01-01T00:00:00+00:00",
1626            "2025-12-31T23:59:59-08:00",
1627            "2099-01-01T00:00:00.123456789Z",
1628        ] {
1629            assert!(
1630                RfcTimestamp::parse(good).is_ok(),
1631                "RfcTimestamp::parse must accept {good:?}"
1632            );
1633        }
1634    }
1635
1636    #[test]
1637    fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1638        // TOML with a malformed expires_at must fail to deserialize.
1639        // This is the load-time defense: a typo in auth.toml aborts
1640        // config load with a clear serde error, instead of producing
1641        // a key that authenticates forever (the H3 fail-open).
1642        let toml = r#"
1643            name = "bad-key"
1644            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1645            role = "viewer"
1646            expires_at = "not-a-date"
1647        "#;
1648        let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1649        assert!(
1650            result.is_err(),
1651            "deserialization must reject malformed expires_at"
1652        );
1653    }
1654
1655    #[test]
1656    fn api_key_entry_deserialize_accepts_valid_expires_at() {
1657        let toml = r#"
1658            name = "good-key"
1659            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1660            role = "viewer"
1661            expires_at = "2099-01-01T00:00:00Z"
1662        "#;
1663        let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1664        assert!(entry.expires_at.is_some());
1665    }
1666
1667    #[test]
1668    fn api_key_entry_deserialize_accepts_missing_expires_at() {
1669        // Omitting expires_at must continue to mean "no expiry"; this
1670        // is the documented contract and must survive the H3 fix.
1671        let toml = r#"
1672            name = "eternal-key"
1673            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1674            role = "viewer"
1675        "#;
1676        let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1677        assert!(entry.expires_at.is_none());
1678    }
1679
1680    #[test]
1681    fn try_with_expiry_rejects_malformed() {
1682        let entry = ApiKeyEntry::new("k", "hash", "viewer");
1683        assert!(entry.try_with_expiry("not-a-date").is_err());
1684    }
1685
1686    #[test]
1687    fn try_with_expiry_accepts_valid() {
1688        let entry = ApiKeyEntry::new("k", "hash", "viewer")
1689            .try_with_expiry("2099-01-01T00:00:00Z")
1690            .expect("valid RFC 3339 must be accepted");
1691        assert!(entry.expires_at.is_some());
1692    }
1693
1694    #[test]
1695    fn api_key_summary_serializes_expires_at_as_rfc3339() {
1696        // The admin endpoint wire format is `{"expires_at": "RFC 3339 str"}`.
1697        // Pinning this prevents an accidental serialization-format change
1698        // (e.g. chrono's debug form, a Unix timestamp) that would silently
1699        // break operator tooling that parses these payloads.
1700        let summary = ApiKeySummary {
1701            name: "k".into(),
1702            role: "viewer".into(),
1703            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1704        };
1705        let json = serde_json::to_string(&summary).unwrap();
1706        assert!(
1707            json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1708            "wire format regressed: {json}"
1709        );
1710    }
1711
1712    #[test]
1713    fn future_expiry_accepted() {
1714        let (token, hash) = generate_api_key().unwrap();
1715        let keys = vec![ApiKeyEntry {
1716            name: "test".into(),
1717            hash,
1718            role: "viewer".into(),
1719            expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1720        }];
1721        assert!(verify_bearer_token(&token, &keys).is_some());
1722    }
1723
1724    #[test]
1725    fn multiple_keys_first_match_wins() {
1726        let (token, hash) = generate_api_key().unwrap();
1727        let keys = vec![
1728            ApiKeyEntry {
1729                name: "wrong".into(),
1730                hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1731                role: "ops".into(),
1732                expires_at: None,
1733            },
1734            ApiKeyEntry {
1735                name: "correct".into(),
1736                hash,
1737                role: "deploy".into(),
1738                expires_at: None,
1739            },
1740        ];
1741        let id = verify_bearer_token(&token, &keys).unwrap();
1742        assert_eq!(id.name, "correct");
1743        assert_eq!(id.role, "deploy");
1744    }
1745
1746    #[test]
1747    fn rate_limiter_allows_within_quota() {
1748        let config = RateLimitConfig {
1749            max_attempts_per_minute: 5,
1750            pre_auth_max_per_minute: None,
1751            max_tracked_keys: default_max_tracked_keys(),
1752            idle_eviction: default_idle_eviction(),
1753            burst: None,
1754            pre_auth_burst: None,
1755        };
1756        let limiter = build_rate_limiter(&config);
1757        let ip: IpAddr = "10.0.0.1".parse().unwrap();
1758
1759        // First 5 should succeed.
1760        for _ in 0..5 {
1761            assert!(limiter.check_key(&ip).is_ok());
1762        }
1763        // 6th should fail.
1764        assert!(limiter.check_key(&ip).is_err());
1765    }
1766
1767    #[test]
1768    fn rate_limiter_separate_ips() {
1769        let config = RateLimitConfig {
1770            max_attempts_per_minute: 2,
1771            pre_auth_max_per_minute: None,
1772            max_tracked_keys: default_max_tracked_keys(),
1773            idle_eviction: default_idle_eviction(),
1774            burst: None,
1775            pre_auth_burst: None,
1776        };
1777        let limiter = build_rate_limiter(&config);
1778        let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1779        let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1780
1781        // Exhaust ip1's quota.
1782        assert!(limiter.check_key(&ip1).is_ok());
1783        assert!(limiter.check_key(&ip1).is_ok());
1784        assert!(limiter.check_key(&ip1).is_err());
1785
1786        // ip2 should still have quota.
1787        assert!(limiter.check_key(&ip2).is_ok());
1788    }
1789
1790    #[test]
1791    fn extract_mtls_identity_from_cn() {
1792        // Generate a cert with explicit CN.
1793        let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1794        params.distinguished_name = rcgen::DistinguishedName::new();
1795        params
1796            .distinguished_name
1797            .push(rcgen::DnType::CommonName, "test-client");
1798        let cert = params
1799            .self_signed(&rcgen::KeyPair::generate().unwrap())
1800            .unwrap();
1801        let der = cert.der();
1802
1803        let id = extract_mtls_identity(der, "ops").unwrap();
1804        assert_eq!(id.name, "test-client");
1805        assert_eq!(id.role, "ops");
1806        assert_eq!(id.method, AuthMethod::MtlsCertificate);
1807    }
1808
1809    #[test]
1810    fn extract_mtls_identity_falls_back_to_san() {
1811        // Cert with no CN but has a DNS SAN.
1812        let mut params =
1813            rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1814        params.distinguished_name = rcgen::DistinguishedName::new();
1815        // No CN set - should fall back to DNS SAN.
1816        let cert = params
1817            .self_signed(&rcgen::KeyPair::generate().unwrap())
1818            .unwrap();
1819        let der = cert.der();
1820
1821        let id = extract_mtls_identity(der, "viewer").unwrap();
1822        assert_eq!(id.name, "san-only.example.com");
1823        assert_eq!(id.role, "viewer");
1824    }
1825
1826    #[test]
1827    fn extract_mtls_identity_invalid_der() {
1828        assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1829    }
1830
1831    // -- auth_middleware integration tests --
1832
1833    use axum::{
1834        body::Body,
1835        http::{Request, StatusCode},
1836    };
1837    use tower::ServiceExt as _;
1838
1839    fn auth_router(state: Arc<AuthState>) -> axum::Router {
1840        axum::Router::new()
1841            .route("/mcp", axum::routing::post(|| async { "ok" }))
1842            .layer(axum::middleware::from_fn(move |req, next| {
1843                let s = Arc::clone(&state);
1844                auth_middleware(s, req, next)
1845            }))
1846    }
1847
1848    fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1849        Arc::new(AuthState {
1850            api_keys: ArcSwap::new(Arc::new(keys)),
1851            rate_limiter: None,
1852            pre_auth_limiter: None,
1853            #[cfg(feature = "oauth")]
1854            jwks_cache: None,
1855            seen_identities: SeenIdentitySet::new(),
1856            counters: AuthCounters::default(),
1857        })
1858    }
1859
1860    #[tokio::test]
1861    async fn middleware_rejects_no_credentials() {
1862        let state = test_auth_state(vec![]);
1863        let app = auth_router(Arc::clone(&state));
1864        let req = Request::builder()
1865            .method(axum::http::Method::POST)
1866            .uri("/mcp")
1867            .body(Body::empty())
1868            .unwrap();
1869        let resp = app.oneshot(req).await.unwrap();
1870        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1871        let challenge = resp
1872            .headers()
1873            .get(header::WWW_AUTHENTICATE)
1874            .unwrap()
1875            .to_str()
1876            .unwrap();
1877        assert!(challenge.contains("error=\"invalid_request\""));
1878
1879        let counters = state.counters_snapshot();
1880        assert_eq!(counters.failure_missing_credential, 1);
1881    }
1882
1883    #[tokio::test]
1884    async fn middleware_accepts_valid_bearer() {
1885        let (token, hash) = generate_api_key().unwrap();
1886        let keys = vec![ApiKeyEntry {
1887            name: "test-key".into(),
1888            hash,
1889            role: "ops".into(),
1890            expires_at: None,
1891        }];
1892        let state = test_auth_state(keys);
1893        let app = auth_router(Arc::clone(&state));
1894        let req = Request::builder()
1895            .method(axum::http::Method::POST)
1896            .uri("/mcp")
1897            .header("authorization", format!("Bearer {token}"))
1898            .body(Body::empty())
1899            .unwrap();
1900        let resp = app.oneshot(req).await.unwrap();
1901        assert_eq!(resp.status(), StatusCode::OK);
1902
1903        let counters = state.counters_snapshot();
1904        assert_eq!(counters.success_bearer, 1);
1905    }
1906
1907    #[tokio::test]
1908    async fn middleware_rejects_wrong_bearer() {
1909        let (_token, hash) = generate_api_key().unwrap();
1910        let keys = vec![ApiKeyEntry {
1911            name: "test-key".into(),
1912            hash,
1913            role: "ops".into(),
1914            expires_at: None,
1915        }];
1916        let state = test_auth_state(keys);
1917        let app = auth_router(Arc::clone(&state));
1918        let req = Request::builder()
1919            .method(axum::http::Method::POST)
1920            .uri("/mcp")
1921            .header("authorization", "Bearer wrong-token-here")
1922            .body(Body::empty())
1923            .unwrap();
1924        let resp = app.oneshot(req).await.unwrap();
1925        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1926        let challenge = resp
1927            .headers()
1928            .get(header::WWW_AUTHENTICATE)
1929            .unwrap()
1930            .to_str()
1931            .unwrap();
1932        assert!(challenge.contains("error=\"invalid_token\""));
1933
1934        let counters = state.counters_snapshot();
1935        assert_eq!(counters.failure_invalid_credential, 1);
1936    }
1937
1938    #[tokio::test]
1939    async fn middleware_rate_limits() {
1940        let state = Arc::new(AuthState {
1941            api_keys: ArcSwap::new(Arc::new(vec![])),
1942            rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1943                max_attempts_per_minute: 1,
1944                pre_auth_max_per_minute: None,
1945                max_tracked_keys: default_max_tracked_keys(),
1946                idle_eviction: default_idle_eviction(),
1947                burst: None,
1948                pre_auth_burst: None,
1949            })),
1950            pre_auth_limiter: None,
1951            #[cfg(feature = "oauth")]
1952            jwks_cache: None,
1953            seen_identities: SeenIdentitySet::new(),
1954            counters: AuthCounters::default(),
1955        });
1956        let app = auth_router(state);
1957
1958        // First request: UNAUTHORIZED (no credentials, but not rate limited)
1959        let req = Request::builder()
1960            .method(axum::http::Method::POST)
1961            .uri("/mcp")
1962            .body(Body::empty())
1963            .unwrap();
1964        let resp = app.clone().oneshot(req).await.unwrap();
1965        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1966
1967        // Second request from same "IP" (no ConnectInfo in test, so peer_addr is None
1968        // and rate limiter won't fire). That's expected -- rate limiting requires
1969        // ConnectInfo which isn't available in unit tests without a real server.
1970        // This test verifies the middleware wiring doesn't panic.
1971    }
1972
1973    /// Verify that rate limit semantics: only failed auth attempts consume budget.
1974    ///
1975    /// This is a unit test of the limiter behavior. The middleware integration
1976    /// is that on auth failure, `check_key` is called; on auth success, it is NOT.
1977    /// Full e2e tests verify the middleware routing but require `ConnectInfo`.
1978    #[test]
1979    fn rate_limit_semantics_failed_only() {
1980        let config = RateLimitConfig {
1981            max_attempts_per_minute: 3,
1982            pre_auth_max_per_minute: None,
1983            max_tracked_keys: default_max_tracked_keys(),
1984            idle_eviction: default_idle_eviction(),
1985            burst: None,
1986            pre_auth_burst: None,
1987        };
1988        let limiter = build_rate_limiter(&config);
1989        let ip: IpAddr = "192.168.1.100".parse().unwrap();
1990
1991        // Simulate: 3 failed attempts should exhaust quota.
1992        assert!(
1993            limiter.check_key(&ip).is_ok(),
1994            "failure 1 should be allowed"
1995        );
1996        assert!(
1997            limiter.check_key(&ip).is_ok(),
1998            "failure 2 should be allowed"
1999        );
2000        assert!(
2001            limiter.check_key(&ip).is_ok(),
2002            "failure 3 should be allowed"
2003        );
2004        assert!(
2005            limiter.check_key(&ip).is_err(),
2006            "failure 4 should be blocked"
2007        );
2008
2009        // In the actual middleware flow:
2010        // - Successful auth: verify_bearer_token returns Some, we return early
2011        //   WITHOUT calling check_key, so no budget consumed.
2012        // - Failed auth: verify_bearer_token returns None, we call check_key
2013        //   THEN return 401, so budget is consumed.
2014        //
2015        // This means N successful requests followed by M failed requests
2016        // will only count M toward the rate limit, not N+M.
2017    }
2018
2019    // -- pre-auth abuse gate (H-S1) --
2020
2021    /// The pre-auth gate must default to ~10x the post-failure quota so honest
2022    /// retry storms never trip it but a Argon2-spray attacker is throttled.
2023    #[test]
2024    fn pre_auth_default_multiplier_is_10x() {
2025        let config = RateLimitConfig {
2026            max_attempts_per_minute: 5,
2027            pre_auth_max_per_minute: None,
2028            max_tracked_keys: default_max_tracked_keys(),
2029            idle_eviction: default_idle_eviction(),
2030            burst: None,
2031            pre_auth_burst: None,
2032        };
2033        let limiter = build_pre_auth_limiter(&config);
2034        let ip: IpAddr = "10.0.0.1".parse().unwrap();
2035
2036        // Quota should be 50 (5 * 10), not 5. We expect the first 50 to pass.
2037        for i in 0..50 {
2038            assert!(
2039                limiter.check_key(&ip).is_ok(),
2040                "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2041            );
2042        }
2043        // The 51st attempt must be blocked: confirms quota is bounded, not infinite.
2044        assert!(
2045            limiter.check_key(&ip).is_err(),
2046            "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2047        );
2048    }
2049
2050    /// An explicit `pre_auth_max_per_minute` override must win over the
2051    /// 10x-multiplier default.
2052    #[test]
2053    fn pre_auth_explicit_override_wins() {
2054        let config = RateLimitConfig {
2055            max_attempts_per_minute: 100,     // would default to 1000 pre-auth quota
2056            pre_auth_max_per_minute: Some(2), // but operator caps at 2
2057            max_tracked_keys: default_max_tracked_keys(),
2058            idle_eviction: default_idle_eviction(),
2059            burst: None,
2060            pre_auth_burst: None,
2061        };
2062        let limiter = build_pre_auth_limiter(&config);
2063        let ip: IpAddr = "10.0.0.2".parse().unwrap();
2064
2065        assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2066        assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2067        assert!(
2068            limiter.check_key(&ip).is_err(),
2069            "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2070        );
2071    }
2072
2073    /// The pre-auth gate's 429 must carry a Retry-After header.
2074    #[test]
2075    fn pre_auth_gate_deny_sets_retry_after() {
2076        let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2077        let state = AuthState {
2078            api_keys: ArcSwap::new(Arc::new(vec![])),
2079            rate_limiter: None,
2080            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2081            #[cfg(feature = "oauth")]
2082            jwks_cache: None,
2083            seen_identities: SeenIdentitySet::new(),
2084            counters: AuthCounters::default(),
2085        };
2086        let addr: SocketAddr = "10.7.7.7:55555".parse().unwrap();
2087        assert!(
2088            pre_auth_gate(&state, Some(addr)).is_none(),
2089            "first request within quota"
2090        );
2091        let resp = pre_auth_gate(&state, Some(addr)).expect("second request must be gated");
2092        assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2093        let retry_after = resp
2094            .headers()
2095            .get(header::RETRY_AFTER)
2096            .expect("Retry-After present")
2097            .to_str()
2098            .unwrap()
2099            .parse::<u64>()
2100            .unwrap();
2101        assert!(retry_after >= 1, "delta-seconds must be >= 1");
2102    }
2103
2104    /// Post-failure limiter honors an explicit burst capacity.
2105    #[test]
2106    fn post_failure_limiter_burst_allows_initial_spike() {
2107        let config = RateLimitConfig::new(1).with_burst(3);
2108        let limiter = build_rate_limiter(&config);
2109        let ip: IpAddr = "10.6.6.6".parse().unwrap();
2110        for i in 0..3 {
2111            assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2112        }
2113        assert!(
2114            limiter.check_key(&ip).is_err(),
2115            "attempt 4 must exceed the burst bucket"
2116        );
2117    }
2118
2119    /// End-to-end: the pre-auth gate must reject before the bearer-verification
2120    /// path runs. We exhaust the gate's quota (Some(1)) with one bad-bearer
2121    /// request, then the second request must be rejected with 429 + the
2122    /// `pre_auth_gate` failure counter incremented (NOT
2123    /// `failure_invalid_credential`, which would prove Argon2 ran).
2124    #[tokio::test]
2125    async fn pre_auth_gate_blocks_before_argon2_verification() {
2126        let (_token, hash) = generate_api_key().unwrap();
2127        let keys = vec![ApiKeyEntry {
2128            name: "test-key".into(),
2129            hash,
2130            role: "ops".into(),
2131            expires_at: None,
2132        }];
2133        let config = RateLimitConfig {
2134            max_attempts_per_minute: 100,
2135            pre_auth_max_per_minute: Some(1),
2136            max_tracked_keys: default_max_tracked_keys(),
2137            idle_eviction: default_idle_eviction(),
2138            burst: None,
2139            pre_auth_burst: None,
2140        };
2141        let state = Arc::new(AuthState {
2142            api_keys: ArcSwap::new(Arc::new(keys)),
2143            rate_limiter: None,
2144            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2145            #[cfg(feature = "oauth")]
2146            jwks_cache: None,
2147            seen_identities: SeenIdentitySet::new(),
2148            counters: AuthCounters::default(),
2149        });
2150        let app = auth_router(Arc::clone(&state));
2151        let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2152
2153        // First bad-bearer request: gate has quota, bearer verification runs,
2154        // returns 401 (invalid credential).
2155        let mut req1 = Request::builder()
2156            .method(axum::http::Method::POST)
2157            .uri("/mcp")
2158            .header("authorization", "Bearer obviously-not-a-real-token")
2159            .body(Body::empty())
2160            .unwrap();
2161        req1.extensions_mut().insert(ConnectInfo(peer));
2162        let resp1 = app.clone().oneshot(req1).await.unwrap();
2163        assert_eq!(
2164            resp1.status(),
2165            StatusCode::UNAUTHORIZED,
2166            "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2167        );
2168
2169        // Second bad-bearer request from same IP: gate quota exhausted, must
2170        // reject with 429 BEFORE the Argon2 verification path runs.
2171        let mut req2 = Request::builder()
2172            .method(axum::http::Method::POST)
2173            .uri("/mcp")
2174            .header("authorization", "Bearer also-not-a-real-token")
2175            .body(Body::empty())
2176            .unwrap();
2177        req2.extensions_mut().insert(ConnectInfo(peer));
2178        let resp2 = app.oneshot(req2).await.unwrap();
2179        assert_eq!(
2180            resp2.status(),
2181            StatusCode::TOO_MANY_REQUESTS,
2182            "second attempt from same IP: pre-auth gate must reject with 429"
2183        );
2184
2185        let counters = state.counters_snapshot();
2186        assert_eq!(
2187            counters.failure_pre_auth_gate, 1,
2188            "exactly one request must have been rejected by the pre-auth gate"
2189        );
2190        // Critical: Argon2 verification must NOT have run on the gated request.
2191        // The first request's 401 increments `failure_invalid_credential` to 1;
2192        // the second (gated) request must NOT increment it further.
2193        assert_eq!(
2194            counters.failure_invalid_credential, 1,
2195            "bearer verification must run exactly once (only the un-gated first request)"
2196        );
2197    }
2198
2199    /// mTLS-authenticated requests must bypass the pre-auth gate entirely.
2200    /// The TLS handshake already performed expensive crypto with a verified
2201    /// peer, so mTLS callers should never be throttled by this gate.
2202    ///
2203    /// Setup: a pre-auth gate with quota 1 (very tight). Submit two mTLS
2204    /// requests in quick succession from the same IP. Both must succeed.
2205    #[tokio::test]
2206    async fn pre_auth_gate_does_not_throttle_mtls() {
2207        let config = RateLimitConfig {
2208            max_attempts_per_minute: 100,
2209            pre_auth_max_per_minute: Some(1), // tight: would block 2nd plain request
2210            max_tracked_keys: default_max_tracked_keys(),
2211            idle_eviction: default_idle_eviction(),
2212            burst: None,
2213            pre_auth_burst: None,
2214        };
2215        let state = Arc::new(AuthState {
2216            api_keys: ArcSwap::new(Arc::new(vec![])),
2217            rate_limiter: None,
2218            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2219            #[cfg(feature = "oauth")]
2220            jwks_cache: None,
2221            seen_identities: SeenIdentitySet::new(),
2222            counters: AuthCounters::default(),
2223        });
2224        let app = auth_router(Arc::clone(&state));
2225        let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2226        let identity = AuthIdentity {
2227            name: "cn=test-client".into(),
2228            role: "viewer".into(),
2229            method: AuthMethod::MtlsCertificate,
2230            raw_token: None,
2231            sub: None,
2232        };
2233        let tls_info = TlsConnInfo::new(peer, Some(identity));
2234
2235        for i in 0..3 {
2236            let mut req = Request::builder()
2237                .method(axum::http::Method::POST)
2238                .uri("/mcp")
2239                .body(Body::empty())
2240                .unwrap();
2241            req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2242            let resp = app.clone().oneshot(req).await.unwrap();
2243            assert_eq!(
2244                resp.status(),
2245                StatusCode::OK,
2246                "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2247            );
2248        }
2249
2250        let counters = state.counters_snapshot();
2251        assert_eq!(
2252            counters.failure_pre_auth_gate, 0,
2253            "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2254        );
2255        assert_eq!(
2256            counters.success_mtls, 3,
2257            "all three mTLS requests must have been counted as successful"
2258        );
2259    }
2260
2261    // -------------------------------------------------------------------
2262    // RFC 7235 §2.1 case-insensitive scheme parsing for `extract_bearer`.
2263    // -------------------------------------------------------------------
2264
2265    #[test]
2266    fn extract_bearer_accepts_canonical_case() {
2267        assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2268    }
2269
2270    #[test]
2271    fn extract_bearer_is_case_insensitive_per_rfc7235() {
2272        // RFC 7235 §2.1: "auth-scheme is case-insensitive".
2273        // Real-world clients (curl, browsers, custom HTTP libs) emit varied
2274        // casings; rejecting any of them is a spec violation.
2275        for header in &[
2276            "bearer abc123",
2277            "BEARER abc123",
2278            "BeArEr abc123",
2279            "bEaReR abc123",
2280        ] {
2281            assert_eq!(
2282                extract_bearer(header),
2283                Some("abc123"),
2284                "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2285            );
2286        }
2287    }
2288
2289    #[test]
2290    fn extract_bearer_rejects_other_schemes() {
2291        assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2292        assert_eq!(extract_bearer("Digest username=\"x\""), None);
2293        assert_eq!(extract_bearer("Token abc123"), None);
2294    }
2295
2296    #[test]
2297    fn extract_bearer_rejects_malformed() {
2298        // Empty string, no separator, scheme-only, scheme + only whitespace.
2299        assert_eq!(extract_bearer(""), None);
2300        assert_eq!(extract_bearer("Bearer"), None);
2301        assert_eq!(extract_bearer("Bearer "), None);
2302        assert_eq!(extract_bearer("Bearer    "), None);
2303    }
2304
2305    #[test]
2306    fn extract_bearer_tolerates_extra_separator_whitespace() {
2307        // Some non-conformant clients emit two spaces; we should still parse.
2308        assert_eq!(extract_bearer("Bearer  abc123"), Some("abc123"));
2309        assert_eq!(extract_bearer("Bearer   abc123"), Some("abc123"));
2310    }
2311
2312    // -------------------------------------------------------------------
2313    // Debug redaction: ensure `AuthIdentity` and `ApiKeyEntry` never leak
2314    // secret material via `format!("{:?}", …)` or `tracing::debug!(?…)`.
2315    // -------------------------------------------------------------------
2316
2317    #[test]
2318    fn auth_identity_debug_redacts_raw_token() {
2319        let id = AuthIdentity {
2320            name: "alice".into(),
2321            role: "admin".into(),
2322            method: AuthMethod::OAuthJwt,
2323            raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2324            sub: Some("keycloak-uuid-2f3c8b".into()),
2325        };
2326        let dbg = format!("{id:?}");
2327
2328        // Plaintext fields must be visible (they are not secrets).
2329        assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2330        assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2331        assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2332
2333        // Secret fields must NOT leak.
2334        assert!(
2335            !dbg.contains("super-secret-jwt-payload-xyz"),
2336            "raw_token must be redacted in Debug output: {dbg}"
2337        );
2338        assert!(
2339            !dbg.contains("keycloak-uuid-2f3c8b"),
2340            "sub must be redacted in Debug output: {dbg}"
2341        );
2342        assert!(
2343            dbg.contains("<redacted>"),
2344            "redaction marker missing: {dbg}"
2345        );
2346    }
2347
2348    #[test]
2349    fn auth_identity_debug_marks_absent_secrets() {
2350        // For non-OAuth identities (mTLS / API key) the secret fields are
2351        // None; redacted Debug output should distinguish that from "present".
2352        let id = AuthIdentity {
2353            name: "viewer-key".into(),
2354            role: "viewer".into(),
2355            method: AuthMethod::BearerToken,
2356            raw_token: None,
2357            sub: None,
2358        };
2359        let dbg = format!("{id:?}");
2360        assert!(
2361            dbg.contains("<none>"),
2362            "absent secrets should be marked: {dbg}"
2363        );
2364        assert!(
2365            !dbg.contains("<redacted>"),
2366            "no <redacted> marker when secrets are absent: {dbg}"
2367        );
2368    }
2369
2370    #[test]
2371    fn api_key_entry_debug_redacts_hash() {
2372        let entry = ApiKeyEntry {
2373            name: "viewer-key".into(),
2374            // Realistic Argon2id PHC string (must NOT leak).
2375            hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2376            role: "viewer".into(),
2377            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2378        };
2379        let dbg = format!("{entry:?}");
2380
2381        // Non-secret fields visible.
2382        assert!(dbg.contains("viewer-key"));
2383        assert!(dbg.contains("viewer"));
2384        assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2385
2386        // Hash material must NOT leak.
2387        assert!(
2388            !dbg.contains("$argon2id$"),
2389            "argon2 hash leaked into Debug output: {dbg}"
2390        );
2391        assert!(
2392            !dbg.contains("h4sh3dPa55w0rd"),
2393            "hash digest leaked into Debug output: {dbg}"
2394        );
2395        assert!(
2396            dbg.contains("<redacted>"),
2397            "redaction marker missing: {dbg}"
2398        );
2399    }
2400
2401    // -- AuthFailureClass exact-string contract tests --
2402    //
2403    // These tests pin the exact wire strings emitted for each failure
2404    // class. They exist to kill mutation-test mutants that replace the
2405    // match-arm string literals (e.g. with `""` or with the value from
2406    // another arm). Operators and dashboards rely on these literals
2407    // for metric labels and audit-log filters; any change is a
2408    // breaking observability change and must be reflected in
2409    // CHANGELOG.md.
2410
2411    #[test]
2412    fn auth_failure_class_as_str_exact_strings() {
2413        assert_eq!(
2414            AuthFailureClass::MissingCredential.as_str(),
2415            "missing_credential"
2416        );
2417        assert_eq!(
2418            AuthFailureClass::InvalidCredential.as_str(),
2419            "invalid_credential"
2420        );
2421        assert_eq!(
2422            AuthFailureClass::ExpiredCredential.as_str(),
2423            "expired_credential"
2424        );
2425        assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2426        assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2427    }
2428
2429    #[test]
2430    fn auth_failure_class_response_body_exact_strings() {
2431        assert_eq!(
2432            AuthFailureClass::MissingCredential.response_body(),
2433            "unauthorized: missing credential"
2434        );
2435        assert_eq!(
2436            AuthFailureClass::InvalidCredential.response_body(),
2437            "unauthorized: invalid credential"
2438        );
2439        assert_eq!(
2440            AuthFailureClass::ExpiredCredential.response_body(),
2441            "unauthorized: expired credential"
2442        );
2443        assert_eq!(
2444            AuthFailureClass::RateLimited.response_body(),
2445            "rate limited"
2446        );
2447        assert_eq!(
2448            AuthFailureClass::PreAuthGate.response_body(),
2449            "rate limited (pre-auth)"
2450        );
2451    }
2452
2453    #[test]
2454    fn auth_failure_class_bearer_error_exact_strings() {
2455        assert_eq!(
2456            AuthFailureClass::MissingCredential.bearer_error(),
2457            (
2458                "invalid_request",
2459                "missing bearer token or mTLS client certificate"
2460            )
2461        );
2462        assert_eq!(
2463            AuthFailureClass::InvalidCredential.bearer_error(),
2464            ("invalid_token", "token is invalid")
2465        );
2466        assert_eq!(
2467            AuthFailureClass::ExpiredCredential.bearer_error(),
2468            ("invalid_token", "token is expired")
2469        );
2470        assert_eq!(
2471            AuthFailureClass::RateLimited.bearer_error(),
2472            ("invalid_request", "too many failed authentication attempts")
2473        );
2474        assert_eq!(
2475            AuthFailureClass::PreAuthGate.bearer_error(),
2476            (
2477                "invalid_request",
2478                "too many unauthenticated requests from this source"
2479            )
2480        );
2481    }
2482
2483    // -- AuthConfig::summary boolean-flag contract tests --
2484    //
2485    // These tests pin the boolean flags emitted by `AuthConfig::summary`
2486    // so that mutations like deleting `!` (which would invert the
2487    // semantics of `bearer`) or replacing `is_some()` with `is_none()`
2488    // are caught immediately. The summary is consumed by `/admin/*`
2489    // diagnostics so any inversion is an operator-visible regression.
2490
2491    #[test]
2492    fn auth_config_summary_bearer_true_when_keys_present() {
2493        let (_token, hash) = generate_api_key().unwrap();
2494        let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2495        let s = cfg.summary();
2496        assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2497        assert!(
2498            s.bearer,
2499            "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2500        );
2501        assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2502        assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2503        assert_eq!(s.api_keys.len(), 1);
2504        assert_eq!(s.api_keys[0].name, "k");
2505        assert_eq!(s.api_keys[0].role, "viewer");
2506    }
2507
2508    #[test]
2509    fn auth_config_summary_bearer_false_when_no_keys() {
2510        let cfg = AuthConfig::with_keys(vec![]);
2511        let s = cfg.summary();
2512        assert!(
2513            !s.bearer,
2514            "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2515        );
2516        assert!(s.api_keys.is_empty());
2517    }
2518
2519    #[test]
2520    fn seen_identity_set_first_then_repeat() {
2521        let set = SeenIdentitySet::new();
2522        assert!(set.insert_is_first("alice"), "first sighting is first");
2523        assert!(
2524            !set.insert_is_first("alice"),
2525            "second sighting is not first"
2526        );
2527        assert!(set.insert_is_first("bob"));
2528        assert_eq!(set.len(), 2);
2529    }
2530
2531    #[test]
2532    fn seen_identity_set_evicts_oldest_at_cap() {
2533        let set = SeenIdentitySet::with_cap(2);
2534        assert!(set.insert_is_first("a"));
2535        assert!(set.insert_is_first("b"));
2536        // Cap reached; inserting "c" evicts "a".
2537        assert!(set.insert_is_first("c"));
2538        assert_eq!(set.len(), 2);
2539        // "a" was evicted, so it re-fires as "first" (matches the documented
2540        // bounded trade-off: re-INFO once on reappearance). Inserting "a"
2541        // here evicts "b" (next oldest), leaving {c, a}.
2542        assert!(set.insert_is_first("a"));
2543        assert_eq!(set.len(), 2);
2544        // "b" has now been evicted in turn, so it re-fires as "first" too.
2545        assert!(set.insert_is_first("b"));
2546        // Sanity: cap is never exceeded regardless of churn pattern.
2547        for i in 0..32 {
2548            set.insert_is_first(&format!("churn-{i}"));
2549            assert!(set.len() <= 2, "cap invariant must hold");
2550        }
2551    }
2552
2553    #[test]
2554    fn seen_identity_set_cap_zero_is_raised_to_one() {
2555        let set = SeenIdentitySet::with_cap(0);
2556        assert!(set.insert_is_first("only"));
2557        assert_eq!(set.len(), 1);
2558        // Next insert evicts "only".
2559        assert!(set.insert_is_first("next"));
2560        assert_eq!(set.len(), 1);
2561    }
2562
2563    #[test]
2564    fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2565        // Locks in the FIFO contract: repeat hits MUST NOT bump an entry
2566        // to the back of the eviction queue (that would be LRU).
2567        let set = SeenIdentitySet::with_cap(2);
2568        assert!(set.insert_is_first("a")); // order=[a]
2569        assert!(set.insert_is_first("b")); // order=[a,b]
2570        // Repeat hit on "a" - if this were LRU, "a" would move to the back
2571        // and "b" would be the next eviction victim. Under FIFO, "a" stays
2572        // at the front (oldest by insertion).
2573        assert!(!set.insert_is_first("a"));
2574        // Insert "c" forces eviction. Under FIFO, "a" (oldest by insertion)
2575        // is evicted; "b" survives. Under LRU, "b" would have been evicted.
2576        assert!(set.insert_is_first("c"));
2577        // Prove "a" was evicted: re-inserting fires as first again.
2578        assert!(set.insert_is_first("a"));
2579        // Prove "b" was NOT evicted: re-inserting does NOT fire as first.
2580        // (If LRU semantics had snuck in, this assertion would fail.)
2581        // After the previous step, "a" eviction pushed out "b" as the new
2582        // oldest, so we must re-add "b" via a fresh insert path. To keep
2583        // the test deterministic we rebuild a small scenario:
2584        let set = SeenIdentitySet::with_cap(2);
2585        assert!(set.insert_is_first("x")); // order=[x]
2586        assert!(set.insert_is_first("y")); // order=[x,y]
2587        assert!(!set.insert_is_first("x")); // repeat hit (under FIFO: order unchanged)
2588        assert!(set.insert_is_first("z")); // evicts "x" under FIFO
2589        assert!(
2590            !set.insert_is_first("y"),
2591            "y must still be present (FIFO did not evict it)"
2592        );
2593        assert!(
2594            set.insert_is_first("x"),
2595            "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2596        );
2597    }
2598}