Skip to main content

rmcp_server_kit/
auth.rs

1//! Authentication middleware for MCP servers.
2//!
3//! Supports multiple authentication methods tried in priority order:
4//! 1. mTLS client certificate (if configured and peer cert present)
5//! 2. Bearer token (API key) with Argon2id hash verification
6//!
7//! Includes per-source-IP rate limiting on authentication attempts.
8
9use std::{
10    collections::HashSet,
11    net::{IpAddr, SocketAddr},
12    num::NonZeroU32,
13    path::PathBuf,
14    sync::{
15        Arc, LazyLock, Mutex,
16        atomic::{AtomicU64, Ordering},
17    },
18    time::Duration,
19};
20
21use arc_swap::ArcSwap;
22use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
23use axum::{
24    body::Body,
25    extract::ConnectInfo,
26    http::{Request, header},
27    middleware::Next,
28    response::{IntoResponse, Response},
29};
30use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD};
31use secrecy::SecretString;
32use serde::Deserialize;
33use x509_parser::prelude::*;
34
35use crate::{bounded_limiter::BoundedKeyedLimiter, error::McpxError};
36
37/// Identity of an authenticated caller.
38///
39/// The [`Debug`] impl is **manually written** to redact the raw bearer token
40/// and the JWT `sub` claim. This prevents accidental disclosure if an
41/// `AuthIdentity` is ever logged via `tracing::debug!(?identity, …)` or
42/// `format!("{identity:?}")`. Only `name`, `role`, and `method` are printed
43/// in the clear; `raw_token` and `sub` are rendered as `<redacted>` /
44/// `<present>` / `<none>` markers.
45#[derive(Clone)]
46#[non_exhaustive]
47pub struct AuthIdentity {
48    /// Human-readable identity name (e.g. API key label or cert CN).
49    pub name: String,
50    /// RBAC role associated with this identity.
51    pub role: String,
52    /// Which authentication mechanism produced this identity.
53    pub method: AuthMethod,
54    /// Raw bearer token from the `Authorization` header, wrapped in
55    /// [`SecretString`] so it is never accidentally logged or serialized.
56    /// Present for OAuth JWT; `None` for mTLS and API-key auth.
57    /// Tool handlers use this for downstream token passthrough via
58    /// [`crate::rbac::current_token`].
59    pub raw_token: Option<SecretString>,
60    /// JWT `sub` claim (stable user identifier, e.g. Keycloak UUID).
61    /// Used for token store keying. `None` for non-JWT auth.
62    pub sub: Option<String>,
63}
64
65impl std::fmt::Debug for AuthIdentity {
66    /// Redacts `raw_token` and `sub` to prevent secret leakage via
67    /// `format!("{:?}")` or `tracing::debug!(?identity)`.
68    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
69        f.debug_struct("AuthIdentity")
70            .field("name", &self.name)
71            .field("role", &self.role)
72            .field("method", &self.method)
73            .field(
74                "raw_token",
75                &if self.raw_token.is_some() {
76                    "<redacted>"
77                } else {
78                    "<none>"
79                },
80            )
81            .field(
82                "sub",
83                &if self.sub.is_some() {
84                    "<redacted>"
85                } else {
86                    "<none>"
87                },
88            )
89            .finish()
90    }
91}
92
93/// How the caller authenticated.
94#[derive(Debug, Clone, Copy, PartialEq, Eq)]
95#[non_exhaustive]
96pub enum AuthMethod {
97    /// Bearer API key (Argon2id-hashed, configured statically).
98    BearerToken,
99    /// Mutual TLS client certificate.
100    MtlsCertificate,
101    /// OAuth 2.1 JWT bearer token (validated via JWKS).
102    OAuthJwt,
103}
104
105#[derive(Debug, Clone, Copy, PartialEq, Eq)]
106enum AuthFailureClass {
107    MissingCredential,
108    InvalidCredential,
109    #[cfg_attr(not(feature = "oauth"), allow(dead_code))]
110    ExpiredCredential,
111    /// Source IP exceeded the post-failure backoff limit.
112    RateLimited,
113    /// Source IP exceeded the pre-auth abuse gate (rejected before any
114    /// password-hash work — see [`AuthState::pre_auth_limiter`]).
115    PreAuthGate,
116}
117
118impl AuthFailureClass {
119    fn as_str(self) -> &'static str {
120        match self {
121            Self::MissingCredential => "missing_credential",
122            Self::InvalidCredential => "invalid_credential",
123            Self::ExpiredCredential => "expired_credential",
124            Self::RateLimited => "rate_limited",
125            Self::PreAuthGate => "pre_auth_gate",
126        }
127    }
128
129    fn bearer_error(self) -> (&'static str, &'static str) {
130        match self {
131            Self::MissingCredential => (
132                "invalid_request",
133                "missing bearer token or mTLS client certificate",
134            ),
135            Self::InvalidCredential => ("invalid_token", "token is invalid"),
136            Self::ExpiredCredential => ("invalid_token", "token is expired"),
137            Self::RateLimited => ("invalid_request", "too many failed authentication attempts"),
138            Self::PreAuthGate => (
139                "invalid_request",
140                "too many unauthenticated requests from this source",
141            ),
142        }
143    }
144
145    fn response_body(self) -> &'static str {
146        match self {
147            Self::MissingCredential => "unauthorized: missing credential",
148            Self::InvalidCredential => "unauthorized: invalid credential",
149            Self::ExpiredCredential => "unauthorized: expired credential",
150            Self::RateLimited => "rate limited",
151            Self::PreAuthGate => "rate limited (pre-auth)",
152        }
153    }
154}
155
156/// Snapshot of authentication success/failure counters.
157#[derive(Debug, Clone, Copy, PartialEq, Eq, serde::Serialize)]
158#[non_exhaustive]
159pub struct AuthCountersSnapshot {
160    /// Successful mTLS authentications.
161    pub success_mtls: u64,
162    /// Successful bearer-token authentications.
163    pub success_bearer: u64,
164    /// Successful OAuth JWT authentications.
165    pub success_oauth_jwt: u64,
166    /// Failures because no credential was presented.
167    pub failure_missing_credential: u64,
168    /// Failures because the credential was malformed or wrong.
169    pub failure_invalid_credential: u64,
170    /// Failures because the credential had expired.
171    pub failure_expired_credential: u64,
172    /// Failures because the source IP was rate-limited (post-failure backoff).
173    pub failure_rate_limited: u64,
174    /// Failures because the source IP exceeded the pre-auth abuse gate.
175    /// These never reach the password-hash verification path.
176    pub failure_pre_auth_gate: u64,
177}
178
179/// Internal atomic counters backing [`AuthCountersSnapshot`].
180#[derive(Debug, Default)]
181pub(crate) struct AuthCounters {
182    success_mtls: AtomicU64,
183    success_bearer: AtomicU64,
184    success_oauth_jwt: AtomicU64,
185    failure_missing_credential: AtomicU64,
186    failure_invalid_credential: AtomicU64,
187    failure_expired_credential: AtomicU64,
188    failure_rate_limited: AtomicU64,
189    failure_pre_auth_gate: AtomicU64,
190}
191
192impl AuthCounters {
193    fn record_success(&self, method: AuthMethod) {
194        match method {
195            AuthMethod::MtlsCertificate => {
196                self.success_mtls.fetch_add(1, Ordering::Relaxed);
197            }
198            AuthMethod::BearerToken => {
199                self.success_bearer.fetch_add(1, Ordering::Relaxed);
200            }
201            AuthMethod::OAuthJwt => {
202                self.success_oauth_jwt.fetch_add(1, Ordering::Relaxed);
203            }
204        }
205    }
206
207    fn record_failure(&self, class: AuthFailureClass) {
208        match class {
209            AuthFailureClass::MissingCredential => {
210                self.failure_missing_credential
211                    .fetch_add(1, Ordering::Relaxed);
212            }
213            AuthFailureClass::InvalidCredential => {
214                self.failure_invalid_credential
215                    .fetch_add(1, Ordering::Relaxed);
216            }
217            AuthFailureClass::ExpiredCredential => {
218                self.failure_expired_credential
219                    .fetch_add(1, Ordering::Relaxed);
220            }
221            AuthFailureClass::RateLimited => {
222                self.failure_rate_limited.fetch_add(1, Ordering::Relaxed);
223            }
224            AuthFailureClass::PreAuthGate => {
225                self.failure_pre_auth_gate.fetch_add(1, Ordering::Relaxed);
226            }
227        }
228    }
229
230    fn snapshot(&self) -> AuthCountersSnapshot {
231        AuthCountersSnapshot {
232            success_mtls: self.success_mtls.load(Ordering::Relaxed),
233            success_bearer: self.success_bearer.load(Ordering::Relaxed),
234            success_oauth_jwt: self.success_oauth_jwt.load(Ordering::Relaxed),
235            failure_missing_credential: self.failure_missing_credential.load(Ordering::Relaxed),
236            failure_invalid_credential: self.failure_invalid_credential.load(Ordering::Relaxed),
237            failure_expired_credential: self.failure_expired_credential.load(Ordering::Relaxed),
238            failure_rate_limited: self.failure_rate_limited.load(Ordering::Relaxed),
239            failure_pre_auth_gate: self.failure_pre_auth_gate.load(Ordering::Relaxed),
240        }
241    }
242}
243
244/// RFC 3339 timestamp, parsed at deserialization time.
245///
246/// Use this for any public field that needs to carry an RFC 3339 timestamp from
247/// TOML/JSON config or builder APIs. Construction is fallible (`parse`); once
248/// constructed the value is guaranteed to be a real RFC 3339 timestamp with a
249/// known offset, so downstream code does not need to handle parse errors.
250///
251/// Wraps [`chrono::DateTime<chrono::FixedOffset>`]; the underlying value is
252/// available via [`Self::as_datetime`] or [`Self::into_inner`]. `Serialize`
253/// emits the canonical RFC 3339 form via [`chrono::DateTime::to_rfc3339`], so
254/// the on-the-wire format for `ApiKeySummary` (admin endpoints) is unchanged.
255#[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
256#[non_exhaustive]
257pub struct RfcTimestamp(chrono::DateTime<chrono::FixedOffset>);
258
259impl RfcTimestamp {
260    /// Parse an RFC 3339 timestamp.
261    ///
262    /// # Errors
263    ///
264    /// Returns the underlying [`chrono::ParseError`] when `s` is not a valid
265    /// RFC 3339 timestamp (e.g. missing the `T` separator, missing the offset
266    /// suffix, or out-of-range fields).
267    pub fn parse(s: &str) -> Result<Self, chrono::ParseError> {
268        chrono::DateTime::parse_from_rfc3339(s).map(Self)
269    }
270
271    /// Borrow the underlying [`chrono::DateTime`].
272    #[must_use]
273    pub fn as_datetime(&self) -> &chrono::DateTime<chrono::FixedOffset> {
274        &self.0
275    }
276
277    /// Consume the wrapper and return the underlying [`chrono::DateTime`].
278    #[must_use]
279    pub fn into_inner(self) -> chrono::DateTime<chrono::FixedOffset> {
280        self.0
281    }
282}
283
284impl std::fmt::Display for RfcTimestamp {
285    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
286        // Canonical RFC 3339 form; matches the deserialization input contract.
287        write!(f, "{}", self.0.to_rfc3339())
288    }
289}
290
291impl std::fmt::Debug for RfcTimestamp {
292    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
293        // Render as the canonical RFC 3339 string (not chrono's internal
294        // debug form) so existing `ApiKeyEntry` Debug-redaction tests --
295        // which look for the literal `"2030-01-01T00:00:00Z"` form in the
296        // formatted output -- continue to hold without bespoke handling.
297        write!(f, "{}", self.0.to_rfc3339())
298    }
299}
300
301impl<'de> Deserialize<'de> for RfcTimestamp {
302    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
303    where
304        D: serde::Deserializer<'de>,
305    {
306        // Validate at deserialization time: a malformed `expires_at` in
307        // TOML or JSON aborts config load with a clear serde error rather
308        // than silently producing a key that fails open at runtime.
309        let s = String::deserialize(deserializer)?;
310        Self::parse(&s).map_err(serde::de::Error::custom)
311    }
312}
313
314impl serde::Serialize for RfcTimestamp {
315    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
316    where
317        S: serde::Serializer,
318    {
319        serializer.serialize_str(&self.0.to_rfc3339())
320    }
321}
322
323impl From<chrono::DateTime<chrono::FixedOffset>> for RfcTimestamp {
324    fn from(value: chrono::DateTime<chrono::FixedOffset>) -> Self {
325        Self(value)
326    }
327}
328
329/// A single API key entry (stored as Argon2id hash in config).
330///
331/// The [`Debug`] impl is **manually written** to redact the Argon2id hash.
332/// Although the hash is not directly reversible, treating it as a secret
333/// prevents offline brute-force attempts from leaked logs and matches the
334/// defense-in-depth posture used for [`AuthIdentity`].
335#[derive(Clone, Deserialize)]
336#[non_exhaustive]
337pub struct ApiKeyEntry {
338    /// Human-readable key label (used in logs and audit records).
339    pub name: String,
340    /// Argon2id hash of the token (PHC string format).
341    pub hash: String,
342    /// RBAC role granted when this key authenticates successfully.
343    pub role: String,
344    /// Optional expiry, parsed from an RFC 3339 string at deserialization
345    /// time. Construction from a raw string is fallible (see
346    /// [`RfcTimestamp::parse`] and [`ApiKeyEntry::try_with_expiry`]),
347    /// which guarantees `verify_bearer_token` never sees a malformed value.
348    pub expires_at: Option<RfcTimestamp>,
349}
350
351impl std::fmt::Debug for ApiKeyEntry {
352    /// Redacts the Argon2id `hash` to keep it out of logs, panic backtraces,
353    /// and admin-endpoint responses that might `format!("{:?}", …)` an entry.
354    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
355        f.debug_struct("ApiKeyEntry")
356            .field("name", &self.name)
357            .field("hash", &"<redacted>")
358            .field("role", &self.role)
359            .field("expires_at", &self.expires_at)
360            .finish()
361    }
362}
363
364impl ApiKeyEntry {
365    /// Create a new API key entry (no expiry).
366    #[must_use]
367    pub fn new(name: impl Into<String>, hash: impl Into<String>, role: impl Into<String>) -> Self {
368        Self {
369            name: name.into(),
370            hash: hash.into(),
371            role: role.into(),
372            expires_at: None,
373        }
374    }
375
376    /// Set an RFC 3339 expiry on this key.
377    ///
378    /// Takes an already-parsed [`RfcTimestamp`]; for ergonomic construction
379    /// from a raw string see [`Self::try_with_expiry`].
380    #[must_use]
381    pub fn with_expiry(mut self, expires_at: RfcTimestamp) -> Self {
382        self.expires_at = Some(expires_at);
383        self
384    }
385
386    /// Set an RFC 3339 expiry on this key from a raw string.
387    ///
388    /// # Errors
389    ///
390    /// Returns the underlying [`chrono::ParseError`] when `expires_at` is
391    /// not a valid RFC 3339 timestamp. This is the fallible counterpart to
392    /// [`Self::with_expiry`].
393    pub fn try_with_expiry(
394        mut self,
395        expires_at: impl AsRef<str>,
396    ) -> Result<Self, chrono::ParseError> {
397        self.expires_at = Some(RfcTimestamp::parse(expires_at.as_ref())?);
398        Ok(self)
399    }
400}
401
402/// mTLS client certificate authentication configuration.
403#[derive(Debug, Clone, Deserialize)]
404#[allow(
405    clippy::struct_excessive_bools,
406    reason = "mTLS CRL behavior is intentionally configured as independent booleans"
407)]
408#[non_exhaustive]
409pub struct MtlsConfig {
410    /// Path to CA certificate(s) for verifying client certs (PEM format).
411    pub ca_cert_path: PathBuf,
412    /// If true, clients MUST present a valid certificate.
413    /// If false, client certs are optional (verified if presented).
414    #[serde(default)]
415    pub required: bool,
416    /// Default RBAC role for mTLS-authenticated clients.
417    /// The client cert CN becomes the identity name.
418    #[serde(default = "default_mtls_role")]
419    pub default_role: String,
420    /// Enable CRL-based certificate revocation checks using CDP URLs from the
421    /// configured CA chain and connecting client certificates.
422    #[serde(default = "default_true")]
423    pub crl_enabled: bool,
424    /// Optional fixed refresh interval for known CRLs. When omitted, refresh
425    /// cadence is derived from `nextUpdate` and clamped internally.
426    #[serde(default, with = "humantime_serde::option")]
427    pub crl_refresh_interval: Option<Duration>,
428    /// Timeout for individual CRL fetches.
429    #[serde(default = "default_crl_fetch_timeout", with = "humantime_serde")]
430    pub crl_fetch_timeout: Duration,
431    /// Grace window during which stale CRLs may still be used when refresh
432    /// attempts fail.
433    #[serde(default = "default_crl_stale_grace", with = "humantime_serde")]
434    pub crl_stale_grace: Duration,
435    /// When true, missing or unavailable CRLs cause revocation checks to fail
436    /// closed.
437    #[serde(default)]
438    pub crl_deny_on_unavailable: bool,
439    /// When true, apply revocation checks only to the end-entity certificate.
440    #[serde(default)]
441    pub crl_end_entity_only: bool,
442    /// Allow HTTP CRL distribution-point URLs in addition to HTTPS.
443    ///
444    /// Defaults to `true` because RFC 5280 §4.2.1.13 designates HTTP (and
445    /// LDAP) as the canonical transport for CRL distribution points.
446    /// SSRF defense for HTTP CDPs is provided by the IP-allowlist guard
447    /// (private/loopback/link-local/multicast/cloud-metadata addresses are
448    /// always rejected), redirect=none, body-size cap, and per-host
449    /// concurrency limit -- not by forcing HTTPS.
450    #[serde(default = "default_true")]
451    pub crl_allow_http: bool,
452    /// Enforce CRL expiration during certificate validation.
453    #[serde(default = "default_true")]
454    pub crl_enforce_expiration: bool,
455    /// Maximum concurrent CRL fetches across all hosts. Defense in depth
456    /// against SSRF amplification: even if many CDPs are discovered, no
457    /// more than this many fetches run in parallel. Per-host concurrency
458    /// is independently capped at 1 regardless of this value.
459    /// Default: `4`.
460    #[serde(default = "default_crl_max_concurrent_fetches")]
461    pub crl_max_concurrent_fetches: usize,
462    /// Hard cap on each CRL response body in bytes. Fetches exceeding this
463    /// are aborted mid-stream to bound memory and prevent gzip-bomb-style
464    /// amplification. Default: 5 MiB (`5 * 1024 * 1024`).
465    #[serde(default = "default_crl_max_response_bytes")]
466    pub crl_max_response_bytes: u64,
467    /// Global CDP discovery rate limit, in URLs per minute. Throttles
468    /// how many *new* CDP URLs the verifier may admit into the fetch
469    /// pipeline across the whole process, bounding asymmetric `DoS`
470    /// amplification when attacker-controlled certificates carry large
471    /// CDP lists. The limit is global (not per-source-IP) in this
472    /// release; per-IP scoping is deferred to a future version because
473    /// it requires plumbing the peer `SocketAddr` through the rustls
474    /// verifier hook (a different subsystem than ordinary request
475    /// middleware). Note: the **bearer pre-auth limiter** that gates
476    /// API-key / OAuth `Authorization` headers is already per-IP — see
477    /// [`RateLimitConfig::pre_auth_max_per_minute`] and the keyed
478    /// governor built by `build_pre_auth_limiter`. URLs that lose the
479    /// rate-limiter race are *not* marked as seen, so subsequent
480    /// handshakes observing the same URL can retry admission.
481    /// Default: `60`.
482    #[serde(default = "default_crl_discovery_rate_per_min")]
483    pub crl_discovery_rate_per_min: u32,
484    /// Maximum number of distinct hosts that may hold a CRL fetch
485    /// semaphore at any time. At the cap, idle entries (no in-flight
486    /// fetch) are evicted on demand so new hosts keep working; only when
487    /// every entry has a concurrent in-flight fetch does the request
488    /// return [`McpxError::Config`] containing the literal substring
489    /// `"crl_host_semaphore_cap_exceeded"`. Bounds memory growth from
490    /// attacker-controlled CDP URLs pointing at unique hostnames.
491    /// Default: 1024.
492    #[serde(default = "default_crl_max_host_semaphores")]
493    pub crl_max_host_semaphores: usize,
494    /// Maximum number of distinct URLs tracked in the "seen" set.
495    /// Beyond this, additional discovered URLs are silently dropped
496    /// with a rate-limited warn! log; no error surfaces. Default: 4096.
497    #[serde(default = "default_crl_max_seen_urls")]
498    pub crl_max_seen_urls: usize,
499    /// Maximum number of cached CRL entries. Beyond this, new
500    /// successful fetches are silently dropped with a rate-limited
501    /// warn! log (newest-rejected, not LRU-evicted). Default: 1024.
502    #[serde(default = "default_crl_max_cache_entries")]
503    pub crl_max_cache_entries: usize,
504}
505
506fn default_mtls_role() -> String {
507    "viewer".into()
508}
509
510const fn default_true() -> bool {
511    true
512}
513
514const fn default_crl_fetch_timeout() -> Duration {
515    Duration::from_secs(30)
516}
517
518const fn default_crl_stale_grace() -> Duration {
519    Duration::from_hours(24)
520}
521
522const fn default_crl_max_concurrent_fetches() -> usize {
523    4
524}
525
526const fn default_crl_max_response_bytes() -> u64 {
527    5 * 1024 * 1024
528}
529
530const fn default_crl_discovery_rate_per_min() -> u32 {
531    60
532}
533
534const fn default_crl_max_host_semaphores() -> usize {
535    1024
536}
537
538const fn default_crl_max_seen_urls() -> usize {
539    4096
540}
541
542const fn default_crl_max_cache_entries() -> usize {
543    1024
544}
545
546/// Rate limiting configuration for authentication attempts.
547///
548/// rmcp-server-kit uses two independent per-IP token-bucket limiters for auth:
549///
550/// 1. **Pre-auth abuse gate** ([`Self::pre_auth_max_per_minute`]): consulted
551///    *before* any password-hash work. Throttles unauthenticated traffic from
552///    a single source IP so an attacker cannot pin the CPU on Argon2id by
553///    spraying invalid bearer tokens. Sized generously (default = 10× the
554///    post-failure quota) so legitimate clients are unaffected. mTLS-
555///    authenticated connections bypass this gate entirely (the TLS handshake
556///    already performed expensive crypto with a verified peer).
557/// 2. **Post-failure backoff** ([`Self::max_attempts_per_minute`]): consulted
558///    *after* an authentication attempt fails. Provides explicit backpressure
559///    on bad credentials.
560#[derive(Debug, Clone, Deserialize)]
561#[non_exhaustive]
562pub struct RateLimitConfig {
563    /// Maximum failed authentication attempts per source IP per minute.
564    /// Successful authentications do not consume this budget.
565    #[serde(default = "default_max_attempts")]
566    pub max_attempts_per_minute: u32,
567    /// Maximum *unauthenticated* requests per source IP per minute admitted
568    /// to the password-hash verification path. When `None`, defaults to
569    /// `max_attempts_per_minute * 10` at limiter-construction time.
570    ///
571    /// Set higher than [`Self::max_attempts_per_minute`] so honest clients
572    /// retrying with the wrong key never trip this gate; its purpose is only
573    /// to bound CPU usage under spray attacks.
574    #[serde(default)]
575    pub pre_auth_max_per_minute: Option<u32>,
576    /// Hard cap on the number of distinct source IPs tracked per limiter.
577    /// When reached, idle entries are pruned first; if still full, the
578    /// oldest (LRU) entry is evicted to make room for the new one. This
579    /// bounds memory under IP-spray attacks. Default: `10_000`.
580    #[serde(default = "default_max_tracked_keys")]
581    pub max_tracked_keys: usize,
582    /// Per-IP entries idle for longer than this are eligible for
583    /// opportunistic pruning. Default: 15 minutes.
584    #[serde(default = "default_idle_eviction", with = "humantime_serde")]
585    pub idle_eviction: Duration,
586    /// Burst capacity for the post-failure limiter: the maximum number
587    /// of failed attempts admitted back-to-back before the sustained
588    /// `max_attempts_per_minute` rate applies. `None` (default) keeps
589    /// governor's default of burst = rate. Must be greater than zero
590    /// when set. May be smaller than the rate (smoothing) or larger
591    /// (spike tolerance).
592    #[serde(default)]
593    pub burst: Option<u32>,
594    /// Burst capacity for the pre-auth abuse gate. `None` (default)
595    /// keeps burst = the gate's resolved rate. Legal regardless of
596    /// whether [`Self::pre_auth_max_per_minute`] is set — the gate's
597    /// base rate always resolves (`max_attempts_per_minute * 10` when
598    /// unset). Must be greater than zero when set.
599    #[serde(default)]
600    pub pre_auth_burst: Option<u32>,
601}
602
603impl Default for RateLimitConfig {
604    fn default() -> Self {
605        Self {
606            max_attempts_per_minute: default_max_attempts(),
607            pre_auth_max_per_minute: None,
608            max_tracked_keys: default_max_tracked_keys(),
609            idle_eviction: default_idle_eviction(),
610            burst: None,
611            pre_auth_burst: None,
612        }
613    }
614}
615
616impl RateLimitConfig {
617    /// Create a rate limit config with the given max failed attempts per minute.
618    /// Pre-auth gate defaults to `10x` this value at limiter-construction time.
619    /// Memory-bound defaults are `10_000` tracked keys with 15-minute idle eviction.
620    #[must_use]
621    pub fn new(max_attempts_per_minute: u32) -> Self {
622        Self {
623            max_attempts_per_minute,
624            ..Self::default()
625        }
626    }
627
628    /// Override the pre-auth abuse-gate quota (per source IP per minute).
629    /// When unset, defaults to `max_attempts_per_minute * 10`.
630    #[must_use]
631    pub fn with_pre_auth_max_per_minute(mut self, quota: u32) -> Self {
632        self.pre_auth_max_per_minute = Some(quota);
633        self
634    }
635
636    /// Override the per-limiter cap on tracked source-IP keys (default `10_000`).
637    #[must_use]
638    pub fn with_max_tracked_keys(mut self, max: usize) -> Self {
639        self.max_tracked_keys = max;
640        self
641    }
642
643    /// Override the idle-eviction window (default 15 minutes).
644    #[must_use]
645    pub fn with_idle_eviction(mut self, idle: Duration) -> Self {
646        self.idle_eviction = idle;
647        self
648    }
649
650    /// Set the burst capacity for the post-failure limiter. Must be
651    /// greater than zero (validated at server-config validation time).
652    #[must_use]
653    pub fn with_burst(mut self, burst: u32) -> Self {
654        self.burst = Some(burst);
655        self
656    }
657
658    /// Set the burst capacity for the pre-auth abuse gate. Must be
659    /// greater than zero (validated at server-config validation time).
660    #[must_use]
661    pub fn with_pre_auth_burst(mut self, burst: u32) -> Self {
662        self.pre_auth_burst = Some(burst);
663        self
664    }
665}
666
667fn default_max_attempts() -> u32 {
668    30
669}
670
671fn default_max_tracked_keys() -> usize {
672    10_000
673}
674
675fn default_idle_eviction() -> Duration {
676    Duration::from_mins(15)
677}
678
679/// Authentication configuration.
680#[derive(Debug, Clone, Default, Deserialize)]
681#[non_exhaustive]
682pub struct AuthConfig {
683    /// Master switch - when false, all requests are allowed through.
684    #[serde(default)]
685    pub enabled: bool,
686    /// Bearer token API keys.
687    #[serde(default)]
688    pub api_keys: Vec<ApiKeyEntry>,
689    /// mTLS client certificate authentication.
690    pub mtls: Option<MtlsConfig>,
691    /// Rate limiting for auth attempts.
692    pub rate_limit: Option<RateLimitConfig>,
693    /// OAuth 2.1 JWT bearer token authentication.
694    #[cfg(feature = "oauth")]
695    pub oauth: Option<crate::oauth::OAuthConfig>,
696}
697
698impl AuthConfig {
699    /// Create an enabled auth config with the given API keys.
700    #[must_use]
701    pub fn with_keys(keys: Vec<ApiKeyEntry>) -> Self {
702        Self {
703            enabled: true,
704            api_keys: keys,
705            mtls: None,
706            rate_limit: None,
707            #[cfg(feature = "oauth")]
708            oauth: None,
709        }
710    }
711
712    /// Set rate limiting on this auth config.
713    #[must_use]
714    pub fn with_rate_limit(mut self, rate_limit: RateLimitConfig) -> Self {
715        self.rate_limit = Some(rate_limit);
716        self
717    }
718}
719
720/// Summary of a single API key suitable for admin endpoints.
721///
722/// Intentionally omits the Argon2id hash - only metadata is exposed.
723#[derive(Debug, Clone, serde::Serialize)]
724#[non_exhaustive]
725pub struct ApiKeySummary {
726    /// Human-readable key label.
727    pub name: String,
728    /// RBAC role granted when this key authenticates.
729    pub role: String,
730    /// Optional RFC 3339 expiry timestamp. Serialized as a canonical
731    /// RFC 3339 string so the admin-endpoint wire format is preserved.
732    pub expires_at: Option<RfcTimestamp>,
733}
734
735/// Snapshot of the enabled authentication methods for admin endpoints.
736#[derive(Debug, Clone, serde::Serialize)]
737#[allow(
738    clippy::struct_excessive_bools,
739    reason = "this is a flat summary of independent auth-method booleans"
740)]
741#[non_exhaustive]
742pub struct AuthConfigSummary {
743    /// Master enabled flag from config.
744    pub enabled: bool,
745    /// Whether API-key bearer auth is configured.
746    pub bearer: bool,
747    /// Whether mTLS client auth is configured.
748    pub mtls: bool,
749    /// Whether OAuth JWT validation is configured.
750    pub oauth: bool,
751    /// Current API-key list (no hashes).
752    pub api_keys: Vec<ApiKeySummary>,
753}
754
755impl AuthConfig {
756    /// Produce a hash-free summary of the auth config for admin endpoints.
757    #[must_use]
758    pub fn summary(&self) -> AuthConfigSummary {
759        AuthConfigSummary {
760            enabled: self.enabled,
761            bearer: !self.api_keys.is_empty(),
762            mtls: self.mtls.is_some(),
763            #[cfg(feature = "oauth")]
764            oauth: self.oauth.is_some(),
765            #[cfg(not(feature = "oauth"))]
766            oauth: false,
767            api_keys: self
768                .api_keys
769                .iter()
770                .map(|k| ApiKeySummary {
771                    name: k.name.clone(),
772                    role: k.role.clone(),
773                    expires_at: k.expires_at,
774                })
775                .collect(),
776        }
777    }
778}
779
780/// Keyed rate limiter type (per source IP). Memory-bounded by
781/// [`RateLimitConfig::max_tracked_keys`] to defend against IP-spray `DoS`.
782pub(crate) type KeyedLimiter = BoundedKeyedLimiter<IpAddr>;
783
784/// Connection info for TLS connections, carrying the peer socket address
785/// and (when mTLS is configured) the verified client identity extracted
786/// from the peer certificate during the TLS handshake.
787///
788/// Defined as a local type so we can implement axum's `Connected` trait
789/// for our custom `TlsListener` without orphan rule issues. The `identity`
790/// field travels with the connection itself (via the wrapping IO type),
791/// so there is no shared map to race against, no port-reuse aliasing, and
792/// no eviction policy to maintain.
793#[derive(Clone, Debug)]
794#[non_exhaustive]
795pub(crate) struct TlsConnInfo {
796    /// Remote peer socket address.
797    pub addr: SocketAddr,
798    /// Verified mTLS client identity, if a client certificate was presented
799    /// and successfully extracted during the TLS handshake.
800    pub identity: Option<AuthIdentity>,
801}
802
803impl TlsConnInfo {
804    /// Construct a new [`TlsConnInfo`].
805    #[must_use]
806    pub(crate) const fn new(addr: SocketAddr, identity: Option<AuthIdentity>) -> Self {
807        Self { addr, identity }
808    }
809}
810
811/// Default hard cap on the number of distinct authenticated identities
812/// remembered by [`SeenIdentitySet`].
813///
814/// Sized to comfortably exceed realistic identity churn for an MCP server
815/// while bounding worst-case memory at roughly `4096 * avg_name_len`
816/// (~256 KiB at 64-byte names). Honest clients will never trigger eviction;
817/// hostile churn (rotating mTLS subjects or OAuth `sub` values) is bounded.
818const DEFAULT_SEEN_IDENTITY_CAP: usize = 4096;
819
820/// Bounded set tracking which authenticated identities have already been
821/// logged at INFO level (subsequent auths fall back to DEBUG).
822///
823/// # Why bounded?
824///
825/// `id.name` is attacker-influenced under mTLS (SAN/CN) and OAuth (`sub`).
826/// An unbounded [`std::collections::HashSet`] would grow with churn,
827/// producing both a slow memory leak and unbounded log-cardinality
828/// downstream (Loki/ES). The cap follows the same trade-off documented in
829/// [`crate::bounded_limiter`]: when an evicted identity reappears it
830/// re-fires INFO once. This is acceptable for diagnostic logging.
831///
832/// # Concurrency
833///
834/// Uses [`std::sync::Mutex`] because [`Self::insert_is_first`] is purely
835/// synchronous and the critical section never `.await`s. The mutex is
836/// poison-tolerant: a poisoned set is still logically consistent
837/// (only writer is `insert_is_first`, which performs an atomic insert
838/// + bounded eviction; no torn invariants are possible).
839pub(crate) struct SeenIdentitySet {
840    inner: Mutex<SeenInner>,
841}
842
843struct SeenInner {
844    set: HashSet<String>,
845    /// Insertion-order FIFO used for bounded eviction. Tracking strict LRU
846    /// would require touching the queue on every hit (under the mutex);
847    /// FIFO is sufficient because the contract only promises "bounded
848    /// memory", not "remember the most recently seen identities".
849    order: std::collections::VecDeque<String>,
850    cap: usize,
851}
852
853impl SeenIdentitySet {
854    /// Construct with the default cap of [`DEFAULT_SEEN_IDENTITY_CAP`].
855    #[must_use]
856    pub(crate) fn new() -> Self {
857        Self::with_cap(DEFAULT_SEEN_IDENTITY_CAP)
858    }
859
860    /// Construct with an explicit cap. A `cap` of `0` is silently raised
861    /// to `1` to keep the invariant `set.len() <= cap` non-vacuous.
862    #[must_use]
863    pub(crate) fn with_cap(cap: usize) -> Self {
864        let cap = cap.max(1);
865        Self {
866            inner: Mutex::new(SeenInner {
867                set: HashSet::with_capacity(cap.min(64)),
868                order: std::collections::VecDeque::with_capacity(cap.min(64)),
869                cap,
870            }),
871        }
872    }
873
874    /// Insert `name`. Returns `true` if this is the first time `name` was
875    /// inserted (or it was previously evicted and reinserted), `false`
876    /// if it was already present.
877    ///
878    /// When the cap is reached, the oldest inserted entry is evicted to
879    /// make room. Eviction never blocks the caller.
880    pub(crate) fn insert_is_first(&self, name: &str) -> bool {
881        // SAFETY: the only writer is this method; a poisoned set remains
882        // logically consistent (atomic insert + bounded eviction preserve
883        // the `set.len() <= cap` invariant). Continuing past poison only
884        // affects diagnostic logging granularity, not correctness or
885        // security.
886        let mut guard = self
887            .inner
888            .lock()
889            .unwrap_or_else(std::sync::PoisonError::into_inner);
890
891        if guard.set.contains(name) {
892            return false;
893        }
894        // Cap enforcement: evict-then-insert keeps the invariant
895        // `set.len() <= cap` even when the cap is `1`.
896        if guard.set.len() >= guard.cap
897            && let Some(evicted) = guard.order.pop_front()
898        {
899            guard.set.remove(&evicted);
900        }
901        let owned = name.to_owned();
902        guard.set.insert(owned.clone());
903        guard.order.push_back(owned);
904        true
905    }
906
907    /// Test-only snapshot of the current size.
908    #[cfg(test)]
909    pub(crate) fn len(&self) -> usize {
910        self.inner
911            .lock()
912            .unwrap_or_else(std::sync::PoisonError::into_inner)
913            .set
914            .len()
915    }
916}
917
918impl Default for SeenIdentitySet {
919    fn default() -> Self {
920        Self::new()
921    }
922}
923
924/// Shared state for the auth middleware.
925///
926/// `api_keys` uses [`ArcSwap`] so the SIGHUP handler can atomically
927/// swap in a new key list without blocking in-flight requests.
928#[allow(
929    missing_debug_implementations,
930    reason = "contains governor RateLimiter and JwksCache without Debug impls"
931)]
932#[non_exhaustive]
933pub(crate) struct AuthState {
934    /// Active set of API keys (hot-swappable).
935    pub api_keys: ArcSwap<Vec<ApiKeyEntry>>,
936    /// Optional per-IP post-failure rate limiter (consulted *after* auth fails).
937    pub rate_limiter: Option<Arc<KeyedLimiter>>,
938    /// Optional per-IP pre-auth abuse gate (consulted *before* password-hash work).
939    /// mTLS-authenticated connections bypass this gate.
940    pub pre_auth_limiter: Option<Arc<KeyedLimiter>>,
941    #[cfg(feature = "oauth")]
942    /// Optional JWKS cache for OAuth JWT validation.
943    pub jwks_cache: Option<Arc<crate::oauth::JwksCache>>,
944    /// Tracks identity names that have already been logged at INFO level.
945    /// Subsequent auths for the same identity are logged at DEBUG.
946    /// Bounded to prevent attacker-driven memory growth via churned
947    /// mTLS subjects or OAuth `sub` claims (see [`SeenIdentitySet`]).
948    pub seen_identities: SeenIdentitySet,
949    /// Lightweight in-memory auth success/failure counters for diagnostics.
950    pub counters: AuthCounters,
951}
952
953impl AuthState {
954    /// Atomically replace the API key list (lock-free, wait-free).
955    ///
956    /// New requests immediately see the updated keys.
957    /// In-flight requests that already loaded the old list finish
958    /// using it -- no torn reads.
959    pub(crate) fn reload_keys(&self, keys: Vec<ApiKeyEntry>) {
960        let count = keys.len();
961        self.api_keys.store(Arc::new(keys));
962        tracing::info!(keys = count, "API keys reloaded");
963    }
964
965    /// Snapshot auth counters for diagnostics and tests.
966    #[must_use]
967    pub(crate) fn counters_snapshot(&self) -> AuthCountersSnapshot {
968        self.counters.snapshot()
969    }
970
971    /// Produce the admin-endpoint list of API keys (metadata only, no hashes).
972    #[must_use]
973    pub(crate) fn api_key_summaries(&self) -> Vec<ApiKeySummary> {
974        self.api_keys
975            .load()
976            .iter()
977            .map(|k| ApiKeySummary {
978                name: k.name.clone(),
979                role: k.role.clone(),
980                expires_at: k.expires_at,
981            })
982            .collect()
983    }
984
985    /// Log auth success: INFO on first occurrence per identity, DEBUG after.
986    ///
987    /// Backed by [`SeenIdentitySet`], a bounded FIFO set that caps
988    /// retained identities to prevent attacker-driven memory growth.
989    /// FIFO (not LRU) is intentional: this cache de-duplicates INFO logs,
990    /// not security state, so per-hit eviction-order mutation is not
991    /// justified. See [`SeenIdentitySet`] for the full trade-off rationale.
992    fn log_auth(&self, id: &AuthIdentity, method: &str) {
993        self.counters.record_success(id.method);
994        let first = self.seen_identities.insert_is_first(&id.name);
995        if first {
996            tracing::info!(name = %id.name, role = %id.role, "{method} authenticated");
997        } else {
998            tracing::debug!(name = %id.name, role = %id.role, "{method} authenticated");
999        }
1000    }
1001}
1002
1003/// Default auth rate limit: 30 attempts per minute per source IP.
1004// SAFETY: unwrap() is safe - literal 30 is provably non-zero (const-evaluated).
1005const DEFAULT_AUTH_RATE: NonZeroU32 = NonZeroU32::new(30).unwrap();
1006
1007/// Apply an optional burst capacity to a quota. `None` keeps governor's
1008/// default (burst = rate). Zero values are rejected at config-validation
1009/// time; the `NonZeroU32` filter here is defensive only.
1010fn apply_burst(quota: governor::Quota, burst: Option<u32>) -> governor::Quota {
1011    match burst.and_then(NonZeroU32::new) {
1012        Some(b) => quota.allow_burst(b),
1013        None => quota,
1014    }
1015}
1016
1017/// Create a post-failure rate limiter from config.
1018#[must_use]
1019pub(crate) fn build_rate_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1020    let quota = governor::Quota::per_minute(
1021        NonZeroU32::new(config.max_attempts_per_minute).unwrap_or(DEFAULT_AUTH_RATE),
1022    );
1023    let quota = apply_burst(quota, config.burst);
1024    Arc::new(BoundedKeyedLimiter::new(
1025        quota,
1026        config.max_tracked_keys,
1027        config.idle_eviction,
1028    ))
1029}
1030
1031/// Create a pre-auth abuse-gate rate limiter from config.
1032///
1033/// Quota: `pre_auth_max_per_minute` if set, otherwise
1034/// `max_attempts_per_minute * 10` (capped at `u32::MAX`). The 10× factor
1035/// keeps the gate generous enough for honest retries while still bounding
1036/// attacker CPU on Argon2 verification.
1037#[must_use]
1038pub(crate) fn build_pre_auth_limiter(config: &RateLimitConfig) -> Arc<KeyedLimiter> {
1039    let resolved = config.pre_auth_max_per_minute.unwrap_or_else(|| {
1040        config
1041            .max_attempts_per_minute
1042            .saturating_mul(PRE_AUTH_DEFAULT_MULTIPLIER)
1043    });
1044    let quota =
1045        governor::Quota::per_minute(NonZeroU32::new(resolved).unwrap_or(DEFAULT_PRE_AUTH_RATE));
1046    let quota = apply_burst(quota, config.pre_auth_burst);
1047    Arc::new(BoundedKeyedLimiter::new(
1048        quota,
1049        config.max_tracked_keys,
1050        config.idle_eviction,
1051    ))
1052}
1053
1054/// Default multiplier applied to `max_attempts_per_minute` when the operator
1055/// does not set `pre_auth_max_per_minute` explicitly.
1056const PRE_AUTH_DEFAULT_MULTIPLIER: u32 = 10;
1057
1058/// Default pre-auth abuse-gate rate (used only if both the configured value
1059/// and the multiplied fallback are zero, which `NonZeroU32::new` rejects).
1060// SAFETY: unwrap() is safe - literal 300 is provably non-zero (const-evaluated).
1061const DEFAULT_PRE_AUTH_RATE: NonZeroU32 = NonZeroU32::new(300).unwrap();
1062
1063/// Parse an mTLS client certificate and extract an `AuthIdentity`.
1064///
1065/// Reads the Subject CN as the identity name. Falls back to the first
1066/// DNS SAN if CN is absent. The role is taken from the `MtlsConfig`.
1067#[must_use]
1068pub fn extract_mtls_identity(cert_der: &[u8], default_role: &str) -> Option<AuthIdentity> {
1069    let (_, cert) = X509Certificate::from_der(cert_der).ok()?;
1070
1071    // Try CN from Subject first.
1072    let cn = cert
1073        .subject()
1074        .iter_common_name()
1075        .next()
1076        .and_then(|attr| attr.as_str().ok())
1077        .map(String::from);
1078
1079    // Fall back to first DNS SAN.
1080    let name = cn.or_else(|| {
1081        cert.subject_alternative_name()
1082            .ok()
1083            .flatten()
1084            .and_then(|san| {
1085                #[allow(
1086                    clippy::wildcard_enum_match_arm,
1087                    reason = "x509-parser GeneralName is a large external enum; only DNSName is meaningful here"
1088                )]
1089                san.value.general_names.iter().find_map(|gn| match gn {
1090                    GeneralName::DNSName(dns) => Some((*dns).to_owned()),
1091                    _ => None,
1092                })
1093            })
1094    })?;
1095
1096    // Reject identities with characters unsafe for logging and RBAC matching.
1097    if !name
1098        .chars()
1099        .all(|c| c.is_alphanumeric() || matches!(c, '-' | '.' | '_' | '@'))
1100    {
1101        tracing::warn!(cn = %name, "mTLS identity rejected: invalid characters in CN/SAN");
1102        return None;
1103    }
1104
1105    Some(AuthIdentity {
1106        name,
1107        role: default_role.to_owned(),
1108        method: AuthMethod::MtlsCertificate,
1109        raw_token: None,
1110        sub: None,
1111    })
1112}
1113
1114/// Extract the bearer token from an `Authorization` header value.
1115///
1116/// Implements RFC 7235 §2.1: the auth-scheme token is **case-insensitive**.
1117/// `Bearer`, `bearer`, `BEARER`, and `BeArEr` all parse equivalently. Any
1118/// leading whitespace between the scheme and the token is trimmed (per
1119/// RFC 7235 the separator is one or more SP characters; we accept the
1120/// common single-space form plus tolerate extras).
1121///
1122/// Returns `None` if the header value:
1123/// - does not contain a space (no scheme/credentials boundary), or
1124/// - uses a scheme other than `Bearer` (case-insensitively).
1125///
1126/// The caller is responsible for token-level validation (length, charset,
1127/// signature, etc.); this helper only handles the scheme prefix.
1128fn extract_bearer(value: &str) -> Option<&str> {
1129    let (scheme, rest) = value.split_once(' ')?;
1130    if scheme.eq_ignore_ascii_case("Bearer") {
1131        let token = rest.trim_start_matches(' ');
1132        if token.is_empty() { None } else { Some(token) }
1133    } else {
1134        None
1135    }
1136}
1137
1138/// Verify a bearer token against configured API keys.
1139///
1140/// Argon2id verification is CPU-intensive, so this should be called via
1141/// `spawn_blocking`. Returns the matching identity if the token is valid.
1142///
1143/// # Timing-side-channel resistance
1144///
1145/// Always performs **exactly one Argon2id verification per configured key**,
1146/// regardless of:
1147///
1148/// * which slot (if any) matches the presented token, or
1149/// * whether a key has expired.
1150///
1151/// Expired and post-match slots are verified against an internal dummy PHC hash,
1152/// a fixed Argon2id PHC string with the same cost parameters as the real
1153/// hashes. This bounds the timing observable to "one Argon2 per configured
1154/// key" regardless of which (if any) slot held the matching credential,
1155/// closing the first-match latency oracle (CWE-208) and the expired-slot
1156/// timing leak.
1157///
1158/// `subtle::ConstantTimeEq` is used to fold per-slot match bits into the
1159/// final result so the compiler cannot reintroduce a data-dependent branch.
1160///
1161/// # Panics
1162///
1163/// Panics if the internal dummy PHC hash cannot be parsed as an Argon2id PHC string.
1164/// This is impossible by construction: the static is generated by
1165/// [`argon2::Argon2::hash_password`] which always emits a valid PHC string.
1166#[must_use]
1167pub fn verify_bearer_token(token: &str, keys: &[ApiKeyEntry]) -> Option<AuthIdentity> {
1168    use subtle::ConstantTimeEq as _;
1169
1170    let now = chrono::Utc::now();
1171    #[allow(
1172        clippy::expect_used,
1173        reason = "DUMMY_PHC_HASH is a static LazyLock built from a fixed Argon2id PHC string by construction; PasswordHash::new on it is infallible. See DUMMY_PHC_HASH definition."
1174    )]
1175    let dummy_hash = PasswordHash::new(&DUMMY_PHC_HASH)
1176        .expect("DUMMY_PHC_HASH is a valid Argon2id PHC string by construction");
1177
1178    let mut matched_index: usize = usize::MAX;
1179    let mut any_match: u8 = 0;
1180
1181    for (idx, key) in keys.iter().enumerate() {
1182        let expired = key.expires_at.is_some_and(|exp| exp.as_datetime() < &now);
1183
1184        let real_hash = PasswordHash::new(&key.hash);
1185        let verify_against = match (&real_hash, expired, any_match) {
1186            (Ok(h), false, 0) => h,
1187            _ => &dummy_hash,
1188        };
1189
1190        let slot_ok = u8::from(
1191            Argon2::default()
1192                .verify_password(token.as_bytes(), verify_against)
1193                .is_ok(),
1194        );
1195
1196        let real_match = slot_ok & u8::from(!expired) & u8::from(real_hash.is_ok());
1197        let first_real_match = real_match & (1 - any_match);
1198        if first_real_match.ct_eq(&1).into() {
1199            matched_index = idx;
1200        }
1201        any_match |= real_match;
1202    }
1203
1204    if any_match == 0 {
1205        return None;
1206    }
1207    let key = keys.get(matched_index)?;
1208    Some(AuthIdentity {
1209        name: key.name.clone(),
1210        role: key.role.clone(),
1211        method: AuthMethod::BearerToken,
1212        raw_token: None,
1213        sub: None,
1214    })
1215}
1216
1217/// Fixed Argon2id PHC hash used as a constant-time placeholder when an
1218/// API-key slot is expired, malformed, or follows the matching slot.
1219///
1220/// Generated once on first access using the same default Argon2 cost
1221/// parameters as live verifications, so the dummy verify takes
1222/// indistinguishable wall time from a real one. The plaintext
1223/// (`"rmcp-server-kit-dummy"`) and the fixed salt are unrelated to any
1224/// real credential — randomness is unnecessary because this hash is
1225/// only ever compared against attacker-supplied input on slots that
1226/// will be discarded regardless of match result. Using a fixed salt
1227/// avoids depending on `rand_core`'s `getrandom` feature, which is not
1228/// activated transitively in every feature configuration of this crate.
1229static DUMMY_PHC_HASH: LazyLock<String> = LazyLock::new(|| {
1230    // 16 bytes of base64 (`AAAA...`) — minimum valid Argon2 salt length.
1231    #[allow(
1232        clippy::expect_used,
1233        reason = "fixed 22-char base64 ('AAAA...') decodes to a valid 16-byte salt; SaltString::from_b64 is infallible on this literal"
1234    )]
1235    let salt = SaltString::from_b64("AAAAAAAAAAAAAAAAAAAAAA")
1236        .expect("fixed 16-byte base64 salt is well-formed");
1237    #[allow(
1238        clippy::expect_used,
1239        reason = "Argon2::default() with a fixed plaintext and a well-formed salt is infallible; only fails on bad params/salt"
1240    )]
1241    Argon2::default()
1242        .hash_password(b"rmcp-server-kit-dummy", &salt)
1243        .expect("Argon2 default params hash a fixed plaintext")
1244        .to_string()
1245});
1246
1247/// Generate a new API key: 256-bit random token + Argon2id hash.
1248///
1249/// Returns `(plaintext_token, argon2id_hash_phc_string)`.
1250/// The plaintext is shown once to the user and never stored.
1251///
1252/// # Errors
1253///
1254/// Returns an error if salt encoding or Argon2id hashing fails
1255/// (should not happen with valid inputs, but we avoid panicking).
1256pub fn generate_api_key() -> Result<(String, String), McpxError> {
1257    let mut token_bytes = [0u8; 32];
1258    rand::fill(&mut token_bytes);
1259    let token = URL_SAFE_NO_PAD.encode(token_bytes);
1260
1261    // Generate 16 random bytes for salt, encode as base64 for SaltString.
1262    let mut salt_bytes = [0u8; 16];
1263    rand::fill(&mut salt_bytes);
1264    let salt = SaltString::encode_b64(&salt_bytes)
1265        .map_err(|e| McpxError::Auth(format!("salt encoding failed: {e}")))?;
1266    let hash = Argon2::default()
1267        .hash_password(token.as_bytes(), &salt)
1268        .map_err(|e| McpxError::Auth(format!("argon2id hashing failed: {e}")))?
1269        .to_string();
1270
1271    Ok((token, hash))
1272}
1273
1274fn build_www_authenticate_value(
1275    advertise_resource_metadata: bool,
1276    failure: AuthFailureClass,
1277) -> String {
1278    let (error, error_description) = failure.bearer_error();
1279    if advertise_resource_metadata {
1280        return format!(
1281            "Bearer resource_metadata=\"/.well-known/oauth-protected-resource\", error=\"{error}\", error_description=\"{error_description}\""
1282        );
1283    }
1284    format!("Bearer error=\"{error}\", error_description=\"{error_description}\"")
1285}
1286
1287fn auth_method_label(method: AuthMethod) -> &'static str {
1288    match method {
1289        AuthMethod::MtlsCertificate => "mTLS",
1290        AuthMethod::BearerToken => "bearer token",
1291        AuthMethod::OAuthJwt => "OAuth JWT",
1292    }
1293}
1294
1295#[cfg_attr(not(feature = "oauth"), allow(unused_variables))]
1296fn unauthorized_response(state: &AuthState, failure_class: AuthFailureClass) -> Response {
1297    #[cfg(feature = "oauth")]
1298    let advertise_resource_metadata = state.jwks_cache.is_some();
1299    #[cfg(not(feature = "oauth"))]
1300    let advertise_resource_metadata = false;
1301
1302    let challenge = build_www_authenticate_value(advertise_resource_metadata, failure_class);
1303    (
1304        axum::http::StatusCode::UNAUTHORIZED,
1305        [(header::WWW_AUTHENTICATE, challenge)],
1306        failure_class.response_body(),
1307    )
1308        .into_response()
1309}
1310
1311// cancel-safe: no shared-state mutation. The Argon2 verification is offloaded
1312// to `spawn_blocking`; dropping its `JoinHandle` on cancellation detaches the
1313// task (the hash completes off-task, harmlessly) rather than tearing partial
1314// state. The OAuth branch delegates to `validate_token_with_reason`, which is
1315// itself cancel-safe (read-only JWKS lookup + pure claim checks).
1316async fn authenticate_bearer_identity(
1317    state: &AuthState,
1318    token: &str,
1319) -> Result<AuthIdentity, AuthFailureClass> {
1320    let mut failure_class = AuthFailureClass::MissingCredential;
1321
1322    #[cfg(feature = "oauth")]
1323    if let Some(ref cache) = state.jwks_cache
1324        && crate::oauth::looks_like_jwt(token)
1325    {
1326        match cache.validate_token_with_reason(token).await {
1327            Ok(mut id) => {
1328                id.raw_token = Some(SecretString::from(token.to_owned()));
1329                return Ok(id);
1330            }
1331            Err(crate::oauth::JwtValidationFailure::Expired) => {
1332                failure_class = AuthFailureClass::ExpiredCredential;
1333            }
1334            Err(crate::oauth::JwtValidationFailure::Invalid) => {
1335                failure_class = AuthFailureClass::InvalidCredential;
1336            }
1337        }
1338    }
1339
1340    let token = token.to_owned();
1341    let keys = state.api_keys.load_full(); // Arc clone, lock-free
1342
1343    // Argon2id is CPU-bound - offload to blocking thread pool.
1344    let identity = tokio::task::spawn_blocking(move || verify_bearer_token(&token, &keys))
1345        .await
1346        .ok()
1347        .flatten();
1348
1349    if let Some(id) = identity {
1350        return Ok(id);
1351    }
1352
1353    if failure_class == AuthFailureClass::MissingCredential {
1354        failure_class = AuthFailureClass::InvalidCredential;
1355    }
1356
1357    Err(failure_class)
1358}
1359
1360/// Consult the pre-auth abuse gate for the given peer.
1361///
1362/// Returns `Some(response)` if the request should be rejected (limiter
1363/// configured AND quota exhausted for this source IP). Returns `None`
1364/// otherwise (limiter absent, peer address unknown, or quota available),
1365/// in which case the caller should proceed with credential verification.
1366///
1367/// Side effects on rejection: increments the `pre_auth_gate` failure
1368/// counter and emits a warn-level log. mTLS-authenticated requests must
1369/// be admitted by the caller *before* invoking this helper.
1370fn pre_auth_gate(state: &AuthState, client_ip: Option<IpAddr>) -> Option<Response> {
1371    let limiter = state.pre_auth_limiter.as_ref()?;
1372    let ip = client_ip?;
1373    let Err(wait) = limiter.check_key_wait(&ip) else {
1374        return None;
1375    };
1376    state.counters.record_failure(AuthFailureClass::PreAuthGate);
1377    tracing::warn!(
1378        %ip,
1379        "auth rate limited by pre-auth gate (request rejected before credential verification)"
1380    );
1381    Some(
1382        McpxError::RateLimitedFor {
1383            message: "too many unauthenticated requests from this source".into(),
1384            retry_after: wait,
1385        }
1386        .into_response(),
1387    )
1388}
1389
1390/// Axum middleware that enforces authentication.
1391///
1392/// Tries authentication methods in priority order:
1393/// 1. mTLS client certificate identity (populated by TLS acceptor)
1394/// 2. Bearer token from `Authorization` header
1395///
1396/// Failed authentication attempts are rate-limited per source IP.
1397/// Successful authentications do not consume rate limit budget.
1398pub(crate) async fn auth_middleware(
1399    state: Arc<AuthState>,
1400    req: Request<Body>,
1401    next: Next,
1402) -> Response {
1403    // Extract the mTLS identity from ConnectInfo (TLS / mTLS:
1404    // ConnectInfo<TlsConnInfo> carries the verified identity directly on
1405    // the connection — no shared map, no port-reuse aliasing) and the
1406    // rate-limit key (resolved client IP when trusted-forwarder mode is
1407    // active, else the direct peer; see transport::limiter_client_ip).
1408    let tls_info = req.extensions().get::<ConnectInfo<TlsConnInfo>>().cloned();
1409    let client_ip = crate::transport::limiter_client_ip(req.extensions());
1410
1411    // 1. Try mTLS identity (extracted by the TLS acceptor during handshake
1412    //    and attached to the connection itself).
1413    //
1414    //    mTLS connections bypass the pre-auth abuse gate below: the TLS
1415    //    handshake already performed expensive crypto with a verified peer,
1416    //    so we trust them not to be a CPU-spray attacker.
1417    if let Some(id) = tls_info.and_then(|ci| ci.0.identity) {
1418        state.log_auth(&id, "mTLS");
1419        let mut req = req;
1420        req.extensions_mut().insert(id);
1421        return next.run(req).await;
1422    }
1423
1424    // 2. Pre-auth abuse gate: rejects CPU-spray attacks BEFORE the Argon2id
1425    //    verification path runs. Keyed by source IP. mTLS connections (above)
1426    //    are exempt; this gate only protects the bearer/JWT verification path.
1427    if let Some(blocked) = pre_auth_gate(&state, client_ip) {
1428        #[cfg(feature = "metrics")]
1429        crate::metrics::record_rate_limit_deny(req.extensions(), "auth_pre");
1430        return blocked;
1431    }
1432
1433    let failure_class = if let Some(value) = req.headers().get(header::AUTHORIZATION) {
1434        match value.to_str().ok().and_then(extract_bearer) {
1435            Some(token) => match authenticate_bearer_identity(&state, token).await {
1436                Ok(id) => {
1437                    state.log_auth(&id, auth_method_label(id.method));
1438                    let mut req = req;
1439                    req.extensions_mut().insert(id);
1440                    return next.run(req).await;
1441                }
1442                Err(class) => class,
1443            },
1444            None => AuthFailureClass::InvalidCredential,
1445        }
1446    } else {
1447        AuthFailureClass::MissingCredential
1448    };
1449
1450    tracing::warn!(failure_class = %failure_class.as_str(), "auth failed");
1451
1452    // Rate limit check (applied after auth failure only).
1453    // Successful authentications do not consume rate limit budget.
1454    if let (Some(limiter), Some(ip)) = (&state.rate_limiter, client_ip)
1455        && let Err(wait) = limiter.check_key_wait(&ip)
1456    {
1457        state.counters.record_failure(AuthFailureClass::RateLimited);
1458        #[cfg(feature = "metrics")]
1459        crate::metrics::record_rate_limit_deny(req.extensions(), "auth_post");
1460        tracing::warn!(%ip, "auth rate limited after repeated failures");
1461        return McpxError::RateLimitedFor {
1462            message: "too many failed authentication attempts".into(),
1463            retry_after: wait,
1464        }
1465        .into_response();
1466    }
1467
1468    state.counters.record_failure(failure_class);
1469    unauthorized_response(&state, failure_class)
1470}
1471
1472#[cfg(test)]
1473mod tests {
1474    use super::*;
1475
1476    #[test]
1477    fn generate_and_verify_api_key() {
1478        let (token, hash) = generate_api_key().unwrap();
1479
1480        // Token is 43 chars (256-bit base64url, no padding)
1481        assert_eq!(token.len(), 43);
1482
1483        // Hash is a valid PHC string
1484        assert!(hash.starts_with("$argon2id$"));
1485
1486        // Verification succeeds with correct token
1487        let keys = vec![ApiKeyEntry {
1488            name: "test".into(),
1489            hash,
1490            role: "viewer".into(),
1491            expires_at: None,
1492        }];
1493        let id = verify_bearer_token(&token, &keys);
1494        assert!(id.is_some());
1495        let id = id.unwrap();
1496        assert_eq!(id.name, "test");
1497        assert_eq!(id.role, "viewer");
1498        assert_eq!(id.method, AuthMethod::BearerToken);
1499    }
1500
1501    #[test]
1502    fn wrong_token_rejected() {
1503        let (_token, hash) = generate_api_key().unwrap();
1504        let keys = vec![ApiKeyEntry {
1505            name: "test".into(),
1506            hash,
1507            role: "viewer".into(),
1508            expires_at: None,
1509        }];
1510        assert!(verify_bearer_token("wrong-token", &keys).is_none());
1511    }
1512
1513    #[test]
1514    fn expired_key_rejected() {
1515        let (token, hash) = generate_api_key().unwrap();
1516        let keys = vec![ApiKeyEntry {
1517            name: "test".into(),
1518            hash,
1519            role: "viewer".into(),
1520            expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1521        }];
1522        assert!(verify_bearer_token(&token, &keys).is_none());
1523    }
1524
1525    #[test]
1526    fn match_in_last_slot_still_authenticates() {
1527        let (token, hash) = generate_api_key().unwrap();
1528        let (_other_token, other_hash) = generate_api_key().unwrap();
1529        let keys = vec![
1530            ApiKeyEntry {
1531                name: "first".into(),
1532                hash: other_hash.clone(),
1533                role: "viewer".into(),
1534                expires_at: None,
1535            },
1536            ApiKeyEntry {
1537                name: "second".into(),
1538                hash: other_hash,
1539                role: "viewer".into(),
1540                expires_at: None,
1541            },
1542            ApiKeyEntry {
1543                name: "match".into(),
1544                hash,
1545                role: "ops".into(),
1546                expires_at: None,
1547            },
1548        ];
1549        let id = verify_bearer_token(&token, &keys).expect("last-slot match must authenticate");
1550        assert_eq!(id.name, "match");
1551        assert_eq!(id.role, "ops");
1552    }
1553
1554    #[test]
1555    fn expired_slot_before_valid_match_does_not_short_circuit() {
1556        let (token, hash) = generate_api_key().unwrap();
1557        let (_, other_hash) = generate_api_key().unwrap();
1558        let keys = vec![
1559            ApiKeyEntry {
1560                name: "expired".into(),
1561                hash: other_hash,
1562                role: "viewer".into(),
1563                expires_at: Some(RfcTimestamp::parse("2020-01-01T00:00:00Z").unwrap()),
1564            },
1565            ApiKeyEntry {
1566                name: "valid".into(),
1567                hash,
1568                role: "ops".into(),
1569                expires_at: None,
1570            },
1571        ];
1572        let id = verify_bearer_token(&token, &keys)
1573            .expect("valid slot following an expired slot must authenticate");
1574        assert_eq!(id.name, "valid");
1575    }
1576
1577    #[test]
1578    fn malformed_hash_slot_does_not_short_circuit() {
1579        let (token, hash) = generate_api_key().unwrap();
1580        let keys = vec![
1581            ApiKeyEntry {
1582                name: "broken".into(),
1583                hash: "this-is-not-a-phc-string".into(),
1584                role: "viewer".into(),
1585                expires_at: None,
1586            },
1587            ApiKeyEntry {
1588                name: "valid".into(),
1589                hash,
1590                role: "ops".into(),
1591                expires_at: None,
1592            },
1593        ];
1594        let id = verify_bearer_token(&token, &keys)
1595            .expect("valid slot following a malformed-hash slot must authenticate");
1596        assert_eq!(id.name, "valid");
1597    }
1598
1599    // Regression tests for H3 (api_key_expires_at_fail_open).
1600    //
1601    // Prior to 1.6.0 the runtime expiry check used a chained
1602    // `if let Some(_) && let Ok(exp) = parse(_) && exp < now` which
1603    // silently fell through on parse error, letting a key with
1604    // `expires_at = "not-a-date"` authenticate forever. These tests
1605    // pin the type-system fix: malformed RFC 3339 is rejected at
1606    // deserialization time (no `RfcTimestamp` can ever be malformed),
1607    // and the runtime check is a pure comparison with no parse path.
1608
1609    #[test]
1610    fn rfc_timestamp_parse_rejects_malformed() {
1611        for bad in [
1612            "not-a-date",
1613            "",
1614            "2025-13-01T00:00:00Z", // month 13
1615            "2025-01-32T00:00:00Z", // day 32
1616            "2025-01-01T00:00:00",  // missing offset
1617            "01/01/2025",           // wrong format
1618            "2025-01-01T25:00:00Z", // hour 25
1619        ] {
1620            assert!(
1621                RfcTimestamp::parse(bad).is_err(),
1622                "RfcTimestamp::parse must reject {bad:?}"
1623            );
1624        }
1625    }
1626
1627    #[test]
1628    fn rfc_timestamp_parse_accepts_valid() {
1629        for good in [
1630            "2025-01-01T00:00:00Z",
1631            "2025-01-01T00:00:00+00:00",
1632            "2025-12-31T23:59:59-08:00",
1633            "2099-01-01T00:00:00.123456789Z",
1634        ] {
1635            assert!(
1636                RfcTimestamp::parse(good).is_ok(),
1637                "RfcTimestamp::parse must accept {good:?}"
1638            );
1639        }
1640    }
1641
1642    #[test]
1643    fn api_key_entry_deserialize_rejects_malformed_expires_at() {
1644        // TOML with a malformed expires_at must fail to deserialize.
1645        // This is the load-time defense: a typo in auth.toml aborts
1646        // config load with a clear serde error, instead of producing
1647        // a key that authenticates forever (the H3 fail-open).
1648        let toml = r#"
1649            name = "bad-key"
1650            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1651            role = "viewer"
1652            expires_at = "not-a-date"
1653        "#;
1654        let result: Result<ApiKeyEntry, _> = toml::from_str(toml);
1655        assert!(
1656            result.is_err(),
1657            "deserialization must reject malformed expires_at"
1658        );
1659    }
1660
1661    #[test]
1662    fn api_key_entry_deserialize_accepts_valid_expires_at() {
1663        let toml = r#"
1664            name = "good-key"
1665            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1666            role = "viewer"
1667            expires_at = "2099-01-01T00:00:00Z"
1668        "#;
1669        let entry: ApiKeyEntry = toml::from_str(toml).expect("valid RFC 3339 must deserialize");
1670        assert!(entry.expires_at.is_some());
1671    }
1672
1673    #[test]
1674    fn api_key_entry_deserialize_accepts_missing_expires_at() {
1675        // Omitting expires_at must continue to mean "no expiry"; this
1676        // is the documented contract and must survive the H3 fix.
1677        let toml = r#"
1678            name = "eternal-key"
1679            hash = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdA$h4sh"
1680            role = "viewer"
1681        "#;
1682        let entry: ApiKeyEntry = toml::from_str(toml).expect("missing expires_at must deserialize");
1683        assert!(entry.expires_at.is_none());
1684    }
1685
1686    #[test]
1687    fn try_with_expiry_rejects_malformed() {
1688        let entry = ApiKeyEntry::new("k", "hash", "viewer");
1689        assert!(entry.try_with_expiry("not-a-date").is_err());
1690    }
1691
1692    #[test]
1693    fn try_with_expiry_accepts_valid() {
1694        let entry = ApiKeyEntry::new("k", "hash", "viewer")
1695            .try_with_expiry("2099-01-01T00:00:00Z")
1696            .expect("valid RFC 3339 must be accepted");
1697        assert!(entry.expires_at.is_some());
1698    }
1699
1700    #[test]
1701    fn api_key_summary_serializes_expires_at_as_rfc3339() {
1702        // The admin endpoint wire format is `{"expires_at": "RFC 3339 str"}`.
1703        // Pinning this prevents an accidental serialization-format change
1704        // (e.g. chrono's debug form, a Unix timestamp) that would silently
1705        // break operator tooling that parses these payloads.
1706        let summary = ApiKeySummary {
1707            name: "k".into(),
1708            role: "viewer".into(),
1709            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
1710        };
1711        let json = serde_json::to_string(&summary).unwrap();
1712        assert!(
1713            json.contains(r#""expires_at":"2030-01-01T00:00:00+00:00""#),
1714            "wire format regressed: {json}"
1715        );
1716    }
1717
1718    #[test]
1719    fn future_expiry_accepted() {
1720        let (token, hash) = generate_api_key().unwrap();
1721        let keys = vec![ApiKeyEntry {
1722            name: "test".into(),
1723            hash,
1724            role: "viewer".into(),
1725            expires_at: Some(RfcTimestamp::parse("2099-01-01T00:00:00Z").unwrap()),
1726        }];
1727        assert!(verify_bearer_token(&token, &keys).is_some());
1728    }
1729
1730    #[test]
1731    fn multiple_keys_first_match_wins() {
1732        let (token, hash) = generate_api_key().unwrap();
1733        let keys = vec![
1734            ApiKeyEntry {
1735                name: "wrong".into(),
1736                hash: "$argon2id$v=19$m=19456,t=2,p=1$invalid$invalid".into(),
1737                role: "ops".into(),
1738                expires_at: None,
1739            },
1740            ApiKeyEntry {
1741                name: "correct".into(),
1742                hash,
1743                role: "deploy".into(),
1744                expires_at: None,
1745            },
1746        ];
1747        let id = verify_bearer_token(&token, &keys).unwrap();
1748        assert_eq!(id.name, "correct");
1749        assert_eq!(id.role, "deploy");
1750    }
1751
1752    #[test]
1753    fn rate_limiter_allows_within_quota() {
1754        let config = RateLimitConfig {
1755            max_attempts_per_minute: 5,
1756            pre_auth_max_per_minute: None,
1757            max_tracked_keys: default_max_tracked_keys(),
1758            idle_eviction: default_idle_eviction(),
1759            burst: None,
1760            pre_auth_burst: None,
1761        };
1762        let limiter = build_rate_limiter(&config);
1763        let ip: IpAddr = "10.0.0.1".parse().unwrap();
1764
1765        // First 5 should succeed.
1766        for _ in 0..5 {
1767            assert!(limiter.check_key(&ip).is_ok());
1768        }
1769        // 6th should fail.
1770        assert!(limiter.check_key(&ip).is_err());
1771    }
1772
1773    #[test]
1774    fn rate_limiter_separate_ips() {
1775        let config = RateLimitConfig {
1776            max_attempts_per_minute: 2,
1777            pre_auth_max_per_minute: None,
1778            max_tracked_keys: default_max_tracked_keys(),
1779            idle_eviction: default_idle_eviction(),
1780            burst: None,
1781            pre_auth_burst: None,
1782        };
1783        let limiter = build_rate_limiter(&config);
1784        let ip1: IpAddr = "10.0.0.1".parse().unwrap();
1785        let ip2: IpAddr = "10.0.0.2".parse().unwrap();
1786
1787        // Exhaust ip1's quota.
1788        assert!(limiter.check_key(&ip1).is_ok());
1789        assert!(limiter.check_key(&ip1).is_ok());
1790        assert!(limiter.check_key(&ip1).is_err());
1791
1792        // ip2 should still have quota.
1793        assert!(limiter.check_key(&ip2).is_ok());
1794    }
1795
1796    #[test]
1797    fn extract_mtls_identity_from_cn() {
1798        // Generate a cert with explicit CN.
1799        let mut params = rcgen::CertificateParams::new(vec!["test-client.local".into()]).unwrap();
1800        params.distinguished_name = rcgen::DistinguishedName::new();
1801        params
1802            .distinguished_name
1803            .push(rcgen::DnType::CommonName, "test-client");
1804        let cert = params
1805            .self_signed(&rcgen::KeyPair::generate().unwrap())
1806            .unwrap();
1807        let der = cert.der();
1808
1809        let id = extract_mtls_identity(der, "ops").unwrap();
1810        assert_eq!(id.name, "test-client");
1811        assert_eq!(id.role, "ops");
1812        assert_eq!(id.method, AuthMethod::MtlsCertificate);
1813    }
1814
1815    #[test]
1816    fn extract_mtls_identity_falls_back_to_san() {
1817        // Cert with no CN but has a DNS SAN.
1818        let mut params =
1819            rcgen::CertificateParams::new(vec!["san-only.example.com".into()]).unwrap();
1820        params.distinguished_name = rcgen::DistinguishedName::new();
1821        // No CN set - should fall back to DNS SAN.
1822        let cert = params
1823            .self_signed(&rcgen::KeyPair::generate().unwrap())
1824            .unwrap();
1825        let der = cert.der();
1826
1827        let id = extract_mtls_identity(der, "viewer").unwrap();
1828        assert_eq!(id.name, "san-only.example.com");
1829        assert_eq!(id.role, "viewer");
1830    }
1831
1832    #[test]
1833    fn extract_mtls_identity_invalid_der() {
1834        assert!(extract_mtls_identity(b"not-a-cert", "viewer").is_none());
1835    }
1836
1837    // -- auth_middleware integration tests --
1838
1839    use axum::{
1840        body::Body,
1841        http::{Request, StatusCode},
1842    };
1843    use tower::ServiceExt as _;
1844
1845    fn auth_router(state: Arc<AuthState>) -> axum::Router {
1846        axum::Router::new()
1847            .route("/mcp", axum::routing::post(|| async { "ok" }))
1848            .layer(axum::middleware::from_fn(move |req, next| {
1849                let s = Arc::clone(&state);
1850                auth_middleware(s, req, next)
1851            }))
1852    }
1853
1854    fn test_auth_state(keys: Vec<ApiKeyEntry>) -> Arc<AuthState> {
1855        Arc::new(AuthState {
1856            api_keys: ArcSwap::new(Arc::new(keys)),
1857            rate_limiter: None,
1858            pre_auth_limiter: None,
1859            #[cfg(feature = "oauth")]
1860            jwks_cache: None,
1861            seen_identities: SeenIdentitySet::new(),
1862            counters: AuthCounters::default(),
1863        })
1864    }
1865
1866    #[tokio::test]
1867    async fn middleware_rejects_no_credentials() {
1868        let state = test_auth_state(vec![]);
1869        let app = auth_router(Arc::clone(&state));
1870        let req = Request::builder()
1871            .method(axum::http::Method::POST)
1872            .uri("/mcp")
1873            .body(Body::empty())
1874            .unwrap();
1875        let resp = app.oneshot(req).await.unwrap();
1876        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1877        let challenge = resp
1878            .headers()
1879            .get(header::WWW_AUTHENTICATE)
1880            .unwrap()
1881            .to_str()
1882            .unwrap();
1883        assert!(challenge.contains("error=\"invalid_request\""));
1884
1885        let counters = state.counters_snapshot();
1886        assert_eq!(counters.failure_missing_credential, 1);
1887    }
1888
1889    #[tokio::test]
1890    async fn middleware_accepts_valid_bearer() {
1891        let (token, hash) = generate_api_key().unwrap();
1892        let keys = vec![ApiKeyEntry {
1893            name: "test-key".into(),
1894            hash,
1895            role: "ops".into(),
1896            expires_at: None,
1897        }];
1898        let state = test_auth_state(keys);
1899        let app = auth_router(Arc::clone(&state));
1900        let req = Request::builder()
1901            .method(axum::http::Method::POST)
1902            .uri("/mcp")
1903            .header("authorization", format!("Bearer {token}"))
1904            .body(Body::empty())
1905            .unwrap();
1906        let resp = app.oneshot(req).await.unwrap();
1907        assert_eq!(resp.status(), StatusCode::OK);
1908
1909        let counters = state.counters_snapshot();
1910        assert_eq!(counters.success_bearer, 1);
1911    }
1912
1913    #[tokio::test]
1914    async fn middleware_rejects_wrong_bearer() {
1915        let (_token, hash) = generate_api_key().unwrap();
1916        let keys = vec![ApiKeyEntry {
1917            name: "test-key".into(),
1918            hash,
1919            role: "ops".into(),
1920            expires_at: None,
1921        }];
1922        let state = test_auth_state(keys);
1923        let app = auth_router(Arc::clone(&state));
1924        let req = Request::builder()
1925            .method(axum::http::Method::POST)
1926            .uri("/mcp")
1927            .header("authorization", "Bearer wrong-token-here")
1928            .body(Body::empty())
1929            .unwrap();
1930        let resp = app.oneshot(req).await.unwrap();
1931        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1932        let challenge = resp
1933            .headers()
1934            .get(header::WWW_AUTHENTICATE)
1935            .unwrap()
1936            .to_str()
1937            .unwrap();
1938        assert!(challenge.contains("error=\"invalid_token\""));
1939
1940        let counters = state.counters_snapshot();
1941        assert_eq!(counters.failure_invalid_credential, 1);
1942    }
1943
1944    #[tokio::test]
1945    async fn middleware_rate_limits() {
1946        let state = Arc::new(AuthState {
1947            api_keys: ArcSwap::new(Arc::new(vec![])),
1948            rate_limiter: Some(build_rate_limiter(&RateLimitConfig {
1949                max_attempts_per_minute: 1,
1950                pre_auth_max_per_minute: None,
1951                max_tracked_keys: default_max_tracked_keys(),
1952                idle_eviction: default_idle_eviction(),
1953                burst: None,
1954                pre_auth_burst: None,
1955            })),
1956            pre_auth_limiter: None,
1957            #[cfg(feature = "oauth")]
1958            jwks_cache: None,
1959            seen_identities: SeenIdentitySet::new(),
1960            counters: AuthCounters::default(),
1961        });
1962        let app = auth_router(state);
1963
1964        // First request: UNAUTHORIZED (no credentials, but not rate limited)
1965        let req = Request::builder()
1966            .method(axum::http::Method::POST)
1967            .uri("/mcp")
1968            .body(Body::empty())
1969            .unwrap();
1970        let resp = app.clone().oneshot(req).await.unwrap();
1971        assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
1972
1973        // Second request from same "IP" (no ConnectInfo in test, so peer_addr is None
1974        // and rate limiter won't fire). That's expected -- rate limiting requires
1975        // ConnectInfo which isn't available in unit tests without a real server.
1976        // This test verifies the middleware wiring doesn't panic.
1977    }
1978
1979    /// Verify that rate limit semantics: only failed auth attempts consume budget.
1980    ///
1981    /// This is a unit test of the limiter behavior. The middleware integration
1982    /// is that on auth failure, `check_key` is called; on auth success, it is NOT.
1983    /// Full e2e tests verify the middleware routing but require `ConnectInfo`.
1984    #[test]
1985    fn rate_limit_semantics_failed_only() {
1986        let config = RateLimitConfig {
1987            max_attempts_per_minute: 3,
1988            pre_auth_max_per_minute: None,
1989            max_tracked_keys: default_max_tracked_keys(),
1990            idle_eviction: default_idle_eviction(),
1991            burst: None,
1992            pre_auth_burst: None,
1993        };
1994        let limiter = build_rate_limiter(&config);
1995        let ip: IpAddr = "192.168.1.100".parse().unwrap();
1996
1997        // Simulate: 3 failed attempts should exhaust quota.
1998        assert!(
1999            limiter.check_key(&ip).is_ok(),
2000            "failure 1 should be allowed"
2001        );
2002        assert!(
2003            limiter.check_key(&ip).is_ok(),
2004            "failure 2 should be allowed"
2005        );
2006        assert!(
2007            limiter.check_key(&ip).is_ok(),
2008            "failure 3 should be allowed"
2009        );
2010        assert!(
2011            limiter.check_key(&ip).is_err(),
2012            "failure 4 should be blocked"
2013        );
2014
2015        // In the actual middleware flow:
2016        // - Successful auth: verify_bearer_token returns Some, we return early
2017        //   WITHOUT calling check_key, so no budget consumed.
2018        // - Failed auth: verify_bearer_token returns None, we call check_key
2019        //   THEN return 401, so budget is consumed.
2020        //
2021        // This means N successful requests followed by M failed requests
2022        // will only count M toward the rate limit, not N+M.
2023    }
2024
2025    // -- pre-auth abuse gate (H-S1) --
2026
2027    /// The pre-auth gate must default to ~10x the post-failure quota so honest
2028    /// retry storms never trip it but a Argon2-spray attacker is throttled.
2029    #[test]
2030    fn pre_auth_default_multiplier_is_10x() {
2031        let config = RateLimitConfig {
2032            max_attempts_per_minute: 5,
2033            pre_auth_max_per_minute: None,
2034            max_tracked_keys: default_max_tracked_keys(),
2035            idle_eviction: default_idle_eviction(),
2036            burst: None,
2037            pre_auth_burst: None,
2038        };
2039        let limiter = build_pre_auth_limiter(&config);
2040        let ip: IpAddr = "10.0.0.1".parse().unwrap();
2041
2042        // Quota should be 50 (5 * 10), not 5. We expect the first 50 to pass.
2043        for i in 0..50 {
2044            assert!(
2045                limiter.check_key(&ip).is_ok(),
2046                "pre-auth attempt {i} (of expected 50) should be allowed under default 10x multiplier"
2047            );
2048        }
2049        // The 51st attempt must be blocked: confirms quota is bounded, not infinite.
2050        assert!(
2051            limiter.check_key(&ip).is_err(),
2052            "pre-auth attempt 51 should be blocked (quota is 50, not unbounded)"
2053        );
2054    }
2055
2056    /// An explicit `pre_auth_max_per_minute` override must win over the
2057    /// 10x-multiplier default.
2058    #[test]
2059    fn pre_auth_explicit_override_wins() {
2060        let config = RateLimitConfig {
2061            max_attempts_per_minute: 100,     // would default to 1000 pre-auth quota
2062            pre_auth_max_per_minute: Some(2), // but operator caps at 2
2063            max_tracked_keys: default_max_tracked_keys(),
2064            idle_eviction: default_idle_eviction(),
2065            burst: None,
2066            pre_auth_burst: None,
2067        };
2068        let limiter = build_pre_auth_limiter(&config);
2069        let ip: IpAddr = "10.0.0.2".parse().unwrap();
2070
2071        assert!(limiter.check_key(&ip).is_ok(), "attempt 1 allowed");
2072        assert!(limiter.check_key(&ip).is_ok(), "attempt 2 allowed");
2073        assert!(
2074            limiter.check_key(&ip).is_err(),
2075            "attempt 3 must be blocked (explicit override of 2 wins over 10x default of 1000)"
2076        );
2077    }
2078
2079    /// The pre-auth gate's 429 must carry a Retry-After header.
2080    #[test]
2081    fn pre_auth_gate_deny_sets_retry_after() {
2082        let config = RateLimitConfig::new(100).with_pre_auth_max_per_minute(1);
2083        let state = AuthState {
2084            api_keys: ArcSwap::new(Arc::new(vec![])),
2085            rate_limiter: None,
2086            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2087            #[cfg(feature = "oauth")]
2088            jwks_cache: None,
2089            seen_identities: SeenIdentitySet::new(),
2090            counters: AuthCounters::default(),
2091        };
2092        let ip: IpAddr = "10.7.7.7".parse().unwrap();
2093        assert!(
2094            pre_auth_gate(&state, Some(ip)).is_none(),
2095            "first request within quota"
2096        );
2097        let resp = pre_auth_gate(&state, Some(ip)).expect("second request must be gated");
2098        assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
2099        let retry_after = resp
2100            .headers()
2101            .get(header::RETRY_AFTER)
2102            .expect("Retry-After present")
2103            .to_str()
2104            .unwrap()
2105            .parse::<u64>()
2106            .unwrap();
2107        assert!(retry_after >= 1, "delta-seconds must be >= 1");
2108    }
2109
2110    /// Post-failure limiter honors an explicit burst capacity.
2111    #[test]
2112    fn post_failure_limiter_burst_allows_initial_spike() {
2113        let config = RateLimitConfig::new(1).with_burst(3);
2114        let limiter = build_rate_limiter(&config);
2115        let ip: IpAddr = "10.6.6.6".parse().unwrap();
2116        for i in 0..3 {
2117            assert!(limiter.check_key(&ip).is_ok(), "burst attempt {i}");
2118        }
2119        assert!(
2120            limiter.check_key(&ip).is_err(),
2121            "attempt 4 must exceed the burst bucket"
2122        );
2123    }
2124
2125    /// End-to-end: the pre-auth gate must reject before the bearer-verification
2126    /// path runs. We exhaust the gate's quota (Some(1)) with one bad-bearer
2127    /// request, then the second request must be rejected with 429 + the
2128    /// `pre_auth_gate` failure counter incremented (NOT
2129    /// `failure_invalid_credential`, which would prove Argon2 ran).
2130    #[tokio::test]
2131    async fn pre_auth_gate_blocks_before_argon2_verification() {
2132        let (_token, hash) = generate_api_key().unwrap();
2133        let keys = vec![ApiKeyEntry {
2134            name: "test-key".into(),
2135            hash,
2136            role: "ops".into(),
2137            expires_at: None,
2138        }];
2139        let config = RateLimitConfig {
2140            max_attempts_per_minute: 100,
2141            pre_auth_max_per_minute: Some(1),
2142            max_tracked_keys: default_max_tracked_keys(),
2143            idle_eviction: default_idle_eviction(),
2144            burst: None,
2145            pre_auth_burst: None,
2146        };
2147        let state = Arc::new(AuthState {
2148            api_keys: ArcSwap::new(Arc::new(keys)),
2149            rate_limiter: None,
2150            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2151            #[cfg(feature = "oauth")]
2152            jwks_cache: None,
2153            seen_identities: SeenIdentitySet::new(),
2154            counters: AuthCounters::default(),
2155        });
2156        let app = auth_router(Arc::clone(&state));
2157        let peer: SocketAddr = "10.0.0.10:54321".parse().unwrap();
2158
2159        // First bad-bearer request: gate has quota, bearer verification runs,
2160        // returns 401 (invalid credential).
2161        let mut req1 = Request::builder()
2162            .method(axum::http::Method::POST)
2163            .uri("/mcp")
2164            .header("authorization", "Bearer obviously-not-a-real-token")
2165            .body(Body::empty())
2166            .unwrap();
2167        req1.extensions_mut().insert(ConnectInfo(peer));
2168        let resp1 = app.clone().oneshot(req1).await.unwrap();
2169        assert_eq!(
2170            resp1.status(),
2171            StatusCode::UNAUTHORIZED,
2172            "first attempt: gate has quota, falls through to bearer auth which fails with 401"
2173        );
2174
2175        // Second bad-bearer request from same IP: gate quota exhausted, must
2176        // reject with 429 BEFORE the Argon2 verification path runs.
2177        let mut req2 = Request::builder()
2178            .method(axum::http::Method::POST)
2179            .uri("/mcp")
2180            .header("authorization", "Bearer also-not-a-real-token")
2181            .body(Body::empty())
2182            .unwrap();
2183        req2.extensions_mut().insert(ConnectInfo(peer));
2184        let resp2 = app.oneshot(req2).await.unwrap();
2185        assert_eq!(
2186            resp2.status(),
2187            StatusCode::TOO_MANY_REQUESTS,
2188            "second attempt from same IP: pre-auth gate must reject with 429"
2189        );
2190
2191        let counters = state.counters_snapshot();
2192        assert_eq!(
2193            counters.failure_pre_auth_gate, 1,
2194            "exactly one request must have been rejected by the pre-auth gate"
2195        );
2196        // Critical: Argon2 verification must NOT have run on the gated request.
2197        // The first request's 401 increments `failure_invalid_credential` to 1;
2198        // the second (gated) request must NOT increment it further.
2199        assert_eq!(
2200            counters.failure_invalid_credential, 1,
2201            "bearer verification must run exactly once (only the un-gated first request)"
2202        );
2203    }
2204
2205    /// mTLS-authenticated requests must bypass the pre-auth gate entirely.
2206    /// The TLS handshake already performed expensive crypto with a verified
2207    /// peer, so mTLS callers should never be throttled by this gate.
2208    ///
2209    /// Setup: a pre-auth gate with quota 1 (very tight). Submit two mTLS
2210    /// requests in quick succession from the same IP. Both must succeed.
2211    #[tokio::test]
2212    async fn pre_auth_gate_does_not_throttle_mtls() {
2213        let config = RateLimitConfig {
2214            max_attempts_per_minute: 100,
2215            pre_auth_max_per_minute: Some(1), // tight: would block 2nd plain request
2216            max_tracked_keys: default_max_tracked_keys(),
2217            idle_eviction: default_idle_eviction(),
2218            burst: None,
2219            pre_auth_burst: None,
2220        };
2221        let state = Arc::new(AuthState {
2222            api_keys: ArcSwap::new(Arc::new(vec![])),
2223            rate_limiter: None,
2224            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2225            #[cfg(feature = "oauth")]
2226            jwks_cache: None,
2227            seen_identities: SeenIdentitySet::new(),
2228            counters: AuthCounters::default(),
2229        });
2230        let app = auth_router(Arc::clone(&state));
2231        let peer: SocketAddr = "10.0.0.20:54321".parse().unwrap();
2232        let identity = AuthIdentity {
2233            name: "cn=test-client".into(),
2234            role: "viewer".into(),
2235            method: AuthMethod::MtlsCertificate,
2236            raw_token: None,
2237            sub: None,
2238        };
2239        let tls_info = TlsConnInfo::new(peer, Some(identity));
2240
2241        for i in 0..3 {
2242            let mut req = Request::builder()
2243                .method(axum::http::Method::POST)
2244                .uri("/mcp")
2245                .body(Body::empty())
2246                .unwrap();
2247            req.extensions_mut().insert(ConnectInfo(tls_info.clone()));
2248            let resp = app.clone().oneshot(req).await.unwrap();
2249            assert_eq!(
2250                resp.status(),
2251                StatusCode::OK,
2252                "mTLS request {i} must succeed: pre-auth gate must not apply to mTLS callers"
2253            );
2254        }
2255
2256        let counters = state.counters_snapshot();
2257        assert_eq!(
2258            counters.failure_pre_auth_gate, 0,
2259            "pre-auth gate counter must remain at zero: mTLS bypasses the gate"
2260        );
2261        assert_eq!(
2262            counters.success_mtls, 3,
2263            "all three mTLS requests must have been counted as successful"
2264        );
2265    }
2266
2267    /// Pre-auth-gate denial must increment the `auth_pre` deny counter
2268    /// via the metrics handle in the request extensions.
2269    #[cfg(feature = "metrics")]
2270    #[tokio::test]
2271    async fn pre_auth_gate_deny_increments_counter() {
2272        let config = RateLimitConfig {
2273            max_attempts_per_minute: 100,
2274            pre_auth_max_per_minute: Some(1),
2275            max_tracked_keys: default_max_tracked_keys(),
2276            idle_eviction: default_idle_eviction(),
2277            burst: None,
2278            pre_auth_burst: None,
2279        };
2280        let state = Arc::new(AuthState {
2281            api_keys: ArcSwap::new(Arc::new(vec![])),
2282            rate_limiter: None,
2283            pre_auth_limiter: Some(build_pre_auth_limiter(&config)),
2284            #[cfg(feature = "oauth")]
2285            jwks_cache: None,
2286            seen_identities: SeenIdentitySet::new(),
2287            counters: AuthCounters::default(),
2288        });
2289        let app = auth_router(Arc::clone(&state));
2290        let metrics = Arc::new(crate::metrics::McpMetrics::new().expect("metrics registry"));
2291        let peer: SocketAddr = "10.0.0.30:54321".parse().expect("addr parses");
2292        let mk = || {
2293            let mut req = Request::builder()
2294                .method(axum::http::Method::POST)
2295                .uri("/mcp")
2296                .header("authorization", "Bearer not-a-real-token")
2297                .body(Body::empty())
2298                .expect("request builds");
2299            req.extensions_mut().insert(ConnectInfo(peer));
2300            req.extensions_mut().insert(Arc::clone(&metrics));
2301            req
2302        };
2303        let counter = |label: &str| metrics.rate_limited_total.with_label_values(&[label]).get();
2304
2305        let first = app.clone().oneshot(mk()).await.expect("first request");
2306        assert_eq!(first.status(), StatusCode::UNAUTHORIZED);
2307        assert_eq!(counter("auth_pre"), 0, "un-gated request must not count");
2308
2309        let gated = app.oneshot(mk()).await.expect("second request");
2310        assert_eq!(gated.status(), StatusCode::TOO_MANY_REQUESTS);
2311        assert_eq!(counter("auth_pre"), 1, "gated request must count once");
2312        assert_eq!(counter("auth_post"), 0, "post limiter never fired");
2313    }
2314
2315    /// Post-failure limiter denial must increment the `auth_post` deny
2316    /// counter via the metrics handle in the request extensions.
2317    #[cfg(feature = "metrics")]
2318    #[tokio::test]
2319    async fn post_failure_limiter_deny_increments_counter() {
2320        let config = RateLimitConfig {
2321            max_attempts_per_minute: 1, // tight: 2nd failure trips the limiter
2322            pre_auth_max_per_minute: None,
2323            max_tracked_keys: default_max_tracked_keys(),
2324            idle_eviction: default_idle_eviction(),
2325            burst: None,
2326            pre_auth_burst: None,
2327        };
2328        let state = Arc::new(AuthState {
2329            api_keys: ArcSwap::new(Arc::new(vec![])),
2330            rate_limiter: Some(build_rate_limiter(&config)),
2331            pre_auth_limiter: None,
2332            #[cfg(feature = "oauth")]
2333            jwks_cache: None,
2334            seen_identities: SeenIdentitySet::new(),
2335            counters: AuthCounters::default(),
2336        });
2337        let app = auth_router(Arc::clone(&state));
2338        let metrics = Arc::new(crate::metrics::McpMetrics::new().expect("metrics registry"));
2339        let peer: SocketAddr = "10.0.0.31:54321".parse().expect("addr parses");
2340        let mk = || {
2341            let mut req = Request::builder()
2342                .method(axum::http::Method::POST)
2343                .uri("/mcp")
2344                .header("authorization", "Bearer not-a-real-token")
2345                .body(Body::empty())
2346                .expect("request builds");
2347            req.extensions_mut().insert(ConnectInfo(peer));
2348            req.extensions_mut().insert(Arc::clone(&metrics));
2349            req
2350        };
2351        let counter = |label: &str| metrics.rate_limited_total.with_label_values(&[label]).get();
2352
2353        // First failure consumes the budget but is NOT itself limited.
2354        let first = app.clone().oneshot(mk()).await.expect("first request");
2355        assert_eq!(first.status(), StatusCode::UNAUTHORIZED);
2356        assert_eq!(counter("auth_post"), 0);
2357
2358        // Second failure trips the post-failure limiter.
2359        let limited = app.oneshot(mk()).await.expect("second request");
2360        assert_eq!(limited.status(), StatusCode::TOO_MANY_REQUESTS);
2361        assert_eq!(counter("auth_post"), 1, "deny must count once");
2362        assert_eq!(counter("auth_pre"), 0, "pre-auth gate disabled here");
2363    }
2364
2365    // -------------------------------------------------------------------
2366    // RFC 7235 §2.1 case-insensitive scheme parsing for `extract_bearer`.
2367    // -------------------------------------------------------------------
2368
2369    #[test]
2370    fn extract_bearer_accepts_canonical_case() {
2371        assert_eq!(extract_bearer("Bearer abc123"), Some("abc123"));
2372    }
2373
2374    #[test]
2375    fn extract_bearer_is_case_insensitive_per_rfc7235() {
2376        // RFC 7235 §2.1: "auth-scheme is case-insensitive".
2377        // Real-world clients (curl, browsers, custom HTTP libs) emit varied
2378        // casings; rejecting any of them is a spec violation.
2379        for header in &[
2380            "bearer abc123",
2381            "BEARER abc123",
2382            "BeArEr abc123",
2383            "bEaReR abc123",
2384        ] {
2385            assert_eq!(
2386                extract_bearer(header),
2387                Some("abc123"),
2388                "header {header:?} must parse as a Bearer token (RFC 7235 §2.1)"
2389            );
2390        }
2391    }
2392
2393    #[test]
2394    fn extract_bearer_rejects_other_schemes() {
2395        assert_eq!(extract_bearer("Basic dXNlcjpwYXNz"), None);
2396        assert_eq!(extract_bearer("Digest username=\"x\""), None);
2397        assert_eq!(extract_bearer("Token abc123"), None);
2398    }
2399
2400    #[test]
2401    fn extract_bearer_rejects_malformed() {
2402        // Empty string, no separator, scheme-only, scheme + only whitespace.
2403        assert_eq!(extract_bearer(""), None);
2404        assert_eq!(extract_bearer("Bearer"), None);
2405        assert_eq!(extract_bearer("Bearer "), None);
2406        assert_eq!(extract_bearer("Bearer    "), None);
2407    }
2408
2409    #[test]
2410    fn extract_bearer_tolerates_extra_separator_whitespace() {
2411        // Some non-conformant clients emit two spaces; we should still parse.
2412        assert_eq!(extract_bearer("Bearer  abc123"), Some("abc123"));
2413        assert_eq!(extract_bearer("Bearer   abc123"), Some("abc123"));
2414    }
2415
2416    // -------------------------------------------------------------------
2417    // Debug redaction: ensure `AuthIdentity` and `ApiKeyEntry` never leak
2418    // secret material via `format!("{:?}", …)` or `tracing::debug!(?…)`.
2419    // -------------------------------------------------------------------
2420
2421    #[test]
2422    fn auth_identity_debug_redacts_raw_token() {
2423        let id = AuthIdentity {
2424            name: "alice".into(),
2425            role: "admin".into(),
2426            method: AuthMethod::OAuthJwt,
2427            raw_token: Some(SecretString::from("super-secret-jwt-payload-xyz")),
2428            sub: Some("keycloak-uuid-2f3c8b".into()),
2429        };
2430        let dbg = format!("{id:?}");
2431
2432        // Plaintext fields must be visible (they are not secrets).
2433        assert!(dbg.contains("alice"), "name should be visible: {dbg}");
2434        assert!(dbg.contains("admin"), "role should be visible: {dbg}");
2435        assert!(dbg.contains("OAuthJwt"), "method should be visible: {dbg}");
2436
2437        // Secret fields must NOT leak.
2438        assert!(
2439            !dbg.contains("super-secret-jwt-payload-xyz"),
2440            "raw_token must be redacted in Debug output: {dbg}"
2441        );
2442        assert!(
2443            !dbg.contains("keycloak-uuid-2f3c8b"),
2444            "sub must be redacted in Debug output: {dbg}"
2445        );
2446        assert!(
2447            dbg.contains("<redacted>"),
2448            "redaction marker missing: {dbg}"
2449        );
2450    }
2451
2452    #[test]
2453    fn auth_identity_debug_marks_absent_secrets() {
2454        // For non-OAuth identities (mTLS / API key) the secret fields are
2455        // None; redacted Debug output should distinguish that from "present".
2456        let id = AuthIdentity {
2457            name: "viewer-key".into(),
2458            role: "viewer".into(),
2459            method: AuthMethod::BearerToken,
2460            raw_token: None,
2461            sub: None,
2462        };
2463        let dbg = format!("{id:?}");
2464        assert!(
2465            dbg.contains("<none>"),
2466            "absent secrets should be marked: {dbg}"
2467        );
2468        assert!(
2469            !dbg.contains("<redacted>"),
2470            "no <redacted> marker when secrets are absent: {dbg}"
2471        );
2472    }
2473
2474    #[test]
2475    fn api_key_entry_debug_redacts_hash() {
2476        let entry = ApiKeyEntry {
2477            name: "viewer-key".into(),
2478            // Realistic Argon2id PHC string (must NOT leak).
2479            hash: "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$h4sh3dPa55w0rd".into(),
2480            role: "viewer".into(),
2481            expires_at: Some(RfcTimestamp::parse("2030-01-01T00:00:00Z").unwrap()),
2482        };
2483        let dbg = format!("{entry:?}");
2484
2485        // Non-secret fields visible.
2486        assert!(dbg.contains("viewer-key"));
2487        assert!(dbg.contains("viewer"));
2488        assert!(dbg.contains("2030-01-01T00:00:00+00:00"));
2489
2490        // Hash material must NOT leak.
2491        assert!(
2492            !dbg.contains("$argon2id$"),
2493            "argon2 hash leaked into Debug output: {dbg}"
2494        );
2495        assert!(
2496            !dbg.contains("h4sh3dPa55w0rd"),
2497            "hash digest leaked into Debug output: {dbg}"
2498        );
2499        assert!(
2500            dbg.contains("<redacted>"),
2501            "redaction marker missing: {dbg}"
2502        );
2503    }
2504
2505    // -- AuthFailureClass exact-string contract tests --
2506    //
2507    // These tests pin the exact wire strings emitted for each failure
2508    // class. They exist to kill mutation-test mutants that replace the
2509    // match-arm string literals (e.g. with `""` or with the value from
2510    // another arm). Operators and dashboards rely on these literals
2511    // for metric labels and audit-log filters; any change is a
2512    // breaking observability change and must be reflected in
2513    // CHANGELOG.md.
2514
2515    #[test]
2516    fn auth_failure_class_as_str_exact_strings() {
2517        assert_eq!(
2518            AuthFailureClass::MissingCredential.as_str(),
2519            "missing_credential"
2520        );
2521        assert_eq!(
2522            AuthFailureClass::InvalidCredential.as_str(),
2523            "invalid_credential"
2524        );
2525        assert_eq!(
2526            AuthFailureClass::ExpiredCredential.as_str(),
2527            "expired_credential"
2528        );
2529        assert_eq!(AuthFailureClass::RateLimited.as_str(), "rate_limited");
2530        assert_eq!(AuthFailureClass::PreAuthGate.as_str(), "pre_auth_gate");
2531    }
2532
2533    #[test]
2534    fn auth_failure_class_response_body_exact_strings() {
2535        assert_eq!(
2536            AuthFailureClass::MissingCredential.response_body(),
2537            "unauthorized: missing credential"
2538        );
2539        assert_eq!(
2540            AuthFailureClass::InvalidCredential.response_body(),
2541            "unauthorized: invalid credential"
2542        );
2543        assert_eq!(
2544            AuthFailureClass::ExpiredCredential.response_body(),
2545            "unauthorized: expired credential"
2546        );
2547        assert_eq!(
2548            AuthFailureClass::RateLimited.response_body(),
2549            "rate limited"
2550        );
2551        assert_eq!(
2552            AuthFailureClass::PreAuthGate.response_body(),
2553            "rate limited (pre-auth)"
2554        );
2555    }
2556
2557    #[test]
2558    fn auth_failure_class_bearer_error_exact_strings() {
2559        assert_eq!(
2560            AuthFailureClass::MissingCredential.bearer_error(),
2561            (
2562                "invalid_request",
2563                "missing bearer token or mTLS client certificate"
2564            )
2565        );
2566        assert_eq!(
2567            AuthFailureClass::InvalidCredential.bearer_error(),
2568            ("invalid_token", "token is invalid")
2569        );
2570        assert_eq!(
2571            AuthFailureClass::ExpiredCredential.bearer_error(),
2572            ("invalid_token", "token is expired")
2573        );
2574        assert_eq!(
2575            AuthFailureClass::RateLimited.bearer_error(),
2576            ("invalid_request", "too many failed authentication attempts")
2577        );
2578        assert_eq!(
2579            AuthFailureClass::PreAuthGate.bearer_error(),
2580            (
2581                "invalid_request",
2582                "too many unauthenticated requests from this source"
2583            )
2584        );
2585    }
2586
2587    // -- AuthConfig::summary boolean-flag contract tests --
2588    //
2589    // These tests pin the boolean flags emitted by `AuthConfig::summary`
2590    // so that mutations like deleting `!` (which would invert the
2591    // semantics of `bearer`) or replacing `is_some()` with `is_none()`
2592    // are caught immediately. The summary is consumed by `/admin/*`
2593    // diagnostics so any inversion is an operator-visible regression.
2594
2595    #[test]
2596    fn auth_config_summary_bearer_true_when_keys_present() {
2597        let (_token, hash) = generate_api_key().unwrap();
2598        let cfg = AuthConfig::with_keys(vec![ApiKeyEntry::new("k", hash, "viewer")]);
2599        let s = cfg.summary();
2600        assert!(s.enabled, "summary.enabled must reflect AuthConfig.enabled");
2601        assert!(
2602            s.bearer,
2603            "summary.bearer must be true when api_keys is non-empty (kills `!` deletion at L615)"
2604        );
2605        assert!(!s.mtls, "summary.mtls must be false when mtls is None");
2606        assert!(!s.oauth, "summary.oauth must be false when oauth is None");
2607        assert_eq!(s.api_keys.len(), 1);
2608        assert_eq!(s.api_keys[0].name, "k");
2609        assert_eq!(s.api_keys[0].role, "viewer");
2610    }
2611
2612    #[test]
2613    fn auth_config_summary_bearer_false_when_no_keys() {
2614        let cfg = AuthConfig::with_keys(vec![]);
2615        let s = cfg.summary();
2616        assert!(
2617            !s.bearer,
2618            "summary.bearer must be false when api_keys is empty (kills `!` deletion at L615)"
2619        );
2620        assert!(s.api_keys.is_empty());
2621    }
2622
2623    #[test]
2624    fn seen_identity_set_first_then_repeat() {
2625        let set = SeenIdentitySet::new();
2626        assert!(set.insert_is_first("alice"), "first sighting is first");
2627        assert!(
2628            !set.insert_is_first("alice"),
2629            "second sighting is not first"
2630        );
2631        assert!(set.insert_is_first("bob"));
2632        assert_eq!(set.len(), 2);
2633    }
2634
2635    #[test]
2636    fn seen_identity_set_evicts_oldest_at_cap() {
2637        let set = SeenIdentitySet::with_cap(2);
2638        assert!(set.insert_is_first("a"));
2639        assert!(set.insert_is_first("b"));
2640        // Cap reached; inserting "c" evicts "a".
2641        assert!(set.insert_is_first("c"));
2642        assert_eq!(set.len(), 2);
2643        // "a" was evicted, so it re-fires as "first" (matches the documented
2644        // bounded trade-off: re-INFO once on reappearance). Inserting "a"
2645        // here evicts "b" (next oldest), leaving {c, a}.
2646        assert!(set.insert_is_first("a"));
2647        assert_eq!(set.len(), 2);
2648        // "b" has now been evicted in turn, so it re-fires as "first" too.
2649        assert!(set.insert_is_first("b"));
2650        // Sanity: cap is never exceeded regardless of churn pattern.
2651        for i in 0..32 {
2652            set.insert_is_first(&format!("churn-{i}"));
2653            assert!(set.len() <= 2, "cap invariant must hold");
2654        }
2655    }
2656
2657    #[test]
2658    fn seen_identity_set_cap_zero_is_raised_to_one() {
2659        let set = SeenIdentitySet::with_cap(0);
2660        assert!(set.insert_is_first("only"));
2661        assert_eq!(set.len(), 1);
2662        // Next insert evicts "only".
2663        assert!(set.insert_is_first("next"));
2664        assert_eq!(set.len(), 1);
2665    }
2666
2667    #[test]
2668    fn seen_identity_set_fifo_does_not_refresh_on_repeat_hit() {
2669        // Locks in the FIFO contract: repeat hits MUST NOT bump an entry
2670        // to the back of the eviction queue (that would be LRU).
2671        let set = SeenIdentitySet::with_cap(2);
2672        assert!(set.insert_is_first("a")); // order=[a]
2673        assert!(set.insert_is_first("b")); // order=[a,b]
2674        // Repeat hit on "a" - if this were LRU, "a" would move to the back
2675        // and "b" would be the next eviction victim. Under FIFO, "a" stays
2676        // at the front (oldest by insertion).
2677        assert!(!set.insert_is_first("a"));
2678        // Insert "c" forces eviction. Under FIFO, "a" (oldest by insertion)
2679        // is evicted; "b" survives. Under LRU, "b" would have been evicted.
2680        assert!(set.insert_is_first("c"));
2681        // Prove "a" was evicted: re-inserting fires as first again.
2682        assert!(set.insert_is_first("a"));
2683        // Prove "b" was NOT evicted: re-inserting does NOT fire as first.
2684        // (If LRU semantics had snuck in, this assertion would fail.)
2685        // After the previous step, "a" eviction pushed out "b" as the new
2686        // oldest, so we must re-add "b" via a fresh insert path. To keep
2687        // the test deterministic we rebuild a small scenario:
2688        let set = SeenIdentitySet::with_cap(2);
2689        assert!(set.insert_is_first("x")); // order=[x]
2690        assert!(set.insert_is_first("y")); // order=[x,y]
2691        assert!(!set.insert_is_first("x")); // repeat hit (under FIFO: order unchanged)
2692        assert!(set.insert_is_first("z")); // evicts "x" under FIFO
2693        assert!(
2694            !set.insert_is_first("y"),
2695            "y must still be present (FIFO did not evict it)"
2696        );
2697        assert!(
2698            set.insert_is_first("x"),
2699            "x must have been evicted by FIFO (would NOT have been evicted under LRU)"
2700        );
2701    }
2702}