Struct DefaultRecoveryPolicy 

pub struct DefaultRecoveryPolicy {
    pub reset_token_ttl: Duration,
    pub request_rate_limit: (u32, Duration),
    pub consume_rate_limit: (u32, Duration),
    pub strict_mailer_required: bool,
}

Length-only / rate-limit-only baseline policy. Public fields plus chainable with_* setters so projects that want to tweak one knob don’t need to author a full trait impl.

Fields

reset_token_ttl: Duration

request_rate_limit: (u32, Duration)

consume_rate_limit: (u32, Duration)

strict_mailer_required: bool

Implementations

impl DefaultRecoveryPolicy

pub fn new() -> Self

New policy with the framework’s locked defaults (DESIGN_RECOVERY.md §17): TTL 1h, request 5/15min, consume 10/5min, strict-mailer guard off.

pub fn with_reset_token_ttl(self, ttl: ChronoDuration) -> Self

Override the reset-token TTL. Projects that want shorter blast-radius windows pass Duration::minutes(30); projects that need user-friendlier deadlines pass Duration::hours(2).

pub fn with_request_rate_limit(self, capacity: u32, window: StdDuration) -> Self

Override the request-endpoint rate-limit shape.

pub fn with_consume_rate_limit(self, capacity: u32, window: StdDuration) -> Self

Override the consume-endpoint rate-limit shape.

pub fn with_strict_mailer_required(self, required: bool) -> Self

Toggle the strict-mailer boot guard. When true, R1’s boot sequence (commits #7+) refuses to start with the default LogMailer. Default false.

Trait Implementations

impl Clone for DefaultRecoveryPolicy

fn clone(&self) -> DefaultRecoveryPolicy

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for DefaultRecoveryPolicy

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for DefaultRecoveryPolicy

fn default() -> Self

Returns the “default value” for a type.

impl RecoveryPolicy for DefaultRecoveryPolicy

fn reset_token_ttl(&self) -> ChronoDuration

How long a freshly-issued reset token stays valid. Default 1 hour. Locked-decision per DESIGN_RECOVERY.md §17.

fn request_rate_limit(&self) -> (u32, StdDuration)

Per-IP rate-limit on POST /admin/forgot-password. Returned as (capacity, window): at most capacity requests within window. Default (5, 15min).

fn consume_rate_limit(&self) -> (u32, StdDuration)

Per-IP rate-limit on POST /admin/reset-password/<token>. Tighter than the request limit since the consume path is the brute-force surface. Default (10, 5min).

fn strict_mailer_required(&self) -> bool

When true, the framework refuses to start at boot if the registered mailer is still the default crate::email::LogMailer (production deployments must opt in to a real mailer). Default false. Enforcement lands when the recovery handlers ship (R1 commit #7+); this commit ships the declaration only.

fn public_site_url(&self, req: &Request) -> Option<String>

Derive the absolute base URL the reset email’s link should point at. Default: see [derive_public_site_url] + trust-boundary docs on this trait. Projects override this method to return a fixed string (e.g. read from config) when header derivation isn’t appropriate for their topology.

fn login_throttle(&self) -> LoginThrottle

Auto-throttle parameters for the login flow. Default LoginThrottle::DEFAULT (5 / 10min / 15min). Projects override to relax for development environments (max_attempts: 100) or tighten for high-sensitivity deployments (max_attempts: 3, lock_minutes: 60).

fn reauth_window(&self) -> ChronoDuration

Window during which a session that has cleared the re-auth wall (/admin/reauth) is considered elevated and may access destructive admin-recovery surfaces (admin-driven password reset, lock, unlock, revoke-sessions). Default 15 minutes (DESIGN_R2_ORGANISATIONAL.md §12 locked-decision).

fn mfa_step_seconds(&self) -> u64

TOTP step interval in seconds. Locked at 30 per DESIGN_R3_MFA.md Appendix B — RFC 6238 industry standard for interop with every common authenticator app (Google Authenticator, Authy, 1Password, Bitwarden, Aegis, Raivo, etc.). Returning a different value would break the QR provisioning URL’s implicit period; the design treats this as a major-version concern.

fn mfa_skew_steps(&self) -> u32

TOTP step skew tolerance, in steps. Locked at 1 per DESIGN_R3_MFA.md Appendix B — gives a 90-second total acceptance window at the canonical 30-second step (current ± 1 ≡ [current - 1, current + 1]). The design treats wider skew as a security regression: 2-step skew would accept a code generated 60 seconds ago, which extends the network-replay window without improving UX for users with reasonable clock drift.

fn scope_for(&self, _identity: &Identity) -> Option<SharedRecoveryPolicy>

Multi-tenant readiness hook. Returns Some(scoped_policy) to scope rate-limits / TTLs / lockout windows per tenant when an authenticated identity is in scope; returns None to mean “no scoping, the caller continues to use the Admin-bound recovery policy unchanged”.