Module auth

SCRAM SHA-256 authentication primitives for the Haystack auth protocol.

This module implements the cryptographic operations needed for SCRAM (Salted Challenge Response Authentication Mechanism) with SHA-256 as specified by the Project Haystack auth spec.

It provides functions shared by both server and client implementations for the three-phase handshake: HELLO, SCRAM challenge/response, and BEARER token issuance.

Structs

ScramCredentials
Pre-computed SCRAM credentials for a user (stored server-side).
ScramHandshake
In-flight SCRAM handshake state held by the server between the server-first-message and client-final-message exchanges.

Enums

AuthError
Errors that can occur during SCRAM authentication.
AuthHeader
Parsed Haystack Authorization header.

Constants

DEFAULT_ITERATIONS
Default PBKDF2 iteration count for SCRAM SHA-256.

Functions

client_final_message
Client-side: Process server-first-message, produce client-final-message.
client_first_message
Client-side: Create the client-first-message data (base64-encoded).
derive_credentials
Derive SCRAM credentials from a password (for user creation/storage).
extract_client_nonce
Extract the client nonce from a base64-encoded client-first-message.
format_auth_info
Format a Haystack Authentication-Info header with the auth token.
format_www_authenticate
Format a Haystack WWW-Authenticate header for a SCRAM challenge.
generate_nonce
Generate a random nonce string (18 random bytes, base64-encoded).
parse_auth_header
Parse a Haystack Authorization header value.
server_first_message
Server-side: Create the server-first-message data and handshake state.
server_verify_final
Server-side: Verify client-final-message and produce server signature.