Skip to main content

rvoip_auth_core/
lib.rs

1//! # Auth-Core - Authentication and Authorization Primitives for RVoIP
2//!
3//! `rvoip-auth-core` provides cryptographic and token-validation primitives
4//! used across the RVoIP workspace. It does not own SIP dialog state, SIP
5//! request retry orchestration, or `WWW-Authenticate` / `Authorization` header
6//! routing. The SIP application layer in `rvoip-sip` owns those protocol
7//! workflows and calls into this crate for the underlying algorithms.
8//!
9//! ## SIP Digest Primitives
10//!
11//! [`DigestAuthenticator`] generates Digest challenges and validates Digest
12//! responses. [`DigestClient`] computes UAC responses for challenges. They are
13//! used by `rvoip-sip` for SIP Digest over `401 WWW-Authenticate` /
14//! `Authorization` and `407 Proxy-Authenticate` / `Proxy-Authorization`.
15//!
16//! Supported Digest algorithms are MD5, MD5-sess, SHA-256, SHA-256-sess,
17//! SHA-512-256, and SHA-512-256-sess. An omitted Digest `algorithm` defaults
18//! to MD5 for legacy SIP/PBX compatibility; unknown algorithms fail instead of
19//! silently downgrading.
20//!
21//! ## Bearer and Token Validators
22//!
23//! [`BearerValidator`] is the common async validation trait for Bearer tokens.
24//! [`JwtValidator`], [`JwksJwtValidator`], [`OAuth2IntrospectionValidator`],
25//! and [`AAuthValidator`] are concrete validator families that can be plugged
26//! into `rvoip-sip`'s `SipAuthService` for UAS-side SIP Bearer validation.
27//! JWT and JWKS validators can optionally call [`TokenRevocationChecker`] with
28//! token `jti` context after signature, issuer, audience, and expiry checks.
29//!
30//! ## Provider Contracts
31//!
32//! Protocol crates and applications use provider traits to integrate with
33//! users-core, Keycloak/OIDC, LDAP/AD, Redis, IMS infrastructure, or custom
34//! services without coupling protocol code to a database. These contracts
35//! include [`PasswordVerifier`], [`DigestSecretProvider`], [`ApiKeyVerifier`],
36//! [`TokenRevocationChecker`], [`DigestReplayStore`], [`AuthAuditSink`], and
37//! [`AuthRateLimiter`].
38//!
39//! ## Other Auth Building Blocks
40//!
41//! The crate also includes DPoP validation ([`DpopValidator`]) and HTTP
42//! Message Signatures style envelope verification ([`Sig9421Verifier`]).
43//! These are standalone primitives; protocol-specific negotiation and retry
44//! behavior belongs in the crate that owns that protocol surface.
45
46pub mod aauth;
47pub mod bearer;
48pub mod dpop;
49pub mod error;
50pub mod introspection;
51pub mod jwks;
52pub mod jwt;
53pub mod providers;
54pub mod sig9421;
55pub mod sip_digest;
56pub mod types;
57
58pub use aauth::{AAuthValidator, ActorClaims, ActorTokenValidator};
59pub use bearer::{bearer_stub, BearerAuthError, BearerValidator};
60pub use dpop::{
61    jwk_thumbprint, DpopError, DpopProof, DpopValidator, ValidatedDpop, DEFAULT_IAT_LEEWAY,
62    DEFAULT_JTI_CACHE_CAPACITY,
63};
64pub use error::{AuthError, Result};
65pub use introspection::OAuth2IntrospectionValidator;
66pub use jwks::{JwksJwtValidator, DEFAULT_JWKS_CACHE_TTL};
67pub use jwt::JwtValidator;
68pub use providers::{
69    ApiKeyVerifier, AuthAuditEvent, AuthAuditOutcome, AuthAuditScheme, AuthAuditSink,
70    AuthFailureReason, AuthRateLimitKey, AuthRateLimitKind, AuthRateLimitVerdict, AuthRateLimiter,
71    CredentialAuthError, DigestNonceStatus, DigestReplayStore, DigestSecret, DigestSecretProvider,
72    PasswordVerifier, TokenRevocationChecker, TokenRevocationContext, TokenRevocationStatus,
73};
74pub use sig9421::{
75    EnvelopeSignature, KeyResolver, Sig9421Error, Sig9421Verifier, StaticKeyResolver,
76    DEFAULT_REPLAY_CACHE_CAPACITY, DEFAULT_SIG_REPLAY_TTL,
77};
78pub use sip_digest::{
79    DigestAlgorithm, DigestAuthenticator, DigestChallenge, DigestChallengeDetails, DigestClient,
80    DigestComputed, DigestResponse,
81};