securitydept_token_set_context/access_token_substrate/forwarder/mod.rs
// ---------------------------------------------------------------------------
// Propagation forwarder trait boundary
// ---------------------------------------------------------------------------
//
// These traits define the formal contract between the access-token substrate
// and any concrete forwarder implementation. The substrate does not own the
// forwarder directly — it only provides `build_forwarder` using these traits.
//
// Traits and the shared error type are unconditionally available. Concrete
// forwarder implementations (e.g. the axum reverse-proxy forwarder) are
// feature-gated.
12
13use std::fmt;
14
15mod error;
16
17pub use error::{PropagationForwarderError, PropagationForwarderResult};
18
19use super::propagation::{PropagatedBearer, PropagationRequestTarget, TokenPropagator};
20
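/// Configuration source from which a propagation forwarder is built.
///
/// An implementor holds the settings a concrete [`PropagationForwarder`]
/// needs. The associated types tie the config shape to its forwarder and to
/// its construction error, which lets
/// `AccessTokenSubstrateRuntime::build_forwarder` stay generic over any
/// forwarder implementation.
///
/// `fmt::Debug` is a supertrait, so every config type can be printed with
/// `{:?}`.
/// NOTE(review): if an implementor's config carries secret material, its
/// `Debug` impl should redact those fields so they cannot end up in logs —
/// confirm per implementor.
pub trait PropagationForwarderConfigSource: fmt::Debug {
    /// Concrete forwarder type this configuration produces.
    type Forwarder: PropagationForwarder;
    /// Error type reported when forwarder construction fails.
    type Error: std::error::Error;

    /// Builds a forwarder from this configuration.
    ///
    /// # Errors
    ///
    /// Returns `Self::Error` when the forwarder cannot be constructed. The
    /// failure conditions are defined by the implementor, not by this trait.
    fn build_forwarder(&self) -> Result<Self::Forwarder, Self::Error>;
}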
37
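/// Runtime contract for a propagation forwarder.
///
/// Concrete implementations (e.g. `AxumReverseProxyPropagationForwarder`)
/// implement `forward` to carry out the transport-level forwarding of a
/// validated bearer token to a downstream target.
///
/// `fmt::Debug` is a supertrait, so a forwarder can be printed with `{:?}`.
/// NOTE(review): an implementor that stores credentials or other secret
/// material should keep it out of its `Debug` output — confirm per
/// implementor.
pub trait PropagationForwarder: fmt::Debug + Clone + Send + Sync + 'static {
    /// HTTP body type shared by the request and the response.
    type Body: Send + 'static;

    /// Validates and forwards a bearer token to a downstream propagation
    /// target.
    ///
    /// `propagator` handles destination-policy validation and construction
    /// of the authorization header. The concrete implementation is
    /// responsible for the actual HTTP transport. The returned future is
    /// `Send`.
    ///
    /// # Implementor notes
    ///
    /// - The signature hands the implementation the raw `bearer` and
    ///   `target`; nothing in this trait forces the policy check to run.
    ///   An implementation should take the outbound authorization header
    ///   from `propagator` and send nothing when the propagator rejects
    ///   `target`, so the bearer never reaches a destination the policy
    ///   does not allow. TODO: confirm against the `TokenPropagator` API.
    /// - `request` is passed through from the caller. Whether its existing
    ///   credential-bearing headers are removed or replaced before the
    ///   request goes downstream is decided by the implementation —
    ///   NOTE(review): verify in each concrete forwarder.
    /// - Avoid writing the bearer value into logs or error messages.
    ///
    /// # Errors
    ///
    /// Returns [`PropagationForwarderError`] when forwarding fails. Which
    /// failures (policy rejection, transport error) map to which variant is
    /// not visible from this trait.
    fn forward(
        &self,
        propagator: &TokenPropagator,
        bearer: &PropagatedBearer<'_>,
        target: &PropagationRequestTarget,
        request: http::Request<Self::Body>,
    ) -> impl Future<Output = Result<http::Response<Self::Body>, PropagationForwarderError>> + Send;
}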
60
// ---------------------------------------------------------------------------
// Concrete forwarder implementations (feature-gated)
// ---------------------------------------------------------------------------
64
65#[cfg(feature = "axum-reverse-proxy-propagation-forwarder")]
66mod axum_reverse_proxy;
67
68#[cfg(feature = "axum-reverse-proxy-propagation-forwarder")]
69pub use axum_reverse_proxy::{
70 AxumReverseProxyPropagationForwarder, AxumReverseProxyPropagationForwarderConfig,
71};