pub fn validate_username_token(
security_bytes: &[u8],
get_password: &dyn Fn(&str) -> Option<String>,
nonce_cache: &mut RotatingNonceCache,
tolerance_secs: i64,
now: DateTime<Utc>,
) -> Result<String, SoapFault>Expand description
Validate a WS-Security UsernameToken from a raw <wsse:Security> XML element.
Returns the authenticated username on success, or a SoapFault on failure.
§Arguments
security_bytes: raw XML bytes of the<wsse:Security>header child element.get_password: closure mapping a username to its stored plaintext password, orNoneif the user is unknown. Called with the username from the token.nonce_cache: replay-detection cache. Takes&mut self— the caller must hold an exclusive lock (e.g. viatokio::sync::Mutex) when calling this in an async context. SeeRotatingNonceCachefor thread-safety guidance.tolerance_secs: maximum age in seconds for the<wsu:Created>timestamp. Requests older than this are rejected as expired.now: current UTC time, used for timestamp freshness checks. PassUtc::now()in production; inject a fixed value in tests.
§Validation steps
- Parse the
<wsse:UsernameToken>fromsecurity_bytes. - Look up the stored password via
get_password. - Verify the password (PasswordDigest or PasswordText).
- Check that
<wsu:Created>is withintolerance_secsofnow. - Check the nonce for replay via
nonce_cache.