Skip to main content

validate_username_token

Function validate_username_token 

Source
pub fn validate_username_token(
    security_bytes: &[u8],
    get_password: &dyn Fn(&str) -> Option<String>,
    nonce_cache: &mut RotatingNonceCache,
    tolerance_secs: i64,
    now: DateTime<Utc>,
) -> Result<String, SoapFault>
Expand description

Validate a WS-Security UsernameToken from a raw <wsse:Security> XML element.

Returns the authenticated username on success, or a SoapFault on failure.

§Arguments

  • security_bytes: raw XML bytes of the <wsse:Security> header child element.
  • get_password: closure mapping a username to its stored plaintext password, or None if the user is unknown. Called with the username from the token.
  • nonce_cache: replay-detection cache. Takes &mut self — the caller must hold an exclusive lock (e.g. via tokio::sync::Mutex) when calling this in an async context. See RotatingNonceCache for thread-safety guidance.
  • tolerance_secs: maximum age in seconds for the <wsu:Created> timestamp. Requests older than this are rejected as expired.
  • now: current UTC time, used for timestamp freshness checks. Pass Utc::now() in production; inject a fixed value in tests.

§Validation steps

  1. Parse the <wsse:UsernameToken> from security_bytes.
  2. Look up the stored password via get_password.
  3. Verify the password (PasswordDigest or PasswordText).
  4. Check that <wsu:Created> is within tolerance_secs of now.
  5. Check the nonce for replay via nonce_cache.