pub struct AuthConfig {
pub scopes: Arc<HashMap<String, TokenScope>>,
pub deprecated_count: usize,
pub dev_mode_allowed: bool,
}Expand description
Snapshot of authentication configuration loaded from the process environment at server start. Cloned cheaply into each request.
scopes is empty in dev mode (no TENSOR_WASM_API_TOKENS set or env
empty), in which case bearer_auth passes every request through
unchecked. Otherwise each allowlisted bearer token maps to the
TokenScope that came out of parse_tokens_env at startup.
Fields§
§scopes: Arc<HashMap<String, TokenScope>>Allowlisted bearer tokens → tenant scope. Empty = dev mode (pass-through with startup warning).
deprecated_count: usizeCount of entries that used the legacy bare-token shape. The server emits a single deprecation warning at startup if this is nonzero.
dev_mode_allowed: boolWhether dev-mode pass-through is permitted when scopes is empty.
Only meaningful in dev mode (scopes.is_empty()). When false,
bearer_auth fails closed and rejects every request with
401 Unauthorized rather than passing it through with
AuthContext::dev. Set from ENV_ALLOW_DEV_MODE by
AuthConfig::from_env; defaults to true for programmatic
constructors (see ENV_ALLOW_DEV_MODE for the rationale).
Implementations§
Source§impl AuthConfig
impl AuthConfig
Sourcepub fn from_env() -> Self
pub fn from_env() -> Self
Load the allowlist from $TENSOR_WASM_API_TOKENS. Unset or empty
means “no auth” (dev mode). Logs a one-shot warning in dev mode and
a one-shot deprecation warning whenever any legacy bare entries were
observed.
Sourcepub fn from_tokens<I, S>(iter: I) -> Self
pub fn from_tokens<I, S>(iter: I) -> Self
Construct directly from an explicit allowlist. Each token gets the
wildcard scope — preserves backwards-compatible behaviour for tests
that pre-date scoped tokens. For tests that need a non-wildcard
scope, build the map directly or use AuthConfig::from_scopes.
Sourcepub fn from_scopes<I, S>(iter: I) -> Self
pub fn from_scopes<I, S>(iter: I) -> Self
Construct from an explicit token → scope map. Used by integration tests that drive scoped-token paths directly.
Sourcepub fn accepts(&self, token: &str) -> bool
pub fn accepts(&self, token: &str) -> bool
true if the supplied bearer token is allowlisted.
Uses a constant-time byte comparison against every allowlisted entry
so the time taken to reject a bad token does not leak which prefix
(if any) matched an allowlist entry. Delegates to scope_for.
Sourcepub fn scope_for(&self, token: &str) -> Option<&TokenScope>
pub fn scope_for(&self, token: &str) -> Option<&TokenScope>
Resolve token to its TokenScope if allowlisted.
Iterates the full allowlist and uses subtle::ConstantTimeEq for
each entry rather than a HashMap::get. The hash-table lookup
short-circuits on hash mismatch and then bytes-eq matching entries,
which is timing-leakable for token discovery — an attacker can
measure how long the gateway took to reject a candidate token and
infer how close it got to a real entry. The loop runs over every
allowlist entry on every call, and we deliberately do NOT break
after a hit so the wall-clock cost is constant w.r.t. the matched
entry’s position. Hashing still happens internally (scopes is an
Arc<HashMap> for cheap clones) but the lookup path is no longer
hash-keyed; the map is used purely as a (token, scope) store here.
Sourcepub fn is_dev_mode(&self) -> bool
pub fn is_dev_mode(&self) -> bool
true if no allowlist was configured (dev mode).
Trait Implementations§
Source§impl Clone for AuthConfig
impl Clone for AuthConfig
Source§fn clone(&self) -> AuthConfig
fn clone(&self) -> AuthConfig
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read moreSource§impl Debug for AuthConfig
impl Debug for AuthConfig
Source§impl Default for AuthConfig
impl Default for AuthConfig
Source§fn default() -> Self
fn default() -> Self
An empty allowlist with dev mode allowed. Programmatic construction
is an explicit in-process opt-in, so it preserves the historical
pass-through behaviour (the ENV_ALLOW_DEV_MODE gate applies only to
the env-driven AuthConfig::from_env path).
Auto Trait Implementations§
impl Freeze for AuthConfig
impl RefUnwindSafe for AuthConfig
impl Send for AuthConfig
impl Sync for AuthConfig
impl Unpin for AuthConfig
impl UnsafeUnpin for AuthConfig
impl UnwindSafe for AuthConfig
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
Source§impl<T> FutureExt for T
impl<T> FutureExt for T
Source§fn with_context(self, otel_cx: Context) -> WithContext<Self>
fn with_context(self, otel_cx: Context) -> WithContext<Self>
Source§fn with_current_context(self) -> WithContext<Self>
fn with_current_context(self) -> WithContext<Self>
impl<A, B, T> HttpServerConnExec<A, B> for Twhere
B: Body,
Source§impl<T> Instrument for T
impl<T> Instrument for T
Source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
Source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
Source§impl<T> IntoEither for T
impl<T> IntoEither for T
Source§fn into_either(self, into_left: bool) -> Either<Self, Self>
fn into_either(self, into_left: bool) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left is true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read moreSource§fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
self into a Left variant of Either<Self, Self>
if into_left(&self) returns true.
Converts self into a Right variant of Either<Self, Self>
otherwise. Read more