miroir/crates/miroir-proxy
jedarden bb5f46403a feat(proxy): implement JWT session minting with scope validation (P5.21.b, §13.21)
Implement plan §13.21 auth layer 2 for search UI session tokens:

**JWT Claims Structure (plan §13.21):**
- Add `iss: "miroir"` claim to identify token issuer
- Add `scope: Vec<String>` for allowed actions (search, multi_search, beacon)
- Keep `idx`, `sub`, `iat`, `exp` claims
- Update `sign_jwt` to use "search-ui-session" as default sub

**Scope Validation (defense-in-depth):**
- Add `validate_jwt_scope()` function to check (method, path) against scope
- Validate `idx` claim matches target index for search/beacon endpoints
- Return `JwtValidationError::ScopeDenied` on mismatch
- Integrate into `dispatch_bearer()` for automatic enforcement

**Session Response (plan §13.21):**
- Update `SearchUiSessionResponse` to include `index` and `rate_limit` fields
- Return `token`, `expires_at`, `index`, `rate_limit` from session endpoint

**Authentication Modes:**
- `public`: unauthenticated, IP rate-limited
- `shared_key`: requires X-Search-UI-Key header
- `oauth_proxy`: requires upstream auth headers

Closes: miroir-uhj.21.2

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-24 04:47:27 -04:00
| Name | Last commit | Date |
| --- | --- | --- |
| src | feat(proxy): implement JWT session minting with scope validation (P5.21.b, §13.21) | 2026-05-24 04:47:27 -04:00 |
| static | Phase 5: Add Advanced Capabilities verification and UI static assets | 2026-05-03 19:01:22 -04:00 |
| tests | feat(multi-search): implement timeout enforcement and acceptance tests (§13.11) | 2026-05-24 01:54:20 -04:00 |
| Cargo.toml | fix(proxy): resolve CDC manager type mismatches in FromRef implementations | 2026-05-24 04:38:47 -04:00 |