feat(lib): add auth-kit

2026-02-02 14:26:24 +08:00
parent e49b33a464
commit 27a6791591
19 changed files with 1154 additions and 185 deletions
--- a/tests/jwks_e2e.rs
+++ b/tests/jwks_e2e.rs
@@ -0,0 +1,41 @@
+use axum::{Router, routing::get};
+use uuid::Uuid;
+
+#[tokio::test]
+async fn jwks_endpoint_allows_rs256_verification_via_auth_kit() {
+    let app = Router::new().route(
+        "/.well-known/jwks.json",
+        get(iam_service::handlers::jwks_handler),
+    );
+
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = listener.local_addr().unwrap();
+    let base_url = format!("http://{}", addr);
+
+    let handle = tokio::spawn(async move {
+        axum::serve(listener, app).await.unwrap();
+    });
+
+    let token = iam_service::utils::sign(
+        Uuid::new_v4(),
+        Uuid::new_v4(),
+        vec!["Admin".to_string()],
+        vec!["tenant:read".to_string()],
+        vec![],
+        0,
+    )
+    .unwrap();
+
+    let cfg = auth_kit::jwt::JwtVerifyConfig::rs256_from_jwks(
+        "iam-service",
+        &format!("{}/.well-known/jwks.json", base_url),
+    )
+    .unwrap();
+
+    let claims = auth_kit::jwt::verify(&token, &cfg).await.unwrap();
+    assert_eq!(claims.iss, "iam-service");
+    assert!(!claims.sub.is_empty());
+    assert!(!claims.tenant_id.is_empty());
+
+    handle.abort();
+}