hessra-api
| Crates.io | hessra-api |
| lib.rs | hessra-api |
| version | 0.5.0 |
| created_at | 2025-04-01 19:57:26.85209+00 |
| updated_at | 2025-08-23 17:09:26.801759+00 |
| description | API client for Hessra authentication services |
| homepage | |
| repository | https://github.com/Hessra-Labs/hessra-sdk.rs |
| max_upload_size | |
| id | 1615435 |
| size | 93,327 |
Jake (jcorrv)
documentation
README
Hessra API
HTTP client for Hessra authentication and authorization services.
This crate provides a client for making HTTP requests to the Hessra services. It supports both HTTP/1.1 and HTTP/3 (as an optional feature) and implements the OpenAPI specification for the Hessra service.
Features
- HTTP/1.1 client for Hessra services
- Optional HTTP/3 support via the
http3feature flag - Dual authentication support: mTLS and identity tokens
- Identity token endpoints for authentication without certificates
- Authorization token endpoints with optional identity token authentication
- Multi-party token signing via the
/sign_tokenendpoint - Mutual TLS (mTLS) for secure client authentication (optional for most endpoints)
- Bearer token authentication using identity tokens
- Proper error handling with custom error types
- Comprehensive test coverage
Usage
Creating a Client
use hessra_api::HessraClient;
use hessra_config::HessraConfig;
// Load configuration from environment variables
let config = HessraConfig::from_env("HESSRA")?;
// Create a client using the configuration
let client = HessraClient::builder()
.from_config(&config)
.build()?;
// Or create a client manually
let client = HessraClient::builder()
.base_url("test.hessra.net")
.port(443)
.protocol(Protocol::Http1)
.mtls_cert(include_str!("../certs/client.crt"))
.mtls_key(include_str!("../certs/client.key"))
.server_ca(include_str!("../certs/ca.crt"))
.public_key("optional-public-key")
.personal_keypair("optional-keypair")
.build()?;
Identity Tokens
// Request a new identity token (requires mTLS)
let identity_response = client.request_identity_token(Some("urn:hessra:alice")).await?;
let identity_token = identity_response.token;
// Refresh an identity token (can use existing token for auth)
let refreshed = client.refresh_identity_token(
identity_token.clone(),
Some("urn:hessra:alice")
).await?;
Requesting Authorization Tokens
// Request a token using mTLS authentication
let resource = "example-resource".to_string();
let operation = "read".to_string();
let token = client.request_token(resource, operation).await?;
// Request a token using identity token authentication (no mTLS required)
let token = client.request_token_with_identity(
"example-resource",
"read",
identity_token
).await?;
Verifying a Token
// Verify the token
let subject = "example-user".to_string();
let resource = "example-resource".to_string();
let operation = "read".to_string();
let result = client.verify_token(token, subject, resource, operation).await?;
Getting the Public Key
The public_key endpoint is available for both authenticated and unauthenticated requests. If requesting the public_key with an authenticated request and authentication fails, the request will fail.
// Retrieve the server's public key
let public_key = client.get_public_key().await?;
// Or fetch the public key without creating a client
let public_key = HessraClient::fetch_public_key(
"test.hessra.net",
Some(443),
include_str!("../certs/ca.crt"),
).await?;
Verifying a Service Chain Token
// Verify a service chain token
let result = client.verify_service_chain_token(
token,
subject,
resource,
operation,
Some("component-name".to_string()), // or None to verify the token against the full service chain
).await?;
Multi-Party Token Signing
Sign a token that requires multi-party authorization:
// Sign a token using the /sign_token endpoint
let signed_response = client.sign_token(
"token_to_sign",
"resource_name",
"operation"
).await?;
if let Some(signed_token) = signed_response.token {
println!("Token signed successfully: {}", signed_token);
} else if let Some(pending_signoffs) = signed_response.pending_signoffs {
println!("Token still requires {} more signoffs", pending_signoffs.len());
}
HTTP/3 Support
To use HTTP/3, enable the http3 feature in your Cargo.toml:
[dependencies]
hessra-api = { version = "0.4.0", features = ["http3"] }
Then create a client with the HTTP/3 protocol:
let client = HessraClient::builder()
.protocol(Protocol::Http3)
// ... other configuration
.build()?;
Error Handling
The API client provides a custom error type ApiError that includes detailed information about any errors that occur. Errors are categorized into specific types such as HTTP client errors, SSL configuration errors, token request errors, etc.
match client.request_token(resource).await {
Ok(token) => {
// Use the token
},
Err(e) => {
match e {
ApiError::HttpClient(e) => {
// Handle HTTP client error
},
ApiError::SslConfig(e) => {
// Handle SSL configuration error
},
// Handle other error types
_ => {
// Generic error handling
}
}
}
}
Examples
See the examples directory for complete usage examples:
client_example.rs: Basic usage of the HTTP/1.1 clienthttp3_example.rs: Using the HTTP/3 client (requires thehttp3feature)
Integration with hessra-config
This crate is designed to work seamlessly with the hessra-config crate, which provides configuration management for Hessra services. You can create a client directly from a HessraConfig instance, which makes it easy to share configuration between multiple components.