matrix-org
diff --git a/‎Cargo.toml‎
Lines changed: 12 additions & 0 deletions b/‎Cargo.toml‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎crates/axum-utils/Cargo.toml‎
Lines changed: 3 additions & 0 deletions b/‎crates/axum-utils/Cargo.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎crates/axum-utils/src/client_authorization.rs‎
Lines changed: 11 additions & 0 deletions b/‎crates/axum-utils/src/client_authorization.rs‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎crates/axum-utils/src/cookies.rs‎
Lines changed: 7 additions & 0 deletions b/‎crates/axum-utils/src/cookies.rs‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎crates/axum-utils/src/csrf.rs‎
Lines changed: 14 additions & 0 deletions b/‎crates/axum-utils/src/csrf.rs‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎crates/axum-utils/src/http_client_factory.rs‎
Lines changed: 6 additions & 8 deletions b/‎crates/axum-utils/src/http_client_factory.rs‎
Lines changed: 6 additions & 8 deletions
diff --git a/‎crates/axum-utils/src/lib.rs‎
Lines changed: 2 additions & 9 deletions b/‎crates/axum-utils/src/lib.rs‎
Lines changed: 2 additions & 9 deletions
diff --git a/‎crates/axum-utils/src/session.rs‎
Lines changed: 5 additions & 0 deletions b/‎crates/axum-utils/src/session.rs‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎crates/axum-utils/src/user_authorization.rs‎
Lines changed: 12 additions & 0 deletions b/‎crates/axum-utils/src/user_authorization.rs‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎crates/cli/Cargo.toml‎
Lines changed: 3 additions & 0 deletions b/‎crates/cli/Cargo.toml‎
Lines changed: 3 additions & 0 deletions
@@ -12,6 +12,18 @@ package.edition = "2021"
 package.homepage = "https://matrix-org.github.io/matrix-authentication-service/"
 package.repository = "https://github.com/matrix-org/matrix-authentication-service/"
 
+[workspace.lints.rust]
+unsafe_code = "forbid"
+
+[workspace.lints.clippy]
+all = "deny"
+pedantic = "warn"
+
+str_to_string = "deny"
+
+[workspace.lints.rustdoc]
+broken_intra_doc_links = "deny"
+
 [workspace.dependencies]
 
 # High-level error handling
 
@@ -7,6 +7,9 @@ license.workspace = true
 homepage.workspace = true
 repository.workspace = true
 
+[lints]
+workspace = true
+
 [dependencies]
 async-trait = "0.1.74"
 axum = { version = "0.6.20", features = ["headers"] }
 
@@ -84,6 +84,12 @@ impl Credentials {
         }
     }
 
+    /// Fetch the client from the database
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the client could not be found or if the underlying
+    /// repository errored.
     pub async fn fetch<E>(
         &self,
         repo: &mut impl RepositoryAccess<Error = E>,
@@ -98,6 +104,11 @@ impl Credentials {
         repo.oauth2_client().find_by_client_id(client_id).await
     }
 
+    /// Verify credentials presented by the client for authentication
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the credentials are invalid.
     #[tracing::instrument(skip_all, err)]
     pub async fn verify(
         &self,
 
@@ -146,6 +146,13 @@ impl CookieJar {
         self
     }
 
+    /// Load and deserialize a cookie from the jar
+    ///
+    /// Returns `None` if the cookie is not present
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the cookie cannot be deserialized
     pub fn load<T: DeserializeOwned>(&self, key: &str) -> Result<Option<T>, CookieDecodeError> {
         let Some(cookie) = self.inner.get(key) else {
             return Ok(None);
 
@@ -80,6 +80,10 @@ impl CsrfToken {
     }
 
     /// Verifies that the value got from an HTML form matches this token
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the value in the form does not match this token
     pub fn verify_form_value(&self, form_value: &str) -> Result<(), CsrfError> {
         let form_value = BASE64URL_NOPAD.decode(form_value.as_bytes())?;
         if self.token[..] == form_value {
@@ -108,10 +112,20 @@ pub struct ProtectedForm<T> {
 }
 
 pub trait CsrfExt {
+    /// Get the current CSRF token out of the cookie jar, generating a new one
+    /// if necessary
     fn csrf_token<C, R>(self, clock: &C, rng: R) -> (CsrfToken, Self)
     where
         R: RngCore,
         C: Clock;
+
+    /// Verify that the given CSRF-protected form is valid, returning the inner
+    /// value
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the CSRF cookie is missing or if the value in the
+    /// form is invalid
     fn verify_form<C, T>(&self, clock: &C, form: ProtectedForm<T>) -> Result<T, CsrfError>
     where
         C: Clock;
 
@@ -29,6 +29,12 @@ pub struct HttpClientFactory {
 }
 
 impl HttpClientFactory {
+    /// Constructs a new HTTP client factory
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the client factory failed to initialise, which can
+    /// happen when it fails to load the system's CA certificates.
     pub async fn new() -> Result<Self, ClientInitError> {
         Ok(Self {
             traced_connector: make_traced_connector().await?,
@@ -37,10 +43,6 @@ impl HttpClientFactory {
     }
 
     /// Constructs a new HTTP client
-    ///
-    /// # Errors
-    ///
-    /// Returns an error if the client failed to initialise
     pub fn client<B>(&self, category: &'static str) -> ClientService<TracedClient<B>>
     where
         B: axum::body::HttpBody + Send,
@@ -54,10 +56,6 @@ impl HttpClientFactory {
     }
 
     /// Constructs a new [`HttpService`], suitable for `mas-oidc-client`
-    ///
-    /// # Errors
-    ///
-    /// Returns an error if the client failed to initialise
     pub fn http_service(&self, category: &'static str) -> HttpService {
         let client = self.client(category);
         let client = (
 
@@ -12,15 +12,8 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#![forbid(unsafe_code)]
-#![deny(
-    clippy::all,
-    clippy::str_to_string,
-    rustdoc::broken_intra_doc_links,
-    clippy::future_not_send
-)]
-#![warn(clippy::pedantic)]
-#![allow(clippy::module_name_repetitions, clippy::missing_errors_doc)]
+#![deny(clippy::future_not_send)]
+#![allow(clippy::module_name_repetitions)]
 
 pub mod client_authorization;
 pub mod cookies;
 
@@ -42,6 +42,11 @@ impl SessionInfo {
     }
 
     /// Load the [`BrowserSession`] from database
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the session is not found or if the session is not
+    /// active anymore
     pub async fn load_session<E>(
         &self,
         repo: &mut impl RepositoryAccess<Error = E>,
 
@@ -84,6 +84,13 @@ pub struct UserAuthorization<F = ()> {
 
 impl<F: Send> UserAuthorization<F> {
     // TODO: take scopes to validate as parameter
+    /// Verify a user authorization and return the session and the protected
+    /// form value
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the token is invalid, if the user session ended or
+    /// if the form is missing
     pub async fn protected_form<E>(
         self,
         repo: &mut impl RepositoryAccess<Error = E>,
@@ -103,6 +110,11 @@ impl<F: Send> UserAuthorization<F> {
     }
 
     // TODO: take scopes to validate as parameter
+    /// Verify a user authorization and return the session
+    ///
+    /// # Errors
+    ///
+    /// Returns an error if the token is invalid or if the user session ended
     pub async fn protected<E>(
         self,
         repo: &mut impl RepositoryAccess<Error = E>,
 
@@ -7,6 +7,9 @@ license.workspace = true
 homepage.workspace = true
 repository.workspace = true
 
+[lints]
+workspace = true
+
 [dependencies]
 anyhow.workspace = true
 axum = "0.6.20"