refactor: extract auth surface from http_request.hpp (656 → 497)

Step 2 of the FILE_LOC_MAX ratchet. Moves the auth/credentials member
declarations of class http_request — basic auth getters (get_user,
get_pass, get_digested_user), the TLS / client-certificate cluster
(has_tls_session, has_client_certificate, get_client_cert_*,
is_client_cert_verified, get_client_cert_not_before/after), and the
digest-auth verification entrypoints (check_digest_auth,
check_digest_auth_digest) — into a sibling public header
httpserver/http_request_auth.hpp.

Mechanism: in-class-body #include. The sibling header carries
declarations only and gates itself behind
SRC_HTTPSERVER_HTTP_REQUEST_HPP_INSIDE_CLASS_, which is #define'd
just before the include inside class http_request { ... } and
#undef'd immediately after. Including the sibling in any other
context raises a #error with a pointer back to http_request.hpp.
Doxygen still picks up the declarations through textual inclusion,
so the generated docs are unchanged. The header is installed
(nobase_include_HEADERS) so consumers building against an installed
libhttpserver see it transitively via <httpserver.hpp> /
httpserver/http_request.hpp; it is NOT added to the umbrella's
sub-header list because the inner gate forbids standalone inclusion.

No public ABI change: the methods remain member functions of
http_request, declared in the same access section, same signatures,
same noexcept. Consumer code (test/, examples/) is untouched.

FILE_LOC_MAX stays at 2700 — webserver.cpp (2673) still pins it.
Offender list down to five files.

Verification:
  make check                          51/51 PASS (includes hygiene,
                                      install-layout, doxygen,
                                      examples, readme, release-notes)
  ./scripts/check-file-size.sh        PASS at FILE_LOC_MAX=2700

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: etr

scripts/check-file-size.sh

@@ -35,7 +35,6 @@
 #   src/httpserver/webserver.hpp                845
 #   src/http_utils.cpp                          730
 #   src/httpserver/detail/webserver_impl.hpp    674
-#   src/httpserver/http_request.hpp             656
 #
 # FILE_LOC_MAX is pinned by the largest unfixed file (webserver.cpp at
 # 2673), so it cannot drop until the top offender is decomposed. The

src/Makefile.am

@@ -30,7 +30,7 @@ libhttpserver_la_SOURCES = string_utilities.cpp webserver.cpp http_utils.cpp fil
 # Detail headers (httpserver/detail/*.hpp) live here so they cannot leak to
 # downstream consumers — the public surface comes in through <httpserver.hpp>.
 noinst_HEADERS = httpserver/string_utilities.hpp httpserver/detail/modded_request.hpp httpserver/detail/http_endpoint.hpp httpserver/detail/body.hpp httpserver/detail/webserver_impl.hpp httpserver/detail/http_request_impl.hpp httpserver/detail/route_entry.hpp httpserver/detail/lambda_resource.hpp httpserver/detail/radix_tree.hpp httpserver/detail/route_cache.hpp gettext.h
-nobase_include_HEADERS = httpserver.hpp httpserver/body_kind.hpp httpserver/constants.hpp httpserver/create_webserver.hpp httpserver/create_test_request.hpp httpserver/webserver.hpp httpserver/websocket_handler.hpp httpserver/http_utils.hpp httpserver/ip_representation.hpp httpserver/file_info.hpp httpserver/http_request.hpp httpserver/http_response.hpp httpserver/http_resource.hpp httpserver/feature_unavailable.hpp httpserver/iovec_entry.hpp httpserver/http_arg_value.hpp httpserver/http_method.hpp httpserver/hook_phase.hpp httpserver/hook_action.hpp httpserver/hook_handle.hpp httpserver/hook_context.hpp
+nobase_include_HEADERS = httpserver.hpp httpserver/body_kind.hpp httpserver/constants.hpp httpserver/create_webserver.hpp httpserver/create_test_request.hpp httpserver/webserver.hpp httpserver/websocket_handler.hpp httpserver/http_utils.hpp httpserver/ip_representation.hpp httpserver/file_info.hpp httpserver/http_request.hpp httpserver/http_request_auth.hpp httpserver/http_response.hpp httpserver/http_resource.hpp httpserver/feature_unavailable.hpp httpserver/iovec_entry.hpp httpserver/http_arg_value.hpp httpserver/http_method.hpp httpserver/hook_phase.hpp httpserver/hook_action.hpp httpserver/hook_handle.hpp httpserver/hook_context.hpp
 
 AM_CXXFLAGS += -fPIC -Wall
 

src/httpserver/http_request.hpp

@@ -135,38 +135,13 @@ class http_request {
  public:
      static const char EMPTY[];
 
-     /**
-      * Method used to get the username eventually passed through basic authentication.
-      * @return string representation of the username.
-      * @note The returned view is only valid within the handler's call frame.
-      *       Copy into std::string if the value must outlast the handler.
-      * @note (TASK-034 / PRD-FLG-REQ-001) Declared unconditionally.
-      *       When HAVE_BAUTH is undefined the implementation returns an
-      *       empty std::string_view sentinel (architecture spec §7).
-     **/
-     std::string_view get_user() const;
-
-     /**
-      * Method used to get the username extracted from a digest authentication.
-      * @return the username.
-      * @note The returned view is only valid within the handler's call frame.
-      *       Copy into std::string if the value must outlast the handler.
-      * @note (TASK-034 / PRD-FLG-REQ-001) Declared unconditionally.
-      *       When HAVE_DAUTH is undefined the implementation returns an
-      *       empty std::string_view sentinel (architecture spec §7).
-     **/
-     std::string_view get_digested_user() const;
-
-     /**
-      * Method used to get the password eventually passed through basic authentication.
-      * @return string representation of the password.
-      * @note The returned view is only valid within the handler's call frame.
-      *       Copy into std::string if the value must outlast the handler.
-      * @note (TASK-034 / PRD-FLG-REQ-001) Declared unconditionally.
-      *       When HAVE_BAUTH is undefined the implementation returns an
-      *       empty std::string_view sentinel (architecture spec §7).
-     **/
-     std::string_view get_pass() const;
+     // Basic auth, TLS/client-cert, and digest-auth member declarations
+     // live in a sibling header to keep this class definition under the
+     // project per-file LOC ceiling. The inner gate forces the header
+     // to be included only from within this class body.
+#define SRC_HTTPSERVER_HTTP_REQUEST_HPP_INSIDE_CLASS_
+#include "httpserver/http_request_auth.hpp"
+#undef SRC_HTTPSERVER_HTTP_REQUEST_HPP_INSIDE_CLASS_
 
      /**
       * Method used to get the path requested.
@@ -344,94 +319,6 @@ class http_request {
          return version;
      }
 
-     // ---------------------------------------------------------------
-     // TASK-019: high-level GnuTLS accessors. Declared unconditionally
-     // (no build-flag preprocessor gate) so the public surface is
-     // identical in TLS-enabled and TLS-disabled builds. When the
-     // library is built without GnuTLS the implementations return
-     // empty / false / -1 sentinels without throwing (architecture
-     // spec §7).
-     // ---------------------------------------------------------------
-
-     /**
-      * Method used to check whether the request was carried over a TLS
-      * session.
-      * @return true when a live TLS session is present, false otherwise
-      *         (including when HAVE_GNUTLS is disabled at build time).
-      **/
-     bool has_tls_session() const noexcept;
-
-     /**
-      * Method used to check whether the peer presented a client
-      * certificate over the TLS session.
-      * @return true when a peer certificate is available, false
-      *         otherwise (including when HAVE_GNUTLS is disabled at
-      *         build time).
-      **/
-     bool has_client_certificate() const noexcept;
-
-     /**
-      * Subject Distinguished Name from the client certificate.
-      * @return string_view over the cached subject DN; empty when no
-      *         peer cert is present or HAVE_GNUTLS is disabled.
-      * @note The returned view aliases storage owned by this
-      *       http_request and is only valid for the lifetime of the
-      *       request object (typically the handler invocation). Copy
-      *       into std::string to extend the lifetime.
-      **/
-     std::string_view get_client_cert_dn() const;
-
-     /**
-      * Issuer Distinguished Name from the client certificate.
-      * @return string_view over the cached issuer DN; empty when no
-      *         peer cert is present or HAVE_GNUTLS is disabled.
-      * @note Same lifetime contract as get_client_cert_dn().
-      **/
-     std::string_view get_client_cert_issuer_dn() const;
-
-     /**
-      * Common Name (CN) from the client certificate subject.
-      * @return string_view over the cached CN; empty when no peer cert
-      *         is present, the cert subject has no CN attribute, or
-      *         HAVE_GNUTLS is disabled.
-      * @note Multi-CN subjects: only the first CN is reported.
-      * @note Same lifetime contract as get_client_cert_dn().
-      **/
-     std::string_view get_client_cert_cn() const;
-
-     /**
-      * SHA-256 fingerprint of the client certificate (hex-encoded).
-      * @return string_view over the lowercase hex-encoded SHA-256
-      *         fingerprint (64 hex chars); empty when no peer cert is
-      *         present or HAVE_GNUTLS is disabled.
-      * @note Same lifetime contract as get_client_cert_dn().
-      **/
-     std::string_view get_client_cert_fingerprint_sha256() const;
-
-     /**
-      * Whether the peer certificate chain validated successfully against
-      * the configured trust anchors.
-      * @return true on successful validation, false otherwise (including
-      *         when no cert was presented or HAVE_GNUTLS is disabled).
-      **/
-     bool is_client_cert_verified() const noexcept;
-
-     /**
-      * Activation time (`Not Before`) of the client certificate, in
-      * seconds since the UNIX epoch.
-      * @return seconds-since-epoch as a 64-bit signed integer; -1 when
-      *         no peer cert is present or HAVE_GNUTLS is disabled.
-      **/
-     std::int64_t get_client_cert_not_before() const noexcept;
-
-     /**
-      * Expiration time (`Not After`) of the client certificate, in
-      * seconds since the UNIX epoch.
-      * @return seconds-since-epoch as a 64-bit signed integer; -1 when
-      *         no peer cert is present or HAVE_GNUTLS is disabled.
-      **/
-     std::int64_t get_client_cert_not_after() const noexcept;
-
      /**
       * Method used to get the requestor.
       * @return the requestor (IP address string).
@@ -445,52 +332,6 @@ class http_request {
      **/
      uint16_t get_requestor_port() const;
 
-     /**
-      * Digest-authenticate the current request against (@p realm, @p password).
-      *
-      * (TASK-034 / PRD-FLG-REQ-001) Declared unconditionally. When the
-      * library was built without HAVE_DAUTH the implementation returns
-      * the sentinel `digest_auth_result::WRONG_HEADER` (architecture
-      * spec §7 "returns a sentinel result") without touching MHD.
-      *
-      * @param realm         protection realm advertised in the WWW-Authenticate header.
-      * @param password      cleartext password to verify against.
-      * @param nonce_timeout nonce lifetime in seconds (0 = backend default).
-      * @param max_nc        max accepted nonce-count value (0 = backend default).
-      * @param algo          digest hash algorithm; defaults to SHA-256.
-      * @return one of the @ref httpserver::http::http_utils::digest_auth_result values.
-      **/
-     http::http_utils::digest_auth_result check_digest_auth(
-         const std::string& realm,
-         const std::string& password,
-         unsigned int nonce_timeout = 0,
-         uint32_t max_nc = 0,
-         http::http_utils::digest_algorithm algo = http::http_utils::digest_algorithm::SHA256) const;
-
-     /**
-      * Digest-authenticate using a pre-computed user digest (no cleartext password).
-      *
-      * Variant of @ref check_digest_auth that takes a raw H(A1) digest
-      * instead of a cleartext password. Same feature-flag behaviour:
-      * declared unconditionally; returns
-      * `digest_auth_result::WRONG_HEADER` on HAVE_DAUTH-off builds.
-      *
-      * @param realm          protection realm advertised in the WWW-Authenticate header.
-      * @param userdigest     pre-computed digest of the username/realm/password.
-      * @param userdigest_size size of @p userdigest in bytes.
-      * @param nonce_timeout  nonce lifetime in seconds (0 = backend default).
-      * @param max_nc         max accepted nonce-count value (0 = backend default).
-      * @param algo           digest hash algorithm; defaults to SHA-256.
-      * @return one of the @ref httpserver::http::http_utils::digest_auth_result values.
-     **/
-     http::http_utils::digest_auth_result check_digest_auth_digest(
-         const std::string& realm,
-         const void* userdigest,
-         size_t userdigest_size,
-         unsigned int nonce_timeout = 0,
-         uint32_t max_nc = 0,
-         http::http_utils::digest_algorithm algo = http::http_utils::digest_algorithm::SHA256) const;
-
      friend std::ostream &operator<< (std::ostream &os, http_request &r);
 
      ~http_request();