RubyGems - spikard - Versions diffs - 0.3.6 → 0.6.1 - Mend

spikard 0.3.6 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (142) hide show

checksums.yaml +4 -4
data/LICENSE +1 -1
data/README.md +674 -659
data/ext/spikard_rb/Cargo.toml +17 -17
data/ext/spikard_rb/extconf.rb +13 -10
data/ext/spikard_rb/src/lib.rs +6 -6
data/lib/spikard/app.rb +405 -386
data/lib/spikard/background.rb +27 -27
data/lib/spikard/config.rb +396 -396
data/lib/spikard/converters.rb +13 -13
data/lib/spikard/handler_wrapper.rb +113 -113
data/lib/spikard/provide.rb +214 -214
data/lib/spikard/response.rb +173 -173
data/lib/spikard/schema.rb +243 -243
data/lib/spikard/sse.rb +111 -111
data/lib/spikard/streaming_response.rb +44 -44
data/lib/spikard/testing.rb +256 -221
data/lib/spikard/upload_file.rb +131 -131
data/lib/spikard/version.rb +5 -5
data/lib/spikard/websocket.rb +59 -59
data/lib/spikard.rb +43 -43
data/sig/spikard.rbs +366 -366
data/vendor/crates/spikard-bindings-shared/Cargo.toml +63 -0
data/vendor/crates/spikard-bindings-shared/examples/config_extraction.rs +132 -0
data/vendor/crates/spikard-bindings-shared/src/config_extractor.rs +752 -0
data/vendor/crates/spikard-bindings-shared/src/conversion_traits.rs +194 -0
data/vendor/crates/spikard-bindings-shared/src/di_traits.rs +246 -0
data/vendor/crates/spikard-bindings-shared/src/error_response.rs +401 -0
data/vendor/crates/spikard-bindings-shared/src/handler_base.rs +238 -0
data/vendor/crates/spikard-bindings-shared/src/lib.rs +24 -0
data/vendor/crates/spikard-bindings-shared/src/lifecycle_base.rs +292 -0
data/vendor/crates/spikard-bindings-shared/src/lifecycle_executor.rs +616 -0
data/vendor/crates/spikard-bindings-shared/src/response_builder.rs +305 -0
data/vendor/crates/spikard-bindings-shared/src/test_client_base.rs +248 -0
data/vendor/crates/spikard-bindings-shared/src/validation_helpers.rs +351 -0
data/vendor/crates/spikard-bindings-shared/tests/comprehensive_coverage.rs +454 -0
data/vendor/crates/spikard-bindings-shared/tests/error_response_edge_cases.rs +383 -0
data/vendor/crates/spikard-bindings-shared/tests/handler_base_integration.rs +280 -0
data/vendor/crates/spikard-core/Cargo.toml +40 -40
data/vendor/crates/spikard-core/src/bindings/mod.rs +3 -3
data/vendor/crates/spikard-core/src/bindings/response.rs +133 -133
data/vendor/crates/spikard-core/src/debug.rs +127 -63
data/vendor/crates/spikard-core/src/di/container.rs +702 -726
data/vendor/crates/spikard-core/src/di/dependency.rs +273 -273
data/vendor/crates/spikard-core/src/di/error.rs +118 -118
data/vendor/crates/spikard-core/src/di/factory.rs +534 -538
data/vendor/crates/spikard-core/src/di/graph.rs +506 -545
data/vendor/crates/spikard-core/src/di/mod.rs +192 -192
data/vendor/crates/spikard-core/src/di/resolved.rs +405 -411
data/vendor/crates/spikard-core/src/di/value.rs +281 -283
data/vendor/crates/spikard-core/src/errors.rs +69 -39
data/vendor/crates/spikard-core/src/http.rs +415 -153
data/vendor/crates/spikard-core/src/lib.rs +29 -29
data/vendor/crates/spikard-core/src/lifecycle.rs +1186 -422
data/vendor/crates/spikard-core/src/metadata.rs +389 -0
data/vendor/crates/spikard-core/src/parameters.rs +2525 -722
data/vendor/crates/spikard-core/src/problem.rs +344 -310
data/vendor/crates/spikard-core/src/request_data.rs +1154 -189
data/vendor/crates/spikard-core/src/router.rs +510 -249
data/vendor/crates/spikard-core/src/schema_registry.rs +183 -183
data/vendor/crates/spikard-core/src/type_hints.rs +304 -304
data/vendor/crates/spikard-core/src/validation/error_mapper.rs +696 -0
data/vendor/crates/spikard-core/src/{validation.rs → validation/mod.rs} +457 -699
data/vendor/crates/spikard-http/Cargo.toml +62 -68
data/vendor/crates/spikard-http/examples/sse-notifications.rs +148 -0
data/vendor/crates/spikard-http/examples/websocket-chat.rs +92 -0
data/vendor/crates/spikard-http/src/auth.rs +296 -247
data/vendor/crates/spikard-http/src/background.rs +1860 -249
data/vendor/crates/spikard-http/src/bindings/mod.rs +3 -3
data/vendor/crates/spikard-http/src/bindings/response.rs +1 -1
data/vendor/crates/spikard-http/src/body_metadata.rs +8 -8
data/vendor/crates/spikard-http/src/cors.rs +1005 -490
data/vendor/crates/spikard-http/src/debug.rs +128 -63
data/vendor/crates/spikard-http/src/di_handler.rs +1668 -423
data/vendor/crates/spikard-http/src/handler_response.rs +901 -190
data/vendor/crates/spikard-http/src/handler_trait.rs +838 -228
data/vendor/crates/spikard-http/src/handler_trait_tests.rs +290 -284
data/vendor/crates/spikard-http/src/lib.rs +534 -529
data/vendor/crates/spikard-http/src/lifecycle/adapter.rs +230 -149
data/vendor/crates/spikard-http/src/lifecycle.rs +1193 -428
data/vendor/crates/spikard-http/src/middleware/mod.rs +560 -285
data/vendor/crates/spikard-http/src/middleware/multipart.rs +912 -86
data/vendor/crates/spikard-http/src/middleware/urlencoded.rs +513 -147
data/vendor/crates/spikard-http/src/middleware/validation.rs +768 -287
data/vendor/crates/spikard-http/src/openapi/mod.rs +309 -309
data/vendor/crates/spikard-http/src/openapi/parameter_extraction.rs +535 -190
data/vendor/crates/spikard-http/src/openapi/schema_conversion.rs +1363 -308
data/vendor/crates/spikard-http/src/openapi/spec_generation.rs +665 -195
data/vendor/crates/spikard-http/src/query_parser.rs +793 -369
data/vendor/crates/spikard-http/src/response.rs +720 -399
data/vendor/crates/spikard-http/src/server/handler.rs +1650 -87
data/vendor/crates/spikard-http/src/server/lifecycle_execution.rs +234 -98
data/vendor/crates/spikard-http/src/server/mod.rs +1593 -805
data/vendor/crates/spikard-http/src/server/request_extraction.rs +789 -119
data/vendor/crates/spikard-http/src/server/routing_factory.rs +629 -0
data/vendor/crates/spikard-http/src/sse.rs +1409 -447
data/vendor/crates/spikard-http/src/testing/form.rs +52 -14
data/vendor/crates/spikard-http/src/testing/multipart.rs +64 -60
data/vendor/crates/spikard-http/src/testing/test_client.rs +311 -285
data/vendor/crates/spikard-http/src/testing.rs +406 -377
data/vendor/crates/spikard-http/src/websocket.rs +1404 -324
data/vendor/crates/spikard-http/tests/background_behavior.rs +832 -0
data/vendor/crates/spikard-http/tests/common/handlers.rs +309 -0
data/vendor/crates/spikard-http/tests/common/mod.rs +26 -0
data/vendor/crates/spikard-http/tests/di_integration.rs +192 -0
data/vendor/crates/spikard-http/tests/doc_snippets.rs +5 -0
data/vendor/crates/spikard-http/tests/lifecycle_execution.rs +1093 -0
data/vendor/crates/spikard-http/tests/multipart_behavior.rs +656 -0
data/vendor/crates/spikard-http/tests/server_config_builder.rs +314 -0
data/vendor/crates/spikard-http/tests/sse_behavior.rs +620 -0
data/vendor/crates/spikard-http/tests/websocket_behavior.rs +663 -0
data/vendor/crates/spikard-rb/Cargo.toml +48 -42
data/vendor/crates/spikard-rb/build.rs +199 -8
data/vendor/crates/spikard-rb/src/background.rs +63 -63
data/vendor/crates/spikard-rb/src/config/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/{config.rs → config/server_config.rs} +285 -294
data/vendor/crates/spikard-rb/src/conversion.rs +554 -453
data/vendor/crates/spikard-rb/src/di/builder.rs +100 -0
data/vendor/crates/spikard-rb/src/{di.rs → di/mod.rs} +375 -409
data/vendor/crates/spikard-rb/src/handler.rs +618 -625
data/vendor/crates/spikard-rb/src/integration/mod.rs +3 -0
data/vendor/crates/spikard-rb/src/lib.rs +1806 -2771
data/vendor/crates/spikard-rb/src/lifecycle.rs +275 -274
data/vendor/crates/spikard-rb/src/metadata/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/metadata/route_extraction.rs +442 -0
data/vendor/crates/spikard-rb/src/runtime/mod.rs +5 -0
data/vendor/crates/spikard-rb/src/runtime/server_runner.rs +324 -0
data/vendor/crates/spikard-rb/src/server.rs +305 -283
data/vendor/crates/spikard-rb/src/sse.rs +231 -231
data/vendor/crates/spikard-rb/src/{test_client.rs → testing/client.rs} +538 -404
data/vendor/crates/spikard-rb/src/testing/mod.rs +7 -0
data/vendor/crates/spikard-rb/src/{test_sse.rs → testing/sse.rs} +143 -143
data/vendor/crates/spikard-rb/src/testing/websocket.rs +608 -0
data/vendor/crates/spikard-rb/src/websocket.rs +377 -233
metadata +60 -13
data/vendor/crates/spikard-http/src/parameters.rs +0 -1
data/vendor/crates/spikard-http/src/problem.rs +0 -1
data/vendor/crates/spikard-http/src/router.rs +0 -1
data/vendor/crates/spikard-http/src/schema_registry.rs +0 -1
data/vendor/crates/spikard-http/src/type_hints.rs +0 -1
data/vendor/crates/spikard-http/src/validation.rs +0 -1
data/vendor/crates/spikard-rb/src/test_websocket.rs +0 -221

data/vendor/crates/spikard-http/src/auth.rs CHANGED Viewed

@@ -1,247 +1,296 @@
-//! Authentication middleware for JWT and API keys.
-//!
-//! This module provides tower middleware for authenticating requests using:
-//! - JWT tokens (via the Authorization header)
-//! - API keys (via custom headers)
-use axum::{
-    body::Body,
-    extract::Request,
-    http::{HeaderMap, StatusCode, Uri},
-    middleware::Next,
-    response::{IntoResponse, Response},
-};
-use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};
-use serde::{Deserialize, Serialize};
-use std::collections::HashSet;
-use crate::{ApiKeyConfig, JwtConfig, ProblemDetails};
-/// Standard type URI for authentication errors (401)
-const TYPE_AUTH_ERROR: &str = "https://spikard.dev/errors/unauthorized";
-/// Standard type URI for configuration errors (500)
-const TYPE_CONFIG_ERROR: &str = "https://spikard.dev/errors/configuration-error";
-/// JWT claims structure - can be extended based on needs
-#[derive(Debug, Serialize, Deserialize)]
-pub struct Claims {
-    pub sub: String,
-    pub exp: usize,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub iat: Option<usize>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub nbf: Option<usize>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub aud: Option<Vec<String>>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub iss: Option<String>,
-}
-/// JWT authentication middleware
-///
-/// Validates JWT tokens from the Authorization header (Bearer scheme).
-/// On success, the validated claims are available to downstream handlers.
-/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
-pub async fn jwt_auth_middleware(
-    config: JwtConfig,
-    headers: HeaderMap,
-    request: Request<Body>,
-    next: Next,
-) -> Result<Response, Response> {
-    let auth_header = headers
-        .get("authorization")
-        .and_then(|v| v.to_str().ok())
-        .ok_or_else(|| {
-            let problem = ProblemDetails::new(
-                TYPE_AUTH_ERROR,
-                "Missing or invalid Authorization header",
-                StatusCode::UNAUTHORIZED,
-            )
-            .with_detail("Expected 'Authorization: Bearer <token>'");
-            (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
-        })?;
-    let token = auth_header.strip_prefix("Bearer ").ok_or_else(|| {
-        let problem = ProblemDetails::new(
-            TYPE_AUTH_ERROR,
-            "Invalid Authorization header format",
-            StatusCode::UNAUTHORIZED,
-        )
-        .with_detail("Authorization header must use Bearer scheme: 'Bearer <token>'");
-        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
-    })?;
-    let parts: Vec<&str> = token.split('.').collect();
-    if parts.len() != 3 {
-        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Malformed JWT token", StatusCode::UNAUTHORIZED)
-            .with_detail(format!(
-                "Malformed JWT token: expected 3 parts separated by dots, found {}",
-                parts.len()
-            ));
-        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
-    }
-    let algorithm = parse_algorithm(&config.algorithm).map_err(|_| {
-        let problem = ProblemDetails::new(
-            TYPE_CONFIG_ERROR,
-            "Invalid JWT configuration",
-            StatusCode::INTERNAL_SERVER_ERROR,
-        )
-        .with_detail(format!("Unsupported algorithm: {}", config.algorithm));
-        (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(problem)).into_response()
-    })?;
-    let mut validation = Validation::new(algorithm);
-    if let Some(ref aud) = config.audience {
-        validation.set_audience(aud);
-    }
-    if let Some(ref iss) = config.issuer {
-        validation.set_issuer(std::slice::from_ref(iss));
-    }
-    validation.leeway = config.leeway;
-    validation.validate_nbf = true;
-    let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
-    let _token_data = decode::<Claims>(token, &decoding_key, &validation).map_err(|e| {
-        let detail = match e.kind() {
-            jsonwebtoken::errors::ErrorKind::ExpiredSignature => "Token has expired".to_string(),
-            jsonwebtoken::errors::ErrorKind::InvalidToken => "Token is invalid".to_string(),
-            jsonwebtoken::errors::ErrorKind::InvalidSignature => "Token signature is invalid".to_string(),
-            jsonwebtoken::errors::ErrorKind::Base64(_) => "Token signature is invalid".to_string(),
-            jsonwebtoken::errors::ErrorKind::InvalidAudience => "Token audience is invalid".to_string(),
-            jsonwebtoken::errors::ErrorKind::InvalidIssuer => {
-                if let Some(ref expected_iss) = config.issuer {
-                    format!("Token issuer is invalid, expected '{}'", expected_iss)
-                } else {
-                    "Token issuer is invalid".to_string()
-                }
-            }
-            jsonwebtoken::errors::ErrorKind::ImmatureSignature => {
-                "JWT not valid yet, not before claim is in the future".to_string()
-            }
-            _ => format!("Token validation failed: {}", e),
-        };
-        let problem =
-            ProblemDetails::new(TYPE_AUTH_ERROR, "JWT validation failed", StatusCode::UNAUTHORIZED).with_detail(detail);
-        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
-    })?;
-    // TODO: Attach claims to request extensions for handlers to access
-    Ok(next.run(request).await)
-}
-/// Parse JWT algorithm string to jsonwebtoken Algorithm enum
-fn parse_algorithm(alg: &str) -> Result<Algorithm, String> {
-    match alg {
-        "HS256" => Ok(Algorithm::HS256),
-        "HS384" => Ok(Algorithm::HS384),
-        "HS512" => Ok(Algorithm::HS512),
-        "RS256" => Ok(Algorithm::RS256),
-        "RS384" => Ok(Algorithm::RS384),
-        "RS512" => Ok(Algorithm::RS512),
-        "ES256" => Ok(Algorithm::ES256),
-        "ES384" => Ok(Algorithm::ES384),
-        "PS256" => Ok(Algorithm::PS256),
-        "PS384" => Ok(Algorithm::PS384),
-        "PS512" => Ok(Algorithm::PS512),
-        _ => Err(format!("Unsupported algorithm: {}", alg)),
-    }
-}
-/// API Key authentication middleware
-///
-/// Validates API keys from a custom header (default: X-API-Key) or query parameter.
-/// Checks header first, then query parameter as fallback.
-/// On success, the request proceeds to the next handler.
-/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
-pub async fn api_key_auth_middleware(
-    config: ApiKeyConfig,
-    headers: HeaderMap,
-    request: Request<Body>,
-    next: Next,
-) -> Result<Response, Response> {
-    let valid_keys: HashSet<String> = config.keys.into_iter().collect();
-    let uri = request.uri().clone();
-    let api_key_from_header = headers.get(&config.header_name).and_then(|v| v.to_str().ok());
-    let api_key = if let Some(key) = api_key_from_header {
-        Some(key)
-    } else {
-        extract_api_key_from_query(&uri)
-    };
-    let api_key = api_key.ok_or_else(|| {
-        let problem =
-            ProblemDetails::new(TYPE_AUTH_ERROR, "Missing API key", StatusCode::UNAUTHORIZED).with_detail(format!(
-                "Expected '{}' header or 'api_key' query parameter with valid API key",
-                config.header_name
-            ));
-        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
-    })?;
-    if !valid_keys.contains(api_key) {
-        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Invalid API key", StatusCode::UNAUTHORIZED)
-            .with_detail("The provided API key is not valid");
-        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
-    }
-    Ok(next.run(request).await)
-}
-/// Extract API key from query parameters
-///
-/// Checks for common API key parameter names: api_key, apiKey, key
-fn extract_api_key_from_query(uri: &Uri) -> Option<&str> {
-    let query = uri.query()?;
-    for param in query.split('&') {
-        if let Some((key, value)) = param.split_once('=')
-            && (key == "api_key" || key == "apiKey" || key == "key")
-        {
-            return Some(value);
-        }
-    }
-    None
-}
-#[cfg(test)]
-mod tests {
-    use super::*;
-    #[test]
-    fn test_parse_algorithm() {
-        assert!(matches!(parse_algorithm("HS256"), Ok(Algorithm::HS256)));
-        assert!(matches!(parse_algorithm("HS384"), Ok(Algorithm::HS384)));
-        assert!(matches!(parse_algorithm("HS512"), Ok(Algorithm::HS512)));
-        assert!(matches!(parse_algorithm("RS256"), Ok(Algorithm::RS256)));
-        assert!(matches!(parse_algorithm("RS384"), Ok(Algorithm::RS384)));
-        assert!(matches!(parse_algorithm("RS512"), Ok(Algorithm::RS512)));
-        assert!(matches!(parse_algorithm("ES256"), Ok(Algorithm::ES256)));
-        assert!(matches!(parse_algorithm("ES384"), Ok(Algorithm::ES384)));
-        assert!(matches!(parse_algorithm("PS256"), Ok(Algorithm::PS256)));
-        assert!(matches!(parse_algorithm("PS384"), Ok(Algorithm::PS384)));
-        assert!(matches!(parse_algorithm("PS512"), Ok(Algorithm::PS512)));
-        assert!(parse_algorithm("INVALID").is_err());
-    }
-    #[test]
-    fn test_claims_serialization() {
-        let claims = Claims {
-            sub: "user123".to_string(),
-            exp: 1234567890,
-            iat: Some(1234567800),
-            nbf: None,
-            aud: Some(vec!["https://api.example.com".to_string()]),
-            iss: Some("https://auth.example.com".to_string()),
-        };
-        let json = serde_json::to_string(&claims).unwrap();
-        assert!(json.contains("user123"));
-        assert!(json.contains("1234567890"));
-    }
-}
+//! Authentication middleware for JWT and API keys.
+//!
+//! This module provides tower middleware for authenticating requests using:
+//! - JWT tokens (via the Authorization header)
+//! - API keys (via custom headers)
+use axum::{
+    body::Body,
+    extract::Request,
+    http::{HeaderMap, StatusCode, Uri},
+    middleware::Next,
+    response::{IntoResponse, Response},
+};
+use jsonwebtoken::{Algorithm, DecodingKey, Validation, decode};
+use serde::{Deserialize, Serialize};
+use std::collections::HashSet;
+use crate::{ApiKeyConfig, JwtConfig, ProblemDetails};
+/// Standard type URI for authentication errors (401)
+const TYPE_AUTH_ERROR: &str = "https://spikard.dev/errors/unauthorized";
+/// Standard type URI for configuration errors (500)
+const TYPE_CONFIG_ERROR: &str = "https://spikard.dev/errors/configuration-error";
+/// JWT claims structure - can be extended based on needs
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Claims {
+    pub sub: String,
+    pub exp: usize,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iat: Option<usize>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub nbf: Option<usize>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<Vec<String>>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iss: Option<String>,
+}
+/// JWT authentication middleware
+///
+/// Validates JWT tokens from the Authorization header (Bearer scheme).
+/// On success, the validated claims are available to downstream handlers.
+/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
+///
+/// Coverage: Tested via integration tests (`auth_integration.rs`)
+///
+/// # Errors
+/// Returns an error response when the Authorization header is missing, malformed,
+/// the token is invalid, or configuration is incorrect.
+#[cfg(not(tarpaulin_include))]
+pub async fn jwt_auth_middleware(
+    config: JwtConfig,
+    headers: HeaderMap,
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, Response> {
+    let auth_header = headers
+        .get("authorization")
+        .and_then(|v| v.to_str().ok())
+        .ok_or_else(|| {
+            let problem = ProblemDetails::new(
+                TYPE_AUTH_ERROR,
+                "Missing or invalid Authorization header",
+                StatusCode::UNAUTHORIZED,
+            )
+            .with_detail("Expected 'Authorization: Bearer <token>'");
+            (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+        })?;
+    let token = auth_header.strip_prefix("Bearer ").ok_or_else(|| {
+        let problem = ProblemDetails::new(
+            TYPE_AUTH_ERROR,
+            "Invalid Authorization header format",
+            StatusCode::UNAUTHORIZED,
+        )
+        .with_detail("Authorization header must use Bearer scheme: 'Bearer <token>'");
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+    let parts: Vec<&str> = token.split('.').collect();
+    if parts.len() != 3 {
+        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Malformed JWT token", StatusCode::UNAUTHORIZED)
+            .with_detail(format!(
+                "Malformed JWT token: expected 3 parts separated by dots, found {}",
+                parts.len()
+            ));
+        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
+    }
+    let algorithm = parse_algorithm(&config.algorithm).map_err(|_| {
+        let problem = ProblemDetails::new(
+            TYPE_CONFIG_ERROR,
+            "Invalid JWT configuration",
+            StatusCode::INTERNAL_SERVER_ERROR,
+        )
+        .with_detail(format!("Unsupported algorithm: {}", config.algorithm));
+        (StatusCode::INTERNAL_SERVER_ERROR, axum::Json(problem)).into_response()
+    })?;
+    let mut validation = Validation::new(algorithm);
+    if let Some(ref aud) = config.audience {
+        validation.set_audience(aud);
+    }
+    if let Some(ref iss) = config.issuer {
+        validation.set_issuer(std::slice::from_ref(iss));
+    }
+    validation.leeway = config.leeway;
+    validation.validate_nbf = true;
+    let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
+    let _token_data = decode::<Claims>(token, &decoding_key, &validation).map_err(|e| {
+        let detail = match e.kind() {
+            jsonwebtoken::errors::ErrorKind::ExpiredSignature => "Token has expired".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidToken => "Token is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidSignature | jsonwebtoken::errors::ErrorKind::Base64(_) => {
+                "Token signature is invalid".to_string()
+            }
+            jsonwebtoken::errors::ErrorKind::InvalidAudience => "Token audience is invalid".to_string(),
+            jsonwebtoken::errors::ErrorKind::InvalidIssuer => config.issuer.as_ref().map_or_else(
+                || "Token issuer is invalid".to_string(),
+                |expected_iss| format!("Token issuer is invalid, expected '{expected_iss}'"),
+            ),
+            jsonwebtoken::errors::ErrorKind::ImmatureSignature => {
+                "JWT not valid yet, not before claim is in the future".to_string()
+            }
+            _ => format!("Token validation failed: {e}"),
+        };
+        let problem =
+            ProblemDetails::new(TYPE_AUTH_ERROR, "JWT validation failed", StatusCode::UNAUTHORIZED).with_detail(detail);
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+    // TODO: Attach claims to request extensions for handlers to access
+    Ok(next.run(request).await)
+}
+/// Parse JWT algorithm string to jsonwebtoken Algorithm enum
+fn parse_algorithm(alg: &str) -> Result<Algorithm, String> {
+    match alg {
+        "HS256" => Ok(Algorithm::HS256),
+        "HS384" => Ok(Algorithm::HS384),
+        "HS512" => Ok(Algorithm::HS512),
+        "RS256" => Ok(Algorithm::RS256),
+        "RS384" => Ok(Algorithm::RS384),
+        "RS512" => Ok(Algorithm::RS512),
+        "ES256" => Ok(Algorithm::ES256),
+        "ES384" => Ok(Algorithm::ES384),
+        "PS256" => Ok(Algorithm::PS256),
+        "PS384" => Ok(Algorithm::PS384),
+        "PS512" => Ok(Algorithm::PS512),
+        _ => Err(format!("Unsupported algorithm: {alg}")),
+    }
+}
+/// API Key authentication middleware
+///
+/// Validates API keys from a custom header (default: X-API-Key) or query parameter.
+/// Checks header first, then query parameter as fallback.
+/// On success, the request proceeds to the next handler.
+/// On failure, returns 401 Unauthorized with RFC 9457 Problem Details.
+///
+/// Coverage: Tested via integration tests (`auth_integration.rs`)
+///
+/// # Errors
+/// Returns an error response when the API key is missing or invalid.
+#[cfg(not(tarpaulin_include))]
+pub async fn api_key_auth_middleware(
+    config: ApiKeyConfig,
+    headers: HeaderMap,
+    request: Request<Body>,
+    next: Next,
+) -> Result<Response, Response> {
+    let valid_keys: HashSet<String> = config.keys.into_iter().collect();
+    let uri = request.uri().clone();
+    let api_key_from_header = headers.get(&config.header_name).and_then(|v| v.to_str().ok());
+    let api_key = api_key_from_header.map_or_else(|| extract_api_key_from_query(&uri), Some);
+    let api_key = api_key.ok_or_else(|| {
+        let problem =
+            ProblemDetails::new(TYPE_AUTH_ERROR, "Missing API key", StatusCode::UNAUTHORIZED).with_detail(format!(
+                "Expected '{}' header or 'api_key' query parameter with valid API key",
+                config.header_name
+            ));
+        (StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response()
+    })?;
+    if !valid_keys.contains(api_key) {
+        let problem = ProblemDetails::new(TYPE_AUTH_ERROR, "Invalid API key", StatusCode::UNAUTHORIZED)
+            .with_detail("The provided API key is not valid");
+        return Err((StatusCode::UNAUTHORIZED, axum::Json(problem)).into_response());
+    }
+    Ok(next.run(request).await)
+}
+/// Extract API key from query parameters
+///
+/// Checks for common API key parameter names: api_key, apiKey, key
+fn extract_api_key_from_query(uri: &Uri) -> Option<&str> {
+    let query = uri.query()?;
+    for param in query.split('&') {
+        if let Some((key, value)) = param.split_once('=')
+            && (key == "api_key" || key == "apiKey" || key == "key")
+        {
+            return Some(value);
+        }
+    }
+    None
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    fn test_parse_algorithm() {
+        assert!(matches!(parse_algorithm("HS256"), Ok(Algorithm::HS256)));
+        assert!(matches!(parse_algorithm("HS384"), Ok(Algorithm::HS384)));
+        assert!(matches!(parse_algorithm("HS512"), Ok(Algorithm::HS512)));
+        assert!(matches!(parse_algorithm("RS256"), Ok(Algorithm::RS256)));
+        assert!(matches!(parse_algorithm("RS384"), Ok(Algorithm::RS384)));
+        assert!(matches!(parse_algorithm("RS512"), Ok(Algorithm::RS512)));
+        assert!(matches!(parse_algorithm("ES256"), Ok(Algorithm::ES256)));
+        assert!(matches!(parse_algorithm("ES384"), Ok(Algorithm::ES384)));
+        assert!(matches!(parse_algorithm("PS256"), Ok(Algorithm::PS256)));
+        assert!(matches!(parse_algorithm("PS384"), Ok(Algorithm::PS384)));
+        assert!(matches!(parse_algorithm("PS512"), Ok(Algorithm::PS512)));
+        assert!(parse_algorithm("INVALID").is_err());
+    }
+    #[test]
+    fn test_claims_serialization() {
+        let claims = Claims {
+            sub: "user123".to_string(),
+            exp: 1234567890,
+            iat: Some(1234567800),
+            nbf: None,
+            aud: Some(vec!["https://api.example.com".to_string()]),
+            iss: Some("https://auth.example.com".to_string()),
+        };
+        let json = serde_json::to_string(&claims).unwrap();
+        assert!(json.contains("user123"));
+        assert!(json.contains("1234567890"));
+    }
+    #[test]
+    fn test_extract_api_key_from_query_api_key() {
+        let uri: axum::http::Uri = "/api/endpoint?api_key=secret123".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, Some("secret123"));
+    }
+    #[test]
+    fn test_extract_api_key_from_query_api_key_camel_case() {
+        let uri: axum::http::Uri = "/api/endpoint?apiKey=mykey456".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, Some("mykey456"));
+    }
+    #[test]
+    fn test_extract_api_key_from_query_key() {
+        let uri: axum::http::Uri = "/api/endpoint?key=testkey789".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, Some("testkey789"));
+    }
+    #[test]
+    fn test_extract_api_key_from_query_no_key() {
+        let uri: axum::http::Uri = "/api/endpoint?foo=bar&baz=qux".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, None);
+    }
+    #[test]
+    fn test_extract_api_key_from_query_empty_string() {
+        let uri: axum::http::Uri = "/api/endpoint".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, None);
+    }
+    #[test]
+    fn test_extract_api_key_from_query_multiple_params() {
+        let uri: axum::http::Uri = "/api/endpoint?foo=bar&api_key=found&baz=qux".parse().unwrap();
+        let result = extract_api_key_from_query(&uri);
+        assert_eq!(result, Some("found"));
+    }
+}