feat: add header integrity check and replay protection to control messages

data-plane/core/auth/Cargo.toml

@@ -18,8 +18,10 @@ default = []
 agntcy-slim-version = { workspace = true }
 base64 = { workspace = true }
 cfg-if = { workspace = true }
+ed25519-dalek = { version = "2.1", default-features = false, features = ["rand_core"] }
 http = { workspace = true }
 itoa = "1"
+p256 = { version = "0.13", default-features = false, features = ["ecdsa", "pkcs8", "std"] }
 parking_lot = { workspace = true }
 prost-types = { workspace = true }
 rand = { workspace = true }

data-plane/core/auth/src/errors.rs

@@ -171,6 +171,8 @@ pub enum AuthError {
     // MLS
     #[error("MLS is not supported by this provider")]
     MlsNotSupported,
+    #[error("MLS signature key generation failed")]
+    MlsKeyGenerationFailed,
     #[error("public key not found in identity claims")]
     PublicKeyNotFound,
     #[error("subject not found in identity claims")]

data-plane/core/auth/src/lib.rs

@@ -8,6 +8,7 @@ pub(crate) mod mac;
 pub mod metadata;
 pub mod shared_secret;
 pub mod traits;
+pub mod utils;
 
 // Native-only modules
 cfg_if::cfg_if! {
@@ -21,5 +22,4 @@ pub mod oidc;
 pub mod resolver;
 #[cfg(not(target_family = "windows"))]
 pub mod spire;
-pub mod utils;
 }}