Lockspire.Protocol.FAPI20EnforcerPlug (lockspire v1.0.0)


Boundary fail-fast enforcer for the FAPI 2.0 Security Profile.

When the effective security_profile is :fapi_2_0_security, this Plug rejects:

  • GET /authorize requests missing request_uri (FAPI-02 / PAR mandate)
  • POST /token requests missing the dpop header (FAPI-03 / sender-constraining)
  • GET or POST /userinfo requests missing the dpop header (FAPI-03 / resource access)

/par is exempt from enforcement (the PAR endpoint by definition has no request_uri), and any non-FAPI path bypasses the Plug. If ServerPolicy is unreachable, the Plug fails CLOSED with 503.

The per-route dispatch table is in 41-02-PLAN.md.

Implementation Notes

  • For /userinfo, enforcement is header-shape only (DPoP header presence + Authorization scheme). The Plug does not decode the access token (see <userinfo_strategy> in the plan).
  • Per-client opt-in under global :none is supported (G1 scenario). A per-client :none escape hatch under global :fapi_2_0_security is also supported (G2 / D-01).
  • The policy_fn option in init/1 is used in tests to simulate policy unavailability. In production, pass [] or %{} and the default Repository.get_server_policy/0 function is used.
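
A pure-function model of the rules above, as an added example (not Lockspire's code): the request is a plain map rather than a Plug.Conn, and the policy_fn return shape, the rejection atoms, and the case-insensitive DPoP Authorization scheme check for /userinfo are assumptions. It also assumes bypassed paths pass before any policy lookup.

```elixir
defmodule FapiBoundaryModel do
  # Added illustration, not Lockspire's code. `req` is a plain map, not a Plug.Conn.
  @fapi :fapi_2_0_security

  # policy_fn returns {:ok, %{security_profile: atom}} or {:error, term} (assumed shape).
  # client_profile is the per-client override, or nil to inherit the global profile.
  def check(req, policy_fn, client_profile \\ nil) do
    case route(req.method, req.path) do
      :bypass -> :pass
      rule -> enforce(rule, req, policy_fn, client_profile)
    end
  end

  defp route("GET", "/authorize"), do: :request_uri
  defp route("POST", "/token"), do: :dpop
  defp route(m, "/userinfo") when m in ["GET", "POST"], do: :dpop_and_scheme
  defp route(_method, _path), do: :bypass   # /par and every non-FAPI path

  defp enforce(rule, req, policy_fn, client_profile) do
    case policy_fn.() do
      {:ok, %{security_profile: global}} ->
        if (client_profile || global) == @fapi, do: apply_rule(rule, req), else: :pass
      _unreachable -> {:halt, 503}            # fail closed
    end
  end

  defp apply_rule(:request_uri, req), do: must_have(req.params["request_uri"], :missing_request_uri)
  defp apply_rule(:dpop, req), do: must_have(header(req, "dpop"), :missing_dpop)
  defp apply_rule(:dpop_and_scheme, req) do
    with :pass <- apply_rule(:dpop, req),
         "dpop " <> _token <- String.downcase(header(req, "authorization") || "") do
      :pass
    else
      {:reject, _} = rejected -> rejected
      _ -> {:reject, :authorization_scheme}
    end
  end

  defp must_have(v, _reason) when is_binary(v) and v != "", do: :pass
  defp must_have(_v, reason), do: {:reject, reason}
  defp header(req, name), do: Enum.find_value(req.headers, fn {k, v} -> k == name && v end)
end

# Constructed requests and policies (not captured traffic):
fapi = fn -> {:ok, %{security_profile: :fapi_2_0_security}} end
down = fn -> {:error, :unreachable} end
token = %{method: "POST", path: "/token", params: %{}, headers: []}
IO.inspect(FapiBoundaryModel.check(token, fapi))         # FAPI client, no DPoP header
IO.inspect(FapiBoundaryModel.check(token, fapi, :none))  # G2 per-client escape hatch
IO.inspect(FapiBoundaryModel.check(token, down))         # ServerPolicy unreachable
```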