config: Add TRUSTPUB_AUDIENCE setting

Turbo87 · Turbo87 · commit a598135bf8be · 2025-05-20T12:54:12.000+02:00
This defaults to the domain name (crates.io / staging.crates.io) and controls the expected `aud` claim of the OIDC JWT in the Trusted Publishing token exchange.
diff --git a/src/config/server.rs b/src/config/server.rs
@@ -87,6 +87,10 @@ pub struct Server {
     pub html_render_cache_max_capacity: u64,
 
     pub content_security_policy: Option<HeaderValue>,
+
+    /// The expected audience claim (`aud`) for the Trusted Publishing
+    /// token exchange.
+    pub trustpub_audience: String,
 }
 
 impl Server {
@@ -186,6 +190,9 @@ impl Server {
                 .unwrap_or_default()
         );
 
+        let domain_name = dotenvy::var("DOMAIN_NAME").unwrap_or_else(|_| "crates.io".into());
+        let trustpub_audience = var("TRUSTPUB_AUDIENCE")?.unwrap_or_else(|| domain_name.clone());
+
         Ok(Server {
             db: DatabasePools::full_from_environment(&base)?,
             storage,
@@ -210,7 +217,7 @@ impl Server {
             page_offset_ua_blocklist,
             page_offset_cidr_blocklist,
             excluded_crate_names,
-            domain_name: dotenvy::var("DOMAIN_NAME").unwrap_or_else(|_| "crates.io".into()),
+            domain_name,
             allowed_origins,
             downloads_persist_interval: var_parsed("DOWNLOADS_PERSIST_INTERVAL_MS")?
                 .map(Duration::from_millis)
@@ -233,6 +240,7 @@ impl Server {
             og_image_base_url: var_parsed("OG_IMAGE_BASE_URL")?,
             html_render_cache_max_capacity: var_parsed("HTML_RENDER_CACHE_CAP")?.unwrap_or(1024),
             content_security_policy: Some(content_security_policy.parse()?),
+            trustpub_audience,
         })
     }
 }
diff --git a/src/tests/util/test_app.rs b/src/tests/util/test_app.rs
@@ -17,6 +17,7 @@ use crates_io_index::testing::UpstreamIndex;
 use crates_io_index::{Credentials, RepositoryConfig};
 use crates_io_team_repo::MockTeamRepo;
 use crates_io_test_db::TestDatabase;
+use crates_io_trustpub::github::test_helpers::AUDIENCE;
 use crates_io_worker::Runner;
 use diesel_async::AsyncPgConnection;
 use futures_util::TryStreamExt;
@@ -491,6 +492,7 @@ fn simple_config() -> config::Server {
         og_image_base_url: None,
         html_render_cache_max_capacity: 1024,
         content_security_policy: None,
+        trustpub_audience: AUDIENCE.to_string(),
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ use crates_io_index::testing::UpstreamIndex;`
`17`	`17`	`use crates_io_index::{Credentials, RepositoryConfig};`
`18`	`18`	`use crates_io_team_repo::MockTeamRepo;`
`19`	`19`	`use crates_io_test_db::TestDatabase;`
	`20`	`+use crates_io_trustpub::github::test_helpers::AUDIENCE;`
`20`	`21`	`use crates_io_worker::Runner;`
`21`	`22`	`use diesel_async::AsyncPgConnection;`
`22`	`23`	`use futures_util::TryStreamExt;`
`@@ -491,6 +492,7 @@ fn simple_config() -> config::Server {`
`491`	`492`	`og_image_base_url: None,`
`492`	`493`	`html_render_cache_max_capacity: 1024,`
`493`	`494`	`content_security_policy: None,`
	`495`	`+ trustpub_audience: AUDIENCE.to_string(),`
`494`	`496`	`}`
`495`	`497`	`}`
`496`	`498`