# Authentication Module

`auth.rs` (388 lines) — Proton SRP authentication using the `proton-srp` crate.

## Status

`auth.rs` implements a complete SRP authentication flow but is **not currently wired into `main.rs`** — there is no `mod auth;` declaration. It may be intended for future integration or was designed as a standalone library module.

## SRP Authentication Flow

```mermaid
sequenceDiagram
    participant Client as auth.rs (AuthManager)
    participant API as Proton API (mail.proton.me)

    Client->>API: POST /api/auth/v4/info
    Note over Client,API: Send username, get SRP parameters
    API-->>Client: modulus, server_ephemeral, salt, version, SRPSession

    Client->>Client: Generate SRP proofs (client_ephemeral, client_proof)

    Client->>API: POST /api/auth/v4
    Note over Client,API: Send username + proofs
    API-->>Client: access_token, refresh_token, server_proof

    Client->>Client: Verify server_proof

    alt 2FA Enabled
        Client->>API: POST /api/auth/v4/2fa
        Note over Client,API: Submit TOTP code
        API-->>Client: Verified
    end

    Client->>Client: Store AuthSession
```

## Key Structures

| Structure | Purpose |
|---|---|
| `AuthManager` | Core auth state machine: HTTP client, base URL, session lock, pending 2FA lock |
| `AuthSession` | Session tokens: `uid`, `access_token`, `refresh_token`, `token_type` |
| `AuthError` | Error variants: Network, Srp, InvalidResponse, TwoFactorRequired, InvalidCredentials, NotAuthenticated, HumanVerificationRequired |

## AuthManager API

| Method | Description |
|---|---|
| `new(base_url)` | Creates manager with `reqwest::Client` (no redirects) |
| `login(username, password)` | Full SRP login: get auth info → generate proofs → submit → verify server proof → handle 2FA |
| `submit_2fa(totp_code)` | Submits TOTP code for pending 2FA session |
| `refresh_token()` | Refreshes expired access token via `/api/auth/v4/refresh` |
| `get_session()` | Returns current session (if authenticated) |
| `set_session(session)` | Restores session from persistent storage |
| `logout()` | Invalidates session and clears state |

## Session Management

- Sessions are stored in a `tokio::sync::RwLock` for thread-safe access
- **Pending 2FA state** is held in a separate `RwLock` so the partial auth state is preserved while waiting for the TOTP code
- Token refresh posts to `/api/auth/v4/refresh` with the current refresh token
- All API requests use the `x-pm-appversion: web-drive@5.0.0` header

## Cookie Integration (elsewhere)

When auth is wired in, session tokens flow to the WebView via `webview_cookies.rs`, which bridges the `reqwest` cookie jar (where tokens land after login) with WebKit's native cookie store for persistent "Keep me signed in" across app restarts.
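The two-lock session model described under Session Management, as an added example that is not the project's `auth.rs`: it uses `std::sync::RwLock` in place of `tokio::sync::RwLock`, stands in for the HTTP round trips with a constructed `AuthResponse` and a `server_accepted` flag (both hypothetical), and shows that tokens become visible through `get_session()` only after the server proof checks out and any 2FA step has completed.

```rust
use std::sync::RwLock;

#[derive(Clone, Debug, PartialEq)]
pub struct AuthSession { pub uid: String, pub access_token: String, pub refresh_token: String, pub token_type: String }

#[derive(Debug, PartialEq)]
pub enum AuthError { Srp(String), TwoFactorRequired, InvalidCredentials, NotAuthenticated }

/// Constructed stand-in for the POST /api/auth/v4 reply (hypothetical shape, not Proton's schema).
pub struct AuthResponse { pub session: AuthSession, pub server_proof: Vec<u8>, pub two_factor_enabled: bool }

pub struct AuthManager {
    session: RwLock<Option<AuthSession>>,     // set only once login is fully complete
    pending_2fa: RwLock<Option<AuthSession>>, // tokens parked while the TOTP code is awaited
}
/// Compare proofs without an early exit on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

impl AuthManager {
    pub fn new() -> Self { Self { session: RwLock::new(None), pending_2fa: RwLock::new(None) } }

    /// Last login step: check the server proof, then activate the session or park it for 2FA.
    pub fn finish_login(&self, resp: AuthResponse, expected_proof: &[u8]) -> Result<(), AuthError> {
        if !ct_eq(&resp.server_proof, expected_proof) {
            return Err(AuthError::Srp("server proof mismatch".into())); // tokens are dropped here
        }
        if resp.two_factor_enabled {
            *self.pending_2fa.write().unwrap() = Some(resp.session);
            return Err(AuthError::TwoFactorRequired);
        }
        *self.session.write().unwrap() = Some(resp.session);
        Ok(())
    }
    /// `server_accepted` stands in for the /api/auth/v4/2fa verdict; a rejected code keeps the pending state.
    pub fn submit_2fa(&self, server_accepted: bool) -> Result<(), AuthError> {
        let mut pending = self.pending_2fa.write().unwrap();
        if pending.is_none() { return Err(AuthError::NotAuthenticated); }
        if !server_accepted { return Err(AuthError::InvalidCredentials); }
        *self.session.write().unwrap() = pending.take(); // lock order: pending, then session
        Ok(())
    }
    pub fn get_session(&self) -> Option<AuthSession> { self.session.read().unwrap().clone() }
    pub fn logout(&self) { // clears both the active session and any half-finished 2FA login
        *self.pending_2fa.write().unwrap() = None;
        *self.session.write().unwrap() = None;
    }
}
```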