InMemoryChallengeCache
Caches issued challenges in memory in a coroutine-safe way. Requires a clock and an offset. The AttestationVerifier passes Makoto's clock and the inverse of Makoto.verificationTimeOffset, since these two values are also encoded into issues challenges.
The cache is bounded by maxChallenges and throws InMemoryChallengeCache.ChallengeCacheFullException from store when that many unexpired challenges are already in flight. Expired entries are pruned before the capacity check and a duplicate nonce overwrites the existing entry even at capacity.
Production deployments should apply caller-aware rate limiting outside this cache and may prefer a distributed TTL-backed ChallengeValidator when multiple verifier instances are used. The cache deliberately owns no backoff state, because backoff needs caller identity, IP, account, or device context.
Throws
if maxChallenges is not positive.
Functions
The contract of this function is that it stores challenges regardless of their contents and performs no sanity checks. Reason: Strong cryptographic nonces are assumed, making collisions unrealistic
The contract of this function is that it returns a ChallengeValidationResult.Success iff a valid challenge matching the passend csr from the client is found. In all other cases, it must return a ChallengeValidationResult.Failure: