Address reviewer feedback: typo fix, error classification, libsodium docs

Co-authored-by: CBenoit <3809077+CBenoit@users.noreply.github.com>

Author: Copilot

README.md

@@ -20,12 +20,16 @@ immediately, without going through the acceptance testing process of our quality
 
 ### From sources
 
-Ensure that you have [the Rust toolchain installed][install_rust], then clone this repository and run:
+Ensure that you have [the Rust toolchain installed][install_rust] and [libsodium][libsodium] installed on your system, then clone this repository and run:
 
 ```shell
 cargo install --path ./devolutions-gateway
 ```
 
+> **Note:** `libsodium` is required as a native dependency for in-memory credential protection.
+> On Windows, it is vendored automatically via vcpkg.
+> On Linux and macOS, install it using your system package manager (e.g., `apt install libsodium-dev` or `brew install libsodium`).
+
 ## Configuration
 
 Devolutions Gateway is configured using a JSON document.
@@ -339,6 +343,7 @@ See the dedicated [README.md file](./.github/workflows/README.md) in the `workfl
 [official_website]: https://devolutions.net/gateway/download/
 [github_release]: https://github.com/Devolutions/devolutions-gateway/releases
 [install_rust]: https://www.rust-lang.org/tools/install
+[libsodium]: https://libsodium.org/
 [psmodule]: https://www.powershellgallery.com/packages/DevolutionsGateway/
 [rustls]: https://crates.io/crates/rustls
 [microsoft_tls]: https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings

devolutions-gateway/src/api/preflight.rs

@@ -337,6 +337,11 @@ async fn handle_operation(
                 });
             }
 
+            // Validate the token JTI up front so that a bad/missing JTI is reported as
+            // InvalidParams (client error) rather than InternalServerError.
+            crate::token::extract_jti(&token)
+                .map_err(|e| PreflightError::new(PreflightAlertStatus::InvalidParams, format!("{e:#}")))?;
+
             let previous_entry = credential_store
                 .insert(token, mapping, time_to_live)
                 .inspect_err(|error| warn!(%operation.id, error = format!("{error:#}"), "Failed to insert credentials"))

devolutions-gateway/src/rd_clean_path.rs

@@ -4,9 +4,9 @@ use std::sync::Arc;
 
 use anyhow::Context as _;
 use ironrdp_connector::sspi;
-use secrecy::ExposeSecret as _;
 use ironrdp_pdu::nego;
 use ironrdp_rdcleanpath::RDCleanPathPdu;
+use secrecy::ExposeSecret as _;
 use tap::prelude::*;
 use thiserror::Error;
 use tokio::io::{AsyncRead, AsyncReadExt as _, AsyncWrite, AsyncWriteExt as _};
@@ -405,7 +405,11 @@ async fn handle_with_credential_injection(
             } = user;
 
             // The username is in the FQDN format. Thus, the domain field can be empty.
-            sspi::CredentialsBuffers::AuthIdentity(sspi::AuthIdentityBuffers::from_utf8(fqdn, "", password.expose_secret()))
+            sspi::CredentialsBuffers::AuthIdentity(sspi::AuthIdentityBuffers::from_utf8(
+                fqdn,
+                "",
+                password.expose_secret(),
+            ))
         });
 
         Some(sspi::KerberosServerConfig {

devolutions-gateway/src/rdp_proxy.rs

@@ -3,11 +3,11 @@ use std::sync::Arc;
 
 use anyhow::Context as _;
 use ironrdp_acceptor::credssp::CredsspProcessGenerator as CredsspServerProcessGenerator;
-use secrecy::ExposeSecret as _;
 use ironrdp_connector::credssp::CredsspProcessGenerator as CredsspClientProcessGenerator;
 use ironrdp_connector::sspi;
 use ironrdp_connector::sspi::generator::{GeneratorState, NetworkRequest};
 use ironrdp_pdu::{mcs, nego, x224};
+use secrecy::ExposeSecret as _;
 use tokio::io::{AsyncRead, AsyncWrite, AsyncWriteExt};
 use typed_builder::TypedBuilder;
 
@@ -131,8 +131,12 @@ where
                 salt: _,
             } = user;
 
-            // The username is an the FQDN format. Thus, the domain field can be empty.
-            sspi::CredentialsBuffers::AuthIdentity(sspi::AuthIdentityBuffers::from_utf8(fqdn, "", password.expose_secret()))
+            // The username is in the FQDN format. Thus, the domain field can be empty.
+            sspi::CredentialsBuffers::AuthIdentity(sspi::AuthIdentityBuffers::from_utf8(
+                fqdn,
+                "",
+                password.expose_secret(),
+            ))
         });
 
         Some(sspi::KerberosServerConfig {