From 153872e696ec0e7f3640d8c63138e73c7febc4f2 Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Thu, 21 Sep 2023 15:22:19 -0700
Subject: [PATCH 1/6] works through janus_aggregator_core EXCEPT datastore

---
 aggregator/src/aggregator.rs                  |   3 +-
 .../src/aggregator/aggregate_init_tests.rs    |   5 +-
 .../src/aggregator/collection_job_tests.rs    |   3 +-
 aggregator/src/aggregator/http_handlers.rs    |   7 +-
 aggregator/src/bin/aggregator.rs              |   2 +-
 aggregator_api/src/lib.rs                     |   2 +-
 aggregator_api/src/models.rs                  |   2 +-
 aggregator_api/src/tests.rs                   |   3 +-
 aggregator_core/src/datastore.rs              |   3 +-
 aggregator_core/src/datastore/models.rs       |   3 +-
 aggregator_core/src/task.rs                   | 401 +++++++++++++-----
 aggregator_core/src/taskprov.rs               |   6 +-
 collector/src/lib.rs                          |   4 +-
 core/src/auth_tokens.rs                       | 289 +++++++++++++
 core/src/http.rs                              |   2 +-
 core/src/lib.rs                               |   1 +
 core/src/task.rs                              | 173 +-------
 docs/samples/tasks.yaml                       |  18 +-
 integration_tests/tests/in_cluster.rs         |   2 +-
 .../src/bin/janus_interop_aggregator.rs       |   2 +-
 .../src/bin/janus_interop_collector.rs        |  10 +-
 tools/src/bin/collect.rs                      |   2 +-
 22 files changed, 630 insertions(+), 313 deletions(-)
 create mode 100644 core/src/auth_tokens.rs

diff --git a/aggregator/src/aggregator.rs b/aggregator/src/aggregator.rs
index e4f1dd222..0597483ed 100644
--- a/aggregator/src/aggregator.rs
+++ b/aggregator/src/aggregator.rs
@@ -39,9 +39,10 @@ use janus_aggregator_core::{
 #[cfg(feature = "test-util")]
 use janus_core::test_util::dummy_vdaf;
 use janus_core::{
+    auth_tokens::AuthenticationToken,
     hpke::{self, HpkeApplicationInfo, HpkeKeypair, Label},
     http::response_to_problem_details,
-    task::{AuthenticationToken, VdafInstance, VERIFY_KEY_LENGTH},
+    task::{VdafInstance, VERIFY_KEY_LENGTH},
     time::{Clock, DurationExt, IntervalExt, TimeExt},
 };
 use janus_messages::{
diff --git a/aggregator/src/aggregator/aggregate_init_tests.rs b/aggregator/src/aggregator/aggregate_init_tests.rs
index 3487c0ba1..e1a73d5f7 100644
--- a/aggregator/src/aggregator/aggregate_init_tests.rs
+++ b/aggregator/src/aggregator/aggregate_init_tests.rs
@@ -17,7 +17,8 @@ use janus_aggregator_core::{
     test_util::noop_meter,
 };
 use janus_core::{
-    task::{AuthenticationToken, VdafInstance, DAP_AUTH_HEADER},
+    auth_tokens::{AuthenticationToken, DAP_AUTH_HEADER},
+    task::VdafInstance,
     test_util::{dummy_vdaf, install_test_trace_subscriber, run_vdaf, VdafTranscript},
     time::{Clock, MockClock, TimeExt as _},
 };
@@ -209,7 +210,7 @@ async fn setup_aggregate_init_test_without_sending_request<
     install_test_trace_subscriber();
 
     let task = TaskBuilder::new(QueryType::TimeInterval, vdaf_instance, Role::Helper)
-        .with_aggregator_auth_token(Some(auth_token))
+        .with_aggregator_auth_token(auth_token)
         .build();
     let clock = MockClock::default();
     let ephemeral_datastore = ephemeral_datastore().await;
diff --git a/aggregator/src/aggregator/collection_job_tests.rs b/aggregator/src/aggregator/collection_job_tests.rs
index a190200dd..f8264728d 100644
--- a/aggregator/src/aggregator/collection_job_tests.rs
+++ b/aggregator/src/aggregator/collection_job_tests.rs
@@ -20,11 +20,12 @@ use janus_aggregator_core::{
     test_util::noop_meter,
 };
 use janus_core::{
+    auth_tokens::AuthenticationToken,
     hpke::{
         self, test_util::generate_test_hpke_config_and_private_key, HpkeApplicationInfo,
         HpkeKeypair, Label,
     },
-    task::{AuthenticationToken, VdafInstance},
+    task::VdafInstance,
     test_util::{
         dummy_vdaf::{self, AggregationParam},
         install_test_trace_subscriber,
diff --git a/aggregator/src/aggregator/http_handlers.rs b/aggregator/src/aggregator/http_handlers.rs
index 6581bf7a9..647eac5ef 100644
--- a/aggregator/src/aggregator/http_handlers.rs
+++ b/aggregator/src/aggregator/http_handlers.rs
@@ -4,8 +4,8 @@ use async_trait::async_trait;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use janus_aggregator_core::{datastore::Datastore, instrumented};
 use janus_core::{
+    auth_tokens::{AuthenticationToken, DAP_AUTH_HEADER},
     http::extract_bearer_token,
-    task::{AuthenticationToken, DAP_AUTH_HEADER},
     taskprov::TASKPROV_HEADER,
     time::Clock,
 };
@@ -679,6 +679,7 @@ mod tests {
         test_util::noop_meter,
     };
     use janus_core::{
+        auth_tokens::AuthenticationToken,
         hpke::{
             self,
             test_util::{
@@ -688,7 +689,7 @@ mod tests {
             HpkeApplicationInfo, HpkeKeypair, Label,
         },
         report_id::ReportIdChecksumExt,
-        task::{AuthenticationToken, VdafInstance, VERIFY_KEY_LENGTH},
+        task::{VdafInstance, VERIFY_KEY_LENGTH},
         test_util::{dummy_vdaf, install_test_trace_subscriber, run_vdaf},
         time::{Clock, DurationExt, IntervalExt, MockClock, TimeExt},
     };
@@ -1442,7 +1443,7 @@ mod tests {
             VdafInstance::Prio3Count,
             Role::Helper,
         )
-        .with_aggregator_auth_token(Some(dap_auth_token.clone()))
+        .with_aggregator_auth_token(dap_auth_token.clone())
         .build();
         datastore.put_task(&task).await.unwrap();
 
diff --git a/aggregator/src/bin/aggregator.rs b/aggregator/src/bin/aggregator.rs
index c4428b214..828696431 100644
--- a/aggregator/src/bin/aggregator.rs
+++ b/aggregator/src/bin/aggregator.rs
@@ -11,7 +11,7 @@ use janus_aggregator::{
 };
 use janus_aggregator_api::{self, aggregator_api_handler};
 use janus_aggregator_core::datastore::Datastore;
-use janus_core::{task::AuthenticationToken, time::RealClock};
+use janus_core::{auth_tokens::AuthenticationToken, time::RealClock};
 use serde::{de, Deserialize, Deserializer, Serialize};
 use std::{
     future::{ready, Future},
diff --git a/aggregator_api/src/lib.rs b/aggregator_api/src/lib.rs
index f69827ab4..dd11a72ee 100644
--- a/aggregator_api/src/lib.rs
+++ b/aggregator_api/src/lib.rs
@@ -9,7 +9,7 @@ use janus_aggregator_core::{
     datastore::{self, Datastore},
     instrumented,
 };
-use janus_core::{hpke, http::extract_bearer_token, task::AuthenticationToken, time::Clock};
+use janus_core::{auth_tokens::AuthenticationToken, hpke, http::extract_bearer_token, time::Clock};
 use janus_messages::{HpkeConfigId, RoleParseError, TaskId};
 use routes::*;
 use std::{str::FromStr, sync::Arc};
diff --git a/aggregator_api/src/models.rs b/aggregator_api/src/models.rs
index d7e1625af..c3faf14b9 100644
--- a/aggregator_api/src/models.rs
+++ b/aggregator_api/src/models.rs
@@ -4,7 +4,7 @@ use janus_aggregator_core::{
     task::{QueryType, Task},
     taskprov::{PeerAggregator, VerifyKeyInit},
 };
-use janus_core::task::{AuthenticationToken, VdafInstance};
+use janus_core::{auth_tokens::AuthenticationToken, task::VdafInstance};
 use janus_messages::{
     query_type::Code as SupportedQueryType, Duration, HpkeAeadId, HpkeConfig, HpkeKdfId, HpkeKemId,
     Role, TaskId, Time,
diff --git a/aggregator_api/src/tests.rs b/aggregator_api/src/tests.rs
index baf5ee0a6..6ecfe88e6 100644
--- a/aggregator_api/src/tests.rs
+++ b/aggregator_api/src/tests.rs
@@ -23,6 +23,7 @@ use janus_aggregator_core::{
     SecretBytes,
 };
 use janus_core::{
+    auth_tokens::AuthenticationToken,
     hpke::{
         generate_hpke_config_and_private_key,
         test_util::{
@@ -31,7 +32,7 @@ use janus_core::{
         },
         HpkeKeypair, HpkePrivateKey,
     },
-    task::{AuthenticationToken, VdafInstance},
+    task::VdafInstance,
     test_util::{
         dummy_vdaf::{self, AggregationParam},
         install_test_trace_subscriber,
diff --git a/aggregator_core/src/datastore.rs b/aggregator_core/src/datastore.rs
index 25b9eecf5..315727a6b 100644
--- a/aggregator_core/src/datastore.rs
+++ b/aggregator_core/src/datastore.rs
@@ -16,8 +16,9 @@ use crate::{
 use chrono::NaiveDateTime;
 use futures::future::try_join_all;
 use janus_core::{
+    auth_tokens::AuthenticationToken,
     hpke::{HpkeKeypair, HpkePrivateKey},
-    task::{AuthenticationToken, VdafInstance},
+    task::VdafInstance,
     time::{Clock, TimeExt},
 };
 use janus_messages::{
diff --git a/aggregator_core/src/datastore/models.rs b/aggregator_core/src/datastore/models.rs
index 21994c369..f31f0e703 100644
--- a/aggregator_core/src/datastore/models.rs
+++ b/aggregator_core/src/datastore/models.rs
@@ -5,9 +5,10 @@ use base64::{display::Base64Display, engine::general_purpose::URL_SAFE_NO_PAD};
 use chrono::NaiveDateTime;
 use derivative::Derivative;
 use janus_core::{
+    auth_tokens::AuthenticationToken,
     hpke::HpkeKeypair,
     report_id::ReportIdChecksumExt,
-    task::{AuthenticationToken, VdafInstance},
+    task::VdafInstance,
     time::{DurationExt, IntervalExt, TimeExt},
 };
 use janus_messages::{
diff --git a/aggregator_core/src/task.rs b/aggregator_core/src/task.rs
index ff2230c33..07df2bd42 100644
--- a/aggregator_core/src/task.rs
+++ b/aggregator_core/src/task.rs
@@ -4,8 +4,9 @@ use crate::SecretBytes;
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use derivative::Derivative;
 use janus_core::{
+    auth_tokens::{AuthenticationToken, AuthenticationTokenHash},
     hpke::{generate_hpke_config_and_private_key, HpkeKeypair},
-    task::{url_ensure_trailing_slash, AuthenticationToken, VdafInstance},
+    task::{url_ensure_trailing_slash, VdafInstance},
     time::TimeExt,
 };
 use janus_messages::{
@@ -129,8 +130,11 @@ pub struct Task {
     tolerable_clock_skew: Duration,
     /// HPKE configuration for the collector.
     collector_hpke_config: Option<HpkeConfig>,
-    /// Token used to authenticate messages sent to or received from the other aggregator. Only set
-    /// if the task was not created via taskprov.
+    /// Token hash used to authenticate aggregation protocol messages received from the leader. Only
+    /// set if this aggregator is the leader and the task was not created via taskprov.
+    aggregator_auth_token_hash: Option<AuthenticationTokenHash>,
+    /// Token used to authenticate messages sent to the helper. Only set if this aggregator is the
+    /// leader and if the task was not created via taskprov.
     aggregator_auth_token: Option<AuthenticationToken>,
     /// Token used to authenticate messages sent to or received from the collector. Only set if this
     /// aggregator is the leader.
@@ -157,6 +161,7 @@ impl Task {
         time_precision: Duration,
         tolerable_clock_skew: Duration,
         collector_hpke_config: HpkeConfig,
+        aggregator_auth_token_hash: Option<AuthenticationTokenHash>,
         aggregator_auth_token: Option<AuthenticationToken>,
         collector_auth_token: Option<AuthenticationToken>,
         hpke_keys: I,
@@ -176,6 +181,7 @@ impl Task {
             time_precision,
             tolerable_clock_skew,
             Some(collector_hpke_config),
+            aggregator_auth_token_hash,
             aggregator_auth_token,
             collector_auth_token,
             hpke_keys,
@@ -202,6 +208,7 @@ impl Task {
         time_precision: Duration,
         tolerable_clock_skew: Duration,
         collector_hpke_config: Option<HpkeConfig>,
+        aggregator_auth_token_hash: Option<AuthenticationTokenHash>,
         aggregator_auth_token: Option<AuthenticationToken>,
         collector_auth_token: Option<AuthenticationToken>,
         hpke_keys: I,
@@ -230,6 +237,7 @@ impl Task {
             time_precision,
             tolerable_clock_skew,
             collector_hpke_config,
+            aggregator_auth_token_hash,
             aggregator_auth_token,
             collector_auth_token,
             hpke_keys,
@@ -266,11 +274,17 @@ impl Task {
 
     pub(crate) fn validate(&self) -> Result<(), Error> {
         self.validate_common()?;
-        if self.aggregator_auth_token.is_none() {
+
+        // Aggregator auth token is allowed and required iff this task is in the leader role
+        if (self.role == Role::Leader) == (self.aggregator_auth_token.is_none()) {
             return Err(Error::InvalidParameter("aggregator_auth_token"));
         }
+        // Aggregator auth token hash is allowed and required iff this task is in the helper role
+        if (self.role == Role::Helper) == (self.aggregator_auth_token_hash.is_none()) {
+            return Err(Error::InvalidParameter("aggregator_auth_token_hash"));
+        }
         if (self.role == Role::Leader) == (self.collector_auth_token.is_none()) {
-            // Collector auth tokens are allowed & required if and only if this task is in the
+            // Collector auth token is allowed & required if and only if this task is in the
             // leader role.
             return Err(Error::InvalidParameter("collector_auth_token"));
         }
@@ -359,7 +373,14 @@ impl Task {
         self.collector_hpke_config.as_ref()
     }
 
-    /// Retrieves the aggregator authentication token associated with this task.
+    /// Retrieves the aggregator authentication token hash associatd with this task for the helper,
+    /// or `None` for the leader.
+    pub fn aggregator_auth_token_hash(&self) -> Option<&AuthenticationTokenHash> {
+        self.aggregator_auth_token_hash.as_ref()
+    }
+
+    /// Retrieves the aggregator authentication token associated with this task for the leader, or
+    /// `None` for the helper.
     pub fn aggregator_auth_token(&self) -> Option<&AuthenticationToken> {
         self.aggregator_auth_token.as_ref()
     }
@@ -399,15 +420,6 @@ impl Task {
         }
     }
 
-    /// Checks if the given aggregator authentication token is valid (i.e. matches with an
-    /// authentication token recognized by this task).
-    pub fn check_aggregator_auth_token(&self, auth_token: &AuthenticationToken) -> bool {
-        match self.aggregator_auth_token {
-            Some(ref t) => t == auth_token,
-            None => false,
-        }
-    }
-
     /// Checks if the given collector authentication token is valid (i.e. matches with an
     /// authentication token recognized by this task).
     pub fn check_collector_auth_token(&self, auth_token: &AuthenticationToken) -> bool {
@@ -484,6 +496,7 @@ pub struct SerializedTask {
     time_precision: Duration,
     tolerable_clock_skew: Duration,
     collector_hpke_config: HpkeConfig,
+    aggregator_auth_token_hash: Option<AuthenticationTokenHash>,
     aggregator_auth_token: Option<AuthenticationToken>,
     collector_auth_token: Option<AuthenticationToken>,
     hpke_keys: Vec<HpkeKeypair>, // uses unpadded base64url
@@ -500,7 +513,6 @@ impl SerializedTask {
     ///
     /// - Task ID
     /// - VDAF verify keys (only one key is generated)
-    /// - Aggregator authentication tokens (only one token is generated)
     /// - Collector authentication tokens (only one token is generated and only if the task's role
     ///   is leader)
     /// - The aggregator's HPKE keypair (only one keypair is generated)
@@ -521,10 +533,6 @@ impl SerializedTask {
             self.vdaf_verify_key = Some(URL_SAFE_NO_PAD.encode(vdaf_verify_key.as_ref()));
         }
 
-        if self.aggregator_auth_token.is_none() {
-            self.aggregator_auth_token = Some(random());
-        }
-
         if self.collector_auth_token.is_none() && self.role == Role::Leader {
             self.collector_auth_token = Some(random());
         }
@@ -566,6 +574,7 @@ impl Serialize for Task {
                 .collector_hpke_config()
                 .expect("serializable tasks must have collector_hpke_config")
                 .clone(),
+            aggregator_auth_token_hash: self.aggregator_auth_token_hash.clone(),
             aggregator_auth_token: self.aggregator_auth_token.clone(),
             collector_auth_token: self.collector_auth_token.clone(),
             hpke_keys,
@@ -603,6 +612,7 @@ impl TryFrom<SerializedTask> for Task {
             serialized_task.time_precision,
             serialized_task.tolerable_clock_skew,
             serialized_task.collector_hpke_config,
+            serialized_task.aggregator_auth_token_hash,
             serialized_task.aggregator_auth_token,
             serialized_task.collector_auth_token,
             serialized_task.hpke_keys,
@@ -626,8 +636,9 @@ pub mod test_util {
         SecretBytes,
     };
     use janus_core::{
+        auth_tokens::{AuthenticationToken, AuthenticationTokenHash},
         hpke::{test_util::generate_test_hpke_config_and_private_key, HpkeKeypair},
-        task::{AuthenticationToken, VdafInstance, VERIFY_KEY_LENGTH},
+        task::{VdafInstance, VERIFY_KEY_LENGTH},
         time::DurationExt,
     };
     use janus_messages::{Duration, HpkeConfig, HpkeConfigId, Role, TaskId, Time};
@@ -649,7 +660,13 @@ pub mod test_util {
 
     /// TaskBuilder is a testing utility allowing tasks to be built based on a template.
     #[derive(Clone)]
-    pub struct TaskBuilder(Task);
+    pub struct TaskBuilder {
+        /// The task being built.
+        task: Task,
+        /// The aggregator auth token for the task. In the case where the task's role is helper, the
+        /// `Task` will only store an `AuthenticationTokenHash`, so we store the actual token here.
+        aggregator_auth_token: AuthenticationToken,
+    }
 
     impl TaskBuilder {
         /// Create a [`TaskBuilder`] from the provided values, with arbitrary values for the other
@@ -678,14 +695,26 @@ pub mod test_util {
                     .collect(),
             );
 
+            // Create an AuthenticationToken::Bearer by default
+            let aggregator_auth_token: AuthenticationToken = random();
+            let (task_aggregator_auth_token, task_aggregator_auth_token_hash) = match role {
+                Role::Leader => (Some(aggregator_auth_token.clone()), None),
+                Role::Helper => (
+                    None,
+                    Some(AuthenticationTokenHash::from(&aggregator_auth_token)),
+                ),
+                _ => panic!("illegal role in task"),
+            };
+
             let collector_auth_token = if role == Role::Leader {
-                Some(random()) // Create an AuthenticationToken::Bearer by default
+                // Create an AuthenticationToken::Bearer by default
+                Some(random())
             } else {
                 None
             };
 
-            Self(
-                Task::new(
+            Self {
+                task: Task::new(
                     task_id,
                     "https://leader.endpoint".parse().unwrap(),
                     "https://helper.endpoint".parse().unwrap(),
@@ -700,108 +729,155 @@ pub mod test_util {
                     Duration::from_hours(8).unwrap(),
                     Duration::from_minutes(10).unwrap(),
                     generate_test_hpke_config_and_private_key().config().clone(),
-                    Some(random()), // Create an AuthenticationToken::Bearer by default
+                    task_aggregator_auth_token_hash,
+                    task_aggregator_auth_token,
                     collector_auth_token,
                     Vec::from([aggregator_keypair_0, aggregator_keypair_1]),
                 )
                 .unwrap(),
-            )
+                aggregator_auth_token,
+            }
         }
 
         /// Gets the leader aggregator endpoint for the eventual task.
         pub fn leader_aggregator_endpoint(&self) -> &Url {
-            self.0.leader_aggregator_endpoint()
+            self.task.leader_aggregator_endpoint()
         }
 
         /// Gets the helper aggregator endpoint for the eventual task.
         pub fn helper_aggregator_endpoint(&self) -> &Url {
-            self.0.helper_aggregator_endpoint()
+            self.task.helper_aggregator_endpoint()
+        }
+
+        /// Gets the aggregator auth token for the eventual task.
+        pub fn aggregator_auth_token(&self) -> &AuthenticationToken {
+            &self.aggregator_auth_token
         }
 
         /// Associates the eventual task with the given task ID.
         pub fn with_id(self, task_id: TaskId) -> Self {
-            Self(Task { task_id, ..self.0 })
+            Self {
+                task: Task {
+                    task_id,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given aggregator endpoint for the Leader.
         pub fn with_leader_aggregator_endpoint(self, leader_aggregator_endpoint: Url) -> Self {
-            Self(Task {
-                leader_aggregator_endpoint,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    leader_aggregator_endpoint,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given aggregator endpoint for the Helper.
         pub fn with_helper_aggregator_endpoint(self, helper_aggregator_endpoint: Url) -> Self {
-            Self(Task {
-                helper_aggregator_endpoint,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    helper_aggregator_endpoint,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given aggregator role.
         pub fn with_role(self, role: Role) -> Self {
-            Self(Task { role, ..self.0 })
+            Self {
+                task: Task { role, ..self.task },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given VDAF verification key.
         pub fn with_vdaf_verify_key(self, vdaf_verify_key: SecretBytes) -> Self {
-            Self(Task {
-                vdaf_verify_key,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    vdaf_verify_key,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given max batch query count parameter.
         pub fn with_max_batch_query_count(self, max_batch_query_count: u64) -> Self {
-            Self(Task {
-                max_batch_query_count,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    max_batch_query_count,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given min batch size parameter.
         pub fn with_min_batch_size(self, min_batch_size: u64) -> Self {
-            Self(Task {
-                min_batch_size,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    min_batch_size,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given time precision parameter.
         pub fn with_time_precision(self, time_precision: Duration) -> Self {
-            Self(Task {
-                time_precision,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    time_precision,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given collector HPKE config.
         pub fn with_collector_hpke_config(self, collector_hpke_config: HpkeConfig) -> Self {
-            Self(Task {
-                collector_hpke_config: Some(collector_hpke_config),
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    collector_hpke_config: Some(collector_hpke_config),
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with the given aggregator authentication token.
         pub fn with_aggregator_auth_token(
             self,
-            aggregator_auth_token: Option<AuthenticationToken>,
+            aggregator_auth_token: AuthenticationToken,
         ) -> Self {
-            Self(Task {
+            let task = match self.task.role {
+                Role::Leader => Task {
+                    aggregator_auth_token: Some(aggregator_auth_token.clone()),
+                    ..self.task
+                },
+                Role::Helper => Task {
+                    aggregator_auth_token_hash: Some(AuthenticationTokenHash::from(
+                        &aggregator_auth_token,
+                    )),
+                    ..self.task
+                },
+                _ => panic!("illegal role"),
+            };
+            Self {
+                task,
                 aggregator_auth_token,
-                ..self.0
-            })
+            }
         }
 
         /// Associates the eventual task with a random [`AuthenticationToken::DapAuth`] aggregator
         /// auth token.
         pub fn with_dap_auth_aggregator_token(self) -> Self {
-            Self(Task {
-                aggregator_auth_token: Some(AuthenticationToken::DapAuth(random())),
-                ..self.0
-            })
+            self.with_aggregator_auth_token(AuthenticationToken::DapAuth(random()))
         }
 
         /// Associates the eventual task with the given collector authentication token.
@@ -809,35 +885,41 @@ pub mod test_util {
             self,
             collector_auth_token: Option<AuthenticationToken>,
         ) -> Self {
-            Self(Task {
-                collector_auth_token,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    collector_auth_token,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Associates the eventual task with a random [`AuthenticationToken::DapAuth`] collector
         /// auth token.
         pub fn with_dap_auth_collector_token(self) -> Self {
-            Self(Task {
-                collector_auth_token: Some(AuthenticationToken::DapAuth(random())),
-                ..self.0
-            })
+            self.with_collector_auth_token(Some(AuthenticationToken::DapAuth(random())))
         }
 
         /// Sets the task expiration time.
         pub fn with_task_expiration(self, task_expiration: Option<Time>) -> Self {
-            Self(Task {
-                task_expiration,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    task_expiration,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Sets the report expiry age.
         pub fn with_report_expiry_age(self, report_expiry_age: Option<Duration>) -> Self {
-            Self(Task {
-                report_expiry_age,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    report_expiry_age,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Sets the task HPKE keys
@@ -846,24 +928,35 @@ pub mod test_util {
                 .into_iter()
                 .map(|hpke_keypair| (*hpke_keypair.config().id(), hpke_keypair))
                 .collect();
-            Self(Task {
-                hpke_keys,
-                ..self.0
-            })
+            Self {
+                task: Task {
+                    hpke_keys,
+                    ..self.task
+                },
+                ..self
+            }
         }
 
         /// Consumes this task builder & produces a [`Task`] with the given specifications.
         pub fn build(self) -> Task {
-            self.0.validate().unwrap();
-            self.0
+            self.build_yielding_aggregator_auth_token().0
         }
-    }
 
-    impl From<Task> for TaskBuilder {
-        fn from(task: Task) -> Self {
-            Self(task)
+        /// Consumes this task builder & produces a [`Task`] with the given specifications, as well
+        /// as the aggregator authentication token for the task.
+        pub fn build_yielding_aggregator_auth_token(self) -> (Task, AuthenticationToken) {
+            self.task.validate().unwrap();
+            (self.task, self.aggregator_auth_token)
         }
     }
+
+    // TODO(timg): this can't be implemented anymore because a helper task won't have the unhashed agg
+    // auth token in it
+    // impl From<Task> for TaskBuilder {
+    //     fn from(task: Task) -> Self {
+    //         Self(task)
+    //     }
+    // }
 }
 
 #[cfg(test)]
@@ -874,8 +967,9 @@ mod tests {
     };
     use assert_matches::assert_matches;
     use janus_core::{
+        auth_tokens::{AuthenticationToken, AuthenticationTokenHash},
         hpke::{test_util::generate_test_hpke_config_and_private_key, HpkeKeypair, HpkePrivateKey},
-        task::{AuthenticationToken, VERIFY_KEY_LENGTH},
+        task::VERIFY_KEY_LENGTH,
         test_util::roundtrip_encoding,
         time::DurationExt,
     };
@@ -904,8 +998,92 @@ mod tests {
         serde_yaml::from_str::<Vec<Task>>(include_str!("../../docs/samples/tasks.yaml")).unwrap();
     }
 
+    #[test]
+    fn aggregator_auth_tokens_valid() {
+        let auth_token: AuthenticationToken = random();
+        for (role, aggregator_auth_token_hash, aggregator_auth_token) in [
+            (Role::Leader, None, Some(auth_token.clone())),
+            (
+                Role::Helper,
+                Some(AuthenticationTokenHash::from(&auth_token)),
+                None,
+            ),
+        ] {
+            println!("case");
+            Task::new(
+                random(),
+                "http://leader_endpoint".parse().unwrap(),
+                "http://helper_endpoint".parse().unwrap(),
+                QueryType::TimeInterval,
+                VdafInstance::Prio3Count,
+                role,
+                SecretBytes::new([0; VERIFY_KEY_LENGTH].into()),
+                0,
+                None,
+                None,
+                0,
+                Duration::from_hours(8).unwrap(),
+                Duration::from_minutes(10).unwrap(),
+                generate_test_hpke_config_and_private_key().config().clone(),
+                aggregator_auth_token_hash,
+                aggregator_auth_token,
+                if role == Role::Leader {
+                    Some(random())
+                } else {
+                    None
+                },
+                Vec::from([generate_test_hpke_config_and_private_key()]),
+            )
+            .unwrap();
+        }
+    }
+
+    #[test]
+    fn aggregator_auth_tokens_invalid() {
+        let auth_token: AuthenticationToken = random();
+        let auth_token_hash = AuthenticationTokenHash::from(&auth_token);
+        for (role, aggregator_auth_token_hash, aggregator_auth_token) in [
+            // Leader must provide aggregator auth token and may not have aggregator auth token hash
+            (Role::Leader, None, None),
+            (Role::Leader, Some(auth_token_hash.clone()), None),
+            (
+                Role::Leader,
+                Some(auth_token_hash.clone()),
+                Some(auth_token.clone()),
+            ),
+            // Helper must have aggregator auth token hash and may not have aggregator auth token
+            (Role::Helper, None, None),
+            (Role::Helper, None, Some(auth_token.clone())),
+            (Role::Helper, Some(auth_token_hash), Some(auth_token)),
+        ] {
+            Task::new(
+                random(),
+                "http://leader_endpoint".parse().unwrap(),
+                "http://helper_endpoint".parse().unwrap(),
+                QueryType::TimeInterval,
+                VdafInstance::Prio3Count,
+                role,
+                SecretBytes::new([0; VERIFY_KEY_LENGTH].into()),
+                0,
+                None,
+                None,
+                0,
+                Duration::from_hours(8).unwrap(),
+                Duration::from_minutes(10).unwrap(),
+                generate_test_hpke_config_and_private_key().config().clone(),
+                aggregator_auth_token_hash,
+                aggregator_auth_token,
+                if role == Role::Leader { random() } else { None },
+                Vec::from([generate_test_hpke_config_and_private_key()]),
+            )
+            .unwrap_err();
+        }
+    }
+
     #[test]
     fn collector_auth_tokens() {
+        let auth_token: AuthenticationToken = random();
+        let auth_token_hash = AuthenticationTokenHash::from(&auth_token);
         // As leader, we receive an error if no collector auth token is specified.
         Task::new(
             random(),
@@ -922,6 +1100,7 @@ mod tests {
             Duration::from_hours(8).unwrap(),
             Duration::from_minutes(10).unwrap(),
             generate_test_hpke_config_and_private_key().config().clone(),
+            None,
             Some(random()),
             None,
             Vec::from([generate_test_hpke_config_and_private_key()]),
@@ -944,6 +1123,7 @@ mod tests {
             Duration::from_hours(8).unwrap(),
             Duration::from_minutes(10).unwrap(),
             generate_test_hpke_config_and_private_key().config().clone(),
+            None,
             Some(random()),
             Some(random()),
             Vec::from([generate_test_hpke_config_and_private_key()]),
@@ -966,7 +1146,8 @@ mod tests {
             Duration::from_hours(8).unwrap(),
             Duration::from_minutes(10).unwrap(),
             generate_test_hpke_config_and_private_key().config().clone(),
-            Some(random()),
+            Some(auth_token_hash.clone()),
+            None,
             None,
             Vec::from([generate_test_hpke_config_and_private_key()]),
         )
@@ -988,7 +1169,8 @@ mod tests {
             Duration::from_hours(8).unwrap(),
             Duration::from_minutes(10).unwrap(),
             generate_test_hpke_config_and_private_key().config().clone(),
-            Some(random()),
+            Some(auth_token_hash),
+            None,
             Some(random()),
             Vec::from([generate_test_hpke_config_and_private_key()]),
         )
@@ -1012,6 +1194,7 @@ mod tests {
             Duration::from_hours(8).unwrap(),
             Duration::from_minutes(10).unwrap(),
             generate_test_hpke_config_and_private_key().config().clone(),
+            None,
             Some(random()),
             Some(random()),
             Vec::from([generate_test_hpke_config_and_private_key()]),
@@ -1095,6 +1278,7 @@ mod tests {
                     HpkeAeadId::Aes128Gcm,
                     HpkePublicKey::from(b"collector hpke public key".to_vec()),
                 ),
+                None,
                 Some(
                     AuthenticationToken::new_dap_auth_token_from_string("YWdncmVnYXRvciB0b2tlbg")
                         .unwrap(),
@@ -1118,7 +1302,7 @@ mod tests {
             &[
                 Token::Struct {
                     name: "SerializedTask",
-                    len: 17,
+                    len: 18,
                 },
                 Token::Str("task_id"),
                 Token::Some,
@@ -1187,6 +1371,8 @@ mod tests {
                 Token::Str("public_key"),
                 Token::Str("Y29sbGVjdG9yIGhwa2UgcHVibGljIGtleQ"),
                 Token::StructEnd,
+                Token::Str("aggregator_auth_token_hash"),
+                Token::None,
                 Token::Str("aggregator_auth_token"),
                 Token::Some,
                 Token::Struct {
@@ -1285,10 +1471,11 @@ mod tests {
                     HpkeAeadId::Aes128Gcm,
                     HpkePublicKey::from(b"collector hpke public key".to_vec()),
                 ),
-                Some(
-                    AuthenticationToken::new_bearer_token_from_string("YWdncmVnYXRvciB0b2tlbg")
+                Some(AuthenticationTokenHash::from(
+                    &AuthenticationToken::new_bearer_token_from_string("YWdncmVnYXRvciB0b2tlbg")
                         .unwrap(),
-                ),
+                )),
+                None,
                 None,
                 [HpkeKeypair::new(
                     HpkeConfig::new(
@@ -1305,7 +1492,7 @@ mod tests {
             &[
                 Token::Struct {
                     name: "SerializedTask",
-                    len: 17,
+                    len: 18,
                 },
                 Token::Str("task_id"),
                 Token::Some,
@@ -1388,20 +1575,22 @@ mod tests {
                 Token::Str("public_key"),
                 Token::Str("Y29sbGVjdG9yIGhwa2UgcHVibGljIGtleQ"),
                 Token::StructEnd,
-                Token::Str("aggregator_auth_token"),
+                Token::Str("aggregator_auth_token_hash"),
                 Token::Some,
                 Token::Struct {
-                    name: "AuthenticationToken",
+                    name: "AuthenticationTokenHash",
                     len: 2,
                 },
                 Token::Str("type"),
                 Token::UnitVariant {
-                    name: "AuthenticationToken",
+                    name: "AuthenticationTokenHash",
                     variant: "Bearer",
                 },
-                Token::Str("token"),
-                Token::Str("YWdncmVnYXRvciB0b2tlbg"),
+                Token::Str("hash"),
+                Token::Str("MJOoBO_ysLEuG_lv2C37eEOf1Ngetsr-Ers0ZYj4vdQ"),
                 Token::StructEnd,
+                Token::Str("aggregator_auth_token"),
+                Token::None,
                 Token::Str("collector_auth_token"),
                 Token::None,
                 Token::Str("hpke_keys"),
diff --git a/aggregator_core/src/taskprov.rs b/aggregator_core/src/taskprov.rs
index ce7c4cdee..a49b71169 100644
--- a/aggregator_core/src/taskprov.rs
+++ b/aggregator_core/src/taskprov.rs
@@ -4,7 +4,7 @@ use crate::{
 };
 use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use derivative::Derivative;
-use janus_core::task::{AuthenticationToken, VdafInstance};
+use janus_core::{auth_tokens::AuthenticationToken, task::VdafInstance};
 use janus_messages::{Duration, HpkeConfig, Role, TaskId, Time};
 use rand::{distributions::Standard, prelude::Distribution};
 use ring::hkdf::{KeyType, Salt, HKDF_SHA256};
@@ -304,6 +304,7 @@ impl Task {
             None,
             None,
             None,
+            None,
             Vec::new(),
         ));
         task.validate()?;
@@ -341,7 +342,8 @@ impl From<Task> for task::Task {
 #[cfg_attr(docsrs, doc(cfg(feature = "test-util")))]
 pub mod test_util {
     use janus_core::{
-        hpke::test_util::generate_test_hpke_config_and_private_key, task::AuthenticationToken,
+        auth_tokens::AuthenticationToken,
+        hpke::test_util::generate_test_hpke_config_and_private_key,
     };
     use janus_messages::{Duration, HpkeConfig, Role};
     use rand::random;
diff --git a/collector/src/lib.rs b/collector/src/lib.rs
index aad4399c2..484ab1d48 100644
--- a/collector/src/lib.rs
+++ b/collector/src/lib.rs
@@ -57,7 +57,7 @@ use backoff::{backoff::Backoff, ExponentialBackoff};
 use chrono::{DateTime, Duration, TimeZone, Utc};
 use derivative::Derivative;
 use http_api_problem::HttpApiProblem;
-pub use janus_core::task::AuthenticationToken;
+pub use janus_core::auth_tokens::AuthenticationToken;
 use janus_core::{
     hpke::{self, HpkeApplicationInfo, HpkePrivateKey},
     http::response_to_problem_details,
@@ -637,11 +637,11 @@ mod tests {
     #[cfg(feature = "fpvec_bounded_l2")]
     use fixed_macro::fixed;
     use janus_core::{
+        auth_tokens::AuthenticationToken,
         hpke::{
             self, test_util::generate_test_hpke_config_and_private_key, HpkeApplicationInfo, Label,
         },
         retries::test_http_request_exponential_backoff,
-        task::AuthenticationToken,
         test_util::{install_test_trace_subscriber, run_vdaf, VdafTranscript},
     };
     use janus_messages::{
diff --git a/core/src/auth_tokens.rs b/core/src/auth_tokens.rs
new file mode 100644
index 000000000..810f46521
--- /dev/null
+++ b/core/src/auth_tokens.rs
@@ -0,0 +1,289 @@
+use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
+use derivative::Derivative;
+use http::header::AUTHORIZATION;
+use rand::{distributions::Standard, prelude::Distribution};
+use ring::{
+    constant_time,
+    digest::{digest, SHA256, SHA256_OUTPUT_LEN},
+};
+use serde::{de::Error, Deserialize, Deserializer, Serialize, Serializer};
+use std::str;
+
+/// HTTP header where auth tokens are provided in messages between participants.
+pub const DAP_AUTH_HEADER: &str = "DAP-Auth-Token";
+
+/// Different modes of authentication supported by Janus for either sending requests (e.g., leader
+/// to helper) or receiving them (e.g., collector to leader).
+#[derive(Clone, Derivative, Serialize, Deserialize, PartialEq, Eq)]
+#[derivative(Debug)]
+#[serde(tag = "type", content = "token")]
+#[non_exhaustive]
+pub enum AuthenticationToken {
+    /// A bearer token, presented as the value of the "Authorization" HTTP header as specified in
+    /// [RFC 6750 section 2.1][1].
+    ///
+    /// The token is not necessarily an OAuth token.
+    ///
+    /// [1]: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+    Bearer(TokenInner),
+
+    /// Token presented as the value of the "DAP-Auth-Token" HTTP header. Conforms to
+    /// [draft-dcook-ppm-dap-interop-test-design-03][1], sections [4.3.3][2] and [4.4.2][3], and
+    /// [draft-ietf-dap-ppm-01 section 3.2][4].
+    ///
+    /// [1]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03
+    /// [2]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.3.3
+    /// [3]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.4.2
+    /// [4]: https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap-01#name-https-sender-authentication
+    DapAuth(TokenInner),
+}
+
+impl AuthenticationToken {
+    /// Attempts to create a new bearer token from the provided bytes.
+    pub fn new_bearer_token_from_bytes<T: AsRef<[u8]>>(bytes: T) -> Result<Self, anyhow::Error> {
+        TokenInner::try_from(bytes.as_ref().to_vec()).map(AuthenticationToken::Bearer)
+    }
+
+    /// Attempts to create a new bearer token from the provided string
+    pub fn new_bearer_token_from_string<T: Into<String>>(string: T) -> Result<Self, anyhow::Error> {
+        TokenInner::try_from_str(string.into()).map(AuthenticationToken::Bearer)
+    }
+
+    /// Attempts to create a new DAP auth token from the provided bytes.
+    pub fn new_dap_auth_token_from_bytes<T: AsRef<[u8]>>(bytes: T) -> Result<Self, anyhow::Error> {
+        TokenInner::try_from(bytes.as_ref().to_vec()).map(AuthenticationToken::DapAuth)
+    }
+
+    /// Attempts to create a new DAP auth token from the provided string.
+    pub fn new_dap_auth_token_from_string<T: Into<String>>(
+        string: T,
+    ) -> Result<Self, anyhow::Error> {
+        TokenInner::try_from_str(string.into()).map(AuthenticationToken::DapAuth)
+    }
+
+    /// Returns an HTTP header and value that should be used to authenticate an HTTP request with
+    /// this credential.
+    pub fn request_authentication(&self) -> (&'static str, String) {
+        match self {
+            Self::Bearer(token) => (AUTHORIZATION.as_str(), format!("Bearer {}", token.as_str())),
+            // Cloning is unfortunate but necessary since other arms must allocate.
+            Self::DapAuth(token) => (DAP_AUTH_HEADER, token.as_str().to_string()),
+        }
+    }
+
+    /// Returns the token as a string.
+    pub fn as_str(&self) -> &str {
+        match self {
+            Self::DapAuth(token) => token.as_str(),
+            Self::Bearer(token) => token.as_str(),
+        }
+    }
+}
+
+impl AsRef<[u8]> for AuthenticationToken {
+    fn as_ref(&self) -> &[u8] {
+        match self {
+            Self::DapAuth(token) => token.as_ref(),
+            Self::Bearer(token) => token.as_ref(),
+        }
+    }
+}
+
+impl Distribution<AuthenticationToken> for Standard {
+    fn sample<R: rand::Rng + ?Sized>(&self, rng: &mut R) -> AuthenticationToken {
+        AuthenticationToken::Bearer(Standard::sample(self, rng))
+    }
+}
+
+/// A token value used to authenticate HTTP requests.
+///
+/// The token is used directly in HTTP request headers without further encoding and so much be a
+/// legal HTTP header value. More specifically, the token is restricted to the unpadded, URL-safe
+/// Base64 alphabet, as specified in [RFC 4648 section 5][1]. The unpadded, URL-safe Base64 string
+/// is the canonical form of the token and is used in configuration files, Janus aggregator API
+/// requests and HTTP authentication headers.
+///
+/// This opaque type ensures it's impossible to construct an [`AuthenticationToken`] whose contents
+/// are invalid.
+///
+/// [1]: https://datatracker.ietf.org/doc/html/rfc4648#section-5
+#[derive(Clone, Derivative, Serialize)]
+#[derivative(Debug)]
+#[serde(transparent)]
+pub struct TokenInner(#[derivative(Debug = "ignore")] String);
+
+impl TokenInner {
+    /// Returns the token as a string.
+    pub fn as_str(&self) -> &str {
+        &self.0
+    }
+
+    fn try_from_str(value: String) -> Result<Self, anyhow::Error> {
+        // Verify that the string is legal unpadded, URL-safe Base64
+        URL_SAFE_NO_PAD.decode(&value)?;
+        Ok(Self(value))
+    }
+
+    fn try_from(value: Vec<u8>) -> Result<Self, anyhow::Error> {
+        Self::try_from_str(String::from_utf8(value)?)
+    }
+}
+
+impl AsRef<[u8]> for TokenInner {
+    fn as_ref(&self) -> &[u8] {
+        self.0.as_bytes()
+    }
+}
+
+impl<'de> Deserialize<'de> for TokenInner {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        String::deserialize(deserializer)
+            .and_then(|string| Self::try_from_str(string).map_err(D::Error::custom))
+    }
+}
+
+impl PartialEq for TokenInner {
+    fn eq(&self, other: &Self) -> bool {
+        // We attempt constant-time comparisons of the token data to mitigate timing attacks. Note
+        // that this function still eaks whether the lengths of the tokens are equal -- this is
+        // acceptable because we expec the content of the tokens to provide enough randomness that
+        // needs to be guessed even if the length is known.
+        constant_time::verify_slices_are_equal(self.0.as_bytes(), other.0.as_bytes()).is_ok()
+    }
+}
+
+impl Eq for TokenInner {}
+
+impl Distribution<TokenInner> for Standard {
+    fn sample<R: rand::Rng + ?Sized>(&self, rng: &mut R) -> TokenInner {
+        TokenInner(URL_SAFE_NO_PAD.encode(rng.gen::<[u8; 16]>()))
+    }
+}
+
+/// The hash of an authentication token, which may be used to validate tokens in incoming requests
+/// but not to authenticate outgoing requests.
+#[derive(Clone, Derivative, Deserialize, Serialize, Eq)]
+#[derivative(Debug)]
+#[serde(tag = "type", content = "hash")]
+pub enum AuthenticationTokenHash {
+    /// A bearer token, presented as the value of the "Authorization" HTTP header as specified in
+    /// [RFC 6750 section 2.1][1].
+    ///
+    /// The token is not necessarily an OAuth token.
+    ///
+    /// [1]: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
+    Bearer(
+        #[derivative(Debug = "ignore")]
+        #[serde(
+            serialize_with = "AuthenticationTokenHash::serialize_contents",
+            deserialize_with = "AuthenticationTokenHash::deserialize_contents"
+        )]
+        [u8; SHA256_OUTPUT_LEN],
+    ),
+
+    /// Token presented as the value of the "DAP-Auth-Token" HTTP header. Conforms to
+    /// [draft-dcook-ppm-dap-interop-test-design-03][1], sections [4.3.3][2] and [4.4.2][3], and
+    /// [draft-ietf-dap-ppm-01 section 3.2][4].
+    ///
+    /// [1]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03
+    /// [2]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.3.3
+    /// [3]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.4.2
+    /// [4]: https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap-01#name-https-sender-authentication
+    DapAuth(#[derivative(Debug = "ignore")] [u8; SHA256_OUTPUT_LEN]),
+}
+
+impl AuthenticationTokenHash {
+    /// Returns true if the incoming unhashed token matches this token hash, false otherwise.
+    pub fn validate(&self, incoming_token: &AuthenticationToken) -> bool {
+        &Self::from(incoming_token) == self
+    }
+
+    fn serialize_contents<S: Serializer>(
+        value: &[u8; SHA256_OUTPUT_LEN],
+        serializer: S,
+    ) -> Result<S::Ok, S::Error> {
+        serializer.serialize_str(&URL_SAFE_NO_PAD.encode(value))
+    }
+
+    fn deserialize_contents<'de, D>(deserializer: D) -> Result<[u8; SHA256_OUTPUT_LEN], D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        let b64_digest: String = Deserialize::deserialize(deserializer)?;
+        let decoded = URL_SAFE_NO_PAD
+            .decode(b64_digest)
+            .map_err(D::Error::custom)?;
+
+        decoded
+            .try_into()
+            .map_err(|_| D::Error::custom("digest has wrong length"))
+    }
+}
+
+impl From<&AuthenticationToken> for AuthenticationTokenHash {
+    fn from(value: &AuthenticationToken) -> Self {
+        // unwrap safety: try_into is converting from &[u8] to [u8; SHA256_OUTPUT_LEN]. SHA256
+        // output will always be that length, so this conversion should never fail.
+        let digest = digest(&SHA256, value.as_ref()).as_ref().try_into().unwrap();
+
+        match value {
+            AuthenticationToken::Bearer(_) => Self::Bearer(digest),
+            AuthenticationToken::DapAuth(_) => Self::DapAuth(digest),
+        }
+    }
+}
+
+impl PartialEq for AuthenticationTokenHash {
+    fn eq(&self, other: &Self) -> bool {
+        let (self_digest, other_digest) = match (self, other) {
+            (Self::Bearer(self_digest), Self::Bearer(other_digest)) => (self_digest, other_digest),
+            (Self::DapAuth(self_digest), Self::DapAuth(other_digest)) => {
+                (self_digest, other_digest)
+            }
+            _ => return false,
+        };
+
+        // We attempt constant-time comparisons of the token data to mitigate timing attacks.
+        constant_time::verify_slices_are_equal(self_digest.as_ref(), other_digest.as_ref()).is_ok()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::auth_tokens::{AuthenticationToken, AuthenticationTokenHash};
+    use rand::random;
+
+    #[rstest::rstest]
+    #[case::dap_auth("DapAuth")]
+    #[case::bearer("Bearer")]
+    #[test]
+    fn reject_invalid_auth_token(#[case] token_type: &str) {
+        serde_yaml::from_str::<AuthenticationToken>(&format!(
+            "{{type: \"{token_type}\", token: \"é\"}}"
+        ))
+        .unwrap_err();
+    }
+
+    #[test]
+    fn validate_token() {
+        let dap_auth_token_1 = AuthenticationToken::DapAuth(random());
+        let dap_auth_token_2 = AuthenticationToken::DapAuth(random());
+        let bearer_token_1 = AuthenticationToken::Bearer(random());
+        let bearer_token_2 = AuthenticationToken::Bearer(random());
+
+        assert_eq!(dap_auth_token_1, dap_auth_token_1);
+        assert_ne!(dap_auth_token_1, dap_auth_token_2);
+        assert_eq!(bearer_token_1, bearer_token_1);
+        assert_ne!(bearer_token_1, bearer_token_2);
+        assert_ne!(dap_auth_token_1, bearer_token_1);
+
+        assert!(AuthenticationTokenHash::from(&dap_auth_token_1).validate(&dap_auth_token_1));
+        assert!(!AuthenticationTokenHash::from(&dap_auth_token_1).validate(&dap_auth_token_2));
+        assert!(AuthenticationTokenHash::from(&bearer_token_1).validate(&bearer_token_1));
+        assert!(!AuthenticationTokenHash::from(&bearer_token_1).validate(&bearer_token_2));
+        assert!(!AuthenticationTokenHash::from(&dap_auth_token_1).validate(&bearer_token_1));
+    }
+}
diff --git a/core/src/http.rs b/core/src/http.rs
index bb7eca117..190c350ae 100644
--- a/core/src/http.rs
+++ b/core/src/http.rs
@@ -1,4 +1,4 @@
-use crate::task::AuthenticationToken;
+use crate::auth_tokens::AuthenticationToken;
 use anyhow::{anyhow, Context};
 use http_api_problem::{HttpApiProblem, PROBLEM_JSON_MEDIA_TYPE};
 use reqwest::{header::CONTENT_TYPE, Response};
diff --git a/core/src/lib.rs b/core/src/lib.rs
index c1a88a10c..345d5dfd7 100644
--- a/core/src/lib.rs
+++ b/core/src/lib.rs
@@ -3,6 +3,7 @@
 use std::future::Future;
 use tokio::task::JoinHandle;
 
+pub mod auth_tokens;
 pub mod hpke;
 pub mod http;
 pub mod report_id;
diff --git a/core/src/task.rs b/core/src/task.rs
index 24cf2eb92..1be0cb66d 100644
--- a/core/src/task.rs
+++ b/core/src/task.rs
@@ -1,16 +1,9 @@
-use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
 use derivative::Derivative;
-use http::header::AUTHORIZATION;
 use janus_messages::taskprov;
-use rand::{distributions::Standard, prelude::Distribution};
-use ring::constant_time;
-use serde::{de::Error, Deserialize, Deserializer, Serialize};
+use serde::{Deserialize, Serialize};
 use std::str;
 use url::Url;
 
-/// HTTP header where auth tokens are provided in messages between participants.
-pub const DAP_AUTH_HEADER: &str = "DAP-Auth-Token";
-
 /// The length of the verify key parameter for Prio3 & Poplar1 VDAF instantiations.
 pub const VERIFY_KEY_LENGTH: usize = 16;
 
@@ -607,157 +600,6 @@ macro_rules! vdaf_dispatch {
     };
 }
 
-/// Different modes of authentication supported by Janus for either sending requests (e.g., leader
-/// to helper) or receiving them (e.g., collector to leader).
-#[derive(Clone, Derivative, Serialize, Deserialize, PartialEq, Eq)]
-#[derivative(Debug)]
-#[serde(tag = "type", content = "token")]
-#[non_exhaustive]
-pub enum AuthenticationToken {
-    /// A bearer token, presented as the value of the "Authorization" HTTP header as specified in
-    /// [RFC 6750 section 2.1][1].
-    ///
-    /// The token is not necessarily an OAuth token.
-    ///
-    /// [1]: https://datatracker.ietf.org/doc/html/rfc6750#section-2.1
-    Bearer(TokenInner),
-
-    /// Token presented as the value of the "DAP-Auth-Token" HTTP header. Conforms to
-    /// [draft-dcook-ppm-dap-interop-test-design-03][1], sections [4.3.3][2] and [4.4.2][3], and
-    /// [draft-ietf-dap-ppm-01 section 3.2][4].
-    ///
-    /// [1]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03
-    /// [2]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.3.3
-    /// [3]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.4.2
-    /// [4]: https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap-01#name-https-sender-authentication
-    DapAuth(TokenInner),
-}
-
-impl AuthenticationToken {
-    /// Attempts to create a new bearer token from the provided bytes.
-    pub fn new_bearer_token_from_bytes<T: AsRef<[u8]>>(bytes: T) -> Result<Self, anyhow::Error> {
-        TokenInner::try_from(bytes.as_ref().to_vec()).map(AuthenticationToken::Bearer)
-    }
-
-    /// Attempts to create a new bearer token from the provided string
-    pub fn new_bearer_token_from_string<T: Into<String>>(string: T) -> Result<Self, anyhow::Error> {
-        TokenInner::try_from_str(string.into()).map(AuthenticationToken::Bearer)
-    }
-
-    /// Attempts to create a new DAP auth token from the provided bytes.
-    pub fn new_dap_auth_token_from_bytes<T: AsRef<[u8]>>(bytes: T) -> Result<Self, anyhow::Error> {
-        TokenInner::try_from(bytes.as_ref().to_vec()).map(AuthenticationToken::DapAuth)
-    }
-
-    /// Attempts to create a new DAP auth token from the provided string.
-    pub fn new_dap_auth_token_from_string<T: Into<String>>(
-        string: T,
-    ) -> Result<Self, anyhow::Error> {
-        TokenInner::try_from_str(string.into()).map(AuthenticationToken::DapAuth)
-    }
-
-    /// Returns an HTTP header and value that should be used to authenticate an HTTP request with
-    /// this credential.
-    pub fn request_authentication(&self) -> (&'static str, String) {
-        match self {
-            Self::Bearer(token) => (AUTHORIZATION.as_str(), format!("Bearer {}", token.as_str())),
-            // Cloning is unfortunate but necessary since other arms must allocate.
-            Self::DapAuth(token) => (DAP_AUTH_HEADER, token.as_str().to_string()),
-        }
-    }
-
-    /// Returns the token as a string.
-    pub fn as_str(&self) -> &str {
-        match self {
-            Self::DapAuth(token) => token.as_str(),
-            Self::Bearer(token) => token.as_str(),
-        }
-    }
-}
-
-impl AsRef<[u8]> for AuthenticationToken {
-    fn as_ref(&self) -> &[u8] {
-        match self {
-            Self::DapAuth(token) => token.as_ref(),
-            Self::Bearer(token) => token.as_ref(),
-        }
-    }
-}
-
-impl Distribution<AuthenticationToken> for Standard {
-    fn sample<R: rand::Rng + ?Sized>(&self, rng: &mut R) -> AuthenticationToken {
-        AuthenticationToken::Bearer(Standard::sample(self, rng))
-    }
-}
-
-/// A token value used to authenticate HTTP requests.
-///
-/// The token is used directly in HTTP request headers without further encoding and so much be a
-/// legal HTTP header value. More specifically, the token is restricted to the unpadded, URL-safe
-/// Base64 alphabet, as specified in [RFC 4648 section 5][1]. The unpadded, URL-safe Base64 string
-/// is the canonical form of the token and is used in configuration files, Janus aggregator API
-/// requests and HTTP authentication headers.
-///
-/// This opaque type ensures it's impossible to construct an [`AuthenticationToken`] whose contents
-/// are invalid.
-///
-/// [1]: https://datatracker.ietf.org/doc/html/rfc4648#section-5
-#[derive(Clone, Derivative, Serialize)]
-#[derivative(Debug)]
-#[serde(transparent)]
-pub struct TokenInner(#[derivative(Debug = "ignore")] String);
-
-impl TokenInner {
-    /// Returns the token as a string.
-    pub fn as_str(&self) -> &str {
-        &self.0
-    }
-
-    fn try_from_str(value: String) -> Result<Self, anyhow::Error> {
-        // Verify that the string is legal unpadded, URL-safe Base64
-        URL_SAFE_NO_PAD.decode(&value)?;
-        Ok(Self(value))
-    }
-
-    fn try_from(value: Vec<u8>) -> Result<Self, anyhow::Error> {
-        Self::try_from_str(String::from_utf8(value)?)
-    }
-}
-
-impl AsRef<[u8]> for TokenInner {
-    fn as_ref(&self) -> &[u8] {
-        self.0.as_bytes()
-    }
-}
-
-impl<'de> Deserialize<'de> for TokenInner {
-    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
-    where
-        D: Deserializer<'de>,
-    {
-        String::deserialize(deserializer)
-            .and_then(|string| Self::try_from_str(string).map_err(D::Error::custom))
-    }
-}
-
-impl PartialEq for TokenInner {
-    fn eq(&self, other: &Self) -> bool {
-        // We attempt constant-time comparisons of the token data to mitigate timing attacks. Note
-        // that this function still eaks whether the lengths of the tokens are equal -- this is
-        // acceptable because we expec the content of the tokens to provide enough randomness that
-        // needs to be guessed even if the length is known.
-        constant_time::verify_slices_are_equal(self.0.as_bytes(), other.0.as_bytes()).is_ok()
-    }
-}
-
-impl Eq for TokenInner {}
-
-impl Distribution<TokenInner> for Standard {
-    fn sample<R: rand::Rng + ?Sized>(&self, rng: &mut R) -> TokenInner {
-        TokenInner(URL_SAFE_NO_PAD.encode(rng.gen::<[u8; 16]>()))
-    }
-}
-
 /// Returns the given [`Url`], possibly modified to end with a slash.
 ///
 /// Aggregator endpoint URLs should end with a slash if they will be used with [`Url::join`],
@@ -772,7 +614,7 @@ pub fn url_ensure_trailing_slash(mut url: Url) -> Url {
 
 #[cfg(test)]
 mod tests {
-    use super::{AuthenticationToken, VdafInstance};
+    use super::VdafInstance;
     use serde_test::{assert_tokens, Token};
 
     #[test]
@@ -870,15 +712,4 @@ mod tests {
             }],
         );
     }
-
-    #[rstest::rstest]
-    #[case::dap_auth("DapAuth")]
-    #[case::bearer("Bearer")]
-    #[test]
-    fn reject_invalid_auth_token(#[case] token_type: &str) {
-        serde_yaml::from_str::<AuthenticationToken>(&format!(
-            "{{type: \"{token_type}\", token: \"é\"}}"
-        ))
-        .unwrap_err();
-    }
 }
diff --git a/docs/samples/tasks.yaml b/docs/samples/tasks.yaml
index 88d94a05a..9a77df236 100644
--- a/docs/samples/tasks.yaml
+++ b/docs/samples/tasks.yaml
@@ -59,14 +59,10 @@
     aead_id: Aes128Gcm
     public_key: 4qiv6IY5jrjCV3xbaQXULmPIpvoIml1oJmeXm-yOuAo
 
-  # Authentication token shared beteween the aggregators, and used to
-  # authenticate leader-to-helper requests. In the case of a leader-role task,
-  # the leader will include the token in a header when making requests to the
-  # helper. In the case of a helper-role task, the helper will accept requests
-  # requests with  authentication tokens.
+  # Authentication token used by the leader to authenticate requests made to the
+  # helper. This value should only be included in leader-role tasks.
   #
-  # Each token's `type` governs how it is inserted into HTTP requests if used by
-  # the leader to authenticate a request to the helper.
+  # Each token's `type` governs how it is inserted into HTTP requests.
   aggregator_auth_token:
     # DAP-Auth-Token values are encoded in unpadded base64url, and the decoded
     # value is sent in an HTTP header. For example, this token's value decodes
@@ -120,9 +116,13 @@
     kdf_id: HkdfSha256
     aead_id: Aes128Gcm
     public_key: KHRLcWgfWxli8cdOLPsgsZPttHXh0ho3vLVLrW-63lE
-  aggregator_auth_token:
+  # Authentication token hash used by the helper to authenticate requests
+  # received from the leader. This value should only be included in helper-role
+  # tasjs.
+  # Token hashes are encoded in unpadded base64url.
+  aggregator_auth_token_hash:
     type: "Bearer"
-    token: "YWdncmVnYXRvci1jZmE4NDMyZjdkMzllMjZiYjU3OGUzMzY5Mzk1MWQzNQ"
+    hash: "MJOoBO_ysLEuG_lv2C37eEOf1Ngetsr-Ers0ZYj4vdQ"
   # Note that this task does not have a collector authentication token, since
   # it is a helper role task.
   collector_auth_token:
diff --git a/integration_tests/tests/in_cluster.rs b/integration_tests/tests/in_cluster.rs
index 23a8dbd39..1a3a1af13 100644
--- a/integration_tests/tests/in_cluster.rs
+++ b/integration_tests/tests/in_cluster.rs
@@ -6,7 +6,7 @@ use divviup_client::{
 };
 use janus_aggregator_core::task::QueryType;
 use janus_core::{
-    task::AuthenticationToken,
+    auth_tokens::AuthenticationToken,
     task::VdafInstance,
     test_util::{
         install_test_trace_subscriber,
diff --git a/interop_binaries/src/bin/janus_interop_aggregator.rs b/interop_binaries/src/bin/janus_interop_aggregator.rs
index b038a00bb..2785abfbd 100644
--- a/interop_binaries/src/bin/janus_interop_aggregator.rs
+++ b/interop_binaries/src/bin/janus_interop_aggregator.rs
@@ -11,7 +11,7 @@ use janus_aggregator_core::{
     task::{self, Task},
     SecretBytes,
 };
-use janus_core::{task::AuthenticationToken, time::RealClock};
+use janus_core::{auth_tokens::AuthenticationToken, time::RealClock};
 use janus_interop_binaries::{
     status::{ERROR, SUCCESS},
     AddTaskResponse, AggregatorAddTaskRequest, AggregatorRole, HpkeConfigRegistry, Keyring,
diff --git a/interop_binaries/src/bin/janus_interop_collector.rs b/interop_binaries/src/bin/janus_interop_collector.rs
index e7b971f97..3f0e18a55 100644
--- a/interop_binaries/src/bin/janus_interop_collector.rs
+++ b/interop_binaries/src/bin/janus_interop_collector.rs
@@ -7,15 +7,12 @@ use fixed::types::extra::{U15, U31, U63};
 #[cfg(feature = "fpvec_bounded_l2")]
 use fixed::{FixedI16, FixedI32, FixedI64};
 use janus_collector::{Collector, CollectorParameters};
-use janus_core::{
-    hpke::HpkeKeypair,
-    task::{AuthenticationToken, VdafInstance},
-};
-use janus_interop_binaries::Keyring;
+use janus_core::{auth_tokens::AuthenticationToken, hpke::HpkeKeypair, task::VdafInstance};
+
 use janus_interop_binaries::{
     install_tracing_subscriber,
     status::{COMPLETE, ERROR, IN_PROGRESS, SUCCESS},
-    ErrorHandler, HpkeConfigRegistry, NumberAsString, VdafObject,
+    ErrorHandler, HpkeConfigRegistry, Keyring, NumberAsString, VdafObject,
 };
 use janus_messages::{
     query_type::QueryType, BatchId, Duration, FixedSizeQuery, HpkeConfig, Interval,
@@ -40,6 +37,7 @@ use tokio::{sync::Mutex, task::JoinHandle};
 use trillium::{Conn, Handler};
 use trillium_api::{api, Json, State};
 use trillium_router::Router;
+
 #[derive(Debug, Deserialize)]
 struct AddTaskRequest {
     task_id: String,
diff --git a/tools/src/bin/collect.rs b/tools/src/bin/collect.rs
index 2c397276f..4eeda92e4 100644
--- a/tools/src/bin/collect.rs
+++ b/tools/src/bin/collect.rs
@@ -602,11 +602,11 @@ mod tests {
     use base64::{engine::general_purpose::URL_SAFE_NO_PAD, Engine};
     use clap::{error::ErrorKind, CommandFactory, Parser};
     use janus_core::{
+        auth_tokens::TokenInner,
         hpke::{
             test_util::{generate_test_hpke_config_and_private_key, SAMPLE_DIVVIUP_HPKE_CONFIG},
             DivviUpHpkeConfig, HpkeKeypair,
         },
-        task::TokenInner,
     };
     use janus_messages::{BatchId, TaskId};
     use prio::codec::Encode;

From d82b9b52364275e95e7198f11801fedfee43863e Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Fri, 22 Sep 2023 09:02:15 -0700
Subject: [PATCH 2/6] wip

---
 aggregator_core/src/datastore.rs        |  8 ++++++--
 core/src/auth_tokens.rs                 | 18 +++++++++++++++++-
 db/00000000000001_initial_schema.up.sql | 13 ++++++++++---
 3 files changed, 33 insertions(+), 6 deletions(-)

diff --git a/aggregator_core/src/datastore.rs b/aggregator_core/src/datastore.rs
index 315727a6b..72532ab86 100644
--- a/aggregator_core/src/datastore.rs
+++ b/aggregator_core/src/datastore.rs
@@ -535,8 +535,8 @@ impl<C: Clock> Transaction<'_, C> {
                     helper_aggregator_endpoint, query_type, vdaf, max_batch_query_count,
                     task_expiration, report_expiry_age, min_batch_size, time_precision,
                     tolerable_clock_skew, collector_hpke_config, vdaf_verify_key,
-                    aggregator_auth_token_type, aggregator_auth_token, collector_auth_token_type,
-                    collector_auth_token)
+                    aggregator_auth_token_type, aggregator_auth_token, aggregator_auth_token_hash,
+                    collector_auth_token_type, collector_auth_token)
                 VALUES (
                     $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18
                 )
@@ -600,6 +600,10 @@ impl<C: Clock> Transaction<'_, C> {
                             )
                         })
                         .transpose()?,
+                    /* aggregator_auth_token_hash */
+                    &task
+                        .aggregator_auth_token_hash()
+                        .map(|token_hash| token_hash.as_ref()),
                     /* collector_auth_token_type */
                     &task
                         .collector_auth_token()
diff --git a/core/src/auth_tokens.rs b/core/src/auth_tokens.rs
index 810f46521..8983e15e5 100644
--- a/core/src/auth_tokens.rs
+++ b/core/src/auth_tokens.rs
@@ -192,7 +192,14 @@ pub enum AuthenticationTokenHash {
     /// [2]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.3.3
     /// [3]: https://datatracker.ietf.org/doc/html/draft-dcook-ppm-dap-interop-test-design-03#section-4.4.2
     /// [4]: https://datatracker.ietf.org/doc/html/draft-ietf-ppm-dap-01#name-https-sender-authentication
-    DapAuth(#[derivative(Debug = "ignore")] [u8; SHA256_OUTPUT_LEN]),
+    DapAuth(
+        #[derivative(Debug = "ignore")]
+        #[serde(
+            serialize_with = "AuthenticationTokenHash::serialize_contents",
+            deserialize_with = "AuthenticationTokenHash::deserialize_contents"
+        )]
+        [u8; SHA256_OUTPUT_LEN],
+    ),
 }
 
 impl AuthenticationTokenHash {
@@ -251,6 +258,15 @@ impl PartialEq for AuthenticationTokenHash {
     }
 }
 
+impl AsRef<[u8]> for AuthenticationTokenHash {
+    fn as_ref(&self) -> &[u8] {
+        match self {
+            Self::Bearer(inner) => inner.as_slice(),
+            Self::DapAuth(inner) => inner.as_slice(),
+        }
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use crate::auth_tokens::{AuthenticationToken, AuthenticationTokenHash};
diff --git a/db/00000000000001_initial_schema.up.sql b/db/00000000000001_initial_schema.up.sql
index cffe33b79..2336c0b80 100644
--- a/db/00000000000001_initial_schema.up.sql
+++ b/db/00000000000001_initial_schema.up.sql
@@ -94,9 +94,16 @@ CREATE TABLE tasks(
     -- Authentication token used to authenticate messages to/from the other aggregator.
     -- These columns are NULL if the task was provisioned by taskprov.
     aggregator_auth_token_type  AUTH_TOKEN_TYPE,    -- the type of the authentication token
-    aggregator_auth_token       BYTEA,              -- encrypted bearer token
-    -- The aggregator_auth_token columns must either both be NULL or both be non-NULL
-    CONSTRAINT aggregator_auth_token_null CHECK ((aggregator_auth_token_type IS NULL) = (aggregator_auth_token IS NULL)),
+    aggregator_auth_token       BYTEA,              -- encrypted bearer token (only set for leader)
+    aggregator_auth_token_hash  BYTEA,              -- hash of the token (only set for helper)
+    CONSTRAINT aggregator_auth_token_null CHECK (
+        -- If aggregator_auth_token_type is not NULL, then exactly one of aggregator_auth_token or
+        -- aggregator_auth_token_hash must be not NULL.
+        ((aggregator_auth_token_type IS NOT NULL) AND (aggregator_auth_token IS NULL) != (aggregator_auth_token_hash IS NULL)))
+        -- If aggregator_auth_token_type is NULL, then both aggregator_auth_token and
+        -- aggregator_auth_token_hash must be NULL
+        OR ((aggregator_auth_token_type IS NULL) AND (aggregator_auth_token IS NULL) AND (aggregator_auth_token_hash IS NULL))
+    ),
 
     -- Authentication token used to authenticate messages to the leader from the collector. These
     -- columns are NULL if the task was provisioned by taskprov or if the task's role is helper.

From 8355c468f9dfc60df41731c1f71e607853f69082 Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Fri, 22 Sep 2023 14:21:59 -0700
Subject: [PATCH 3/6] works through persistence and aggregator API

---
 aggregator_api/src/models.rs            | 25 ++++++-----
 aggregator_api/src/routes.rs            | 27 ++++++++----
 aggregator_api/src/tests.rs             | 56 ++++++++++++++++++++++---
 aggregator_core/src/datastore.rs        | 27 +++++++++---
 aggregator_core/src/datastore/models.rs | 25 ++++++++++-
 aggregator_core/src/datastore/tests.rs  |  1 +
 core/src/auth_tokens.rs                 |  1 +
 db/00000000000001_initial_schema.up.sql |  2 +-
 8 files changed, 133 insertions(+), 31 deletions(-)

diff --git a/aggregator_api/src/models.rs b/aggregator_api/src/models.rs
index c3faf14b9..dd301160b 100644
--- a/aggregator_api/src/models.rs
+++ b/aggregator_api/src/models.rs
@@ -108,11 +108,9 @@ pub(crate) struct TaskResp {
     /// How much clock skew to allow between client and aggregator. Reports from
     /// farther than this duration into the future will be rejected.
     pub(crate) tolerable_clock_skew: Duration,
-    /// The authentication token for inter-aggregator communication in this task. If `role` is
-    /// Helper, this token is used by the aggregator to authenticate requests from the Leader. Not
-    /// set if `role` is Leader..
-    // TODO(#1509): This field will have to change as Janus helpers will only store a salted
-    // hash of aggregator auth tokens.
+    /// The authentication token for inter-aggregator communication in this task. Will only be set
+    /// if `role` is Leader, or in the response to `POST /tasks/` for the Helper, as the Helper does
+    /// not store the unhashed authentication token.
     pub(crate) aggregator_auth_token: Option<AuthenticationToken>,
     /// The authentication token used by the task's Collector to authenticate to the Leader.
     /// `Some` if `role` is Leader, `None` otherwise.
@@ -125,10 +123,11 @@ pub(crate) struct TaskResp {
     pub(crate) aggregator_hpke_configs: Vec<HpkeConfig>,
 }
 
-impl TryFrom<&Task> for TaskResp {
-    type Error = &'static str;
-
-    fn try_from(task: &Task) -> Result<Self, Self::Error> {
+impl TaskResp {
+    pub(crate) fn try_from_task(
+        task: &Task,
+        aggregator_auth_token: Option<&AuthenticationToken>,
+    ) -> Result<Self, &'static str> {
         // We have to resolve impedance mismatches between the aggregator API's view of a task
         // and `aggregator_core::task::Task`. For now, we deal with this in code, but someday
         // the two representations will be harmonized.
@@ -162,7 +161,13 @@ impl TryFrom<&Task> for TaskResp {
             min_batch_size: task.min_batch_size(),
             time_precision: *task.time_precision(),
             tolerable_clock_skew: *task.tolerable_clock_skew(),
-            aggregator_auth_token: task.aggregator_auth_token().cloned(),
+            // The helper task does not contain the unhashed aggregator auth token, but the response
+            // to the task creation request must so that the token can be provided to the leader.
+            aggregator_auth_token: if task.role() == &Role::Helper {
+                aggregator_auth_token.cloned()
+            } else {
+                task.aggregator_auth_token().cloned()
+            },
             collector_auth_token: task.collector_auth_token().cloned(),
             collector_hpke_config: task
                 .collector_hpke_config()
diff --git a/aggregator_api/src/routes.rs b/aggregator_api/src/routes.rs
index 0d93586be..7abb5f8f2 100644
--- a/aggregator_api/src/routes.rs
+++ b/aggregator_api/src/routes.rs
@@ -14,7 +14,9 @@ use janus_aggregator_core::{
     taskprov::PeerAggregator,
     SecretBytes,
 };
-use janus_core::{hpke::generate_hpke_config_and_private_key, time::Clock};
+use janus_core::{
+    auth_tokens::AuthenticationTokenHash, hpke::generate_hpke_config_and_private_key, time::Clock,
+};
 use janus_messages::HpkeConfigId;
 use janus_messages::{
     query_type::Code as SupportedQueryType, Duration, HpkeAeadId, HpkeKdfId, HpkeKemId, Role,
@@ -129,7 +131,7 @@ pub(super) async fn post_task<C: Clock>(
                         .to_string(),
                 )
             })?;
-            (Some(aggregator_auth_token), Some(random()))
+            (aggregator_auth_token, Some(random()))
         }
 
         Role::Helper => {
@@ -139,8 +141,7 @@ pub(super) async fn post_task<C: Clock>(
                         .to_string(),
                 ));
             }
-
-            (Some(random()), None)
+            (random(), None)
         }
 
         _ => unreachable!(),
@@ -173,7 +174,18 @@ pub(super) async fn post_task<C: Clock>(
             /* tolerable_clock_skew */
             Duration::from_seconds(60), // 1 minute,
             /* collector_hpke_config */ req.collector_hpke_config,
-            aggregator_auth_token,
+            /* aggregator_auth_token_hash */
+            if req.role == Role::Helper {
+                Some(AuthenticationTokenHash::from(&aggregator_auth_token))
+            } else {
+                None
+            },
+            /* aggregator_auth_token */
+            if req.role == Role::Leader {
+                Some(aggregator_auth_token.clone())
+            } else {
+                None
+            },
             collector_auth_token,
             hpke_keys,
         )
@@ -212,7 +224,8 @@ pub(super) async fn post_task<C: Clock>(
     .await?;
 
     Ok(Json(
-        TaskResp::try_from(task.as_ref()).map_err(|err| Error::Internal(err.to_string()))?,
+        TaskResp::try_from_task(task.as_ref(), Some(&aggregator_auth_token))
+            .map_err(|err| Error::Internal(err.to_string()))?,
     ))
 }
 
@@ -230,7 +243,7 @@ pub(super) async fn get_task<C: Clock>(
         .ok_or(Error::NotFound)?;
 
     Ok(Json(
-        TaskResp::try_from(&task).map_err(|err| Error::Internal(err.to_string()))?,
+        TaskResp::try_from_task(&task, None).map_err(|err| Error::Internal(err.to_string()))?,
     ))
 }
 
diff --git a/aggregator_api/src/tests.rs b/aggregator_api/src/tests.rs
index 6ecfe88e6..f781ea12f 100644
--- a/aggregator_api/src/tests.rs
+++ b/aggregator_api/src/tests.rs
@@ -335,7 +335,7 @@ async fn post_task_helper_no_optional_fields() {
     assert_eq!(req.task_expiration.as_ref(), got_task.task_expiration());
     assert_eq!(req.min_batch_size, got_task.min_batch_size());
     assert_eq!(&req.time_precision, got_task.time_precision());
-    assert!(got_task.aggregator_auth_token().is_some());
+    assert!(got_task.aggregator_auth_token_hash().is_some());
     assert!(got_task.collector_auth_token().is_none());
     assert_eq!(
         &req.collector_hpke_config,
@@ -343,7 +343,10 @@ async fn post_task_helper_no_optional_fields() {
     );
 
     // ...and the response.
-    assert_eq!(got_task_resp, TaskResp::try_from(&got_task).unwrap());
+    assert_eq!(
+        got_task_resp,
+        TaskResp::try_from_task(&got_task, got_task_resp.aggregator_auth_token.as_ref()).unwrap()
+    );
 }
 
 #[tokio::test]
@@ -552,7 +555,10 @@ async fn post_task_leader_all_optional_fields() {
     assert!(got_task.collector_auth_token().is_some());
 
     // ...and the response.
-    assert_eq!(got_task_resp, TaskResp::try_from(&got_task).unwrap());
+    assert_eq!(
+        got_task_resp,
+        TaskResp::try_from_task(&got_task, Some(&aggregator_auth_token)).unwrap()
+    );
 }
 
 /// Test the POST /tasks endpoint, with a leader task with all of the optional fields provided.
@@ -599,7 +605,7 @@ async fn post_task_leader_no_aggregator_auth_token() {
 }
 
 #[tokio::test]
-async fn get_task() {
+async fn get_task_leader() {
     // Setup: write a task to the datastore.
     let (handler, _ephemeral_datastore, ds) = setup_api_test().await;
 
@@ -616,7 +622,7 @@ async fn get_task() {
     .unwrap();
 
     // Verify: getting the task returns the expected result.
-    let want_task_resp = TaskResp::try_from(&task).unwrap();
+    let want_task_resp = TaskResp::try_from_task(&task, task.aggregator_auth_token()).unwrap();
     let mut conn = get(&format!("/tasks/{}", task.id()))
         .with_request_header("Authorization", format!("Bearer {AUTH_TOKEN}"))
         .with_request_header("Accept", CONTENT_TYPE)
@@ -656,6 +662,43 @@ async fn get_task() {
     );
 }
 
+#[tokio::test]
+async fn get_task_helper() {
+    // Setup: write a task to the datastore.
+    let (handler, _ephemeral_datastore, ds) = setup_api_test().await;
+
+    let task = TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper).build();
+
+    ds.run_tx(|tx| {
+        let task = task.clone();
+        Box::pin(async move {
+            tx.put_task(&task).await?;
+            Ok(())
+        })
+    })
+    .await
+    .unwrap();
+
+    // Verify: getting the task returns the expected result.
+    let want_task_resp = TaskResp::try_from_task(&task, None).unwrap();
+    let mut conn = get(&format!("/tasks/{}", task.id()))
+        .with_request_header("Authorization", format!("Bearer {AUTH_TOKEN}"))
+        .with_request_header("Accept", CONTENT_TYPE)
+        .run_async(&handler)
+        .await;
+    assert_status!(conn, Status::Ok);
+    let got_task_resp = serde_json::from_slice(
+        &conn
+            .take_response_body()
+            .unwrap()
+            .into_bytes()
+            .await
+            .unwrap(),
+    )
+    .unwrap();
+    assert_eq!(want_task_resp, got_task_resp);
+}
+
 #[tokio::test]
 async fn delete_task() {
     // Setup: write a task to the datastore.
@@ -1769,6 +1812,7 @@ fn task_resp_serialization() {
             HpkeAeadId::Aes128Gcm,
             HpkePublicKey::from([0u8; 32].to_vec()),
         ),
+        None,
         Some(
             AuthenticationToken::new_dap_auth_token_from_string("Y29sbGVjdG9yLWFiY2RlZjAw")
                 .unwrap(),
@@ -1790,7 +1834,7 @@ fn task_resp_serialization() {
     )
     .unwrap();
     assert_tokens(
-        &TaskResp::try_from(&task).unwrap(),
+        &TaskResp::try_from_task(&task, task.aggregator_auth_token()).unwrap(),
         &[
             Token::Struct {
                 name: "TaskResp",
diff --git a/aggregator_core/src/datastore.rs b/aggregator_core/src/datastore.rs
index 72532ab86..bf0fd0287 100644
--- a/aggregator_core/src/datastore.rs
+++ b/aggregator_core/src/datastore.rs
@@ -538,7 +538,8 @@ impl<C: Clock> Transaction<'_, C> {
                     aggregator_auth_token_type, aggregator_auth_token, aggregator_auth_token_hash,
                     collector_auth_token_type, collector_auth_token)
                 VALUES (
-                    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18
+                    $1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17, $18,
+                    $19
                 )
                 ON CONFLICT DO NOTHING",
             )
@@ -587,7 +588,11 @@ impl<C: Clock> Transaction<'_, C> {
                     /* aggregator_auth_token_type */
                     &task
                         .aggregator_auth_token()
-                        .map(AuthenticationTokenType::from),
+                        .map(AuthenticationTokenType::from)
+                        .or_else(|| {
+                            task.aggregator_auth_token_hash()
+                                .map(AuthenticationTokenType::from)
+                        }),
                     /* aggregator_auth_token */
                     &task
                         .aggregator_auth_token()
@@ -690,7 +695,7 @@ impl<C: Clock> Transaction<'_, C> {
                     query_type, vdaf, max_batch_query_count, task_expiration, report_expiry_age,
                     min_batch_size, time_precision, tolerable_clock_skew, collector_hpke_config,
                     vdaf_verify_key, aggregator_auth_token_type, aggregator_auth_token,
-                    collector_auth_token_type, collector_auth_token
+                    aggregator_auth_token_hash, collector_auth_token_type, collector_auth_token
                 FROM tasks WHERE task_id = $1",
             )
             .await?;
@@ -719,8 +724,8 @@ impl<C: Clock> Transaction<'_, C> {
                     helper_aggregator_endpoint, query_type, vdaf, max_batch_query_count,
                     task_expiration, report_expiry_age, min_batch_size, time_precision,
                     tolerable_clock_skew, collector_hpke_config, vdaf_verify_key,
-                    aggregator_auth_token_type, aggregator_auth_token, collector_auth_token_type,
-                    collector_auth_token
+                    aggregator_auth_token_type, aggregator_auth_token, aggregator_auth_token_hash,
+                    collector_auth_token_type, collector_auth_token
                 FROM tasks",
             )
             .await?;
@@ -808,9 +813,12 @@ impl<C: Clock> Transaction<'_, C> {
             )
             .map(SecretBytes::new)?;
 
+        let aggregator_auth_token_type =
+            row.try_get::<_, Option<AuthenticationTokenType>>("aggregator_auth_token_type")?;
+
         let aggregator_auth_token = row
             .try_get::<_, Option<Vec<u8>>>("aggregator_auth_token")?
-            .zip(row.try_get::<_, Option<AuthenticationTokenType>>("aggregator_auth_token_type")?)
+            .zip(aggregator_auth_token_type)
             .map(|(encrypted_token, token_type)| {
                 token_type.as_authentication(&self.crypter.decrypt(
                     "tasks",
@@ -821,6 +829,12 @@ impl<C: Clock> Transaction<'_, C> {
             })
             .transpose()?;
 
+        let aggregator_auth_token_hash = row
+            .try_get::<_, Option<Vec<u8>>>("aggregator_auth_token_hash")?
+            .zip(aggregator_auth_token_type)
+            .map(|(token_hash, token_type)| token_type.as_authentication_token_hash(&token_hash))
+            .transpose()?;
+
         let collector_auth_token = row
             .try_get::<_, Option<Vec<u8>>>("collector_auth_token")?
             .zip(row.try_get::<_, Option<AuthenticationTokenType>>("collector_auth_token_type")?)
@@ -870,6 +884,7 @@ impl<C: Clock> Transaction<'_, C> {
             time_precision,
             tolerable_clock_skew,
             collector_hpke_config,
+            aggregator_auth_token_hash,
             aggregator_auth_token,
             collector_auth_token,
             hpke_keypairs,
diff --git a/aggregator_core/src/datastore/models.rs b/aggregator_core/src/datastore/models.rs
index f31f0e703..e2c993cd2 100644
--- a/aggregator_core/src/datastore/models.rs
+++ b/aggregator_core/src/datastore/models.rs
@@ -5,7 +5,7 @@ use base64::{display::Base64Display, engine::general_purpose::URL_SAFE_NO_PAD};
 use chrono::NaiveDateTime;
 use derivative::Derivative;
 use janus_core::{
-    auth_tokens::AuthenticationToken,
+    auth_tokens::{AuthenticationToken, AuthenticationTokenHash},
     hpke::HpkeKeypair,
     report_id::ReportIdChecksumExt,
     task::VdafInstance,
@@ -59,6 +59,19 @@ impl AuthenticationTokenType {
         }
         .map_err(|e| Error::DbState(format!("invalid DAP auth token in database: {e:?}")))
     }
+
+    pub fn as_authentication_token_hash(
+        &self,
+        hash_bytes: &[u8],
+    ) -> Result<AuthenticationTokenHash, Error> {
+        let hash_array = hash_bytes
+            .try_into()
+            .map_err(|e| Error::DbState(format!("invalid auth token hash in database: {e:?}")))?;
+        Ok(match self {
+            Self::DapAuthToken => AuthenticationTokenHash::DapAuth(hash_array),
+            Self::AuthorizationBearerToken => AuthenticationTokenHash::Bearer(hash_array),
+        })
+    }
 }
 
 impl From<&AuthenticationToken> for AuthenticationTokenType {
@@ -71,6 +84,16 @@ impl From<&AuthenticationToken> for AuthenticationTokenType {
     }
 }
 
+impl From<&AuthenticationTokenHash> for AuthenticationTokenType {
+    fn from(value: &AuthenticationTokenHash) -> Self {
+        match value {
+            AuthenticationTokenHash::DapAuth(_) => Self::DapAuthToken,
+            AuthenticationTokenHash::Bearer(_) => Self::AuthorizationBearerToken,
+            _ => unreachable!(),
+        }
+    }
+}
+
 /// Represents a report as it is stored in the leader's database, corresponding to a row in
 /// `client_reports`, where `leader_input_share` and `helper_encrypted_input_share` are required
 /// to be populated.
diff --git a/aggregator_core/src/datastore/tests.rs b/aggregator_core/src/datastore/tests.rs
index bcd88abef..d5fc897ca 100644
--- a/aggregator_core/src/datastore/tests.rs
+++ b/aggregator_core/src/datastore/tests.rs
@@ -166,6 +166,7 @@ async fn roundtrip_task(ephemeral_datastore: EphemeralDatastore) {
             .unwrap();
         assert_eq!(None, retrieved_task);
 
+        println!("test case {task:?}");
         ds.put_task(&task).await.unwrap();
 
         let retrieved_task = ds
diff --git a/core/src/auth_tokens.rs b/core/src/auth_tokens.rs
index 8983e15e5..716c119fe 100644
--- a/core/src/auth_tokens.rs
+++ b/core/src/auth_tokens.rs
@@ -168,6 +168,7 @@ impl Distribution<TokenInner> for Standard {
 #[derive(Clone, Derivative, Deserialize, Serialize, Eq)]
 #[derivative(Debug)]
 #[serde(tag = "type", content = "hash")]
+#[non_exhaustive]
 pub enum AuthenticationTokenHash {
     /// A bearer token, presented as the value of the "Authorization" HTTP header as specified in
     /// [RFC 6750 section 2.1][1].
diff --git a/db/00000000000001_initial_schema.up.sql b/db/00000000000001_initial_schema.up.sql
index 2336c0b80..1196293a1 100644
--- a/db/00000000000001_initial_schema.up.sql
+++ b/db/00000000000001_initial_schema.up.sql
@@ -99,7 +99,7 @@ CREATE TABLE tasks(
     CONSTRAINT aggregator_auth_token_null CHECK (
         -- If aggregator_auth_token_type is not NULL, then exactly one of aggregator_auth_token or
         -- aggregator_auth_token_hash must be not NULL.
-        ((aggregator_auth_token_type IS NOT NULL) AND (aggregator_auth_token IS NULL) != (aggregator_auth_token_hash IS NULL)))
+        ((aggregator_auth_token_type IS NOT NULL) AND (aggregator_auth_token IS NULL) != (aggregator_auth_token_hash IS NULL))
         -- If aggregator_auth_token_type is NULL, then both aggregator_auth_token and
         -- aggregator_auth_token_hash must be NULL
         OR ((aggregator_auth_token_type IS NULL) AND (aggregator_auth_token IS NULL) AND (aggregator_auth_token_hash IS NULL))

From c59de8f24c790fd12a58a9df2016b943efc1c82a Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Fri, 22 Sep 2023 15:24:17 -0700
Subject: [PATCH 4/6] works through janus_aggregator

---
 aggregator/src/aggregator.rs                  |  25 +-
 .../src/aggregator/aggregate_init_tests.rs    |  36 ++-
 .../aggregator/aggregation_job_continue.rs    |  42 +++-
 aggregator/src/aggregator/http_handlers.rs    | 230 +++++++++++-------
 aggregator/src/bin/janus_cli.rs               |   6 +-
 aggregator_core/src/task.rs                   |  12 +
 integration_tests/src/daphne.rs               |  16 +-
 .../src/bin/janus_interop_aggregator.rs       |  21 +-
 8 files changed, 243 insertions(+), 145 deletions(-)

diff --git a/aggregator/src/aggregator.rs b/aggregator/src/aggregator.rs
index 0597483ed..116a89a8e 100644
--- a/aggregator/src/aggregator.rs
+++ b/aggregator/src/aggregator.rs
@@ -355,15 +355,16 @@ impl<C: Clock> Aggregator<C> {
     ) -> Result<AggregationJobResp, Error> {
         let task_aggregator = match self.task_aggregator_for(task_id).await? {
             Some(task_aggregator) => {
-                if !auth_token
-                    .map(|t| task_aggregator.task.check_aggregator_auth_token(&t))
-                    .unwrap_or(false)
-                {
-                    return Err(Error::UnauthorizedRequest(*task_id));
-                }
                 if task_aggregator.task.role() != &Role::Helper {
                     return Err(Error::UnrecognizedTask(*task_id));
                 }
+
+                if !task_aggregator
+                    .task
+                    .check_aggregator_auth_token(auth_token.as_ref())
+                {
+                    return Err(Error::UnauthorizedRequest(*task_id));
+                }
                 task_aggregator
             }
             None if self.cfg.taskprov_config.enabled && taskprov_task_config.is_some() => {
@@ -426,9 +427,9 @@ impl<C: Clock> Aggregator<C> {
                 auth_token.as_ref(),
             )
             .await?;
-        } else if !auth_token
-            .map(|t| task_aggregator.task.check_aggregator_auth_token(&t))
-            .unwrap_or(false)
+        } else if !task_aggregator
+            .task
+            .check_aggregator_auth_token(auth_token.as_ref())
         {
             return Err(Error::UnauthorizedRequest(*task_id));
         }
@@ -566,9 +567,9 @@ impl<C: Clock> Aggregator<C> {
 
                 peer_aggregator.collector_hpke_config()
             } else {
-                if !auth_token
-                    .map(|t| task_aggregator.task.check_aggregator_auth_token(&t))
-                    .unwrap_or(false)
+                if !task_aggregator
+                    .task
+                    .check_aggregator_auth_token(auth_token.as_ref())
                 {
                     return Err(Error::UnauthorizedRequest(*task_id));
                 }
diff --git a/aggregator/src/aggregator/aggregate_init_tests.rs b/aggregator/src/aggregator/aggregate_init_tests.rs
index e1a73d5f7..c5c2dd22d 100644
--- a/aggregator/src/aggregator/aggregate_init_tests.rs
+++ b/aggregator/src/aggregator/aggregate_init_tests.rs
@@ -121,6 +121,7 @@ pub(super) struct AggregationJobInitTestCase<
 > {
     pub(super) clock: MockClock,
     pub(super) task: Task,
+    pub(super) aggregator_auth_token: AuthenticationToken,
     pub(super) prepare_init_generator: PrepareInitGenerator<VERIFY_KEY_SIZE, V>,
     pub(super) prepare_inits: Vec<PrepareInit>,
     pub(super) aggregation_job_id: AggregationJobId,
@@ -176,6 +177,7 @@ async fn setup_aggregate_init_test_for_vdaf<
 
     let mut response = put_aggregation_job(
         &test_case.task,
+        &test_case.aggregator_auth_token,
         &test_case.aggregation_job_id,
         &test_case.aggregation_job_init_req,
         &test_case.handler,
@@ -205,12 +207,12 @@ async fn setup_aggregate_init_test_without_sending_request<
     vdaf_instance: VdafInstance,
     aggregation_param: V::AggregationParam,
     measurement: V::Measurement,
-    auth_token: AuthenticationToken,
+    aggregator_auth_token: AuthenticationToken,
 ) -> AggregationJobInitTestCase<VERIFY_KEY_SIZE, V> {
     install_test_trace_subscriber();
 
     let task = TaskBuilder::new(QueryType::TimeInterval, vdaf_instance, Role::Helper)
-        .with_aggregator_auth_token(auth_token)
+        .with_aggregator_auth_token(aggregator_auth_token.clone())
         .build();
     let clock = MockClock::default();
     let ephemeral_datastore = ephemeral_datastore().await;
@@ -245,6 +247,7 @@ async fn setup_aggregate_init_test_without_sending_request<
     AggregationJobInitTestCase {
         clock,
         task,
+        aggregator_auth_token,
         prepare_inits,
         prepare_init_generator,
         aggregation_job_id,
@@ -259,14 +262,12 @@ async fn setup_aggregate_init_test_without_sending_request<
 
 pub(crate) async fn put_aggregation_job(
     task: &Task,
+    aggregator_auth_token: &AuthenticationToken,
     aggregation_job_id: &AggregationJobId,
     aggregation_job: &AggregationJobInitializeReq<TimeInterval>,
     handler: &impl Handler,
 ) -> TestConn {
-    let (header, value) = task
-        .aggregator_auth_token()
-        .unwrap()
-        .request_authentication();
+    let (header, value) = aggregator_auth_token.request_authentication();
     put(task.aggregation_job_uri(aggregation_job_id).unwrap().path())
         .with_request_header(header, value)
         .with_request_header(
@@ -289,11 +290,7 @@ async fn aggregation_job_init_authorization_dap_auth_token() {
     )
     .await;
 
-    let (auth_header, auth_value) = test_case
-        .task
-        .aggregator_auth_token()
-        .unwrap()
-        .request_authentication();
+    let (auth_header, auth_value) = test_case.aggregator_auth_token.request_authentication();
 
     let response = put(test_case
         .task
@@ -337,12 +334,7 @@ async fn aggregation_job_init_malformed_authorization_header(#[case] header_valu
     .with_request_header(KnownHeaderName::Authorization, header_value.to_string())
     .with_request_header(
         DAP_AUTH_HEADER,
-        test_case
-            .task
-            .aggregator_auth_token()
-            .unwrap()
-            .as_ref()
-            .to_owned(),
+        test_case.aggregator_auth_token.as_ref().to_owned(),
     )
     .with_request_header(
         KnownHeaderName::ContentType,
@@ -368,6 +360,7 @@ async fn aggregation_job_mutation_aggregation_job() {
 
     let response = put_aggregation_job(
         &test_case.task,
+        &test_case.aggregator_auth_token,
         &test_case.aggregation_job_id,
         &mutated_aggregation_job_init_req,
         &test_case.handler,
@@ -407,6 +400,7 @@ async fn aggregation_job_mutation_report_shares() {
         );
         let response = put_aggregation_job(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &mutated_aggregation_job_init_req,
             &test_case.handler,
@@ -446,6 +440,7 @@ async fn aggregation_job_mutation_report_aggregations() {
 
     let response = put_aggregation_job(
         &test_case.task,
+        &test_case.aggregator_auth_token,
         &test_case.aggregation_job_id,
         &mutated_aggregation_job_init_req,
         &test_case.handler,
@@ -462,6 +457,7 @@ async fn aggregation_job_init_two_step_vdaf_idempotence() {
     // Send the aggregation job init request again. We should get an identical response back.
     let mut response = put_aggregation_job(
         &test_case.task,
+        &test_case.aggregator_auth_token,
         &test_case.aggregation_job_id,
         &test_case.aggregation_job_init_req,
         &test_case.handler,
@@ -487,11 +483,7 @@ async fn aggregation_job_init_wrong_query() {
         test_case.prepare_inits,
     );
 
-    let (header, value) = test_case
-        .task
-        .aggregator_auth_token()
-        .unwrap()
-        .request_authentication();
+    let (header, value) = test_case.aggregator_auth_token.request_authentication();
 
     let mut response = put(test_case
         .task
diff --git a/aggregator/src/aggregator/aggregation_job_continue.rs b/aggregator/src/aggregator/aggregation_job_continue.rs
index aff1a5e5c..88421b526 100644
--- a/aggregator/src/aggregator/aggregation_job_continue.rs
+++ b/aggregator/src/aggregator/aggregation_job_continue.rs
@@ -290,6 +290,7 @@ impl VdafOps {
 pub mod test_util {
     use crate::aggregator::http_handlers::test_util::{decode_response_body, take_problem_details};
     use janus_aggregator_core::task::Task;
+    use janus_core::auth_tokens::AuthenticationToken;
     use janus_messages::{AggregationJobContinueReq, AggregationJobId, AggregationJobResp};
     use prio::codec::Encode;
     use serde_json::json;
@@ -298,14 +299,12 @@ pub mod test_util {
 
     async fn post_aggregation_job(
         task: &Task,
+        aggregator_auth_token: &AuthenticationToken,
         aggregation_job_id: &AggregationJobId,
         request: &AggregationJobContinueReq,
         handler: &impl Handler,
     ) -> TestConn {
-        let (header, value) = task
-            .aggregator_auth_token()
-            .unwrap()
-            .request_authentication();
+        let (header, value) = aggregator_auth_token.request_authentication();
         post(task.aggregation_job_uri(aggregation_job_id).unwrap().path())
             .with_request_header(header, value)
             .with_request_header(
@@ -319,11 +318,19 @@ pub mod test_util {
 
     pub async fn post_aggregation_job_and_decode(
         task: &Task,
+        aggregator_auth_token: &AuthenticationToken,
         aggregation_job_id: &AggregationJobId,
         request: &AggregationJobContinueReq,
         handler: &impl Handler,
     ) -> AggregationJobResp {
-        let mut test_conn = post_aggregation_job(task, aggregation_job_id, request, handler).await;
+        let mut test_conn = post_aggregation_job(
+            task,
+            aggregator_auth_token,
+            aggregation_job_id,
+            request,
+            handler,
+        )
+        .await;
 
         assert_eq!(test_conn.status(), Some(Status::Ok));
         assert_headers!(&test_conn, "content-type" => (AggregationJobResp::MEDIA_TYPE));
@@ -332,12 +339,20 @@ pub mod test_util {
 
     pub async fn post_aggregation_job_expecting_status(
         task: &Task,
+        aggregator_auth_token: &AuthenticationToken,
         aggregation_job_id: &AggregationJobId,
         request: &AggregationJobContinueReq,
         handler: &impl Handler,
         want_status: Status,
     ) -> TestConn {
-        let test_conn = post_aggregation_job(task, aggregation_job_id, request, handler).await;
+        let test_conn = post_aggregation_job(
+            task,
+            aggregator_auth_token,
+            aggregation_job_id,
+            request,
+            handler,
+        )
+        .await;
 
         assert_eq!(want_status, test_conn.status().unwrap());
 
@@ -346,6 +361,7 @@ pub mod test_util {
 
     pub async fn post_aggregation_job_expecting_error(
         task: &Task,
+        aggregator_auth_token: &AuthenticationToken,
         aggregation_job_id: &AggregationJobId,
         request: &AggregationJobContinueReq,
         handler: &impl Handler,
@@ -355,6 +371,7 @@ pub mod test_util {
     ) {
         let mut test_conn = post_aggregation_job_expecting_status(
             task,
+            aggregator_auth_token,
             aggregation_job_id,
             request,
             handler,
@@ -397,6 +414,7 @@ mod tests {
         test_util::noop_meter,
     };
     use janus_core::{
+        auth_tokens::AuthenticationToken,
         task::{VdafInstance, VERIFY_KEY_LENGTH},
         test_util::install_test_trace_subscriber,
         time::{IntervalExt, MockClock},
@@ -422,6 +440,7 @@ mod tests {
         V: Aggregator<VERIFY_KEY_LENGTH, 16>,
     > {
         task: Task,
+        aggregator_auth_token: AuthenticationToken,
         datastore: Arc<Datastore<MockClock>>,
         prepare_init_generator: PrepareInitGenerator<VERIFY_KEY_LENGTH, V>,
         aggregation_job_id: AggregationJobId,
@@ -439,12 +458,12 @@ mod tests {
         install_test_trace_subscriber();
 
         let aggregation_job_id = random();
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let clock = MockClock::default();
         let ephemeral_datastore = ephemeral_datastore().await;
         let meter = noop_meter();
@@ -539,6 +558,7 @@ mod tests {
 
         AggregationJobContinueTestCase {
             task,
+            aggregator_auth_token,
             datastore,
             prepare_init_generator,
             aggregation_job_id,
@@ -557,6 +577,7 @@ mod tests {
 
         let first_continue_response = post_aggregation_job_and_decode(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &test_case.first_continue_request,
             &test_case.handler,
@@ -593,6 +614,7 @@ mod tests {
 
         post_aggregation_job_expecting_error(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &step_zero_request,
             &test_case.handler,
@@ -611,6 +633,7 @@ mod tests {
         // helper should send back the exact same response.
         let second_continue_resp = post_aggregation_job_and_decode(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &test_case.first_continue_request,
             &test_case.handler,
@@ -682,6 +705,7 @@ mod tests {
 
         let _ = post_aggregation_job_expecting_status(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &modified_request,
             &test_case.handler,
@@ -764,6 +788,7 @@ mod tests {
 
         post_aggregation_job_expecting_error(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &past_step_request,
             &test_case.handler,
@@ -787,6 +812,7 @@ mod tests {
 
         post_aggregation_job_expecting_error(
             &test_case.task,
+            &test_case.aggregator_auth_token,
             &test_case.aggregation_job_id,
             &future_step_request,
             &test_case.handler,
diff --git a/aggregator/src/aggregator/http_handlers.rs b/aggregator/src/aggregator/http_handlers.rs
index 647eac5ef..37d3d7e54 100644
--- a/aggregator/src/aggregator/http_handlers.rs
+++ b/aggregator/src/aggregator/http_handlers.rs
@@ -1385,8 +1385,14 @@ mod tests {
         );
         let aggregation_job_id: AggregationJobId = random();
 
-        let mut test_conn =
-            put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+        let mut test_conn = put_aggregation_job(
+            &task,
+            task.aggregator_auth_token().unwrap(),
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert!(!test_conn.status().unwrap().is_success());
 
         let problem_details = take_problem_details(&mut test_conn).await;
@@ -1500,8 +1506,9 @@ mod tests {
     async fn aggregate_init() {
         let (clock, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
-        let task =
-            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper).build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .build_yielding_aggregator_auth_token();
 
         let vdaf = dummy_vdaf::Vdaf::new();
         let verify_key: VerifyKey<0> = task.vdaf_verify_key().unwrap();
@@ -1799,8 +1806,14 @@ mod tests {
         // Send request, parse response. Do this twice to prove that the request is idempotent.
         let aggregation_job_id: AggregationJobId = random();
         for _ in 0..2 {
-            let mut test_conn =
-                put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+            let mut test_conn = put_aggregation_job(
+                &task,
+                &aggregator_auth_token,
+                &aggregation_job_id,
+                &request,
+                &handler,
+            )
+            .await;
             assert_eq!(test_conn.status(), Some(Status::Ok));
             assert_headers!(
                 &test_conn,
@@ -1944,8 +1957,9 @@ mod tests {
     async fn aggregate_init_with_reports_encrypted_by_global_key() {
         let (clock, _ephemeral_datastore, datastore, _) = setup_http_handler_test().await;
 
-        let task =
-            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper).build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .build_yielding_aggregator_auth_token();
         datastore.put_task(&task).await.unwrap();
         let vdaf = dummy_vdaf::Vdaf::new();
         let aggregation_param = dummy_vdaf::AggregationParam(0);
@@ -2114,8 +2128,14 @@ mod tests {
             ]),
         );
 
-        let mut test_conn =
-            put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+        let mut test_conn = put_aggregation_job(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert_eq!(test_conn.status(), Some(Status::Ok));
         let aggregate_resp: AggregationJobResp = decode_response_body(&mut test_conn).await;
 
@@ -2199,8 +2219,14 @@ mod tests {
             Vec::from([mutated_timestamp_prepare_init.clone()]),
         );
 
-        let mut test_conn =
-            put_aggregation_job(&test_case.task, &random(), &request, &test_case.handler).await;
+        let mut test_conn = put_aggregation_job(
+            &test_case.task,
+            &test_case.aggregator_auth_token,
+            &random(),
+            &request,
+            &test_case.handler,
+        )
+        .await;
         assert_eq!(test_conn.status(), Some(Status::Ok));
         let aggregate_resp: AggregationJobResp = decode_response_body(&mut test_conn).await;
 
@@ -2248,12 +2274,12 @@ mod tests {
     async fn aggregate_init_prep_init_failed() {
         let (clock, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::FakeFailsPrepInit,
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let prep_init_generator = PrepareInitGenerator::new(
             clock.clone(),
             task.clone(),
@@ -2272,8 +2298,14 @@ mod tests {
 
         // Send request, and parse response.
         let aggregation_job_id: AggregationJobId = random();
-        let mut test_conn =
-            put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+        let mut test_conn = put_aggregation_job(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert_eq!(test_conn.status(), Some(Status::Ok));
         assert_headers!(
             &test_conn,
@@ -2299,12 +2331,12 @@ mod tests {
     async fn aggregate_init_prep_step_failed() {
         let (clock, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::FakeFailsPrepStep,
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let prep_init_generator = PrepareInitGenerator::new(
             clock.clone(),
             task.clone(),
@@ -2322,8 +2354,14 @@ mod tests {
         );
 
         let aggregation_job_id: AggregationJobId = random();
-        let mut test_conn =
-            put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+        let mut test_conn = put_aggregation_job(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert_eq!(test_conn.status(), Some(Status::Ok));
         assert_headers!(
             &test_conn,
@@ -2349,8 +2387,9 @@ mod tests {
     async fn aggregate_init_duplicated_report_id() {
         let (clock, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
-        let task =
-            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper).build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .build_yielding_aggregator_auth_token();
         let prep_init_generator = PrepareInitGenerator::new(
             clock.clone(),
             task.clone(),
@@ -2369,8 +2408,14 @@ mod tests {
         );
         let aggregation_job_id: AggregationJobId = random();
 
-        let mut test_conn =
-            put_aggregation_job(&task, &aggregation_job_id, &request, &handler).await;
+        let mut test_conn = put_aggregation_job(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
 
         let want_status = 400;
         assert_eq!(
@@ -2390,12 +2435,12 @@ mod tests {
         let (clock, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         let aggregation_job_id = random();
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
 
         let vdaf = Arc::new(Poplar1::<XofShake128, 16>::new(1));
         let verify_key: VerifyKey<VERIFY_KEY_LENGTH> = task.vdaf_verify_key().unwrap();
@@ -2595,8 +2640,14 @@ mod tests {
         );
 
         // Send request, and parse response.
-        let aggregate_resp =
-            post_aggregation_job_and_decode(&task, &aggregation_job_id, &request, &handler).await;
+        let aggregate_resp = post_aggregation_job_and_decode(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
 
         // Validate response.
         assert_eq!(
@@ -2696,12 +2747,12 @@ mod tests {
     async fn aggregate_continue_accumulate_batch_aggregation() {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let aggregation_job_id_0 = random();
         let aggregation_job_id_1 = random();
         let first_batch_interval_clock = MockClock::default();
@@ -2950,8 +3001,14 @@ mod tests {
         );
 
         // Send request, and parse response.
-        let _ =
-            post_aggregation_job_and_decode(&task, &aggregation_job_id_0, &request, &handler).await;
+        let _ = post_aggregation_job_and_decode(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id_0,
+            &request,
+            &handler,
+        )
+        .await;
 
         // Map the batch aggregation ordinal value to 0, as it may vary due to sharding.
         let first_batch_got_batch_aggregations: Vec<_> = datastore
@@ -3251,8 +3308,14 @@ mod tests {
             ]),
         );
 
-        let _ =
-            post_aggregation_job_and_decode(&task, &aggregation_job_id_1, &request, &handler).await;
+        let _ = post_aggregation_job_and_decode(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id_1,
+            &request,
+            &handler,
+        )
+        .await;
 
         // Map the batch aggregation ordinal value to 0, as it may vary due to sharding, and merge
         // batch aggregations over the same interval. (the task & aggregation parameter will always
@@ -3387,12 +3450,12 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         // Prepare parameters.
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let report_id = random();
         let aggregation_param = Poplar1AggregationParam::try_from_prefixes(Vec::from([
             IdpfInput::from_bools(&[false]),
@@ -3484,8 +3547,14 @@ mod tests {
             )]),
         );
 
-        let resp =
-            post_aggregation_job_and_decode(&task, &aggregation_job_id, &request, &handler).await;
+        let resp = post_aggregation_job_and_decode(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert_eq!(resp.prepare_resps().len(), 1);
         assert_eq!(
             resp.prepare_resps()[0],
@@ -3501,12 +3570,12 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         // Prepare parameters.
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let vdaf = Poplar1::new_shake128(1);
         let report_id = random();
         let aggregation_param = Poplar1AggregationParam::try_from_prefixes(Vec::from([
@@ -3593,8 +3662,14 @@ mod tests {
             )]),
         );
 
-        let aggregate_resp =
-            post_aggregation_job_and_decode(&task, &aggregation_job_id, &request, &handler).await;
+        let aggregate_resp = post_aggregation_job_and_decode(
+            &task,
+            &aggregator_auth_token,
+            &aggregation_job_id,
+            &request,
+            &handler,
+        )
+        .await;
         assert_eq!(
             aggregate_resp,
             AggregationJobResp::new(Vec::from([PrepareResp::new(
@@ -3671,12 +3746,12 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         // Prepare parameters.
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let report_id = random();
         let aggregation_param = Poplar1AggregationParam::try_from_prefixes(Vec::from([
             IdpfInput::from_bools(&[false]),
@@ -3769,6 +3844,7 @@ mod tests {
 
         post_aggregation_job_expecting_error(
             &task,
+            &aggregator_auth_token,
             &aggregation_job_id,
             &request,
             &handler,
@@ -3784,12 +3860,12 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         // Prepare parameters.
-        let task = TaskBuilder::new(
+        let (task, aggregator_auth_token) = TaskBuilder::new(
             QueryType::TimeInterval,
             VdafInstance::Poplar1 { bits: 1 },
             Role::Helper,
         )
-        .build();
+        .build_yielding_aggregator_auth_token();
         let report_id_0 = random();
         let aggregation_param = Poplar1AggregationParam::try_from_prefixes(Vec::from([
             IdpfInput::from_bools(&[false]),
@@ -3941,6 +4017,7 @@ mod tests {
         );
         post_aggregation_job_expecting_error(
             &task,
+            &aggregator_auth_token,
             &aggregation_job_id,
             &request,
             &handler,
@@ -3956,8 +4033,9 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         // Prepare parameters.
-        let task =
-            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper).build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .build_yielding_aggregator_auth_token();
         let aggregation_job_id = random();
         let report_metadata = ReportMetadata::new(
             ReportId::from([1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16]),
@@ -4027,6 +4105,7 @@ mod tests {
         );
         post_aggregation_job_expecting_error(
             &task,
+            &aggregator_auth_token,
             &aggregation_job_id,
             &request,
             &handler,
@@ -4793,9 +4872,10 @@ mod tests {
 
         // Prepare parameters.
         const REPORT_EXPIRY_AGE: Duration = Duration::from_seconds(3600);
-        let task = TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
-            .with_report_expiry_age(Some(REPORT_EXPIRY_AGE))
-            .build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .with_report_expiry_age(Some(REPORT_EXPIRY_AGE))
+                .build_yielding_aggregator_auth_token();
         datastore.put_task(&task).await.unwrap();
 
         let request = AggregateShareReq::new(
@@ -4812,10 +4892,7 @@ mod tests {
             ReportIdChecksum::default(),
         );
 
-        let (header, value) = task
-            .aggregator_auth_token()
-            .unwrap()
-            .request_authentication();
+        let (header, value) = aggregator_auth_token.request_authentication();
 
         // Test that a request for an invalid batch fails. (Specifically, the batch interval is too
         // small.)
@@ -4870,12 +4947,13 @@ mod tests {
         let (_, _ephemeral_datastore, datastore, handler) = setup_http_handler_test().await;
 
         let collector_hpke_keypair = generate_test_hpke_config_and_private_key();
-        let task = TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
-            .with_max_batch_query_count(1)
-            .with_time_precision(Duration::from_seconds(500))
-            .with_min_batch_size(10)
-            .with_collector_hpke_config(collector_hpke_keypair.config().clone())
-            .build();
+        let (task, aggregator_auth_token) =
+            TaskBuilder::new(QueryType::TimeInterval, VdafInstance::Fake, Role::Helper)
+                .with_max_batch_query_count(1)
+                .with_time_precision(Duration::from_seconds(500))
+                .with_min_batch_size(10)
+                .with_collector_hpke_config(collector_hpke_keypair.config().clone())
+                .build_yielding_aggregator_auth_token();
         datastore.put_task(&task).await.unwrap();
 
         // There are no batch aggregations in the datastore yet
@@ -4888,10 +4966,7 @@ mod tests {
             ReportIdChecksum::default(),
         );
 
-        let (header, value) = task
-            .aggregator_auth_token()
-            .unwrap()
-            .request_authentication();
+        let (header, value) = aggregator_auth_token.request_authentication();
 
         let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
             .with_request_header(header, value)
@@ -5075,10 +5150,7 @@ mod tests {
             5,
             ReportIdChecksum::default(),
         );
-        let (header, value) = task
-            .aggregator_auth_token()
-            .unwrap()
-            .request_authentication();
+        let (header, value) = aggregator_auth_token.request_authentication();
         let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
             .with_request_header(header, value)
             .with_request_header(
@@ -5129,10 +5201,7 @@ mod tests {
                 ReportIdChecksum::get_decoded(&[4 ^ 8; 32]).unwrap(),
             ),
         ] {
-            let (header, value) = task
-                .aggregator_auth_token()
-                .unwrap()
-                .request_authentication();
+            let (header, value) = aggregator_auth_token.request_authentication();
             let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
                 .with_request_header(header, value)
                 .with_request_header(
@@ -5195,10 +5264,7 @@ mod tests {
             // Request the aggregate share multiple times. If the request parameters don't change,
             // then there is no query count violation and all requests should succeed.
             for iteration in 0..3 {
-                let (header, value) = task
-                    .aggregator_auth_token()
-                    .unwrap()
-                    .request_authentication();
+                let (header, value) = aggregator_auth_token.request_authentication();
                 let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
                     .with_request_header(header, value)
                     .with_request_header(
@@ -5263,10 +5329,7 @@ mod tests {
             20,
             ReportIdChecksum::get_decoded(&[8 ^ 4 ^ 3 ^ 2; 32]).unwrap(),
         );
-        let (header, value) = task
-            .aggregator_auth_token()
-            .unwrap()
-            .request_authentication();
+        let (header, value) = aggregator_auth_token.request_authentication();
         let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
             .with_request_header(header, value)
             .with_request_header(
@@ -5315,10 +5378,7 @@ mod tests {
                 ReportIdChecksum::get_decoded(&[4 ^ 8; 32]).unwrap(),
             ),
         ] {
-            let (header, value) = task
-                .aggregator_auth_token()
-                .unwrap()
-                .request_authentication();
+            let (header, value) = aggregator_auth_token.request_authentication();
             let mut test_conn = post(task.aggregate_shares_uri().unwrap().path())
                 .with_request_header(header, value)
                 .with_request_header(
diff --git a/aggregator/src/bin/janus_cli.rs b/aggregator/src/bin/janus_cli.rs
index f69597d8b..81d0975c9 100644
--- a/aggregator/src/bin/janus_cli.rs
+++ b/aggregator/src/bin/janus_cli.rs
@@ -735,6 +735,8 @@ mod tests {
     aead_id: Aes128Gcm
     public_key: 8lAqZ7OfNV2Gi_9cNE6J9WRmPbO-k1UPtu2Bztd0-yc
   aggregator_auth_token:
+    type: "DapAuth"
+    token: "YWdncmVnYXRvci0yMzUyNDJmOTk0MDZjNGZkMjhiODIwYzMyZWFiMGY2OA"
   collector_auth_token:
   hpke_keys: []
 - leader_aggregator_endpoint: https://leader
@@ -756,7 +758,9 @@ mod tests {
     kdf_id: HkdfSha256
     aead_id: Aes128Gcm
     public_key: 8lAqZ7OfNV2Gi_9cNE6J9WRmPbO-k1UPtu2Bztd0-yc
-  aggregator_auth_token:
+  aggregator_auth_token_hash:
+    type: "Bearer"
+    hash: "MJOoBO_ysLEuG_lv2C37eEOf1Ngetsr-Ers0ZYj4vdQ"
   collector_auth_token:
   hpke_keys: []
 "#;
diff --git a/aggregator_core/src/task.rs b/aggregator_core/src/task.rs
index 07df2bd42..11ae18c4e 100644
--- a/aggregator_core/src/task.rs
+++ b/aggregator_core/src/task.rs
@@ -420,6 +420,18 @@ impl Task {
         }
     }
 
+    /// Checks if the given collector authentication token is valid (i.e. its hash is equal to this
+    /// task's aggregator auth token hash).
+    pub fn check_aggregator_auth_token(&self, auth_token: Option<&AuthenticationToken>) -> bool {
+        // Technically we _could_ validate incoming auth tokens against self.aggregator_auth_token,
+        // but that value is only set for leader tasks, and the leader should never receive
+        // aggregation protocol requests, only make them.
+        match (auth_token, self.aggregator_auth_token_hash()) {
+            (Some(auth_token), Some(token_hash)) => token_hash.validate(auth_token),
+            _ => false,
+        }
+    }
+
     /// Checks if the given collector authentication token is valid (i.e. matches with an
     /// authentication token recognized by this task).
     pub fn check_collector_auth_token(&self, auth_token: &AuthenticationToken) -> bool {
diff --git a/integration_tests/src/daphne.rs b/integration_tests/src/daphne.rs
index 98688dca6..82bbb956e 100644
--- a/integration_tests/src/daphne.rs
+++ b/integration_tests/src/daphne.rs
@@ -1,11 +1,11 @@
 //! Functionality for tests interacting with Daphne (<https://github.com/cloudflare/daphne>).
 
 use crate::interop_api;
-use janus_aggregator_core::task::{test_util::TaskBuilder, Task};
+use janus_aggregator_core::task::Task;
 use janus_interop_binaries::{
     test_util::await_http_server, ContainerLogsDropGuard, ContainerLogsSource,
 };
-use janus_messages::{Role, Time};
+use janus_messages::Role;
 use testcontainers::{clients::Cli, images::generic::GenericImage, RunnableImage};
 
 const DAPHNE_HELPER_IMAGE_NAME_AND_TAG: &str = "cloudflare/daphne-worker-helper:sha-f6b3ef1";
@@ -44,18 +44,8 @@ impl<'a> Daphne<'a> {
         // Wait for Daphne container to begin listening on the port.
         await_http_server(port).await;
 
-        // Daphne does not support unset task expiration values. Work around this by specifying an
-        // arbitrary, far-future task expiration time, instead.
-        let task = if task.task_expiration().is_none() {
-            TaskBuilder::from(task.clone())
-                .with_task_expiration(Some(Time::from_seconds_since_epoch(2000000000)))
-                .build()
-        } else {
-            task.clone()
-        };
-
         // Write the given task to the Daphne instance we started.
-        interop_api::aggregator_add_task(port, task).await;
+        interop_api::aggregator_add_task(port, task.clone()).await;
 
         Self { daphne_container }
     }
diff --git a/interop_binaries/src/bin/janus_interop_aggregator.rs b/interop_binaries/src/bin/janus_interop_aggregator.rs
index 2785abfbd..4f3f5b28a 100644
--- a/interop_binaries/src/bin/janus_interop_aggregator.rs
+++ b/interop_binaries/src/bin/janus_interop_aggregator.rs
@@ -11,12 +11,15 @@ use janus_aggregator_core::{
     task::{self, Task},
     SecretBytes,
 };
-use janus_core::{auth_tokens::AuthenticationToken, time::RealClock};
+use janus_core::{
+    auth_tokens::{AuthenticationToken, AuthenticationTokenHash},
+    time::RealClock,
+};
 use janus_interop_binaries::{
     status::{ERROR, SUCCESS},
     AddTaskResponse, AggregatorAddTaskRequest, AggregatorRole, HpkeConfigRegistry, Keyring,
 };
-use janus_messages::{Duration, HpkeConfig, Time};
+use janus_messages::{Duration, HpkeConfig, Role, Time};
 use opentelemetry::metrics::Meter;
 use prio::codec::Decode;
 use serde::{Deserialize, Serialize};
@@ -38,6 +41,7 @@ async fn handle_add_task(
     keyring: &Mutex<HpkeConfigRegistry>,
     request: AggregatorAddTaskRequest,
 ) -> anyhow::Result<()> {
+    let role = request.role.into();
     let vdaf = request.vdaf.into();
     let leader_authentication_token =
         AuthenticationToken::new_dap_auth_token_from_string(request.leader_authentication_token)
@@ -90,7 +94,7 @@ async fn handle_add_task(
         request.helper,
         query_type,
         vdaf,
-        request.role.into(),
+        role,
         vdaf_verify_key,
         request.max_batch_query_count,
         request.task_expiration.map(Time::from_seconds_since_epoch),
@@ -101,7 +105,16 @@ async fn handle_add_task(
         // other aggregators running on the same host.
         Duration::from_seconds(1),
         collector_hpke_config,
-        Some(leader_authentication_token),
+        if role == Role::Leader {
+            None
+        } else {
+            Some(AuthenticationTokenHash::from(&leader_authentication_token))
+        },
+        if role == Role::Leader {
+            Some(leader_authentication_token)
+        } else {
+            None
+        },
         collector_authentication_token,
         [hpke_keypair],
     )

From b135a4aa864e5f005cc3fcac4945c12ebb7e8a66 Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Mon, 25 Sep 2023 09:38:36 -0700
Subject: [PATCH 5/6] wip

---
 aggregator_core/src/task.rs           | 28 +++++++++++++++++----------
 integration_tests/src/janus.rs        |  1 +
 integration_tests/tests/common/mod.rs |  3 +++
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/aggregator_core/src/task.rs b/aggregator_core/src/task.rs
index 11ae18c4e..544fb47b0 100644
--- a/aggregator_core/src/task.rs
+++ b/aggregator_core/src/task.rs
@@ -868,16 +868,24 @@ pub mod test_util {
             aggregator_auth_token: AuthenticationToken,
         ) -> Self {
             let task = match self.task.role {
-                Role::Leader => Task {
-                    aggregator_auth_token: Some(aggregator_auth_token.clone()),
-                    ..self.task
-                },
-                Role::Helper => Task {
-                    aggregator_auth_token_hash: Some(AuthenticationTokenHash::from(
-                        &aggregator_auth_token,
-                    )),
-                    ..self.task
-                },
+                Role::Leader => {
+                    println!("plugging in auth token as leader");
+                    Task {
+                        aggregator_auth_token: Some(aggregator_auth_token.clone()),
+                        aggregator_auth_token_hash: None,
+                        ..self.task
+                    }
+                }
+                Role::Helper => {
+                    println!("plugging in auth token hash as helper");
+                    Task {
+                        aggregator_auth_token: None,
+                        aggregator_auth_token_hash: Some(AuthenticationTokenHash::from(
+                            &aggregator_auth_token,
+                        )),
+                        ..self.task
+                    }
+                }
                 _ => panic!("illegal role"),
             };
             Self {
diff --git a/integration_tests/src/janus.rs b/integration_tests/src/janus.rs
index b9677e8e1..5757d9ab1 100644
--- a/integration_tests/src/janus.rs
+++ b/integration_tests/src/janus.rs
@@ -35,6 +35,7 @@ impl<'a> Janus<'a> {
         // Wait for the container to start listening on its port.
         await_http_server(port).await;
 
+        println!("starting {} aggregator", task.role());
         // Write the given task to the Janus instance we started.
         interop_api::aggregator_add_task(port, task.clone()).await;
 
diff --git a/integration_tests/tests/common/mod.rs b/integration_tests/tests/common/mod.rs
index a4a8b63c2..623e72594 100644
--- a/integration_tests/tests/common/mod.rs
+++ b/integration_tests/tests/common/mod.rs
@@ -52,6 +52,9 @@ pub fn test_task_builders(
     let helper_task = leader_task
         .clone()
         .with_role(Role::Helper)
+        // Reset the aggregator auth token after changing the role so that the
+        // token _hash_ will be stored.
+        .with_aggregator_auth_token(leader_task.aggregator_auth_token().clone())
         .with_collector_auth_token(None);
     let temporary_task = leader_task.clone().build();
     let task_parameters = TaskParameters {

From 5157617596207d105d2155eb144fd1b094a1f4fc Mon Sep 17 00:00:00 2001
From: Tim Geoghegan <timg@divviup.org>
Date: Mon, 25 Sep 2023 10:00:42 -0700
Subject: [PATCH 6/6] rm printlns

---
 aggregator_core/src/datastore/tests.rs | 1 -
 integration_tests/src/janus.rs         | 1 -
 2 files changed, 2 deletions(-)

diff --git a/aggregator_core/src/datastore/tests.rs b/aggregator_core/src/datastore/tests.rs
index d5fc897ca..bcd88abef 100644
--- a/aggregator_core/src/datastore/tests.rs
+++ b/aggregator_core/src/datastore/tests.rs
@@ -166,7 +166,6 @@ async fn roundtrip_task(ephemeral_datastore: EphemeralDatastore) {
             .unwrap();
         assert_eq!(None, retrieved_task);
 
-        println!("test case {task:?}");
         ds.put_task(&task).await.unwrap();
 
         let retrieved_task = ds
diff --git a/integration_tests/src/janus.rs b/integration_tests/src/janus.rs
index 5757d9ab1..b9677e8e1 100644
--- a/integration_tests/src/janus.rs
+++ b/integration_tests/src/janus.rs
@@ -35,7 +35,6 @@ impl<'a> Janus<'a> {
         // Wait for the container to start listening on its port.
         await_http_server(port).await;
 
-        println!("starting {} aggregator", task.role());
         // Write the given task to the Janus instance we started.
         interop_api::aggregator_add_task(port, task.clone()).await;