pub struct AuthenticatedCaller {
pub key_id: String,
pub scopes: Vec<Scope>,
pub tenant: Tenant,
}Expand description
Populated by the FromRequestParts implementation, which validates
either an API key (aa_…) or a JWT bearer token.
Fields§
§key_id: StringThe API key ID or JWT subject that identifies this caller.
scopes: Vec<Scope>Scopes granted to this caller.
tenant: TenantThe tenant this caller is confined to for per-tenant data (AAASM-3139).
Implementations§
Source§impl AuthenticatedCaller
impl AuthenticatedCaller
Sourcepub fn can_access_team(&self, team: &str) -> bool
pub fn can_access_team(&self, team: &str) -> bool
Whether this caller may see data for team without a separate admin gate.
AAASM-3139: an admin sees every tenant; a tenant-scoped caller sees only its own team. A caller with no team scope (and no admin) sees no per-tenant data.
Sourcepub fn can_access_org(&self, org: &str) -> bool
pub fn can_access_org(&self, org: &str) -> bool
Whether this caller may see data for org without a separate admin gate.
AAASM-3483: the org-tier analogue of Self::can_access_team, used by
the topology and audit-log surfaces. An admin sees every org; a
tenant-scoped caller sees only its own org. A caller with no org scope
(and no admin) sees no per-org data.
Sourcepub fn storage_tenant_org(&self) -> Option<&str>
pub fn storage_tenant_org(&self) -> Option<&str>
The verified tenant org that scopes this caller’s storage access, if any.
AAASM-3596: this is the single, honest source for the app.tenant_id GUC
the storage layer’s Row-Level Security filters on (AAASM-3595). It is
taken only from Self::tenant — the verified JWT org_id claim or
the authenticated API-key entry — and never from a request Query,
header, or body. A client cannot redirect it by sending a different
?org_id / X-Org-Id, because nothing here reads request input.
Returns None for a caller with no tenant scope (an admin / cross-tenant
caller). Such a caller must run the storage connection with NO
app.tenant_id GUC — i.e. via a dedicated RLS-bypass admin DB role — and
must never synthesize a tenant from a client-chosen value. Feeding a
None here into the GUC seam yields a fail-closed (zero-row) connection,
not a full-table read.
Trait Implementations§
Source§impl Clone for AuthenticatedCaller
impl Clone for AuthenticatedCaller
Source§fn clone(&self) -> AuthenticatedCaller
fn clone(&self) -> AuthenticatedCaller
1.0.0 (const: unstable) · Source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source. Read more