Skip to main content

Module extract

Module extract 

Source
Expand description

The single credential-extraction pipeline shared by every request boundary.

Order of precedence:

  1. Authorization: Bearer <token> header (decoded as an access JWT).
  2. HMAC-signed JWT cookie (CookieService) — same decode_access path, so the security properties are identical to the Bearer path.
  3. Server-side session (SessionManager) — loaded independently of claims; a request can carry both a JWT identity and a mutable session.

WebSocket handshakes add one more source after the header and cookie — ?access_token=<jwt> (extract_claims_ws) — because the browser WebSocket API cannot send headers. It is not offered to the HTTP boundary, where URL-borne tokens would leak into logs.

HTTP boundary, plugin routes, and the WebSocket handshake all call into this module, so a security fix or a new credential source lands everywhere at once — there is deliberately no second copy of this logic anywhere.

Structs§

AuthExtraction
Everything the boundaries need to authenticate one request.

Functions§

extract_auth
Extract claims and load the server-side session.
extract_claims
Extract JWT claims only (Bearer → signed-cookie fallback).
extract_claims_ws
Extract claims at a WebSocket handshake: the same Bearer → signed-cookie chain as everywhere else, plus ?access_token=<jwt> as a last resort.