HTTP cookie signing and extraction via HMAC-SHA256.
CookieService signs cookie values as {value}.{base64_hmac} so that a
tampered cookie is rejected before the JWT inside it is decoded. A signed
cookie that carries a JWT access token lets browser clients authenticate
without storing tokens in localStorage.
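An added Python illustration of the {value}.{base64_hmac} layout described above; it is not CookieService's own code. The base64 variant (URL-safe, unpadded), the function names, and the sample secret and token are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac

def mac_b64(secret: bytes, value: str) -> str:
    """HMAC-SHA256 of value, as URL-safe unpadded base64 (encoding assumed)."""
    digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def sign(secret: bytes, value: str) -> str:
    """Build the cookie value {value}.{base64_hmac}."""
    return f"{value}.{mac_b64(secret, value)}"

def verify(secret: bytes, cookie: str):
    """Return the signed value if the MAC checks out, otherwise None."""
    # The value is a JWT and already contains dots, so the MAC is the text
    # after the LAST dot; splitting on the first dot would cut the token.
    value, dot, mac = cookie.rpartition(".")
    if not (dot and value and mac):
        return None
    expected = mac_b64(secret, value)
    # Constant-time comparison; bytes on both sides so non-ASCII input
    # cannot raise TypeError.
    if not hmac.compare_digest(expected.encode("ascii"), mac.encode("utf-8")):
        return None
    return value

# Constructed sample data (not a real secret or token).
SECRET = b"constructed-demo-secret"
JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl"
SIGNED = sign(SECRET, JWT)

if __name__ == "__main__":
    print(SIGNED)
    print(verify(SECRET, SIGNED) == JWT)      # untouched cookie
    print(verify(SECRET, "x" + SIGNED[1:]))   # edited value
    print(verify(SECRET, JWT))                # bare JWT with no MAC appended
```

A bare JWT presented as the cookie fails verification because its own third segment is read as the MAC and does not match.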
§Usage
ctx.provide(CookieService::new(CookieConfig {
    name: "arcly_auth",
    // env_or supplies the placeholder "change-in-prod" if COOKIE_SECRET is unset;
    // set COOKIE_SECRET to a strong random value in every real deployment.
    secret: env_or("COOKIE_SECRET", "change-in-prod"),
    max_age_secs: 900, // 15 minutes
    secure: true,
    http_only: true,
    same_site: SameSite::Lax,
    ..Default::default()
}));

Once provided, the HTTP boundary automatically tries to decode a JWT from
the named cookie if no Authorization: Bearer header is present.
Structs§
- CookieConfig - Configuration for CookieService. Build once at startup.
- CookieService - Signs and verifies HTTP cookie values.