Expand description
Identity & Access — JWT, signed cookies, server-side sessions, OAuth2, guards.
| Submodule | Responsibility |
|---|---|
jwt | Sign / decode / validate JSON Web Tokens (JwtService) |
cookie | HMAC-SHA256 signed cookies (CookieService) |
session | Server-side session store abstraction (SessionManager) |
oauth | OAuth2 Authorization Code + PKCE provider trait |
guards | Request guards (JwtAuthGuard, RoleGuard, …) |
extract | The single credential-extraction pipeline used by every |
| request boundary (HTTP, plugin routes, WebSocket handshake) |
Modules§
- cookie
- HTTP cookie signing and extraction via HMAC-SHA256.
- extract
- The single credential-extraction pipeline shared by every request boundary.
- guards
- Request guards — composable preconditions evaluated before a handler runs.
- jwt
- JWT authentication service — sign, decode, and validate JSON Web Tokens.
- oauth
- OAuth 2.0 provider abstraction.
- policy
- Attribute-Based Access Control (ABAC) policy engine — hot-reloadable, default-deny, zero locks on the request path.
- secrets
- Hot-rotating secrets without restarts and without locks.
- session
- Server-side session store abstraction.
Structs§
- Cnf
- The
cnf(confirmation) claim body — currently only the JWK thumbprint. - JwtConfig
- JwtService
- Signs and validates JWTs. Provide this into the DI container so the framework
boundaries (
boundary.rs,ws.rs) can auto-populateRequestContext::claims()on every incoming request. - JwtSign
Error - Configuration for
JwtService. Build once at startup and provide via DI. Token signing failed — malformed key material (typically a bad rotation payload). Map to a 500 at the route; the process must keep serving.
Functions§
- decode_
bearer_ token - Extract and decode an access Bearer token from request headers.