Expand description
The single credential-extraction pipeline shared by every request boundary.
Order of precedence:
Authorization: Bearer <token>header (decoded as an access JWT).- HMAC-signed JWT cookie (
CookieService) — samedecode_accesspath, so the security properties are identical to the Bearer path. - Server-side session (
SessionManager) — loaded independently of claims; a request can carry both a JWT identity and a mutable session.
WebSocket handshakes add one more source after the header and cookie —
?access_token=<jwt> (extract_claims_ws) — because the browser
WebSocket API cannot send headers. It is not offered to the HTTP boundary,
where URL-borne tokens would leak into logs.
HTTP boundary, plugin routes, and the WebSocket handshake all call into this module, so a security fix or a new credential source lands everywhere at once — there is deliberately no second copy of this logic anywhere.
Structs§
- Auth
Extraction - Everything the boundaries need to authenticate one request.
Functions§
- extract_
auth - Extract claims and load the server-side session.
- extract_
claims - Extract JWT claims only (Bearer → signed-cookie fallback).
- extract_
claims_ ws - Extract claims at a WebSocket handshake: the same Bearer → signed-cookie
chain as everywhere else, plus
?access_token=<jwt>as a last resort.