Module extract

The single credential-extraction pipeline shared by every request boundary.

Order of precedence:

  1. Authorization: Bearer <token> header (decoded as an access JWT).
  2. HMAC-signed JWT cookie (CookieService) — same decode_access path, so the security properties are identical to the Bearer path.
  3. Server-side session (SessionManager) — loaded independently of claims; a request can carry both a JWT identity and a mutable session.

HTTP boundary, plugin routes, and the WebSocket handshake all call into this module, so a security fix or a new credential source lands everywhere at once — there is deliberately no second copy of this logic anywhere.

Structs

AuthExtraction
Everything the boundaries need to authenticate one request.

Functions

extract_auth
Extract claims and load the server-side session.
extract_claims
Extract JWT claims only (Bearer → signed-cookie fallback).
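
The precedence order described above, as an added sketch that is not this crate's own code. The signatures, the Claims field, the access and sid cookie names, demo_decode and the HashMap session store are all assumptions, as is the choice to reject an invalid Bearer token rather than fall back to the cookie.

```rust
use std::collections::HashMap;

type Headers = HashMap<String, String>; // lower-cased header names (assumption)

#[derive(Debug, Clone, PartialEq)]
pub struct Claims { pub sub: String } // hypothetical claim set
#[derive(Debug, PartialEq)]
pub struct AuthExtraction { pub claims: Option<Claims>, pub session: Option<String> }

/// Constructed stand-in for the shared access-JWT decoder: accepts "ok.<sub>".
/// A real decoder verifies the signature and expiry; this one does not.
pub fn demo_decode(token: &str) -> Option<Claims> {
    token.strip_prefix("ok.").map(|s| Claims { sub: s.to_string() })
}

fn bearer_token(h: &Headers) -> Option<&str> {
    let (scheme, token) = h.get("authorization")?.split_once(' ')?;
    let token = token.trim();
    (scheme.eq_ignore_ascii_case("bearer") && !token.is_empty()).then_some(token)
}

fn cookie_value<'a>(h: &'a Headers, name: &str) -> Option<&'a str> {
    h.get("cookie")?.split(';').find_map(|pair| {
        let (k, v) = pair.trim().split_once('=')?;
        (k == name).then_some(v)
    })
}

/// Bearer first, then the cookie; both sources go through the same `decode`.
pub fn extract_claims(h: &Headers, decode: &dyn Fn(&str) -> Option<Claims>) -> Option<Claims> {
    match bearer_token(h) {
        // Assumption: a present-but-invalid Bearer token does not fall through to the cookie.
        Some(token) => decode(token),
        None => cookie_value(h, "access").and_then(|t| decode(t)),
    }
}

/// The session is looked up on its own, whether or not claims were found.
pub fn extract_auth(h: &Headers, decode: &dyn Fn(&str) -> Option<Claims>,
                    sessions: &HashMap<String, String>) -> AuthExtraction {
    let session = cookie_value(h, "sid").and_then(|id| sessions.get(id).cloned());
    AuthExtraction { claims: extract_claims(h, decode), session }
}

fn main() {
    let h: Headers = [("cookie".to_string(), "access=ok.alice; sid=s1".to_string())].into();
    let sessions: HashMap<String, String> = [("s1".to_string(), "cart=3".to_string())].into();
    println!("{:?}", extract_auth(&h, &demo_decode, &sessions));
}
```

Because every boundary would call the same two functions, a change to the decoder or to the fall-through rule takes effect for HTTP, plugin routes and the WebSocket handshake together.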