pub fn decode_bearer_token(
headers: &HeaderMap,
container: &FrozenDiContainer,
) -> Option<Arc<Map<String, Value>>>Expand description
Extract and decode an access Bearer token from request headers.
Shared by all three request boundaries (HTTP macro routes, plugin routes, WebSocket handshake) so a security fix here applies everywhere at once.
Returns None when:
- No
JwtServiceis registered in the container. - The
Authorizationheader is absent or not valid UTF-8. - The token is missing, expired, or has an invalid signature.
- The token
"type"claim is not"access"(i.e. refresh tokens are rejected).