Struct SecureJwtValidator 

pub struct SecureJwtValidator { /* private fields */ }

Implementations

impl SecureJwtValidator

pub fn new(config: SecureJwtConfig) -> Result<Self>

pub fn set_on_revoke<F>(&self, callback: F)

where F: Fn(&str) + Send + Sync + 'static,

Register an optional callback that is invoked with the JTI every time [revoke_token] is called.

This allows callers to persist revocations to durable storage (database, KV store, etc.) without changing the existing validation or revocation API.

Example

validator.set_on_revoke(|jti| {
    // Persist to your storage backend
    storage.insert_revoked_jti(jti);
});

pub fn get_decoding_key(&self) -> DecodingKey

Get HMAC decoding key for backward-compatible call sites.

Prefer validate which handles key selection automatically.

pub fn get_encoding_key(&self) -> EncodingKey

Get HMAC encoding key for signing JWTs.

pub fn validate(&self, token: &str) -> Result<SecureJwtClaims>

Validate a JWT, automatically selecting the key based on the token header algorithm.

This is the preferred entry point. It:

1. Decodes the JWT header to determine the claimed algorithm.
2. Rejects the token immediately if the algorithm is not in allowed_algorithms.
3. Selects the correct decoding key for the algorithm family.
4. Validates the signature and all standard claims (exp, nbf, iss, aud).
5. Performs additional checks: revocation, max lifetime, JTI presence, token type.

pub fn validate_token( &self, token: &str, decoding_key: &DecodingKey, ) -> Result<SecureJwtClaims>

Legacy validation entry point that accepts a caller-supplied decoding key.

Prefer [validate] which handles algorithm checking and key selection internally. This method still enforces the full allow-list and all claim checks.

pub fn is_token_revoked(&self, jti: &str) -> Result<bool>

Check whether jti appears in the in-memory revocation list.

This only consults the local cache. For a complete revocation check that also queries durable storage, combine this with the storage-backed lookup in the API layer (src/api/auth.rs).

pub fn revoke_token(&self, jti: &str) -> Result<()>

Revoke a token by its JTI.

The JTI is inserted into the in-memory revocation map. If an on_revoke callback has been registered, it is invoked with the JTI after the in-memory insertion, allowing durable persistence without changing this method’s signature.

Note: Without a registered on_revoke callback, revocations are volatile and will be lost on process restart.

pub fn cleanup_revoked_tokens(&self, expired_cutoff: SystemTime) -> Result<()>

Remove revoked token entries that are older than expired_cutoff.

This prevents unbounded memory growth in long-running deployments. Callers should pass a cutoff equal to now − max_token_lifetime so that every entry that could still be used by a live token is preserved, while entries that can only correspond to already-expired tokens are discarded.

An additional size cap (10,000 entries) is enforced after time-based eviction: if the map still exceeds the cap the oldest 25 % of entries are removed.

Trait Implementations

impl Debug for SecureJwtValidator

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.