Module auth 

Mandatory authentication middleware

All endpoints except /health require a valid Bearer token. Auth cannot be disabled. If no CODETETHER_AUTH_TOKEN is set the server generates a secure random token at startup and prints it to stderr so the operator can copy it — but the gates never open without a token.

JWT support: If the Bearer token is a JWT, topic claims are extracted and stored in request extensions for use by the bus stream endpoint.

Structs

AuthState

Shared auth state.

JwtAppState

Application state that includes JWT claims for extraction in handlers.

JwtClaims

JWT claims extracted from the Bearer token for topic filtering.

JwtClaimsKey

Request extension key for JWT claims.

Functions

extract_jwt_claims

Parse a JWT token and extract claims from the payload. Returns None if the token is not a valid JWT (e.g., it’s a static token).

require_auth

Axum middleware layer that enforces Bearer token auth on every request except public paths.