Enum TokenSubject 

pub enum TokenSubject {
    Anonymous,
    Authenticated(SubjectId),
    Flow(CodeId),
}

The subject binding for a form token (RFC-007 §13.3).

Explicit variants prevent the “empty string for anonymous” anti-pattern identified in RFC-007 §13.3. Bindings are persisted as part of the token record and checked on consume.

Variants

Anonymous

Token issued before authentication (e.g. a join form).

Authenticated(SubjectId)

Token issued for an authenticated subject.

Flow(CodeId)

Token bound to a transient flow ID (e.g. a multi-step join ticket).

Intended pattern for two-step join flows

The host generates a random flow ID at the start of the flow and stores it in a short-lived bearer cookie (the “join ticket”):

// Step 1 — POST /join: validate the invite code, issue a join ticket.
let flow_id = CodeId::new(generate_random_hex(&mut rng));
// Set `__join_ticket` cookie to flow_id.expose() (the plaintext).
// The cookie is HttpOnly, Secure, SameSite=Strict, short TTL.

// Also issue a CSRF form token bound to this flow:
let token = form_token_mgr.issue(
    &mut rng,
    TokenSubject::Flow(flow_id.clone()),
    "join_profile",          // purpose
    None,                    // bound_resource (or Some(community_id))
).await?;
// Embed token.expose() in the profile form as a hidden field.

// Step 2 — POST /join/profile: consume the form token.
// Read flow_id from the `__join_ticket` cookie.
let flow_id = CodeId::new(join_ticket_cookie_value.into());
let result = form_token_mgr.consume(
    raw_form_token,
    &TokenSubject::Flow(flow_id),
    "join_profile",
    None,
).await?;
// Ok(None) → Proceed; Ok(Some(_)) → Replay; Err → Invalid/expired.

SecretDomain::FlowTicket is used when the host wants to hash the join-ticket cookie value itself (making it a codlet-managed HMAC lookup rather than a raw random string). This is optional — the host may manage the ticket cookie independently and use TokenSubject::Flow only for the CSRF form token layer.

Implementations

impl TokenSubject

pub fn as_binding_str(&self) -> String

A stable string representation persisted in the store. This is not a security boundary on its own; the store’s consume WHERE clause enforces the binding.

Trait Implementations

impl Clone for TokenSubject

fn clone(&self) -> TokenSubject

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for TokenSubject

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Eq for TokenSubject

impl PartialEq for TokenSubject

fn eq(&self, other: &TokenSubject) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl StructuralPartialEq for TokenSubject