helios-auth 0.2.0

Authentication and authorization for the Helios FHIR Server
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

pub mod memory;
#[cfg(feature = "redis")]
pub mod redis;

use async_trait::async_trait;
use chrono::{DateTime, Utc};

use crate::error::AuthError;

/// Trait for JWT ID (jti) replay prevention.
///
/// Implementations store seen JTI values with TTLs matching
/// the token's expiration time.
#[async_trait]
pub trait JtiCache: Send + Sync + 'static {
    /// Check if a JTI has been seen before, and store it if not.
    ///
    /// Returns `true` if the JTI was already seen (replay detected).
    /// Returns `false` if the JTI is new (stored successfully).
    async fn check_and_store(
        &self,
        jti: &str,
        expires_at: DateTime<Utc>,
    ) -> Result<bool, AuthError>;
}

/// JTI cache implementation which never treats tokens as replays.
///
/// This is intended for deployments where JWT IDs identify reusable bearer
/// access tokens rather than one-time client assertions.
#[derive(Debug, Clone, Copy, Default)]
pub struct DisabledJtiCache;

#[async_trait]
impl JtiCache for DisabledJtiCache {
    async fn check_and_store(
        &self,
        _jti: &str,
        _expires_at: DateTime<Utc>,
    ) -> Result<bool, AuthError> {
        Ok(false)
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn disabled_cache_never_reports_replay() {
        let cache = DisabledJtiCache;
        let expires = Utc::now();

        assert!(!cache.check_and_store("same-jti", expires).await.unwrap());
        assert!(!cache.check_and_store("same-jti", expires).await.unwrap());
    }
}