pub struct Validation {
    pub required_spec_claims: HashSet<String>,
    pub leeway: u64,
    pub reject_tokens_expiring_in_less_than: u64,
    pub validate_exp: bool,
    pub validate_nbf: bool,
    pub validate_aud: bool,
    pub aud: Option<HashSet<String>>,
    pub iss: Option<HashSet<String>>,
    pub sub: Option<String>,
    pub algorithms: Vec<Algorithm>,
    /* private fields */
}

Contains the various validations that are applied to the claims after a JWT has been decoded.

All time validations operate on UTC timestamps expressed in seconds.

use jsonwebtoken::{Validation, Algorithm};

let mut validation = Validation::new(Algorithm::HS256);
validation.leeway = 5;
// Setting audience
validation.set_audience(&["Me"]); // a single string
validation.set_audience(&["Me", "You"]); // array of strings
// or issuer
validation.set_issuer(&["Me"]); // a single string
validation.set_issuer(&["Me", "You"]); // array of strings

Fields

required_spec_claims: HashSet<String>

Which claims are required to be present before starting the validation. This does not interact with the various validate_* flags: if you remove exp from that list, you still need to set validate_exp to false. The only values that are used are "exp", "nbf", "aud", "iss" and "sub"; anything else is ignored.

Defaults to {"exp"}.

leeway: u64

Leeway (in seconds) added to the exp and nbf validation to account for clock skew between the issuer and this verifier.

Defaults to 60.

reject_tokens_expiring_in_less_than: u64

Reject a token this many seconds before its exp, so that a token which is still valid when checked here does not expire while the request it authorises is in transit over the network.

The value is the inverse of leeway: leeway moves the effective exp deadline later, this value moves it earlier by subtracting from the validation time.

Defaults to 0.

validate_exp: bool

Whether to validate the exp field.

It will return an error if the time in the exp field is in the past (after leeway has been applied).

Defaults to true.

validate_nbf: bool

Whether to validate the nbf field.

It will return an error if the current timestamp is before the time in the nbf field (after leeway has been applied).

Defaults to false.

validate_aud: bool

Whether to validate the aud field.

It will return an error if the aud field is not a member of the audience provided.

Defaults to true. Turning this off is very insecure: a token minted for a different service will then be accepted by this one. Only do this if you know what you are doing.

aud: Option<HashSet<String>>

Validation will check that the aud field is a member of the audience provided and will error otherwise. Use set_audience to set it.

Defaults to None.

iss: Option<HashSet<String>>

If it contains a value, the validation will check that the iss field is a member of the issuers provided and will error otherwise. Use set_issuer to set it.

Defaults to None.

sub: Option<String>

If it contains a value, the validation will check that the sub field is the same as the one provided and will error otherwise.

Defaults to None.

algorithms: Vec<Algorithm>

The validation will check that the alg of the header is contained in the ones provided and will error otherwise. It will also error if the list is empty. Keep the list as short as possible and never derive it from the token's own header.

Defaults to vec![Algorithm::HS256].
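To make the interplay of these fields concrete, here is an added, self-contained model of the claim checks described above. It is written for this page and is not code from the jsonwebtoken crate: `Policy` mirrors the public `Validation` fields and their defaults (sub is left out to keep it short), `Claims` is a hypothetical decoded claim set with `aud` as a single string, and `validate` applies the checks in the documented order with the verifier's time passed in explicitly so the result is deterministic. Where the field docs leave a case open (a token that carries aud while no audience is configured, or lacks aud while one is) the model fails closed; that is a choice of this model. Signature verification is outside it entirely.

```rust
use std::collections::HashSet;

/// Outcomes of this model; each mirrors a situation the field docs describe.
#[derive(Debug, PartialEq)]
pub enum ClaimError {
    MissingRequiredClaim(&'static str),
    ExpiredSignature,
    ImmatureSignature,
    InvalidAudience,
    InvalidIssuer,
    InvalidAlgorithm,
}

/// Registered claims this model inspects (sub omitted; aud kept as one string).
#[derive(Default, Debug)]
pub struct Claims {
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    pub aud: Option<String>,
    pub iss: Option<String>,
}

/// Mirror of the public `Validation` fields, with the documented defaults.
pub struct Policy {
    pub required_spec_claims: HashSet<&'static str>,
    pub leeway: u64,
    pub reject_tokens_expiring_in_less_than: u64,
    pub validate_exp: bool,
    pub validate_nbf: bool,
    pub validate_aud: bool,
    pub aud: Option<HashSet<String>>,
    pub iss: Option<HashSet<String>>,
    pub algorithms: Vec<&'static str>,
}

impl Policy {
    /// Same defaults the field list gives, allowing only `alg`.
    pub fn new(alg: &'static str) -> Self {
        Policy {
            required_spec_claims: HashSet::from(["exp"]),
            leeway: 60,
            reject_tokens_expiring_in_less_than: 0,
            validate_exp: true,
            validate_nbf: false,
            validate_aud: true,
            aud: None,
            iss: None,
            algorithms: vec![alg],
        }
    }
    pub fn set_audience(&mut self, items: &[&str]) {
        self.aud = Some(items.iter().map(|s| s.to_string()).collect());
    }
}

/// Apply `policy` to a decoded header `alg` and claim set at UTC time `now` (seconds).
pub fn validate(policy: &Policy, alg: &str, claims: &Claims, now: u64) -> Result<(), ClaimError> {
    // Allow-list first: an empty list rejects everything, "none" included.
    if !policy.algorithms.iter().any(|a| *a == alg) {
        return Err(ClaimError::InvalidAlgorithm);
    }
    // Required claims are checked for presence before any value check; names
    // other than the spec claims are ignored.
    let missing = |name: &str| match name {
        "exp" => claims.exp.is_none(),
        "nbf" => claims.nbf.is_none(),
        "aud" => claims.aud.is_none(),
        "iss" => claims.iss.is_none(),
        _ => false,
    };
    if let Some(&name) = policy.required_spec_claims.iter().find(|n| missing(*n)) {
        return Err(ClaimError::MissingRequiredClaim(name));
    }
    // i128 so the subtractions cannot underflow. leeway moves the exp deadline
    // later; reject_tokens_expiring_in_less_than moves it earlier (its inverse).
    let (now, leeway) = (now as i128, policy.leeway as i128);
    let reject = policy.reject_tokens_expiring_in_less_than as i128;
    if policy.validate_exp && matches!(claims.exp, Some(exp) if exp as i128 - reject < now - leeway) {
        return Err(ClaimError::ExpiredSignature);
    }
    if policy.validate_nbf && matches!(claims.nbf, Some(nbf) if nbf as i128 > now + leeway) {
        return Err(ClaimError::ImmatureSignature);
    }
    // Audience, fail closed (a choice of this model): an aud claim must be in the
    // configured set; no configured set and no aud claim is the only other pass.
    if policy.validate_aud {
        match (&claims.aud, &policy.aud) {
            (None, None) => {}
            (Some(aud), Some(allowed)) if allowed.contains(aud) => {}
            _ => return Err(ClaimError::InvalidAudience),
        }
    }
    if let Some(allowed) = &policy.iss {
        if !matches!(&claims.iss, Some(iss) if allowed.contains(iss)) {
            return Err(ClaimError::InvalidIssuer);
        }
    }
    Ok(())
}
```

With the defaults, a token whose exp is 60 seconds in the past still passes (leeway) and one 61 seconds past fails; setting leeway to 0 and reject_tokens_expiring_in_less_than to 120 rejects a token that has 119 seconds left. A header alg of "none", or any alg not in the list, is rejected before the claims are even looked at, and clearing the list rejects every token, as the algorithms field says.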

Implementations

impl Validation

pub fn new(alg: Algorithm) -> Validation

Create a default validation setup allowing only the given alg.

pub fn set_audience<T: ToString>(&mut self, items: &[T])

aud is a collection of one or more acceptable audience members. The simple usage is set_audience(&["some aud name"]).

pub fn set_issuer<T: ToString>(&mut self, items: &[T])

iss is a collection of one or more acceptable issuers. The simple usage is set_issuer(&["some iss name"]).

pub fn set_required_spec_claims<T: ToString>(&mut self, items: &[T])

Which claims are required to be present for this JWT to be considered valid. The only values that will be considered are "exp", "nbf", "aud", "iss" and "sub". The simple usage is set_required_spec_claims(&["exp", "nbf"]). If you want an empty set, do not use this function; set an empty set on the struct field directly.

pub fn insecure_disable_signature_validation(&mut self)

Disables validation of the JWT cryptographic signature. Disabling it is dangerous; only do it if you know what you're doing. With signature validation disabled you should not trust any of the values of the claims, since anyone can produce a token carrying whatever claims they like.

Trait Implementations

impl Clone for Validation

    fn clone(&self) -> Validation
    fn clone_from(&mut self, source: &Self)

impl Debug for Validation

    fn fmt(&self, f: &mut Formatter<'_>) -> Result

impl Default for Validation

    fn default() -> Self

    Returns a Validation with the field defaults listed above.

impl PartialEq for Validation

    fn eq(&self, other: &Validation) -> bool
    fn ne(&self, other: &Rhs) -> bool

impl Eq for Validation

impl StructuralPartialEq for Validation

Performs the conversion.