Skip to main content

modo/auth/jwt/
revocation.rs

1use std::pin::Pin;
2
3use crate::Result;
4
5/// Optional trait for JWT token revocation checks.
6///
7/// Implement this against your storage backend (DB, Redis, `LruCache`, etc.).
8/// Register with [`JwtLayer::with_revocation()`](super::middleware::JwtLayer::with_revocation) —
9/// the middleware skips the check when no backend is registered.
10///
11/// # Behavior
12///
13/// - Only called when a revocation backend is registered AND the token has a `jti` claim.
14/// - Token without `jti` + registered backend: accepted without calling `is_revoked`.
15/// - `Ok(true)`: token rejected with `jwt:revoked`.
16/// - `Ok(false)`: token accepted.
17/// - `Err(_)`: token rejected with `jwt:revocation_check_failed` (fail-closed).
18pub trait Revocation: Send + Sync {
19    /// Returns `Ok(true)` if the token identified by `jti` has been revoked.
20    ///
21    /// # Errors
22    ///
23    /// Returning `Err` causes the middleware to reject the request with
24    /// `jwt:revocation_check_failed` (fail-closed behavior).
25    fn is_revoked(&self, jti: &str) -> Pin<Box<dyn Future<Output = Result<bool>> + Send + '_>>;
26}