modo/auth/jwt/validation.rs
1use std::time::Duration;
/// Validation policy that every `decode()` call is checked against.
///
/// Expiry (`exp`) is enforced unconditionally and cannot be switched off here;
/// the fields below only add issuer (`iss`) and audience (`aud`) requirements
/// and set the clock-skew tolerance.
///
/// [`JwtConfig`](super::config::JwtConfig) is the usual source of these values:
/// `JwtEncoder::from_config()` and `JwtDecoder::from_config()` build this
/// struct from it automatically.
///
/// # Security
///
/// The `Default` value leaves both `require_issuer` and `require_audience`
/// unset, so no issuer or audience requirement is configured. Set both
/// wherever a signing key is shared between services or tokens are minted for
/// more than one audience, so that a token issued for one context is not
/// accepted in another.
#[derive(Clone, Debug)]
#[non_exhaustive]
pub struct ValidationConfig {
    /// Clock-skew tolerance used by the `exp` and `nbf` checks.
    ///
    /// The default is `Duration::ZERO`. Because the tolerance is applied to
    /// `exp`, a non-zero value lengthens the window in which an expired token
    /// is still accepted; keep it to the clock drift actually expected.
    pub leeway: Duration,

    // NOTE(review): how `decode()` compares these values (exact string
    // equality, handling of an array-valued `aud`) is not visible in this
    // file -- confirm against the decoder.
    /// Expected `iss` claim. With `Some`, `decode()` rejects any token whose
    /// `iss` does not match; `None` configures no issuer requirement.
    pub require_issuer: Option<String>,
    /// Expected `aud` claim. With `Some`, `decode()` rejects any token whose
    /// `aud` does not match; `None` configures no audience requirement.
    pub require_audience: Option<String>,
}
impl Default for ValidationConfig {
    /// Builds a policy with zero leeway and no issuer or audience requirement.
    ///
    /// This value adds nothing on top of the always-on `exp` check. Callers
    /// that need tokens bound to a specific issuer or audience must set
    /// `require_issuer` / `require_audience` themselves.
    fn default() -> Self {
        // Zero skew tolerance: `exp` and `nbf` get no extra slack.
        let leeway = Duration::ZERO;
        // Claim requirements are opt-in, so both start out unset.
        let (require_issuer, require_audience) = (None, None);

        Self {
            leeway,
            require_issuer,
            require_audience,
        }
    }
}
#[cfg(test)]
mod tests {
    use super::*;

    /// Pins the default policy: no clock-skew slack and no `iss` / `aud`
    /// requirement. A change to any of these defaults alters which tokens are
    /// accepted, so it should show up here as a deliberate test update.
    #[test]
    fn default_has_zero_leeway_and_no_requirements() {
        let ValidationConfig {
            leeway,
            require_issuer,
            require_audience,
        } = ValidationConfig::default();

        assert_eq!(leeway, Duration::ZERO);
        assert_eq!(require_issuer, None);
        assert_eq!(require_audience, None);
    }
}