rusty_paseto 0.10.0

A type-driven, ergonomic alternative to JWT for secure stateless PASETO tokens.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220

export const metadata = {
  title: 'Custom Claims',
  description:
    'Learn how to add custom claims to your PASETO tokens for application-specific data.',
}

# Custom Claims

Beyond the seven standard claims, you can add any custom data to your tokens using `CustomClaim`. {{ className: 'lead' }}

## Basic Custom Claims

Create custom claims with `CustomClaim::new()`:

```rust
use rusty_paseto::prelude::*;

let token = PasetoBuilder::<V4, Local>::default()
    .set_claim(CustomClaim::new("role", "admin")?)
    .set_claim(CustomClaim::new("department", "engineering")?)
    .set_claim(CustomClaim::new("employee_id", 12345)?)
    .build(&key)?;
```

---

## Supported Value Types

`CustomClaim` accepts any value that implements `serde::Serialize`:

```rust
use rusty_paseto::prelude::*;

// Strings
CustomClaim::new("name", "Alice")?;

// Numbers
CustomClaim::new("level", 42)?;
CustomClaim::new("score", 98.5)?;

// Booleans
CustomClaim::new("verified", true)?;

// Arrays
CustomClaim::new("roles", vec!["admin", "user"])?;
CustomClaim::new("ids", vec![1, 2, 3])?;

// Objects (via serde_json)
use serde_json::json;
CustomClaim::new("metadata", json!({
    "created_by": "system",
    "version": 2
}))?;
```

---

## Reserved Claim Keys

You cannot use reserved PASETO claim keys for custom claims:

```rust
use rusty_paseto::prelude::*;

// These will return an error
let result = CustomClaim::new("iss", "value");  // Reserved
let result = CustomClaim::new("sub", "value");  // Reserved
let result = CustomClaim::new("aud", "value");  // Reserved
let result = CustomClaim::new("exp", "value");  // Reserved
let result = CustomClaim::new("nbf", "value");  // Reserved
let result = CustomClaim::new("iat", "value");  // Reserved
let result = CustomClaim::new("jti", "value");  // Reserved
```

Use the dedicated claim types for reserved keys instead:

```rust
// Correct - use the dedicated type
.set_claim(SubjectClaim::from("user_123"))

// Wrong - will error
.set_claim(CustomClaim::new("sub", "user_123")?)
```

---

## Validating Custom Claims

Use `check_claim` to validate custom claims when parsing:

```rust
use rusty_paseto::prelude::*;

let payload = PasetoParser::<V4, Local>::default()
    .check_claim(CustomClaim::new("role", "admin")?)
    .check_claim(CustomClaim::new("department", "engineering")?)
    .parse(&token, &key)?;
```

If the claim value doesn't match, parsing returns `Error::InvalidClaimValue`.

---

## Custom Validation Functions

For complex validation logic, use `validate_claim`:

```rust
use rusty_paseto::prelude::*;

let payload = PasetoParser::<V4, Local>::default()
    .validate_claim(
        "level",
        |value| {
            // value is a serde_json::Value
            value.as_i64()
                .map(|level| level >= 5)
                .unwrap_or(false)
        }
    )
    .parse(&token, &key)?;
```

---

## Accessing Custom Claims in Payload

After parsing, access custom claims from the JSON payload:

```rust
use rusty_paseto::prelude::*;

let payload = PasetoParser::<V4, Local>::default()
    .parse(&token, &key)?;

// Parse the JSON payload
let claims: serde_json::Value = serde_json::from_str(&payload)?;

// Access custom claims
let role = claims["role"].as_str().unwrap_or("unknown");
let level = claims["level"].as_i64().unwrap_or(0);
```

### Typed Parsing

For type-safe access, parse into a struct:

```rust
use rusty_paseto::prelude::*;
use serde::Deserialize;

#[derive(Deserialize)]
struct MyClaims {
    sub: String,
    role: String,
    level: i32,
    #[serde(default)]
    permissions: Vec<String>,
}

let claims: MyClaims = PasetoParser::<V4, Local>::default()
    .parse_into(&token, &key)?;

println!("User {} has role {}", claims.sub, claims.role);
```

---

## Example: Role-Based Access Control

<Row>
  <Col>

    A complete example implementing role-based access control with custom claims:

  </Col>
  <Col>

    ```rust
    use rusty_paseto::prelude::*;
    use serde::{Deserialize, Serialize};

    #[derive(Serialize)]
    struct TokenData {
        role: String,
        permissions: Vec<String>,
        tenant_id: String,
    }

    fn create_token(
        user_id: &str,
        data: &TokenData,
        key: &PasetoSymmetricKey<V4, Local>,
    ) -> Result<String, Box<dyn std::error::Error>> {
        let token = PasetoBuilder::<V4, Local>::default()
            .subject(user_id)
            .set_claim(CustomClaim::new("role", &data.role)?)
            .set_claim(CustomClaim::new("permissions", &data.permissions)?)
            .set_claim(CustomClaim::new("tenant_id", &data.tenant_id)?)
            .build(key)?;

        Ok(token)
    }

    fn verify_admin(
        token: &str,
        tenant: &str,
        key: &PasetoSymmetricKey<V4, Local>,
    ) -> Result<String, Box<dyn std::error::Error>> {
        let payload = PasetoParser::<V4, Local>::default()
            .check_claim(CustomClaim::new("role", "admin")?)
            .check_claim(CustomClaim::new("tenant_id", tenant)?)
            .parse(token, key)?;

        Ok(payload)
    }
    ```

  </Col>
</Row>