rusty_paseto 0.10.0

A type-driven, ergonomic alternative to JWT for secure stateless PASETO tokens.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191

export const metadata = {
  title: 'Expiration',
  description:
    'Learn how to handle token expiration and create non-expiring tokens when needed.',
}

# Expiration

Token expiration is a critical security feature. rusty_paseto provides automatic expiration validation and flexible options for setting token lifetimes. {{ className: 'lead' }}

## Setting Expiration

Set token expiration with an RFC3339 timestamp:

```rust
use rusty_paseto::prelude::*;

let token = PasetoBuilder::<V4, Local>::default()
    .set_claim(ExpirationClaim::try_from("2025-06-15T12:00:00Z")?)
    .build(&key)?;
```

### Using the Fluent Method

```rust
let token = PasetoBuilder::<V4, Local>::default()
    .expiration("2025-06-15T12:00:00Z")?
    .build(&key)?;
```

---

## Dynamic Expiration

Calculate expiration based on current time:

```rust
use rusty_paseto::prelude::*;
use time::{Duration, OffsetDateTime};

// Token expires in 1 hour
let exp = OffsetDateTime::now_utc() + Duration::hours(1);
let exp_str = exp.format(&time::format_description::well_known::Rfc3339)?;

let token = PasetoBuilder::<V4, Local>::default()
    .set_claim(ExpirationClaim::try_from(exp_str.as_str())?)
    .build(&key)?;
```

### Common Expiration Durations

```rust
use time::Duration;

// Short-lived tokens (API requests)
let exp = OffsetDateTime::now_utc() + Duration::minutes(15);

// Session tokens
let exp = OffsetDateTime::now_utc() + Duration::hours(24);

// Refresh tokens
let exp = OffsetDateTime::now_utc() + Duration::days(30);

// Long-lived API keys
let exp = OffsetDateTime::now_utc() + Duration::days(365);
```

---

## Automatic Validation

`PasetoParser` automatically validates expiration:

```rust
use rusty_paseto::prelude::*;

// This will fail if the token is expired
let result = PasetoParser::<V4, Local>::default()
    .parse(&token, &key);

match result {
    Ok(payload) => println!("Token valid: {}", payload),
    Err(Error::Expired) => println!("Token has expired!"),
    Err(e) => println!("Other error: {}", e),
}
```

---

## Not Before (nbf)

Use `NotBeforeClaim` for tokens that shouldn't be used until a specific time:

```rust
use rusty_paseto::prelude::*;
use time::{Duration, OffsetDateTime};

// Token valid starting in 1 hour, expires in 2 hours
let nbf = OffsetDateTime::now_utc() + Duration::hours(1);
let exp = OffsetDateTime::now_utc() + Duration::hours(2);

let nbf_str = nbf.format(&time::format_description::well_known::Rfc3339)?;
let exp_str = exp.format(&time::format_description::well_known::Rfc3339)?;

let token = PasetoBuilder::<V4, Local>::default()
    .set_claim(NotBeforeClaim::try_from(nbf_str.as_str())?)
    .set_claim(ExpirationClaim::try_from(exp_str.as_str())?)
    .build(&key)?;
```

Attempting to use the token before `nbf` returns `Error::NotYetValid`.

---

## Non-Expiring Tokens

<Note>
  Non-expiring tokens are a security risk. Only use them when you have other
  mechanisms for token rotation or revocation.
</Note>

To create a token without expiration:

```rust
use rusty_paseto::prelude::*;

let token = PasetoBuilder::<V4, Local>::default()
    .set_claim(SubjectClaim::from("service-account"))
    .set_no_expiration_danger_acknowledged()
    .build(&key)?;
```

### When Non-Expiring Tokens Are Acceptable

- Service-to-service authentication with key rotation
- Tokens stored in secure vaults with rotation policies
- Development/testing environments

### Better Alternatives

Instead of non-expiring tokens, consider:

1. **Long expiration with refresh:** 30-day tokens with a refresh mechanism
2. **Key rotation:** Rotate signing keys periodically
3. **Revocation lists:** Maintain a list of revoked token IDs

---

## Token Refresh Pattern

Implement a refresh token pattern for long sessions:

<Row>
  <Col>

    ```rust
    use rusty_paseto::prelude::*;
    use time::{Duration, OffsetDateTime};

    fn create_token_pair(
        user_id: &str,
        key: &PasetoSymmetricKey<V4, Local>,
    ) -> Result<(String, String), Box<dyn std::error::Error>> {
        let now = OffsetDateTime::now_utc();

        // Access token: short-lived (15 min)
        let access_exp = (now + Duration::minutes(15))
            .format(&time::format_description::well_known::Rfc3339)?;

        let access_token = PasetoBuilder::<V4, Local>::default()
            .subject(user_id)
            .set_claim(CustomClaim::new("type", "access")?)
            .expiration(&access_exp)?
            .build(key)?;

        // Refresh token: longer-lived (7 days)
        let refresh_exp = (now + Duration::days(7))
            .format(&time::format_description::well_known::Rfc3339)?;

        let refresh_token = PasetoBuilder::<V4, Local>::default()
            .subject(user_id)
            .set_claim(CustomClaim::new("type", "refresh")?)
            .expiration(&refresh_exp)?
            .build(key)?;

        Ok((access_token, refresh_token))
    }
    ```

  </Col>
</Row>