Struct Auth 

pub struct Auth {
    pub sub: String,
    pub preferred_username: Option<String>,
    pub name: Option<String>,
    pub email: Option<String>,
    pub realm_roles: Vec<String>,
    pub claims: HashMap<String, Value>,
    pub permissions: Vec<String>,
    pub role_names: Vec<String>,
    pub is_service_account: bool,
}

Authenticated user context, validated by the Cufflink platform.

The platform validates the JWT token (via Keycloak) and extracts claims before passing them to your handler. You never need to validate tokens yourself — the auth field is only present when the token is valid.

handler!(protected, |req: Request| {
    let auth = match req.require_auth() {
        Ok(auth) => auth,
        Err(resp) => return resp,
    };
    if !auth.has_role("admin") {
        return Response::error("Forbidden");
    }
    Response::json(&json!({"user": auth.sub}))
});

Fields

sub: String

Keycloak subject ID (unique user identifier).

preferred_username: Option<String>

Preferred username from Keycloak.

name: Option<String>

Display name.

email: Option<String>

Email address.

realm_roles: Vec<String>

Realm roles assigned to the user in Keycloak.

claims: HashMap<String, Value>

All other JWT claims (custom Keycloak mappers, resource_access, etc.).

permissions: Vec<String>

Cufflink permissions resolved from the service’s tenant roles (e.g., ["staff:create", "items:*"]).

role_names: Vec<String>

Cufflink role names assigned to the user (e.g., ["admin", "manager"]).

is_service_account: bool

Whether this is a Keycloak service account (client credentials grant). Service accounts bypass permission checks at the platform level.

Implementations

impl Auth

pub fn has_role(&self, role: &str) -> bool

Check if the user has a specific Keycloak realm role.

pub fn can(&self, area: &str, operation: &str) -> bool

Check if the user has a specific Cufflink permission.

Supports wildcards: "staff:*" matches any operation in the “staff” area, and "*" matches everything.

if !auth.can("staff", "create") {
    return Response::error("Forbidden: missing staff:create permission");
}

pub fn has_cufflink_role(&self, role: &str) -> bool

Check if the user has a specific Cufflink role (by name).

pub fn claim(&self, key: &str) -> Option<&Value>

Get a specific claim value by key.

Trait Implementations

impl Clone for Auth

fn clone(&self) -> Auth

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for Auth

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.