JWT authentication module
Handles the full JWT authentication lifecycle for every HTTP request:
- Token extraction — parses the `Authorization: Bearer <token>` header.
- Validation — verifies the signature and standard claims (`exp`, `nbf`, `iat`, `aud`) with a 30-second clock-skew tolerance.
- Role resolution — extracts the database role from the JWT claims using the configured JSPath, falling back to the anonymous role.
- Caching — stores validated results in a lock-free Moka cache keyed by the raw token string. Cache size is bounded and entries expire based on the token’s `exp` claim (capped at 1 hour).
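The sketch below is an added example, not code from this crate. It shows how the 30-second skew tolerance and the `exp`-based cache lifetime interact, using only the standard library. All names (`TimeClaims`, `check_time_claims`, `cache_ttl_secs`) are hypothetical, and it assumes that absent claims are skipped and that a token with no remaining lifetime is not cached.

```rust
// Added illustration: names are hypothetical, not this crate's API.
const LEEWAY_SECS: u64 = 30; // clock-skew tolerance stated in the docs
const MAX_CACHE_TTL_SECS: u64 = 3600; // 1-hour cache cap stated in the docs

/// Time claims of a token whose signature has already been verified.
pub struct TimeClaims {
    pub exp: Option<u64>,
    pub nbf: Option<u64>,
    pub iat: Option<u64>,
}

#[derive(Debug, PartialEq)]
pub enum ClaimError { Expired, NotYetValid, IssuedInFuture }

/// Checks exp/nbf/iat against `now` (Unix seconds), allowing 30 s of skew.
/// Assumption: absent claims are skipped and boundary values are accepted.
pub fn check_time_claims(c: &TimeClaims, now: u64) -> Result<(), ClaimError> {
    let latest = now.saturating_add(LEEWAY_SECS);
    if matches!(c.exp, Some(exp) if now > exp.saturating_add(LEEWAY_SECS)) {
        return Err(ClaimError::Expired);
    }
    if matches!(c.nbf, Some(nbf) if nbf > latest) {
        return Err(ClaimError::NotYetValid);
    }
    if matches!(c.iat, Some(iat) if iat > latest) {
        return Err(ClaimError::IssuedInFuture);
    }
    Ok(())
}

/// Cache lifetime for a validated token: time left until exp, capped at 1 hour.
/// The leeway is deliberately not added, so a cached result never outlives exp.
/// Returns None when nothing is left (token accepted only through the leeway).
/// Assumption: a token without exp gets the cap.
pub fn cache_ttl_secs(c: &TimeClaims, now: u64) -> Option<u64> {
    let ttl = match c.exp {
        Some(exp) => exp.saturating_sub(now).min(MAX_CACHE_TTL_SECS),
        None => MAX_CACHE_TTL_SECS,
    };
    if ttl == 0 { None } else { Some(ttl) }
}

fn main() {
    let now = 1_700_000_000; // constructed timestamp
    let c = TimeClaims { exp: Some(now - 10), nbf: None, iat: Some(now - 500) };
    // Accepted through the leeway, but not cacheable: prints "Ok(()) ttl=None".
    println!("{:?} ttl={:?}", check_time_claims(&c, now), cache_ttl_secs(&c, now));
}
```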
§Supported Algorithms
HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384.
§Secret Formats
- Plain UTF-8 string
- Base64-encoded string (`jwt_secret_is_base64 = true`)
- JWKS (JSON Web Key Set) — automatically detected when the secret starts with `{`.
§Error Codes
| Code | Meaning |
|---|---|
| DBRST300 | Server lacks JWT secret |
| DBRST301 | Token decode / signature error |
| DBRST302 | Token required (no anonymous role) |
| DBRST303 | Claims validation failed |
Re-exports§
- `pub use cache::JwtCache;`
- `pub use error::JwtError;`
- `pub use middleware::AuthState;`
- `pub use middleware::auth_middleware;`
- `pub use types::AuthResult;`
Modules§
- `cache`: JWT validation result cache
- `error`: JWT-specific error types
- `jwt`: JWT token parsing, validation, and role extraction
- `middleware`: Axum auth middleware
- `types`: Authentication result types