
1//! JWT authentication module
2//!
3//! Handles the full JWT authentication lifecycle for every HTTP request:
4//!
5//! 1. **Token extraction** — parses the `Authorization: Bearer <token>` header.
6//! 2. **Validation** — verifies the signature and the standard claims (`exp`, `nbf`,
7//!    `iat`, `aud`), allowing a 30-second clock-skew tolerance on the time-based claims.
8//! 3. **Role resolution** — extracts the database role from the JWT claims
9//!    using the configured JSPath, falling back to the anonymous role.
10//! 4. **Caching** — stores validated results in a lock-free Moka cache
11//!    keyed by the raw token string. Cache size is bounded, and each entry's
12//!    lifetime is derived from the token's `exp` claim and never exceeds 1 hour.
13//!
14//! # Supported Algorithms
15//!
16//! HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384.
17//!
18//! # Secret Formats
19//!
20//! - Plain UTF-8 string
21//! - Base64-encoded string (`jwt_secret_is_base64 = true`)
22//! - JWKS (JSON Web Key Set) — automatically detected when the secret
23//!   starts with `{`.
24//!
25//! # Error Codes
26//!
27//! | Code | Meaning |
28//! |------|---------|
29//! | DBRST300 | Server lacks JWT secret |
30//! | DBRST301 | Token decode / signature error |
31//! | DBRST302 | Token required (no anonymous role) |
32//! | DBRST303 | Claims validation failed |
33
34pub mod cache;
35pub mod error;
36pub mod jwt;
37pub mod middleware;
38pub mod types;
39
40// Re-exports for convenience
41pub use cache::JwtCache;
42pub use error::JwtError;
43pub use middleware::{AuthState, auth_middleware};
44pub use types::AuthResult;