pub struct Tokens { /* private fields */ }
The in-memory token table. Keys are either an opaque bearer token or a dummy AWS access
key id; both map to (policy, expiry, optional secret).
Implementations
impl Tokens
pub fn new() -> Self
pub fn mint(&self, policy: Policy, ttl_seconds: u64, now_ms: u64) -> MintResponse
Mint a fresh token bound to policy, valid for ttl_seconds from now_ms.
pub fn mint_sigv4(&self, policy: Policy, ttl_seconds: u64, now_ms: u64) -> SigV4Mint
Mint a dummy AWS SigV4 credential bound to policy. The access key id is the
lookup key; the secret is stored to verify inbound signatures.
pub fn resolve_sigv4(&self, access_key_id: &str, now_ms: u64) -> Option<(Policy, String)>
Resolve a dummy AWS access key id to its bound policy and dummy secret, or None
if unknown, expired, or not a SigV4 credential.
pub fn resolve(&self, token: &str, now_ms: u64) -> Option<Policy>
Resolve a token to its bound policy, or None if unknown or expired at now_ms.
pub fn resolve_full(&self, token: &str, now_ms: u64) -> Option<(Policy, u64)>
Resolve a token to its bound policy and absolute expiry, or None if unknown or
expired at now_ms. Used by the provision projection.
pub fn revoke(&self, token: &str) -> bool
Revoke a token immediately. Returns whether a token was removed.
pub fn sweep(&self, now_ms: u64) -> usize
Evict every entry expired at now_ms, returning how many were removed. resolve
already refuses expired entries, but without this the table only grows — every
SigV4 /provision mints a dummy credential that would otherwise never be reclaimed.
A background sweeper calls this periodically.
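The expiry behaviour documented for resolve and sweep, shown as an added example that is not this crate's code: a simplified stand-in table. ModelTable, insert and len are hypothetical names; the model assumes a String policy, a caller-supplied key (a real table would draw it from a CSPRNG), and that an entry is expired once now_ms reaches its expiry.

```rust
use std::collections::HashMap;
use std::sync::Mutex;

// Simplified model of the table described above; NOT the crate's implementation.
// Assumptions: policy is a plain String, the caller supplies the key, and an
// entry counts as expired once now_ms >= expiry_ms.
pub struct ModelTable {
    entries: Mutex<HashMap<String, (String, u64)>>, // key -> (policy, expiry_ms)
}

impl ModelTable {
    pub fn new() -> Self {
        Self { entries: Mutex::new(HashMap::new()) }
    }

    /// Bind `key` to `policy`; saturating math so a huge TTL cannot wrap to the past.
    pub fn insert(&self, key: &str, policy: &str, ttl_seconds: u64, now_ms: u64) -> u64 {
        let expiry = now_ms.saturating_add(ttl_seconds.saturating_mul(1000));
        self.entries.lock().unwrap().insert(key.to_string(), (policy.to_string(), expiry));
        expiry
    }

    /// Expired entries are refused here even while they are still stored.
    pub fn resolve(&self, key: &str, now_ms: u64) -> Option<String> {
        let map = self.entries.lock().unwrap();
        map.get(key).filter(|(_, exp)| now_ms < *exp).map(|(p, _)| p.clone())
    }

    pub fn revoke(&self, key: &str) -> bool {
        self.entries.lock().unwrap().remove(key).is_some()
    }

    /// Drop every expired entry and report how many were reclaimed.
    pub fn sweep(&self, now_ms: u64) -> usize {
        let mut map = self.entries.lock().unwrap();
        let before = map.len();
        map.retain(|_, (_, exp)| now_ms < *exp);
        before - map.len()
    }

    pub fn len(&self) -> usize {
        self.entries.lock().unwrap().len()
    }
}

fn main() {
    let t = ModelTable::new();
    t.insert("tok-a", "read-only", 1, 0); // constructed sample entry
    println!("{:?} {} {}", t.resolve("tok-a", 1_000), t.len(), t.sweep(1_000));
}
```

Between expiry and the next sweep an entry is unusable but still occupies memory, so the sweep interval bounds table growth rather than token validity.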