Crate nats_io_jwt

Crate nats_io_jwt 

Source
Expand description

Generate JWTs signed using NKEYs for use with NATS

NOTE - This is still a work in progress and will be published to crates.io once it’s ready.

Supports generating JWTs for Operator, Account, User and Activation claims.

§Example

use nats_io_jwt::{KeyPair, Token, Account, User, Permission, SigningKeys};

// You would probably load the operator's seed via a config and use KeyPair::from_seed
let operator_signing_key = KeyPair::new_operator();

let account_keypair = KeyPair::new_account();
let account_signing_key = KeyPair::new_account();
let account: Account = Account::builder()
    .signing_keys(SigningKeys::from(&account_signing_key))
    .try_into()
    .expect("Account to be valid");
let account_token = Token::new(account_keypair.public_key())
    .name("My Account")
    .claims(account)
    .sign(&operator_signing_key);
println!("account_token: {}", account_token);

let user_keypair = KeyPair::new_user();
let user: User = User::builder()
   .pub_(Permission::from("service.hello.world"))
   .sub(Permission::from("_INBOX."))
   .subs(10)
   .payload(1024 * 1024) // 1MiB
   .bearer_token(true)
   .try_into()
   .expect("Account to be valid");
let user_token = Token::new(user_keypair.public_key())
    .name("My User")
    .claims(user)
    .sign(&account_signing_key);
println!("user_token: {}", user_token);

§License

Some parts taken from https://github.com/AircastDev/nats-jwt

Licensed under

Modules§

builder
Types for composing complex structures.
defaults
Generation of default values for serde.
error
Error types.

Structs§

Account
Represents the core configuration of an account, including imports, exports, limits, signing keys, default permissions, mappings, external auth, and more.
AccountLimits
Represents all operator-imposed limits on an account, including NATS limits, account limits, and JetStream limits.
AccountServerUrl
AccountServerURL is a partial URL like ‘https://host.domain.org:/jwt/v1’ tools will use the prefix and build queries by appending /accounts/<account_id> or /operator to the path provided. Note this assumes that the account server can handle requests in a nats-account-server compatible way. See https://github.com/nats-io/nats-account-server.
Activation
Defines the custom parts of an activation claim, including the imported subject and its type (stream/service).
AssertServerVersion
Min Server version.
CidrList
A list of CIDR-notation addresses for restricting access based on IP ranges.
Export
Represents an export that allows other accounts to import subjects from this account, possibly requiring tokens.
Exports
A list of exports defining subjects that this account makes available to other accounts.
ExternalAuthorization
Configures external authorization for accounts, specifying which users and accounts are involved and optional encryption keys.
GenericFields
Generic fields shared by multiple kinds of claims.
Import
Represents a mapping (import) from another account’s subject space into this account.
Imports
A list of imports, each defining an external subject mapped into this account.
Info
Generic extra Info.
JetStreamLimits
Defines JetStream resource limits for memory, disk, streams, consumers, and other constraints.
JetStreamTieredLimits
A map of tier names to JetStreamLimits, allowing tiered resource allocations for accounts.
Jwt
The Claims portion of a NATS JWT authorization token.
KeyPair
Re-export some KeyPair things from the nkeys crate. The main interface used for reading and writing nkey-encoded key pairs, including seeds and public keys.
Limits
The limits for Users including generic NatsLimits and User specific UserLimits
Mapping
A mapping from a subject to one or more weighted mappings, allowing splitting or routing messages.
MappingKey
MappingKey
MsgTrace
Configures distributed message tracing for an account, specifying the destination subject and sampling rate.
NatsLimits
Represents NATS server limits.
Operator
Represents operator-specific configuration, including permissions, limits, and optional bearer tokens.
OperatorLimits
Represents all operator-imposed limits on an account, including NATS limits, account limits, and JetStream limits.
OperatorServiceUrLs
A list of NATS urls (tls://host:port) where tools can connect to the server using proper credentials.
Permission
Defines per-subject publish or subscribe permissions with allow and deny lists.
Permissions
Represents a set of permissions controlling what subjects can be published or subscribed to, and optional response permissions.
RenamingSubject
Represents a subject used for renaming imported subjects. Can contain $ references to wildcard tokens in the original subject.
ResponsePermission
Specifies how response permissions are handled for a user or account, limiting the number of responses and their TTL.
RevocationList
A mapping of public keys or ‘*’ to revocation timestamps (Unix time). Entries here revoke previously issued JWTs.
RevocationListKey
RevocationListKey
ServiceLatency
Configures latency sampling and results reporting for exported services.
SigningKeys
Represents a list of signing keys that may be simply strings (for signing keys) or objects (for scoped keys like user_scope).
StrictSigningKeyUsage
Signing of subordinate objects will require signing keys.
StringList
A list of arbitrary strings.
Subject
Represents a NATS subject, a hierarchical string separated by dots, with optional wildcards (‘*’ or ‘>’).
SystemAccount
Identity of the system account.
TagList
A list of tags (strings) that are unique and lowercase. Used to categorize or label entities.
TimeRange
Represents a daily time range with a start and end time in HH:MM:SS format.
Token
JWT token builder.
User
Represents user-specific configuration, including permissions, limits, issuer account, and optional bearer tokens.
UserLimits
UserLimits are the limits specific to Users.
UserPermissionLimits
Represents the combined permissions and limits assigned to a user, including bearer token and allowed connection types.
UserScope
Represents a scoped signing key that can only sign user JWTs with certain predefined permission templates.
WeightedMapping
Defines a single weighted mapping target with a subject, optional weight, and optional cluster.

Enums§

AccountType
AccountType
ActivationType
ActivationType
Claims
Configuration and permission Claims.
ClaimsType
The type of the claims.
ClusterTraffic
Represents how cluster traffic should be handled. Allowed values are empty (no special handling), ‘system’ (use system accounts), or ‘owner’ (use owner accounts).
ConnectionType
Represents a connection type used by a user, indicating how the client connects to the server.
ExportType
Represents the type of an export, determining if the export is a stream or a service.
KeyPairType
Re-export some KeyPair things from the nkeys crate. The authoritative list of valid key pair types that are used for cryptographically secure identities
OperatorType
OperatorType
ResponseType
Represents the response pattern for a service export: either a ‘Singleton’ (one response), ‘Stream’ (multiple responses), or ‘Chunked’ (one response in chunks).
SamplingRate
Represents the sampling rate for collecting latency metrics. May be ‘headers’ or an integer between 1 and 100.
SamplingRateVariant0
Indicates headers-based sampling (‘headers’). If set to ‘headers’, the NATS server uses request headers for sampling decisions.
ScopeType
Represents the kind of scope for a signing key, currently supporting a ‘user_scope’.
SigningKeysItem
SigningKeysItem
UserType
UserType

Functions§

decode_seed
Re-export some KeyPair things from the nkeys crate. Attempts to decode the provided base32 encoded string into a valid prefix byte and the private key seed bytes. NOTE: This is considered an advanced use case, it’s generally recommended to stick with KeyPair::from_seed instead.
from_public_key
Re-export some KeyPair things from the nkeys crate. Returns the prefix byte and the underlying public key bytes NOTE: This is considered an advanced use case, it’s generally recommended to stick with KeyPair::from_public_key instead.