
Module session_version


Break-glass sv claim validation (#005 spec).

Consumers who accept Human-entity access tokens should validate the sv claim against the PAS source of truth to enforce break-glass revocation. Without this check, a token stolen before break-glass would remain valid until its 1-hour TTL expiry.

Architecture (cache-then-fetch, matches paseto-sv-claim.md §R5):

  1. Validator gets token_sv from VerifiedClaims::session_version().
  2. If None (legacy token, AI agent, delegated) → admit (R6 bypass).
  3. Look up sv:{ppnum_id} in a pluggable SessionVersionCache — default is the in-memory MemorySessionVersionCache (60 s TTL); consumers that already run KVRocks/Redis can plug in an adapter.
  4. Cache miss → SessionVersionFetcher does an HTTP GET on PAS /oauth/userinfo with the caller’s own bearer token. Default implementation: HttpUserInfoFetcher.
  5. Compare: token_sv < fresh_sv → reject with ValidateSvError::Stale; equal or greater → admit.

Fail-closed on fetch failure: a transient DB / network outage surfaces as ValidateSvError::Transient and the caller rejects the request. Silently admitting on a transient error would defeat break-glass, because an attacker could combine a forced cache eviction with a DB blip to stall validation.
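
The five steps and the fail-closed rule above, as an added Rust sketch that is not the crate's own code. MemoryCache, SvError, validate_sv_model and the closure-based fetcher are hypothetical stand-ins whose signatures are assumptions, and the scenario values are constructed.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Standalone model of the flow above. Types and signatures are assumptions,
// not the crate's real API; only the names echo the page.
#[derive(Debug, PartialEq)]
enum SvError { Stale { token_sv: u64, current_sv: u64 }, Transient }

const SV_CACHE_TTL: Duration = Duration::from_secs(60);

#[derive(Default)]
struct MemoryCache { entries: HashMap<String, (u64, Instant)> }

impl MemoryCache {
    // An entry older than the TTL counts as a miss.
    fn get(&self, key: &str, now: Instant) -> Option<u64> {
        match self.entries.get(key) {
            Some(&(sv, at)) if now.duration_since(at) < SV_CACHE_TTL => Some(sv),
            _ => None,
        }
    }
}

fn validate_sv_model(
    token_sv: Option<u64>, ppnum_id: &str, cache: &mut MemoryCache, now: Instant,
    fetch: impl FnOnce() -> Result<u64, String>,
) -> Result<(), SvError> {
    // Step 2: no sv claim (legacy, AI agent, delegated) bypasses the check.
    let Some(token_sv) = token_sv else { return Ok(()) };
    let key = format!("sv:{ppnum_id}");
    let current_sv = match cache.get(&key, now) {
        Some(sv) => sv,
        None => {
            // Step 4, fail closed: a fetch error rejects, it never admits.
            let sv = fetch().map_err(|_| SvError::Transient)?;
            cache.entries.insert(key, (sv, now));
            sv
        }
    };
    // Step 5: only a token older than the current version is stale.
    if token_sv < current_sv { Err(SvError::Stale { token_sv, current_sv }) } else { Ok(()) }
}

fn main() {
    let (mut cache, t0) = (MemoryCache::default(), Instant::now());
    // Constructed scenario: token minted at sv=3, then break-glass bumps PAS to 4.
    println!("{:?}", validate_sv_model(Some(3), "p1", &mut cache, t0, || Ok(3)));
    let later = t0 + Duration::from_secs(61);
    println!("{:?}", validate_sv_model(Some(3), "p1", &mut cache, later, || Ok(4)));
}
```

In this model a cached value is trusted until its 60 s TTL lapses, so the second call rejects only because it runs 61 s after the first.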

Structs§

FetchError
HttpUserInfoFetcher
SessionVersionFetcher backed by an AuthClient’s userinfo call.
MemorySessionVersionCache
In-memory SessionVersionCache. Default choice for SDK consumers.

Enums§

ValidateSvError

Constants§

SV_CACHE_KEY_PREFIX
Namespace prefix for cache keys. Matches chat-auth and is_admin caches.
SV_CACHE_TTL
TTL per paseto-sv-claim.md §R5. 60 s, non-configurable by design.

Traits§

SessionVersionCache
Cache abstraction for sv:{ppnum_id} lookups.
SessionVersionFetcher
Fresh-read source for the cache-miss path.

Functions§

validate_sv
Validates a token’s sv claim against the cached / fresh current value.