Skip to main content

SessionValidator

plexus_substrate::plexus

Trait SessionValidator 

Source 
pub trait SessionValidator:
    Send
    + Sync
    + 'static {
    // Required method
    fn validate<'life0, 'life1, 'async_trait>(
        &'life0 self,
        cookie_value: &'life1 str,
    ) -> Pin<Box<dyn Future<Output = Option<AuthContext>> + Send + 'async_trait>>
       where 'life0: 'async_trait,
             'life1: 'async_trait,
             Self: 'async_trait;
}
Expand description

Backends implement this trait to validate cookies/tokens during WS upgrade.

This trait is designed to be object-safe and work with async/await, allowing backends to use any authentication mechanism:

  • JWT validation (e.g., Keycloak tokens)
  • Database session lookups
  • Redis session stores
  • OAuth token introspection

§Example: Keycloak JWT Validation

use plexus_core::plexus::{AuthContext, SessionValidator};
use async_trait::async_trait;

struct KeycloakValidator {
    jwks_client: JwksClient,
    realm: String,
}

#[async_trait]
impl SessionValidator for KeycloakValidator {
    async fn validate(&self, cookie_value: &str) -> Option<AuthContext> {
        // Parse JWT from cookie
        let token = parse_jwt_from_cookie(cookie_value)?;

        // Validate signature and claims
        let claims = self.jwks_client.verify(&token).await.ok()?;

        // Extract user info and tenant from JWT claims
        Some(AuthContext {
            user_id: claims.sub,
            session_id: claims.sid.unwrap_or_default(),
            roles: claims.realm_access.roles,
            metadata: serde_json::json!({
                "realm": self.realm,
                "tenant_id": claims.get("tenant_id"),
                "email": claims.email,
            }),
        })
    }
}

Required Methods§

Source

fn validate<'life0, 'life1, 'async_trait>( &'life0 self, cookie_value: &'life1 str, ) -> Pin<Box<dyn Future<Output = Option<AuthContext>> + Send + 'async_trait>>
where 'life0: 'async_trait, 'life1: 'async_trait, Self: 'async_trait,

Validate a cookie header value and return an AuthContext if valid.

§Arguments
  • cookie_value - The raw Cookie header value (e.g., “session=abc123; path=/”)
§Returns
  • Some(AuthContext) if the cookie is valid and represents an authenticated session
  • None if the cookie is invalid, expired, or represents an anonymous session
§Implementation Notes
  • This is called during the WebSocket handshake (HTTP upgrade)
  • Validation should be fast to avoid blocking the connection
  • For JWT: verify signature, check expiration, extract claims
  • For session-based auth: lookup session in DB/Redis
  • Return None for invalid/expired credentials (connection proceeds as anonymous)

Implementors§