Struct JwtPlugin 

pub struct JwtPlugin { /* private fields */ }

A minimal JWT implementation using HMAC-SHA256 (HS256).

For production, consider a full JWT library. This implementation uses real cryptographic primitives (HMAC-SHA256 via the hmac and sha2 crates).

Implementations

impl JwtPlugin

pub fn new(secret: &str, expiry_secs: u64) -> Self

pub fn issue(&self, user_id: &str) -> String

Issue a short-lived access JWT for a user ID.

pub fn issue_with_kind( &self, user_id: &str, kind: &str, expiry_secs: u64, ) -> String

Issue a JWT with an explicit kind and expiry.

pub fn issue_pair(&self, user_id: &str, refresh_expiry_secs: u64) -> TokenPair

Issue a token pair: a short-lived access token and a long-lived refresh token. The access token uses the plugin’s configured expiry; the refresh token uses the provided refresh_expiry_secs.

pub fn refresh(&self, refresh_token: &str) -> Result<TokenPair, String>

Consume a refresh token and issue a new token pair.

Order of operations matters for security:

1. Cryptographically verify the token FIRST. If we inserted into the replay cache before verification, an attacker could pollute the cache by posting random garbage, growing it unbounded. Worse, a real token presented alongside that garbage would get “burned” before we knew whether it was even valid.
2. Then check the replay cache and atomically insert.

The window between verify() and insert() is a TOCTOU where two concurrent refreshes of the same token could both succeed. The Mutex around used_refresh_tokens is the serialization point — the check + insert happens under the same lock.

pub fn verify(&self, token: &str) -> Result<Claims, String>

Verify and decode a JWT. Returns claims if valid and not expired. Uses constant-time comparison for the signature to prevent timing attacks.

pub fn resolve_user(&self, token: &str) -> Option<String>

Resolve a JWT to a user ID. Returns None if invalid.

Trait Implementations

impl Plugin for JwtPlugin

fn name(&self) -> &str

Unique name for this plugin.

fn on_init(&self, _ctx: &PluginContext)

Called once when the plugin is registered.

fn routes(&self) -> Vec<PluginRoute>

Custom API routes this plugin handles.

fn before_insert( &self, _entity: &str, _data: &mut Value, _auth: &AuthContext, ) -> Result<(), PluginError>

Called before an entity insert. Return Err to reject.

fn after_insert( &self, _entity: &str, _id: &str, _data: &Value, _auth: &AuthContext, )

Called after a successful insert.

fn before_update( &self, _entity: &str, _id: &str, _data: &mut Value, _auth: &AuthContext, ) -> Result<(), PluginError>

Called before an entity update. Return Err to reject.

fn after_update( &self, _entity: &str, _id: &str, _data: &Value, _auth: &AuthContext, )

Called after a successful update.

fn before_delete( &self, _entity: &str, _id: &str, _auth: &AuthContext, ) -> Result<(), PluginError>

Called before an entity delete. Return Err to reject.

fn after_delete(&self, _entity: &str, _id: &str, _auth: &AuthContext)

Called after a successful delete.

fn on_request( &self, _method: &str, _path: &str, _auth: &AuthContext, ) -> Result<(), PluginError>

Called on every incoming request (middleware).

fn on_request_with_meta( &self, method: &str, path: &str, auth: &AuthContext, _meta: &RequestMeta<'_>, ) -> Result<(), PluginError>

Richer variant of [on_request] that also receives per-request metadata (peer IP today; more fields may be added later). The default implementation delegates to on_request so existing plugins keep working without changes. Plugins that care about IP — notably rate limiting — override this hook.

fn on_session_create(&self, _user_id: &str, _token: &str)

Called when a new session is created.

fn entities(&self) -> Vec<ManifestEntity>

Additional manifest entities this plugin contributes.