pub trait AuthLifecycleHook: Send + Sync {
// Provided methods
fn name(&self) -> &'static str { ... }
fn on_login<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait { ... }
fn on_logout<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait { ... }
fn on_token_refresh<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
_token: &'life2 LifecycleToken,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>
where Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait { ... }
}Expand description
Auth lifecycle hook — fires on login, logout, and token refresh of the legacy static auth path (Basic / JWT / OAuth session).
This is the successor to the deleted AuthHook::on_resolve_role
trait (removed in ADR-006, which moved role resolution to the
tower::Service<ResolveRequest> plugin surface). Role resolution
is intentionally NOT part of this trait — that concern already has
a home. What had no home was the request to observe the
authentication events themselves (on_login, on_logout,
on_token_refresh); this trait fills exactly that gap.
All methods default to no-ops so implementors override only what they care about. Hooks are observational: they cannot deny a login (the auth posture is decided before they run) — returning is the only contract. They run after the security decision, never as part of it, so a buggy or slow hook can never weaken authentication.
Provided Methods§
Sourcefn on_login<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
fn on_login<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
Fired after a user successfully authenticates and a session / token is issued. Default no-op.
Sourcefn on_logout<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
fn on_logout<'life0, 'life1, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
Fired after a user’s session / token is invalidated. Default no-op.
Sourcefn on_token_refresh<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
_token: &'life2 LifecycleToken,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
fn on_token_refresh<'life0, 'life1, 'life2, 'async_trait>(
&'life0 self,
_user: &'life1 LifecycleUser,
_token: &'life2 LifecycleToken,
) -> Pin<Box<dyn Future<Output = ()> + Send + 'async_trait>>where
Self: 'async_trait,
'life0: 'async_trait,
'life1: 'async_trait,
'life2: 'async_trait,
Fired after an OAuth access token is proactively or explicitly refreshed. Default no-op.
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".