Pulse entry
JWT handling
2025-12-28
What “good” JWT handling means in RustGrid
JWT is not “auth done”. It’s a transport for claims. The server is still responsible for:
- strict parsing (
Authorization: Bearer <token>) - signature verification (HS256 secret)
- claim validation (
exp,nbf, issuer/audience if used) - fresh authorization (permissions + membership loaded from DB)
- attaching a request context (
tenant_id,user_id,role,request_id) for logs/traces
Rule: don’t trust the token for permissions
The token proves identity and session validity. Permissions can change anytime.
RustGrid treats JWT claims as identity, but authorization is enforced using fresh DB reads per request (with caching later if needed).
Middleware shape
- Parse header
- Verify token
- Resolve membership in DB
- Compute effective permissions
- Inject
RequestContextinto request extensions - Downstream handlers read context, never re-parse JWT
Next hardening steps
- rotate secrets without mass logout (kid + keyring)
- add audience/issuer pinning for multi-client support
- emit
auth.*spans with request_id + tenant_id for traceability