Atex.ServiceAuth.JTICache behaviour
(atex v0.9.1)
Behaviour and compile-time dispatch for tracking used jti (JWT ID) nonces
from service auth tokens, preventing replay attacks.
Implementations are responsible for:
- Storing a jti alongside its expiry so that entries can be evicted once the corresponding token has naturally expired (avoiding unbounded growth).
- Returning :seen when a jti has already been recorded, and :ok when it is new (and recording it atomically).
Configuration
The active implementation is resolved at compile time:
config :atex, :jti_cache, Atex.ServiceAuth.JTICache.ETS
Defaults to Atex.ServiceAuth.JTICache.ETS when not configured.
Summary
Callbacks
Get the child specification for starting the cache in a supervision tree.
Check whether a jti has already been seen without modifying the cache.
Record a jti as seen. The implementation must store it until at least
expires_at (a Unix timestamp integer) so that expired tokens cannot be
replayed before the entry is evicted.
Callbacks
@callback child_spec(any()) :: Supervisor.child_spec()
Get the child specification for starting the cache in a supervision tree.
@callback get(jti :: String.t()) :: :ok | :seen
Check whether a jti has already been seen without modifying the cache.
Returns :ok if unseen, :seen if already present.
Record a jti as seen. The implementation must store it until at least
expires_at (a Unix timestamp integer) so that expired tokens cannot be
replayed before the entry is evicted.
Returns :ok if this is the first time the jti has been seen, or :seen
if it was already present.
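An added illustration of the two requirements above (atomic check-and-record, and eviction once expires_at has passed), written for this page and not atex's own Atex.ServiceAuth.JTICache.ETS implementation. The module and function names ExampleJTICache, record/2 and sweep/1 are assumptions; the behaviour's own recording callback is not named on this page, so the module does not declare @behaviour.

```elixir
defmodule ExampleJTICache do
  # Added example, not atex's code. A GenServer owning a public ETS table:
  # use GenServer also generates child_spec/1, so this module can be started
  # in a supervision tree the way the behaviour's first callback requires.
  use GenServer

  @table :example_jti_cache
  @sweep_interval :timer.minutes(1)

  def start_link(opts \\ []), do: GenServer.start_link(__MODULE__, opts, name: __MODULE__)

  # Read-only lookup, mirroring get/1: never modifies the table.
  def get(jti) when is_binary(jti) do
    case :ets.lookup(@table, jti) do
      [] -> :ok
      [_] -> :seen
    end
  end

  # Atomic check-and-record (hypothetical name record/2). :ets.insert_new/2
  # inserts only when the key is absent and returns false otherwise, so two
  # concurrent requests carrying the same jti can never both receive :ok.
  # A separate lookup followed by insert would leave a replay window.
  def record(jti, expires_at) when is_binary(jti) and is_integer(expires_at) do
    if :ets.insert_new(@table, {jti, expires_at}), do: :ok, else: :seen
  end

  # Evict only entries whose expires_at is already in the past: from then on
  # the token itself fails its expiry check, so the nonce need not be kept.
  # Entries are never removed before expires_at, as the behaviour demands.
  def sweep(now \\ System.os_time(:second)) do
    :ets.select_delete(@table, [{{:_, :"$1"}, [{:<, :"$1", now}], [true]}])
  end

  @impl true
  def init(_opts) do
    :ets.new(@table, [:named_table, :set, :public, read_concurrency: true, write_concurrency: true])
    Process.send_after(self(), :sweep, @sweep_interval)
    {:ok, %{}}
  end

  @impl true
  def handle_info(:sweep, state) do
    sweep()
    Process.send_after(self(), :sweep, @sweep_interval)
    {:noreply, state}
  end
end
```

sweep/1 returns the number of evicted rows; calling it with an explicit timestamp is useful in tests to verify that an entry survives until its expires_at and disappears afterwards.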