Class: JwtValidator
Defined in: auth-server-ts/src/tokens/jwt-validator.ts:70
Local HS256 access-token validator.
Validation order (mirroring auth-server/internal/auth/jwt/service.go ValidateAccessToken):
- Decode JWT with active secret.
  - On signature-mismatch + previous-slot configured, retry once with the previous secret. Any other failure is final (parity with parseWithRotation).
  - Audience + issuer enforced by jsonwebtoken.
- Reject refresh tokens — they MUST NOT authenticate requests (TokenValidatorService:58-60 in the old client).
- Optional revocation gate (when a RevocationCache is wired):
  - jti blacklist → TokenRevokedException
  - per-user token-version (tv) < current → TokenRevokedException

  Both fail-open on backend errors (matches Go server NoOpTokenCache).
- Build typed Principal:
  - token_type === 'service' → ServicePrincipal
  - else → AuthenticatedUser
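The rotation retry and refresh-token rejection described above, as an added sketch that is not the project's code. It verifies HS256 with `node:crypto` instead of jsonwebtoken so it runs offline, and omits the audience/issuer checks and the revocation gate; the function names, the `sub` and `exp` claims and the `"refresh"` value of `token_type` are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Claim names other than token_type are assumptions for this sketch.
type Claims = { sub: string; exp: number; token_type?: string };

const mac = (data: string, secret: string): Buffer =>
  createHmac("sha256", secret).update(data).digest();
const enc = (o: object): string =>
  Buffer.from(JSON.stringify(o)).toString("base64url");
const dec = (s: string): any =>
  JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed helper: mints an HS256 token so the sketch runs offline.
function sign(claims: Claims, secret: string): string {
  const input = enc({ alg: "HS256", typ: "JWT" }) + "." + enc(claims);
  return input + "." + mac(input, secret).toString("base64url");
}

// Checks one secret. Returns the claims, or a failure reason as a string.
function verifyOnce(token: string, secret: string, now: number): Claims | string {
  const parts = token.split(".");
  if (parts.length !== 3) return "malformed";
  let header: any, claims: any;
  try { header = dec(parts[0]); claims = dec(parts[1]); } catch { return "malformed"; }
  if (header?.alg !== "HS256") return "unexpected alg"; // pin the algorithm
  const want = mac(parts[0] + "." + parts[1], secret);
  const got = Buffer.from(parts[2], "base64url");
  // Signature is checked before any claim, in constant time.
  if (got.length !== want.length || !timingSafeEqual(got, want)) return "signature mismatch";
  if (typeof claims?.exp !== "number" || claims.exp <= now) return "expired";
  return claims as Claims;
}

// Active secret first; the previous secret is tried once, and only after a
// signature mismatch. Every other failure is final.
function validateAccess(token: string, active: string, previous: string | undefined, now: number): Claims {
  let res = verifyOnce(token, active, now);
  if (res === "signature mismatch" && previous) res = verifyOnce(token, previous, now);
  if (typeof res === "string") throw new Error(res);
  if (res.token_type === "refresh") throw new Error("refresh token rejected");
  return res;
}
```

Limiting the retry to signature mismatches means an expired or malformed token signed with the active secret is never re-checked against the older key.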
Implements
Constructors
Constructor
new JwtValidator(opts): JwtValidator
Defined in: auth-server-ts/src/tokens/jwt-validator.ts:81
Parameters
opts
Returns
JwtValidator
Methods
validate()
validate(token): Promise<AuthPrincipal>
Defined in: auth-server-ts/src/tokens/jwt-validator.ts:96
Parameters
token
string
Returns
Promise<AuthPrincipal>