feat: enforce jwt allowed connection types with go-compatible semantics

This commit is contained in:
Joseph Doherty
2026-02-23 05:43:46 -05:00
parent e562077e4c
commit 4a242f614f
4 changed files with 56 additions and 1 deletions

View File

@@ -95,6 +95,24 @@ public sealed class JwtAuthenticator : IAuthenticator
}
}
// 7b. Check allowed connection types
var (allowedTypes, hasUnknown) = JwtConnectionTypes.Convert(userClaims.Nats?.AllowedConnectionTypes);
if (allowedTypes.Count == 0)
{
if (hasUnknown)
return null; // unknown-only list should reject
}
else
{
var connType = string.IsNullOrWhiteSpace(context.ConnectionType)
? JwtConnectionTypes.Standard
: context.ConnectionType.ToUpperInvariant();
if (!allowedTypes.Contains(connType))
return null;
}
// 8. Build permissions from JWT claims
Permissions? permissions = null;
var nats = userClaims.Nats;