natsdotnet/src/NATS.Server/Auth/IAuthenticator.cs

using System.Security.Cryptography.X509Certificates;
using NATS.Server.Auth.Jwt;
using NATS.Server.Protocol;

namespace NATS.Server.Auth;

public interface IAuthenticator
{
    AuthResult? Authenticate(ClientAuthContext context);
}

public sealed class ClientAuthContext
{
    public required ClientOptions Opts { get; init; }
    public required byte[] Nonce { get; init; }
    public X509Certificate2? ClientCertificate { get; init; }

    /// <summary>
    /// The type of connection (e.g., "STANDARD", "WEBSOCKET", "MQTT", "LEAFNODE").
    /// Used by JWT authenticator to enforce allowed_connection_types claims.
    /// Defaults to "STANDARD" for regular NATS client connections.
    /// </summary>
    public string ConnectionType { get; init; } = JwtConnectionTypes.Standard;
}