# Session 06: Authentication & JWT

## Summary

Authentication handlers (user/pass, token, NKey, TLS cert), auth callout (external auth service), JWT processing, and cipher suite definitions.

## Scope

| Go File | Features | Feature IDs | Go LOC |
|---------|----------|-------------|--------|
| server/auth.go | 31 | 350–380 | 1,498 |
| server/auth_callout.go | 3 | 381–383 | 456 |
| server/jwt.go | 6 | 1973–1978 | 205 |
| server/ciphersuites.go | 3 | 384–386 | 37 |
| **Total** | **43** | | **2,196** |

## .NET Classes

- `AuthHandler` — authentication dispatch and credential checking
- `AuthCallout` — external auth callout service
- `JwtProcessor` — NATS JWT validation and claims extraction
- `CipherSuites` — TLS cipher suite definitions

## Test Files

| Test File | Tests | Test IDs |
|-----------|-------|----------|
| server/auth_test.go | 12 | 142–153 |
| server/auth_callout_test.go | 31 | 111–141 |
| server/jwt_test.go | 88 | 1809–1896 |
| **Total** | **131** | |

## Dependencies

- Session 01 (Foundation Types — errors, constants)
- Session 03 (Configuration — ServerOptions for auth config)

## .NET Target Location

- `dotnet/src/ZB.MOM.NatsNet.Server/Auth/`

## Notes

- Auth is already partially scaffolded from leaf modules (certidp, certstore, tpm)
- JWT test file is large (88 tests) — may need careful batching within the session