|
DeterministicESPAsyncWebServer v6.27.1
Zero-allocation, bounded-execution async HTTP server for ESP32
|
Zero-heap JWT (JSON Web Token) bearer-auth verification, HS256. More...
Go to the source code of this file.
Zero-heap JWT (JSON Web Token) bearer-auth verification, HS256.
Stateless request authentication: a client presents Authorization: Bearer <jwt> and the server verifies the token's HMAC-SHA-256 signature against a shared secret (reusing the SSH crypto layer's HMAC). No sessions, no per-client state, no heap - all work happens in fixed stack/BSS buffers and the whole core is host-testable (env:native_jwt).
Only HS256 (HMAC-SHA-256) is supported - the deterministic, allocation-free choice for a constrained device sharing a secret with its issuer. RS256/ES256 (asymmetric) are out of scope. Signature verification is constant-time.
The base verifier (jwt_verify_hs256 / jwt_bearer_valid) checks only the signature. The *_at variants additionally enforce the RFC 7519 time claims (exp §4.1.4 and nbf §4.1.5) against a caller-supplied wall-clock epoch, with a skew leeway - pass now=0 on a clockless device to skip the time checks (the signature still gates). iat (§4.1.6) is informational; read it with jwt_claim_int() if you want it.
Definition in file jwt.h.