feat: add JWT authentication and flexible auth modes with configurable login responses

infra/Cargo.toml

@@ -20,6 +20,7 @@ postgres = [
 broker-nats = ["dep:futures-util", "k-core/broker-nats"]
 auth-axum-login = ["dep:axum-login", "dep:password-auth"]
 auth-oidc = ["dep:openidconnect", "dep:url"]
+auth-jwt = ["dep:jsonwebtoken"]
 
 [dependencies]
 k-core = { git = "https://git.gabrielkaszewski.dev/GKaszewski/k-core", features = [
@@ -50,4 +51,5 @@ axum-login = { version = "0.18", optional = true }
 password-auth = { version = "1.0", optional = true }
 openidconnect = { version = "4.0.1", optional = true }
 url = { version = "2.5.8", optional = true }
+jsonwebtoken = { version = "9.3", optional = true }
 # reqwest = { version = "0.13.1", features = ["blocking", "json"], optional = true }

infra/src/auth/jwt.rs

@@ -0,0 +1,278 @@
+//! JWT Authentication Infrastructure
+//!
+//! Provides JWT token creation and validation using HS256 (secret-based).
+//! For OIDC/JWKS validation, see the `oidc` module.
+
+use domain::User;
+use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode};
+use serde::{Deserialize, Serialize};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+/// Minimum secret length for production (256 bits = 32 bytes)
+const MIN_SECRET_LENGTH: usize = 32;
+
+/// JWT configuration
+#[derive(Debug, Clone)]
+pub struct JwtConfig {
+    /// Secret key for HS256 signing/verification
+    pub secret: String,
+    /// Expected issuer (for validation)
+    pub issuer: Option<String>,
+    /// Expected audience (for validation)
+    pub audience: Option<String>,
+    /// Token expiry in hours (default: 24)
+    pub expiry_hours: u64,
+}
+
+impl JwtConfig {
+    /// Create a new JWT config with validation
+    ///
+    /// In production mode, this will reject weak secrets.
+    pub fn new(
+        secret: String,
+        issuer: Option<String>,
+        audience: Option<String>,
+        expiry_hours: Option<u64>,
+        is_production: bool,
+    ) -> Result<Self, JwtError> {
+        // Validate secret strength in production
+        if is_production && secret.len() < MIN_SECRET_LENGTH {
+            return Err(JwtError::WeakSecret {
+                min_length: MIN_SECRET_LENGTH,
+                actual_length: secret.len(),
+            });
+        }
+
+        Ok(Self {
+            secret,
+            issuer,
+            audience,
+            expiry_hours: expiry_hours.unwrap_or(24),
+        })
+    }
+
+    /// Create config without validation (for testing)
+    pub fn new_unchecked(secret: String) -> Self {
+        Self {
+            secret,
+            issuer: None,
+            audience: None,
+            expiry_hours: 24,
+        }
+    }
+}
+
+/// JWT claims structure
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct JwtClaims {
+    /// Subject - the user's unique identifier (user ID as string)
+    pub sub: String,
+    /// User's email address
+    pub email: String,
+    /// Expiry timestamp (seconds since UNIX epoch)
+    pub exp: usize,
+    /// Issued at timestamp (seconds since UNIX epoch)
+    pub iat: usize,
+    /// Issuer
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub iss: Option<String>,
+    /// Audience
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub aud: Option<String>,
+}
+
+/// JWT-related errors
+#[derive(Debug, thiserror::Error)]
+pub enum JwtError {
+    #[error("JWT secret is too weak: minimum {min_length} bytes required, got {actual_length}")]
+    WeakSecret {
+        min_length: usize,
+        actual_length: usize,
+    },
+
+    #[error("Token creation failed: {0}")]
+    CreationFailed(#[from] jsonwebtoken::errors::Error),
+
+    #[error("Token validation failed: {0}")]
+    ValidationFailed(String),
+
+    #[error("Token expired")]
+    Expired,
+
+    #[error("Invalid token format")]
+    InvalidFormat,
+
+    #[error("Missing configuration")]
+    MissingConfig,
+}
+
+/// JWT token validator and generator
+#[derive(Clone)]
+pub struct JwtValidator {
+    config: JwtConfig,
+    encoding_key: EncodingKey,
+    decoding_key: DecodingKey,
+    validation: Validation,
+}
+
+impl JwtValidator {
+    /// Create a new JWT validator with the given configuration
+    pub fn new(config: JwtConfig) -> Self {
+        let encoding_key = EncodingKey::from_secret(config.secret.as_bytes());
+        let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
+
+        let mut validation = Validation::new(Algorithm::HS256);
+
+        // Configure issuer validation if set
+        if let Some(ref issuer) = config.issuer {
+            validation.set_issuer(&[issuer]);
+        }
+
+        // Configure audience validation if set
+        if let Some(ref audience) = config.audience {
+            validation.set_audience(&[audience]);
+        }
+
+        Self {
+            config,
+            encoding_key,
+            decoding_key,
+            validation,
+        }
+    }
+
+    /// Create a JWT token for the given user
+    pub fn create_token(&self, user: &User) -> Result<String, JwtError> {
+        let now = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .expect("Time went backwards")
+            .as_secs() as usize;
+
+        let expiry = now + (self.config.expiry_hours as usize * 3600);
+
+        let claims = JwtClaims {
+            sub: user.id.to_string(),
+            email: user.email.as_ref().to_string(),
+            exp: expiry,
+            iat: now,
+            iss: self.config.issuer.clone(),
+            aud: self.config.audience.clone(),
+        };
+
+        let header = Header::new(Algorithm::HS256);
+        encode(&header, &claims, &self.encoding_key).map_err(JwtError::CreationFailed)
+    }
+
+    /// Validate a JWT token and return the claims
+    pub fn validate_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let token_data = decode::<JwtClaims>(token, &self.decoding_key, &self.validation).map_err(
+            |e| match e.kind() {
+                jsonwebtoken::errors::ErrorKind::ExpiredSignature => JwtError::Expired,
+                jsonwebtoken::errors::ErrorKind::InvalidToken => JwtError::InvalidFormat,
+                _ => JwtError::ValidationFailed(e.to_string()),
+            },
+        )?;
+
+        Ok(token_data.claims)
+    }
+
+    /// Get the user ID (subject) from a token without full validation
+    /// Useful for logging/debugging, but should not be trusted for auth
+    pub fn decode_unverified(&self, token: &str) -> Result<JwtClaims, JwtError> {
+        let mut validation = Validation::new(Algorithm::HS256);
+        validation.insecure_disable_signature_validation();
+        validation.validate_exp = false;
+
+        let token_data = decode::<JwtClaims>(token, &self.decoding_key, &validation)
+            .map_err(|_| JwtError::InvalidFormat)?;
+
+        Ok(token_data.claims)
+    }
+}
+
+impl std::fmt::Debug for JwtValidator {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_struct("JwtValidator")
+            .field("issuer", &self.config.issuer)
+            .field("audience", &self.config.audience)
+            .field("expiry_hours", &self.config.expiry_hours)
+            .finish_non_exhaustive()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use domain::Email;
+
+    fn create_test_user() -> User {
+        let email = Email::try_from("test@example.com").unwrap();
+        User::new("test-subject", email)
+    }
+
+    #[test]
+    fn test_create_and_validate_token() {
+        let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
+        let validator = JwtValidator::new(config);
+        let user = create_test_user();
+
+        let token = validator.create_token(&user).expect("Should create token");
+        let claims = validator
+            .validate_token(&token)
+            .expect("Should validate token");
+
+        assert_eq!(claims.sub, user.id.to_string());
+        assert_eq!(claims.email, "test@example.com");
+    }
+
+    #[test]
+    fn test_weak_secret_rejected_in_production() {
+        let result = JwtConfig::new(
+            "short".to_string(), // Too short
+            None,
+            None,
+            None,
+            true, // Production mode
+        );
+
+        assert!(matches!(result, Err(JwtError::WeakSecret { .. })));
+    }
+
+    #[test]
+    fn test_weak_secret_allowed_in_development() {
+        let result = JwtConfig::new(
+            "short".to_string(), // Too short but OK in dev
+            None,
+            None,
+            None,
+            false, // Development mode
+        );
+
+        assert!(result.is_ok());
+    }
+
+    #[test]
+    fn test_invalid_token_rejected() {
+        let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
+        let validator = JwtValidator::new(config);
+
+        let result = validator.validate_token("invalid.token.here");
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_wrong_secret_rejected() {
+        let config1 = JwtConfig::new_unchecked("secret-one-that-is-long-enough".to_string());
+        let config2 = JwtConfig::new_unchecked("secret-two-that-is-long-enough".to_string());
+
+        let validator1 = JwtValidator::new(config1);
+        let validator2 = JwtValidator::new(config2);
+
+        let user = create_test_user();
+        let token = validator1.create_token(&user).unwrap();
+
+        // Token from validator1 should fail on validator2
+        let result = validator2.validate_token(&token);
+        assert!(result.is_err());
+    }
+}

infra/src/auth/mod.rs

@@ -118,3 +118,6 @@ pub mod backend {
 
 #[cfg(feature = "auth-oidc")]
 pub mod oidc;
+
+#[cfg(feature = "auth-jwt")]
+pub mod jwt;

infra/src/auth/oidc.rs

@@ -3,7 +3,7 @@ use openidconnect::{
     AccessTokenHash, AuthorizationCode, Client, ClientId, ClientSecret, CsrfToken,
     EmptyAdditionalClaims, EndpointMaybeSet, EndpointNotSet, EndpointSet, IssuerUrl, Nonce,
     OAuth2TokenResponse, PkceCodeChallenge, PkceCodeVerifier, RedirectUrl, Scope,
-    StandardErrorResponse, TokenResponse,
+    StandardErrorResponse, TokenResponse, UserInfoClaims,
     core::{
         CoreAuthDisplay, CoreAuthPrompt, CoreAuthenticationFlow, CoreClient, CoreErrorResponseType,
         CoreGenderClaim, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm, CoreProviderMetadata,
@@ -36,6 +36,7 @@ pub type OidcClient = Client<
 #[derive(Clone)]
 pub struct OidcService {
     client: OidcClient,
+    resource_id: Option<String>,
 }
 
 #[derive(Debug)]
@@ -51,7 +52,31 @@ impl OidcService {
         client_id: String,
         client_secret: String,
         redirect_url: String,
+        resource_id: Option<String>,
     ) -> anyhow::Result<Self> {
+        let client_id = client_id.trim().to_string();
+        let redirect_url = redirect_url.trim().to_string();
+        let issuer = issuer.trim().to_string();
+
+        // 2. Handle Empty Secret (For PKCE/Public Clients)
+        let client_secret_clean = client_secret.trim();
+        let client_secret_opt = if client_secret_clean.is_empty() {
+            None
+        } else {
+            Some(ClientSecret::new(client_secret_clean.to_string()))
+        };
+
+        tracing::debug!("🔵 OIDC Setup: Client ID = '{}'", client_id);
+        tracing::debug!("🔵 OIDC Setup: Redirect  = '{}'", redirect_url);
+        tracing::debug!(
+            "🔵 OIDC Setup: Secret    = {:?}",
+            if client_secret_opt.is_some() {
+                "SET"
+            } else {
+                "NONE"
+            }
+        );
+
         let http_client = reqwest::ClientBuilder::new()
             .redirect(reqwest::redirect::Policy::none())
             .build()?;
@@ -62,11 +87,14 @@ impl OidcService {
         let client = CoreClient::from_provider_metadata(
             provider_metadata,
             ClientId::new(client_id),
-            Some(ClientSecret::new(client_secret)),
+            client_secret_opt,
         )
         .set_redirect_uri(RedirectUrl::new(redirect_url)?);
 
-        Ok(Self { client })
+        Ok(Self {
+            client,
+            resource_id,
+        })
     }
 
     // todo: replace this tuple with newtype
@@ -118,7 +146,15 @@ impl OidcService {
             .id_token()
             .ok_or_else(|| anyhow!("Server did not return an ID token"))?;
 
-        let id_token_verifier = self.client.id_token_verifier();
+        let mut id_token_verifier = self.client.id_token_verifier().clone();
+
+        let trusted_resource_id = self.resource_id.clone();
+
+        if let Some(resource_id) = trusted_resource_id {
+            id_token_verifier = id_token_verifier
+                .set_other_audience_verifier_fn(move |aud| aud.as_str() == resource_id);
+        }
+
         let claims = id_token.claims(&id_token_verifier, &nonce)?;
 
         if let Some(expected_access_token_hash) = claims.access_token_hash() {
@@ -133,13 +169,28 @@ impl OidcService {
             }
         }
 
+        let email = if let Some(email) = claims.email() {
+            Some(email.as_str().to_string())
+        } else {
+            // Fallback: Call UserInfo Endpoint using the Access Token
+            tracing::debug!("🔵 Email missing in ID Token, fetching UserInfo...");
+
+            let user_info: UserInfoClaims<EmptyAdditionalClaims, CoreGenderClaim> = self
+                .client
+                .user_info(token_response.access_token().clone(), None)?
+                .request_async(&http_client)
+                .await?;
+
+            user_info.email().map(|e| e.as_str().to_string())
+        };
+
+        // If email is still missing, we must error out because your app requires valid emails
+        let email =
+            email.ok_or_else(|| anyhow!("User has no verified email address in ZITADEL"))?;
+
         Ok(OidcUser {
             subject: claims.subject().to_string(),
-            email: claims
-                .email()
-                .map(|email| email.as_str())
-                .unwrap_or("<not provided>")
-                .to_string(),
+            email,
         })
     }
 }