331 lines
10 KiB
Rust
331 lines
10 KiB
Rust
//! JWT Authentication Infrastructure
|
|
//!
|
|
//! Provides JWT token creation and validation using HS256 (secret-based).
|
|
//! For OIDC/JWKS validation, see the `oidc` module.
|
|
|
|
use domain::User;
|
|
use jsonwebtoken::{Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode};
|
|
use serde::{Deserialize, Serialize};
|
|
use std::time::{SystemTime, UNIX_EPOCH};
|
|
|
|
/// Minimum secret length for production (256 bits = 32 bytes)
|
|
const MIN_SECRET_LENGTH: usize = 32;
|
|
|
|
/// JWT configuration
|
|
#[derive(Debug, Clone)]
|
|
pub struct JwtConfig {
|
|
/// Secret key for HS256 signing/verification
|
|
pub secret: String,
|
|
/// Expected issuer (for validation)
|
|
pub issuer: Option<String>,
|
|
/// Expected audience (for validation)
|
|
pub audience: Option<String>,
|
|
/// Access token expiry in hours (default: 24)
|
|
pub expiry_hours: u64,
|
|
/// Refresh token expiry in days (default: 30)
|
|
pub refresh_expiry_days: u64,
|
|
}
|
|
|
|
impl JwtConfig {
|
|
/// Create a new JWT config with validation
|
|
///
|
|
/// In production mode, this will reject weak secrets.
|
|
pub fn new(
|
|
secret: String,
|
|
issuer: Option<String>,
|
|
audience: Option<String>,
|
|
expiry_hours: Option<u64>,
|
|
refresh_expiry_days: Option<u64>,
|
|
is_production: bool,
|
|
) -> Result<Self, JwtError> {
|
|
// Validate secret strength in production
|
|
if is_production && secret.len() < MIN_SECRET_LENGTH {
|
|
return Err(JwtError::WeakSecret {
|
|
min_length: MIN_SECRET_LENGTH,
|
|
actual_length: secret.len(),
|
|
});
|
|
}
|
|
|
|
Ok(Self {
|
|
secret,
|
|
issuer,
|
|
audience,
|
|
expiry_hours: expiry_hours.unwrap_or(24),
|
|
refresh_expiry_days: refresh_expiry_days.unwrap_or(30),
|
|
})
|
|
}
|
|
|
|
/// Create config without validation (for testing)
|
|
pub fn new_unchecked(secret: String) -> Self {
|
|
Self {
|
|
secret,
|
|
issuer: None,
|
|
audience: None,
|
|
expiry_hours: 24,
|
|
refresh_expiry_days: 30,
|
|
}
|
|
}
|
|
}
|
|
|
|
fn default_token_type() -> String {
|
|
"access".to_string()
|
|
}
|
|
|
|
/// JWT claims structure
|
|
#[derive(Debug, Serialize, Deserialize, Clone)]
|
|
pub struct JwtClaims {
|
|
/// Subject - the user's unique identifier (user ID as string)
|
|
pub sub: String,
|
|
/// User's email address
|
|
pub email: String,
|
|
/// Expiry timestamp (seconds since UNIX epoch)
|
|
pub exp: usize,
|
|
/// Issued at timestamp (seconds since UNIX epoch)
|
|
pub iat: usize,
|
|
/// Issuer
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
pub iss: Option<String>,
|
|
/// Audience
|
|
#[serde(skip_serializing_if = "Option::is_none")]
|
|
pub aud: Option<String>,
|
|
/// Token type: "access" or "refresh". Defaults to "access" for backward compat.
|
|
#[serde(default = "default_token_type")]
|
|
pub token_type: String,
|
|
}
|
|
|
|
/// JWT-related errors
|
|
#[derive(Debug, thiserror::Error)]
|
|
pub enum JwtError {
|
|
#[error("JWT secret is too weak: minimum {min_length} bytes required, got {actual_length}")]
|
|
WeakSecret {
|
|
min_length: usize,
|
|
actual_length: usize,
|
|
},
|
|
|
|
#[error("Token creation failed: {0}")]
|
|
CreationFailed(#[from] jsonwebtoken::errors::Error),
|
|
|
|
#[error("Token validation failed: {0}")]
|
|
ValidationFailed(String),
|
|
|
|
#[error("Token expired")]
|
|
Expired,
|
|
|
|
#[error("Invalid token format")]
|
|
InvalidFormat,
|
|
|
|
#[error("Missing configuration")]
|
|
MissingConfig,
|
|
}
|
|
|
|
/// JWT token validator and generator
|
|
#[derive(Clone)]
|
|
pub struct JwtValidator {
|
|
config: JwtConfig,
|
|
encoding_key: EncodingKey,
|
|
decoding_key: DecodingKey,
|
|
validation: Validation,
|
|
}
|
|
|
|
impl JwtValidator {
|
|
/// Create a new JWT validator with the given configuration
|
|
pub fn new(config: JwtConfig) -> Self {
|
|
let encoding_key = EncodingKey::from_secret(config.secret.as_bytes());
|
|
let decoding_key = DecodingKey::from_secret(config.secret.as_bytes());
|
|
|
|
let mut validation = Validation::new(Algorithm::HS256);
|
|
|
|
// Configure issuer validation if set
|
|
if let Some(ref issuer) = config.issuer {
|
|
validation.set_issuer(&[issuer]);
|
|
}
|
|
|
|
// Configure audience validation if set
|
|
if let Some(ref audience) = config.audience {
|
|
validation.set_audience(&[audience]);
|
|
}
|
|
|
|
Self {
|
|
config,
|
|
encoding_key,
|
|
decoding_key,
|
|
validation,
|
|
}
|
|
}
|
|
|
|
/// Create an access JWT token for the given user
|
|
pub fn create_token(&self, user: &User) -> Result<String, JwtError> {
|
|
let now = SystemTime::now()
|
|
.duration_since(UNIX_EPOCH)
|
|
.expect("Time went backwards")
|
|
.as_secs() as usize;
|
|
|
|
let expiry = now + (self.config.expiry_hours as usize * 3600);
|
|
|
|
let claims = JwtClaims {
|
|
sub: user.id.to_string(),
|
|
email: user.email.as_ref().to_string(),
|
|
exp: expiry,
|
|
iat: now,
|
|
iss: self.config.issuer.clone(),
|
|
aud: self.config.audience.clone(),
|
|
token_type: "access".to_string(),
|
|
};
|
|
|
|
let header = Header::new(Algorithm::HS256);
|
|
encode(&header, &claims, &self.encoding_key).map_err(JwtError::CreationFailed)
|
|
}
|
|
|
|
/// Create a refresh JWT token for the given user (longer-lived)
|
|
pub fn create_refresh_token(&self, user: &User) -> Result<String, JwtError> {
|
|
let now = SystemTime::now()
|
|
.duration_since(UNIX_EPOCH)
|
|
.expect("Time went backwards")
|
|
.as_secs() as usize;
|
|
|
|
let expiry = now + (self.config.refresh_expiry_days as usize * 86400);
|
|
|
|
let claims = JwtClaims {
|
|
sub: user.id.to_string(),
|
|
email: user.email.as_ref().to_string(),
|
|
exp: expiry,
|
|
iat: now,
|
|
iss: self.config.issuer.clone(),
|
|
aud: self.config.audience.clone(),
|
|
token_type: "refresh".to_string(),
|
|
};
|
|
|
|
let header = Header::new(Algorithm::HS256);
|
|
encode(&header, &claims, &self.encoding_key).map_err(JwtError::CreationFailed)
|
|
}
|
|
|
|
/// Validate a JWT token and return the claims
|
|
pub fn validate_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
|
|
let token_data = decode::<JwtClaims>(token, &self.decoding_key, &self.validation).map_err(
|
|
|e| match e.kind() {
|
|
jsonwebtoken::errors::ErrorKind::ExpiredSignature => JwtError::Expired,
|
|
jsonwebtoken::errors::ErrorKind::InvalidToken => JwtError::InvalidFormat,
|
|
_ => JwtError::ValidationFailed(e.to_string()),
|
|
},
|
|
)?;
|
|
|
|
Ok(token_data.claims)
|
|
}
|
|
|
|
/// Validate an access token — rejects refresh tokens
|
|
pub fn validate_access_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
|
|
let claims = self.validate_token(token)?;
|
|
if claims.token_type != "access" {
|
|
return Err(JwtError::ValidationFailed("Not an access token".to_string()));
|
|
}
|
|
Ok(claims)
|
|
}
|
|
|
|
/// Validate a refresh token — rejects access tokens
|
|
pub fn validate_refresh_token(&self, token: &str) -> Result<JwtClaims, JwtError> {
|
|
let claims = self.validate_token(token)?;
|
|
if claims.token_type != "refresh" {
|
|
return Err(JwtError::ValidationFailed("Not a refresh token".to_string()));
|
|
}
|
|
Ok(claims)
|
|
}
|
|
|
|
/// Get the user ID (subject) from a token without full validation
|
|
/// Useful for logging/debugging, but should not be trusted for auth
|
|
pub fn decode_unverified(&self, token: &str) -> Result<JwtClaims, JwtError> {
|
|
let token_data = jsonwebtoken::dangerous::insecure_decode::<JwtClaims>(token)
|
|
.map_err(|_| JwtError::InvalidFormat)?;
|
|
|
|
Ok(token_data.claims)
|
|
}
|
|
}
|
|
|
|
impl std::fmt::Debug for JwtValidator {
|
|
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
|
|
f.debug_struct("JwtValidator")
|
|
.field("issuer", &self.config.issuer)
|
|
.field("audience", &self.config.audience)
|
|
.field("expiry_hours", &self.config.expiry_hours)
|
|
.finish_non_exhaustive()
|
|
}
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
use domain::Email;
|
|
|
|
fn create_test_user() -> User {
|
|
let email = Email::try_from("test@example.com").unwrap();
|
|
User::new("test-subject", email)
|
|
}
|
|
|
|
#[test]
|
|
fn test_create_and_validate_token() {
|
|
let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
|
|
let validator = JwtValidator::new(config);
|
|
let user = create_test_user();
|
|
|
|
let token = validator.create_token(&user).expect("Should create token");
|
|
let claims = validator
|
|
.validate_token(&token)
|
|
.expect("Should validate token");
|
|
|
|
assert_eq!(claims.sub, user.id.to_string());
|
|
assert_eq!(claims.email, "test@example.com");
|
|
}
|
|
|
|
#[test]
|
|
fn test_weak_secret_rejected_in_production() {
|
|
let result = JwtConfig::new(
|
|
"short".to_string(), // Too short
|
|
None,
|
|
None,
|
|
None,
|
|
None,
|
|
true, // Production mode
|
|
);
|
|
|
|
assert!(matches!(result, Err(JwtError::WeakSecret { .. })));
|
|
}
|
|
|
|
#[test]
|
|
fn test_weak_secret_allowed_in_development() {
|
|
let result = JwtConfig::new(
|
|
"short".to_string(), // Too short but OK in dev
|
|
None,
|
|
None,
|
|
None,
|
|
None,
|
|
false, // Development mode
|
|
);
|
|
|
|
assert!(result.is_ok());
|
|
}
|
|
|
|
#[test]
|
|
fn test_invalid_token_rejected() {
|
|
let config = JwtConfig::new_unchecked("test-secret-key-that-is-long-enough".to_string());
|
|
let validator = JwtValidator::new(config);
|
|
|
|
let result = validator.validate_token("invalid.token.here");
|
|
assert!(result.is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn test_wrong_secret_rejected() {
|
|
let config1 = JwtConfig::new_unchecked("secret-one-that-is-long-enough".to_string());
|
|
let config2 = JwtConfig::new_unchecked("secret-two-that-is-long-enough".to_string());
|
|
|
|
let validator1 = JwtValidator::new(config1);
|
|
let validator2 = JwtValidator::new(config2);
|
|
|
|
let user = create_test_user();
|
|
let token = validator1.create_token(&user).unwrap();
|
|
|
|
// Token from validator1 should fail on validator2
|
|
let result = validator2.validate_token(&token);
|
|
assert!(result.is_err());
|
|
}
|
|
}
|