Switch to better JWT crate

JWT -> jsonwebtoken

Author: janos-r

Cargo.lock

@@ -7,11 +7,10 @@ edition = "2021"
 async-graphql = "5.0.10"
 async-graphql-axum = "5.0.10"
 axum = "0.6"
-hmac = "0.12"
-jwt = "0.16"
+chrono = "0.4"
+jsonwebtoken = "8.3"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
-sha2 = "0.10"
 surrealdb = { git = "https://github.com/surrealdb/surrealdb.git", tag = "v1.0.0-beta.9", features = [
   "kv-mem"
 ] }

Cargo.toml

@@ -24,9 +24,11 @@ To use routes other than `/hello`, login with:
 ## Features implemented
 
 - Axum
-  - JWT, login with cookies
   - Query and Path get examples
   - REST CRUD with in-memory mock model
+- JWT
+  - login with expiration
+  - saved in cookies HttpOnly
 - Manual Error handling without 3rd party crates
   - Errors respond with request IDs
   - Debug and Display variants for server and client

README.md

@@ -4,3 +4,5 @@ graphiql
 surrealdb
 hmac
 Hmac
+jsonwebtoken
+chrono

assets/logo.png

@@ -20,7 +20,6 @@ pub enum Error {
     TicketDeleteFailIdNotFound { id: u64 },
     AuthFailNoJwtCookie,
     AuthFailJwtInvalid { source: String },
-    AuthFailJwtWithoutAuth,
     AuthFailCtxNotInRequestExt,
     Serde { source: String },
     SurrealDb { source: String },
@@ -64,8 +63,8 @@ impl fmt::Display for Error {
             Self::LoginFail => write!(f, "Login fail"),
             Self::TicketDeleteFailIdNotFound { id } => write!(f, "Ticket id {id} not found"),
             Self::AuthFailNoJwtCookie => write!(f, "You are not logged in"),
-            Self::AuthFailJwtInvalid { .. } | Self::AuthFailJwtWithoutAuth => {
-                write!(f, "Can't parse token, wrong format")
+            Self::AuthFailJwtInvalid { .. } => {
+                write!(f, "The provided JWT token is not valid")
             }
             Self::Serde { source } => write!(f, "Serde error - {source}"),
             Self::AuthFailCtxNotInRequestExt => write!(f, "{INTERNAL}"),
@@ -90,7 +89,6 @@ impl IntoResponse for ApiError {
             | Error::AuthFailNoJwtCookie
             | Error::AuthFailJwtInvalid { .. }
             | Error::AuthFailCtxNotInRequestExt
-            | Error::AuthFailJwtWithoutAuth
             | Error::SurrealDb { .. } => StatusCode::FORBIDDEN,
         };
         let body = Json(json!({
@@ -144,9 +142,8 @@ impl From<surrealdb::error::Db> for Error {
     }
 }
 
-impl From<jwt::error::Error> for Error {
-    fn from(value: jwt::error::Error) -> Self {
-        // TODO: handle better - tell on expiration etc
+impl From<jsonwebtoken::errors::Error> for Error {
+    fn from(value: jsonwebtoken::errors::Error) -> Self {
         Self::AuthFailJwtInvalid {
             source: value.to_string(),
         }

cspell-words.txt

@@ -17,11 +17,10 @@ use error::{ApiResult, Result};
 use graphql::{
     graphiql, graphql_handler, mutation_root::MutationRoot, query_root::QueryRoot, ApiSchema,
 };
-use hmac::{Hmac, Mac};
+use jsonwebtoken::{DecodingKey, EncodingKey};
 use mw_ctx::CtxState;
 use mw_req_logger::mw_req_logger;
 use service::ticket_no_db::ModelController;
-use sha2::Sha256;
 use std::net::{Ipv4Addr, SocketAddr};
 use surrealdb::{
     engine::local::{Db as LocalDb, Mem},
@@ -68,12 +67,14 @@ async fn main() -> Result<()> {
     let routes_tickets = web::routes_tickets::routes(DB.clone())
         .route_layer(middleware::from_fn(mw_ctx::mw_require_auth));
 
-    // Load salt and create secret key for JWT
-    let salt = "some-secret".as_bytes();
-    let key: Hmac<Sha256> = Hmac::new_from_slice(salt).unwrap();
+    // Load secret and create secret key for JWT
+    let secret = "some-secret".as_bytes();
+    let key_enc = EncodingKey::from_secret(secret);
+    let key_dec = DecodingKey::from_secret(secret);
     let ctx_state = CtxState {
         _db: DB.clone(),
-        key,
+        key_enc,
+        key_dec,
     };
 
     // Main router

src/error.rs

@@ -1,21 +1,24 @@
 use crate::{ctx::Ctx, error::Error, error::Result, ApiResult, Db};
 use axum::{extract::State, http::Request, middleware::Next, response::Response};
-use hmac::Hmac;
-use jwt::VerifyWithKey;
-use sha2::Sha256;
-use std::collections::BTreeMap;
+use jsonwebtoken::{decode, DecodingKey, EncodingKey, Validation};
+use serde::{Deserialize, Serialize};
 use tower_cookies::{Cookie, Cookies};
 use uuid::Uuid;
 
 #[derive(Clone)]
 pub struct CtxState {
     // NOTE: with DB, because a real login would check the DB
     pub _db: Db,
-    pub key: Hmac<Sha256>,
+    pub key_enc: EncodingKey,
+    pub key_dec: DecodingKey,
 }
 
 pub const JWT_KEY: &str = "jwt";
-pub const JWT_AUTH: &str = "auth";
+#[derive(Debug, Serialize, Deserialize)]
+pub struct Claims {
+    pub exp: usize,
+    pub auth: String,
+}
 
 pub async fn mw_require_auth<B>(ctx: Ctx, req: Request<B>, next: Next<B>) -> ApiResult<Response> {
     println!("->> {:<12} - mw_require_auth - {ctx:?}", "MIDDLEWARE");
@@ -24,15 +27,15 @@ pub async fn mw_require_auth<B>(ctx: Ctx, req: Request<B>, next: Next<B>) -> Api
 }
 
 pub async fn mw_ctx_constructor<B>(
-    State(CtxState { _db, key }): State<CtxState>,
+    State(CtxState { _db, key_dec, .. }): State<CtxState>,
     cookies: Cookies,
     mut req: Request<B>,
     next: Next<B>,
 ) -> Response {
     println!("->> {:<12} - mw_ctx_constructor", "MIDDLEWARE");
 
     let uuid = Uuid::new_v4();
-    let result_user_id: Result<String> = extract_token(key, &cookies).map_err(|err| {
+    let result_user_id: Result<String> = extract_token(key_dec, &cookies).map_err(|err| {
         // Remove an invalid cookie
         if let Error::AuthFailJwtInvalid { .. } = err {
             cookies.remove(Cookie::named(JWT_KEY))
@@ -48,14 +51,12 @@ pub async fn mw_ctx_constructor<B>(
     next.run(req).await
 }
 
-fn verify_token(key: Hmac<Sha256>, token: &str) -> Result<String> {
-    let claims: BTreeMap<String, String> = token.verify_with_key(&key)?;
-    claims
-        .get(JWT_AUTH)
-        .ok_or(Error::AuthFailJwtWithoutAuth)
-        .map(String::from)
+fn verify_token(key: DecodingKey, token: &str) -> Result<String> {
+    Ok(decode::<Claims>(token, &key, &Validation::default())?
+        .claims
+        .auth)
 }
-fn extract_token(key: Hmac<Sha256>, cookies: &Cookies) -> Result<String> {
+fn extract_token(key: DecodingKey, cookies: &Cookies) -> Result<String> {
     cookies
         .get(JWT_KEY)
         .ok_or(Error::AuthFailNoJwtCookie)
@@ -64,31 +65,78 @@ fn extract_token(key: Hmac<Sha256>, cookies: &Cookies) -> Result<String> {
 
 #[cfg(test)]
 mod tests {
-    use crate::mw_ctx::JWT_AUTH;
-    use hmac::{Hmac, Mac};
-    use jwt::SignWithKey;
-    use sha2::Sha256;
-    use std::collections::BTreeMap;
+    use crate::mw_ctx::Claims;
+    use chrono::{Duration, Utc};
+    use jsonwebtoken::{
+        decode, encode, errors::ErrorKind, DecodingKey, EncodingKey, Header, Validation,
+    };
 
     const SECRET: &[u8] = b"some-secret";
     const SOMEONE: &str = "someone";
-    const TOKEN: &str =
     // cspell:disable-next-line
-        "eyJhbGciOiJIUzI1NiJ9.eyJhdXRoIjoic29tZW9uZSJ9.1g78DkCARXRPLRlRbzv_nKZZuykVr5_nwPaifpVTvvM";
+    const TOKEN_EXPIRED: &str = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjEsImF1dGgiOiJzb21lb25lIn0.XXHVHu2IsUPA175aQ-noWbQK4Wu-2prk3qTXjwaWBvE";
+
+    #[test]
+    fn jwt_sign_expired() {
+        let my_claims = Claims {
+            exp: 1,
+            auth: SOMEONE.to_string(),
+        };
+        let token_str = encode(
+            &Header::default(),
+            &my_claims,
+            &EncodingKey::from_secret(SECRET),
+        )
+        .unwrap();
+        assert_eq!(token_str, TOKEN_EXPIRED);
+    }
+
+    #[test]
+    fn jwt_verify_expired_ignore() {
+        let mut validation = Validation::default();
+        validation.validate_exp = false;
+        let token = decode::<Claims>(
+            TOKEN_EXPIRED,
+            &DecodingKey::from_secret(SECRET),
+            &validation,
+        )
+        .unwrap();
+        assert_eq!(token.claims.auth, SOMEONE);
+    }
 
     #[test]
-    fn jwt_sign() {
-        let key: Hmac<Sha256> = Hmac::new_from_slice(SECRET).unwrap();
-        let mut claims = BTreeMap::new();
-        claims.insert(JWT_AUTH, SOMEONE);
-        let token_str = claims.sign_with_key(&key).unwrap();
-        assert_eq!(token_str, TOKEN);
+    fn jwt_verify_expired_fail() {
+        let token_result = decode::<Claims>(
+            TOKEN_EXPIRED,
+            &DecodingKey::from_secret(SECRET),
+            &Validation::default(),
+        );
+        assert!(token_result.is_err());
+        let kind = token_result.map_err(|e| e.into_kind()).err();
+        assert_eq!(kind, Some(ErrorKind::ExpiredSignature));
     }
 
     #[test]
-    fn jwt_verify() {
-        let key: Hmac<Sha256> = Hmac::new_from_slice(SECRET).unwrap();
-        let user_id = super::verify_token(key, TOKEN).unwrap();
-        assert_eq!(user_id, SOMEONE);
+    fn jwt_sign_and_verify_with_chrono() {
+        let exp = Utc::now() + Duration::minutes(1);
+        let my_claims = Claims {
+            exp: exp.timestamp() as usize,
+            auth: SOMEONE.to_string(),
+        };
+        // Sign
+        let token_str = encode(
+            &Header::default(),
+            &my_claims,
+            &EncodingKey::from_secret(SECRET),
+        )
+        .unwrap();
+        // Verify
+        let token_result = decode::<Claims>(
+            &token_str,
+            &DecodingKey::from_secret(SECRET),
+            &Validation::default(),
+        )
+        .unwrap();
+        assert_eq!(token_result.claims.auth, SOMEONE);
     }
 }

src/main.rs

@@ -1,10 +1,10 @@
-use crate::mw_ctx::{CtxState, JWT_AUTH, JWT_KEY};
+use crate::mw_ctx::{Claims, CtxState, JWT_KEY};
 use crate::{ctx::Ctx, error::ApiError, error::Error, ApiResult};
 use axum::extract::State;
 use axum::{routing::post, Json, Router};
-use jwt::SignWithKey;
+use chrono::{Duration, Utc};
+use jsonwebtoken::{encode, Header};
 use serde::{Deserialize, Serialize};
-use std::collections::BTreeMap;
 use tower_cookies::{Cookie, Cookies};
 
 pub fn routes(state: CtxState) -> Router {
@@ -28,7 +28,7 @@ struct LoginResult {
 }
 
 async fn api_login(
-    State(CtxState { _db, key }): State<CtxState>,
+    State(CtxState { _db, key_enc, .. }): State<CtxState>,
     cookies: Cookies,
     ctx: Ctx,
     payload: Json<LoginInput>,
@@ -53,15 +53,20 @@ async fn api_login(
         });
     };
 
-    let mut claims = BTreeMap::new();
-    claims.insert(JWT_AUTH, mock_user.email);
-    // TODO: don't know how to set expiration
-    let token_str = claims.sign_with_key(&key).unwrap();
+    // NOTE: set to a reasonable number after testing
+    // NOTE when testing: the default validation.leeway is 60s
+    let exp = Utc::now() + Duration::minutes(1);
+    let claims = Claims {
+        exp: exp.timestamp() as usize,
+        auth: mock_user.email,
+    };
+    let token_str = encode(&Header::default(), &claims, &key_enc).expect("JWT encode should work");
 
     cookies.add(
         Cookie::build(JWT_KEY, token_str)
             // if not set, the path defaults to the path from which it was called - prohibiting gql on root if login is on /api
             .path("/")
+            .http_only(true)
             .finish(),
     );