feat: adds support for jwks

2025-01-19 18:29:13 +01:00 · 2025-01-19 18:29:13 +01:00 · c74aef3eb0
commit c74aef3eb0
parent edf6e84a9a
5 changed files with 1159 additions and 38 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/casket-backend/Cargo.toml
+++ b/casket-backend/Cargo.toml
@ -7,6 +7,8 @@ repository = "https://git.nifni.eu/nif/casket"

 [dependencies]
 axum = { version = "0.8.1", features = ["multipart", "macros"] }
+axum-extra = { version = "0.10.0", features = ["typed-header"] }
+axum-jwks = "0.10.0"
 tokio = { version = "1.42.0", features = ["full"] }
 tokio-util = { version = "0.7.13", features = ["io"] }
 futures = "0.3"
--- a/casket-backend/src/auth.rs
+++ b/casket-backend/src/auth.rs
@ -0,0 +1,34 @@
+use axum::extract::{FromRef, Request, State};
+use axum::http::StatusCode;
+use axum::middleware::Next;
+use axum::response::{IntoResponse, Response};
+use axum_extra::headers::Authorization;
+use axum_extra::headers::authorization::Bearer;
+use axum_extra::TypedHeader;
+use axum_jwks::Jwks;
+use serde::{Deserialize, Serialize};
+use crate::AppState;
+
+#[derive(Deserialize, Serialize)]
+struct Claims {}
+
+impl FromRef<AppState> for Jwks {
+    fn from_ref(state: &AppState) -> Self {
+        state.jwks.clone()
+    }
+}
+
+pub async fn validate_token(
+    State(state): State<AppState>,
+    TypedHeader(Authorization(bearer)): TypedHeader<Authorization<Bearer>>,
+    request: Request,
+    next: Next,
+) -> Response {
+    let jwks = Jwks::from_ref(&state);
+
+    if jwks.validate_claims::<Claims>(bearer.token()).is_err() {
+        return StatusCode::UNAUTHORIZED.into_response();
+    }
+
+    next.run(request).await
+}
--- a/casket-backend/src/config.rs
+++ b/casket-backend/src/config.rs
@ -9,6 +9,7 @@ pub const CONFIG_LOCATIONS: [&str; 2] = ["casket-backend/casket.toml", "/config/
 pub struct Config {
    pub server: Server,
    pub files: Files,
+    pub oidc: Oidc
 }

 #[derive(Deserialize, Clone, Debug)]
@ -21,6 +22,11 @@ pub struct Files {
    pub directory: PathBuf,
 }

+#[derive(Deserialize, Clone, Debug)]
+pub struct Oidc {
+    pub oidc_endpoint: String
+}
+
 pub fn get_config() -> figment::Result<Config> {
    CONFIG_LOCATIONS
        .iter()
--- a/casket-backend/src/main.rs
+++ b/casket-backend/src/main.rs
@ -1,20 +1,23 @@
 #![warn(clippy::pedantic)]

+mod auth;
 mod config;
 mod errors;
+mod extractor_helper;
 mod files;
 mod routes;
-mod extractor_helper;

-use axum::Router;
+use axum::{middleware, Router};
+use axum_jwks::Jwks;
 use std::env;
 use std::process::exit;
 use std::str::FromStr;
 use tracing::{debug, error, info};

-#[derive(Clone, Debug)]
+#[derive(Clone)]
 pub struct AppState {
    config: config::Config,
+    pub jwks: Jwks,
 }

 #[tokio::main]
@ -26,10 +29,24 @@ async fn main() {
    match config {
        Ok(config) => {
            debug!("Config loaded {:?}", &config,);
+            let jwks = Jwks::from_oidc_url(
+                // The Authorization Server that signs the JWTs you want to consume.
+                &config.oidc.oidc_endpoint,
+                // The audience identifier for the application. This ensures that
+                // JWTs are intended for this application.
+                None,
+            )
+            .await
+            .unwrap();
            let bind = format!("{}:{}", &config.server.bind_address, &config.server.port);
+            let state = AppState { config, jwks };
            let app = Router::new()
                .merge(routes::routes())
-                .with_state(AppState { config });
+                .route_layer(middleware::from_fn_with_state(
+                    state.clone(),
+                    auth::validate_token,
+                ))
+                .with_state(state);

            let listener = tokio::net::TcpListener::bind(bind).await.unwrap();
            info!("listening on {}", listener.local_addr().unwrap());