actix-jwt 0.1.0

Full-featured JWT authentication middleware for actix-web: login, logout, refresh, token rotation, cookie management, RSA/HMAC, RBAC authorizer, pluggable token store
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223

//! JWT error types.
//!
//! All errors are represented by the [`JwtError`] enum which implements
//! [`std::error::Error`], [`std::fmt::Display`] and
//! [`actix_web::ResponseError`].  Error messages match the
//! [`echo-jwt`](https://github.com/LdDl/echo-jwt) (Go implementation) sentinel
//! errors for API-level compatibility.

use std::fmt;

use actix_web::HttpResponse;
use actix_web::http::StatusCode;

/// Unified error type for the JWT middleware.
///
/// Each variant maps to a specific HTTP status code via the
/// [`actix_web::ResponseError`] implementation.
///
/// # Examples
///
/// ```
/// use actix_jwt::JwtError;
///
/// let err = JwtError::ExpiredToken;
/// assert_eq!(err.to_string(), "token is expired");
/// ```
///
/// Variants that carry a message reproduce it verbatim:
///
/// ```
/// use actix_jwt::JwtError;
///
/// let err = JwtError::TokenParsing("invalid signature".into());
/// assert_eq!(err.to_string(), "invalid signature");
/// assert!(err.is_token_parsing());
/// ```
#[derive(Debug)]
pub enum JwtError {
    /// HMAC secret key was not provided.
    MissingSecretKey,
    /// The authorizer callback rejected the request.
    Forbidden,
    /// No authenticator callback was configured.
    MissingAuthenticator,
    /// The request body could not be parsed into login credentials.
    MissingLoginValues,
    /// The authenticator callback returned an error.
    FailedAuthentication,
    /// JWT signing or encoding failed.
    FailedTokenCreation,
    /// The access token's `exp` claim is in the past.
    ExpiredToken,
    /// The `Authorization` header is present but empty.
    EmptyAuthHeader,
    /// The `exp` claim is missing from the token.
    MissingExpField,
    /// The `exp` claim is not a numeric value.
    WrongFormatOfExp,
    /// The `Authorization` header does not match the expected format.
    InvalidAuthHeader,
    /// The query-string token source was empty.
    EmptyQueryToken,
    /// The cookie token source was empty.
    EmptyCookieToken,
    /// The path-parameter token source was empty.
    EmptyParamToken,
    /// The configured signing algorithm is not supported.
    InvalidSigningAlgorithm,
    /// The private key file could not be read.
    NoPrivKeyFile,
    /// The public key file could not be read.
    NoPubKeyFile,
    /// The private key could not be parsed.
    InvalidPrivKey,
    /// The public key could not be parsed.
    InvalidPubKey,
    /// No `refresh_token` was found in the request.
    MissingRefreshToken,
    /// The refresh token failed validation.
    InvalidRefreshToken,
    /// The refresh token was not found in the store.
    RefreshTokenNotFound,
    /// The refresh token has expired.
    RefreshTokenExpired,
    /// An empty token string was passed to a store method.
    TokenEmpty,
    /// The supplied expiry timestamp is in the past.
    ExpiryInPast,
    /// A token parsing / validation error with a free-form message.
    TokenParsing(String),
    /// A token extraction error with a free-form message.
    TokenExtraction(String),
    /// An internal / infrastructure error with a free-form message.
    Internal(String),
}

impl fmt::Display for JwtError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::MissingSecretKey => write!(f, "secret key is required"),
            Self::Forbidden => {
                write!(f, "you don't have permission to access this resource")
            }
            Self::MissingAuthenticator => write!(f, "authenticator func is undefined"),
            Self::MissingLoginValues => write!(f, "missing Username or Password"),
            Self::FailedAuthentication => write!(f, "incorrect Username or Password"),
            Self::FailedTokenCreation => write!(f, "failed to create JWT Token"),
            Self::ExpiredToken => write!(f, "token is expired"),
            Self::EmptyAuthHeader => write!(f, "auth header is empty"),
            Self::MissingExpField => write!(f, "missing exp field"),
            Self::WrongFormatOfExp => write!(f, "exp must be float64 format"),
            Self::InvalidAuthHeader => write!(f, "auth header is invalid"),
            Self::EmptyQueryToken => write!(f, "query token is empty"),
            Self::EmptyCookieToken => write!(f, "cookie token is empty"),
            Self::EmptyParamToken => write!(f, "parameter token is empty"),
            Self::InvalidSigningAlgorithm => write!(f, "invalid signing algorithm"),
            Self::NoPrivKeyFile => write!(f, "private key file unreadable"),
            Self::NoPubKeyFile => write!(f, "public key file unreadable"),
            Self::InvalidPrivKey => write!(f, "private key invalid"),
            Self::InvalidPubKey => write!(f, "public key invalid"),
            Self::MissingRefreshToken => write!(f, "missing refresh_token parameter"),
            Self::InvalidRefreshToken => write!(f, "invalid or expired refresh token"),
            Self::RefreshTokenNotFound => write!(f, "refresh token not found"),
            Self::RefreshTokenExpired => write!(f, "refresh token expired"),
            Self::TokenEmpty => write!(f, "token cannot be empty"),
            Self::ExpiryInPast => write!(f, "token expiry time must be in the future"),
            Self::TokenParsing(msg) => write!(f, "{msg}"),
            Self::TokenExtraction(msg) => write!(f, "{msg}"),
            Self::Internal(msg) => write!(f, "{msg}"),
        }
    }
}

impl std::error::Error for JwtError {}

impl JwtError {
    /// Returns `true` for the [`TokenParsing`](Self::TokenParsing) variant.
    ///
    /// # Examples
    ///
    /// ```
    /// use actix_jwt::JwtError;
    ///
    /// assert!(JwtError::TokenParsing("bad".into()).is_token_parsing());
    /// assert!(!JwtError::Forbidden.is_token_parsing());
    /// ```
    pub fn is_token_parsing(&self) -> bool {
        matches!(self, Self::TokenParsing(_))
    }

    /// Returns `true` for the [`TokenExtraction`](Self::TokenExtraction) variant.
    ///
    /// # Examples
    ///
    /// ```
    /// use actix_jwt::JwtError;
    ///
    /// assert!(JwtError::TokenExtraction("empty".into()).is_token_extraction());
    /// assert!(!JwtError::ExpiredToken.is_token_extraction());
    /// ```
    pub fn is_token_extraction(&self) -> bool {
        matches!(self, Self::TokenExtraction(_))
    }

    /// Returns `true` for the [`Forbidden`](Self::Forbidden) variant.
    ///
    /// # Examples
    ///
    /// ```
    /// use actix_jwt::JwtError;
    ///
    /// assert!(JwtError::Forbidden.is_forbidden());
    /// assert!(!JwtError::ExpiredToken.is_forbidden());
    /// ```
    pub fn is_forbidden(&self) -> bool {
        matches!(self, Self::Forbidden)
    }
}

impl actix_web::ResponseError for JwtError {
    fn status_code(&self) -> StatusCode {
        match self {
            Self::Forbidden => StatusCode::FORBIDDEN,

            Self::MissingSecretKey
            | Self::MissingAuthenticator
            | Self::FailedTokenCreation
            | Self::Internal(_) => StatusCode::INTERNAL_SERVER_ERROR,

            Self::MissingLoginValues
            | Self::EmptyAuthHeader
            | Self::MissingExpField
            | Self::WrongFormatOfExp
            | Self::InvalidAuthHeader
            | Self::EmptyQueryToken
            | Self::EmptyCookieToken
            | Self::EmptyParamToken
            | Self::MissingRefreshToken
            | Self::TokenExtraction(_) => StatusCode::BAD_REQUEST,

            Self::FailedAuthentication
            | Self::ExpiredToken
            | Self::InvalidSigningAlgorithm
            | Self::NoPrivKeyFile
            | Self::NoPubKeyFile
            | Self::InvalidPrivKey
            | Self::InvalidPubKey
            | Self::InvalidRefreshToken
            | Self::RefreshTokenNotFound
            | Self::RefreshTokenExpired
            | Self::TokenEmpty
            | Self::ExpiryInPast
            | Self::TokenParsing(_) => StatusCode::UNAUTHORIZED,
        }
    }

    fn error_response(&self) -> HttpResponse {
        HttpResponse::build(self.status_code()).json(serde_json::json!({
            "code": self.status_code().as_u16(),
            "message": self.to_string(),
        }))
    }
}