aetheris-server 0.3.3

Authoritative heart and tick scheduler for the Aetheris multiplayer platform
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97

use openidconnect::core::{
    CoreClient, CoreIdTokenClaims, CoreIdTokenVerifier, CoreProviderMetadata,
};
use openidconnect::{
    ClientId, ClientSecret, EndpointMaybeSet, EndpointNotSet, EndpointSet, IssuerUrl, Nonce,
};
use std::str::FromStr;
use tonic::Status;

pub struct GoogleOidcClient {
    client: CoreClient<
        EndpointSet,
        EndpointNotSet,
        EndpointNotSet,
        EndpointNotSet,
        EndpointMaybeSet,
        EndpointMaybeSet,
    >,
}

impl GoogleOidcClient {
    /// Creates a new Google OIDC client by performing discovery.
    ///
    /// # Errors
    ///
    /// Returns an error if:
    /// - `GOOGLE_CLIENT_ID` or `GOOGLE_CLIENT_SECRET` environment variables are malformed.
    /// - The reqwest HTTP client cannot be initialized.
    /// - OIDC discovery fails (e.g., network issues, Google's discovery endpoint is unreachable).
    pub async fn new() -> Result<Self, Box<dyn std::error::Error>> {
        let client_id =
            std::env::var("GOOGLE_CLIENT_ID").map_err(|_| "GOOGLE_CLIENT_ID missing")?;
        let client_secret =
            std::env::var("GOOGLE_CLIENT_SECRET").map_err(|_| "GOOGLE_CLIENT_SECRET missing")?;

        let http_client = reqwest::Client::builder()
            .redirect(reqwest::redirect::Policy::none())
            .build()?;

        let provider_metadata = CoreProviderMetadata::discover_async(
            IssuerUrl::new("https://accounts.google.com".to_string())?,
            &|req: openidconnect::HttpRequest| {
                let client = http_client.clone();
                async move {
                    let resp = client
                        .execute(req.try_into().map_err(|e| {
                            openidconnect::HttpClientError::Other(format!("Reqwest error: {e}"))
                        })?)
                        .await
                        .map_err(|e| openidconnect::HttpClientError::Reqwest(Box::new(e)))?;

                    let status = resp.status();
                    let headers = resp.headers().clone();
                    let body = resp
                        .bytes()
                        .await
                        .map_err(|e| openidconnect::HttpClientError::Reqwest(Box::new(e)))?;

                    let mut http_resp = openidconnect::HttpResponse::new(body.to_vec());
                    *http_resp.status_mut() = status;
                    *http_resp.headers_mut() = headers;
                    Ok::<_, openidconnect::HttpClientError<reqwest::Error>>(http_resp)
                }
            },
        )
        .await?;

        let client = CoreClient::from_provider_metadata(
            provider_metadata,
            ClientId::new(client_id),
            Some(ClientSecret::new(client_secret)),
        );

        Ok(Self { client })
    }

    /// Verifies a Google ID token and returns its claims.
    ///
    /// # Errors
    ///
    /// Returns a `tonic::Status` with `Unauthenticated` if:
    /// - The ID token is malformed and cannot be parsed.
    /// - The ID token signature is invalid.
    /// - The ID token claims (issuer, audience, expiry) are invalid.
    pub fn verify_token(&self, id_token: &str, nonce: &str) -> Result<CoreIdTokenClaims, Status> {
        let id_token = openidconnect::core::CoreIdToken::from_str(id_token)
            .map_err(|e| Status::unauthenticated(format!("Malformed ID token: {e}")))?;

        let verifier: CoreIdTokenVerifier = self.client.id_token_verifier();

        let claims = id_token
            .claims(&verifier, &Nonce::new(nonce.to_string()))
            .map_err(|e| Status::unauthenticated(format!("Invalid ID token claims: {e}")))?;

        Ok(claims.clone())
    }
}