cedros-login-server 0.0.45

Authentication server for cedros-login with email/password, Google OAuth, and Solana wallet sign-in
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321

//! Token utilities for secure hashing and validation

use aes_gcm::aead::{Aead, KeyInit};
use aes_gcm::{Aes256Gcm, Nonce};
use base64::Engine as _;
use hmac::{Hmac, Mac};
use rand::rngs::OsRng;
use rand::RngCore;
use sha2::{Digest, Sha256};
use subtle::ConstantTimeEq;

use crate::errors::AppError;

/// HMAC key derivation info for refresh tokens (domain separation).
const REFRESH_TOKEN_HMAC_INFO: &[u8] = b"cedros:refresh_token_hash:v1";

/// HKDF info for TokenCipher encryption key derivation (domain separation).
const TOKEN_CIPHER_KEY_INFO: &[u8] = b"cedros:token_cipher_aes256:v1";

/// Hash a refresh token for secure storage using HMAC-SHA256.
///
/// # Security
///
/// Uses HMAC-SHA256 with a server secret for defense-in-depth. Even if the database
/// is compromised, an attacker cannot verify tokens without the server secret.
///
/// For refresh tokens with ~262 bits of entropy, brute-force attacks are infeasible
/// regardless of the hash function. HMAC provides an additional layer of protection.
///
/// # Arguments
///
/// * `token` - The plaintext refresh token to hash
/// * `secret` - The server secret (typically JWT secret, ≥32 bytes)
pub fn hash_refresh_token(token: &str, secret: &str) -> String {
    // Derive an HMAC key from the secret with domain separation
    let mut key_hasher = Sha256::new();
    key_hasher.update(secret.as_bytes());
    key_hasher.update(REFRESH_TOKEN_HMAC_INFO);
    let hmac_key = key_hasher.finalize();

    // Compute HMAC-SHA256
    let mut mac: Hmac<Sha256> =
        Mac::new_from_slice(&hmac_key).expect("HMAC can take key of any size");
    mac.update(token.as_bytes());
    let result = mac.finalize();
    hex::encode(result.into_bytes())
}

/// Verify a refresh token against a stored hash using constant-time comparison.
///
/// # Security
///
/// Uses constant-time comparison to prevent timing attacks.
///
/// # Arguments
///
/// * `token` - The plaintext refresh token to verify
/// * `secret` - The server secret (must match what was used for hashing)
/// * `stored_hash` - The stored HMAC hash to compare against
pub fn verify_refresh_token(token: &str, secret: &str, stored_hash: &str) -> bool {
    let computed_hash = hash_refresh_token(token, secret);
    // Constant-time comparison to prevent timing attacks
    computed_hash
        .as_bytes()
        .ct_eq(stored_hash.as_bytes())
        .into()
}

/// TokenCipher encrypts/decrypts sensitive tokens stored in the outbox payload.
#[derive(Clone, zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct TokenCipher {
    /// New key derived with HMAC (S-05)
    key: [u8; 32],
    /// Legacy key derived with raw SHA-256 (for backwards compatibility)
    legacy_key: [u8; 32],
}

impl std::fmt::Debug for TokenCipher {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("TokenCipher")
            .field("key", &"[REDACTED]")
            .field("legacy_key", &"[REDACTED]")
            .finish()
    }
}

impl TokenCipher {
    /// Create a new TokenCipher with a secret.
    ///
    /// # Security (S-05)
    ///
    /// Uses HMAC-based key derivation with domain separation instead of raw SHA-256.
    /// This follows HKDF-Extract pattern: derive key material using HMAC with an
    /// info string to ensure keys derived for different purposes are independent.
    ///
    /// # Backwards Compatibility
    ///
    /// Maintains ability to decrypt data encrypted with the old SHA-256 key derivation.
    /// New encryptions always use the new HMAC-derived key.
    pub fn new(secret: &str) -> Self {
        // S-05: Use HMAC-based key derivation with domain separation.
        // Derive key material using a secret-keyed PRF:
        //   key = HMAC(secret, info)
        // This avoids using a public constant as the HMAC key.
        let mut mac: Hmac<Sha256> =
            Mac::new_from_slice(secret.as_bytes()).expect("HMAC can take key of any size");
        mac.update(TOKEN_CIPHER_KEY_INFO);
        let result = mac.finalize();

        let mut key = [0u8; 32];
        key.copy_from_slice(&result.into_bytes());

        // Legacy key for backwards compatibility (raw SHA-256)
        let legacy_digest = Sha256::digest(secret.as_bytes());
        let mut legacy_key = [0u8; 32];
        legacy_key.copy_from_slice(&legacy_digest);

        Self { key, legacy_key }
    }

    pub fn encrypt(&self, token: &str) -> Result<String, AppError> {
        // Always encrypt with new HMAC-derived key
        let cipher = Aes256Gcm::new_from_slice(&self.key)
            .expect("TokenCipher key length is fixed at 32 bytes");
        let mut nonce_bytes = [0u8; 12];
        OsRng.fill_bytes(&mut nonce_bytes);
        #[allow(deprecated)]
        let nonce = Nonce::from_slice(&nonce_bytes);

        let ciphertext = cipher
            .encrypt(nonce, token.as_bytes())
            .map_err(|_| AppError::Internal(anyhow::anyhow!("Failed to encrypt token")))?;

        let mut combined = Vec::with_capacity(nonce_bytes.len() + ciphertext.len());
        combined.extend_from_slice(&nonce_bytes);
        combined.extend_from_slice(&ciphertext);

        Ok(base64::engine::general_purpose::STANDARD.encode(combined))
    }

    pub fn decrypt(&self, encoded: &str) -> Result<String, AppError> {
        let decoded = base64::engine::general_purpose::STANDARD
            .decode(encoded)
            .map_err(|_| AppError::Internal(anyhow::anyhow!("Failed to decode token payload")))?;

        if decoded.len() < 12 {
            return Err(AppError::Internal(anyhow::anyhow!(
                "Invalid token payload length"
            )));
        }

        let (nonce_bytes, ciphertext) = decoded.split_at(12);

        // Try new key first
        let cipher = Aes256Gcm::new_from_slice(&self.key)
            .expect("TokenCipher key length is fixed at 32 bytes");
        #[allow(deprecated)]
        let nonce = Nonce::from_slice(nonce_bytes);

        if let Ok(plaintext) = cipher.decrypt(nonce, ciphertext) {
            return String::from_utf8(plaintext).map_err(|_| {
                AppError::Internal(anyhow::anyhow!("Invalid token payload encoding"))
            });
        }

        // Fallback to legacy key for backwards compatibility
        let legacy_cipher = Aes256Gcm::new_from_slice(&self.legacy_key)
            .expect("TokenCipher legacy key length is fixed at 32 bytes");
        let plaintext = legacy_cipher
            .decrypt(nonce, ciphertext)
            .map_err(|_| AppError::Internal(anyhow::anyhow!("Failed to decrypt token")))?;

        String::from_utf8(plaintext)
            .map_err(|_| AppError::Internal(anyhow::anyhow!("Invalid token payload encoding")))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    const TEST_SECRET: &str = "test-secret-key-for-hmac-operations";

    #[test]
    fn test_hash_refresh_token_deterministic() {
        let token = "test-refresh-token-123";
        let hash1 = hash_refresh_token(token, TEST_SECRET);
        let hash2 = hash_refresh_token(token, TEST_SECRET);
        assert_eq!(hash1, hash2);
    }

    #[test]
    fn test_hash_refresh_token_different_inputs() {
        let hash1 = hash_refresh_token("token1", TEST_SECRET);
        let hash2 = hash_refresh_token("token2", TEST_SECRET);
        assert_ne!(hash1, hash2);
    }

    #[test]
    fn test_hash_refresh_token_different_secrets() {
        let token = "same-token";
        let hash1 = hash_refresh_token(token, "secret1");
        let hash2 = hash_refresh_token(token, "secret2");
        assert_ne!(
            hash1, hash2,
            "Different secrets should produce different hashes"
        );
    }

    #[test]
    fn test_hash_refresh_token_length() {
        // HMAC-SHA256 produces 64 hex characters (32 bytes)
        let hash = hash_refresh_token("any-token", TEST_SECRET);
        assert_eq!(hash.len(), 64);
    }

    #[test]
    fn test_hash_refresh_token_hex_format() {
        let hash = hash_refresh_token("test", TEST_SECRET);
        // Should only contain hex characters
        assert!(hash.chars().all(|c| c.is_ascii_hexdigit()));
    }

    #[test]
    fn test_verify_refresh_token_valid() {
        let token = "my-refresh-token";
        let hash = hash_refresh_token(token, TEST_SECRET);
        assert!(verify_refresh_token(token, TEST_SECRET, &hash));
    }

    #[test]
    fn test_verify_refresh_token_invalid_token() {
        let token = "my-refresh-token";
        let hash = hash_refresh_token(token, TEST_SECRET);
        assert!(!verify_refresh_token("wrong-token", TEST_SECRET, &hash));
    }

    #[test]
    fn test_verify_refresh_token_invalid_secret() {
        let token = "my-refresh-token";
        let hash = hash_refresh_token(token, TEST_SECRET);
        assert!(!verify_refresh_token(token, "wrong-secret", &hash));
    }

    #[test]
    fn test_verify_refresh_token_invalid_hash() {
        let token = "my-refresh-token";
        assert!(!verify_refresh_token(token, TEST_SECRET, "invalid-hash"));
    }

    #[test]
    fn test_token_cipher_roundtrip() {
        let cipher = TokenCipher::new("test-secret");
        let token = "token-value-123";
        let encrypted = cipher.encrypt(token).unwrap();
        let decrypted = cipher.decrypt(&encrypted).unwrap();
        assert_eq!(decrypted, token);
    }

    #[test]
    fn test_token_cipher_rejects_invalid_payload() {
        let cipher = TokenCipher::new("test-secret");
        let result = cipher.decrypt("not-base64");
        assert!(result.is_err());
    }

    #[test]
    fn test_token_cipher_legacy_decryption() {
        // S-05: Test backwards compatibility with legacy SHA-256 key derivation
        // Simulate encrypting with old method (raw SHA-256)
        let secret = "test-secret";
        let token = "legacy-token-123";

        // Encrypt using legacy key derivation (raw SHA-256)
        let legacy_digest = Sha256::digest(secret.as_bytes());
        let legacy_cipher =
            Aes256Gcm::new_from_slice(&legacy_digest).expect("SHA-256 digest is 32 bytes");
        let mut nonce_bytes = [0u8; 12];
        OsRng.fill_bytes(&mut nonce_bytes);
        #[allow(deprecated)]
        let nonce = Nonce::from_slice(&nonce_bytes);

        let ciphertext = legacy_cipher.encrypt(nonce, token.as_bytes()).unwrap();

        let mut combined = Vec::with_capacity(nonce_bytes.len() + ciphertext.len());
        combined.extend_from_slice(&nonce_bytes);
        combined.extend_from_slice(&ciphertext);
        let legacy_encrypted = base64::engine::general_purpose::STANDARD.encode(combined);

        // New cipher should be able to decrypt legacy data
        let cipher = TokenCipher::new(secret);
        let decrypted = cipher.decrypt(&legacy_encrypted).unwrap();
        assert_eq!(decrypted, token);
    }

    #[test]
    fn test_token_cipher_uses_new_key_for_encryption() {
        // Verify new encryptions use the HMAC-derived key (not the legacy one)
        let cipher = TokenCipher::new("test-secret");
        let token = "new-token-123";
        let encrypted = cipher.encrypt(token).unwrap();

        // New encryption should work with the new key
        let decrypted = cipher.decrypt(&encrypted).unwrap();
        assert_eq!(decrypted, token);
    }

    #[test]
    fn test_token_cipher_key_depends_on_secret() {
        // Regression test: key derivation must be secret-keyed.
        // If we accidentally key the HMAC with a public constant, this would still
        // "work" functionally but is a crypto footgun.
        let a = TokenCipher::new("secret-a");
        let b = TokenCipher::new("secret-b");
        assert_ne!(
            a.encrypt("token").unwrap(),
            b.encrypt("token").unwrap(),
            "Different secrets should produce different ciphertexts"
        );
    }
}