common-access-token 0.2.7

Implementation of the Common Access Token (CAT) specification
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237

use common_access_token::{
    cat_keys, catm, catr, catreplay, catu, current_timestamp, uri_components, Algorithm, KeyId,
    RegisteredClaims, TokenBuilder, VerificationOptions,
};
use std::collections::BTreeMap;

fn main() {
    // Create a key for signing and verification
    let key = b"my-secret-key-for-hmac-sha256";
    let now = current_timestamp() as i64;

    // Create a token with multiple CAT-specific claims
    let token = create_token_with_cat_claims(key, now);

    // Encode token to bytes
    let token_bytes = token.to_bytes().expect("Failed to encode token");
    println!(
        "Token with CAT claims encoded to {} bytes",
        token_bytes.len()
    );

    // Decode the token
    let decoded_token =
        common_access_token::Token::from_bytes(&token_bytes).expect("Failed to decode token");

    // Verify signature
    decoded_token
        .verify(key)
        .expect("Failed to verify signature");

    // Demonstrate different CAT-specific claim validations
    validate_catu_claim(&decoded_token);
    validate_catm_claim(&decoded_token);
    validate_catreplay_claim(&decoded_token);
}

/// Create a token with multiple CAT-specific claims
fn create_token_with_cat_claims(key: &[u8], now: i64) -> common_access_token::Token {
    println!("Creating token with CAT-specific claims...");

    // 1. Create a CATU claim (Common Access Token URI)
    let mut catu_components = BTreeMap::new();

    // Restrict to https scheme
    catu_components.insert(uri_components::SCHEME, catu::exact_match("https"));

    // Restrict to example.com host
    catu_components.insert(uri_components::HOST, catu::suffix_match(".example.com"));

    // Restrict to paths starting with /api
    catu_components.insert(uri_components::PATH, catu::prefix_match("/api"));

    // Restrict to .json extension
    catu_components.insert(uri_components::EXTENSION, catu::exact_match(".json"));

    println!("  Added CATU claim with URI restrictions");

    // 2. Create a CATM claim (Common Access Token Methods)
    let allowed_methods = vec!["GET", "HEAD", "OPTIONS"];
    println!("  Added CATM claim allowing methods: {:?}", allowed_methods);

    // 3. Create a CATR claim (Common Access Token Renewal)
    let renewal_params = catr::automatic_renewal(3600, Some(now + 3000));
    println!("  Added CATR claim with automatic renewal");

    // 4. Create a CATREPLAY claim (prohibit token replay)
    println!("  Added CATREPLAY claim prohibiting token replay");

    // Build the token with all CAT-specific claims
    TokenBuilder::new()
        .algorithm(Algorithm::HmacSha256)
        .protected_key_id(KeyId::string("example-key-id"))
        .registered_claims(
            RegisteredClaims::new()
                .with_issuer("example-issuer")
                .with_subject("example-subject")
                .with_audience("example-audience")
                .with_expiration(now as u64 + 3600) // 1 hour from now
                .with_not_before(now as u64)
                .with_issued_at(now as u64)
                .with_cti(b"token-id-1234".to_vec()),
        )
        // Add CAT-specific claims
        .custom_cbor(cat_keys::CATU, catu::create(catu_components))
        .custom_cbor(cat_keys::CATR, catr::create(renewal_params))
        .custom_cbor(cat_keys::CATREPLAY, catreplay::prohibited())
        .custom_array(cat_keys::CATM, catm::create(allowed_methods))
        .sign(key)
        .expect("Failed to sign token")
}

/// Validate the CATU claim against different URIs
fn validate_catu_claim(token: &common_access_token::Token) {
    println!("\nValidating CATU (URI) claim:");

    // Define URIs to test
    let valid_uri = "https://api.example.com/api/users.json";
    let invalid_scheme_uri = "http://api.example.com/api/users.json";
    let invalid_host_uri = "https://api.other-site.com/api/users.json";
    let invalid_path_uri = "https://api.example.com/users.json";
    let invalid_extension_uri = "https://api.example.com/api/users.xml";

    // Test valid URI
    let options = VerificationOptions::new().verify_catu(true).uri(valid_uri);

    match token.verify_claims(&options) {
        Ok(_) => println!("  VALID URI: {}", valid_uri),
        Err(e) => println!(
            "  ERROR: {} should be valid, but got error: {}",
            valid_uri, e
        ),
    }

    // Test invalid scheme
    let invalid_scheme_options = VerificationOptions::new()
        .verify_catu(true)
        .uri(invalid_scheme_uri);

    match token.verify_claims(&invalid_scheme_options) {
        Ok(_) => println!(
            "  ERROR: {} should be invalid (wrong scheme)",
            invalid_scheme_uri
        ),
        Err(e) => println!(
            "  INVALID URI (as expected): {} - Error: {}",
            invalid_scheme_uri, e
        ),
    }

    // Test invalid host
    let invalid_host_options = VerificationOptions::new()
        .verify_catu(true)
        .uri(invalid_host_uri);

    match token.verify_claims(&invalid_host_options) {
        Ok(_) => println!(
            "  ERROR: {} should be invalid (wrong host)",
            invalid_host_uri
        ),
        Err(e) => println!(
            "  INVALID URI (as expected): {} - Error: {}",
            invalid_host_uri, e
        ),
    }

    // Test invalid path
    let invalid_path_options = VerificationOptions::new()
        .verify_catu(true)
        .uri(invalid_path_uri);

    match token.verify_claims(&invalid_path_options) {
        Ok(_) => println!(
            "  ERROR: {} should be invalid (wrong path)",
            invalid_path_uri
        ),
        Err(e) => println!(
            "  INVALID URI (as expected): {} - Error: {}",
            invalid_path_uri, e
        ),
    }

    // Test invalid extension
    let invalid_extension_options = VerificationOptions::new()
        .verify_catu(true)
        .uri(invalid_extension_uri);

    match token.verify_claims(&invalid_extension_options) {
        Ok(_) => println!(
            "  ERROR: {} should be invalid (wrong extension)",
            invalid_extension_uri
        ),
        Err(e) => println!(
            "  INVALID URI (as expected): {} - Error: {}",
            invalid_extension_uri, e
        ),
    }
}

/// Validate the CATM claim against different HTTP methods
fn validate_catm_claim(token: &common_access_token::Token) {
    println!("\nValidating CATM (HTTP Methods) claim:");

    // Test allowed methods
    for method in &["GET", "HEAD", "OPTIONS"] {
        let options = VerificationOptions::new()
            .verify_catm(true)
            .http_method(*method);

        match token.verify_claims(&options) {
            Ok(_) => println!("  VALID METHOD: {}", method),
            Err(e) => println!("  ERROR: {} should be valid, but got error: {}", method, e),
        }
    }

    // Test disallowed methods
    for method in &["POST", "PUT", "DELETE", "PATCH"] {
        let options = VerificationOptions::new()
            .verify_catm(true)
            .http_method(*method);

        match token.verify_claims(&options) {
            Ok(_) => println!("  ERROR: {} should be invalid method", method),
            Err(e) => println!("  INVALID METHOD (as expected): {} - Error: {}", method, e),
        }
    }
}

/// Validate the CATREPLAY claim
fn validate_catreplay_claim(token: &common_access_token::Token) {
    println!("\nValidating CATREPLAY claim:");

    // Test with token not seen before (should pass)
    let options_not_seen = VerificationOptions::new()
        .verify_catreplay(true)
        .token_seen_before(false);

    match token.verify_claims(&options_not_seen) {
        Ok(_) => println!("  VALID: Token not seen before is accepted (as expected)"),
        Err(e) => println!(
            "  ERROR: Token not seen before should be valid, but got error: {}",
            e
        ),
    }

    // Test with token seen before (should fail with replay prohibited)
    let options_seen = VerificationOptions::new()
        .verify_catreplay(true)
        .token_seen_before(true);

    match token.verify_claims(&options_seen) {
        Ok(_) => println!("  ERROR: Token seen before should be rejected"),
        Err(e) => println!(
            "  INVALID (as expected): Token seen before is rejected - Error: {}",
            e
        ),
    }
}