hs256-bin 0.1.0

Minimal token implementation that uses byte values
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

use base64ct::{Base64UrlUnpadded, Encoding};
use ring::hmac::{self, HMAC_SHA256};

#[derive(Debug)]
pub enum DecodeError {
    InvalidToken,
    InvalidSignature,
}

impl From<base64ct::Error> for DecodeError {
    fn from(_: base64ct::Error) -> Self {
        Self::InvalidToken
    }
}

/// Tokens interface for creating and validating tokens
pub struct Tokens {
    key: hmac::Key,
}

impl Tokens {
    /// Creates a new tokens interface from the provided
    /// secret key
    ///
    /// `secret` The secret key
    pub fn new(secret: &[u8]) -> Self {
        // Create a new HMAC key using the provided secret
        let key = hmac::Key::new(HMAC_SHA256, secret);
        Self { key }
    }

    /// Encodes the value by base64 encoding the value and a
    /// signature for the value then joining them
    ///
    /// `value` The data to encode as the token value
    pub fn encode(&self, value: &[u8]) -> String {
        // Encode the message
        let msg = Base64UrlUnpadded::encode_string(value);

        // Create a signature from the raw message bytes
        let sig = hmac::sign(&self.key, value);
        let sig = Base64UrlUnpadded::encode_string(sig.as_ref());

        // Join the message and signature to create the token
        [msg, sig].join(".")
    }

    /// Decodes a token claims from the provided token string
    ///
    /// `token` The token to decode
    pub fn decode(&self, token: &str) -> Result<Vec<u8>, DecodeError> {
        // Split the token parts
        let (msg, sig) = match token.split_once('.') {
            Some(value) => value,
            None => return Err(DecodeError::InvalidToken),
        };

        // Decode the message signature
        let msg: Vec<u8> = Base64UrlUnpadded::decode_vec(msg)?;
        let sig: Vec<u8> = Base64UrlUnpadded::decode_vec(sig)?;

        // Verify the signature
        if hmac::verify(&self.key, &msg, &sig).is_err() {
            return Err(DecodeError::InvalidSignature);
        }

        // Decode the verified token claims
        Ok(msg)
    }
}