ncryptf-rs 0.5.7

Secure API authentication and end to end encryption.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122

use chrono::Utc;
use dryoc::constants::{
    CRYPTO_SIGN_PUBLICKEYBYTES,
    CRYPTO_SIGN_SECRETKEYBYTES
};
use dryoc::sign::SigningKeyPair;
use base64::{Engine as _, engine::general_purpose};

use crate::error::NcryptfError as Error;
use serde::{Deserialize, Serialize};

/// Authorization token data to be either stored locally, or server side in a cache.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Token {
    pub access_token: String,
    pub refresh_token: String,
    pub ikm: Vec<u8>,
    pub signature: Vec<u8>,
    pub expires_at: i64,
}

impl Token {
    /// Creates a new token with a given lifetime
    pub fn new(lifetime: i64) -> Token {
        let now = Utc::now().timestamp();
        let expires_at: i64;
        if lifetime >= 0 {
            expires_at = now + lifetime;
        } else {
            expires_at = now;
        }

        return Self {
            access_token: general_purpose::URL_SAFE.encode(crate::util::randombytes_buf(48)),
            refresh_token: general_purpose::URL_SAFE.encode(crate::util::randombytes_buf(64)),
            ikm: crate::util::randombytes_buf(32),
            signature: crate::util::randombytes_buf(64),
            expires_at: expires_at,
        };
    }

    /// Creates a new token from the provided values
    pub fn from(
        access_token: String,
        refresh_token: String,
        ikm: Vec<u8>,
        signature: Vec<u8>,
        expires_at: i64,
    ) -> Result<Token, Error> {
        if ikm.len() != 32 {
            return Err(Error::InvalidArgument(format!(
                "Initial key material should be {} bytes",
                32
            )));
        }

        if signature.len() != 64 {
            return Err(Error::InvalidArgument(format!(
                "Signature secret key should be {} bytes",
                64
            )));
        }

        return Ok(Self {
            access_token,
            refresh_token,
            ikm,
            signature,
            expires_at,
        });
    }

    /// Given a serde_json::Value, will attempt to return a token
    pub fn from_json(json: serde_json::Value) -> Result<Self, Error> {
        if json.get("access_token").is_none()
            || json.get("refresh_token").is_none()
            || json.get("ikm").is_none()
            || json.get("signing").is_none()
            || json.get("expires_at").is_none()
        {
            return Err(Error::InvalidArgument(format!(
                "The provided JSON object is not valid for tokenization."
            )));
        }

        return match Token::from(
            json.get("access_token").unwrap().to_string(),
            json.get("refresh_token").unwrap().to_string(),
            general_purpose::STANDARD.decode(json.get("ikm").unwrap().as_str().unwrap()).unwrap(),
            general_purpose::STANDARD.decode(json.get("signing").unwrap().as_str().unwrap()).unwrap(),
            json.get("expires_at").unwrap().as_i64().unwrap(),
        ) {
            Ok(token) => return Ok(token),
            Err(_error) => Err(_error),
        };
    }

    /// Returns true of the token is expired
    /// If the token is expired, it should be discarded
    pub fn is_expired(&self) -> bool {
        let now = Utc::now().timestamp();
        return now > self.expires_at;
    }

    /// Returns the public key for the signature
    pub fn get_signature_public_key(&self) -> Result<Vec<u8>, Error> {
        if self.signature.len() != CRYPTO_SIGN_SECRETKEYBYTES {
            return Err(Error::TokenSignatureSize(format!(
                "Signature secret key should be {} bytes",
                CRYPTO_SIGN_SECRETKEYBYTES
            )));
        }

        // Convert Vec<u8> to fixed-size array
        let mut secret_key_bytes = [0u8; CRYPTO_SIGN_SECRETKEYBYTES];
        secret_key_bytes.copy_from_slice(&self.signature);

        let keypair: SigningKeyPair<[u8; CRYPTO_SIGN_PUBLICKEYBYTES], [u8; CRYPTO_SIGN_SECRETKEYBYTES]> = SigningKeyPair::from_secret_key(secret_key_bytes);

        return Ok(keypair.public_key.to_vec());
    }
}