oxillama-server 0.1.3

OpenAI-compatible HTTP API server for OxiLLaMa
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71

//! Axum middleware that verifies JWT tokens and enforces scope requirements.

use std::sync::Arc;

use axum::{
    extract::Request,
    http::StatusCode,
    middleware::Next,
    response::{IntoResponse, Response},
};

use super::verifier::JwtVerifier;

/// Axum middleware function that:
/// 1. Extracts `Authorization: Bearer <token>` from the request.
/// 2. Verifies the JWT using the shared [`JwtVerifier`].
/// 3. Checks that the claims carry all scopes required for the request path.
///
/// On success, the request is forwarded to the next handler unchanged.
/// On failure, a `401 Unauthorized` or `403 Forbidden` response is returned
/// immediately with a human-readable message (no OpenAI error envelope here —
/// auth errors should be explicit).
pub async fn jwt_auth_middleware(
    axum::extract::State(verifier): axum::extract::State<Arc<JwtVerifier>>,
    req: Request,
    next: Next,
) -> Response {
    let path = req.uri().path().to_string();

    // Extract Bearer token from the Authorization header.
    let token = match req
        .headers()
        .get("authorization")
        .and_then(|v| v.to_str().ok())
        .and_then(|v| v.strip_prefix("Bearer "))
    {
        Some(t) => t.to_string(),
        None => {
            return (
                StatusCode::UNAUTHORIZED,
                "Missing or malformed Authorization header (expected: Bearer <token>)",
            )
                .into_response();
        }
    };

    // Verify the JWT.
    let claims = match verifier.verify(&token) {
        Ok(c) => c,
        Err(e) => {
            return (StatusCode::UNAUTHORIZED, e.to_string()).into_response();
        }
    };

    // Check scope requirements for this path.
    let required = verifier.required_scopes_for_path(&path);
    if !required.is_empty() {
        let user_scopes = verifier.scopes_from_claims(&claims);
        for req_scope in required {
            if !user_scopes.contains(req_scope) {
                return (
                    StatusCode::FORBIDDEN,
                    format!("Insufficient scope: missing {}", req_scope.as_str()),
                )
                    .into_response();
            }
        }
    }

    next.run(req).await
}