pasque 0.3.0

UDP and IP over HTTP/3
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136

use chrono::{Utc, Duration};
use jsonwebtoken::{
    decode,
    encode,
    Algorithm,
    DecodingKey,
    EncodingKey,
    Header,
    TokenData,
    Validation,
};
use serde::{Deserialize, Serialize};

use crate::PsqError;


/// Claims and functions to operate a JSON Web Tokens in Pasque.
#[derive(Debug, Serialize, Deserialize)]
pub struct Jwt {
    sub: String,
    exp: usize,
    iat: usize,
    permissions: Vec<String>,
}

impl Jwt {

    /// Create a JSON web token.
    /// 
    /// `sub` is the JWT subject, typically a user ID. `duration` defines when
    /// the token expires. Expiry time is "now" + `duration`. `permissions` tell
    /// what the token is good for: each Pasque endpoint may define a permission
    /// string that is required in the client token to allow a stream to the
    /// endpoint. `secret` is the shared secret used to encode and decode the
    /// token.
    /// 
    /// Returns the token that can be included in the HTTP Authorization header.
    pub fn create_token(
        sub: String,
        lifetime: Duration,
        permissions: Vec<String>,
        secret: &[u8],
    ) -> Result<String, PsqError> {
        let now = Utc::now();
        let claims = Jwt {
            sub,
            exp: (now + lifetime).timestamp() as usize,
            iat: now.timestamp() as usize,
            permissions,
        };
        let token = encode(
            &Header::default(),
            &claims,
            &EncodingKey::from_secret(secret),
        )?;
        Ok(token)
    }


    /// Verify a JSON web token.
    /// 
    /// `secret` is the shared secret used to verify the token. Also expiry time
    /// is verified. Returns the claims in the token, if verification succeeds. 
    pub fn verify_token(token: &str, secret: &[u8]) -> Result<TokenData<Jwt>, PsqError> {
        let validation = Validation::new(Algorithm::HS256);
        let token_data = decode::<Jwt>(
            token,
            &DecodingKey::from_secret(secret),
            &validation,
        )?;
        Ok(token_data)
    }

    /// `true` if claims contain the given permission string.
    pub fn has_permission(&self, permission: &String) -> bool {
        self.permissions.contains(permission)
    }
}


#[cfg(test)]
mod tests {
    use super::*;
    use chrono::Duration;

    const SECRET: &[u8] = b"test-secret";

    #[test]
    fn valid_token() {
        let token = Jwt::create_token(
            "user1".to_string(),
            Duration::seconds(120),
            vec!["read".to_string()],
            SECRET,
        ).expect("failed to create token");

        let result = Jwt::verify_token(&token, SECRET);
        let claims = result.unwrap().claims;
        assert_eq!(claims.sub, "user1");
        assert!(claims.has_permission(&"read".to_string()));
    }

    #[test]
    fn expired_token() {
        let token = Jwt::create_token(
            "user2".to_string(),
            Duration::seconds(-120),
            vec!["write".to_string()],
            SECRET,
        ).expect("failed to create token");

        let result = Jwt::verify_token(&token, SECRET);
        assert!(result.is_err(), "Expected token to be expired");
        let err = result.unwrap_err().to_string();
        assert!(
            err.contains("ExpiredSignature"),
            "Expected ExpiredSignature error, got: {}",
            err
        );
    }

    #[test]
    fn invalid_permission() {
        let token = Jwt::create_token(
            "user1".to_string(),
            Duration::seconds(120),
            vec!["invalid".to_string(), "other".to_string()],
            SECRET,
        ).expect("failed to create token");

        let result = Jwt::verify_token(&token, SECRET);
        let claims = result.unwrap().claims;
        assert_eq!(claims.sub, "user1");
        assert!(!claims.has_permission(&"read".to_string()));
    }
}