re_auth 0.31.1

Authentication helpers for Rerun
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259

use base64::Engine as _;
use base64::prelude::BASE64_URL_SAFE_NO_PAD;
use jsonwebtoken::decode_header;

#[derive(Debug, thiserror::Error)]
pub enum TokenError {
    #[error("token does not seem to be a valid JWT token: {0}")]
    MalformedToken(#[source] jsonwebtoken::errors::Error),
}

/// Default `allowed_hosts` pattern for tokens that have no `allowed_hosts` claim.
pub const DEFAULT_ALLOWED_HOSTS: &str = ".cloud.rerun.io";

/// Environment variable to bypass the host check entirely.
pub const INSECURE_SKIP_HOST_CHECK_ENV: &str = "RERUN_INSECURE_SKIP_HOST_CHECK";

#[derive(Debug, thiserror::Error)]
#[error(
    "token is not allowed for host '{host}'; \
     set {INSECURE_SKIP_HOST_CHECK_ENV}=1 to override"
)]
pub struct HostMismatchError {
    pub host: String,
}

/// A JWT that is used to authenticate the client.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
#[repr(transparent)]
pub struct Jwt(pub(crate) String);

/// Error from decoding a JWT payload.
#[derive(Debug, thiserror::Error)]
pub enum JwtDecodeError {
    #[error("missing `.` separator between header and payload")]
    MissingHeaderPayloadSeparator,

    #[error("missing `.` separator between payload and signature")]
    MissingPayloadSignatureSeparator,

    #[error("failed to decode base64 payload: {0}")]
    Base64(#[from] base64::DecodeError),

    #[error("failed to deserialize payload: {0}")]
    Serde(#[from] serde_json::Error),
}

impl Jwt {
    pub fn as_str(&self) -> &str {
        &self.0
    }

    /// Decode the JWT payload into any deserializable type without verifying
    /// the signature.
    pub fn decode_claims<T: serde::de::DeserializeOwned>(&self) -> Result<T, JwtDecodeError> {
        let (_header, rest) = self
            .0
            .split_once('.')
            .ok_or(JwtDecodeError::MissingHeaderPayloadSeparator)?;
        let (payload, _signature) = rest
            .split_once('.')
            .ok_or(JwtDecodeError::MissingPayloadSignatureSeparator)?;
        let payload = BASE64_URL_SAFE_NO_PAD.decode(payload)?;
        Ok(serde_json::from_slice(&payload)?)
    }

    /// Returns the token string only if its `allowed_hosts` claim permits `host`.
    ///
    /// Use this whenever sending a token to a remote server to prevent
    /// accidentally leaking tokens to unintended recipients.
    pub fn for_host(&self, host: &str) -> Result<&str, HostMismatchError> {
        if token_allowed_for_host(self, host) {
            Ok(&self.0)
        } else {
            Err(HostMismatchError {
                host: host.to_owned(),
            })
        }
    }
}

impl TryFrom<String> for Jwt {
    type Error = TokenError;

    fn try_from(token: String) -> Result<Self, Self::Error> {
        // We first check if the general structure of the token is correct.
        let token = token.trim();
        let _ = decode_header(token).map_err(Self::Error::MalformedToken)?;
        Ok(Self(token.to_owned()))
    }
}

impl std::fmt::Display for Jwt {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", self.0)
    }
}

// --- Host checking ---

/// Check if a hostname matches a host pattern.
///
/// Uses RFC 6265 (cookie) domain matching semantics:
/// - A leading `.` means "this domain and all subdomains":
///   `.cloud.rerun.io` matches `api.acme.cloud.rerun.io` and
///   `acme.cloud.rerun.io`, but not `cloud.rerun.io` itself
///   or `mycloud.rerun.io`.
/// - Without a leading `.`, an exact match is required.
///
/// Both sides are normalized via [`url::Host::parse`] (IDNA / lowercase / punycode)
/// before comparison, so `API.Acme.Cloud.Rerun.IO` matches `.cloud.rerun.io`.
pub fn host_matches_pattern(pattern: &str, host: &str) -> bool {
    // Normalize the host through url::Host::parse (IDNA lowercasing + punycode).
    // If parsing fails (e.g. empty string), fall back to the raw input.
    let host_normalized = url::Host::parse(host)
        .map(|h| h.to_string())
        .unwrap_or_else(|_| host.to_owned());

    if let Some(suffix) = pattern.strip_prefix('.') {
        let suffix_normalized = url::Host::parse(suffix)
            .map(|h| h.to_string())
            .unwrap_or_else(|_| suffix.to_owned());

        // Work at the DNS label level to avoid partial-label matches.
        let suffix_labels: Vec<&str> = suffix_normalized.split('.').collect();
        let host_labels: Vec<&str> = host_normalized.split('.').collect();
        // The host must have strictly more labels than the suffix
        // (i.e. at least one subdomain label).
        host_labels.len() > suffix_labels.len() && host_labels.ends_with(&suffix_labels)
    } else {
        let pattern_normalized = url::Host::parse(pattern)
            .map(|h| h.to_string())
            .unwrap_or_else(|_| pattern.to_owned());
        host_normalized == pattern_normalized
    }
}

/// Extract the `allowed_hosts` claim from a JWT without verifying its signature.
///
/// Handles both single-string and array-of-strings representations.
fn extract_allowed_hosts_from_jwt(jwt: &Jwt) -> Result<Vec<String>, JwtDecodeError> {
    #[derive(serde::Deserialize)]
    #[serde(untagged)]
    enum StringOrVec {
        One(String),
        Many(Vec<String>),
    }

    #[derive(serde::Deserialize)]
    struct AllowedHostsOnly {
        #[serde(default)]
        allowed_hosts: Option<StringOrVec>,
    }

    let parsed: AllowedHostsOnly = jwt.decode_claims()?;

    Ok(match parsed.allowed_hosts {
        Some(StringOrVec::One(s)) => vec![s],
        Some(StringOrVec::Many(v)) => v,
        None => vec![],
    })
}

/// Check if a token's `allowed_hosts` claim permits the given host.
///
/// Works for both Rerun Cloud tokens (RS256, from `WorkOS`) and Redap
/// machine tokens (HS256, from `generate-token`).
///
/// Returns `true` if:
/// - The `RERUN_INSECURE_SKIP_HOST_CHECK` env var is set to `"1"`
/// - Any of the token's `allowed_hosts` values matches the host
///   (or [`DEFAULT_ALLOWED_HOSTS`] if no `allowed_hosts` claim is present)
///
/// Returns `false` if no pattern matches, meaning the token
/// should NOT be sent to this host.
pub fn token_allowed_for_host(jwt: &Jwt, host: &str) -> bool {
    if std::env::var(INSECURE_SKIP_HOST_CHECK_ENV).ok().as_deref() == Some("1") {
        re_log::debug!("{INSECURE_SKIP_HOST_CHECK_ENV} is set, skipping host check");
        return true;
    }

    let allowed_hosts = match extract_allowed_hosts_from_jwt(jwt) {
        Ok(hosts) => hosts,
        Err(err) => {
            re_log::debug!("failed to parse token for host check: {err}");
            return true;
        }
    };

    // If no allowed_hosts claim, fall back to the default.
    if allowed_hosts.is_empty() {
        return host_matches_pattern(DEFAULT_ALLOWED_HOSTS, host);
    }

    allowed_hosts
        .iter()
        .any(|pattern| host_matches_pattern(pattern, host))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_host_pattern_domain_match() {
        // Typical customer deployments
        assert!(host_matches_pattern(
            ".cloud.rerun.io",
            "api.acme.cloud.rerun.io"
        ));
        assert!(host_matches_pattern(
            ".cloud.rerun.io",
            "api.bigcorp.cloud.rerun.io"
        ));
        // Dev environments
        assert!(host_matches_pattern(
            ".dev.rerun.io",
            "api.jleibs.dev.rerun.io"
        ));
    }

    #[test]
    fn test_host_pattern_domain_no_match() {
        // The domain itself should not match (need at least one subdomain)
        assert!(!host_matches_pattern(".cloud.rerun.io", "cloud.rerun.io"));
        // Partial label overlap must not match
        assert!(!host_matches_pattern(".cloud.rerun.io", "mycloud.rerun.io"));
        // Completely different host
        assert!(!host_matches_pattern(".cloud.rerun.io", "evil.com"));
        assert!(!host_matches_pattern(".cloud.rerun.io", "localhost"));
    }

    #[test]
    fn test_host_pattern_exact_match() {
        assert!(host_matches_pattern(
            "api.acme.cloud.rerun.io",
            "api.acme.cloud.rerun.io"
        ));
        assert!(!host_matches_pattern(
            "api.acme.cloud.rerun.io",
            "api.bigcorp.cloud.rerun.io"
        ));
    }

    #[test]
    fn test_host_pattern_case_insensitive() {
        assert!(host_matches_pattern(
            ".cloud.rerun.io",
            "API.Acme.Cloud.Rerun.IO"
        ));
        assert!(host_matches_pattern(
            ".CLOUD.RERUN.IO",
            "api.acme.cloud.rerun.io"
        ));
        assert!(host_matches_pattern(
            "API.ACME.CLOUD.RERUN.IO",
            "api.acme.cloud.rerun.io"
        ));
    }
}