wepub-core 0.2.0

Library for publishing browser extensions to Chrome Web Store and Firefox AMO
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101

use std::time::{SystemTime, UNIX_EPOCH};

use jsonwebtoken::{Algorithm, EncodingKey, Header, encode};
use serde::Serialize;
use uuid::Uuid;

use crate::{Result, WepubError};

const TOKEN_LIFETIME_SECS: u64 = 60;

#[derive(Debug, Serialize)]
struct Claims {
    iss: String,
    jti: String,
    iat: u64,
    exp: u64,
}

pub(crate) fn generate_jwt(issuer: &str, secret: &str) -> Result<String> {
    let now = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map_err(|e| WepubError::Internal(format!("system clock before UNIX epoch: {e}")))?
        .as_secs();

    let claims = Claims {
        iss: issuer.to_string(),
        jti: Uuid::new_v4().to_string(),
        iat: now,
        exp: now + TOKEN_LIFETIME_SECS,
    };

    encode(
        &Header::new(Algorithm::HS256),
        &claims,
        &EncodingKey::from_secret(secret.as_bytes()),
    )
    .map_err(|e| WepubError::Internal(format!("failed to encode JWT: {e}")))
}

#[cfg(test)]
mod tests {
    use super::*;
    use jsonwebtoken::{DecodingKey, Validation, decode};
    use serde::Deserialize;

    #[derive(Debug, Deserialize)]
    struct DecodedClaims {
        iss: String,
        jti: String,
        iat: u64,
        exp: u64,
    }

    #[test]
    fn jwt_payload_matches_amo_spec() {
        let token = generate_jwt("user:123:456", "secret-key").unwrap();

        let mut validation = Validation::new(Algorithm::HS256);
        validation.validate_exp = false;
        validation.required_spec_claims.clear();

        let decoded = decode::<DecodedClaims>(
            &token,
            &DecodingKey::from_secret(b"secret-key"),
            &validation,
        )
        .unwrap();

        assert_eq!(decoded.claims.iss, "user:123:456");
        assert_eq!(decoded.claims.exp - decoded.claims.iat, TOKEN_LIFETIME_SECS);
        assert_eq!(decoded.claims.jti.len(), 36); // UUID v4 string length
    }

    #[test]
    fn jwt_rejects_wrong_secret() {
        let token = generate_jwt("issuer", "correct-secret").unwrap();

        let mut validation = Validation::new(Algorithm::HS256);
        validation.validate_exp = false;
        validation.required_spec_claims.clear();

        let err = decode::<DecodedClaims>(
            &token,
            &DecodingKey::from_secret(b"wrong-secret"),
            &validation,
        )
        .unwrap_err();

        assert!(matches!(
            err.kind(),
            jsonwebtoken::errors::ErrorKind::InvalidSignature
        ));
    }

    #[test]
    fn each_call_generates_unique_jti() {
        let t1 = generate_jwt("issuer", "secret").unwrap();
        let t2 = generate_jwt("issuer", "secret").unwrap();
        assert_ne!(t1, t2, "jti should be unique per call");
    }
}