1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
use axum::{
body::{self, BoxBody, Empty},
http::StatusCode,
response::{IntoResponse, Response},
};
use http::header;
use jsonwebtoken::Algorithm;
use thiserror::Error;
use tracing::debug;
#[derive(Debug, Error)]
pub enum InitError {
#[error("Builder Error {0}")]
BuilderError(String),
#[error(transparent)]
KeyFileError(#[from] std::io::Error),
#[error(transparent)]
KeyFileDecodingError(#[from] jsonwebtoken::errors::Error),
}
#[derive(Debug, Error)]
pub enum AuthError {
#[error(transparent)]
JwksSerialisationError(#[from] serde_json::Error),
#[error(transparent)]
JwksRefreshError(#[from] reqwest::Error),
#[error("InvalidKey {0}")]
InvalidKey(String),
#[error("Invalid Kid {0}")]
InvalidKid(String),
#[error("Invalid Key Algorithm {0:?}")]
InvalidKeyAlg(Algorithm),
#[error("Missing Token")]
MissingToken(),
#[error(transparent)]
InvalidToken(#[from] jsonwebtoken::errors::Error),
#[error("Invalid Claim")]
InvalidClaims(),
}
fn response_wwwauth(status: StatusCode, bearer: &str) -> Response<BoxBody> {
let mut res = Response::new(body::boxed(Empty::new()));
*res.status_mut() = status;
let h = if bearer.is_empty() {
"Bearer".to_owned()
} else {
format!("Bearer {}", bearer)
};
res.headers_mut().insert(header::WWW_AUTHENTICATE, h.parse().unwrap());
res
}
fn response_500() -> Response<BoxBody> {
let mut res = Response::new(body::boxed(Empty::new()));
*res.status_mut() = StatusCode::INTERNAL_SERVER_ERROR;
res
}
impl IntoResponse for AuthError {
fn into_response(self) -> Response {
let resp = match self {
AuthError::JwksRefreshError(err) => {
tracing::error!("AuthErrors::JwksRefreshError: {}", err);
response_500()
}
AuthError::InvalidKey(err) => {
tracing::error!("AuthErrors::InvalidKey: {}", err);
response_500()
}
AuthError::JwksSerialisationError(err) => {
tracing::error!("AuthErrors::JwksSerialisationError: {}", err);
response_500()
}
AuthError::InvalidKeyAlg(err) => {
debug!("AuthErrors::InvalidKeyAlg: {:?}", err);
response_wwwauth(
StatusCode::UNAUTHORIZED,
"error=\"invalid_token\", error_description=\"invalid key algorithm\"",
)
}
AuthError::InvalidKid(err) => {
debug!("AuthErrors::InvalidKid: {}", err);
response_wwwauth(
StatusCode::UNAUTHORIZED,
"error=\"invalid_token\", error_description=\"invalid kid\"",
)
}
AuthError::InvalidToken(err) => {
debug!("AuthErrors::InvalidToken: {}", err);
response_wwwauth(StatusCode::UNAUTHORIZED, "error=\"invalid_token\"")
}
AuthError::MissingToken() => {
debug!("AuthErrors::MissingToken");
response_wwwauth(StatusCode::UNAUTHORIZED, "")
}
AuthError::InvalidClaims() => {
debug!("AuthErrors::InvalidClaims");
response_wwwauth(StatusCode::FORBIDDEN, "error=\"insufficient_scope\"")
}
};
resp
}
}