kontext_dev_sdk/

verify.rs

use std::collections::HashSet;

use jsonwebtoken::Algorithm;
use jsonwebtoken::DecodingKey;
use jsonwebtoken::Validation;
use serde::{Deserialize, Serialize};

#[derive(Clone, Debug)]
pub struct KontextTokenVerifierConfig {
    pub jwks_url: String,
    pub issuer: String,
    pub audience: String,
    pub required_scopes: Vec<String>,
}

#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct VerifiedTokenClaims {
    pub subject: Option<String>,
    pub issuer: Option<String>,
    pub audience: Vec<String>,
    pub scope: Option<String>,
    pub client_id: Option<String>,
    pub expires_at: Option<u64>,
    pub raw: serde_json::Value,
}

#[derive(Clone, Debug, Deserialize, Serialize, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum TokenVerificationErrorCode {
    MissingKid,
    JwksFetchFailed,
    SigningKeyNotFound,
    UnsupportedKey,
    InvalidToken,
    MissingScope,
}

#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct TokenVerificationError {
    pub code: TokenVerificationErrorCode,
    pub message: String,
}

#[derive(Clone, Debug, Deserialize, Serialize)]
#[serde(rename_all = "camelCase")]
pub struct VerifyResult {
    pub success: bool,
    pub claims: Option<VerifiedTokenClaims>,
    pub error: Option<TokenVerificationError>,
}

#[derive(Clone, Debug)]
pub struct JwksClient {
    jwks_url: String,
    http: reqwest::Client,
}

impl JwksClient {
    pub fn new(jwks_url: impl Into<String>) -> Self {
        Self {
            jwks_url: jwks_url.into(),
            http: reqwest::Client::new(),
        }
    }

    async fn fetch(&self) -> Result<JwkSet, TokenVerificationError> {
        let response = self
            .http
            .get(self.jwks_url.as_str())
            .send()
            .await
            .map_err(|err| TokenVerificationError {
                code: TokenVerificationErrorCode::JwksFetchFailed,
                message: err.to_string(),
            })?;

        if !response.status().is_success() {
            let status = response.status();
            let body = response.text().await.unwrap_or_default();
            return Err(TokenVerificationError {
                code: TokenVerificationErrorCode::JwksFetchFailed,
                message: format!("{status}: {body}"),
            });
        }

        response
            .json::<JwkSet>()
            .await
            .map_err(|err| TokenVerificationError {
                code: TokenVerificationErrorCode::JwksFetchFailed,
                message: err.to_string(),
            })
    }
}

#[derive(Clone, Debug)]
pub struct KontextTokenVerifier {
    config: KontextTokenVerifierConfig,
    jwks_client: JwksClient,
}

impl KontextTokenVerifier {
    pub fn new(config: KontextTokenVerifierConfig) -> Self {
        let jwks_client = JwksClient::new(config.jwks_url.clone());
        Self {
            config,
            jwks_client,
        }
    }

    pub async fn verify(&self, token: &str) -> VerifyResult {
        match self.verify_inner(token).await {
            Ok(claims) => VerifyResult {
                success: true,
                claims: Some(claims),
                error: None,
            },
            Err(error) => VerifyResult {
                success: false,
                claims: None,
                error: Some(error),
            },
        }
    }

    async fn verify_inner(
        &self,
        token: &str,
    ) -> Result<VerifiedTokenClaims, TokenVerificationError> {
        let header = jsonwebtoken::decode_header(token).map_err(|err| TokenVerificationError {
            code: TokenVerificationErrorCode::InvalidToken,
            message: err.to_string(),
        })?;

        let kid = header.kid.ok_or(TokenVerificationError {
            code: TokenVerificationErrorCode::MissingKid,
            message: "token header is missing kid".to_string(),
        })?;

        let jwk_set = self.jwks_client.fetch().await?;
        let jwk = jwk_set
            .keys
            .iter()
            .find(|k| k.kid.as_deref() == Some(kid.as_str()))
            .ok_or(TokenVerificationError {
                code: TokenVerificationErrorCode::SigningKeyNotFound,
                message: format!("no signing key found for kid={kid}"),
            })?;

        let decoding_key = jwk.decoding_key()?;

        let mut validation = Validation::new(Algorithm::RS256);
        validation.validate_exp = true;
        validation.set_audience(&[self.config.audience.clone()]);
        validation.set_issuer(&[self.config.issuer.clone()]);

        let payload = jsonwebtoken::decode::<serde_json::Value>(token, &decoding_key, &validation)
            .map_err(|err| TokenVerificationError {
                code: TokenVerificationErrorCode::InvalidToken,
                message: err.to_string(),
            })?;

        let claims = payload.claims;
        let token_scopes = claims
            .get("scope")
            .and_then(|value| value.as_str())
            .unwrap_or_default();

        let available_scopes: HashSet<&str> = token_scopes
            .split_whitespace()
            .filter(|scope| !scope.is_empty())
            .collect();

        for required_scope in &self.config.required_scopes {
            if !available_scopes.contains(required_scope.as_str()) {
                return Err(TokenVerificationError {
                    code: TokenVerificationErrorCode::MissingScope,
                    message: format!("missing required scope `{required_scope}`"),
                });
            }
        }

        let audience = match claims.get("aud") {
            Some(serde_json::Value::Array(values)) => values
                .iter()
                .filter_map(|value| value.as_str().map(ToString::to_string))
                .collect(),
            Some(serde_json::Value::String(value)) => vec![value.to_string()],
            _ => Vec::new(),
        };

        Ok(VerifiedTokenClaims {
            subject: claims
                .get("sub")
                .and_then(|value| value.as_str())
                .map(ToString::to_string),
            issuer: claims
                .get("iss")
                .and_then(|value| value.as_str())
                .map(ToString::to_string),
            audience,
            scope: claims
                .get("scope")
                .and_then(|value| value.as_str())
                .map(ToString::to_string),
            client_id: claims
                .get("client_id")
                .and_then(|value| value.as_str())
                .map(ToString::to_string),
            expires_at: claims.get("exp").and_then(|value| value.as_u64()),
            raw: claims,
        })
    }
}

#[derive(Clone, Debug, Deserialize)]
struct JwkSet {
    keys: Vec<Jwk>,
}

#[derive(Clone, Debug, Deserialize)]
struct Jwk {
    kty: String,
    #[allow(dead_code)]
    alg: Option<String>,
    kid: Option<String>,
    n: Option<String>,
    e: Option<String>,
}

impl Jwk {
    fn decoding_key(&self) -> Result<DecodingKey, TokenVerificationError> {
        if self.kty != "RSA" {
            return Err(TokenVerificationError {
                code: TokenVerificationErrorCode::UnsupportedKey,
                message: format!("unsupported key type `{}`", self.kty),
            });
        }

        let n = self.n.as_deref().ok_or(TokenVerificationError {
            code: TokenVerificationErrorCode::UnsupportedKey,
            message: "RSA key missing modulus".to_string(),
        })?;

        let e = self.e.as_deref().ok_or(TokenVerificationError {
            code: TokenVerificationErrorCode::UnsupportedKey,
            message: "RSA key missing exponent".to_string(),
        })?;

        DecodingKey::from_rsa_components(n, e).map_err(|err| TokenVerificationError {
            code: TokenVerificationErrorCode::UnsupportedKey,
            message: err.to_string(),
        })
    }
}