tower_oauth2_resource_server/
jwt_resolver.rs

1use http::Request;
2
3use crate::{error::AuthError, jwt_unverified::UnverifiedJwt};
4
/// Locates the bearer token (a JWT) carried by an HTTP request.
///
/// Implementations get a body-less view of the request, so they can read the
/// token from a header, a query parameter, or any other part of the request
/// line and header section. Tokens carried in the URI tend to end up in access
/// logs and `Referer` headers; a header is the safer transport where the
/// client allows it.
pub trait BearerTokenResolver {
    /// Extracts the raw token from `request`.
    ///
    /// The result is an [`UnverifiedJwt`]: resolving only finds the credential.
    /// Presumably signature and claim validation happen in a later stage
    /// (confirm against the caller); a resolved token must not be treated as
    /// an authenticated identity on its own.
    ///
    /// # Errors
    ///
    /// Returns an [`AuthError`] when no usable token is found in the request.
    fn resolve(&self, request: &Request<()>) -> Result<UnverifiedJwt, AuthError>;
}
13
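/// Default resolver: reads the bearer token from the `Authorization` header.
///
/// The header must have the form `<scheme> <token>`, where the scheme is
/// `Bearer` compared case-insensitively (HTTP authentication scheme names are
/// case-insensitive, so `bearer` and `BEARER` are accepted as well).
pub struct DefaultBearerTokenResolver;

impl BearerTokenResolver for DefaultBearerTokenResolver {
    /// Extracts the token that follows the `Bearer` scheme in `Authorization`.
    ///
    /// The token is returned exactly as sent (everything after the first
    /// space) and is not validated here.
    ///
    /// # Errors
    ///
    /// * [`AuthError::MissingAuthorizationHeader`] - the request has no
    ///   `Authorization` header.
    /// * [`AuthError::InvalidAuthorizationHeader`] - the header value is not
    ///   visible ASCII, has no space-separated scheme, or uses a scheme other
    ///   than `Bearer`.
    fn resolve(&self, request: &Request<()>) -> Result<UnverifiedJwt, AuthError> {
        // NOTE(review): `HeaderMap::get` yields only the first `Authorization`
        // value; further `Authorization` headers on the same request are
        // ignored rather than rejected. Confirm that any intermediary in front
        // of this service picks the same one.
        let header = request
            .headers()
            .get(http::header::AUTHORIZATION)
            .ok_or(AuthError::MissingAuthorizationHeader)?;

        let value = header
            .to_str()
            .map_err(|_| AuthError::InvalidAuthorizationHeader)?;

        // Split on the first space only, so the token keeps any later spaces,
        // exactly as the previous `strip_prefix("Bearer ")` did.
        let (scheme, token) = value
            .split_once(' ')
            .ok_or(AuthError::InvalidAuthorizationHeader)?;

        if !scheme.eq_ignore_ascii_case("Bearer") {
            return Err(AuthError::InvalidAuthorizationHeader);
        }

        // NOTE(review): an empty token (`Bearer ` with nothing after it) is
        // still passed on; presumably it is rejected when the JWT is parsed.
        // Confirm against `UnverifiedJwt`.
        Ok(UnverifiedJwt::new(token.to_owned()))
    }
}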
32
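/// Builds a body-less copy of `request` for token resolvers to inspect.
///
/// Method, URI, HTTP version and all headers are copied; the body is replaced
/// by `()`. Request extensions are not copied, so a resolver cannot rely on
/// them. The copy carries the same `Authorization` header as the original and
/// should be handled with the same care (for example, not logged wholesale).
///
/// The parts are assigned directly rather than going through
/// `Request::builder()`, so there is no fallible build step and no panic path.
pub(crate) fn request_ref<Body>(request: &Request<Body>) -> Request<()> {
    let mut copy = Request::new(());

    *copy.method_mut() = request.method().clone();
    *copy.uri_mut() = request.uri().clone();
    *copy.version_mut() = request.version();
    *copy.headers_mut() = request.headers().clone();

    copy
}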
45
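#[cfg(test)]
mod tests {
    use super::*;

    /// Runs the default resolver against a request carrying the given
    /// `Authorization` header value.
    fn resolve_with_header(value: http::HeaderValue) -> Result<UnverifiedJwt, AuthError> {
        let request = Request::builder()
            .header(http::header::AUTHORIZATION, value)
            .body(())
            .unwrap();
        DefaultBearerTokenResolver {}.resolve(&request)
    }

    #[test]
    fn test_missing_authorization() {
        let request = Request::builder().body(()).unwrap();
        let result = DefaultBearerTokenResolver {}.resolve(&request);

        assert_eq!(result.unwrap_err(), AuthError::MissingAuthorizationHeader);
    }

    #[test]
    fn test_missing_bearer_prefix() {
        let result = resolve_with_header(http::HeaderValue::from_static("Boarer XXX"));

        assert_eq!(result.unwrap_err(), AuthError::InvalidAuthorizationHeader);
    }

    #[test]
    fn test_other_scheme_is_rejected() {
        // A different, well-formed scheme must not be mistaken for a bearer token.
        let result = resolve_with_header(http::HeaderValue::from_static("Basic dXNlcjpwYXNz"));

        assert_eq!(result.unwrap_err(), AuthError::InvalidAuthorizationHeader);
    }

    #[test]
    fn test_scheme_without_token_is_rejected() {
        // No space after the scheme means there is no credential part at all.
        for value in ["Bearer", "BearerXXX"] {
            let result = resolve_with_header(http::HeaderValue::from_static(value));

            assert_eq!(result.unwrap_err(), AuthError::InvalidAuthorizationHeader);
        }
    }

    #[test]
    fn test_non_ascii_header_is_rejected() {
        // Constructed sample: 0xFA is a legal header byte but not visible ASCII.
        let value = http::HeaderValue::from_bytes(b"Bearer \xfa").unwrap();
        let result = resolve_with_header(value);

        assert_eq!(result.unwrap_err(), AuthError::InvalidAuthorizationHeader);
    }

    #[test]
    fn test_ok() {
        let result = resolve_with_header(http::HeaderValue::from_static("Bearer XXX"));

        assert!(result.is_ok());
    }

    #[test]
    fn test_request_ref_copies_head_and_drops_body() {
        let original = Request::builder()
            .method("POST")
            .uri("/resource?x=1")
            .header("Authorization", "Bearer XXX")
            .body("payload")
            .unwrap();

        let copy = request_ref(&original);

        assert_eq!(copy.method(), original.method());
        assert_eq!(copy.uri(), original.uri());
        assert_eq!(copy.version(), original.version());
        assert_eq!(copy.headers(), original.headers());
    }
}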