Moved JWT config to config file

develop
Jef Roosens 2021-08-30 15:28:01 +02:00
parent 3cf7661faf
commit 2cc4d53961
Signed by untrusted user: Jef Roosens
GPG Key ID: B580B976584B5F30
4 changed files with 58 additions and 23 deletions

View File

@ -12,7 +12,11 @@ debug:
admin_user: "admin"
admin_pass: "password"
jwt_key: "secret"
jwt:
key: "secret"
refresh_token_size: 64
# Just 5 seconds for debugging
refresh_token_expire: 5
databases:
postgres_rb:

View File

@ -11,6 +11,7 @@ use crate::{
db::{tokens::NewRefreshToken, users::User},
errors::{RbError, RbResult},
schema::{refresh_tokens::dsl as refresh_tokens, users::dsl as users},
RbJwtConf,
};
#[derive(Serialize)]
@ -30,10 +31,13 @@ pub struct Claims
pub exp: i64,
}
pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> RbResult<JWTResponse>
pub fn generate_jwt_token(
conn: &PgConnection,
jwt: &RbJwtConf,
user: &User,
) -> RbResult<JWTResponse>
{
let secret = std::env::var("JWT_KEY").map_err(|_| RbError::Custom("Missing JWT key."))?;
let key: Hmac<Sha256> = Hmac::new_from_slice(secret.as_bytes())
let key: Hmac<Sha256> = Hmac::new_from_slice(jwt.key.as_bytes())
.map_err(|_| RbError::Custom("Couldn't create Hmac key."))?;
let current_time = Utc::now();
@ -43,7 +47,7 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> RbResult<JWTRespo
id: user.id,
username: user.username.clone(),
admin: user.admin,
exp: current_time.timestamp() + crate::JWT_EXP_SECONDS,
exp: current_time.timestamp() + jwt.refresh_token_expire,
};
// Sign the claims into a new token
@ -52,11 +56,11 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> RbResult<JWTRespo
.map_err(|_| RbError::Custom("Couldn't sign JWT."))?;
// Generate a random refresh token
let mut refresh_token = [0u8; crate::REFRESH_TOKEN_N_BYTES];
let mut refresh_token = vec![0u8; jwt.refresh_token_size];
thread_rng().fill(&mut refresh_token[..]);
let refresh_expire =
(current_time + chrono::Duration::seconds(crate::REFRESH_TOKEN_EXP_SECONDS)).naive_utc();
(current_time + chrono::Duration::seconds(jwt.refresh_token_expire)).naive_utc();
// Store refresh token in database
db::tokens::create(
@ -74,7 +78,11 @@ pub fn generate_jwt_token(conn: &PgConnection, user: &User) -> RbResult<JWTRespo
})
}
pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> RbResult<JWTResponse>
pub fn refresh_token(
conn: &PgConnection,
jwt: &RbJwtConf,
refresh_token: &str,
) -> RbResult<JWTResponse>
{
let token_bytes =
base64::decode(refresh_token).map_err(|_| RbError::AuthInvalidRefreshToken)?;
@ -108,5 +116,5 @@ pub fn refresh_token(conn: &PgConnection, refresh_token: &str) -> RbResult<JWTRe
.execute(conn)
.map_err(|_| RbError::Custom("Couldn't update last used time."))?;
generate_jwt_token(conn, &user)
generate_jwt_token(conn, jwt, &user)
}

View File

@ -1,11 +1,11 @@
use rocket::serde::json::Json;
use rocket::{serde::json::Json, State};
use serde::Deserialize;
use self::{
jwt::{generate_jwt_token, JWTResponse},
pass::verify_user,
};
use crate::{errors::RbResult, guards::User, RbDbConn};
use crate::{errors::RbResult, guards::User, RbConfig, RbDbConn, RbJwtConf};
pub mod jwt;
pub mod pass;
@ -24,16 +24,24 @@ pub async fn already_logged_in(_user: User) -> String
}
#[post("/login", data = "<credentials>", rank = 2)]
pub async fn login(conn: RbDbConn, credentials: Json<Credentials>) -> RbResult<Json<JWTResponse>>
pub async fn login(
conn: RbDbConn,
conf: &State<RbConfig>,
credentials: Json<Credentials>,
) -> RbResult<Json<JWTResponse>>
{
let credentials = credentials.into_inner();
let jwt = conf.jwt.clone();
// Get the user, if credentials are valid
let user = conn
.run(move |c| verify_user(c, &credentials.username, &credentials.password))
.await?;
Ok(Json(conn.run(move |c| generate_jwt_token(c, &user)).await?))
Ok(Json(
conn.run(move |c| generate_jwt_token(c, &jwt, &user))
.await?,
))
}
#[derive(Deserialize)]
@ -46,13 +54,15 @@ pub struct RefreshTokenRequest
#[post("/refresh", data = "<refresh_token_request>")]
pub async fn refresh_token(
conn: RbDbConn,
conf: &State<RbConfig>,
refresh_token_request: Json<RefreshTokenRequest>,
) -> RbResult<Json<JWTResponse>>
{
let refresh_token = refresh_token_request.into_inner().refresh_token;
let jwt = conf.jwt.clone();
Ok(Json(
conn.run(move |c| crate::auth::jwt::refresh_token(c, &refresh_token))
conn.run(move |c| crate::auth::jwt::refresh_token(c, &jwt, &refresh_token))
.await?,
))
}

View File

@ -8,9 +8,13 @@ extern crate diesel_migrations;
#[macro_use]
extern crate diesel;
use figment::{
providers::{Env, Format, Yaml},
Figment,
};
use rocket::{fairing::AdHoc, Build, Rocket};
use rocket_sync_db_pools::database;
use figment::{Figment, providers::Env, providers::Yaml, providers::Format};
use serde::{Deserialize, Serialize};
mod admin;
pub mod auth;
@ -19,14 +23,6 @@ pub mod errors;
pub mod guards;
pub(crate) mod schema;
// Any import defaults are defined here
/// Expire time for the JWT tokens in seconds.
const JWT_EXP_SECONDS: i64 = 600;
/// Amount of bytes the refresh tokens should consist of
const REFRESH_TOKEN_N_BYTES: usize = 64;
/// Expire time for refresh tokens; here: one week
const REFRESH_TOKEN_EXP_SECONDS: i64 = 604800;
#[database("postgres_rb")]
pub struct RbDbConn(diesel::PgConnection);
@ -61,6 +57,22 @@ async fn create_admin_user(rocket: Rocket<Build>) -> Result<Rocket<Build>, Rocke
Ok(rocket)
}
#[derive(Debug, Deserialize, Serialize, Clone)]
pub struct RbJwtConf
{
key: String,
refresh_token_size: usize,
refresh_token_expire: i64,
}
#[derive(Debug, Deserialize, Serialize)]
pub struct RbConfig
{
admin_user: String,
admin_pass: String,
jwt: RbJwtConf,
}
#[launch]
fn rocket() -> _
{
@ -75,6 +87,7 @@ fn rocket() -> _
run_db_migrations,
))
.attach(AdHoc::try_on_ignite("Create admin user", create_admin_user))
.attach(AdHoc::config::<RbConfig>())
.mount(
"/api/auth",
routes![auth::already_logged_in, auth::login, auth::refresh_token,],