nekomimi.pet / microcosm-rs
forked from microcosm.blue/microcosm-rs
Constellation, Spacedust, Slingshot, UFOs: atproto crates and services for microcosm
fork atom

serve jwks for token validation

bad-example.com bf9a8fe5 65d7a109

options
unified split
Changed files
+58 -17
who-am-i
.gitignore
src
jwt.rs
main.rs
server.rs
+2 -1
who-am-i/.gitignore
··· 1 - jwt-key.pem 1 + *.pem 2 + jwks.json
+28 -9
who-am-i/src/jwt.rs
··· 3 3 use std::fs; 4 4 use std::io::Error as IOError; 5 5 use std::path::Path; 6 + use std::string::FromUtf8Error; 6 7 use std::time::{Duration, SystemTime, UNIX_EPOCH}; 7 8 use thiserror::Error; 8 9 9 10 #[derive(Debug, Error)] 10 11 pub enum TokensSetupError { 11 - #[error(transparent)] 12 - Io(#[from] IOError), 13 - #[error("failed to retrieve ec key: {0}")] 14 - FromEc(JWTError), 12 + #[error("failed to read private key")] 13 + ReadPrivateKey(IOError), 14 + #[error("failed to retrieve private key: {0}")] 15 + PrivateKey(JWTError), 16 + #[error("failed to read private key")] 17 + ReadJwks(IOError), 18 + #[error("failed to retrieve jwks: {0}")] 19 + DecodeJwks(FromUtf8Error), 15 20 } 16 21 17 22 #[derive(Debug, Error)] 18 23 pub enum TokenMintingError { 19 24 #[error("failed to mint: {0}")] 20 - FromEc(#[from] JWTError), 25 + EncodingError(#[from] JWTError), 21 26 } 22 27 23 28 pub struct Tokens { 24 29 encoding_key: EncodingKey, 30 + jwks: String, 25 31 } 26 32 27 33 impl Tokens { 28 - pub fn from_file(f: impl AsRef<Path>) -> Result<Self, TokensSetupError> { 29 - let data: Vec<u8> = fs::read(f)?; 30 - let encoding_key = EncodingKey::from_ec_pem(&data).map_err(TokensSetupError::FromEc)?; 31 - Ok(Self { encoding_key }) 34 + pub fn from_files( 35 + priv_f: impl AsRef<Path>, 36 + jwks_f: impl AsRef<Path>, 37 + ) -> Result<Self, TokensSetupError> { 38 + let private_key_data: Vec<u8> = 39 + fs::read(priv_f).map_err(TokensSetupError::ReadPrivateKey)?; 40 + let encoding_key = 41 + EncodingKey::from_ec_pem(&private_key_data).map_err(TokensSetupError::PrivateKey)?; 42 + 43 + let jwks_data: Vec<u8> = fs::read(jwks_f).map_err(TokensSetupError::ReadJwks)?; 44 + let jwks = String::from_utf8(jwks_data).map_err(TokensSetupError::DecodeJwks)?; 45 + 46 + Ok(Self { encoding_key, jwks }) 32 47 } 33 48 34 49 pub fn mint(&self, t: impl ToString) -> Result<String, TokenMintingError> { ··· 45 60 &Claims { sub, exp }, 46 61 &self.encoding_key, 47 62 )?) 63 + } 64 + 65 + pub fn jwks(&self) -> String { 66 + self.jwks.clone() 48 67 } 49 68 } 50 69
+19 -7
who-am-i/src/main.rs
··· 15 15 /// eg: `cat /dev/urandom | head -c 64 | base64` 16 16 #[arg(long, env)] 17 17 app_secret: String, 18 - /// path to jwt key (PEM format) 18 + /// path to jwt private key (PEM pk8 format) 19 19 /// 20 20 /// generate with: 21 - /// ```bash 22 - /// openssl ecparam -genkey -noout -name prime256v1 \ 23 - /// | openssl pkcs8 -topk8 -nocrypt -out <PATH-TO-JWT-KEY>.pem 24 - /// ``` 21 + /// 22 + /// openssl ecparam -genkey -noout -name prime256v1 \ 23 + /// | openssl pkcs8 -topk8 -nocrypt -out <PATH-TO-PRIV-KEY>.pem 25 24 #[arg(long)] 26 - jwt_key: PathBuf, 25 + jwt_private_key: PathBuf, 26 + /// path to pubkeys file (jwks format) 27 + /// 28 + /// get pem of pubkey from private key with: 29 + /// 30 + /// openssl ec -in <PATH-TO-PRIV-KEY>.pem -pubout 31 + /// 32 + /// then convert to a jwk, probably with something less sketchy than an [online tool](https://jwkset.com/generate) 33 + /// 34 + /// wrap the jwk in an array, then in an object under "keys": 35 + /// 36 + /// { "keys": [<JWK obj>] } 37 + #[arg(long)] 38 + jwks: PathBuf, 27 39 /// Enable dev mode 28 40 /// 29 41 /// enables automatic template reloading ··· 54 66 println!(" - {host}"); 55 67 } 56 68 57 - let tokens = Tokens::from_file(args.jwt_key).unwrap(); 69 + let tokens = Tokens::from_files(args.jwt_private_key, args.jwks).unwrap(); 58 70 59 71 if let Err(e) = install_metrics_server() { 60 72 eprintln!("failed to install metrics server: {e:?}");
+9
who-am-i/src/server.rs
··· 91 91 .route("/auth", get(start_oauth)) 92 92 .route("/authorized", get(complete_oauth)) 93 93 .route("/disconnect", post(disconnect)) 94 + .route("/.well-known/jwks.json", get(jwks)) 94 95 .with_state(state); 95 96 96 97 let listener = TcpListener::bind("0.0.0.0:9997") ··· 437 438 let jar = jar.remove(DID_COOKIE_KEY); 438 439 (jar, Json(json!({ "ok": true }))) 439 440 } 441 + 442 + async fn jwks(State(AppState { tokens, .. }): State<AppState>) -> impl IntoResponse { 443 + let headers = [ 444 + (CONTENT_TYPE, "application/json"), 445 + // (CACHE_CONTROL, "") // TODO 446 + ]; 447 + (headers, tokens.jwks()) 448 + }