auth: Initial JWT implementation

We'll use a JWT in the `Authorization` request header to identify the
user saving a page.  The token will need to be set in the _authorization
token_ field in the SingleFile configuration so it will be included when
uploading.

.gitignore

@@ -1,3 +1,4 @@
 /target
 /Rocket.toml
+/jwt.secret
 /meilisearch.token

Cargo.lock

@@ -1786,6 +1786,7 @@ version = "0.1.0"
 dependencies = [
  "chrono",
  "html5ever",
+ "jsonwebtoken",
  "markup5ever_rcdom",
  "meilisearch-sdk",
  "rand 0.9.0",

Cargo.toml

@@ -6,6 +6,7 @@ edition = "2021"
 [dependencies]
 chrono = { version = "0.4.40", default-features = false, features = ["std", "clock", "serde"] }
 html5ever = "0.27.0"
+jsonwebtoken = { version = "9.3.1", default-features = false }
 markup5ever_rcdom = "0.3.0"
 meilisearch-sdk = "0.28.0"
 rand = "0.9.0"

examples/make-token.rs

@@ -0,0 +1,37 @@
+use std::io::Read;
+use std::time::SystemTime;
+
+use jsonwebtoken::{encode, EncodingKey, Header};
+use serde::Serialize;
+
+#[derive(Debug, Serialize)]
+struct UserClaims {
+    aud: String,
+    exp: u64,
+    iat: u64,
+    iss: String,
+    nbf: u64,
+    sub: String,
+}
+
+fn main() {
+    let args: Vec<_> = std::env::args().collect();
+    let mut secret = vec![];
+    let mut f = std::fs::File::open(&args[1]).unwrap();
+    f.read_to_end(&mut secret).unwrap();
+    let k = EncodingKey::from_secret(&secret);
+    let now = SystemTime::now()
+        .duration_since(SystemTime::UNIX_EPOCH)
+        .unwrap()
+        .as_secs();
+    let claims = UserClaims {
+        aud: env!("CARGO_PKG_NAME").into(),
+        exp: now + 604800,
+        iat: now,
+        iss: env!("CARGO_PKG_NAME").into(),
+        nbf: now - 60,
+        sub: args[2].to_string(),
+    };
+    let jwt = encode(&Header::default(), &claims, &k).unwrap();
+    println!("{}", jwt);
+}

src/auth.rs

@@ -0,0 +1,201 @@
+use std::io::Read;
+
+use jsonwebtoken::{decode, Algorithm, DecodingKey, TokenData, Validation};
+use rocket::http::Status;
+use rocket::request::{FromRequest, Outcome, Request};
+use serde::{Deserialize, Serialize};
+use tracing::error;
+
+use crate::config::Config;
+use crate::Context;
+
+#[derive(Debug, PartialEq, Serialize, Deserialize)]
+pub struct UserClaims {
+    pub aud: String,
+    pub exp: u64,
+    pub iat: u64,
+    pub iss: String,
+    pub nbf: u64,
+    pub sub: String,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for UserClaims {
+    type Error = &'static str;
+
+    async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        let secret = &req.rocket().state::<Context>().unwrap().jwt_secret;
+        match req.headers().get_one("Authorization") {
+            Some(s) => match extract_token(secret, s) {
+                Ok(d) => Outcome::Success(d.claims),
+                Err(e) => Outcome::Error((Status::Unauthorized, e)),
+            },
+            None => Outcome::Error((Status::Unauthorized, "Unauthorized")),
+        }
+    }
+}
+
+/// Load the JWT secret from the path specified in the configuration
+pub fn load_secret(config: &Config) -> Result<Vec<u8>, std::io::Error> {
+    let mut secret = vec![];
+    let mut f = std::fs::File::open(&config.auth.jwt_secret)?;
+    f.read_to_end(&mut secret)?;
+    Ok(secret)
+}
+
+fn extract_token(
+    secret: &[u8],
+    header: &str,
+) -> Result<TokenData<UserClaims>, &'static str> {
+    let mut iter = header.split_ascii_whitespace();
+    let scheme = iter.next();
+    let token = iter.next();
+    if token.is_some() && Some("Bearer") != scheme {
+        return Err("Unsupported authorization scheme");
+    }
+    if let Some(token) = token {
+        let mut v = Validation::new(Algorithm::HS256);
+        v.validate_nbf = true;
+        v.set_issuer(&[env!("CARGO_PKG_NAME")]);
+        v.set_audience(&[env!("CARGO_PKG_NAME")]);
+        let k = DecodingKey::from_secret(secret);
+        match decode(token, &k, &v) {
+            Ok(d) => Ok(d),
+            Err(e) => {
+                error!("Failed to decode auth token: {}", e);
+                Err("Invalid token")
+            },
+        }
+    } else {
+        Err("Invalid Authorization header")
+    }
+}
+
+#[cfg(test)]
+mod test {
+    use super::*;
+    use jsonwebtoken::{encode, EncodingKey, Header};
+    use std::time::SystemTime;
+
+    static SECRET: &[u8; 32] = b"6gmrLQ4PGjeUpT3Xs48thx9Cu6XE5pgD";
+
+    fn now() -> u64 {
+        SystemTime::now()
+            .duration_since(SystemTime::UNIX_EPOCH)
+            .unwrap()
+            .as_secs()
+    }
+
+    fn make_token(claims: &UserClaims) -> String {
+        let k = EncodingKey::from_secret(SECRET);
+        encode(&Header::default(), claims, &k).unwrap()
+    }
+
+    #[test]
+    fn test_extract_token() {
+        let now = now();
+        let claims = UserClaims {
+            aud: env!("CARGO_PKG_NAME").into(),
+            exp: now + 60,
+            iat: now,
+            iss: env!("CARGO_PKG_NAME").into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let header = format!("Bearer {}", jwt);
+        let data = extract_token(SECRET, &header).unwrap();
+        assert_eq!(claims, data.claims);
+    }
+
+    #[test]
+    fn test_extract_token_expired() {
+        let now = now() - 600;
+        let claims = UserClaims {
+            aud: env!("CARGO_PKG_NAME").into(),
+            exp: now + 60,
+            iat: now,
+            iss: env!("CARGO_PKG_NAME").into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let header = format!("Bearer {}", jwt);
+        let err = extract_token(SECRET, &header).unwrap_err();
+        assert_eq!(err, "Invalid token");
+    }
+
+    #[test]
+    fn test_extract_token_future() {
+        let now = now() + 600;
+        let claims = UserClaims {
+            aud: env!("CARGO_PKG_NAME").into(),
+            exp: now + 60,
+            iat: now,
+            iss: env!("CARGO_PKG_NAME").into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let header = format!("Bearer {}", jwt);
+        let err = extract_token(SECRET, &header).unwrap_err();
+        assert_eq!(err, "Invalid token");
+    }
+
+    #[test]
+    fn test_extract_token_bad_issuer() {
+        let now = now();
+        let claims = UserClaims {
+            aud: env!("CARGO_PKG_NAME").into(),
+            exp: now + 60,
+            iat: now,
+            iss: "mallory".into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let header = format!("Bearer {}", jwt);
+        let err = extract_token(SECRET, &header).unwrap_err();
+        assert_eq!(err, "Invalid token");
+    }
+
+    #[test]
+    fn test_extract_token_bad_aud() {
+        let now = now();
+        let claims = UserClaims {
+            aud: "mallory".into(),
+            exp: now + 60,
+            iat: now,
+            iss: env!("CARGO_PKG_NAME").into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let header = format!("Bearer {}", jwt);
+        let err = extract_token(SECRET, &header).unwrap_err();
+        assert_eq!(err, "Invalid token");
+    }
+
+    #[test]
+    fn test_malformed_header() {
+        let now = now();
+        let claims = UserClaims {
+            aud: "mallory".into(),
+            exp: now + 60,
+            iat: now,
+            iss: env!("CARGO_PKG_NAME").into(),
+            nbf: now - 60,
+            sub: "test1".into(),
+        };
+        let jwt = make_token(&claims);
+        let err = extract_token(SECRET, &jwt).unwrap_err();
+        assert_eq!(err, "Invalid Authorization header");
+    }
+
+    #[test]
+    fn test_unsupported_auth_scheme() {
+        let header = "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";
+        let err = extract_token(SECRET, header).unwrap_err();
+        assert_eq!(err, "Unsupported authorization scheme");
+    }
+}

src/config.rs

@@ -1,3 +1,5 @@
+use std::path::PathBuf;
+
 use serde::Deserialize;
 
 #[derive(Debug, Deserialize)]
@@ -9,8 +11,14 @@ pub struct MeilisearchConfig {
     pub index: String,
 }
 
+#[derive(Debug, Deserialize)]
+pub struct AuthConfig {
+    pub jwt_secret: PathBuf,
+}
+
 #[derive(Debug, Deserialize)]
 pub struct Config {
+    pub auth: AuthConfig,
     pub meilisearch: MeilisearchConfig,
 }
 

src/main.rs

@@ -1,3 +1,4 @@
+mod auth;
 mod config;
 mod meilisearch;
 mod page;
@@ -15,18 +16,27 @@ struct Context {
     #[allow(dead_code)]
     config: Config,
     client: MeilisearchClient,
+    jwt_secret: Vec<u8>,
 }
 
 #[derive(Debug, thiserror::Error)]
 enum InitError {
     #[error("Meilisearch error: {0}")]
     Meilisearch(#[from] meilisearch::Error),
+    #[error("Failed to load JWT secret: {0}")]
+    LoadSecret(std::io::Error),
 }
 
 impl Context {
     pub fn init(config: Config) -> Result<Self, InitError> {
         let client = MeilisearchClient::try_from(&config)?;
-        Ok(Self { config, client })
+        let jwt_secret =
+            auth::load_secret(&config).map_err(InitError::LoadSecret)?;
+        Ok(Self {
+            config,
+            client,
+            jwt_secret,
+        })
     }
 }
 
@@ -42,10 +52,11 @@ pub struct SavePageForm {
 /// Save a visited page in SingleFile format
 #[rocket::post("/save", data = "<form>")]
 async fn save_page(
+    user: auth::UserClaims,
     form: Form<SavePageForm>,
     ctx: &State<Context>,
 ) -> Result<Json<page::Page>, String> {
-    match page::save_page(&form.url, &form.data, ctx).await {
+    match page::save_page(&form.url, &form.data, ctx, &user).await {
         Ok(p) => Ok(Json(p)),
         Err(e) => {
             error!("Failed to save page: {}", e);

src/page.rs

@@ -7,6 +7,7 @@ use rand::Rng;
 use serde::Serialize;
 use tracing::{debug, event, span, Level};
 
+use crate::auth::UserClaims;
 use crate::Context;
 
 static ID_CHARSET: &[u8] = b"0123456789abcdefghijklmnopqrstuvwxyz";
@@ -16,6 +17,8 @@ static ID_CHARSET: &[u8] = b"0123456789abcdefghijklmnopqrstuvwxyz";
 pub struct Page {
     /// Unique saved page ID
     id: String,
+    /// User ID of page owner
+    user_id: String,
     /// Visit timestamp
     timestamp: DateTime<Utc>,
     /// Page URL
@@ -31,14 +34,16 @@ pub async fn save_page(
     url: &str,
     data: &str,
     ctx: &Context,
+    user: &UserClaims,
 ) -> Result<Page, Error> {
-    let span = span!(Level::INFO, "save_page", url = url);
+    let span = span!(Level::INFO, "save_page", url = url, user = user.sub);
     let _guard = span.enter();
     let index_name = &ctx.config.meilisearch.index;
     debug!("Saving page in Meilisearch index {}", index_name);
     let index = ctx.client.get_index(index_name).await?;
     let doc = Page {
         id: gen_id(),
+        user_id: user.sub.clone(),
         timestamp: Utc::now(),
         url: url.into(),
         title: extract_title(data),