schnabu/server
1
0
Fork 0
Code Issues 2 Pull requests Projects 1 Releases Packages Wiki Activity Actions

Add JWT verification to protect routes

Browse source
This commit is contained in:
GHOSCHT 2024-05-19 13:09:59 +02:00
parent 0120de27bf
commit 07c1051cde
Signed by: ghoscht
GPG key ID: 2C2C1C62A5388E82
4 changed files with 1596 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1490
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

8
Cargo.toml
View file

@ -6,7 +6,15 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies] [dependencies]
aliri = "0.6.3"
aliri_axum = "0.4.0"
aliri_oauth2 = { version = "0.10.1", features = ["default-tls"] }
aliri_tower = "0.6.0"
anyhow = "1.0.86"
axum = "0.7.5"
diesel = { version = "2.1.6", features = ["postgres"] } diesel = { version = "2.1.6", features = ["postgres"] }
diesel-derive-enum = { version = "2.1.0", features = ["postgres"] } diesel-derive-enum = { version = "2.1.0", features = ["postgres"] }
dotenvy = "0.15.7" dotenvy = "0.15.7"
http = "1.1.0"
postgis_diesel = "2.3.1" postgis_diesel = "2.3.1"
tokio = {version = "1.37.0", features = ["full"]}

105
flake.nix
View file

@ -9,64 +9,67 @@
}; };
outputs = inputs: outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} { inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = import inputs.systems; systems = import inputs.systems;
imports = [ imports = [
inputs.treefmt-nix.flakeModule inputs.treefmt-nix.flakeModule
]; ];
perSystem = { perSystem =
config, { config
pkgs, , pkgs
... , ...
}: let }:
cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml); let
nonRustDeps = with pkgs; [ cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
libiconv nonRustDeps = with pkgs; [
libudev-zero libiconv
pkg-config libudev-zero
postgresql pkg-config
]; postgresql
rust-toolchain = pkgs.symlinkJoin { openssl
name = "rust-toolchain";
paths = with pkgs; [rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc];
};
udev-rule = builtins.readFile ./heliox.udev;
in {
# Rust package
packages.default = pkgs.rustPlatform.buildRustPackage {
inherit (cargoToml.package) name version;
src = ./.;
cargoLock.lockFile = ./Cargo.lock;
nativeBuildInputs = with pkgs; [pkg-config udev libudev-zero libpqxx];
buildInputs = with pkgs; [udev libudev-zero libpqxx];
postInstall = ''
mkdir -p $out/etc/udev/rules.d
echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules
'';
};
# Rust dev environment
devShells.default = pkgs.mkShell {
inputsFrom = [
config.treefmt.build.devShell
]; ];
buildInputs = nonRustDeps; rust-toolchain = pkgs.symlinkJoin {
nativeBuildInputs = with pkgs; name = "rust-toolchain";
[ paths = with pkgs; [ rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc ];
rust-toolchain };
diesel-cli udev-rule = builtins.readFile ./heliox.udev;
] in
++ nonRustDeps; {
RUST_BACKTRACE = 1; # Rust package
}; packages.default = pkgs.rustPlatform.buildRustPackage {
inherit (cargoToml.package) name version;
src = ./.;
cargoLock.lockFile = ./Cargo.lock;
nativeBuildInputs = with pkgs; [ pkg-config udev libudev-zero libpqxx openssl ];
buildInputs = with pkgs; [ udev libudev-zero libpqxx openssl ];
postInstall = ''
mkdir -p $out/etc/udev/rules.d
echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules
'';
};
treefmt.config = { # Rust dev environment
projectRootFile = "flake.nix"; devShells.default = pkgs.mkShell {
programs = { inputsFrom = [
nixpkgs-fmt.enable = true; config.treefmt.build.devShell
rustfmt.enable = true; ];
buildInputs = nonRustDeps;
nativeBuildInputs = with pkgs;
[
rust-toolchain
diesel-cli
]
++ nonRustDeps;
RUST_BACKTRACE = 1;
};
treefmt.config = {
projectRootFile = "flake.nix";
programs = {
nixpkgs-fmt.enable = true;
rustfmt.enable = true;
};
}; };
}; };
};
}; };
} }

49
src/main.rs
View file

@ -6,9 +6,48 @@ mod models;
mod ops; mod ops;
mod schema; mod schema;
fn main() { use std::time::Duration;
ops::node_ops::create_node();
ops::restaurant_ops::create_restaurant(); use aliri::{error::JwtVerifyError, jwa, jwt};
// ops::node_ops::update_node(); use aliri_oauth2::{Authority, HasScope, Scope};
ops::node_ops::show_nodes(); use aliri_tower::Oauth2Authorizer;
use axum::{
extract::Path,
response::IntoResponse,
routing::{get, post},
Extension, Router,
};
use http::{request::Parts, Response};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let authority = construct_authority().await?;
let authorizer = Oauth2Authorizer::new().with_verbose_error_handler();
let unauthed_routes = Router::new().route("/public", get(|| async { "Hello, public world!" }));
let authed_routes = Router::new()
.route("/secured", get(|| async { "Hello, secure world!" }))
.layer(authorizer.jwt_layer(authority))
.layer(Extension(aliri_axum::VerboseAuthxErrors));
let app = authed_routes.merge(unauthed_routes);
let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
axum::serve(listener, app).await?;
Ok(())
}
const OIDC_ISSUER_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/";
const OIDC_JWKS_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/jwks/";
async fn construct_authority() -> anyhow::Result<Authority> {
let validator = jwt::CoreValidator::default()
.add_approved_algorithm(jwa::Algorithm::RS256)
.require_issuer(jwt::Issuer::from_static(OIDC_ISSUER_URL));
let authority = Authority::new_from_url(OIDC_JWKS_URL.to_string(), validator).await?;
Ok(authority)
} }