Add JWT verification to protect routes

Cargo.toml

@@ -6,7 +6,15 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
+aliri = "0.6.3"
+aliri_axum = "0.4.0"
+aliri_oauth2 = { version = "0.10.1", features = ["default-tls"] }
+aliri_tower = "0.6.0"
+anyhow = "1.0.86"
+axum = "0.7.5"
 diesel = { version = "2.1.6", features = ["postgres"] }
 diesel-derive-enum = { version = "2.1.0", features = ["postgres"] }
 dotenvy = "0.15.7"
+http = "1.1.0"
 postgis_diesel =  "2.3.1"
+tokio = {version = "1.37.0", features = ["full"]}

flake.nix

@@ -14,31 +14,34 @@
       imports = [
         inputs.treefmt-nix.flakeModule
       ];
-      perSystem = {
-        config,
-        pkgs,
-        ...
-      }: let
+      perSystem =
+        { config
+        , pkgs
+        , ...
+        }:
+        let
           cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
           nonRustDeps = with pkgs; [
             libiconv
             libudev-zero
             pkg-config
             postgresql
+            openssl
           ];
           rust-toolchain = pkgs.symlinkJoin {
             name = "rust-toolchain";
             paths = with pkgs; [ rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc ];
           };
           udev-rule = builtins.readFile ./heliox.udev;
-      in {
+        in
+        {
           # Rust package
           packages.default = pkgs.rustPlatform.buildRustPackage {
             inherit (cargoToml.package) name version;
             src = ./.;
             cargoLock.lockFile = ./Cargo.lock;
-          nativeBuildInputs = with pkgs; [pkg-config udev libudev-zero libpqxx];
-          buildInputs = with pkgs; [udev libudev-zero libpqxx];
+            nativeBuildInputs = with pkgs; [ pkg-config udev libudev-zero libpqxx openssl ];
+            buildInputs = with pkgs; [ udev libudev-zero libpqxx openssl ];
             postInstall = ''
               mkdir -p $out/etc/udev/rules.d
               echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules

src/main.rs

@@ -6,9 +6,48 @@ mod models;
 mod ops;
 mod schema;
 
-fn main() {
-    ops::node_ops::create_node();
-    ops::restaurant_ops::create_restaurant();
-    // ops::node_ops::update_node();
-    ops::node_ops::show_nodes();
+use std::time::Duration;
+
+use aliri::{error::JwtVerifyError, jwa, jwt};
+use aliri_oauth2::{Authority, HasScope, Scope};
+use aliri_tower::Oauth2Authorizer;
+use axum::{
+    extract::Path,
+    response::IntoResponse,
+    routing::{get, post},
+    Extension, Router,
+};
+use http::{request::Parts, Response};
+
+#[tokio::main]
+async fn main() -> anyhow::Result<()> {
+    let authority = construct_authority().await?;
+    let authorizer = Oauth2Authorizer::new().with_verbose_error_handler();
+
+    let unauthed_routes = Router::new().route("/public", get(|| async { "Hello, public world!" }));
+
+    let authed_routes = Router::new()
+        .route("/secured", get(|| async { "Hello, secure world!" }))
+        .layer(authorizer.jwt_layer(authority))
+        .layer(Extension(aliri_axum::VerboseAuthxErrors));
+
+    let app = authed_routes.merge(unauthed_routes);
+
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
+    axum::serve(listener, app).await?;
+
+    Ok(())
+}
+
+const OIDC_ISSUER_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/";
+const OIDC_JWKS_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/jwks/";
+
+async fn construct_authority() -> anyhow::Result<Authority> {
+    let validator = jwt::CoreValidator::default()
+        .add_approved_algorithm(jwa::Algorithm::RS256)
+        .require_issuer(jwt::Issuer::from_static(OIDC_ISSUER_URL));
+
+    let authority = Authority::new_from_url(OIDC_JWKS_URL.to_string(), validator).await?;
+
+    Ok(authority)
 }