Add JWT verification to protect routes

This commit is contained in:
GHOSCHT 2024-05-19 13:09:59 +02:00
parent 0120de27bf
commit 07c1051cde
Signed by: ghoscht
GPG key ID: 2C2C1C62A5388E82
4 changed files with 1596 additions and 56 deletions

1490
Cargo.lock generated

File diff suppressed because it is too large Load diff

View file

@ -6,7 +6,15 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
aliri = "0.6.3"
aliri_axum = "0.4.0"
aliri_oauth2 = { version = "0.10.1", features = ["default-tls"] }
aliri_tower = "0.6.0"
anyhow = "1.0.86"
axum = "0.7.5"
diesel = { version = "2.1.6", features = ["postgres"] }
diesel-derive-enum = { version = "2.1.0", features = ["postgres"] }
dotenvy = "0.15.7"
http = "1.1.0"
postgis_diesel = "2.3.1"
tokio = {version = "1.37.0", features = ["full"]}

View file

@ -9,36 +9,39 @@
};
outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = import inputs.systems;
imports = [
inputs.treefmt-nix.flakeModule
];
perSystem = {
config,
pkgs,
...
}: let
perSystem =
{ config
, pkgs
, ...
}:
let
cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
nonRustDeps = with pkgs; [
libiconv
libudev-zero
pkg-config
postgresql
openssl
];
rust-toolchain = pkgs.symlinkJoin {
name = "rust-toolchain";
paths = with pkgs; [rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc];
paths = with pkgs; [ rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc ];
};
udev-rule = builtins.readFile ./heliox.udev;
in {
in
{
# Rust package
packages.default = pkgs.rustPlatform.buildRustPackage {
inherit (cargoToml.package) name version;
src = ./.;
cargoLock.lockFile = ./Cargo.lock;
nativeBuildInputs = with pkgs; [pkg-config udev libudev-zero libpqxx];
buildInputs = with pkgs; [udev libudev-zero libpqxx];
nativeBuildInputs = with pkgs; [ pkg-config udev libudev-zero libpqxx openssl ];
buildInputs = with pkgs; [ udev libudev-zero libpqxx openssl ];
postInstall = ''
mkdir -p $out/etc/udev/rules.d
echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules

View file

@ -6,9 +6,48 @@ mod models;
mod ops;
mod schema;
fn main() {
ops::node_ops::create_node();
ops::restaurant_ops::create_restaurant();
// ops::node_ops::update_node();
ops::node_ops::show_nodes();
use std::time::Duration;
use aliri::{error::JwtVerifyError, jwa, jwt};
use aliri_oauth2::{Authority, HasScope, Scope};
use aliri_tower::Oauth2Authorizer;
use axum::{
extract::Path,
response::IntoResponse,
routing::{get, post},
Extension, Router,
};
use http::{request::Parts, Response};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let authority = construct_authority().await?;
let authorizer = Oauth2Authorizer::new().with_verbose_error_handler();
let unauthed_routes = Router::new().route("/public", get(|| async { "Hello, public world!" }));
let authed_routes = Router::new()
.route("/secured", get(|| async { "Hello, secure world!" }))
.layer(authorizer.jwt_layer(authority))
.layer(Extension(aliri_axum::VerboseAuthxErrors));
let app = authed_routes.merge(unauthed_routes);
let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
axum::serve(listener, app).await?;
Ok(())
}
const OIDC_ISSUER_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/";
const OIDC_JWKS_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/jwks/";
async fn construct_authority() -> anyhow::Result<Authority> {
let validator = jwt::CoreValidator::default()
.add_approved_algorithm(jwa::Algorithm::RS256)
.require_issuer(jwt::Issuer::from_static(OIDC_ISSUER_URL));
let authority = Authority::new_from_url(OIDC_JWKS_URL.to_string(), validator).await?;
Ok(authority)
}