schnabu/server
1
0
Fork 0
Code Issues 2 Pull requests Projects 1 Releases Packages Wiki Activity Actions

Add JWT verification to protect routes

Browse source
This commit is contained in:
GHOSCHT 2024-05-19 13:09:59 +02:00
parent 0120de27bf
commit 07c1051cde
Signed by: ghoscht
GPG key ID: 2C2C1C62A5388E82
4 changed files with 1596 additions and 56 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1490
Cargo.lock generated
View file

File diff suppressed because it is too large Load diff

8
Cargo.toml
View file

@ -6,7 +6,15 @@ edition = "2021"
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
[dependencies]
aliri = "0.6.3"
aliri_axum = "0.4.0"
aliri_oauth2 = { version = "0.10.1", features = ["default-tls"] }
aliri_tower = "0.6.0"
anyhow = "1.0.86"
axum = "0.7.5"
diesel = { version = "2.1.6", features = ["postgres"] }
diesel-derive-enum = { version = "2.1.0", features = ["postgres"] }
dotenvy = "0.15.7"
http = "1.1.0"
postgis_diesel = "2.3.1"
tokio = {version = "1.37.0", features = ["full"]}

23
flake.nix
View file

@ -9,36 +9,39 @@
};
outputs = inputs:
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
systems = import inputs.systems;
imports = [
inputs.treefmt-nix.flakeModule
];
perSystem = {
config,
pkgs,
...
}: let
perSystem =
{ config
, pkgs
, ...
}:
let
cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
nonRustDeps = with pkgs; [
libiconv
libudev-zero
pkg-config
postgresql
openssl
];
rust-toolchain = pkgs.symlinkJoin {
name = "rust-toolchain";
paths = with pkgs; [rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc];
paths = with pkgs; [ rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc ];
};
udev-rule = builtins.readFile ./heliox.udev;
in {
in
{
# Rust package
packages.default = pkgs.rustPlatform.buildRustPackage {
inherit (cargoToml.package) name version;
src = ./.;
cargoLock.lockFile = ./Cargo.lock;
nativeBuildInputs = with pkgs; [pkg-config udev libudev-zero libpqxx];
buildInputs = with pkgs; [udev libudev-zero libpqxx];
nativeBuildInputs = with pkgs; [ pkg-config udev libudev-zero libpqxx openssl ];
buildInputs = with pkgs; [ udev libudev-zero libpqxx openssl ];
postInstall = ''
mkdir -p $out/etc/udev/rules.d
echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules

49
src/main.rs
View file

@ -6,9 +6,48 @@ mod models;
mod ops;
mod schema;
fn main() {
ops::node_ops::create_node();
ops::restaurant_ops::create_restaurant();
// ops::node_ops::update_node();
ops::node_ops::show_nodes();
use std::time::Duration;
use aliri::{error::JwtVerifyError, jwa, jwt};
use aliri_oauth2::{Authority, HasScope, Scope};
use aliri_tower::Oauth2Authorizer;
use axum::{
extract::Path,
response::IntoResponse,
routing::{get, post},
Extension, Router,
};
use http::{request::Parts, Response};
#[tokio::main]
async fn main() -> anyhow::Result<()> {
let authority = construct_authority().await?;
let authorizer = Oauth2Authorizer::new().with_verbose_error_handler();
let unauthed_routes = Router::new().route("/public", get(|| async { "Hello, public world!" }));
let authed_routes = Router::new()
.route("/secured", get(|| async { "Hello, secure world!" }))
.layer(authorizer.jwt_layer(authority))
.layer(Extension(aliri_axum::VerboseAuthxErrors));
let app = authed_routes.merge(unauthed_routes);
let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
axum::serve(listener, app).await?;
Ok(())
}
const OIDC_ISSUER_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/";
const OIDC_JWKS_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/jwks/";
async fn construct_authority() -> anyhow::Result<Authority> {
let validator = jwt::CoreValidator::default()
.add_approved_algorithm(jwa::Algorithm::RS256)
.require_issuer(jwt::Issuer::from_static(OIDC_ISSUER_URL));
let authority = Authority::new_from_url(OIDC_JWKS_URL.to_string(), validator).await?;
Ok(authority)
}