Add JWT verification to protect routes
This commit is contained in:
parent
0120de27bf
commit
07c1051cde
4 changed files with 1596 additions and 56 deletions
1490
Cargo.lock
generated
1490
Cargo.lock
generated
File diff suppressed because it is too large
Load diff
|
@ -6,7 +6,15 @@ edition = "2021"
|
|||
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
|
||||
|
||||
[dependencies]
|
||||
aliri = "0.6.3"
|
||||
aliri_axum = "0.4.0"
|
||||
aliri_oauth2 = { version = "0.10.1", features = ["default-tls"] }
|
||||
aliri_tower = "0.6.0"
|
||||
anyhow = "1.0.86"
|
||||
axum = "0.7.5"
|
||||
diesel = { version = "2.1.6", features = ["postgres"] }
|
||||
diesel-derive-enum = { version = "2.1.0", features = ["postgres"] }
|
||||
dotenvy = "0.15.7"
|
||||
http = "1.1.0"
|
||||
postgis_diesel = "2.3.1"
|
||||
tokio = {version = "1.37.0", features = ["full"]}
|
||||
|
|
23
flake.nix
23
flake.nix
|
@ -9,36 +9,39 @@
|
|||
};
|
||||
|
||||
outputs = inputs:
|
||||
inputs.flake-parts.lib.mkFlake {inherit inputs;} {
|
||||
inputs.flake-parts.lib.mkFlake { inherit inputs; } {
|
||||
systems = import inputs.systems;
|
||||
imports = [
|
||||
inputs.treefmt-nix.flakeModule
|
||||
];
|
||||
perSystem = {
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
perSystem =
|
||||
{ config
|
||||
, pkgs
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
cargoToml = builtins.fromTOML (builtins.readFile ./Cargo.toml);
|
||||
nonRustDeps = with pkgs; [
|
||||
libiconv
|
||||
libudev-zero
|
||||
pkg-config
|
||||
postgresql
|
||||
openssl
|
||||
];
|
||||
rust-toolchain = pkgs.symlinkJoin {
|
||||
name = "rust-toolchain";
|
||||
paths = with pkgs; [rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc];
|
||||
paths = with pkgs; [ rustc cargo cargo-watch rust-analyzer rustPlatform.rustcSrc ];
|
||||
};
|
||||
udev-rule = builtins.readFile ./heliox.udev;
|
||||
in {
|
||||
in
|
||||
{
|
||||
# Rust package
|
||||
packages.default = pkgs.rustPlatform.buildRustPackage {
|
||||
inherit (cargoToml.package) name version;
|
||||
src = ./.;
|
||||
cargoLock.lockFile = ./Cargo.lock;
|
||||
nativeBuildInputs = with pkgs; [pkg-config udev libudev-zero libpqxx];
|
||||
buildInputs = with pkgs; [udev libudev-zero libpqxx];
|
||||
nativeBuildInputs = with pkgs; [ pkg-config udev libudev-zero libpqxx openssl ];
|
||||
buildInputs = with pkgs; [ udev libudev-zero libpqxx openssl ];
|
||||
postInstall = ''
|
||||
mkdir -p $out/etc/udev/rules.d
|
||||
echo '${udev-rule}' > $out/etc/udev/rules.d/70-heliox.rules
|
||||
|
|
49
src/main.rs
49
src/main.rs
|
@ -6,9 +6,48 @@ mod models;
|
|||
mod ops;
|
||||
mod schema;
|
||||
|
||||
fn main() {
|
||||
ops::node_ops::create_node();
|
||||
ops::restaurant_ops::create_restaurant();
|
||||
// ops::node_ops::update_node();
|
||||
ops::node_ops::show_nodes();
|
||||
use std::time::Duration;
|
||||
|
||||
use aliri::{error::JwtVerifyError, jwa, jwt};
|
||||
use aliri_oauth2::{Authority, HasScope, Scope};
|
||||
use aliri_tower::Oauth2Authorizer;
|
||||
use axum::{
|
||||
extract::Path,
|
||||
response::IntoResponse,
|
||||
routing::{get, post},
|
||||
Extension, Router,
|
||||
};
|
||||
use http::{request::Parts, Response};
|
||||
|
||||
#[tokio::main]
|
||||
async fn main() -> anyhow::Result<()> {
|
||||
let authority = construct_authority().await?;
|
||||
let authorizer = Oauth2Authorizer::new().with_verbose_error_handler();
|
||||
|
||||
let unauthed_routes = Router::new().route("/public", get(|| async { "Hello, public world!" }));
|
||||
|
||||
let authed_routes = Router::new()
|
||||
.route("/secured", get(|| async { "Hello, secure world!" }))
|
||||
.layer(authorizer.jwt_layer(authority))
|
||||
.layer(Extension(aliri_axum::VerboseAuthxErrors));
|
||||
|
||||
let app = authed_routes.merge(unauthed_routes);
|
||||
|
||||
let listener = tokio::net::TcpListener::bind("127.0.0.1:8080").await?;
|
||||
axum::serve(listener, app).await?;
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
const OIDC_ISSUER_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/";
|
||||
const OIDC_JWKS_URL: &str = "https://auth.ghoscht.com/application/o/schnabu/jwks/";
|
||||
|
||||
async fn construct_authority() -> anyhow::Result<Authority> {
|
||||
let validator = jwt::CoreValidator::default()
|
||||
.add_approved_algorithm(jwa::Algorithm::RS256)
|
||||
.require_issuer(jwt::Issuer::from_static(OIDC_ISSUER_URL));
|
||||
|
||||
let authority = Authority::new_from_url(OIDC_JWKS_URL.to_string(), validator).await?;
|
||||
|
||||
Ok(authority)
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue