Complete protection of /hello endpoint

Signed-off-by: Federico Busetti <[email protected]>

Author: febus982

local.env

@@ -1,2 +1,3 @@
+AUTH__JWKS_URL: "http://oathkeeper:4456/.well-known/jwks.json"
 DRAMATIQ__REDIS_URL: "redis://redis:6379/0"
 OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector:4317"

pyproject.toml

@@ -32,6 +32,7 @@ dependencies = [
 
 [dependency-groups]
 http = [
+    "cryptography>=44.0.0",
     "fastapi>=0.99.0",
     "jinja2<4.0.0,>=3.1.2",
     # We use the generic ASGI instrumentation, so that if we decide to change

src/common/config.py

@@ -13,7 +13,7 @@ class DramatiqConfig(BaseModel):
 
 
 class AuthConfig(BaseModel):
-    JWT_ALGORITHM: str = "HS256"
+    JWT_ALGORITHM: str = "RS256"
     JWKS_URL: Optional[str] = None
 
 

src/http_app/jinja_templates/hello.html

@@ -4,5 +4,7 @@
 </head>
 <body>
     <h1>Hello world</h1>
+    <p>Your JWT token payload:</p>
+    <pre>{{ token_payload | tojson(4) }}</pre>
 </body>
 </html>

src/http_app/routes/auth.py

@@ -1,9 +1,8 @@
-import time
 from typing import Annotated, Any, Optional
 
 import jwt
 from fastapi import Depends, HTTPException, Request, status
-from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, SecurityScopes
 
 from common import AppConfig
 from http_app.dependencies import app_config
@@ -35,35 +34,21 @@ def _jwks_client(config: Annotated[AppConfig, Depends(app_config)]) -> jwt.PyJWK
     return jwt.PyJWKClient(config.AUTH.JWKS_URL)
 
 
-class JWTBearer(HTTPBearer):
-    async def __call__(
-        self,
-        request: Request,
-    ) -> Optional[HTTPAuthorizationCredentials]:
-        credentials = await super(JWTBearer, self).__call__(request)
-
-        await self.decode(request)
+class JWTDecoder:
+    """Does all the token verification using PyJWT"""
 
-        return credentials
-
-    async def decode(
+    async def __call__(
         self,
-        request: Request,
-        jwks_client: jwt.PyJWKClient = Depends(_jwks_client),
+        security_scopes: SecurityScopes,
         config: AppConfig = Depends(app_config),
-    ) -> dict[str, Any]:
-        credentials = await super(JWTBearer, self).__call__(request)
-
-        if not credentials:
+        jwks_client: jwt.PyJWKClient = Depends(_jwks_client),
+        token: Optional[HTTPAuthorizationCredentials] = Depends(HTTPBearer()),
+    ):
+        if token is None:
             raise UnauthenticatedException()
 
-        if not credentials.scheme == "Bearer":
-            raise UnauthorizedException("Invalid authentication scheme.")
-
         try:
-            signing_key = jwks_client.get_signing_key_from_jwt(
-                credentials.credentials
-            ).key
+            signing_key = jwks_client.get_signing_key_from_jwt(token.credentials).key
         except jwt.exceptions.PyJWKClientError as error:
             raise UnauthorizedException(str(error))
         except jwt.exceptions.DecodeError as error:
@@ -73,7 +58,7 @@ async def decode(
             # TODO: Review decode setup and verifications
             #       https://pyjwt.readthedocs.io/en/stable/api.html#jwt.decode
             payload = jwt.decode(
-                jwt=credentials.credentials,
+                jwt=token.credentials,
                 key=signing_key,
                 algorithms=[config.AUTH.JWT_ALGORITHM],
             )

src/http_app/routes/hello.py

@@ -1,11 +1,15 @@
-from fastapi import APIRouter, Request
+from fastapi import APIRouter, Request, Security
 from fastapi.responses import HTMLResponse
 
 from http_app.templates import templates
 
+from .auth import JWTDecoder
+
 router = APIRouter(prefix="/hello")
 
 
-@router.get("/", response_class=HTMLResponse, include_in_schema=False)
-async def hello(request: Request):
-    return templates.TemplateResponse("hello.html", {"request": request})
+@router.get("/", response_class=HTMLResponse, include_in_schema=True)
+async def hello(request: Request, jwt_token=Security(JWTDecoder())):
+    return templates.TemplateResponse(
+        "hello.html", {"request": request, "token_payload": jwt_token}
+    )