feat(auth): implement JWT auth token service

fulleni · fulleni · commit 159be74ed7be · 2025-05-05T17:35:00.000+01:00
- Replaces simple token service
- Uses dart_jsonwebtoken package
- Adds JWT generation and validation
- Improves security and scalability
diff --git a/lib/src/services/auth_token_service.dart b/lib/src/services/auth_token_service.dart
@@ -26,52 +26,3 @@ abstract class AuthTokenService {
   // Potential future methods:
   // Future<void> invalidateToken(String token); // For token blacklisting
 }
-
-/// A basic implementation of [AuthTokenService].
-///
-/// **Note:** This is a placeholder and **not secure** for production.
-/// It does not perform real cryptographic signing or validation.
-/// Replace with a proper JWT implementation (e.g., using `dart_jsonwebtoken`).
-class SimpleAuthTokenService implements AuthTokenService {
-  /// {@macro simple_auth_token_service}
-  const SimpleAuthTokenService({
-    // In a real implementation, you'd inject a secret key here.
-    String secretKey = 'very-secret-key-replace-me',
-  }) : _secretKey = secretKey;
-
-  //
-  // ignore: unused_field
-  final String _secretKey;
-
-  // Placeholder for storing "valid" tokens in this insecure example.
-  // A real implementation validates cryptographically.
-  static final Map<String, User> _validTokens = {};
-
-  @override
-  Future<String> generateToken(User user) async {
-    // Insecure placeholder: Generate a simple token string.
-    // A real implementation would create a JWT with claims and sign it.
-    final token =
-        'token_for_${user.id}_${DateTime.now().millisecondsSinceEpoch}';
-    _validTokens[token] = user; // Store for simple validation
-    print('Generated token (INSECURE): $token for user ${user.id}');
-    await Future<void>.delayed(Duration.zero); // Simulate async
-    return token;
-  }
-
-  @override
-  Future<User?> validateToken(String token) async {
-    // Insecure placeholder: Check if the token exists in our map.
-    // A real implementation would verify JWT signature, expiry, issuer, etc.
-    print('Validating token (INSECURE): $token');
-    final user = _validTokens[token];
-    await Future<void>.delayed(Duration.zero); // Simulate async
-    if (user != null) {
-      print('Token valid for user ${user.id}');
-      return user;
-    } else {
-      print('Token invalid');
-      return null;
-    }
-  }
-}
diff --git a/lib/src/services/jwt_auth_token_service.dart b/lib/src/services/jwt_auth_token_service.dart
@@ -0,0 +1,128 @@
+import 'package:dart_jsonwebtoken/dart_jsonwebtoken.dart';
+import 'package:ht_api/src/services/auth_token_service.dart';
+import 'package:ht_data_repository/ht_data_repository.dart';
+import 'package:ht_shared/ht_shared.dart';
+import 'package:uuid/uuid.dart';
+
+/// {@template jwt_auth_token_service}
+/// An implementation of [AuthTokenService] using JSON Web Tokens (JWT).
+///
+/// Handles the creation (signing) and validation (verification) of JWTs
+/// for user authentication.
+/// {@endtemplate}
+class JwtAuthTokenService implements AuthTokenService {
+  /// {@macro jwt_auth_token_service}
+  ///
+  /// Requires an [HtDataRepository<User>] to fetch user details after
+  /// validating the token's subject claim.
+  /// Also requires a [Uuid] generator for creating unique JWT IDs (jti).
+  const JwtAuthTokenService({
+    required HtDataRepository<User> userRepository,
+    required Uuid uuidGenerator,
+  })  : _userRepository = userRepository,
+        _uuid = uuidGenerator;
+
+  final HtDataRepository<User> _userRepository;
+  final Uuid _uuid;
+
+  // --- Configuration ---
+
+  // WARNING: Hardcoding secrets is insecure. Use environment variables
+  // or a proper secrets management solution in production.
+  static const String _secretKey =
+      'your-very-hardcoded-super-secret-key-replace-this-in-prod';
+
+  // Define token issuer and default expiry duration
+  static const String _issuer = 'https://your-api-domain.com'; // Replace
+  static const Duration _tokenExpiryDuration = Duration(hours: 1);
+
+  // --- Interface Implementation ---
+
+  @override
+  Future<String> generateToken(User user) async {
+    try {
+      final now = DateTime.now();
+      final expiry = now.add(_tokenExpiryDuration);
+
+      final jwt = JWT(
+        {
+          // Standard claims
+          'sub': user.id, // Subject (user ID) - REQUIRED
+          'exp': expiry.millisecondsSinceEpoch ~/ 1000, // Expiration Time
+          'iat': now.millisecondsSinceEpoch ~/ 1000, // Issued At
+          'iss': _issuer, // Issuer
+          'jti': _uuid.v4(), // JWT ID (for potential blacklisting)
+
+          // Custom claims (optional, include what's useful)
+          'email': user.email,
+          'isAnonymous': user.isAnonymous,
+        },
+        issuer: _issuer,
+        subject: user.id,
+        jwtId: _uuid.v4(), // Re-setting jti here for clarity if needed
+      );
+
+      // Sign the token using HMAC-SHA256
+      final token = jwt.sign(
+        SecretKey(_secretKey),
+        algorithm: JWTAlgorithm.HS256,
+        expiresIn: _tokenExpiryDuration, // Redundant but safe
+      );
+
+      print('Generated JWT for user ${user.id}');
+      return token;
+    } catch (e) {
+      print('Error generating JWT for user ${user.id}: $e');
+      // Map to a standard exception
+      throw OperationFailedException(
+        'Failed to generate authentication token: ${e.toString()}',
+      );
+    }
+  }
+
+  @override
+  Future<User?> validateToken(String token) async {
+    try {
+      // Verify the token's signature and expiry
+      final jwt = JWT.verify(token, SecretKey(_secretKey));
+
+      // Extract user ID from the subject claim
+      final userId = jwt.payload['sub'] as String?;
+      if (userId == null) {
+        print('Token validation failed: Missing "sub" claim.');
+        // Throw specific exception for malformed token
+        throw const BadRequestException('Malformed token: Missing subject claim.');
+      }
+
+      // Fetch the full user object from the repository
+      // This ensures the user still exists and is valid
+      final user = await _userRepository.read(userId);
+      print('Token validated successfully for user ${user.id}');
+      return user;
+    } on JWTExpiredException {
+      print('Token validation failed: Token expired.');
+      // Throw specific exception for expired token
+      throw const UnauthorizedException('Token expired.');
+    } on JWTInvalidException catch (e) {
+      print('Token validation failed: Invalid token. Reason: ${e.message}');
+      // Throw specific exception for invalid token signature/format
+      throw UnauthorizedException('Invalid token: ${e.message}');
+    } on JWTException catch (e) { // Use JWTException as the general catch-all
+      print('Token validation failed: JWT Exception. Reason: ${e.message}');
+      // Treat other JWT exceptions as invalid tokens
+      throw UnauthorizedException('Invalid token: ${e.message}');
+    } on HtHttpException catch (e) {
+      // Handle errors from the user repository (e.g., user not found)
+      print('Token validation failed: Error fetching user $e');
+      // Re-throw repository exceptions directly for the error handler
+      rethrow;
+    } catch (e) {
+      // Catch unexpected errors during validation
+      print('Unexpected error during token validation: $e');
+      // Wrap unexpected errors in a standard exception type
+      throw OperationFailedException(
+        'Token validation failed unexpectedly: ${e.toString()}',
+      );
+    }
+  }
+}
diff --git a/pubspec.yaml b/pubspec.yaml
@@ -8,6 +8,7 @@ environment:
 
 dependencies:
   dart_frog: ^1.1.0
+  dart_jsonwebtoken: ^3.2.0
   ht_app_settings_client:
     git:
       url: https://github.com/headlines-toolkit/ht-app-settings-client.git
diff --git a/routes/_middleware.dart b/routes/_middleware.dart
@@ -9,8 +9,13 @@ import 'package:dart_frog/dart_frog.dart';
 import 'package:ht_api/src/middlewares/authentication_middleware.dart';
 import 'package:ht_api/src/middlewares/error_handler.dart';
 import 'package:ht_api/src/registry/model_registry.dart';
+import 'package:ht_api/src/middlewares/authentication_middleware.dart';
+import 'package:ht_api/src/middlewares/error_handler.dart';
+import 'package:ht_api/src/registry/model_registry.dart';
 import 'package:ht_api/src/services/auth_service.dart';
 import 'package:ht_api/src/services/auth_token_service.dart';
+// Import the new JWT service
+import 'package:ht_api/src/services/jwt_auth_token_service.dart';
 import 'package:ht_api/src/services/verification_code_storage_service.dart';
 import 'package:ht_app_settings_inmemory/ht_app_settings_inmemory.dart';
 import 'package:ht_app_settings_repository/ht_app_settings_repository.dart';
@@ -182,8 +187,12 @@ Handler middleware(Handler handler) {
   const emailRepository = HtEmailRepository(
     emailClient: HtEmailInMemoryClient(),
   );
-  // Auth Services (using simple/in-memory implementations)
-  const authTokenService = SimpleAuthTokenService();
+  // Auth Services (using JWT and in-memory implementations)
+  // Instantiate the new JWT service, passing its dependencies
+  final authTokenService = JwtAuthTokenService(
+    userRepository: userRepository,
+    uuidGenerator: uuid,
+  );
   final verificationCodeStorageService =
       InMemoryVerificationCodeStorageService();
   final authService = AuthService(
