refactor: centralize authentication with TokenManager

This commit introduces a centralized TokenManager for handling JWT token
creation and verification, eliminating scattered token logic.

New Module: auth/token.rs
- TokenManager: Centralized token management
  - create_token(): Generate JWT tokens with configured expiration
  - verify_token(): Validate tokens with proper verification options
  - Configurable expiration, subject, and secret

Benefits:
- Single source of truth for token handling
- Eliminates duplicate token creation/verification logic
- Consistent verification options (expiration, subject, tolerance)
- Better testability with 4 comprehensive tests
- Easier to change token strategy in future

Changes by Module:
- middleware.rs: Use TokenManager for verify_token()
  - Removed inline HS256Key creation
  - Removed manual VerificationOptions setup
  - 15 lines simplified to 1-line call

- api.rs: Use TokenManager for session_token()
  - Removed inline HS256Key and Claims creation
  - Cleaner error handling
  - 8 lines simplified to 6 lines

Signed-off-by: Jan Zachmann <50990105+JanZachmann@users.noreply.github.com>

Author: JanZachmann

Cargo.lock

@@ -7,7 +7,7 @@ license = "MIT OR Apache-2.0"
 name = "omnect-ui"
 readme = "README.md"
 repository = "git@github.com:omnect/omnect-ui.git"
-version = "1.0.4"
+version = "1.0.5"
 build = "src/build.rs"
 
 [dependencies]

Cargo.toml

@@ -1,4 +1,5 @@
 use crate::{
+    auth::TokenManager,
     common::{
         centrifugo_config, config_path, data_path, host_data_path, tmp_path, validate_password,
     },
@@ -15,9 +16,9 @@ use argon2::{
     Argon2,
     password_hash::{PasswordHasher, SaltString, rand_core::OsRng},
 };
-use jwt_simple::prelude::*;
 use log::{debug, error};
 use serde::Deserialize;
+use std::sync::OnceLock;
 use std::{
     fs::{self, File},
     io::Write,
@@ -62,6 +63,17 @@ where
 {
     const UPDATE_FILE_NAME: &str = "update.tar";
 
+    fn token_manager() -> &'static TokenManager {
+        static TOKEN_MANAGER: OnceLock<TokenManager> = OnceLock::new();
+        TOKEN_MANAGER.get_or_init(|| {
+            TokenManager::new(
+                &centrifugo_config().client_token,
+                TOKEN_EXPIRE_HOURS,
+                env!("CARGO_PKG_NAME").to_string(),
+            )
+        })
+    }
+
     /// Helper to handle service client results with consistent error logging
     fn handle_service_result(result: Result<()>, operation: &str) -> HttpResponse {
         match result {
@@ -356,13 +368,12 @@ where
     }
 
     fn session_token(session: Session) -> HttpResponse {
-        let key = HS256Key::from_bytes(centrifugo_config().client_token.as_bytes());
-        let claims =
-            Claims::create(Duration::from_hours(TOKEN_EXPIRE_HOURS)).with_subject("omnect-ui");
-
-        let Ok(token) = key.authenticate(claims) else {
-            error!("failed to create token");
-            return HttpResponse::InternalServerError().body("failed to create token");
+        let token = match Self::token_manager().create_token() {
+            Ok(token) => token,
+            Err(e) => {
+                error!("failed to create token: {e:#}");
+                return HttpResponse::InternalServerError().body("failed to create token");
+            }
         };
 
         if session.insert("token", &token).is_err() {

src/api.rs

@@ -0,0 +1,3 @@
+pub mod token;
+
+pub use token::TokenManager;

src/auth/mod.rs

@@ -0,0 +1,110 @@
+use anyhow::Result;
+use jwt_simple::prelude::*;
+
+/// Centralized token management for session tokens
+///
+/// Handles creation and verification of JWT tokens used for:
+/// - Session authentication
+/// - Centrifugo WebSocket authentication
+pub struct TokenManager {
+    key: HS256Key,
+    expire_hours: u64,
+    subject: String,
+}
+
+impl TokenManager {
+    /// Create a new TokenManager
+    ///
+    /// # Arguments
+    /// * `secret` - Secret key for HMAC-SHA256 signing
+    /// * `expire_hours` - Token expiration time in hours
+    /// * `subject` - Required subject claim for tokens
+    pub fn new(secret: &str, expire_hours: u64, subject: String) -> Self {
+        let key = HS256Key::from_bytes(secret.as_bytes());
+        Self {
+            key,
+            expire_hours,
+            subject,
+        }
+    }
+
+    /// Create a new token with the configured expiration and subject
+    ///
+    /// Returns a signed JWT token string
+    pub fn create_token(&self) -> Result<String> {
+        let claims =
+            Claims::create(Duration::from_hours(self.expire_hours)).with_subject(&self.subject);
+
+        self.key
+            .authenticate(claims)
+            .map_err(|e| anyhow::anyhow!("failed to create token: {}", e))
+    }
+
+    /// Verify a token and check if it's valid
+    ///
+    /// Validates:
+    /// - Signature
+    /// - Expiration (with 15 minute tolerance)
+    /// - Max validity (token age)
+    /// - Required subject claim
+    ///
+    /// Returns true if token is valid, false otherwise
+    pub fn verify_token(&self, token: &str) -> bool {
+        let options = VerificationOptions {
+            accept_future: true,
+            time_tolerance: Some(Duration::from_mins(15)),
+            max_validity: Some(Duration::from_hours(self.expire_hours)),
+            required_subject: Some(self.subject.clone()),
+            ..Default::default()
+        };
+
+        self.key
+            .verify_token::<NoCustomClaims>(token, Some(options))
+            .is_ok()
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_create_and_verify_token() {
+        let manager = TokenManager::new("test-secret", 2, "test-app".to_string());
+
+        let token = manager.create_token().expect("should create token");
+        assert!(!token.is_empty());
+
+        assert!(manager.verify_token(&token));
+    }
+
+    #[test]
+    fn test_verify_invalid_token() {
+        let manager = TokenManager::new("test-secret", 2, "test-app".to_string());
+
+        assert!(!manager.verify_token("invalid.token.here"));
+        assert!(!manager.verify_token(""));
+    }
+
+    #[test]
+    fn test_verify_token_wrong_secret() {
+        let manager1 = TokenManager::new("secret1", 2, "test-app".to_string());
+        let manager2 = TokenManager::new("secret2", 2, "test-app".to_string());
+
+        let token = manager1.create_token().expect("should create token");
+
+        // Token created with secret1 should not verify with secret2
+        assert!(!manager2.verify_token(&token));
+    }
+
+    #[test]
+    fn test_verify_token_wrong_subject() {
+        let manager1 = TokenManager::new("secret", 2, "app1".to_string());
+        let manager2 = TokenManager::new("secret", 2, "app2".to_string());
+
+        let token = manager1.create_token().expect("should create token");
+
+        // Token with subject "app1" should not verify when expecting "app2"
+        assert!(!manager2.verify_token(&token));
+    }
+}

src/auth/token.rs

@@ -1,4 +1,5 @@
 pub mod api;
+pub mod auth;
 pub mod common;
 pub mod http_client;
 pub mod keycloak_client;

src/lib.rs

@@ -1,4 +1,5 @@
 mod api;
+mod auth;
 mod certificate;
 mod common;
 mod http_client;

src/main.rs

@@ -1,4 +1,7 @@
-use crate::common::{centrifugo_config, validate_password};
+use crate::{
+    auth::TokenManager,
+    common::{centrifugo_config, validate_password},
+};
 use actix_session::SessionExt;
 use actix_web::{
     Error, FromRequest, HttpMessage, HttpResponse,
@@ -7,16 +10,28 @@ use actix_web::{
 };
 use actix_web_httpauth::extractors::basic::BasicAuth;
 use anyhow::Result;
-use jwt_simple::prelude::*;
 use log::error;
 use std::{
     future::{Future, Ready, ready},
     pin::Pin,
     rc::Rc,
+    sync::OnceLock,
 };
 
 pub const TOKEN_EXPIRE_HOURS: u64 = 2;
 
+static TOKEN_MANAGER: OnceLock<TokenManager> = OnceLock::new();
+
+fn token_manager() -> &'static TokenManager {
+    TOKEN_MANAGER.get_or_init(|| {
+        TokenManager::new(
+            &centrifugo_config().client_token,
+            TOKEN_EXPIRE_HOURS,
+            env!("CARGO_PKG_NAME").to_string(),
+        )
+    })
+}
+
 pub struct AuthMw;
 
 impl<S, B> Transform<S, ServiceRequest> for AuthMw
@@ -91,17 +106,7 @@ where
 }
 
 pub fn verify_token(token: &str) -> bool {
-    let key = HS256Key::from_bytes(centrifugo_config().client_token.as_bytes());
-    let options = VerificationOptions {
-        accept_future: true,
-        time_tolerance: Some(Duration::from_mins(15)),
-        max_validity: Some(Duration::from_hours(TOKEN_EXPIRE_HOURS)),
-        required_subject: Some(env!("CARGO_PKG_NAME").to_string()),
-        ..Default::default()
-    };
-
-    key.verify_token::<NoCustomClaims>(token, Some(options))
-        .is_ok()
+    token_manager().verify_token(token)
 }
 
 fn verify_user(auth: BasicAuth) -> bool {
@@ -147,6 +152,7 @@ pub mod tests {
     };
     use base64::prelude::*;
     use jwt_simple::claims::{JWTClaims, NoCustomClaims};
+    use jwt_simple::prelude::*;
     use std::{collections::HashMap, fs::File, io::Write};
 
     fn generate_valid_claim() -> JWTClaims<NoCustomClaims> {