wip: implement OAuth2 request guard and userinfo endpoint for JWT validation

eltorio · eltorio · commit 019f5e1e5e05 · 2025-05-26T14:40:35.000+02:00
diff --git a/src/visualization/jwt/jwt_validator.rs b/src/visualization/jwt/jwt_validator.rs
@@ -49,6 +49,7 @@
 use anyhow::{anyhow, Result};
 use chrono::{DateTime, TimeZone, Utc};
 use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
+use log::debug;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 
@@ -299,13 +300,15 @@ impl JwtValidator {
                     .hmac_key
                     .as_ref()
                     .ok_or_else(|| anyhow!("HS256 key not configured"))?;
+                debug!("Using HS256 key for validation");
                 (key, Algorithm::HS256)
             }
             Algorithm::RS256 => {
                 let key = self
                     .rs256_key
                     .as_ref()
                     .ok_or_else(|| anyhow!("RS256 key not configured"))?;
+                debug!("Using RS256 key for validation");
                 (key, Algorithm::RS256)
             }
             _ => return Err(anyhow!("Unsupported JWT algorithm: {:?}", alg)),
@@ -314,13 +317,24 @@ impl JwtValidator {
         validation.validate_exp = true;
         validation.validate_nbf = true;
         if let Some(ref issuer) = self.expected_issuer {
+            debug!("Validating issuer: {}", issuer);
             validation.set_issuer(&[issuer]);
         }
-        if let Some(ref aud) = self.expected_audience {
+        
+        // Get expected audience from config or set a default
+        let expected_audience = Some("LaserSmartClient"); // TODO: replace with config if needed
+        if let Some(ref aud) = expected_audience {
+            debug!("Validating audience: {}", aud);
             validation.set_audience(&[aud]);
         }
+
+        // TODO: remove this debug log in production
+        validation.validate_aud = false;
         let token_data = decode::<JwtClaims>(token, key, &validation)
-            .map_err(|e| anyhow!("JWT validation failed: {}", e))?;
+            .map_err(|e|{ 
+                debug!("JWT validation error: {}", e);
+                anyhow!("JWT validation failed: {}", e)
+        })?;
         let now = Utc::now();
         let exp_time = Utc
             .timestamp_opt(token_data.claims.exp, 0)
diff --git a/src/visualization/mod.rs b/src/visualization/mod.rs
@@ -130,6 +130,9 @@ pub mod server;
 /// OIDC discovery and configuration
 pub mod oidc;
 
+/// Oauth2 Request Guard
+pub mod oauth_guard;
+
 use crate::{config::Config, AnalysisResult};
 use anyhow::Result;
 use base64::{self, Engine};
diff --git a/src/visualization/oauth_guard.rs b/src/visualization/oauth_guard.rs
@@ -0,0 +1,60 @@
+// Copyright (c) 2025 Ronan LE MEILLAT, SCTG Development
+// This file is part of the rust-photoacoustic project and is licensed under the
+// SCTG Development Non-Commercial License v1.0 (see LICENSE.md for details).
+
+//! Rocket request guard for validating Bearer tokens using JwtValidator (HS256/RS256)
+
+use rocket::http::Status;
+use rocket::request::{FromRequest, Outcome, Request};
+use rocket::State;
+use crate::visualization::jwt::jwt_validator::{JwtValidator, UserInfo};
+use crate::visualization::oidc_auth::OxideState;
+use base64::Engine;
+
+/// Request guard for extracting and validating a Bearer JWT from the Authorization header
+pub struct OAuthBearer(pub UserInfo);
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for OAuthBearer {
+    type Error = (Status, &'static str);
+
+    async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
+        // Get the Authorization header
+        let auth_header = request.headers().get_one("Authorization");
+
+        if let Some(header) = auth_header {
+            if let Some(token) = header.strip_prefix("Bearer ") {
+                // Get the OxideState from Rocket state
+                let state = match request.guard::<&State<OxideState>>().await {
+                    Outcome::Success(state) => state,
+                    _ => return Outcome::Error((Status::InternalServerError,(Status::InternalServerError, "Missing state"))),
+                };
+                // Build JwtValidator from state (supporting both HS256 and RS256)
+                let hmac_secret = state.hmac_secret.as_bytes();
+                let rs256_public_key = if !state.rs256_public_key.is_empty() {
+                    base64::engine::general_purpose::STANDARD.decode(&state.rs256_public_key).ok()
+                } else {
+                    None
+                };
+
+                let mut validator = match rs256_public_key {
+                    Some(ref pem) => JwtValidator::new(Some(hmac_secret), Some(pem)),
+                    None => JwtValidator::new(Some(hmac_secret), None),
+                };
+                match validator {
+                    Ok(validator) => {
+                        match validator.get_user_info(token) {
+                            Ok(user_info) => Outcome::Success(OAuthBearer(user_info)),
+                            Err(_) => Outcome::Error((Status::Unauthorized,(Status::Unauthorized, "Invalid token"))),
+                        }
+                    }
+                    Err(_) => Outcome::Error((Status::InternalServerError,(Status::InternalServerError, "Validator error"))),
+                }
+            } else {
+                Outcome::Error((Status::Unauthorized,(Status::Unauthorized, "Missing Bearer token")))
+            }
+        } else {
+            Outcome::Error((Status::Unauthorized,(Status::Unauthorized, "Missing Authorization header")))
+        }
+    }
+}
diff --git a/src/visualization/oidc_auth.rs b/src/visualization/oidc_auth.rs
@@ -55,7 +55,6 @@ use oxide_auth::primitives::prelude::*;
 use oxide_auth::primitives::registrar::RegisteredUrl;
 use oxide_auth_rocket;
 use oxide_auth_rocket::{OAuthFailure, OAuthRequest, OAuthResponse};
-use rand::rand_core::le;
 use rocket::figment::Figment;
 use rocket::State;
 use rocket::{get, post};
@@ -64,6 +63,7 @@ use serde_json::json;
 use url::Url;
 
 use super::jwt::JwtIssuer;
+use super::oauth_guard::OAuthBearer;
 
 use crate::config::{AccessConfig, User, USER_SESSION_SEPARATOR};
 use base64::Engine;
@@ -830,6 +830,23 @@ pub async fn refresh<'r>(
         .map_err(|err| err.pack::<OAuthFailure>())
 }
 
+/// Openid userinfo endpoint
+/// Accessed via `GET /userinfo`
+/// This endpoint returns user information based on the access token provided in the Authorization header.
+/// It requires a valid JWT access token to be present in the request Authorization header.
+#[get("/userinfo")]
+pub async fn userinfo(
+    bearer: OAuthBearer,
+    state: &State<OxideState>,
+) -> Result<rocket::serde::json::Json<User>, OAuthFailure> {
+    // Return the authenticated user's information
+    debug!("Userinfo endpoint accessed with bearer token");
+    Ok(rocket::serde::json::Json(User {
+        user: "toto".to_string(), // Username is not returned in userinfo
+        pass: String::new(), // Password is not returned in userinfo
+        permissions: vec!["read:api".to_string(), "write:api".to_string()],
+    }))
+}
 impl OxideState {
     /// Create a preconfigured OxideState with default settings
     ///
diff --git a/src/visualization/server.rs b/src/visualization/server.rs
@@ -73,7 +73,7 @@ use std::net::{IpAddr, Ipv4Addr, SocketAddr};
 use std::ops::Deref;
 use std::path::PathBuf;
 
-use super::oidc_auth::{login, OxideState};
+use super::oidc_auth::{login, userinfo, OxideState};
 
 /// Static directory containing the web client files
 ///
@@ -496,6 +496,7 @@ pub async fn build_rocket(figment: Figment) -> Rocket<Build> {
                 authorize,
                 authorize_consent,
                 login,
+                userinfo,
                 token,
                 refresh,
                 super::introspection::introspect,
