wip username

Author: aeltorio

Cargo.lock

@@ -21,7 +21,7 @@ dasp_ring_buffer = "0.11.0" # Ring buffer for audio
 clap = { version = "4.5.38", features = ["derive"] }
 
 # Web interface
-rocket = { version = "0.5", features = ["json", "tls"] }
+rocket = { version = "0.5", features = ["json", "tls", "secrets"] }
 rocket_cors = "0.6.0"
 rocket_okapi = { version = "0.9.0", features = [
     "rapidoc",
@@ -53,6 +53,7 @@ time = "0.3.41"
 rsa = {version = "0.9.8", features=["pem","sha2"]}
 tokio = { version = "1.45.0", features = ["rt", "macros", "rt-multi-thread", "time"] }
 tokio-modbus = { version = "0.16.1", features = ["tcp", "tcp-server", "server"] }
+pwhash = "1.0.0"  # Add this dependency for password hashing
 
 [dev-dependencies]
 criterion = "0.6"                                   # Benchmarking

Cargo.toml

@@ -9,6 +9,12 @@ visualization:
   address: 127.0.0.1
   # The server name
   name: LaserSmartApiServer/0.1.0
+
+  # The session secret key for the visualization server
+  # This key is used to sign the session cookie
+  # It can be securely generated with `openssl rand -base64 32`
+  session_secret: 6wcVSUhxt1+YPEondChFXtesCL1boh57gqHv2gnEH7U=
+  
   # SSL certificate PEM data (Base64 encoded) - Optional
   # generated with `cat rust-photoacoustic.local.pem | base64 -w0`
   # cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t...

config.example.yaml

@@ -56,6 +56,12 @@
             "null"
           ],
           "description": "RS256 public key for JWT token verification (base64 encoded)"
+        },
+        "session_secret": {
+          "type": [
+            "string"
+          ],
+          "description": "Session secret for cookie signing (base64 encoded) can be generated with openssl rand -base64 32"
         }
       },
       "required": [
@@ -64,7 +70,8 @@
         "name",
         "hmac_secret",
         "rs256_private_key",
-        "rs256_public_key"
+        "rs256_public_key",
+        "session_secret"
       ]
     },
     "modbus": {

resources/config.schema.json

@@ -350,6 +350,10 @@ pub struct VisualizationConfig {
     /// without removing the configuration. Default is `true`.
     #[serde(default = "default_enabled")]
     pub enabled: bool,
+
+    /// Session secret key for cookie-based authentication.
+    #[serde(default = "default_session_secret")]
+    pub session_secret: String,
 }
 
 /// Provides the default TCP port (8080) for the visualization server.
@@ -448,6 +452,14 @@ fn default_enabled() -> bool {
     true
 }
 
+/// Generate a random session secret key for cookie-based authentication.
+fn default_session_secret() -> String {
+    use rand::Rng;
+    let mut rng = rand::rng();
+    let secret: [u8; 32] = rng.random();
+    base64::engine::general_purpose::STANDARD.encode(&secret)
+}
+
 impl Default for VisualizationConfig {
     fn default() -> Self {
         Self {
@@ -460,6 +472,7 @@ impl Default for VisualizationConfig {
             rs256_private_key: default_rs256_private_key(),
             rs256_public_key: default_rs256_public_key(),
             enabled: default_enabled(),
+            session_secret: default_session_secret(),
         }
     }
 }

src/config.rs

@@ -216,7 +216,8 @@ impl Daemon {
             .merge(("limits", Limits::new().limit("json", 2.mebibytes())))
             .merge(("address", config.visualization.address.clone()))
             .merge(("port", config.visualization.port))
-            .merge(("log_level", LogLevel::Normal));
+            .merge(("log_level", LogLevel::Normal))
+            .merge(("secret_key", config.visualization.session_secret.clone()));
 
         // Add RS256 keys to figment
         if !config.visualization.rs256_public_key.is_empty()

src/daemon/launch_daemon.rs

@@ -239,6 +239,18 @@ pub struct JwtTokenMap {
     /// The algorithm used to sign and verify JWT tokens.
     /// Default is HS256 (HMAC with SHA-256).
     algorithm: Algorithm,
+    
+    /// Additional claims to include in tokens
+    ///
+    /// This allows adding extra claims to the JWT tokens being generated.
+    /// Used for including user-specific information in tokens.
+    claims: HashMap<String, Value>,
+    
+    /// Token hook for extensibility
+    ///
+    /// A callback function that allows modifying token responses during issuance.
+    /// Used for enriching tokens with additional data.
+    token_hook: Option<Box<dyn FnMut(&mut oxide_auth::code_grant::accesstoken::TokenResponse) + Send>>,
 }
 
 impl JwtTokenMap {
@@ -254,6 +266,8 @@ impl JwtTokenMap {
             issuer: "rust-photoacoustic".to_string(),
             usage_counter: 0,
             algorithm: Algorithm::HS256, // Default to HMAC-SHA256
+            claims: HashMap::new(),
+            token_hook: None,
         }
     }
 
@@ -273,6 +287,8 @@ impl JwtTokenMap {
             issuer: "rust-photoacoustic".to_string(),
             usage_counter: 0,
             algorithm,
+            claims: HashMap::new(),
+            token_hook: None,
         }
     }
 
@@ -303,6 +319,8 @@ impl JwtTokenMap {
             issuer: "rust-photoacoustic".to_string(),
             usage_counter: 0,
             algorithm: Algorithm::RS256,
+            claims: HashMap::new(),
+            token_hook: None,
         })
     }
 
@@ -338,6 +356,15 @@ impl JwtTokenMap {
             }
         }
 
+        // Add any additional claims
+        for (key, value) in &self.claims {
+            if let Some(val) = value {
+                metadata.insert(key.to_string(), val.to_string());
+            } else {
+                metadata.insert(key.to_string(), "true".to_string());
+            }
+        }
+
         // Store the redirect URI in the metadata
         metadata.insert("redirect_uri".to_string(), grant.redirect_uri.to_string());
 
@@ -360,6 +387,27 @@ impl JwtTokenMap {
             },
         }
     }
+
+    /// Add user information to token claims
+    pub fn add_user_claims(&mut self, username: &str, permissions: &[String]) -> &mut Self {
+        // Add user information to claims
+        self.claims.insert("sub".to_string(), Value::public(Some(username.to_string())));
+        
+        // Add permissions as a space-separated string
+        let perms_str = permissions.join(" ");
+        self.claims.insert("permissions".to_string(), Value::public(Some(perms_str)));
+        
+        // Common identity claims
+        self.claims.insert("preferred_username".to_string(), Value::public(Some(username.to_string())));
+        self.claims.insert("name".to_string(), Value::public(Some(username.to_string())));
+        
+        self
+    }
+    
+    /// Set a token hook function
+    pub fn set_token_hook(&mut self, hook: Box<dyn FnMut(&mut oxide_auth::code_grant::accesstoken::TokenResponse) + Send>) {
+        self.token_hook = Some(hook);
+    }
 }
 
 impl Issuer for JwtTokenMap {
@@ -397,13 +445,27 @@ impl Issuer for JwtTokenMap {
                 .insert(refresh.clone(), Arc::clone(&token_entry));
         }
 
-        // Return the issued token
-        Ok(IssuedToken {
+        // Create the token response
+        let mut token = IssuedToken {
             token: access_token,
             refresh: refresh_token,
             until: grant.until,
             token_type: TokenType::Bearer,
-        })
+        };
+
+        // Apply token hook if present
+        if let Some(hook) = &mut self.token_hook {
+            // Convert IssuedToken to TokenResponse for the hook
+            let mut token_response = oxide_auth::code_grant::accesstoken::TokenResponse::from(token.clone());
+            
+            // Call the hook with our token response
+            hook(&mut token_response);
+            
+            // No need to convert back as we already have our IssuedToken
+        }
+
+        // Return the issued token
+        Ok(token)
     }
 
     fn refresh(&mut self, refresh: &str, mut grant: Grant) -> Result<RefreshedToken, ()> {
@@ -464,13 +526,27 @@ impl Issuer for JwtTokenMap {
                 .insert(refresh.clone(), Arc::clone(&new_token_entry));
         }
 
-        // Return the refreshed token
-        Ok(RefreshedToken {
+        // Create the refreshed token
+        let mut token = RefreshedToken {
             token: new_access_token,
             refresh: new_refresh_token,
             until: grant.until,
             token_type: TokenType::Bearer,
-        })
+        };
+
+        // Apply token hook if present
+        if let Some(hook) = &mut self.token_hook {
+            // Convert RefreshedToken to TokenResponse for the hook
+            let mut token_response = oxide_auth::code_grant::accesstoken::TokenResponse::from(token.clone());
+            
+            // Call the hook with our token response
+            hook(&mut token_response);
+            
+            // No need to convert back as we already have our RefreshedToken
+        }
+
+        // Return the refreshed token
+        Ok(token)
     }
 
     fn recover_token<'a>(&'a self, token: &'a str) -> Result<Option<Grant>, ()> {
@@ -627,6 +703,21 @@ impl JwtIssuer {
         self
     }
 
+    /// Add user information to token claims
+    pub fn add_user_claims(&mut self, username: &str, permissions: &[String]) -> &mut Self {
+        {
+            let mut map = self.0.lock().unwrap();
+            map.add_user_claims(username, permissions);
+        }
+        self
+    }
+    
+    /// Set a token hook function
+    pub fn set_token_hook(&mut self, hook: Box<dyn FnMut(&mut oxide_auth::code_grant::accesstoken::TokenResponse) + Send>) {
+        let mut map = self.0.lock().unwrap();
+        map.set_token_hook(hook);
+    }
+
     /// Print the decoded contents of a JWT token for debugging purposes
     /// Returns Ok if the token could be decoded, Err otherwise
     pub fn debug_token(&self, token: &str) -> Result<JwtClaims, String> {