Implemented Authentication with JWT

Author: zandemax

openlineplanner-backend/Cargo.lock

@@ -29,3 +29,5 @@ acc_reader = "2.0.0"
 uuid = { version = "1.3.0", features = ["v4", "serde", "v5"] }
 predicates = "3.0.3"
 postcard = { version = "1.0.4", features = ["alloc"] }
+actix-web-httpauth = "0.8.0"
+alcoholic_jwt = "4091.0.0"

openlineplanner-backend/Cargo.toml

@@ -5,6 +5,7 @@ use std::sync::RwLock;
 
 use actix_cors::Cors;
 use actix_web::{http, web, App, HttpServer};
+use actix_web_httpauth::middleware::HttpAuthentication;
 use anyhow::Result;
 use config::Config;
 use error::OLPError;
@@ -14,6 +15,7 @@ use openhousepopulator::Buildings;
 use osmpbfreader::OsmPbfReader;
 use population::InhabitantsMap;
 use serde::Deserialize;
+use alcoholic_jwt::JWKS;
 
 mod coverage;
 mod error;
@@ -22,6 +24,7 @@ mod layers;
 mod persistence;
 mod population;
 mod station;
+mod middleware;
 
 use coverage::{CoverageMap, Method, Routing};
 use layers::streetgraph::generate_streetgraph;
@@ -49,6 +52,7 @@ async fn station_info(
     request: web::Json<StationInfoRequest>,
     layers: web::Data<RwLock<Layers>>,
     streets: web::Data<Streets>,
+    auth: web::ReqData<middleware::auth::Claims>
 ) -> Result<InhabitantsMap, OLPError> {
     let merged_layers = layers
         .read()
@@ -101,13 +105,17 @@ async fn main() -> std::io::Result<()> {
     let config = Config::builder()
         .set_default("cache.dir", "./cache/").unwrap()
         .set_default("data.dir", "./pbf/").unwrap()
+        .set_default("oidc.issuer", "https://dex.prod.k8s.xatellite.space").unwrap()
         .add_source(config::File::with_name("Config.toml").required(false))
         .build()
         .unwrap();
 
     let (streets, buildings) = load_base_data(&config);
     let layers = load_layers(&config);
     let config = web::Data::new(config);
+    let jwks_data: JWKS = reqwest::get(format!("{}/keys", config.get_string("oidc.issuer").unwrap())).await.unwrap().json().await.unwrap();
+    log::info!("loaded jwks: {:?}", jwks_data);
+    let jwks = web::Data::new(jwks_data);
 
     log::info!("loading data done");
 
@@ -126,12 +134,16 @@ async fn main() -> std::io::Result<()> {
             .allowed_header(http::header::CONTENT_TYPE)
             .max_age(3600);
 
+        let authentication = HttpAuthentication::bearer(middleware::auth::validator);
+
         App::new()
             .wrap(cors)
+            .wrap(authentication)
             .app_data(layers.clone())
             .app_data(streets.clone())
             .app_data(buildings.clone())
             .app_data(config.clone())
+            .app_data(jwks.clone())
             .route("/station-info", web::post().to(station_info))
             .route(
                 "/coverage-info/{router}",

openlineplanner-backend/src/main.rs

@@ -0,0 +1,43 @@
+use actix_web::HttpMessage;
+use actix_web::web::Data;
+use actix_web::dev::ServiceRequest;
+use actix_web_httpauth::extractors::bearer::{BearerAuth, Config};
+use actix_web_httpauth::extractors::AuthenticationError;
+use serde::{Deserialize, Serialize};
+use alcoholic_jwt::{JWKS, Validation, validate, token_kid};
+use anyhow::anyhow;
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct Claims {
+   pub sub: String,
+   pub name: String
+}
+
+pub async fn validator(req: ServiceRequest, credentials: BearerAuth) -> Result<ServiceRequest, (actix_web::Error, ServiceRequest)> {
+    let config = req.app_data::<Config>().cloned().unwrap_or_default();
+    let jwks = req.app_data::<Data<JWKS>>().unwrap();
+    match validate_token(credentials.token(), jwks) {
+        Ok(claims) => {
+            log::debug!("Validated token with claims {:?}", claims);
+            req.extensions_mut().insert(claims);
+            Ok(req)
+        }
+        Err(e) => {
+            log::error!("Failed to validate token: {}", e);
+            Err((AuthenticationError::from(config).into(), req))
+        },
+    }
+}
+
+fn validate_token(token: &str, jwks: &JWKS) -> Result<Claims, anyhow::Error> {
+    let validations = vec![
+        Validation::Issuer("https://dex.prod.k8s.xatellite.space".into()),
+        Validation::Audience("example-app".into()),
+        Validation::NotExpired,
+        Validation::SubjectPresent,
+    ];
+    let kid = token_kid(&token)?.ok_or(anyhow!("KID is empty"))?;
+    let jwk = jwks.find(&kid).ok_or(anyhow!("KID not found"))?;
+    let decoded_token = validate(token, jwk, validations)?;
+    Ok(serde_json::from_value(decoded_token.claims)?)
+}

openlineplanner-backend/src/middleware/auth.rs

@@ -0,0 +1 @@
+pub mod auth;