
actix-jwt-auth-middleware's People

Contributors

0xtaruhi avatar cjs77 avatar mathieunls avatar michaelvanstraten avatar


actix-jwt-auth-middleware's Issues

jwt_compact::traits::Algorithm is not implemented for Ed25519

I am currently receiving the error mentioned above when I try to compile code utilizing a TokenSigner; however, I did not receive any such error when using a CookieSigner. This only began after recently updating to version 0.3.0. My code is as follows:

let token_signer = TokenSigner::<UserJWT, _>::new()
    .signing_key(key_pair.sk.clone())
    .access_token_name("user_access_token")
    // Token's lifespan is 2 hours, then requires reauthentication
    .refresh_token_lifetime(chrono::Duration::minutes(120))
    .algorithm(Ed25519)
    .build()
    .unwrap();

The full error output is as follows (this output is also produced if I copy and paste the example code on docs.rs for a TokenSigner):

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:157:24
    |
157 |     let token_signer = TokenSigner::<UserJWT, _>::new()
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSigner::<Claims, Algorithm>::new`
   --> /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:129:16
    |
129 |     Algorithm: jwt_compact::Algorithm + Clone,
    |                ^^^^^^^^^^^^^^^^^^^^^^ required by this bound in `TokenSigner::<Claims, Algorithm>::new`

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:157:24
    |
157 |     let token_signer = TokenSigner::<UserJWT, _>::new()
    |                        ^^^^^^^^^^^^^^^^^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSigner`
   --> /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:57:11
    |
57  |     Algo: Algorithm,
    |           ^^^^^^^^^ required by this bound in `TokenSigner`

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:158:10
    |
158 |         .signing_key(key_pair.sk.clone())
    |          ^^^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSignerBuilder::<Claims, Algo>::signing_key`
   --> /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:57:11
    |
57  |     Algo: Algorithm,
    |           ^^^^^^^^^ required by this bound in `TokenSignerBuilder::<Claims, Algo>::signing_key`

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:159:10
    |
159 |         .access_token_name("user_access_token")
    |          ^^^^^^^^^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSignerBuilder::<Claims, Algo>::access_token_name`
   --> /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:57:11
    |
57  |     Algo: Algorithm,
    |           ^^^^^^^^^ required by this bound in `TokenSignerBuilder::<Claims, Algo>::access_token_name`

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:161:10
    |
161 |         .refresh_token_lifetime(chrono::Duration::minutes(120))
    |          ^^^^^^^^^^^^^^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSignerBuilder::<Claims, Algo>::refresh_token_lifetime`
   --> /home//.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:57:11
    |
57  |     Algo: Algorithm,
    |           ^^^^^^^^^ required by this bound in `TokenSignerBuilder::<Claims, Algo>::refresh_token_lifetime`

error[E0277]: the trait bound `Ed25519: jwt_compact::traits::Algorithm` is not satisfied
   --> src/main.rs:162:10
    |
162 |         .algorithm(Ed25519)
    |          ^^^^^^^^^ the trait `jwt_compact::traits::Algorithm` is not implemented for `Ed25519`
    |
    = help: the following other types implement trait `jwt_compact::traits::Algorithm`:
              jwt_compact::alg::StrongAlg<T>
              jwt_compact::alg::hmacs::Hs256
              jwt_compact::alg::hmacs::Hs384
              jwt_compact::alg::hmacs::Hs512
              jwt_compact::traits::Renamed<A>
note: required by a bound in `TokenSignerBuilder::<Claims, Algo>::algorithm`
   --> /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/actix-jwt-auth-middleware-0.3.0/src/token_signer.rs:57:11
    |
57  |     Algo: Algorithm,
    |           ^^^^^^^^^ required by this bound in `TokenSignerBuilder::<Claims, Algo>::algorithm`

error[E0599]: the method `build` exists for struct `TokenSignerBuilder<UserJWT, Ed25519>`, but its trait bounds were not satisfied
   --> src/main.rs:163:10
    |
157 |       let token_signer = TokenSigner::<UserJWT, _>::new()
    |  ________________________-
158 | |         .signing_key(key_pair.sk.clone())
159 | |         .access_token_name("user_access_token")
160 | |         //Token's lifespan is 2 hours, then requires reauthentication
161 | |         .refresh_token_lifetime(chrono::Duration::minutes(120))
162 | |         .algorithm(Ed25519)
163 | |         .build()
    | |         -^^^^^ method cannot be called on `TokenSignerBuilder<UserJWT, Ed25519>` due to unsatisfied trait bounds
    | |_________|
    | 
    |
   ::: /home/me/.cargo/registry/src/index.crates.io-6f17d22bba15001f/jwt-compact-0.8.0-beta.1/src/alg/eddsa_compact.rs:36:1
    |
36  |   pub struct Ed25519;
    |   ------------------ doesn't satisfy `Ed25519: jwt_compact::traits::Algorithm`
    |
    = note: the following trait bounds were not satisfied:
            `Ed25519: jwt_compact::traits::Algorithm`

exonum-crypto is a forced feature on jwt-compact, against this crate's documentation

"exonum-crypto",

exonum-crypto is enabled as a feature on jwt-compact even though the documentation says to refer to that crate's list of supported algorithms:
Please refer to the [`Supported algorithms`](https://docs.rs/jwt-compact/latest/jwt_compact/#supported-algorithms) section of the `jwt-compact` crate

I'm somewhat new to Rust, so I don't know if there is a way around this on my part, but it seems like a mistake. I'm trying to use ed25519-dalek or ed25519-compact instead of exonum-crypto, as I want to use a pure-Rust crypto implementation.

Allow setting the path for the cookie signer.

Currently, there is no explicit way of setting the designated path for the returned cookie pair, which results in the cookie not being recognized by browsers.

Reproduction steps:

Have the following API layout, using the simple example:
/v1/auth/login
/v1/api/hello

Define the App with

App::new()
    .service(web::scope("/v1")
        .service(login)
        .use_jwt(authority.clone(), web::scope("").service(hello)))

Retrieve the login cookie from /auth/login
Try to access /v1/api/hello

As you can see, hello will report unauthorized, as the cookie path has been set to /v1/auth, which doesn't cover the api route.
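To make the cookie-scoping behaviour behind this report concrete, here is an added example (not code from the issue or from the actix-jwt-auth-middleware crate) that models, with the standard library only, how a browser assigns a path to a cookie and decides whether to attach it to a later request, following the default-path and path-match rules of RFC 6265 section 5.1.4. The route names `/v1/auth/login` and `/v1/api/hello` are taken from the issue; the scenario in `main` is constructed.

```rust
// Added example (not part of the issue or the actix-jwt-auth-middleware crate):
// a standard-library-only model of how a browser scopes a cookie by path,
// following RFC 6265 section 5.1.4. It reproduces why a cookie set by
// /v1/auth/login without an explicit Path attribute is not sent to /v1/api/hello.

/// Default-path algorithm (RFC 6265 5.1.4): the path a cookie gets when the
/// Set-Cookie header carries no Path attribute. `request_path` is the path
/// component of the request URI that produced the Set-Cookie response.
pub fn default_cookie_path(request_path: &str) -> String {
    // An empty path, or one not starting with "/", defaults to "/".
    if !request_path.starts_with('/') {
        return "/".to_string();
    }
    // A path with at most one "/" (e.g. "/login") also defaults to "/".
    if request_path.matches('/').count() <= 1 {
        return "/".to_string();
    }
    // Otherwise: everything up to, but not including, the right-most "/".
    let last_slash = request_path.rfind('/').expect("at least two slashes present");
    request_path[..last_slash].to_string()
}

/// Effective cookie path: an explicit Path attribute is honoured only if it
/// starts with "/"; otherwise the default-path rule applies.
pub fn effective_cookie_path(explicit_path: Option<&str>, set_cookie_request_path: &str) -> String {
    match explicit_path {
        Some(p) if p.starts_with('/') => p.to_string(),
        _ => default_cookie_path(set_cookie_request_path),
    }
}

/// Path-match (RFC 6265 5.1.4): is a cookie scoped to `cookie_path` attached
/// to a request for `request_path`?
pub fn path_matches(cookie_path: &str, request_path: &str) -> bool {
    if cookie_path == request_path {
        return true;
    }
    match request_path.strip_prefix(cookie_path) {
        // Prefix matches only count when the cookie path ends in "/" or the next
        // request-path character is "/": "/v1" covers "/v1/api" but not "/v10".
        Some(rest) => cookie_path.ends_with('/') || rest.starts_with('/'),
        None => false,
    }
}

/// Would the browser send a cookie that was set (with the given optional Path
/// attribute) by a response to `set_at` along with a request to `request_path`?
pub fn cookie_sent_to(explicit_path: Option<&str>, set_at: &str, request_path: &str) -> bool {
    path_matches(&effective_cookie_path(explicit_path, set_at), request_path)
}

fn main() {
    // Constructed scenario mirroring the issue: login at /v1/auth/login, API at /v1/api/hello.
    let login = "/v1/auth/login";
    let api = "/v1/api/hello";
    println!("default path for a cookie set by {}: {}", login, default_cookie_path(login));
    println!("no Path attribute -> sent to {}: {}", api, cookie_sent_to(None, login, api));
    println!("Path=/v1          -> sent to {}: {}", api, cookie_sent_to(Some("/v1"), login, api));
    println!("Path=/            -> sent to {}: {}", api, cookie_sent_to(Some("/"), login, api));
}
```

The default path derived from `/v1/auth/login` is `/v1/auth`, which is exactly why `/v1/api/hello` never sees the cookie. The fix is an explicit `Path` attribute that covers the protected routes, kept as narrow as those routes allow (`/v1` here rather than `/`), so the tokens are not sent to every path on the origin; note that `Path` limits where a browser sends the cookie but is not an isolation boundary against other pages on the same origin.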

enable_authorization_header not available in version 0.3.0 of published crate

It is not possible to allow extraction of the claims from the Authorization header using the `enable_authorization_header` function in version 0.3.0 of the crate (latest available atm).

Looking at the sources, seems that it disappeared:

authority.rs

    #[builder(setter(into))]
    pub(crate) refresh_token_name: String,
    /**
        If set to true, the client's refresh token will be refreshed automatically;
        this allows clients to basically stay authenticated for an infinite amount of time, so I don't recommend it.

        Defaults to `false`
    */
    #[builder(default = "false")]
    renew_refresh_token_automatically: bool,
    /**
       If set to true, the service will look for `access_token_name` and `refresh_token_name` in
       http headers.
    */
    #[builder(default = "false")]
    enable_header_tokens: bool,
    /**
       If set to true, the service will look for `access_token_name` and `refresh_token_name` in
       the query parameters.
    */
    #[builder(default = "false")]
    enable_query_tokens: bool,
    /**
       If set to true, the service will look for `access_token_name` and `refresh_token_name` in
       the cookies of the processed request.
    */
    #[builder(default = "true")]
    enable_cookie_tokens: bool,
    /**
        Key used to verify integrity of access and refresh token.
    */
    verifying_key: Algo::VerifyingKey,
    /**
        The Cryptographic signing algorithm used in the process of creation of access and refresh tokens.

        Please refer to the [`Supported algorithms`](https://docs.rs/jwt-compact/latest/jwt_compact/#supported-algorithms) section of the `jwt-compact` crate for a comprehensive list of the supported algorithms.

        Defaults to the value of the `algorithm` field set on the `token_signer`, if the `token_signer` is not set,
        this field needs to be set.
    */
    #[builder(default = "pull_from_token_signer!(self, algorithm)")]
    algorithm: Algo,
    /**
        Used in the creation of the `token`; the current timestamp is taken from this, but please refer to the struct's documentation.

        Defaults to the value of the `time_options` field set on the `token_signer`, if the `token_signer` is not set,
        this field needs to be set.
    */
    #[builder(default = "pull_from_token_signer!(self, time_options)")]
    time_options: TimeOptions,
    /**
       Not Passing a [`TokenSigner`] struct will make your middleware unable to refresh the access token automatically.

       You will have to provide an algorithm manually in this case because the Authority cannot pull it from the `token_signer` field.

       Please refer to the struct's own documentation for more details.
    */
    #[builder(default = "None")]
    token_signer: Option<TokenSigner<Claims, Algo>>,
    #[doc(hidden)]
    #[builder(setter(skip), default = "PhantomData")]
    claims_marker: PhantomData<Claims>,
    #[doc(hidden)]
    #[builder(setter(skip), default = "PhantomData")]
    args_marker: PhantomData<Args>,
}

I can see it in the current version published on GitHub, so I'm not sure what went wrong during the crate publication.

allowing specific endpoints to be authorized by JWT

Hi, Thank you for creating this Library.

I'm trying to achieve something like this:

App::new()
    .service(index)
    .service(web::scope("/api")
        .service(login)
        .service(hello))
    .use_jwt(authority,
             web::scope("/api")
                 .service(index)
                 .service(logout)
                 .service(hello2)
    )

I want /api/login to be public and the rest of the endpoints in that scope to be authorized by JWT, but this is not possible because the first "/api" scope will accept all of the requests containing "api" and will not go into the use_jwt branch, so you end up with:

/api/login 200
/api/hello 200

/api/logout 404

Right now you can just authorize the whole scope, which is kinda hard to work with.

I think use_jwt should NOT accept a scope; it's a middleware and it should act like one, so maybe something like this:

web::scope("/api")
    .service(hello1)
    .wrap(use_jwt(..))
    .service(hello2)

and it should allow /api/hello1 for everyone and only authorize /api/hello2 (or vice versa, it doesn't matter).

I mean, this is the design that most of the frameworks follow...

Example `use_jwt` clarification

Hello,

Thanks for the library! I am playing with it and I had to follow the "without use jwt" example and not the simple ones, as

.service(
    // we need this scope so we can exclude the login service
    // from being wrapped by the jwt middleware
    web::scope("").service(handlers::login::hello).use_jwt(authority.clone())
)

returns

error[E0599]: no method named `use_jwt` found for struct `actix_web::Scope` in the current scope
  --> src/main.rs:83:64
   |
83 |                 web::scope("").service(handlers::login::hello).use_jwt(authority.clone())
   |                                                                ^^^^^^^ method not found in `actix_web::Scope`

Similarly,

use actix_jwt_auth_middleware::{AuthResult, Authority, CookieSigner, FromRequest, UseJWTOnScope};

shows

error[E0432]: unresolved import `actix_jwt_auth_middleware::UseJWTOnScope`
  --> src/main.rs:11:83
   |
11 | use actix_jwt_auth_middleware::{AuthResult, Authority, CookieSigner, FromRequest, UseJWTOnScope};
   |                                                                                   ^^^^^^^^^^^^^ no `UseJWTOnScope` in the root

I guess this code isn't available in 0.0.2?

Implement clear and easy REST API functionality

The current implementation does not play that well when trying to implement a JWT-wrapped REST API.
This is partly due to the fact that the crate was never really intended to do this, but it will be in the future.

This issue tracks the completion and the related issues.

Use utoipa_swagger_ui

We would like to have a Swagger UI page to document the REST API of our server.
We stumbled upon the following problem: it seems that for Swagger it is not possible to use 2 tokens in cookies (access + refresh).
Do you have any workaround?
For instance, is it possible to use the middleware without the refresh token?

Time crate for token signer is not very up to date

Hello there!

I am receiving a version conflict error for the `time` crate when I use another crate (e.g. actix-web) that uses a later version of it (v0.2+). However, your crate still uses a version up to 0.1.45, whereas all newer versions (0.2+ through 0.3.33) have made the module time::duration::Duration private and use time::Duration directly. The reason I brought this up is that whenever I compile my project, the version used by the later crates conflicts with the one used by yours. It would be very helpful if you could kindly update the time crate dependency of your crate to version 2 or newer, or so I thought it should work.

Below I have attached an image of the conflict error. Please let me know if you need something else from me.

Screenshot_20230726_163929

Authorization Header "Error: invalid base64 decoding"

I think there's a bug when using the Authorization header, because I get Error: "invalid base64 decoding".

This error is caused because the word Bearer is checked but then not removed from token_value inside the method get_token_from_authorization_header:

let token_value = if header_value.strip_prefix("Bearer").is_some() { header_value.trim() }
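To show the effect of the logic quoted above and what a correct extraction looks like, here is an added example (not code from the issue or from the actix-jwt-auth-middleware crate). It reproduces the check-but-do-not-strip behaviour as `token_value_as_reported` (the `else` branch is assumed, since the issue shows only the `if`) and contrasts it with `bearer_token`, which follows the `Bearer` credentials grammar of RFC 6750 and returns only the token. The header value in `main` is constructed and is not a real JWT.

```rust
// Added example (not code from the issue or the actix-jwt-auth-middleware crate):
// extracting a bearer token from an Authorization header value, contrasted with
// the prefix-check-but-no-strip logic the issue describes.

/// The flawed logic quoted in the issue, reproduced here only to show its
/// output: the "Bearer" prefix is checked, but the whole header value is
/// returned, so the scheme name ends up in the value handed to the base64/JWT
/// decoder. (The `else` branch is assumed; the issue shows only the `if`.)
pub fn token_value_as_reported(header_value: &str) -> Option<&str> {
    if header_value.strip_prefix("Bearer").is_some() {
        Some(header_value.trim())
    } else {
        None
    }
}

/// b64token per RFC 6750 section 2.1: one or more of ALPHA / DIGIT / "-" / "." /
/// "_" / "~" / "+" / "/", optionally followed by "=" padding.
fn is_b64token(token: &str) -> bool {
    let body = token.trim_end_matches('=');
    !body.is_empty()
        && body
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || "-._~+/".contains(c))
}

/// Correct extraction: split the header into scheme and credentials, require
/// the Bearer scheme (auth-scheme comparison is case-insensitive, RFC 7235),
/// and return only the credentials, validated against the b64token grammar.
/// Returns None for any other scheme, a missing token, or junk characters, so
/// the caller can fail closed with a 401 instead of feeding garbage to the decoder.
pub fn bearer_token(header_value: &str) -> Option<&str> {
    let (scheme, credentials) = header_value.trim().split_once(char::is_whitespace)?;
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return None;
    }
    let token = credentials.trim();
    if is_b64token(token) {
        Some(token)
    } else {
        None
    }
}

fn main() {
    // Constructed header value; the token is a placeholder, not a real JWT.
    let header = "Bearer aGVhZGVy.cGF5bG9hZA.c2ln";
    println!("as reported : {:?}", token_value_as_reported(header));
    println!("bearer_token: {:?}", bearer_token(header));
    println!("wrong scheme: {:?}", bearer_token("Basic dXNlcjpwYXNz"));
}
```

The one-line fix to the quoted logic is to use the remainder that `strip_prefix` already returns instead of the original `header_value`; the example goes a step further by rejecting non-Bearer schemes and tokens outside the b64token alphabet before anything reaches the decoder, which turns the "invalid base64 decoding" error into a clean unauthorized response.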
