+2 -3

Cargo.toml

··· 19 19 hex = "0.4" 20 20 jwt-compact = { version = "0.8.0", features = ["es256k"] } 21 21 scrypt = "0.11" 22 22 - #lettre = { version = "0.11.18", default-features = false, features = ["pool", "tokio1-rustls", "smtp-transport", "hostname", "builder"] } 23 23 - #lettre = { version = "0.11", default-features = false, features = ["builder", "webpki-roots", "rustls", "aws-lc-rs", "smtp-transport", "tokio1", "tokio1-rustls"] } 22 22 + #Leaveing these two cause I think it is needed by the 24 23 aws-lc-rs = "1.13.0" 25 25 - lettre = { version = "0.11", default-features = false, features = ["builder", "webpki-roots", "rustls", "aws-lc-rs", "smtp-transport", "tokio1", "tokio1-rustls"] } 26 24 rustls = { version = "0.23", default-features = false, features = ["tls12", "std", "logging", "aws_lc_rs"] } 25 25 + lettre = { version = "0.11", default-features = false, features = ["builder", "webpki-roots", "rustls", "aws-lc-rs", "smtp-transport", "tokio1", "tokio1-rustls"] } 27 26 handlebars = { version = "6.3.2", features = ["rust-embed"] } 28 27 rust-embed = "8.7.2" 29 28 axum-template = { version = "3.0.0", features = ["handlebars"] }

+3

src/main.rs

··· 175 175 .finish() 176 176 .expect("failed to create governor config. this should not happen and is a bug"); 177 177 178 178 + // let create_account_limiter_time: Option<String> = 179 179 + // env::var("GATEKEEPER_CREATE_ACCOUNT_LIMITER_WINDOW").unwrap_or_else(|_| None); 180 180 + 178 181 let create_session_governor_limiter = create_session_governor_conf.limiter().clone(); 179 182 let sign_in_governor_limiter = sign_in_governor_conf.limiter().clone(); 180 183 let interval = Duration::from_secs(60);

+40 -17

src/middleware.rs

··· 1 1 use crate::helpers::json_error_response; 2 2 use axum::extract::Request; 3 3 + use axum::http::header::AUTHORIZATION; 3 4 use axum::http::{HeaderMap, StatusCode}; 4 5 use axum::middleware::Next; 5 6 use axum::response::IntoResponse; ··· 12 13 #[derive(Clone, Debug)] 13 14 pub struct Did(pub Option<String>); 14 15 16 16 + #[derive(Clone, Copy, Debug, PartialEq, Eq)] 17 17 + pub enum AuthScheme { 18 18 + Bearer, 19 19 + DPoP, 20 20 + } 21 21 + 15 22 #[derive(Serialize, Deserialize)] 16 23 pub struct TokenClaims { 17 24 pub sub: String, 18 25 } 19 26 20 27 pub async fn extract_did(mut req: Request, next: Next) -> impl IntoResponse { 21 21 - let token = extract_bearer(req.headers()); 28 28 + let auth = extract_auth(req.headers()); 22 29 23 23 - match token { 24 24 - Ok(token) => { 25 25 - match token { 30 30 + match auth { 31 31 + Ok(auth_opt) => { 32 32 + match auth_opt { 26 33 None => json_error_response(StatusCode::BAD_REQUEST, "TokenRequired", "") 27 34 .expect("Error creating an error response"), 28 28 - Some(token) => { 29 29 - let token = UntrustedToken::new(&token); 35 35 + Some((scheme, token_str)) => { 36 36 + // For Bearer, validate JWT and extract DID from `sub`. 37 37 + // For DPoP, we currently only pass through and do not validate here; insert None DID. 38 38 + // match scheme { 39 39 + // AuthScheme::Bearer => { 40 40 + let token = UntrustedToken::new(&token_str); 30 41 if token.is_err() { 31 42 return json_error_response(StatusCode::BAD_REQUEST, "TokenRequired", "") 32 43 .expect("Error creating an error response"); ··· 49 60 .expect("Error creating an error response"); 50 61 } 51 62 let token = token.expect("Already checked for error,"); 52 52 - //Not going to worry about expiration since it still goes to the PDS 63 63 + // Not going to worry about expiration since it still goes to the PDS 53 64 req.extensions_mut() 54 65 .insert(Did(Some(token.claims().custom.sub.clone()))); 66 66 + // } 67 67 + // AuthScheme::DPoP => { 68 68 + // // No DID extraction from DPoP here; leave None 69 69 + // req.extensions_mut().insert(Did(None)); 70 70 + // } 71 71 + // } 72 72 + 55 73 next.run(req).await 56 74 } 57 75 } ··· 64 82 } 65 83 } 66 84 67 67 - fn extract_bearer(headers: &HeaderMap) -> Result<Option<String>, String> { 85 85 + fn extract_auth(headers: &HeaderMap) -> Result<Option<(AuthScheme, String)>, String> { 68 86 match headers.get(axum::http::header::AUTHORIZATION) { 69 87 None => Ok(None), 70 70 - Some(hv) => match hv.to_str() { 71 71 - Err(_) => Err("Authorization header is not valid".into()), 72 72 - Ok(s) => { 73 73 - // Accept forms like: "Bearer <token>" (case-sensitive for the scheme here) 74 74 - let mut parts = s.splitn(2, ' '); 75 75 - match (parts.next(), parts.next()) { 76 76 - (Some("Bearer"), Some(tok)) if !tok.is_empty() => Ok(Some(tok.to_string())), 77 77 - _ => Err("Authorization header must be in format 'Bearer <token>'".into()), 88 88 + Some(hv) => { 89 89 + match hv.to_str() { 90 90 + Err(_) => Err("Authorization header is not valid".into()), 91 91 + Ok(s) => { 92 92 + // Accept forms like: "Bearer <token>" or "DPoP <token>" (case-sensitive for the scheme here) 93 93 + let mut parts = s.splitn(2, ' '); 94 94 + match (parts.next(), parts.next()) { 95 95 + (Some("Bearer"), Some(tok)) if !tok.is_empty() => 96 96 + Ok(Some((AuthScheme::Bearer, tok.to_string()))), 97 97 + (Some("DPoP"), Some(tok)) if !tok.is_empty() => 98 98 + Ok(Some((AuthScheme::DPoP, tok.to_string()))), 99 99 + _ => Err("Authorization header must be in format 'Bearer <token>' or 'DPoP <token>'".into()), 100 100 + } 78 101 } 79 102 } 80 80 - }, 103 103 + } 81 104 } 82 105 }