this repo has no description
lewis.moe
1use super::helpers::{create_access_token, verify_pkce};
2use super::types::{TokenRequest, TokenResponse};
3use crate::config::AuthConfig;
4use crate::oauth::{
5 ClientAuth, OAuthError, RefreshToken, TokenData, TokenId,
6 client::{ClientMetadataCache, verify_client_auth},
7 db,
8 dpop::DPoPVerifier,
9};
10use crate::state::AppState;
11use axum::Json;
12use axum::http::HeaderMap;
13use chrono::{Duration, Utc};
14
15const ACCESS_TOKEN_EXPIRY_SECONDS: i64 = 300;
16const REFRESH_TOKEN_EXPIRY_DAYS_CONFIDENTIAL: i64 = 60;
17const REFRESH_TOKEN_EXPIRY_DAYS_PUBLIC: i64 = 14;
18
19pub async fn handle_authorization_code_grant(
20 state: AppState,
21 _headers: HeaderMap,
22 request: TokenRequest,
23 dpop_proof: Option<String>,
24) -> Result<(HeaderMap, Json<TokenResponse>), OAuthError> {
25 let code = request
26 .code
27 .ok_or_else(|| OAuthError::InvalidRequest("code is required".to_string()))?;
28 let code_verifier = request
29 .code_verifier
30 .ok_or_else(|| OAuthError::InvalidRequest("code_verifier is required".to_string()))?;
31 let auth_request = db::consume_authorization_request_by_code(&state.db, &code)
32 .await?
33 .ok_or_else(|| OAuthError::InvalidGrant("Invalid or expired code".to_string()))?;
34 if auth_request.expires_at < Utc::now() {
35 return Err(OAuthError::InvalidGrant(
36 "Authorization code has expired".to_string(),
37 ));
38 }
39 if let Some(request_client_id) = &request.client_id
40 && request_client_id != &auth_request.client_id
41 {
42 return Err(OAuthError::InvalidGrant("client_id mismatch".to_string()));
43 }
44 let did = auth_request
45 .did
46 .ok_or_else(|| OAuthError::InvalidGrant("Authorization not completed".to_string()))?;
47 let client_metadata_cache = ClientMetadataCache::new(3600);
48 let client_metadata = client_metadata_cache.get(&auth_request.client_id).await?;
49 let client_auth = if let (Some(assertion), Some(assertion_type)) =
50 (&request.client_assertion, &request.client_assertion_type)
51 {
52 if assertion_type != "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" {
53 return Err(OAuthError::InvalidClient(
54 "Unsupported client_assertion_type".to_string(),
55 ));
56 }
57 ClientAuth::PrivateKeyJwt {
58 client_assertion: assertion.clone(),
59 }
60 } else if let Some(secret) = &request.client_secret {
61 ClientAuth::SecretPost {
62 client_secret: secret.clone(),
63 }
64 } else {
65 ClientAuth::None
66 };
67 verify_client_auth(&client_metadata_cache, &client_metadata, &client_auth).await?;
68 verify_pkce(&auth_request.parameters.code_challenge, &code_verifier)?;
69 if let Some(redirect_uri) = &request.redirect_uri
70 && redirect_uri != &auth_request.parameters.redirect_uri
71 {
72 return Err(OAuthError::InvalidGrant(
73 "redirect_uri mismatch".to_string(),
74 ));
75 }
76 let dpop_jkt = if let Some(proof) = &dpop_proof {
77 let config = AuthConfig::get();
78 let verifier = DPoPVerifier::new(config.dpop_secret().as_bytes());
79 let pds_hostname =
80 std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
81 let token_endpoint = format!("https://{}/oauth/token", pds_hostname);
82 let result = verifier.verify_proof(proof, "POST", &token_endpoint, None)?;
83 if !db::check_and_record_dpop_jti(&state.db, &result.jti).await? {
84 return Err(OAuthError::InvalidDpopProof(
85 "DPoP proof has already been used".to_string(),
86 ));
87 }
88 if let Some(expected_jkt) = &auth_request.parameters.dpop_jkt
89 && &result.jkt != expected_jkt
90 {
91 return Err(OAuthError::InvalidDpopProof(
92 "DPoP key binding mismatch".to_string(),
93 ));
94 }
95 Some(result.jkt)
96 } else if auth_request.parameters.dpop_jkt.is_some() {
97 return Err(OAuthError::InvalidRequest(
98 "DPoP proof required for this authorization".to_string(),
99 ));
100 } else {
101 None
102 };
103 if let Err(e) = db::revoke_tokens_for_client(&state.db, &did, &auth_request.client_id).await {
104 tracing::warn!("Failed to revoke previous tokens for client: {:?}", e);
105 }
106 let token_id = TokenId::generate();
107 let refresh_token = RefreshToken::generate();
108 let now = Utc::now();
109 let access_token = create_access_token(
110 &token_id.0,
111 &did,
112 dpop_jkt.as_deref(),
113 auth_request.parameters.scope.as_deref(),
114 )?;
115 let stored_client_auth = auth_request.client_auth.unwrap_or(ClientAuth::None);
116 let refresh_expiry_days = if matches!(stored_client_auth, ClientAuth::None) {
117 REFRESH_TOKEN_EXPIRY_DAYS_PUBLIC
118 } else {
119 REFRESH_TOKEN_EXPIRY_DAYS_CONFIDENTIAL
120 };
121 let token_data = TokenData {
122 did: did.clone(),
123 token_id: token_id.0.clone(),
124 created_at: now,
125 updated_at: now,
126 expires_at: now + Duration::days(refresh_expiry_days),
127 client_id: auth_request.client_id.clone(),
128 client_auth: stored_client_auth,
129 device_id: auth_request.device_id,
130 parameters: auth_request.parameters.clone(),
131 details: None,
132 code: None,
133 current_refresh_token: Some(refresh_token.0.clone()),
134 scope: auth_request.parameters.scope.clone(),
135 };
136 db::create_token(&state.db, &token_data).await?;
137 tokio::spawn({
138 let pool = state.db.clone();
139 let did_clone = did.clone();
140 async move {
141 if let Err(e) = db::enforce_token_limit_for_user(&pool, &did_clone).await {
142 tracing::warn!("Failed to enforce token limit for user: {:?}", e);
143 }
144 }
145 });
146 let mut response_headers = HeaderMap::new();
147 let config = AuthConfig::get();
148 let verifier = DPoPVerifier::new(config.dpop_secret().as_bytes());
149 response_headers.insert("DPoP-Nonce", verifier.generate_nonce().parse().unwrap());
150 Ok((
151 response_headers,
152 Json(TokenResponse {
153 access_token,
154 token_type: if dpop_jkt.is_some() { "DPoP" } else { "Bearer" }.to_string(),
155 expires_in: ACCESS_TOKEN_EXPIRY_SECONDS as u64,
156 refresh_token: Some(refresh_token.0),
157 scope: auth_request.parameters.scope,
158 sub: Some(did),
159 }),
160 ))
161}
162
163pub async fn handle_refresh_token_grant(
164 state: AppState,
165 _headers: HeaderMap,
166 request: TokenRequest,
167 dpop_proof: Option<String>,
168) -> Result<(HeaderMap, Json<TokenResponse>), OAuthError> {
169 let refresh_token_str = request
170 .refresh_token
171 .ok_or_else(|| OAuthError::InvalidRequest("refresh_token is required".to_string()))?;
172 tracing::info!(
173 refresh_token_prefix = %&refresh_token_str[..std::cmp::min(16, refresh_token_str.len())],
174 has_dpop = dpop_proof.is_some(),
175 "Refresh token grant requested"
176 );
177 if let Some(token_id) = db::check_refresh_token_used(&state.db, &refresh_token_str).await? {
178 tracing::warn!(
179 refresh_token_prefix = %&refresh_token_str[..std::cmp::min(16, refresh_token_str.len())],
180 "Refresh token reuse detected, revoking token family"
181 );
182 db::delete_token_family(&state.db, token_id).await?;
183 return Err(OAuthError::InvalidGrant(
184 "Refresh token reuse detected, token family revoked".to_string(),
185 ));
186 }
187 let (db_id, token_data) = db::get_token_by_refresh_token(&state.db, &refresh_token_str)
188 .await?
189 .ok_or_else(|| {
190 tracing::warn!(
191 refresh_token_prefix = %&refresh_token_str[..std::cmp::min(16, refresh_token_str.len())],
192 "Refresh token not found in database"
193 );
194 OAuthError::InvalidGrant("Invalid refresh token".to_string())
195 })?;
196 if token_data.expires_at < Utc::now() {
197 tracing::warn!(
198 did = %token_data.did,
199 expired_at = %token_data.expires_at,
200 "Refresh token has expired"
201 );
202 db::delete_token_family(&state.db, db_id).await?;
203 return Err(OAuthError::InvalidGrant(
204 "Refresh token has expired".to_string(),
205 ));
206 }
207 let dpop_jkt = if let Some(proof) = &dpop_proof {
208 let config = AuthConfig::get();
209 let verifier = DPoPVerifier::new(config.dpop_secret().as_bytes());
210 let pds_hostname =
211 std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
212 let token_endpoint = format!("https://{}/oauth/token", pds_hostname);
213 let result = verifier.verify_proof(proof, "POST", &token_endpoint, None)?;
214 if !db::check_and_record_dpop_jti(&state.db, &result.jti).await? {
215 return Err(OAuthError::InvalidDpopProof(
216 "DPoP proof has already been used".to_string(),
217 ));
218 }
219 if let Some(expected_jkt) = &token_data.parameters.dpop_jkt
220 && &result.jkt != expected_jkt
221 {
222 return Err(OAuthError::InvalidDpopProof(
223 "DPoP key binding mismatch".to_string(),
224 ));
225 }
226 Some(result.jkt)
227 } else if token_data.parameters.dpop_jkt.is_some() {
228 return Err(OAuthError::InvalidRequest(
229 "DPoP proof required".to_string(),
230 ));
231 } else {
232 None
233 };
234 let new_token_id = TokenId::generate();
235 let new_refresh_token = RefreshToken::generate();
236 let refresh_expiry_days = if matches!(token_data.client_auth, ClientAuth::None) {
237 REFRESH_TOKEN_EXPIRY_DAYS_PUBLIC
238 } else {
239 REFRESH_TOKEN_EXPIRY_DAYS_CONFIDENTIAL
240 };
241 let new_expires_at = Utc::now() + Duration::days(refresh_expiry_days);
242 db::rotate_token(
243 &state.db,
244 db_id,
245 &new_token_id.0,
246 &new_refresh_token.0,
247 new_expires_at,
248 )
249 .await?;
250 tracing::info!(
251 did = %token_data.did,
252 new_expires_at = %new_expires_at,
253 "Refresh token rotated successfully"
254 );
255 let access_token = create_access_token(
256 &new_token_id.0,
257 &token_data.did,
258 dpop_jkt.as_deref(),
259 token_data.scope.as_deref(),
260 )?;
261 let mut response_headers = HeaderMap::new();
262 let config = AuthConfig::get();
263 let verifier = DPoPVerifier::new(config.dpop_secret().as_bytes());
264 response_headers.insert("DPoP-Nonce", verifier.generate_nonce().parse().unwrap());
265 Ok((
266 response_headers,
267 Json(TokenResponse {
268 access_token,
269 token_type: if dpop_jkt.is_some() { "DPoP" } else { "Bearer" }.to_string(),
270 expires_in: ACCESS_TOKEN_EXPIRY_SECONDS as u64,
271 refresh_token: Some(new_refresh_token.0),
272 scope: token_data.scope,
273 sub: Some(token_data.did),
274 }),
275 ))
276}