src/oauth/endpoints/token/introspect.rs at 6f959c6c1b6e9ee99e7f6e49c3fc78a4affe0491 · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / src / oauth / endpoints / token / introspect.rs
at 6f959c6c1b6e9ee99e7f6e49c3fc78a4affe0491 4.3 kB view raw
  1use axum::{Form, Json};
  2use axum::extract::State;
  3use axum::http::{HeaderMap, StatusCode};
  4use chrono::Utc;
  5use serde::{Deserialize, Serialize};
  6use crate::state::{AppState, RateLimitKind};
  7use crate::oauth::{OAuthError, db};
  8use super::helpers::extract_token_claims;
  9#[derive(Debug, Deserialize)]
 10pub struct RevokeRequest {
 11    pub token: Option<String>,
 12    #[serde(default)]
 13    pub token_type_hint: Option<String>,
 14}
 15pub async fn revoke_token(
 16    State(state): State<AppState>,
 17    headers: HeaderMap,
 18    Form(request): Form<RevokeRequest>,
 19) -> Result<StatusCode, OAuthError> {
 20    let client_ip = crate::rate_limit::extract_client_ip(&headers, None);
 21    if !state.check_rate_limit(RateLimitKind::OAuthIntrospect, &client_ip).await {
 22        tracing::warn!(ip = %client_ip, "OAuth revoke rate limit exceeded");
 23        return Err(OAuthError::RateLimited);
 24    }
 25    if let Some(token) = &request.token {
 26        if let Some((db_id, _)) = db::get_token_by_refresh_token(&state.db, token).await? {
 27            db::delete_token_family(&state.db, db_id).await?;
 28        } else {
 29            db::delete_token(&state.db, token).await?;
 30        }
 31    }
 32    Ok(StatusCode::OK)
 33}
 34#[derive(Debug, Deserialize)]
 35pub struct IntrospectRequest {
 36    pub token: String,
 37    #[serde(default)]
 38    pub token_type_hint: Option<String>,
 39}
 40#[derive(Debug, Serialize)]
 41pub struct IntrospectResponse {
 42    pub active: bool,
 43    #[serde(skip_serializing_if = "Option::is_none")]
 44    pub scope: Option<String>,
 45    #[serde(skip_serializing_if = "Option::is_none")]
 46    pub client_id: Option<String>,
 47    #[serde(skip_serializing_if = "Option::is_none")]
 48    pub username: Option<String>,
 49    #[serde(skip_serializing_if = "Option::is_none")]
 50    pub token_type: Option<String>,
 51    #[serde(skip_serializing_if = "Option::is_none")]
 52    pub exp: Option<i64>,
 53    #[serde(skip_serializing_if = "Option::is_none")]
 54    pub iat: Option<i64>,
 55    #[serde(skip_serializing_if = "Option::is_none")]
 56    pub nbf: Option<i64>,
 57    #[serde(skip_serializing_if = "Option::is_none")]
 58    pub sub: Option<String>,
 59    #[serde(skip_serializing_if = "Option::is_none")]
 60    pub aud: Option<String>,
 61    #[serde(skip_serializing_if = "Option::is_none")]
 62    pub iss: Option<String>,
 63    #[serde(skip_serializing_if = "Option::is_none")]
 64    pub jti: Option<String>,
 65}
 66pub async fn introspect_token(
 67    State(state): State<AppState>,
 68    headers: HeaderMap,
 69    Form(request): Form<IntrospectRequest>,
 70) -> Result<Json<IntrospectResponse>, OAuthError> {
 71    let client_ip = crate::rate_limit::extract_client_ip(&headers, None);
 72    if !state.check_rate_limit(RateLimitKind::OAuthIntrospect, &client_ip).await {
 73        tracing::warn!(ip = %client_ip, "OAuth introspect rate limit exceeded");
 74        return Err(OAuthError::RateLimited);
 75    }
 76    let inactive_response = IntrospectResponse {
 77        active: false,
 78        scope: None,
 79        client_id: None,
 80        username: None,
 81        token_type: None,
 82        exp: None,
 83        iat: None,
 84        nbf: None,
 85        sub: None,
 86        aud: None,
 87        iss: None,
 88        jti: None,
 89    };
 90    let token_info = match extract_token_claims(&request.token) {
 91        Ok(info) => info,
 92        Err(_) => return Ok(Json(inactive_response)),
 93    };
 94    let token_data = match db::get_token_by_id(&state.db, &token_info.jti).await {
 95        Ok(Some(data)) => data,
 96        _ => return Ok(Json(inactive_response)),
 97    };
 98    if token_data.expires_at < Utc::now() {
 99        return Ok(Json(inactive_response));
100    }
101    let pds_hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string());
102    let issuer = format!("https://{}", pds_hostname);
103    Ok(Json(IntrospectResponse {
104        active: true,
105        scope: token_data.scope,
106        client_id: Some(token_data.client_id),
107        username: None,
108        token_type: if token_data.parameters.dpop_jkt.is_some() {
109            Some("DPoP".to_string())
110        } else {
111            Some("Bearer".to_string())
112        },
113        exp: Some(token_info.exp),
114        iat: Some(token_info.iat),
115        nbf: Some(token_info.iat),
116        sub: Some(token_data.did),
117        aud: Some(issuer.clone()),
118        iss: Some(issuer),
119        jti: Some(token_info.jti),
120    }))
121}