jwt: replaced jwt, hmac, sha2 with jsonwebtoken

jwt seems abandoned 5 years ago

Signed-off-by: Denys Fedoryshchenko <denys.f@collabora.com>

Author: nuclearcat

Cargo.toml

@@ -6,7 +6,7 @@ edition = "2021"
 [dependencies]
 async-trait = "0.1"
 axum = { version = "0.7.9", features = ["tracing", "multipart", "macros"] }
-axum-server = { version = "0.8.0", features = ["rustls", "rustls-pemfile", "tls-rustls"] }
+axum-server = { version = "0.8.0", features = ["rustls", "tls-rustls"] }
 azure_blob_uploader = "0.1.4"
 azure_storage = "0.21.0"
 azure_storage_blobs = "0.21.0"
@@ -19,14 +19,12 @@ futures = "0.3.31"
 futures-util = "0.3.31"
 headers = "0.4.0"
 hex = "0.4.3"
-hmac = "0.13.0"
 http-body-util = "0.1.2"
-jwt = "0.16.0"
+jsonwebtoken = "10"
 rand = "0.8.5"
 reqwest = { version = "0.12.9", features = ["blocking"] }
 rustls = "0.23.20"
 serde = { version = "1.0.216", features = ["derive"] }
-sha2 = "0.11.0"
 sysinfo = { version = "0.35.2", features = ["serde"] }
 tempfile = "3.14.0"
 tokio = { version = "1.42.0", features = ["rt", "rt-multi-thread", "macros"] }
@@ -39,8 +37,6 @@ tracing-subscriber = "0.3.19"
 
 [dev-dependencies]
 reqwest = { version = "0.12.9", features = ["blocking", "multipart"] }
-hmac = "0.13.0"
-jwt = "0.16.0"
-sha2 = "0.11.0"
+jsonwebtoken = "10"
 tokio = { version = "1.42.0", features = ["rt", "rt-multi-thread", "macros", "time", "process"] }
 tempfile = "3.14.0"

src/storjwt.rs

@@ -1,24 +1,31 @@
 use crate::{debug_log, get_config_content};
-use hmac::{Hmac, Mac};
-use jwt::{Header, SignWithKey, Token, VerifyWithKey};
-use sha2::Sha256;
+use jsonwebtoken::{decode, encode, DecodingKey, EncodingKey, Header, Validation};
+use serde::{Deserialize, Serialize};
 use std::collections::BTreeMap;
 use toml::value::Table;
+
+#[derive(Debug, Serialize, Deserialize)]
+struct Claims {
+    email: String,
+}
+
 fn verify_with_key_str(
     token_str: &str,
     key_str: &str,
-) -> Result<BTreeMap<String, String>, jwt::Error> {
-    let key: Hmac<Sha256> = Hmac::new_from_slice(key_str.as_bytes())?;
-    let token: Token<Header, BTreeMap<String, String>, _> = token_str.verify_with_key(&key)?;
-    let claims = token.claims();
-    if claims.get("email").is_none() {
-        debug_log!("email not found");
-        return Err(jwt::Error::InvalidSignature);
-    }
-    Ok(claims.clone())
+) -> Result<BTreeMap<String, String>, jsonwebtoken::errors::Error> {
+    let key = DecodingKey::from_secret(key_str.as_bytes());
+    let mut validation = Validation::default();
+    validation.required_spec_claims.clear();
+    validation.validate_exp = false;
+    let token_data = decode::<Claims>(token_str, &key, &validation)?;
+    let mut claims = BTreeMap::new();
+    claims.insert("email".to_string(), token_data.claims.email);
+    Ok(claims)
 }
 
-pub fn verify_jwt_token(token_str: &str) -> Result<BTreeMap<String, String>, jwt::Error> {
+pub fn verify_jwt_token(
+    token_str: &str,
+) -> Result<BTreeMap<String, String>, jsonwebtoken::errors::Error> {
     let toml_cfg = get_config_content();
     let parsed_toml = toml_cfg.parse::<Table>().unwrap();
 
@@ -49,7 +56,7 @@ pub fn verify_jwt_token(token_str: &str) -> Result<BTreeMap<String, String>, jwt
         }
     }
 
-    Err(jwt::Error::InvalidSignature)
+    Err(jsonwebtoken::errors::ErrorKind::InvalidSignature.into())
 }
 
 pub fn generate_jwt_secret() {
@@ -64,7 +71,7 @@ pub fn generate_jwt_secret() {
     debug_log!("jwt_secret=\"{}\"", secret);
 }
 
-pub fn generate_jwt_token(email: &str) -> Result<String, jwt::Error> {
+pub fn generate_jwt_token(email: &str) -> Result<String, jsonwebtoken::errors::Error> {
     let toml_cfg = get_config_content();
     let parsed_toml = toml_cfg.parse::<Table>().unwrap();
     // For token generation, prefer jwt_secret, fall back to unified_secret
@@ -73,9 +80,9 @@ pub fn generate_jwt_token(email: &str) -> Result<String, jwt::Error> {
         .or_else(|| parsed_toml.get("unified_secret"))
         .and_then(|v| v.as_str())
         .expect("config must define jwt_secret or unified_secret");
-    let key: Hmac<Sha256> = Hmac::new_from_slice(key_str.as_bytes())?;
-    let mut claims = BTreeMap::new();
-    claims.insert("email".to_string(), email.to_string());
-    let token_str = claims.sign_with_key(&key)?;
-    Ok(token_str)
+    let key = EncodingKey::from_secret(key_str.as_bytes());
+    let claims = Claims {
+        email: email.to_string(),
+    };
+    encode(&Header::default(), &claims, &key)
 }

tests/e2e.rs

@@ -4,11 +4,9 @@
 // End-to-end tests for kernelci-storage using the local storage driver.
 // These tests start the actual server binary and exercise the HTTP API.
 
-use hmac::{Hmac, Mac};
-use jwt::SignWithKey;
+use jsonwebtoken::{encode, EncodingKey, Header};
 use reqwest::blocking::multipart;
-use sha2::Sha256;
-use std::collections::BTreeMap;
+use serde::Serialize;
 use std::net::TcpListener;
 use std::path::PathBuf;
 use std::process::{Child, Command};
@@ -18,6 +16,11 @@ const JWT_SECRET: &str = "test-secret-for-e2e-testing";
 const TEST_EMAIL: &str = "test@kernelci.org";
 const RESTRICTED_EMAIL: &str = "restricted@kernelci.org";
 
+#[derive(Serialize)]
+struct Claims {
+    email: String,
+}
+
 /// Find an available TCP port
 fn get_free_port() -> u16 {
     let listener = TcpListener::bind("127.0.0.1:0").expect("Failed to bind to ephemeral port");
@@ -26,10 +29,11 @@ fn get_free_port() -> u16 {
 
 /// Generate a JWT token for the given email using the test secret
 fn generate_token(email: &str) -> String {
-    let key: Hmac<Sha256> = Hmac::new_from_slice(JWT_SECRET.as_bytes()).unwrap();
-    let mut claims = BTreeMap::new();
-    claims.insert("email".to_string(), email.to_string());
-    claims.sign_with_key(&key).unwrap()
+    let key = EncodingKey::from_secret(JWT_SECRET.as_bytes());
+    let claims = Claims {
+        email: email.to_string(),
+    };
+    encode(&Header::default(), &claims, &key).unwrap()
 }
 
 /// Test server handle - kills the server process on drop