jwt: Add unified_secret handling

nuclearcat · nuclearcat · commit d25e45be5c08 · 2026-04-14T15:54:17.000+03:00
Signed-off-by: Denys Fedoryshchenko &lt;denys.f@collabora.com&gt;
diff --git a/src/storjwt.rs b/src/storjwt.rs
@@ -4,33 +4,49 @@ use jwt::{Header, SignWithKey, Token, VerifyWithKey};
 use sha2::Sha256;
 use std::collections::BTreeMap;
 use toml::value::Table;
+fn verify_with_key_str(
+    token_str: &str,
+    key_str: &str,
+) -> Result<BTreeMap<String, String>, jwt::Error> {
+    let key: Hmac<Sha256> = Hmac::new_from_slice(key_str.as_bytes())?;
+    let token: Token<Header, BTreeMap<String, String>, _> = token_str.verify_with_key(&key)?;
+    let claims = token.claims();
+    if claims.get("email").is_none() {
+        debug_log!("email not found");
+        return Err(jwt::Error::InvalidSignature);
+    }
+    Ok(claims.clone())
+}
+
 pub fn verify_jwt_token(token_str: &str) -> Result<BTreeMap<String, String>, jwt::Error> {
-    // config.toml, jwt_secret parameter
     let toml_cfg = get_config_content();
     let parsed_toml = toml_cfg.parse::<Table>().unwrap();
     let key_str = parsed_toml["jwt_secret"].as_str().unwrap();
-    let key: Hmac<Sha256> = Hmac::new_from_slice(key_str.as_bytes())?;
-    let verify_result = token_str.verify_with_key(&key);
-    let token: Token<Header, BTreeMap<String, String>, _> = match verify_result {
-        Ok(token) => token,
-        Err(e) => {
-            eprintln!("JWT verification error: {:?}", e);
-            return Err(e);
+
+    match verify_with_key_str(token_str, key_str) {
+        Ok(claims) => {
+            debug_log!("email: {}", claims["email"]);
+            return Ok(claims);
         }
-    };
-    //let header = token.header();
-    let claims = token.claims();
-    let email = claims.get("email");
-    match email {
-        Some(email) => {
-            debug_log!("email: {}", email);
+        Err(e) => {
+            debug_log!("JWT verification with jwt_secret failed: {:?}", e);
         }
-        None => {
-            debug_log!("email not found");
-            return Err(jwt::Error::InvalidSignature);
+    }
+
+    if let Some(unified) = parsed_toml.get("unified_secret").and_then(|v| v.as_str()) {
+        match verify_with_key_str(token_str, unified) {
+            Ok(claims) => {
+                debug_log!("email (unified_secret): {}", claims["email"]);
+                return Ok(claims);
+            }
+            Err(e) => {
+                eprintln!("JWT verification with unified_secret also failed: {:?}", e);
+                return Err(e);
+            }
         }
     }
-    Ok(claims.clone())
+
+    Err(jwt::Error::InvalidSignature)
 }
 
 pub fn generate_jwt_secret() {
