diff --git a/Cargo.lock b/Cargo.lock index e076cbe8..55f744d7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -153,9 +153,9 @@ dependencies = [ [[package]] name = "anstyle" -version = "1.0.11" +version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "862ed96ca487e809f1c8e5a8447f6ee2cf102f846893800b20cebdf541fc6bbd" +checksum = "5192cca8006f1fd4f7237516f40fa183bb07f8fbdfedaa0036de5ea9b0b45e78" [[package]] name = "anstyle-parse" @@ -587,11 +587,11 @@ dependencies = [ [[package]] name = "axum" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "98e529aee37b5c8206bb4bf4c44797127566d72f76952c970bd3d1e85de8f4e2" +checksum = "8a18ed336352031311f4e0b4dd2ff392d4fbb370777c9d18d7fc9d7359f73871" dependencies = [ - "axum-core 0.5.4", + "axum-core 0.5.5", "bytes", "form_urlencoded", "futures-util", @@ -641,9 +641,9 @@ dependencies = [ [[package]] name = "axum-core" -version = "0.5.4" +version = "0.5.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0ac7a6beb1182c7e30253ee75c3e918080bfb83f5a3023bcdf7209d85fd147e6" +checksum = "59446ce19cd142f8833f856eb31f3eb097812d1479ab224f54d72428ca21ea22" dependencies = [ "bytes", "futures-core", @@ -667,7 +667,7 @@ dependencies = [ "anyhow", "assert-json-diff", "auto-future", - "axum 0.8.5", + "axum 0.8.6", "bytes", "bytesize", "cookie", @@ -964,9 +964,9 @@ checksum = "f5c434ae3cf0089ca203e9019ebe529c47ff45cefe8af7c85ecb734ef541822f" [[package]] name = "camino" -version = "1.2.0" +version = "1.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e1de8bc0aa9e9385ceb3bf0c152e3a9b9544f6c4a912c8ae504e80c1f0368603" +checksum = "276a59bf2b2c967788139340c9f0c5b12d7fd6630315c15c217e559de85d2609" dependencies = [ "serde_core", ] @@ -1734,7 +1734,7 @@ dependencies = [ name = "custom-binary" version = "0.1.0" dependencies = [ - "axum 0.8.5", + "axum 0.8.6", "env_logger", "tokio", "trailbase", 
@@ -3925,10 +3925,31 @@ checksum = "5a87cc7a48537badeae96744432de36f4be2b4a34a05a5ef32e9dd8a1c169dde" dependencies = [ "base64", "js-sys", - "pem", "ring", "serde", "serde_json", +] + +[[package]] +name = "jsonwebtoken" +version = "10.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f1417155a38e99d7704ddb3ea7445fe57fdbd5d756d727740a9ed8b9ebaed6e1" +dependencies = [ + "base64", + "ed25519-dalek", + "getrandom 0.2.16", + "hmac", + "js-sys", + "p256", + "p384", + "pem", + "rand 0.8.5", + "rsa", + "serde", + "serde_json", + "sha2", + "signature", "simple_asn1", ] @@ -7686,7 +7707,7 @@ version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "151b5a3e3c45df17466454bb74e9ecedecc955269bdedbf4d150dfa393b55a36" dependencies = [ - "axum-core 0.5.4", + "axum-core 0.5.5", "cookie", "futures-util", "http", @@ -7803,7 +7824,7 @@ dependencies = [ "askama", "async-channel 2.5.0", "async-trait", - "axum 0.8.5", + "axum 0.8.6", "axum-test", "base64", "bytes", @@ -7823,7 +7844,7 @@ dependencies = [ "indoc", "itertools 0.14.0", "jsonschema", - "jsonwebtoken", + "jsonwebtoken 10.0.0", "kanal", "lazy_static", "lettre", @@ -7884,7 +7905,7 @@ name = "trailbase-assets" version = "0.2.0" dependencies = [ "askama", - "axum 0.8.5", + "axum 0.8.6", "itertools 0.14.0", "log", "rust-embed", @@ -7907,7 +7928,7 @@ dependencies = [ name = "trailbase-cli" version = "0.2.0" dependencies = [ - "axum 0.8.5", + "axum 0.8.6", "chrono", "clap", "env_logger", @@ -7935,7 +7956,7 @@ dependencies = [ "base64", "eventsource-stream", "futures-lite", - "jsonwebtoken", + "jsonwebtoken 9.3.1", "parking_lot", "reqwest", "serde", @@ -8437,7 +8458,7 @@ version = "9.0.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d047458f1b5b65237c2f6dc6db136945667f40a7668627b3490b9513a3d43a55" dependencies = [ - "axum 0.8.5", + "axum 0.8.6", "base64", "mime_guess", "regex", 
@@ -9823,9 +9844,9 @@ dependencies = [
 
 [[package]]
 name = "zeroize"
-version = "1.8.1"
+version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
+checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
 dependencies = [
 "zeroize_derive",
 ]
diff --git a/crates/client/Cargo.toml b/crates/client/Cargo.toml
index 42e1fcab..87f581ec 100644
--- a/crates/client/Cargo.toml
+++ b/crates/client/Cargo.toml
@@ -14,7 +14,7 @@ exclude = [
 [dependencies]
 eventsource-stream = { version = "0.2.3", features = [] }
 futures-lite = "2.6.1"
-jsonwebtoken = { version = "9.3.0", default-features = false }
+jsonwebtoken = { version = "9.3.1", default-features = false }
 parking_lot = { workspace = true }
 reqwest = { version = "0.12.8", features = ["stream"] }
 serde = { version = "1.0.217", features = ["derive"] }
diff --git a/crates/client/src/lib.rs b/crates/client/src/lib.rs
index 8c52fd8a..78c4d486 100644
--- a/crates/client/src/lib.rs
+++ b/crates/client/src/lib.rs
@@ -231,8 +231,8 @@ struct JwtTokenClaims {
 csrf_token: String,
 }
 
-fn decode_auth_token(token: &str) -> Result {
- let decoding_key = jsonwebtoken::DecodingKey::from_secret(&[]);
+fn decode_auth_token(token: &str) -> Result {
+ let decoding_key = jsonwebtoken::DecodingKey::from_ed_der(&[]);
 // Don't validate the token, we don't have the secret key. Just deserialize the claims/contents.
 let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::EdDSA);
@@ -584,11 +584,13 @@ impl TokenState {
 let headers = build_headers(tokens);
 return TokenState {
 state: tokens.and_then(|tokens| {
- let Ok(jwt_token) = decode_auth_token::(&tokens.auth_token) else {
- error!("Failed to decode auth token.");
- return None;
+ return match decode_auth_token::(&tokens.auth_token) {
+ Ok(jwt_token) => Some((tokens.clone(), jwt_token)),
+ Err(err) => {
+ error!("Failed to decode auth token: {err}");
+ None
+ }
 };
- return Some((tokens.clone(), jwt_token));
 }),
 headers,
 };
diff --git a/crates/core/Cargo.toml b/crates/core/Cargo.toml
index d1caa9a8..0125f19e 100644
--- a/crates/core/Cargo.toml
+++ b/crates/core/Cargo.toml
@@ -50,7 +50,7 @@ hyper-util = "0.1.7"
 indoc = "2.0.5"
 itertools = "0.14.0"
 jsonschema = { version = "0.33.0", default-features = false }
-jsonwebtoken = { version = "^9.3.0", default-features = false, features = ["use_pem"] }
+jsonwebtoken = { version = "^10.0.0", default-features = false, features = ["use_pem", "rust_crypto"] }
 kanal = "0.1.1"
 lazy_static = "1.4.0"
 lettre = { version = "^0.11.7", default-features = false, features = ["tokio1-rustls-tls", "sendmail-transport", "smtp-transport", "builder"] }
diff --git a/crates/core/src/auth/jwt.rs b/crates/core/src/auth/jwt.rs
index da12be2e..5d15ec96 100644
--- a/crates/core/src/auth/jwt.rs
+++ b/crates/core/src/auth/jwt.rs
@@ -117,7 +117,7 @@ impl JwtHelper {
 return self.public_key.clone();
 }
 
- pub fn decode(&self, token: &str) -> Result {
+ pub fn decode(&self, token: &str) -> Result {
 // Note: we don't need to expose the token headers.
 return jsonwebtoken::decode::(token, &self.decoding_key, &self.validation)
 .map(|data| data.claims);
diff --git a/crates/core/src/auth/oauth/state.rs b/crates/core/src/auth/oauth/state.rs
index f0748ba3..3f2ca621 100644
--- a/crates/core/src/auth/oauth/state.rs
+++ b/crates/core/src/auth/oauth/state.rs
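Review bot: The new `Ok(jwt_token)` arm stores claims that `decode_auth_token` deserializes without verifying the signature (the decoder's own comment elsewhere in this diff says the client has no key), so `TokenState.state` carries unverified, client-parsed claims, and nothing at the match says so. A comment above the arm such as `// Claims come from an unverified decode: usable for local bookkeeping (e.g. expiry), not as proof of identity.` would keep later callers from treating `jwt_token` as authenticated. Separately, `headers` is built from `tokens` before the decode, so a token that fails to parse is still attached to requests while `state` becomes `None`; if that is intentional, a short comment next to the `error!` would save the next reader the question. The enclosing function starts outside the hunk.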
@@ -1,6 +1,6 @@
 use serde::{Deserialize, Serialize};
 
-#[derive(Debug, Serialize, Deserialize, PartialEq)]
+#[derive(Clone, Debug, Serialize, Deserialize, PartialEq)]
 pub(crate) enum ResponseType {
 #[serde(rename = "code")]
 Code,
@@ -9,7 +9,7 @@ pub(crate) enum ResponseType {
 /// State that will be round-tripped from login -> remote oauth -> callback via the user's cookies.
 ///
 /// NOTE: Consider encrypting the state to make it tamper-proof.
-#[derive(Debug, Serialize, Deserialize, PartialEq)]
+#[derive(Clone, Debug, Serialize, Deserialize, PartialEq)]
 pub(crate) struct OAuthState {
 /// Expiration timestamp. Required for JWT. We could remove this is we made this tamper-proof w/o
 /// JWT.