Merge pull request #1 from beclab/fix/exp-timestamp

fix: change jwt claims exp/iat to timestamp
beclab · Dec 27, 2024 · 806c862 · 806c862
2 parents 4447a6b + 5e9c2bc
commit 806c862
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 10 deletions.
diff --git a/auth/src/lib.rs b/auth/src/lib.rs
@@ -226,8 +226,8 @@ pub mod types {
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct JWTClaims {
-    pub exp: DateTime<Utc>,
-    pub iat: DateTime<Utc>,
-    pub user: String,
+    pub exp: i64,
+    pub iat: i64,
+    pub username: String,
     pub groups: HashSet<String>,
 }
diff --git a/server/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
@@ -54,16 +54,17 @@ async fn create_jwt<Handler: TcpBackendHandler>(
     user: &UserId,
     groups: HashSet<GroupDetails>,
 ) -> SignedToken {
+    let exp_utc = Utc::now() + chrono::Duration::days(1);
     let claims = JWTClaims {
-        exp: Utc::now() + chrono::Duration::days(1),
-        iat: Utc::now(),
-        user: user.to_string(),
+        exp: exp_utc.timestamp(),
+        iat: Utc::now().timestamp(),
+        username: user.to_string(),
         groups: groups
             .into_iter()
             .map(|g| g.display_name.into_string())
             .collect(),
     };
-    let expiry = claims.exp.naive_utc();
+    let expiry = exp_utc.naive_utc();
     let header = jwt::Header {
         algorithm: jwt::AlgorithmType::Hs512,
         ..Default::default()
@@ -685,7 +686,9 @@ pub(crate) fn check_if_token_is_valid<Backend: BackendHandler>(
 ) -> Result<ValidationResults, actix_web::Error> {
     let token: Token<_> = VerifyWithKey::verify_with_key(token_str, &state.jwt_key)
         .map_err(|_| ErrorUnauthorized("Invalid JWT"))?;
-    if token.claims().exp.lt(&Utc::now()) {
+    let naive_datetime:NaiveDateTime = NaiveDateTime::from_timestamp_opt(token.claims().exp,0).unwrap();
+    let exp_utc = DateTime::<Utc>::from_utc(naive_datetime,Utc);
+    if exp_utc.lt(&Utc::now()) {
         return Err(ErrorUnauthorized("Expired JWT"));
     }
     if token.header().algorithm != jwt::AlgorithmType::Hs512 {
@@ -699,7 +702,7 @@ pub(crate) fn check_if_token_is_valid<Backend: BackendHandler>(
         return Err(ErrorUnauthorized("JWT was logged out"));
     }
     Ok(state.backend_handler.get_permissions_from_groups(
-        UserId::new(&token.claims().user),
+        UserId::new(&token.claims().username),
         token
             .claims()
             .groups

diff --git a/server/src/infra/sql_backend_handler.rs b/server/src/infra/sql_backend_handler.rs
@@ -78,6 +78,13 @@ impl TcpBackendHandler for SqlBackendHandler {
             expiry_date,
         }
         .into_active_model();
+        let existing_hash = model::jwt_storage::Entity::find()
+            .filter(model::jwt_storage::Column::JwtHash.eq(jwt_hash as i64))
+            .one(&self.sql_pool)
+            .await?;
+        if existing_hash.is_some() {
+            return Ok(());
+        }
         new_token.insert(&self.sql_pool).await?;
         Ok(())
     }

diff --git a/server/src/main.rs b/server/src/main.rs
@@ -26,7 +26,7 @@ use crate::{
 use actix::Actor;
 use actix_server::ServerBuilder;
 use anyhow::{anyhow, bail, Context, Result};
-use futures_util::TryFutureExt;
+//use futures_util::TryFutureExt;
 use sea_orm::{Database, DatabaseConnection};
 //use secstr::{SecUtf8};
 use tracing::*;