From 8f315ac1acb3d159e3d8bb5d20c7fad425655145 Mon Sep 17 00:00:00 2001
From: hys
Date: Wed, 11 Dec 2024 21:06:22 +0800
Subject: [PATCH 1/2] fix: change jwt claims exp/iat to timestamp

---
 auth/src/lib.rs | 4 ++--
 server/src/infra/auth_service.rs | 11 +++++++----
 server/src/main.rs | 2 +-
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/auth/src/lib.rs b/auth/src/lib.rs
index c6bb82e0..97c5a594 100644
--- a/auth/src/lib.rs
+++ b/auth/src/lib.rs
@@ -226,8 +226,8 @@ pub mod types {
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct JWTClaims {
- pub exp: DateTime,
- pub iat: DateTime,
+ pub exp: i64,
+ pub iat: i64,
 pub user: String,
 pub groups: HashSet,
 }
diff --git a/server/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
index 390b167d..54694b21 100644
--- a/server/src/infra/auth_service.rs
+++ b/server/src/infra/auth_service.rs
@@ -54,16 +54,17 @@ async fn create_jwt(
 user: &UserId,
 groups: HashSet,
 ) -> SignedToken {
+ let exp_utc = Utc::now() + chrono::Duration::days(1);
 let claims = JWTClaims {
- exp: Utc::now() + chrono::Duration::days(1),
- iat: Utc::now(),
+ exp: exp_utc.timestamp(),
+ iat: Utc::now().timestamp(),
 user: user.to_string(),
 groups: groups
 .into_iter()
 .map(|g| g.display_name.into_string())
 .collect(),
 };
- let expiry = claims.exp.naive_utc();
+ let expiry = exp_utc.naive_utc();
 let header = jwt::Header {
 algorithm: jwt::AlgorithmType::Hs512,
 ..Default::default()
@@ -685,7 +686,9 @@ pub(crate) fn check_if_token_is_valid(
 ) -> Result {
 let token: Token<_> = VerifyWithKey::verify_with_key(token_str, &state.jwt_key)
 .map_err(|_| ErrorUnauthorized("Invalid JWT"))?;
- if token.claims().exp.lt(&Utc::now()) {
+ let naive_datetime:NaiveDateTime = NaiveDateTime::from_timestamp_opt(token.claims().exp,0).unwrap();
+ let exp_utc = DateTime::::from_utc(naive_datetime,Utc);
+ if exp_utc.lt(&Utc::now()) {
 return Err(ErrorUnauthorized("Expired JWT"));
 }
 if token.header().algorithm != jwt::AlgorithmType::Hs512 {
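Review bot: The new `exp` and `iat` fields of `JWTClaims` carry no documentation of their unit, and because they are serialized straight into the token the unit is a wire-format contract; add `/// Expiry as seconds since the Unix epoch (JWT NumericDate, RFC 7519 §4.1.4).` above `exp` and `/// Issued-at as seconds since the Unix epoch (JWT NumericDate, RFC 7519 §4.1.6).` above `iat`. Switching the serialized type also means tokens issued before this commit no longer deserialize and, as far as the `check_if_token_is_valid` hunk in this patch shows, are rejected as `Invalid JWT` rather than migrated, which the commit message could state. The generic argument of `HashSet` in the struct appears to have been dropped by the page rendering and is not a defect in the hunk.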
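Review bot: In `create_jwt`, `iat` is taken from a second `Utc::now()` call while `exp` derives from the first, so the two claims and the local `expiry` are not computed from one instant. Capture the time once: `let now = Utc::now();`, `let exp_utc = now + chrono::Duration::days(1);`, and `iat: now.timestamp(),`. That keeps the persisted `expiry` and the token's `exp` exactly comparable instead of differing by whatever elapsed between the two clock reads. The use of `expiry` and the signing of `claims` continue outside the hunk.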
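Review bot: The added `NaiveDateTime::from_timestamp_opt(token.claims().exp,0).unwrap()` in `check_if_token_is_valid` panics instead of returning an error when the `exp` claim lies outside the range chrono can represent; the claim has already passed signature verification two lines earlier, so only a token signed with the server key reaches it, but a request handler should reject rather than unwind: `let naive_datetime = NaiveDateTime::from_timestamp_opt(token.claims().exp, 0)` followed by `.ok_or_else(|| ErrorUnauthorized("Invalid JWT"))?;`. Newer chrono releases deprecate `NaiveDateTime::from_timestamp_opt` and `DateTime::from_utc` in favour of `DateTime::<Utc>::from_timestamp(secs, nsecs)`, which would collapse the two added lines into one if the project's chrono version provides it. The `<Utc>` type argument on `DateTime::<Utc>::from_utc` appears to have been lost by the page rendering, and the spacing in `naive_datetime:NaiveDateTime` and `exp,0` is not `rustfmt` output.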
diff --git a/server/src/main.rs b/server/src/main.rs
index b6ab115d..a0692706 100644
--- a/server/src/main.rs
+++ b/server/src/main.rs
@@ -26,7 +26,7 @@ use crate::{
 use actix::Actor;
 use actix_server::ServerBuilder;
 use anyhow::{anyhow, bail, Context, Result};
-use futures_util::TryFutureExt;
+//use futures_util::TryFutureExt;
 use sea_orm::{Database, DatabaseConnection};
 //use secstr::{SecUtf8};
 use tracing::*;

From 5e9c2bccc1785567a04e0660a526f42e2cb5f9d1 Mon Sep 17 00:00:00 2001
From: hys
Date: Thu, 12 Dec 2024 15:59:41 +0800
Subject: [PATCH 2/2] fix: change jwt claims field user to username;and check for jwt_storage insert check

---
 auth/src/lib.rs | 2 +-
 server/src/infra/auth_service.rs | 4 ++--
 server/src/infra/sql_backend_handler.rs | 7 +++++++
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/auth/src/lib.rs b/auth/src/lib.rs
index 97c5a594..6fa2f163 100644
--- a/auth/src/lib.rs
+++ b/auth/src/lib.rs
@@ -228,6 +228,6 @@ pub mod types {
 pub struct JWTClaims {
 pub exp: i64,
 pub iat: i64,
- pub user: String,
+ pub username: String,
 pub groups: HashSet,
 }
diff --git a/server/src/infra/auth_service.rs b/server/src/infra/auth_service.rs
index 54694b21..b7ccc784 100644
--- a/server/src/infra/auth_service.rs
+++ b/server/src/infra/auth_service.rs
@@ -58,7 +58,7 @@ async fn create_jwt(
 let claims = JWTClaims {
 exp: exp_utc.timestamp(),
 iat: Utc::now().timestamp(),
- user: user.to_string(),
+ username: user.to_string(),
 groups: groups
 .into_iter()
 .map(|g| g.display_name.into_string())
@@ -702,7 +702,7 @@ pub(crate) fn check_if_token_is_valid(
 return Err(ErrorUnauthorized("JWT was logged out"));
 }
 Ok(state.backend_handler.get_permissions_from_groups(
- UserId::new(&token.claims().user),
+ UserId::new(&token.claims().username),
 token
 .claims()
 .groups
diff --git a/server/src/infra/sql_backend_handler.rs b/server/src/infra/sql_backend_handler.rs
index b64d13d5..99625aca 100644
--- a/server/src/infra/sql_backend_handler.rs
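Review bot: Commenting out `use futures_util::TryFutureExt;` leaves dead text in the import block of `main.rs`, next to the already commented `//use secstr::{SecUtf8};`. If the import is unused, which the commit message does not say but is presumably the reason, delete the line outright, and if nothing else in the crate uses `futures_util` drop it from the manifest so the dependency is not linked into the server binary for nothing. Commented-out imports accumulate and obscure which crates are actually in use.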
+++ b/server/src/infra/sql_backend_handler.rs
@@ -78,6 +78,13 @@ impl TcpBackendHandler for SqlBackendHandler {
 expiry_date,
 }
 .into_active_model();
+ let existing_hash = model::jwt_storage::Entity::find()
+ .filter(model::jwt_storage::Column::JwtHash.eq(jwt_hash as i64))
+ .one(&self.sql_pool)
+ .await?;
+ if existing_hash.is_some() {
+ return Ok(());
+ }
 new_token.insert(&self.sql_pool).await?;
 Ok(())
 }
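Review bot: The lookup added before `new_token.insert(&self.sql_pool)` is a check-then-act sequence, so two concurrent stores of the same `jwt_hash` can both observe `None` and both reach the insert, where the second still fails if the column is unique; the duplicate-insert error the commit appears to be avoiding is narrowed, not removed. The atomic form is to let the database resolve it with sea-orm's `on_conflict(...).do_nothing()` on the insert, which only has an effect when `jwt_hash` carries a unique index, and since newer sea-orm versions report a skipped row from `exec` as `DbErr::RecordNotInserted`, `exec_without_returning` is the terminal call to use. The enclosing method's signature and the `impl` header are outside the hunk, so I cannot see how callers treat the error; returning `Ok(())` for an already stored token is reasonable, but a debug-level log at that point would help when diagnosing repeated logins.
```rust
// … unchanged: building new_token from the model …
model::jwt_storage::Entity::insert(new_token)
    .on_conflict(
        sea_orm::sea_query::OnConflict::column(model::jwt_storage::Column::JwtHash)
            .do_nothing()
            .to_owned(),
    )
    .exec_without_returning(&self.sql_pool)
    .await?;
Ok(())
```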