Jw/changing how jwt is passed around

libsql-server/src/auth/errors.rs

@@ -22,6 +22,12 @@ pub enum AuthError {
     JwtExpired,
     #[error("The JWT is immature (not valid yet)")]
     JwtImmature,
+    #[error("Auth string does not conform to '<scheme> <token>' form")]
+    AuthStringMalformed,
+    #[error("Expected authorization header but none given")]
+    AuthHeaderNotFound,
+    #[error("Non-ASCII auth header")]
+    AuthHeaderNonAscii,
     #[error("Authentication failed")]
     Other,
 }
@@ -39,6 +45,9 @@ impl AuthError {
             Self::JwtInvalid => "AUTH_JWT_INVALID",
             Self::JwtExpired => "AUTH_JWT_EXPIRED",
             Self::JwtImmature => "AUTH_JWT_IMMATURE",
+            Self::AuthStringMalformed => "AUTH_HEADER_MALFORMED",
+            Self::AuthHeaderNotFound => "AUTH_HEADER_NOT_FOUND",
+            Self::AuthHeaderNonAscii => "AUTH_HEADER_MALFORMED",
             Self::Other => "AUTH_FAILED",
         }
     }

libsql-server/src/auth/mod.rs

@@ -27,7 +27,10 @@ impl Auth {
         }
     }
 
-    pub fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError> {
+    pub fn authenticate(
+        &self,
+        context: Result<UserAuthContext, AuthError>,
+    ) -> Result<Authenticated, AuthError> {
         self.user_strategy.authenticate(context)
     }
 }

libsql-server/src/auth/parsers.rs

@@ -4,6 +4,8 @@ use anyhow::{bail, Context as _, Result};
 use axum::http::HeaderValue;
 use tonic::metadata::MetadataMap;
 
+use super::UserAuthContext;
+
 pub fn parse_http_basic_auth_arg(arg: &str) -> Result<Option<String>> {
     if arg == "always" {
         return Ok(Some("always".to_string()));
@@ -34,11 +36,12 @@ pub fn parse_jwt_key(data: &str) -> Result<jsonwebtoken::DecodingKey> {
     }
 }
 
-pub(crate) fn parse_grpc_auth_header(metadata: &MetadataMap) -> Option<HeaderValue> {
+pub(crate) fn parse_grpc_auth_header(metadata: &MetadataMap) -> Result<UserAuthContext, AuthError> {
     metadata
         .get(GRPC_AUTH_HEADER)
-        .map(|v| v.to_bytes().expect("Auth should always be ASCII"))
-        .map(|v| HeaderValue::from_maybe_shared(v).expect("Should already be valid header"))
+        .ok_or(AuthError::AuthHeaderNotFound)
+        .and_then(|h| h.to_str().map_err(|_| AuthError::AuthHeaderNonAscii))
+        .and_then(|t| UserAuthContext::from_auth_str(t))
 }
 
 pub fn parse_http_auth_header<'a>(
@@ -71,7 +74,45 @@ mod tests {
 
     use crate::auth::{parse_http_auth_header, AuthError};
 
-    use super::parse_http_basic_auth_arg;
+    use super::{parse_grpc_auth_header, parse_http_basic_auth_arg};
+
+    #[test]
+    fn parse_grpc_auth_header_returns_valid_context() {
+        let mut map = tonic::metadata::MetadataMap::new();
+        map.insert("x-authorization", "bearer 123".parse().unwrap());
+        let context = parse_grpc_auth_header(&map).unwrap();
+        assert_eq!(context.scheme().as_ref().unwrap(), "bearer");
+        assert_eq!(context.token().as_ref().unwrap(), "123");
+    }
+
+    #[test]
+    fn parse_grpc_auth_header_error_no_header() {
+        let map = tonic::metadata::MetadataMap::new();
+        let result = parse_grpc_auth_header(&map);
+        assert_eq!(
+            result.unwrap_err().to_string(),
+            "Expected authorization header but none given"
+        );
+    }
+
+    #[test]
+    fn parse_grpc_auth_header_error_non_ascii() {
+        let mut map = tonic::metadata::MetadataMap::new();
+        map.insert("x-authorization", "bearer I❤NY".parse().unwrap());
+        let result = parse_grpc_auth_header(&map);
+        assert_eq!(result.unwrap_err().to_string(), "Non-ASCII auth header")
+    }
+
+    #[test]
+    fn parse_grpc_auth_header_error_malformed_auth_str() {
+        let mut map = tonic::metadata::MetadataMap::new();
+        map.insert("x-authorization", "bearer123".parse().unwrap());
+        let result = parse_grpc_auth_header(&map);
+        assert_eq!(
+            result.unwrap_err().to_string(),
+            "Auth string does not conform to '<scheme> <token>' form"
+        )
+    }
 
     #[test]
     fn parse_http_auth_header_returns_auth_header_param_when_valid() {

libsql-server/src/auth/user_auth_strategies/disabled.rs

@@ -4,7 +4,10 @@ use crate::auth::{AuthError, Authenticated};
 pub struct Disabled {}
 
 impl UserAuthStrategy for Disabled {
-    fn authenticate(&self, _context: UserAuthContext) -> Result<Authenticated, AuthError> {
+    fn authenticate(
+        &self,
+        _context: Result<UserAuthContext, AuthError>,
+    ) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing disabled auth");
         Ok(Authenticated::FullAccess)
     }
@@ -23,9 +26,7 @@ mod tests {
     #[test]
     fn authenticates() {
         let strategy = Disabled::new();
-        let context = UserAuthContext {
-            user_credential: None,
-        };
+        let context = Ok(UserAuthContext::empty());
 
         assert!(matches!(
             strategy.authenticate(context).unwrap(),

libsql-server/src/auth/user_auth_strategies/http_basic.rs

@@ -1,4 +1,4 @@
-use crate::auth::{parse_http_auth_header, AuthError, Authenticated};
+use crate::auth::{AuthError, Authenticated};
 
 use super::{UserAuthContext, UserAuthStrategy};
 
@@ -7,17 +7,22 @@ pub struct HttpBasic {
 }
 
 impl UserAuthStrategy for HttpBasic {
-    fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError> {
+    fn authenticate(
+        &self,
+        context: Result<UserAuthContext, AuthError>,
+    ) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing http basic auth");
 
-        let param = parse_http_auth_header("basic", &context.user_credential)?;
-
         // NOTE: this naive comparison may leak information about the `expected_value`
         // using a timing attack
-        let actual_value = param.trim_end_matches('=');
         let expected_value = self.credential.trim_end_matches('=');
 
-        if actual_value == expected_value {
+        let creds_match = match context?.token {
+            Some(s) => s.contains(expected_value),
+            None => expected_value.is_empty(),
+        };
+
+        if creds_match {
             return Ok(Authenticated::FullAccess);
         }
 
@@ -33,8 +38,6 @@ impl HttpBasic {
 
 #[cfg(test)]
 mod tests {
-    use axum::http::HeaderValue;
-
     use super::*;
 
     const CREDENTIAL: &str = "d29qdGVrOnRoZWJlYXI=";
@@ -45,9 +48,7 @@ mod tests {
 
     #[test]
     fn authenticates_with_valid_credential() {
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Basic {CREDENTIAL}")).ok(),
-        };
+        let context = Ok(UserAuthContext::basic(CREDENTIAL));
 
         assert!(matches!(
             strategy().authenticate(context).unwrap(),
@@ -58,10 +59,7 @@ mod tests {
     #[test]
     fn authenticates_with_valid_trimmed_credential() {
         let credential = CREDENTIAL.trim_end_matches('=');
-
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Basic {credential}")).ok(),
-        };
+        let context = Ok(UserAuthContext::basic(credential));
 
         assert!(matches!(
             strategy().authenticate(context).unwrap(),
@@ -71,9 +69,7 @@ mod tests {
 
     #[test]
     fn errors_when_credentials_do_not_match() {
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str("Basic abc").ok(),
-        };
+        let context = Ok(UserAuthContext::basic("abc"));
 
         assert_eq!(
             strategy().authenticate(context).unwrap_err(),

libsql-server/src/auth/user_auth_strategies/jwt.rs

@@ -1,10 +1,7 @@
 use chrono::{DateTime, Utc};
 
 use crate::{
-    auth::{
-        authenticated::LegacyAuth, parse_http_auth_header, AuthError, Authenticated, Authorized,
-        Permission,
-    },
+    auth::{authenticated::LegacyAuth, AuthError, Authenticated, Authorized, Permission},
     namespace::NamespaceName,
 };
 
@@ -15,10 +12,27 @@ pub struct Jwt {
 }
 
 impl UserAuthStrategy for Jwt {
-    fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError> {
+    fn authenticate(
+        &self,
+        context: Result<UserAuthContext, AuthError>,
+    ) -> Result<Authenticated, AuthError> {
         tracing::trace!("executing jwt auth");
-        let param = parse_http_auth_header("bearer", &context.user_credential)?;
-        validate_jwt(&self.key, param)
+
+        let ctx = context?;
+
+        let UserAuthContext {
+            scheme: Some(scheme),
+            token: Some(token),
+        } = ctx
+        else {
+            return Err(AuthError::HttpAuthHeaderInvalid);
+        };
+
+        if !scheme.eq_ignore_ascii_case("bearer") {
+            return Err(AuthError::HttpAuthHeaderUnsupportedScheme);
+        }
+
+        return validate_jwt(&self.key, &token);
     }
 }
 
@@ -104,7 +118,6 @@ fn validate_jwt(
 mod tests {
     use std::time::Duration;
 
-    use axum::http::HeaderValue;
     use jsonwebtoken::{DecodingKey, EncodingKey};
     use ring::signature::{Ed25519KeyPair, KeyPair};
     use serde::Serialize;
@@ -142,9 +155,7 @@ mod tests {
         };
         let token = encode(&token, &enc);
 
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Bearer {token}")).ok(),
-        };
+        let context = Ok(UserAuthContext::bearer(token.as_str()));
 
         assert!(matches!(
             strategy(dec).authenticate(context).unwrap(),
@@ -166,9 +177,7 @@ mod tests {
         };
         let token = encode(&token, &enc);
 
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Bearer {token}")).ok(),
-        };
+        let context = Ok(UserAuthContext::bearer(token.as_str()));
 
         let Authenticated::Legacy(a) = strategy(dec).authenticate(context).unwrap() else {
             panic!()
@@ -181,9 +190,7 @@ mod tests {
     #[test]
     fn errors_when_jwt_token_invalid() {
         let (_enc, dec) = key_pair();
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str("Bearer abc").ok(),
-        };
+        let context = Ok(UserAuthContext::bearer("abc"));
 
         assert_eq!(
             strategy(dec).authenticate(context).unwrap_err(),
@@ -203,9 +210,7 @@ mod tests {
 
         let token = encode(&token, &enc);
 
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Bearer {token}")).ok(),
-        };
+        let context = Ok(UserAuthContext::bearer(token.as_str()));
 
         assert_eq!(
             strategy(dec).authenticate(context).unwrap_err(),
@@ -227,9 +232,7 @@ mod tests {
 
         let token = encode(&token, &enc);
 
-        let context = UserAuthContext {
-            user_credential: HeaderValue::from_str(&format!("Bearer {token}")).ok(),
-        };
+        let context = Ok(UserAuthContext::bearer(token.as_str()));
 
         let Authenticated::Authorized(a) = strategy(dec).authenticate(context).unwrap() else {
             panic!()

libsql-server/src/auth/user_auth_strategies/mod.rs

@@ -2,17 +2,73 @@ pub mod disabled;
 pub mod http_basic;
 pub mod jwt;
 
-use axum::http::HeaderValue;
-pub use disabled::*;
-pub use http_basic::*;
-pub use jwt::*;
+pub use disabled::Disabled;
+pub use http_basic::HttpBasic;
+pub use jwt::Jwt;
 
 use super::{AuthError, Authenticated};
 
+#[derive(Debug)]
 pub struct UserAuthContext {
-    pub user_credential: Option<HeaderValue>,
+    scheme: Option<String>,
+    token: Option<String>,
+}
+
+impl UserAuthContext {
+    pub fn scheme(&self) -> &Option<String> {
+        &self.scheme
+    }
+
+    pub fn token(&self) -> &Option<String> {
+        &self.token
+    }
+
+    pub fn empty() -> UserAuthContext {
+        UserAuthContext {
+            scheme: None,
+            token: None,
+        }
+    }
+
+    pub fn basic(creds: &str) -> UserAuthContext {
+        UserAuthContext {
+            scheme: Some("Basic".into()),
+            token: Some(creds.into()),
+        }
+    }
+
+    pub fn bearer(token: &str) -> UserAuthContext {
+        UserAuthContext {
+            scheme: Some("Bearer".into()),
+            token: Some(token.into()),
+        }
+    }
+
+    pub fn bearer_opt(token: Option<String>) -> UserAuthContext {
+        UserAuthContext {
+            scheme: Some("Bearer".into()),
+            token: token,
+        }
+    }
+
+    pub fn new(scheme: &str, token: &str) -> UserAuthContext {
+        UserAuthContext {
+            scheme: Some(scheme.into()),
+            token: Some(token.into()),
+        }
+    }
+
+    pub fn from_auth_str(auth_string: &str) -> Result<Self, AuthError> {
+        let (scheme, token) = auth_string
+            .split_once(' ')
+            .ok_or(AuthError::AuthStringMalformed)?;
+        Ok(UserAuthContext::new(scheme, token))
+    }
 }
 
 pub trait UserAuthStrategy: Sync + Send {
-    fn authenticate(&self, context: UserAuthContext) -> Result<Authenticated, AuthError>;
+    fn authenticate(
+        &self,
+        context: Result<UserAuthContext, AuthError>,
+    ) -> Result<Authenticated, AuthError>;
 }