commit 1864232b9e228f35a6456cb8f4e48ccec327fbfc · zbrox.com/jacquard

+15

Cargo.lock

···

       1817
       1817
        
        "axum",

     

       1818
       1818
        
        "axum-macros",

     

       1819
       1819
        
        "axum-test",

     

       1820
       1820
       +
        "base64 0.22.1",

     

       1820
       1821
        
        "bytes",

     

       1822
       1822
       +
        "chrono",

     

       1821
       1823
        
        "jacquard",

     

       1822
       1824
        
        "jacquard-common 0.5.1",

     

       1825
       1825
       +
        "jacquard-derive 0.5.1",

     

       1826
       1826
       +
        "jacquard-identity 0.5.1",

     

       1827
       1827
       +
        "k256",

     

       1823
       1828
        
        "miette",

     

       1829
       1829
       +
        "multibase",

     

       1830
       1830
       +
        "rand 0.8.5",

     

       1831
       1831
       +
        "reqwest",

     

       1824
       1832
        
        "serde",

     

       1825
       1833
        
        "serde_html_form",

     

       1826
       1834
        
        "serde_ipld_dagcbor",

     
···

       1828
       1836
        
        "thiserror 2.0.17",

     

       1829
       1837
        
        "tokio",

     

       1830
       1838
        
        "tokio-test",

     

       1839
       1839
       +
        "tower",

     

       1831
       1840
        
        "tower-http",

     

       1832
       1841
        
        "tracing",

     

       1833
       1842
        
        "tracing-subscriber",

     

       1843
       1843
       +
        "urlencoding",

     

       1834
       1844
        
       ]

     

       1835
       1845
        
       

     

       1836
       1846
        
       [[package]]

     
···

       1861
       1871
        
        "serde_ipld_dagcbor",

     

       1862
       1872
        
        "serde_json",

     

       1863
       1873
        
        "serde_with",

     

       1874
       1874
       +
        "signature",

     

       1864
       1875
        
        "smol_str",

     

       1865
       1876
        
        "thiserror 2.0.17",

     

       1866
       1877
        
        "tokio",

     
···

       2120
       2131
        
       checksum = "f6e3919bbaa2945715f0bb6d3934a173d1e9a59ac23767fbaaef277265a7411b"

     

       2121
       2132
        
       dependencies = [

     

       2122
       2133
        
        "cfg-if",

     

       2134
       2134
       +
        "ecdsa",

     

       2123
       2135
        
        "elliptic-curve",

     

       2136
       2136
       +
        "once_cell",

     

       2137
       2137
       +
        "sha2",

     

       2138
       2138
       +
        "signature",

     

       2124
       2139
        
       ]

     

       2125
       2140
        
       

     

       2126
       2141
        
       [[package]]

+15

crates/jacquard-axum/Cargo.toml

···

       26
       26
        
       bytes.workspace = true

     

       27
       27
        
       jacquard = { version = "0.5", path = "../jacquard" }

     

       28
       28
        
       jacquard-common = { version = "0.5", path = "../jacquard-common", features = ["reqwest-client"] }

     

       29
       29
       +
       jacquard-derive = { version = "0.5.1", path = "../jacquard-derive" }

     

       30
       30
       +
       jacquard-identity = { version = "0.5", path = "../jacquard-identity", optional = true }

     

       29
       31
        
       miette.workspace = true

     

       32
       32
       +
       multibase = { version = "0.9.1", optional = true }

     

       30
       33
        
       serde.workspace = true

     

       31
       34
        
       serde_html_form.workspace = true

     

       32
       35
        
       serde_ipld_dagcbor.workspace = true

     
···

       36
       39
        
       tower-http = { version = "0.6.6", features = ["trace", "tracing"] }

     

       37
       40
        
       tracing = "0.1.41"

     

       38
       41
        
       tracing-subscriber = { version = "0.3.20", features = ["env-filter", "time"] }

     

       42
       42
       +
       urlencoding.workspace = true

     

       43
       43
       +
       

     

       44
       44
       +
       [features]

     

       45
       45
       +
       default = ["service-auth"]

     

       46
       46
       +
       service-auth = ["jacquard-common/service-auth", "dep:jacquard-identity", "dep:multibase"]

     

       39
       47
        
       

     

       40
       48
        
       [dev-dependencies]

     

       41
       49
        
       axum-test = "18.1.0"

     

       50
       50
       +
       base64.workspace = true

     

       51
       51
       +
       chrono.workspace = true

     

       52
       52
       +
       k256 = { version = "0.13", features = ["ecdsa"] }

     

       53
       53
       +
       rand = "0.8"

     

       54
       54
       +
       reqwest.workspace = true

     

       55
       55
       +
       serde_json.workspace = true

     

       42
       56
        
       tokio-test = "0.4.4"

     

       57
       57
       +
       tower = { version = "0.5", features = ["util"] }

+76

crates/jacquard-axum/src/did_web.rs

···

       1
       1
       +
       //! Helper for serving did:web DID documents

     

       2
       2
       +
       //!

     

       3
       3
       +
       //! did:web DIDs resolve to HTTPS endpoints serving DID documents. This module

     

       4
       4
       +
       //! provides a router that serves your service's DID document at `/.well-known/did.json`.

     

       5
       5
       +
       //!

     

       6
       6
       +
       //! # Example

     

       7
       7
       +
       //!

     

       8
       8
       +
       //! ```no_run

     

       9
       9
       +
       //! use axum::Router;

     

       10
       10
       +
       //! use jacquard_axum::did_web::did_web_router;

     

       11
       11
       +
       //! use jacquard_common::types::did_doc::DidDocument;

     

       12
       12
       +
       //!

     

       13
       13
       +
       //! #[tokio::main]

     

       14
       14
       +
       //! async fn main() {

     

       15
       15
       +
       //!     // Your DID document (typically loaded from config or generated)

     

       16
       16
       +
       //!     let did_doc: DidDocument = serde_json::from_str(r#"{

     

       17
       17
       +
       //!         "id": "did:web:feedgen.example.com",

     

       18
       18
       +
       //!         "verificationMethod": [{

     

       19
       19
       +
       //!             "id": "did:web:feedgen.example.com#atproto",

     

       20
       20
       +
       //!             "type": "Multikey",

     

       21
       21
       +
       //!             "controller": "did:web:feedgen.example.com",

     

       22
       22
       +
       //!             "publicKeyMultibase": "zQ3sh..."

     

       23
       23
       +
       //!         }]

     

       24
       24
       +
       //!     }"#).unwrap();

     

       25
       25
       +
       //!

     

       26
       26
       +
       //!     let app = Router::new()

     

       27
       27
       +
       //!         .merge(did_web_router(did_doc));

     

       28
       28
       +
       //!

     

       29
       29
       +
       //!     let listener = tokio::net::TcpListener::bind("0.0.0.0:443")

     

       30
       30
       +
       //!         .await

     

       31
       31
       +
       //!         .unwrap();

     

       32
       32
       +
       //!     axum::serve(listener, app).await.unwrap();

     

       33
       33
       +
       //! }

     

       34
       34
       +
       //! ```

     

       35
       35
       +
       

     

       36
       36
       +
       use axum::{

     

       37
       37
       +
           Json, Router,

     

       38
       38
       +
           http::{HeaderValue, StatusCode, header},

     

       39
       39
       +
           response::IntoResponse,

     

       40
       40
       +
           routing::get,

     

       41
       41
       +
       };

     

       42
       42
       +
       use jacquard_common::types::did_doc::DidDocument;

     

       43
       43
       +
       

     

       44
       44
       +
       /// Create a router that serves a DID document at `/.well-known/did.json`

     

       45
       45
       +
       ///

     

       46
       46
       +
       /// Returns a Router that can be merged into your main application router.

     

       47
       47
       +
       /// The DID document is cloned on each request.

     

       48
       48
       +
       ///

     

       49
       49
       +
       /// # Example

     

       50
       50
       +
       ///

     

       51
       51
       +
       /// ```no_run

     

       52
       52
       +
       /// use axum::Router;

     

       53
       53
       +
       /// use jacquard_axum::did_web::did_web_router;

     

       54
       54
       +
       /// use jacquard_common::types::did_doc::DidDocument;

     

       55
       55
       +
       ///

     

       56
       56
       +
       /// # async fn example(did_doc: DidDocument<'static>) {

     

       57
       57
       +
       /// let app = Router::new()

     

       58
       58
       +
       ///     .merge(did_web_router(did_doc));

     

       59
       59
       +
       /// # }

     

       60
       60
       +
       /// ```

     

       61
       61
       +
       pub fn did_web_router(did_doc: DidDocument<'static>) -> Router {

     

       62
       62
       +
           Router::new().route(

     

       63
       63
       +
               "/.well-known/did.json",

     

       64
       64
       +
               get(move || async move {

     

       65
       65
       +
                   (

     

       66
       66
       +
                       StatusCode::OK,

     

       67
       67
       +
                       [(

     

       68
       68
       +
                           header::CONTENT_TYPE,

     

       69
       69
       +
                           HeaderValue::from_static("application/did+json"),

     

       70
       70
       +
                       )],

     

       71
       71
       +
                       Json(did_doc.clone()),

     

       72
       72
       +
                   )

     

       73
       73
       +
                       .into_response()

     

       74
       74
       +
               }),

     

       75
       75
       +
           )

     

       76
       76
       +
       }

+24 -3

crates/jacquard-axum/src/lib.rs

···

       45
       45
        
       //! The extractor deserializes to borrowed types first, then converts to `'static` via

     

       46
       46
        
       //! [`IntoStatic`], avoiding the DeserializeOwned requirement of the Json axum extractor and similar.

     

       47
       47
        
       

     

       48
       48
       +
       pub mod did_web;

     

       49
       49
       +
       #[cfg(feature = "service-auth")]

     

       50
       50
       +
       pub mod service_auth;

     

       51
       51
       +
       

     

       48
       52
        
       use axum::{

     

       49
       53
        
           Json, Router,

     

       50
       54
        
           body::Bytes,

     
···

       102
       106
        
                       }

     

       103
       107
        
                       XrpcMethod::Query => {

     

       104
       108
        
                           if let Some(path_query) = req.uri().path_and_query() {

     

       105
       105
       -
                               let query = path_query.query().unwrap_or("");

     

       106
       106
       -
                               let value: R::Request<'_> =

     

       107
       107
       -
                                   serde_html_form::from_str::<R::Request<'_>>(query).map_err(|e| {

     

       109
       109
       +
                               // TODO: see if we can eliminate this now that we've fixed the deserialize impls for string types

     

       110
       110
       +
                               let query =

     

       111
       111
       +
                                   urlencoding::decode(path_query.query().unwrap_or("")).map_err(|e| {

     

       108
       112
        
                                       (

     

       109
       113
        
                                           StatusCode::BAD_REQUEST,

     

       110
       114
        
                                           [(

     
···

       118
       122
        
                                       )

     

       119
       123
        
                                           .into_response()

     

       120
       124
        
                                   })?;

     

       125
       125
       +
                               let value: R::Request<'_> = serde_html_form::from_str::<R::Request<'_>>(

     

       126
       126
       +
                                   query.as_ref(),

     

       127
       127
       +
                               )

     

       128
       128
       +
                               .map_err(|e| {

     

       129
       129
       +
                                   (

     

       130
       130
       +
                                       StatusCode::BAD_REQUEST,

     

       131
       131
       +
                                       [(

     

       132
       132
       +
                                           header::CONTENT_TYPE,

     

       133
       133
       +
                                           HeaderValue::from_static("application/json"),

     

       134
       134
       +
                                       )],

     

       135
       135
       +
                                       Json(json!({

     

       136
       136
       +
                                           "error": "InvalidRequest",

     

       137
       137
       +
                                           "message": format!("failed to decode request: {}", e)

     

       138
       138
       +
                                       })),

     

       139
       139
       +
                                   )

     

       140
       140
       +
                                       .into_response()

     

       141
       141
       +
                               })?;

     

       121
       142
        
                               Ok(ExtractXrpc(value.into_static()))

     

       122
       143
        
                           } else {

     

       123
       144
        
                               Err((

+516

crates/jacquard-axum/src/service_auth.rs

···

       1
       1
       +
       //! Service authentication extractor and middleware

     

       2
       2
       +
       //!

     

       3
       3
       +
       //! # Example

     

       4
       4
       +
       //!

     

       5
       5
       +
       //! ```no_run

     

       6
       6
       +
       //! use axum::{Router, routing::get};

     

       7
       7
       +
       //! use jacquard_axum::service_auth::{ServiceAuthConfig, ExtractServiceAuth};

     

       8
       8
       +
       //! use jacquard_identity::JacquardResolver;

     

       9
       9
       +
       //! use jacquard_identity::resolver::ResolverOptions;

     

       10
       10
       +
       //! use jacquard_common::types::string::Did;

     

       11
       11
       +
       //!

     

       12
       12
       +
       //! async fn handler(

     

       13
       13
       +
       //!     ExtractServiceAuth(auth): ExtractServiceAuth,

     

       14
       14
       +
       //! ) -> String {

     

       15
       15
       +
       //!     format!("Authenticated as {}", auth.did())

     

       16
       16
       +
       //! }

     

       17
       17
       +
       //!

     

       18
       18
       +
       //! #[tokio::main]

     

       19
       19
       +
       //! async fn main() {

     

       20
       20
       +
       //!     let resolver = JacquardResolver::new(

     

       21
       21
       +
       //!         reqwest::Client::new(),

     

       22
       22
       +
       //!         ResolverOptions::default(),

     

       23
       23
       +
       //!     );

     

       24
       24
       +
       //!     let config = ServiceAuthConfig::new(

     

       25
       25
       +
       //!         Did::new_static("did:web:feedgen.example.com").unwrap(),

     

       26
       26
       +
       //!         resolver,

     

       27
       27
       +
       //!     );

     

       28
       28
       +
       //!

     

       29
       29
       +
       //!     let app = Router::new()

     

       30
       30
       +
       //!         .route("/xrpc/app.bsky.feed.getFeedSkeleton", get(handler))

     

       31
       31
       +
       //!         .with_state(config);

     

       32
       32
       +
       //!

     

       33
       33
       +
       //!     let listener = tokio::net::TcpListener::bind("0.0.0.0:3000")

     

       34
       34
       +
       //!         .await

     

       35
       35
       +
       //!         .unwrap();

     

       36
       36
       +
       //!     axum::serve(listener, app).await.unwrap();

     

       37
       37
       +
       //! }

     

       38
       38
       +
       //! ```

     

       39
       39
       +
       

     

       40
       40
       +
       use axum::{

     

       41
       41
       +
           Json,

     

       42
       42
       +
           extract::FromRequestParts,

     

       43
       43
       +
           http::{HeaderValue, StatusCode, header, request::Parts},

     

       44
       44
       +
           middleware::Next,

     

       45
       45
       +
           response::{IntoResponse, Response},

     

       46
       46
       +
       };

     

       47
       47
       +
       use jacquard_common::{

     

       48
       48
       +
           CowStr, IntoStatic,

     

       49
       49
       +
           service_auth::{self, PublicKey},

     

       50
       50
       +
           types::{

     

       51
       51
       +
               did_doc::VerificationMethod,

     

       52
       52
       +
               string::{Did, Nsid},

     

       53
       53
       +
           },

     

       54
       54
       +
       };

     

       55
       55
       +
       use jacquard_identity::resolver::IdentityResolver;

     

       56
       56
       +
       use serde_json::json;

     

       57
       57
       +
       use std::sync::Arc;

     

       58
       58
       +
       use thiserror::Error;

     

       59
       59
       +
       

     

       60
       60
       +
       /// Trait for providing service authentication configuration.

     

       61
       61
       +
       ///

     

       62
       62
       +
       /// This trait allows custom state types to provide service auth configuration

     

       63
       63
       +
       /// without requiring `ServiceAuthConfig<R>` directly.

     

       64
       64
       +
       pub trait ServiceAuth {

     

       65
       65
       +
           /// The identity resolver type

     

       66
       66
       +
           type Resolver: IdentityResolver;

     

       67
       67
       +
       

     

       68
       68
       +
           /// Get the service DID (expected audience)

     

       69
       69
       +
           fn service_did(&self) -> &Did<'_>;

     

       70
       70
       +
       

     

       71
       71
       +
           /// Get a reference to the identity resolver

     

       72
       72
       +
           fn resolver(&self) -> &Self::Resolver;

     

       73
       73
       +
       

     

       74
       74
       +
           /// Whether to require the `lxm` (method binding) field

     

       75
       75
       +
           fn require_lxm(&self) -> bool;

     

       76
       76
       +
       }

     

       77
       77
       +
       

     

       78
       78
       +
       /// Configuration for service auth verification.

     

       79
       79
       +
       ///

     

       80
       80
       +
       /// This should be stored in your Axum app state and will be extracted

     

       81
       81
       +
       /// by the `ExtractServiceAuth` extractor.

     

       82
       82
       +
       pub struct ServiceAuthConfig<R> {

     

       83
       83
       +
           /// The DID of your service (the expected audience)

     

       84
       84
       +
           service_did: Did<'static>,

     

       85
       85
       +
           /// Identity resolver for fetching DID documents

     

       86
       86
       +
           resolver: Arc<R>,

     

       87
       87
       +
           /// Whether to require the `lxm` (method binding) field

     

       88
       88
       +
           require_lxm: bool,

     

       89
       89
       +
       }

     

       90
       90
       +
       

     

       91
       91
       +
       impl<R> Clone for ServiceAuthConfig<R> {

     

       92
       92
       +
           fn clone(&self) -> Self {

     

       93
       93
       +
               Self {

     

       94
       94
       +
                   service_did: self.service_did.clone(),

     

       95
       95
       +
                   resolver: Arc::clone(&self.resolver),

     

       96
       96
       +
                   require_lxm: self.require_lxm,

     

       97
       97
       +
               }

     

       98
       98
       +
           }

     

       99
       99
       +
       }

     

       100
       100
       +
       

     

       101
       101
       +
       impl<R: IdentityResolver> ServiceAuthConfig<R> {

     

       102
       102
       +
           /// Create a new service auth config.

     

       103
       103
       +
           ///

     

       104
       104
       +
           /// This enables `lxm` (method binding). If you need backward compatibility,

     

       105
       105
       +
           /// use `ServiceAuthConfig::new_legacy()`

     

       106
       106
       +
           pub fn new(service_did: Did<'static>, resolver: R) -> Self {

     

       107
       107
       +
               Self {

     

       108
       108
       +
                   service_did,

     

       109
       109
       +
                   resolver: Arc::new(resolver),

     

       110
       110
       +
                   require_lxm: true,

     

       111
       111
       +
               }

     

       112
       112
       +
           }

     

       113
       113
       +
       

     

       114
       114
       +
           /// Create a new service auth config.

     

       115
       115
       +
           ///

     

       116
       116
       +
           /// `lxm` (method binding) is disabled for backwards compatibility

     

       117
       117
       +
           pub fn new_legacy(service_did: Did<'static>, resolver: R) -> Self {

     

       118
       118
       +
               Self {

     

       119
       119
       +
                   service_did,

     

       120
       120
       +
                   resolver: Arc::new(resolver),

     

       121
       121
       +
                   require_lxm: false,

     

       122
       122
       +
               }

     

       123
       123
       +
           }

     

       124
       124
       +
       

     

       125
       125
       +
           /// Set whether to require the `lxm` field (method binding).

     

       126
       126
       +
           ///

     

       127
       127
       +
           /// When enabled, the JWT must contain an `lxm` field matching the requested endpoint.

     

       128
       128
       +
           /// This prevents token reuse across different methods.

     

       129
       129
       +
           pub fn require_lxm(mut self, require: bool) -> Self {

     

       130
       130
       +
               self.require_lxm = require;

     

       131
       131
       +
               self

     

       132
       132
       +
           }

     

       133
       133
       +
       

     

       134
       134
       +
           /// Get the service DID.

     

       135
       135
       +
           pub fn service_did(&self) -> &Did<'static> {

     

       136
       136
       +
               &self.service_did

     

       137
       137
       +
           }

     

       138
       138
       +
       

     

       139
       139
       +
           /// Get a reference to the identity resolver.

     

       140
       140
       +
           pub fn resolver(&self) -> &R {

     

       141
       141
       +
               &self.resolver

     

       142
       142
       +
           }

     

       143
       143
       +
       }

     

       144
       144
       +
       

     

       145
       145
       +
       impl<R: IdentityResolver> ServiceAuth for ServiceAuthConfig<R> {

     

       146
       146
       +
           type Resolver = R;

     

       147
       147
       +
       

     

       148
       148
       +
           fn service_did(&self) -> &Did<'_> {

     

       149
       149
       +
               &self.service_did

     

       150
       150
       +
           }

     

       151
       151
       +
       

     

       152
       152
       +
           fn resolver(&self) -> &Self::Resolver {

     

       153
       153
       +
               &self.resolver

     

       154
       154
       +
           }

     

       155
       155
       +
       

     

       156
       156
       +
           fn require_lxm(&self) -> bool {

     

       157
       157
       +
               self.require_lxm

     

       158
       158
       +
           }

     

       159
       159
       +
       }

     

       160
       160
       +
       

     

       161
       161
       +
       /// Verified service authentication information.

     

       162
       162
       +
       ///

     

       163
       163
       +
       /// This is the result of successfully verifying a service auth JWT.

     

       164
       164
       +
       /// This type is extracted by the `ExtractServiceAuth` extractor.

     

       165
       165
       +
       #[derive(Debug, Clone, jacquard_derive::IntoStatic)]

     

       166
       166
       +
       pub struct VerifiedServiceAuth<'a> {

     

       167
       167
       +
           /// The authenticated user's DID (from `iss` claim)

     

       168
       168
       +
           did: Did<'a>,

     

       169
       169
       +
           /// The audience (should match your service DID)

     

       170
       170
       +
           aud: Did<'a>,

     

       171
       171
       +
           /// The lexicon method NSID, if present

     

       172
       172
       +
           lxm: Option<Nsid<'a>>,

     

       173
       173
       +
           /// JWT ID (nonce), if present

     

       174
       174
       +
           jti: Option<CowStr<'a>>,

     

       175
       175
       +
       }

     

       176
       176
       +
       

     

       177
       177
       +
       impl<'a> VerifiedServiceAuth<'a> {

     

       178
       178
       +
           /// Get the authenticated user's DID.

     

       179
       179
       +
           pub fn did(&self) -> &Did<'a> {

     

       180
       180
       +
               &self.did

     

       181
       181
       +
           }

     

       182
       182
       +
       

     

       183
       183
       +
           /// Get the audience (your service DID).

     

       184
       184
       +
           pub fn aud(&self) -> &Did<'a> {

     

       185
       185
       +
               &self.aud

     

       186
       186
       +
           }

     

       187
       187
       +
       

     

       188
       188
       +
           /// Get the lexicon method NSID, if present.

     

       189
       189
       +
           pub fn lxm(&self) -> Option<&Nsid<'a>> {

     

       190
       190
       +
               self.lxm.as_ref()

     

       191
       191
       +
           }

     

       192
       192
       +
       

     

       193
       193
       +
           /// Get the JWT ID (nonce), if present.

     

       194
       194
       +
           ///

     

       195
       195
       +
           /// You can use this for replay protection by tracking seen JTIs

     

       196
       196
       +
           /// until their expiration time.

     

       197
       197
       +
           pub fn jti(&self) -> Option<&str> {

     

       198
       198
       +
               self.jti.as_ref().map(|j| j.as_ref())

     

       199
       199
       +
           }

     

       200
       200
       +
       }

     

       201
       201
       +
       

     

       202
       202
       +
       /// Axum extractor for service authentication.

     

       203
       203
       +
       ///

     

       204
       204
       +
       /// This extracts and verifies a service auth JWT from the Authorization header,

     

       205
       205
       +
       /// resolving the issuer's DID to verify the signature.

     

       206
       206
       +
       ///

     

       207
       207
       +
       /// # Example

     

       208
       208
       +
       ///

     

       209
       209
       +
       /// ```no_run

     

       210
       210
       +
       /// use axum::{Router, routing::get};

     

       211
       211
       +
       /// use jacquard_axum::service_auth::{ServiceAuthConfig, ExtractServiceAuth};

     

       212
       212
       +
       /// use jacquard_identity::JacquardResolver;

     

       213
       213
       +
       /// use jacquard_identity::resolver::ResolverOptions;

     

       214
       214
       +
       /// use jacquard_common::types::string::Did;

     

       215
       215
       +
       ///

     

       216
       216
       +
       /// async fn handler(

     

       217
       217
       +
       ///     ExtractServiceAuth(auth): ExtractServiceAuth,

     

       218
       218
       +
       /// ) -> String {

     

       219
       219
       +
       ///     format!("Authenticated as {}", auth.did())

     

       220
       220
       +
       /// }

     

       221
       221
       +
       ///

     

       222
       222
       +
       /// #[tokio::main]

     

       223
       223
       +
       /// async fn main() {

     

       224
       224
       +
       ///     let resolver = JacquardResolver::new(

     

       225
       225
       +
       ///         reqwest::Client::new(),

     

       226
       226
       +
       ///         ResolverOptions::default(),

     

       227
       227
       +
       ///     );

     

       228
       228
       +
       ///     let config = ServiceAuthConfig::new(

     

       229
       229
       +
       ///         Did::new_static("did:web:feedgen.example.com").unwrap(),

     

       230
       230
       +
       ///         resolver,

     

       231
       231
       +
       ///     );

     

       232
       232
       +
       ///

     

       233
       233
       +
       ///     let app = Router::new()

     

       234
       234
       +
       ///         .route("/xrpc/app.bsky.feed.getFeedSkeleton", get(handler))

     

       235
       235
       +
       ///         .with_state(config);

     

       236
       236
       +
       ///

     

       237
       237
       +
       ///     let listener = tokio::net::TcpListener::bind("0.0.0.0:3000")

     

       238
       238
       +
       ///         .await

     

       239
       239
       +
       ///         .unwrap();

     

       240
       240
       +
       ///     axum::serve(listener, app).await.unwrap();

     

       241
       241
       +
       /// }

     

       242
       242
       +
       /// ```

     

       243
       243
       +
       pub struct ExtractServiceAuth(pub VerifiedServiceAuth<'static>);

     

       244
       244
       +
       

     

       245
       245
       +
       /// Errors that can occur during service auth verification.

     

       246
       246
       +
       #[derive(Debug, Error, miette::Diagnostic)]

     

       247
       247
       +
       pub enum ServiceAuthError {

     

       248
       248
       +
           /// Authorization header is missing

     

       249
       249
       +
           #[error("missing Authorization header")]

     

       250
       250
       +
           MissingAuthHeader,

     

       251
       251
       +
       

     

       252
       252
       +
           /// Authorization header is malformed (not "Bearer <token>")

     

       253
       253
       +
           #[error("invalid Authorization header format")]

     

       254
       254
       +
           InvalidAuthHeader,

     

       255
       255
       +
       

     

       256
       256
       +
           /// JWT parsing or verification failed

     

       257
       257
       +
           #[error("JWT verification failed: {0}")]

     

       258
       258
       +
           JwtError(#[from] service_auth::ServiceAuthError),

     

       259
       259
       +
       

     

       260
       260
       +
           /// DID resolution failed

     

       261
       261
       +
           #[error("failed to resolve DID {did}: {source}")]

     

       262
       262
       +
           DidResolutionFailed {

     

       263
       263
       +
               did: Did<'static>,

     

       264
       264
       +
               #[source]

     

       265
       265
       +
               source: Box<dyn std::error::Error + Send + Sync>,

     

       266
       266
       +
           },

     

       267
       267
       +
       

     

       268
       268
       +
           /// No valid signing key found in DID document

     

       269
       269
       +
           #[error("no valid signing key found in DID document for {0}")]

     

       270
       270
       +
           NoSigningKey(Did<'static>),

     

       271
       271
       +
       

     

       272
       272
       +
           /// Method binding required but missing

     

       273
       273
       +
           #[error("lxm (method binding) is required but missing from token")]

     

       274
       274
       +
           MethodBindingRequired,

     

       275
       275
       +
       

     

       276
       276
       +
           /// Invalid key format

     

       277
       277
       +
           #[error("invalid key format: {0}")]

     

       278
       278
       +
           InvalidKey(String),

     

       279
       279
       +
       }

     

       280
       280
       +
       

     

       281
       281
       +
       impl IntoResponse for ServiceAuthError {

     

       282
       282
       +
           fn into_response(self) -> Response {

     

       283
       283
       +
               let (status, error_code, message) = match &self {

     

       284
       284
       +
                   ServiceAuthError::MissingAuthHeader => {

     

       285
       285
       +
                       (StatusCode::UNAUTHORIZED, "AuthMissing", self.to_string())

     

       286
       286
       +
                   }

     

       287
       287
       +
                   ServiceAuthError::InvalidAuthHeader => {

     

       288
       288
       +
                       (StatusCode::UNAUTHORIZED, "AuthMissing", self.to_string())

     

       289
       289
       +
                   }

     

       290
       290
       +
                   ServiceAuthError::JwtError(_) => (

     

       291
       291
       +
                       StatusCode::UNAUTHORIZED,

     

       292
       292
       +
                       "AuthenticationRequired",

     

       293
       293
       +
                       self.to_string(),

     

       294
       294
       +
                   ),

     

       295
       295
       +
                   ServiceAuthError::DidResolutionFailed { .. } => (

     

       296
       296
       +
                       StatusCode::UNAUTHORIZED,

     

       297
       297
       +
                       "AuthenticationRequired",

     

       298
       298
       +
                       self.to_string(),

     

       299
       299
       +
                   ),

     

       300
       300
       +
                   ServiceAuthError::NoSigningKey(_) => (

     

       301
       301
       +
                       StatusCode::UNAUTHORIZED,

     

       302
       302
       +
                       "AuthenticationRequired",

     

       303
       303
       +
                       self.to_string(),

     

       304
       304
       +
                   ),

     

       305
       305
       +
                   ServiceAuthError::MethodBindingRequired => (

     

       306
       306
       +
                       StatusCode::UNAUTHORIZED,

     

       307
       307
       +
                       "AuthenticationRequired",

     

       308
       308
       +
                       self.to_string(),

     

       309
       309
       +
                   ),

     

       310
       310
       +
                   ServiceAuthError::InvalidKey(_) => (

     

       311
       311
       +
                       StatusCode::UNAUTHORIZED,

     

       312
       312
       +
                       "AuthenticationRequired",

     

       313
       313
       +
                       self.to_string(),

     

       314
       314
       +
                   ),

     

       315
       315
       +
               };

     

       316
       316
       +
       

     

       317
       317
       +
               tracing::warn!("Service auth failed: {}", message);

     

       318
       318
       +
       

     

       319
       319
       +
               (

     

       320
       320
       +
                   status,

     

       321
       321
       +
                   [(

     

       322
       322
       +
                       header::CONTENT_TYPE,

     

       323
       323
       +
                       HeaderValue::from_static("application/json"),

     

       324
       324
       +
                   )],

     

       325
       325
       +
                   Json(json!({

     

       326
       326
       +
                       "error": error_code,

     

       327
       327
       +
                       "message": message,

     

       328
       328
       +
                   })),

     

       329
       329
       +
               )

     

       330
       330
       +
                   .into_response()

     

       331
       331
       +
           }

     

       332
       332
       +
       }

     

       333
       333
       +
       

     

       334
       334
       +
       impl<S> FromRequestParts<S> for ExtractServiceAuth

     

       335
       335
       +
       where

     

       336
       336
       +
           S: ServiceAuth + Send + Sync,

     

       337
       337
       +
           S::Resolver: Send + Sync,

     

       338
       338
       +
       {

     

       339
       339
       +
           type Rejection = ServiceAuthError;

     

       340
       340
       +
       

     

       341
       341
       +
           fn from_request_parts(

     

       342
       342
       +
               parts: &mut Parts,

     

       343
       343
       +
               state: &S,

     

       344
       344
       +
           ) -> impl std::future::Future<Output = Result<Self, Self::Rejection>> + Send {

     

       345
       345
       +
               async move {

     

       346
       346
       +
                   // Extract Authorization header

     

       347
       347
       +
                   let auth_header = parts

     

       348
       348
       +
                       .headers

     

       349
       349
       +
                       .get(header::AUTHORIZATION)

     

       350
       350
       +
                       .ok_or(ServiceAuthError::MissingAuthHeader)?;

     

       351
       351
       +
       

     

       352
       352
       +
                   // Parse Bearer token

     

       353
       353
       +
                   let auth_str = auth_header

     

       354
       354
       +
                       .to_str()

     

       355
       355
       +
                       .map_err(|_| ServiceAuthError::InvalidAuthHeader)?;

     

       356
       356
       +
       

     

       357
       357
       +
                   let token = auth_str

     

       358
       358
       +
                       .strip_prefix("Bearer ")

     

       359
       359
       +
                       .ok_or(ServiceAuthError::InvalidAuthHeader)?;

     

       360
       360
       +
       

     

       361
       361
       +
                   // Parse JWT

     

       362
       362
       +
                   let parsed = service_auth::parse_jwt(token)?;

     

       363
       363
       +
       

     

       364
       364
       +
                   // Get claims for DID resolution

     

       365
       365
       +
                   let claims = parsed.claims();

     

       366
       366
       +
       

     

       367
       367
       +
                   // Resolve DID to get signing key (do this before checking claims)

     

       368
       368
       +
                   let did_doc = state

     

       369
       369
       +
                       .resolver()

     

       370
       370
       +
                       .resolve_did_doc(&claims.iss)

     

       371
       371
       +
                       .await

     

       372
       372
       +
                       .map_err(|e| ServiceAuthError::DidResolutionFailed {

     

       373
       373
       +
                           did: claims.iss.clone().into_static(),

     

       374
       374
       +
                           source: Box::new(e),

     

       375
       375
       +
                       })?;

     

       376
       376
       +
       

     

       377
       377
       +
                   // Parse the DID document response to get verification methods

     

       378
       378
       +
                   let doc = did_doc

     

       379
       379
       +
                       .parse()

     

       380
       380
       +
                       .map_err(|e| ServiceAuthError::DidResolutionFailed {

     

       381
       381
       +
                           did: claims.iss.clone().into_static(),

     

       382
       382
       +
                           source: Box::new(e),

     

       383
       383
       +
                       })?;

     

       384
       384
       +
       

     

       385
       385
       +
                   // Extract signing key from DID document

     

       386
       386
       +
                   let verification_methods = doc

     

       387
       387
       +
                       .verification_method

     

       388
       388
       +
                       .as_deref()

     

       389
       389
       +
                       .ok_or_else(|| ServiceAuthError::NoSigningKey(claims.iss.clone().into_static()))?;

     

       390
       390
       +
       

     

       391
       391
       +
                   let signing_key = extract_signing_key(verification_methods)

     

       392
       392
       +
                       .ok_or_else(|| ServiceAuthError::NoSigningKey(claims.iss.clone().into_static()))?;

     

       393
       393
       +
       

     

       394
       394
       +
                   // Verify signature FIRST - if this fails, nothing else matters

     

       395
       395
       +
                   service_auth::verify_signature(&parsed, &signing_key)?;

     

       396
       396
       +
       

     

       397
       397
       +
                   // Now validate claims (audience, expiration, etc.)

     

       398
       398
       +
                   claims.validate(state.service_did())?;

     

       399
       399
       +
       

     

       400
       400
       +
                   // Check method binding if required

     

       401
       401
       +
                   if state.require_lxm() && claims.lxm.is_none() {

     

       402
       402
       +
                       return Err(ServiceAuthError::MethodBindingRequired);

     

       403
       403
       +
                   }

     

       404
       404
       +
       

     

       405
       405
       +
                   // All checks passed - return verified auth

     

       406
       406
       +
                   Ok(ExtractServiceAuth(VerifiedServiceAuth {

     

       407
       407
       +
                       did: claims.iss.clone().into_static(),

     

       408
       408
       +
                       aud: claims.aud.clone().into_static(),

     

       409
       409
       +
                       lxm: claims.lxm.as_ref().map(|l| l.clone().into_static()),

     

       410
       410
       +
                       jti: claims.jti.as_ref().map(|j| j.clone().into_static()),

     

       411
       411
       +
                   }))

     

       412
       412
       +
               }

     

       413
       413
       +
           }

     

       414
       414
       +
       }

     

       415
       415
       +
       

     

       416
       416
       +
       /// Extract the signing key from a DID document's verification methods.

     

       417
       417
       +
       ///

     

       418
       418
       +
       /// This looks for a key with type "atproto" or the first available key

     

       419
       419
       +
       /// if no atproto-specific key is found.

     

       420
       420
       +
       fn extract_signing_key(methods: &[VerificationMethod]) -> Option<PublicKey> {

     

       421
       421
       +
           // First try to find an atproto-specific key

     

       422
       422
       +
           let atproto_method = methods

     

       423
       423
       +
               .iter()

     

       424
       424
       +
               .find(|m| m.r#type.as_ref() == "Multikey" || m.r#type.as_ref() == "atproto");

     

       425
       425
       +
       

     

       426
       426
       +
           let method = atproto_method.or_else(|| methods.first())?;

     

       427
       427
       +
       

     

       428
       428
       +
           // Parse the multikey

     

       429
       429
       +
           let public_key_multibase = method.public_key_multibase.as_ref()?;

     

       430
       430
       +
       

     

       431
       431
       +
           // Decode multibase

     

       432
       432
       +
           let (_, key_bytes) = multibase::decode(public_key_multibase.as_ref()).ok()?;

     

       433
       433
       +
       

     

       434
       434
       +
           // First two bytes are the multicodec prefix

     

       435
       435
       +
           if key_bytes.len() < 2 {

     

       436
       436
       +
               return None;

     

       437
       437
       +
           }

     

       438
       438
       +
       

     

       439
       439
       +
           let codec = &key_bytes[..2];

     

       440
       440
       +
           let key_material = &key_bytes[2..];

     

       441
       441
       +
       

     

       442
       442
       +
           match codec {

     

       443
       443
       +
               // p256-pub (0x1200)

     

       444
       444
       +
               [0x80, 0x24] => PublicKey::from_p256_bytes(key_material).ok(),

     

       445
       445
       +
               // secp256k1-pub (0xe7)

     

       446
       446
       +
               [0xe7, 0x01] => PublicKey::from_k256_bytes(key_material).ok(),

     

       447
       447
       +
               _ => None,

     

       448
       448
       +
           }

     

       449
       449
       +
       }

     

       450
       450
       +
       

     

       451
       451
       +
       /// Middleware for verifying service authentication on all requests.

     

       452
       452
       +
       ///

     

       453
       453
       +
       /// This middleware extracts and verifies the service auth JWT, then adds the

     

       454
       454
       +
       /// `VerifiedServiceAuth` to request extensions for downstream handlers to access.

     

       455
       455
       +
       ///

     

       456
       456
       +
       /// # Example

     

       457
       457
       +
       ///

     

       458
       458
       +
       /// ```no_run

     

       459
       459
       +
       /// use axum::{Router, routing::get, middleware, Extension};

     

       460
       460
       +
       /// use jacquard_axum::service_auth::{ServiceAuthConfig, service_auth_middleware};

     

       461
       461
       +
       /// use jacquard_identity::JacquardResolver;

     

       462
       462
       +
       /// use jacquard_identity::resolver::ResolverOptions;

     

       463
       463
       +
       /// use jacquard_common::types::string::Did;

     

       464
       464
       +
       ///

     

       465
       465
       +
       /// async fn handler(

     

       466
       466
       +
       ///     Extension(auth): Extension<jacquard_axum::service_auth::VerifiedServiceAuth<'static>>,

     

       467
       467
       +
       /// ) -> String {

     

       468
       468
       +
       ///     format!("Authenticated as {}", auth.did())

     

       469
       469
       +
       /// }

     

       470
       470
       +
       ///

     

       471
       471
       +
       /// #[tokio::main]

     

       472
       472
       +
       /// async fn main() {

     

       473
       473
       +
       ///     let resolver = JacquardResolver::new(

     

       474
       474
       +
       ///         reqwest::Client::new(),

     

       475
       475
       +
       ///         ResolverOptions::default(),

     

       476
       476
       +
       ///     );

     

       477
       477
       +
       ///     let config = ServiceAuthConfig::new(

     

       478
       478
       +
       ///         Did::new_static("did:web:feedgen.example.com").unwrap(),

     

       479
       479
       +
       ///         resolver,

     

       480
       480
       +
       ///     );

     

       481
       481
       +
       ///

     

       482
       482
       +
       ///     let app = Router::new()

     

       483
       483
       +
       ///         .route("/xrpc/app.bsky.feed.getFeedSkeleton", get(handler))

     

       484
       484
       +
       ///         .layer(middleware::from_fn_with_state(

     

       485
       485
       +
       ///             config.clone(),

     

       486
       486
       +
       ///             service_auth_middleware::<ServiceAuthConfig<JacquardResolver>>,

     

       487
       487
       +
       ///         ))

     

       488
       488
       +
       ///         .with_state(config);

     

       489
       489
       +
       ///

     

       490
       490
       +
       ///     let listener = tokio::net::TcpListener::bind("0.0.0.0:3000")

     

       491
       491
       +
       ///         .await

     

       492
       492
       +
       ///         .unwrap();

     

       493
       493
       +
       ///     axum::serve(listener, app).await.unwrap();

     

       494
       494
       +
       /// }

     

       495
       495
       +
       /// ```

     

       496
       496
       +
       pub async fn service_auth_middleware<S>(

     

       497
       497
       +
           state: axum::extract::State<S>,

     

       498
       498
       +
           mut req: axum::extract::Request,

     

       499
       499
       +
           next: Next,

     

       500
       500
       +
       ) -> Result<Response, ServiceAuthError>

     

       501
       501
       +
       where

     

       502
       502
       +
           S: ServiceAuth + Send + Sync + Clone,

     

       503
       503
       +
           S::Resolver: Send + Sync,

     

       504
       504
       +
       {

     

       505
       505
       +
           // Extract auth from request parts

     

       506
       506
       +
           let (mut parts, body) = req.into_parts();

     

       507
       507
       +
           let ExtractServiceAuth(auth) =

     

       508
       508
       +
               ExtractServiceAuth::from_request_parts(&mut parts, &state.0).await?;

     

       509
       509
       +
       

     

       510
       510
       +
           // Add auth to extensions

     

       511
       511
       +
           parts.extensions.insert(auth);

     

       512
       512
       +
       

     

       513
       513
       +
           // Reconstruct request and continue

     

       514
       514
       +
           req = axum::extract::Request::from_parts(parts, body);

     

       515
       515
       +
           Ok(next.run(req).await)

     

       516
       516
       +
       }

+543

crates/jacquard-axum/tests/service_auth_tests.rs

···

       1
       1
       +
       use axum::{

     

       2
       2
       +
           Extension, Router,

     

       3
       3
       +
           body::Body,

     

       4
       4
       +
           extract::Request,

     

       5
       5
       +
           http::{StatusCode, header},

     

       6
       6
       +
           middleware,

     

       7
       7
       +
           routing::get,

     

       8
       8
       +
       };

     

       9
       9
       +
       use base64::Engine;

     

       10
       10
       +
       use base64::engine::general_purpose::URL_SAFE_NO_PAD;

     

       11
       11
       +
       use bytes::Bytes;

     

       12
       12
       +
       use jacquard_axum::service_auth::{

     

       13
       13
       +
           ExtractServiceAuth, ServiceAuthConfig, VerifiedServiceAuth, service_auth_middleware,

     

       14
       14
       +
       };

     

       15
       15
       +
       use jacquard_common::{

     

       16
       16
       +
           CowStr, IntoStatic,

     

       17
       17
       +
           service_auth::JwtHeader,

     

       18
       18
       +
           types::{

     

       19
       19
       +
               did::Did,

     

       20
       20
       +
               did_doc::{DidDocument, VerificationMethod},

     

       21
       21
       +
           },

     

       22
       22
       +
       };

     

       23
       23
       +
       use jacquard_identity::resolver::{

     

       24
       24
       +
           DidDocResponse, IdentityError, IdentityResolver, ResolverOptions,

     

       25
       25
       +
       };

     

       26
       26
       +
       use reqwest::StatusCode as ReqwestStatusCode;

     

       27
       27
       +
       use serde_json::json;

     

       28
       28
       +
       use std::future::Future;

     

       29
       29
       +
       use tower::ServiceExt;

     

       30
       30
       +
       

     

       31
       31
       +
       // Test helper: create a signed JWT

     

       32
       32
       +
       fn create_test_jwt(

     

       33
       33
       +
           iss: &str,

     

       34
       34
       +
           aud: &str,

     

       35
       35
       +
           exp: i64,

     

       36
       36
       +
           lxm: Option<&str>,

     

       37
       37
       +
           signing_key: &k256::ecdsa::SigningKey,

     

       38
       38
       +
       ) -> String {

     

       39
       39
       +
           use k256::ecdsa::signature::Signer;

     

       40
       40
       +
       

     

       41
       41
       +
           let header = JwtHeader {

     

       42
       42
       +
               alg: CowStr::new_static("ES256K"),

     

       43
       43
       +
               typ: CowStr::new_static("JWT"),

     

       44
       44
       +
           };

     

       45
       45
       +
       

     

       46
       46
       +
           let mut claims_json = json!({

     

       47
       47
       +
               "iss": iss,

     

       48
       48
       +
               "aud": aud,

     

       49
       49
       +
               "exp": exp,

     

       50
       50
       +
               "iat": chrono::Utc::now().timestamp(),

     

       51
       51
       +
           });

     

       52
       52
       +
       

     

       53
       53
       +
           if let Some(lxm_val) = lxm {

     

       54
       54
       +
               claims_json["lxm"] = json!(lxm_val);

     

       55
       55
       +
           }

     

       56
       56
       +
       

     

       57
       57
       +
           let header_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&header).unwrap());

     

       58
       58
       +
           let payload_b64 = URL_SAFE_NO_PAD.encode(serde_json::to_string(&claims_json).unwrap());

     

       59
       59
       +
       

     

       60
       60
       +
           let signing_input = format!("{}.{}", header_b64, payload_b64);

     

       61
       61
       +
       

     

       62
       62
       +
           let signature: k256::ecdsa::Signature = signing_key.sign(signing_input.as_bytes());

     

       63
       63
       +
           let signature_b64 = URL_SAFE_NO_PAD.encode(signature.to_bytes());

     

       64
       64
       +
       

     

       65
       65
       +
           format!("{}.{}", signing_input, signature_b64)

     

       66
       66
       +
       }

     

       67
       67
       +
       

     

       68
       68
       +
       // Test helper: create DID document with k256 key

     

       69
       69
       +
       fn create_test_did_doc(did: &str, public_key: &k256::ecdsa::VerifyingKey) -> DidDocument<'static> {

     

       70
       70
       +
           use std::collections::BTreeMap;

     

       71
       71
       +
       

     

       72
       72
       +
           // Encode as compressed SEC1

     

       73
       73
       +
           let encoded_point = public_key.to_encoded_point(true);

     

       74
       74
       +
           let key_bytes = encoded_point.as_bytes();

     

       75
       75
       +
       

     

       76
       76
       +
           // Multicodec prefix for secp256k1-pub (0xe701)

     

       77
       77
       +
           let mut multicodec_bytes = vec![0xe7, 0x01];

     

       78
       78
       +
           multicodec_bytes.extend_from_slice(key_bytes);

     

       79
       79
       +
       

     

       80
       80
       +
           // Multibase encode (base58btc = 'z')

     

       81
       81
       +
           let multibase_key = multibase::encode(multibase::Base::Base58Btc, &multicodec_bytes);

     

       82
       82
       +
       

     

       83
       83
       +
           DidDocument {

     

       84
       84
       +
               id: Did::new_owned(did).unwrap().into_static(),

     

       85
       85
       +
               also_known_as: None,

     

       86
       86
       +
               verification_method: Some(vec![VerificationMethod {

     

       87
       87
       +
                   id: CowStr::Owned(format!("{}#atproto", did).into()),

     

       88
       88
       +
                   r#type: CowStr::new_static("Multikey"),

     

       89
       89
       +
                   controller: Some(CowStr::Owned(did.into())),

     

       90
       90
       +
                   public_key_multibase: Some(CowStr::Owned(multibase_key.into())),

     

       91
       91
       +
                   extra_data: BTreeMap::new(),

     

       92
       92
       +
               }]),

     

       93
       93
       +
               service: None,

     

       94
       94
       +
               extra_data: BTreeMap::new(),

     

       95
       95
       +
           }

     

       96
       96
       +
       }

     

       97
       97
       +
       

     

       98
       98
       +
       // Mock resolver for tests

     

       99
       99
       +
       #[derive(Clone)]

     

       100
       100
       +
       struct MockResolver {

     

       101
       101
       +
           did_doc: DidDocument<'static>,

     

       102
       102
       +
           options: ResolverOptions,

     

       103
       103
       +
       }

     

       104
       104
       +
       

     

       105
       105
       +
       impl MockResolver {

     

       106
       106
       +
           fn new(did_doc: DidDocument<'static>) -> Self {

     

       107
       107
       +
               Self {

     

       108
       108
       +
                   did_doc,

     

       109
       109
       +
                   options: ResolverOptions::default(),

     

       110
       110
       +
               }

     

       111
       111
       +
           }

     

       112
       112
       +
       }

     

       113
       113
       +
       

     

       114
       114
       +
       impl IdentityResolver for MockResolver {

     

       115
       115
       +
           fn options(&self) -> &ResolverOptions {

     

       116
       116
       +
               &self.options

     

       117
       117
       +
           }

     

       118
       118
       +
       

     

       119
       119
       +
           fn resolve_handle(

     

       120
       120
       +
               &self,

     

       121
       121
       +
               _handle: &jacquard_common::types::string::Handle<'_>,

     

       122
       122
       +
           ) -> impl Future<Output = Result<Did<'static>, IdentityError>> + Send {

     

       123
       123
       +
               async { Err(IdentityError::InvalidWellKnown) }

     

       124
       124
       +
           }

     

       125
       125
       +
       

     

       126
       126
       +
           fn resolve_did_doc(

     

       127
       127
       +
               &self,

     

       128
       128
       +
               _did: &Did<'_>,

     

       129
       129
       +
           ) -> impl Future<Output = Result<DidDocResponse, IdentityError>> + Send {

     

       130
       130
       +
               let doc = self.did_doc.clone();

     

       131
       131
       +
               async move {

     

       132
       132
       +
                   let json = serde_json::to_vec(&doc).unwrap();

     

       133
       133
       +
                   Ok(DidDocResponse {

     

       134
       134
       +
                       buffer: Bytes::from(json),

     

       135
       135
       +
                       status: ReqwestStatusCode::OK,

     

       136
       136
       +
                       requested: Some(doc.id.clone()),

     

       137
       137
       +
                   })

     

       138
       138
       +
               }

     

       139
       139
       +
           }

     

       140
       140
       +
       }

     

       141
       141
       +
       

     

       142
       142
       +
       #[tokio::test]

     

       143
       143
       +
       async fn test_extractor_with_valid_jwt() {

     

       144
       144
       +
           // Generate keypair

     

       145
       145
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       146
       146
       +
           let verifying_key = signing_key.verifying_key();

     

       147
       147
       +
       

     

       148
       148
       +
           // Create test DID and JWT

     

       149
       149
       +
           let user_did = "did:plc:test123";

     

       150
       150
       +
           let service_did = "did:web:feedgen.example.com";

     

       151
       151
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       152
       152
       +
       

     

       153
       153
       +
           // JWT with lxm

     

       154
       154
       +
           let jwt = create_test_jwt(

     

       155
       155
       +
               user_did,

     

       156
       156
       +
               service_did,

     

       157
       157
       +
               exp,

     

       158
       158
       +
               Some("app.bsky.feed.getFeedSkeleton"),

     

       159
       159
       +
               &signing_key,

     

       160
       160
       +
           );

     

       161
       161
       +
       

     

       162
       162
       +
           // Create mock resolver

     

       163
       163
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       164
       164
       +
           let resolver = MockResolver::new(did_doc);

     

       165
       165
       +
       

     

       166
       166
       +
           // Create config (default: require_lxm = true)

     

       167
       167
       +
           let config = ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver);

     

       168
       168
       +
       

     

       169
       169
       +
           // Create handler

     

       170
       170
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       171
       171
       +
               format!("Authenticated as {}", auth.did())

     

       172
       172
       +
           }

     

       173
       173
       +
       

     

       174
       174
       +
           let app = Router::new()

     

       175
       175
       +
               .route("/test", get(handler))

     

       176
       176
       +
               .with_state(config);

     

       177
       177
       +
       

     

       178
       178
       +
           // Create request with JWT

     

       179
       179
       +
           let request = Request::builder()

     

       180
       180
       +
               .uri("/test")

     

       181
       181
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       182
       182
       +
               .body(Body::empty())

     

       183
       183
       +
               .unwrap();

     

       184
       184
       +
       

     

       185
       185
       +
           // Send request

     

       186
       186
       +
           let response = app.oneshot(request).await.unwrap();

     

       187
       187
       +
       

     

       188
       188
       +
           assert_eq!(response.status(), StatusCode::OK);

     

       189
       189
       +
       

     

       190
       190
       +
           let body_bytes = axum::body::to_bytes(response.into_body(), usize::MAX)

     

       191
       191
       +
               .await

     

       192
       192
       +
               .unwrap();

     

       193
       193
       +
           let body = String::from_utf8(body_bytes.to_vec()).unwrap();

     

       194
       194
       +
       

     

       195
       195
       +
           assert_eq!(body, format!("Authenticated as {}", user_did));

     

       196
       196
       +
       }

     

       197
       197
       +
       

     

       198
       198
       +
       #[tokio::test]

     

       199
       199
       +
       async fn test_extractor_with_expired_jwt() {

     

       200
       200
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       201
       201
       +
           let verifying_key = signing_key.verifying_key();

     

       202
       202
       +
       

     

       203
       203
       +
           let user_did = "did:plc:test123";

     

       204
       204
       +
           let service_did = "did:web:feedgen.example.com";

     

       205
       205
       +
           let exp = chrono::Utc::now().timestamp() - 300; // Expired

     

       206
       206
       +
       

     

       207
       207
       +
           let jwt = create_test_jwt(user_did, service_did, exp, None, &signing_key);

     

       208
       208
       +
       

     

       209
       209
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       210
       210
       +
           let resolver = MockResolver::new(did_doc);

     

       211
       211
       +
       

     

       212
       212
       +
           let config = ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver);

     

       213
       213
       +
       

     

       214
       214
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       215
       215
       +
               format!("Authenticated as {}", auth.did())

     

       216
       216
       +
           }

     

       217
       217
       +
       

     

       218
       218
       +
           let app = Router::new()

     

       219
       219
       +
               .route("/test", get(handler))

     

       220
       220
       +
               .with_state(config);

     

       221
       221
       +
       

     

       222
       222
       +
           let request = Request::builder()

     

       223
       223
       +
               .uri("/test")

     

       224
       224
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       225
       225
       +
               .body(Body::empty())

     

       226
       226
       +
               .unwrap();

     

       227
       227
       +
       

     

       228
       228
       +
           let response = app.oneshot(request).await.unwrap();

     

       229
       229
       +
       

     

       230
       230
       +
           assert_eq!(response.status(), StatusCode::UNAUTHORIZED);

     

       231
       231
       +
       }

     

       232
       232
       +
       

     

       233
       233
       +
       #[tokio::test]

     

       234
       234
       +
       async fn test_extractor_with_wrong_audience() {

     

       235
       235
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       236
       236
       +
           let verifying_key = signing_key.verifying_key();

     

       237
       237
       +
       

     

       238
       238
       +
           let user_did = "did:plc:test123";

     

       239
       239
       +
           let service_did = "did:web:feedgen.example.com";

     

       240
       240
       +
           let wrong_aud = "did:web:other.example.com";

     

       241
       241
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       242
       242
       +
       

     

       243
       243
       +
           let jwt = create_test_jwt(user_did, wrong_aud, exp, None, &signing_key);

     

       244
       244
       +
       

     

       245
       245
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       246
       246
       +
           let resolver = MockResolver::new(did_doc);

     

       247
       247
       +
       

     

       248
       248
       +
           let config = ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver);

     

       249
       249
       +
       

     

       250
       250
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       251
       251
       +
               format!("Authenticated as {}", auth.did())

     

       252
       252
       +
           }

     

       253
       253
       +
       

     

       254
       254
       +
           let app = Router::new()

     

       255
       255
       +
               .route("/test", get(handler))

     

       256
       256
       +
               .with_state(config);

     

       257
       257
       +
       

     

       258
       258
       +
           let request = Request::builder()

     

       259
       259
       +
               .uri("/test")

     

       260
       260
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       261
       261
       +
               .body(Body::empty())

     

       262
       262
       +
               .unwrap();

     

       263
       263
       +
       

     

       264
       264
       +
           let response = app.oneshot(request).await.unwrap();

     

       265
       265
       +
       

     

       266
       266
       +
           assert_eq!(response.status(), StatusCode::UNAUTHORIZED);

     

       267
       267
       +
       }

     

       268
       268
       +
       

     

       269
       269
       +
       #[tokio::test]

     

       270
       270
       +
       async fn test_extractor_missing_auth_header() {

     

       271
       271
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       272
       272
       +
           let verifying_key = signing_key.verifying_key();

     

       273
       273
       +
       

     

       274
       274
       +
           let user_did = "did:plc:test123";

     

       275
       275
       +
           let service_did = "did:web:feedgen.example.com";

     

       276
       276
       +
       

     

       277
       277
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       278
       278
       +
           let resolver = MockResolver::new(did_doc);

     

       279
       279
       +
       

     

       280
       280
       +
           let config = ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver);

     

       281
       281
       +
       

     

       282
       282
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       283
       283
       +
               format!("Authenticated as {}", auth.did())

     

       284
       284
       +
           }

     

       285
       285
       +
       

     

       286
       286
       +
           let app = Router::new()

     

       287
       287
       +
               .route("/test", get(handler))

     

       288
       288
       +
               .with_state(config);

     

       289
       289
       +
       

     

       290
       290
       +
           let request = Request::builder().uri("/test").body(Body::empty()).unwrap();

     

       291
       291
       +
       

     

       292
       292
       +
           let response = app.oneshot(request).await.unwrap();

     

       293
       293
       +
       

     

       294
       294
       +
           assert_eq!(response.status(), StatusCode::UNAUTHORIZED);

     

       295
       295
       +
       }

     

       296
       296
       +
       

     

       297
       297
       +
       #[tokio::test]

     

       298
       298
       +
       async fn test_middleware_with_valid_jwt() {

     

       299
       299
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       300
       300
       +
           let verifying_key = signing_key.verifying_key();

     

       301
       301
       +
       

     

       302
       302
       +
           let user_did = "did:plc:test123";

     

       303
       303
       +
           let service_did = "did:web:feedgen.example.com";

     

       304
       304
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       305
       305
       +
       

     

       306
       306
       +
           // JWT with lxm

     

       307
       307
       +
           let jwt = create_test_jwt(

     

       308
       308
       +
               user_did,

     

       309
       309
       +
               service_did,

     

       310
       310
       +
               exp,

     

       311
       311
       +
               Some("app.bsky.feed.getFeedSkeleton"),

     

       312
       312
       +
               &signing_key,

     

       313
       313
       +
           );

     

       314
       314
       +
       

     

       315
       315
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       316
       316
       +
           let resolver = MockResolver::new(did_doc);

     

       317
       317
       +
       

     

       318
       318
       +
           // Create config (default: require_lxm = true)

     

       319
       319
       +
           let config = ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver);

     

       320
       320
       +
       

     

       321
       321
       +
           async fn handler(Extension(auth): Extension<VerifiedServiceAuth<'static>>) -> String {

     

       322
       322
       +
               format!("Authenticated as {}", auth.did())

     

       323
       323
       +
           }

     

       324
       324
       +
       

     

       325
       325
       +
           let app = Router::new()

     

       326
       326
       +
               .route("/test", get(handler))

     

       327
       327
       +
               .layer(middleware::from_fn_with_state(

     

       328
       328
       +
                   config.clone(),

     

       329
       329
       +
                   service_auth_middleware::<ServiceAuthConfig<MockResolver>>,

     

       330
       330
       +
               ))

     

       331
       331
       +
               .with_state(config);

     

       332
       332
       +
       

     

       333
       333
       +
           let request = Request::builder()

     

       334
       334
       +
               .uri("/test")

     

       335
       335
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       336
       336
       +
               .body(Body::empty())

     

       337
       337
       +
               .unwrap();

     

       338
       338
       +
       

     

       339
       339
       +
           let response = app.oneshot(request).await.unwrap();

     

       340
       340
       +
       

     

       341
       341
       +
           assert_eq!(response.status(), StatusCode::OK);

     

       342
       342
       +
       

     

       343
       343
       +
           let body_bytes = axum::body::to_bytes(response.into_body(), usize::MAX)

     

       344
       344
       +
               .await

     

       345
       345
       +
               .unwrap();

     

       346
       346
       +
           let body = String::from_utf8(body_bytes.to_vec()).unwrap();

     

       347
       347
       +
       

     

       348
       348
       +
           assert_eq!(body, format!("Authenticated as {}", user_did));

     

       349
       349
       +
       }

     

       350
       350
       +
       

     

       351
       351
       +
       #[tokio::test]

     

       352
       352
       +
       async fn test_require_lxm() {

     

       353
       353
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       354
       354
       +
           let verifying_key = signing_key.verifying_key();

     

       355
       355
       +
       

     

       356
       356
       +
           let user_did = "did:plc:test123";

     

       357
       357
       +
           let service_did = "did:web:feedgen.example.com";

     

       358
       358
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       359
       359
       +
       

     

       360
       360
       +
           // JWT without lxm

     

       361
       361
       +
           let jwt = create_test_jwt(user_did, service_did, exp, None, &signing_key);

     

       362
       362
       +
       

     

       363
       363
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       364
       364
       +
           let resolver = MockResolver::new(did_doc);

     

       365
       365
       +
       

     

       366
       366
       +
           let config =

     

       367
       367
       +
               ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver).require_lxm(true);

     

       368
       368
       +
       

     

       369
       369
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       370
       370
       +
               format!("Authenticated as {}", auth.did())

     

       371
       371
       +
           }

     

       372
       372
       +
       

     

       373
       373
       +
           let app = Router::new()

     

       374
       374
       +
               .route("/test", get(handler))

     

       375
       375
       +
               .with_state(config);

     

       376
       376
       +
       

     

       377
       377
       +
           let request = Request::builder()

     

       378
       378
       +
               .uri("/test")

     

       379
       379
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       380
       380
       +
               .body(Body::empty())

     

       381
       381
       +
               .unwrap();

     

       382
       382
       +
       

     

       383
       383
       +
           let response = app.oneshot(request).await.unwrap();

     

       384
       384
       +
       

     

       385
       385
       +
           // Should fail because lxm is required but missing

     

       386
       386
       +
           assert_eq!(response.status(), StatusCode::UNAUTHORIZED);

     

       387
       387
       +
       }

     

       388
       388
       +
       

     

       389
       389
       +
       #[tokio::test]

     

       390
       390
       +
       async fn test_with_lxm_present() {

     

       391
       391
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       392
       392
       +
           let verifying_key = signing_key.verifying_key();

     

       393
       393
       +
       

     

       394
       394
       +
           let user_did = "did:plc:test123";

     

       395
       395
       +
           let service_did = "did:web:feedgen.example.com";

     

       396
       396
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       397
       397
       +
       

     

       398
       398
       +
           // JWT with lxm

     

       399
       399
       +
           let jwt = create_test_jwt(

     

       400
       400
       +
               user_did,

     

       401
       401
       +
               service_did,

     

       402
       402
       +
               exp,

     

       403
       403
       +
               Some("app.bsky.feed.getFeedSkeleton"),

     

       404
       404
       +
               &signing_key,

     

       405
       405
       +
           );

     

       406
       406
       +
       

     

       407
       407
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       408
       408
       +
           let resolver = MockResolver::new(did_doc);

     

       409
       409
       +
       

     

       410
       410
       +
           let config =

     

       411
       411
       +
               ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver).require_lxm(true);

     

       412
       412
       +
       

     

       413
       413
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       414
       414
       +
               format!(

     

       415
       415
       +
                   "Authenticated as {} for {}",

     

       416
       416
       +
                   auth.did(),

     

       417
       417
       +
                   auth.lxm().unwrap()

     

       418
       418
       +
               )

     

       419
       419
       +
           }

     

       420
       420
       +
       

     

       421
       421
       +
           let app = Router::new()

     

       422
       422
       +
               .route("/test", get(handler))

     

       423
       423
       +
               .with_state(config);

     

       424
       424
       +
       

     

       425
       425
       +
           let request = Request::builder()

     

       426
       426
       +
               .uri("/test")

     

       427
       427
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       428
       428
       +
               .body(Body::empty())

     

       429
       429
       +
               .unwrap();

     

       430
       430
       +
       

     

       431
       431
       +
           let response = app.oneshot(request).await.unwrap();

     

       432
       432
       +
       

     

       433
       433
       +
           assert_eq!(response.status(), StatusCode::OK);

     

       434
       434
       +
       

     

       435
       435
       +
           let body_bytes = axum::body::to_bytes(response.into_body(), usize::MAX)

     

       436
       436
       +
               .await

     

       437
       437
       +
               .unwrap();

     

       438
       438
       +
           let body = String::from_utf8(body_bytes.to_vec()).unwrap();

     

       439
       439
       +
       

     

       440
       440
       +
           assert_eq!(

     

       441
       441
       +
               body,

     

       442
       442
       +
               format!(

     

       443
       443
       +
                   "Authenticated as {} for app.bsky.feed.getFeedSkeleton",

     

       444
       444
       +
                   user_did

     

       445
       445
       +
               )

     

       446
       446
       +
           );

     

       447
       447
       +
       }

     

       448
       448
       +
       

     

       449
       449
       +
       #[tokio::test]

     

       450
       450
       +
       async fn test_legacy_without_lxm() {

     

       451
       451
       +
           let signing_key = k256::ecdsa::SigningKey::random(&mut rand::thread_rng());

     

       452
       452
       +
           let verifying_key = signing_key.verifying_key();

     

       453
       453
       +
       

     

       454
       454
       +
           let user_did = "did:plc:test123";

     

       455
       455
       +
           let service_did = "did:web:feedgen.example.com";

     

       456
       456
       +
           let exp = chrono::Utc::now().timestamp() + 300;

     

       457
       457
       +
       

     

       458
       458
       +
           // JWT without lxm

     

       459
       459
       +
           let jwt = create_test_jwt(user_did, service_did, exp, None, &signing_key);

     

       460
       460
       +
       

     

       461
       461
       +
           let did_doc = create_test_did_doc(user_did, verifying_key);

     

       462
       462
       +
           let resolver = MockResolver::new(did_doc);

     

       463
       463
       +
       

     

       464
       464
       +
           // Legacy config: lxm not required

     

       465
       465
       +
           let config =

     

       466
       466
       +
               ServiceAuthConfig::new(Did::new_static(service_did).unwrap(), resolver).require_lxm(false);

     

       467
       467
       +
       

     

       468
       468
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       469
       469
       +
               format!("Authenticated as {}", auth.did())

     

       470
       470
       +
           }

     

       471
       471
       +
       

     

       472
       472
       +
           let app = Router::new()

     

       473
       473
       +
               .route("/test", get(handler))

     

       474
       474
       +
               .with_state(config);

     

       475
       475
       +
       

     

       476
       476
       +
           let request = Request::builder()

     

       477
       477
       +
               .uri("/test")

     

       478
       478
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", jwt))

     

       479
       479
       +
               .body(Body::empty())

     

       480
       480
       +
               .unwrap();

     

       481
       481
       +
       

     

       482
       482
       +
           let response = app.oneshot(request).await.unwrap();

     

       483
       483
       +
       

     

       484
       484
       +
           // Should succeed because lxm is not required

     

       485
       485
       +
           assert_eq!(response.status(), StatusCode::OK);

     

       486
       486
       +
       

     

       487
       487
       +
           let body_bytes = axum::body::to_bytes(response.into_body(), usize::MAX)

     

       488
       488
       +
               .await

     

       489
       489
       +
               .unwrap();

     

       490
       490
       +
           let body = String::from_utf8(body_bytes.to_vec()).unwrap();

     

       491
       491
       +
       

     

       492
       492
       +
           assert_eq!(body, format!("Authenticated as {}", user_did));

     

       493
       493
       +
       }

     

       494
       494
       +
       

     

       495
       495
       +
       #[tokio::test]

     

       496
       496
       +
       async fn test_invalid_signature() {

     

       497
       497
       +
           // Real JWT token from did:plc:uc7pehijmk5jrllip4cglxdd with bogus signature

     

       498
       498
       +
           let token = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NksifQ.eyJpYXQiOjE3NjAzOTMyMzUsImlzcyI6ImRpZDpwbGM6dWM3cGVoaWptazVqcmxsaXA0Y2dseGRkIiwiYXVkIjoiZGlkOndlYjpkZXYucGRzbW9vdmVyLmNvbSIsImV4cCI6MTc2MDM5MzI5NSwibHhtIjoiY29tLnBkc21vb3Zlci5iYWNrdXAuc2lnblVwIiwianRpIjoiMTk0MDQzMzQyNmMyNTNlZjhmNmYxZDJjZWE1YzI0NGMifQ.h5BrgYE";

     

       499
       499
       +
       

     

       500
       500
       +
           // Real DID document for did:plc:uc7pehijmk5jrllip4cglxdd

     

       501
       501
       +
           let did_doc_json = r##"{

     

       502
       502
       +
               "id": "did:plc:uc7pehijmk5jrllip4cglxdd",

     

       503
       503
       +
               "alsoKnownAs": ["at://bailey.skeetcentral.com"],

     

       504
       504
       +
               "verificationMethod": [{

     

       505
       505
       +
                   "controller": "did:plc:uc7pehijmk5jrllip4cglxdd",

     

       506
       506
       +
                   "id": "did:plc:uc7pehijmk5jrllip4cglxdd#atproto",

     

       507
       507
       +
                   "publicKeyMultibase": "zQ3shNBS3N4EB3vX5G1HoxFkS8tDLFXUHaV85rHQZgVM88rM5",

     

       508
       508
       +
                   "type": "Multikey"

     

       509
       509
       +
               }],

     

       510
       510
       +
               "service": [{

     

       511
       511
       +
                   "id": "#atproto_pds",

     

       512
       512
       +
                   "serviceEndpoint": "https://skeetcentral.com",

     

       513
       513
       +
                   "type": "AtprotoPersonalDataServer"

     

       514
       514
       +
               }]

     

       515
       515
       +
           }"##;

     

       516
       516
       +
       

     

       517
       517
       +
           let did_doc: DidDocument = serde_json::from_str(did_doc_json).unwrap();

     

       518
       518
       +
           let resolver = MockResolver::new(did_doc);

     

       519
       519
       +
       

     

       520
       520
       +
           let config = ServiceAuthConfig::new(

     

       521
       521
       +
               Did::new_static("did:web:dev.pdsmoover.com").unwrap(),

     

       522
       522
       +
               resolver,

     

       523
       523
       +
           );

     

       524
       524
       +
       

     

       525
       525
       +
           async fn handler(ExtractServiceAuth(auth): ExtractServiceAuth) -> String {

     

       526
       526
       +
               format!("Authenticated as {}", auth.did())

     

       527
       527
       +
           }

     

       528
       528
       +
       

     

       529
       529
       +
           let app = Router::new()

     

       530
       530
       +
               .route("/test", get(handler))

     

       531
       531
       +
               .with_state(config);

     

       532
       532
       +
       

     

       533
       533
       +
           let request = Request::builder()

     

       534
       534
       +
               .uri("/test")

     

       535
       535
       +
               .header(header::AUTHORIZATION, format!("Bearer {}", token))

     

       536
       536
       +
               .body(Body::empty())

     

       537
       537
       +
               .unwrap();

     

       538
       538
       +
       

     

       539
       539
       +
           let response = app.oneshot(request).await.unwrap();

     

       540
       540
       +
       

     

       541
       541
       +
           // Should fail due to invalid signature

     

       542
       542
       +
           assert_eq!(response.status(), StatusCode::UNAUTHORIZED);

     

       543
       543
       +
       }

+5 -3

crates/jacquard-common/Cargo.toml

···

       39
       39
        
       reqwest = { workspace = true, optional = true, features = ["charset", "http2", "json", "system-proxy", "gzip", "rustls-tls"] }

     

       40
       40
        
       serde_ipld_dagcbor.workspace = true

     

       41
       41
        
       trait-variant.workspace = true

     

       42
       42
       +
       signature = { version = "2", optional = true }

     

       42
       43
        
       

     

       43
       44
        
       [features]

     

       44
       44
       -
       default = []

     

       45
       45
       +
       default = ["service-auth", "reqwest-client", "crypto"]

     

       45
       46
        
       crypto = []

     

       46
       47
        
       crypto-ed25519 = ["crypto", "dep:ed25519-dalek"]

     

       47
       47
       -
       crypto-k256 = ["crypto", "dep:k256"]

     

       48
       48
       -
       crypto-p256 = ["crypto", "dep:p256"]

     

       48
       48
       +
       crypto-k256 = ["crypto", "dep:k256", "k256/ecdsa"]

     

       49
       49
       +
       crypto-p256 = ["crypto", "dep:p256", "p256/ecdsa"]

     

       50
       50
       +
       service-auth = ["crypto-k256", "crypto-p256", "dep:signature"]

     

       49
       51
        
       reqwest-client = ["dep:reqwest"]

     

       50
       52
        
       

     

       51
       53
        
       [dependencies.ed25519-dalek]

+47 -36

crates/jacquard-common/src/cowstr.rs

···

       1
       1
       -
       use serde::{Deserialize, Serialize};

     

       1
       1
       +
       use serde::{Deserialize, Deserializer, Serialize};

     

       2
       2
        
       use smol_str::SmolStr;

     

       3
       3
        
       use std::{

     

       4
       4
        
           borrow::Cow,

     
···

       283
       283
        
           }

     

       284
       284
        
       }

     

       285
       285
        
       

     

       286
       286
       +
       /// Deserialization helper for things that wrap a CowStr

     

       287
       287
       +
       pub struct CowStrVisitor;

     

       288
       288
       +
       

     

       289
       289
       +
       impl<'de> serde::de::Visitor<'de> for CowStrVisitor {

     

       290
       290
       +
           type Value = CowStr<'de>;

     

       291
       291
       +
       

     

       292
       292
       +
           #[inline]

     

       293
       293
       +
           fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {

     

       294
       294
       +
               write!(formatter, "a string")

     

       295
       295
       +
           }

     

       296
       296
       +
       

     

       297
       297
       +
           #[inline]

     

       298
       298
       +
           fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>

     

       299
       299
       +
           where

     

       300
       300
       +
               E: serde::de::Error,

     

       301
       301
       +
           {

     

       302
       302
       +
               Ok(CowStr::copy_from_str(v))

     

       303
       303
       +
           }

     

       304
       304
       +
       

     

       305
       305
       +
           #[inline]

     

       306
       306
       +
           fn visit_borrowed_str<E>(self, v: &'de str) -> Result<Self::Value, E>

     

       307
       307
       +
           where

     

       308
       308
       +
               E: serde::de::Error,

     

       309
       309
       +
           {

     

       310
       310
       +
               Ok(CowStr::Borrowed(v))

     

       311
       311
       +
           }

     

       312
       312
       +
       

     

       313
       313
       +
           #[inline]

     

       314
       314
       +
           fn visit_string<E>(self, v: String) -> Result<Self::Value, E>

     

       315
       315
       +
           where

     

       316
       316
       +
               E: serde::de::Error,

     

       317
       317
       +
           {

     

       318
       318
       +
               Ok(v.into())

     

       319
       319
       +
           }

     

       320
       320
       +
       }

     

       321
       321
       +
       

     

       286
       322
        
       impl<'de, 'a> Deserialize<'de> for CowStr<'a>

     

       287
       323
        
       where

     

       288
       324
        
           'de: 'a,

     
···

       292
       328
        
           where

     

       293
       329
        
               D: serde::Deserializer<'de>,

     

       294
       330
        
           {

     

       295
       295
       -
               struct CowStrVisitor;

     

       296
       296
       -
       

     

       297
       297
       -
               impl<'de> serde::de::Visitor<'de> for CowStrVisitor {

     

       298
       298
       -
                   type Value = CowStr<'de>;

     

       299
       299
       -
       

     

       300
       300
       -
                   #[inline]

     

       301
       301
       -
                   fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {

     

       302
       302
       -
                       write!(formatter, "a string")

     

       303
       303
       -
                   }

     

       304
       304
       -
       

     

       305
       305
       -
                   #[inline]

     

       306
       306
       -
                   fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>

     

       307
       307
       -
                   where

     

       308
       308
       -
                       E: serde::de::Error,

     

       309
       309
       -
                   {

     

       310
       310
       -
                       Ok(CowStr::copy_from_str(v))

     

       311
       311
       -
                   }

     

       312
       312
       -
       

     

       313
       313
       -
                   #[inline]

     

       314
       314
       -
                   fn visit_borrowed_str<E>(self, v: &'de str) -> Result<Self::Value, E>

     

       315
       315
       -
                   where

     

       316
       316
       -
                       E: serde::de::Error,

     

       317
       317
       -
                   {

     

       318
       318
       -
                       Ok(CowStr::Borrowed(v))

     

       319
       319
       -
                   }

     

       320
       320
       -
       

     

       321
       321
       -
                   #[inline]

     

       322
       322
       -
                   fn visit_string<E>(self, v: String) -> Result<Self::Value, E>

     

       323
       323
       -
                   where

     

       324
       324
       -
                       E: serde::de::Error,

     

       325
       325
       -
                   {

     

       326
       326
       -
                       Ok(v.into())

     

       327
       327
       -
                   }

     

       328
       328
       -
               }

     

       329
       329
       -
       

     

       330
       331
        
               deserializer.deserialize_str(CowStrVisitor)

     

       331
       332
        
           }

     

       333
       333
       +
       }

     

       334
       334
       +
       

     

       335
       335
       +
       /// Serde helper for deserializing stuff when you want an owned version

     

       336
       336
       +
       pub fn deserialize_owned<'de, T, D>(deserializer: D) -> Result<<T as IntoStatic>::Output, D::Error>

     

       337
       337
       +
       where

     

       338
       338
       +
           T: Deserialize<'de> + IntoStatic,

     

       339
       339
       +
           D: Deserializer<'de>,

     

       340
       340
       +
       {

     

       341
       341
       +
           let value = T::deserialize(deserializer)?;

     

       342
       342
       +
           Ok(value.into_static())

     

       332
       343
        
       }

     

       333
       344
        
       

     

       334
       345
        
       /// Convert to a CowStr.

crates/jacquard-common/src/lib.rs

···

       213
       213
        
       pub mod macros;

     

       214
       214
        
       /// Generic session storage traits and utilities.

     

       215
       215
        
       pub mod session;

     

       216
       216
       +
       /// Service authentication JWT parsing and verification.

     

       217
       217
       +
       #[cfg(feature = "service-auth")]

     

       218
       218
       +
       pub mod service_auth;

     

       216
       219
        
       /// Baseline fundamental AT Protocol data types.

     

       217
       220
        
       pub mod types;

     

       218
       221
        
       // XRPC protocol types and traits

+480

crates/jacquard-common/src/service_auth.rs

···

       1
       1
       +
       //! Service authentication JWT parsing and verification for AT Protocol.

     

       2
       2
       +
       //!

     

       3
       3
       +
       //! Service auth is atproto's inter-service authentication mechanism. When a backend

     

       4
       4
       +
       //! service (feed generator, labeler, etc.) receives requests, the PDS signs a

     

       5
       5
       +
       //! short-lived JWT with the user's signing key and includes it as a Bearer token.

     

       6
       6
       +
       //!

     

       7
       7
       +
       //! # JWT Structure

     

       8
       8
       +
       //!

     

       9
       9
       +
       //! - Header: `alg` (ES256K for k256, ES256 for p256), `typ` ("JWT")

     

       10
       10
       +
       //! - Payload:

     

       11
       11
       +
       //!   - `iss`: user's DID (issuer)

     

       12
       12
       +
       //!   - `aud`: target service DID (audience)

     

       13
       13
       +
       //!   - `exp`: expiration unix timestamp

     

       14
       14
       +
       //!   - `iat`: issued at unix timestamp

     

       15
       15
       +
       //!   - `jti`: random nonce (128-bit hex) for replay protection

     

       16
       16
       +
       //!   - `lxm`: lexicon method NSID (method binding)

     

       17
       17
       +
       //! - Signature: signed with user's signing key from DID doc (ES256 or ES256K)

     

       18
       18
       +
       

     

       19
       19
       +
       use crate::CowStr;

     

       20
       20
       +
       use crate::IntoStatic;

     

       21
       21
       +
       use crate::types::string::{Did, Nsid};

     

       22
       22
       +
       use base64::Engine;

     

       23
       23
       +
       use base64::engine::general_purpose::URL_SAFE_NO_PAD;

     

       24
       24
       +
       use ouroboros::self_referencing;

     

       25
       25
       +
       use serde::{Deserialize, Serialize};

     

       26
       26
       +
       use signature::Verifier;

     

       27
       27
       +
       use smol_str::SmolStr;

     

       28
       28
       +
       use smol_str::format_smolstr;

     

       29
       29
       +
       use thiserror::Error;

     

       30
       30
       +
       

     

       31
       31
       +
       #[cfg(feature = "crypto-p256")]

     

       32
       32
       +
       use p256::ecdsa::{Signature as P256Signature, VerifyingKey as P256VerifyingKey};

     

       33
       33
       +
       

     

       34
       34
       +
       #[cfg(feature = "crypto-k256")]

     

       35
       35
       +
       use k256::ecdsa::{Signature as K256Signature, VerifyingKey as K256VerifyingKey};

     

       36
       36
       +
       

     

       37
       37
       +
       /// Errors that can occur during JWT parsing and verification.

     

       38
       38
       +
       #[derive(Debug, Error, miette::Diagnostic)]

     

       39
       39
       +
       pub enum ServiceAuthError {

     

       40
       40
       +
           /// JWT format is invalid (not three base64-encoded parts separated by dots)

     

       41
       41
       +
           #[error("malformed JWT: {0}")]

     

       42
       42
       +
           MalformedToken(CowStr<'static>),

     

       43
       43
       +
       

     

       44
       44
       +
           /// Base64 decoding failed

     

       45
       45
       +
           #[error("base64 decode error: {0}")]

     

       46
       46
       +
           Base64Decode(#[from] base64::DecodeError),

     

       47
       47
       +
       

     

       48
       48
       +
           /// JSON parsing failed

     

       49
       49
       +
           #[error("JSON parsing error: {0}")]

     

       50
       50
       +
           JsonParse(#[from] serde_json::Error),

     

       51
       51
       +
       

     

       52
       52
       +
           /// Signature verification failed

     

       53
       53
       +
           #[error("invalid signature")]

     

       54
       54
       +
           InvalidSignature,

     

       55
       55
       +
       

     

       56
       56
       +
           /// Unsupported algorithm

     

       57
       57
       +
           #[error("unsupported algorithm: {alg}")]

     

       58
       58
       +
           UnsupportedAlgorithm {

     

       59
       59
       +
               /// Algorithm name from JWT header

     

       60
       60
       +
               alg: SmolStr,

     

       61
       61
       +
           },

     

       62
       62
       +
       

     

       63
       63
       +
           /// Token has expired

     

       64
       64
       +
           #[error("token expired at {exp} (current time: {now})")]

     

       65
       65
       +
           Expired {

     

       66
       66
       +
               /// Expiration timestamp from token

     

       67
       67
       +
               exp: i64,

     

       68
       68
       +
               /// Current timestamp

     

       69
       69
       +
               now: i64,

     

       70
       70
       +
           },

     

       71
       71
       +
       

     

       72
       72
       +
           /// Audience mismatch

     

       73
       73
       +
           #[error("audience mismatch: expected {expected}, got {actual}")]

     

       74
       74
       +
           AudienceMismatch {

     

       75
       75
       +
               /// Expected audience DID

     

       76
       76
       +
               expected: Did<'static>,

     

       77
       77
       +
               /// Actual audience DID in token

     

       78
       78
       +
               actual: Did<'static>,

     

       79
       79
       +
           },

     

       80
       80
       +
       

     

       81
       81
       +
           /// Method mismatch (lxm field)

     

       82
       82
       +
           #[error("method mismatch: expected {expected}, got {actual:?}")]

     

       83
       83
       +
           MethodMismatch {

     

       84
       84
       +
               /// Expected method NSID

     

       85
       85
       +
               expected: Nsid<'static>,

     

       86
       86
       +
               /// Actual method NSID in token (if any)

     

       87
       87
       +
               actual: Option<Nsid<'static>>,

     

       88
       88
       +
           },

     

       89
       89
       +
       

     

       90
       90
       +
           /// Missing required field

     

       91
       91
       +
           #[error("missing required field: {0}")]

     

       92
       92
       +
           MissingField(&'static str),

     

       93
       93
       +
       

     

       94
       94
       +
           /// Crypto error

     

       95
       95
       +
           #[error("crypto error: {0}")]

     

       96
       96
       +
           Crypto(CowStr<'static>),

     

       97
       97
       +
       }

     

       98
       98
       +
       

     

       99
       99
       +
       /// JWT header for service auth tokens.

     

       100
       100
       +
       #[derive(Debug, Clone, Serialize, Deserialize)]

     

       101
       101
       +
       pub struct JwtHeader<'a> {

     

       102
       102
       +
           /// Algorithm used for signing

     

       103
       103
       +
           #[serde(borrow)]

     

       104
       104
       +
           pub alg: CowStr<'a>,

     

       105
       105
       +
           /// Type (always "JWT")

     

       106
       106
       +
           #[serde(borrow)]

     

       107
       107
       +
           pub typ: CowStr<'a>,

     

       108
       108
       +
       }

     

       109
       109
       +
       

     

       110
       110
       +
       impl IntoStatic for JwtHeader<'_> {

     

       111
       111
       +
           type Output = JwtHeader<'static>;

     

       112
       112
       +
       

     

       113
       113
       +
           fn into_static(self) -> Self::Output {

     

       114
       114
       +
               JwtHeader {

     

       115
       115
       +
                   alg: self.alg.into_static(),

     

       116
       116
       +
                   typ: self.typ.into_static(),

     

       117
       117
       +
               }

     

       118
       118
       +
           }

     

       119
       119
       +
       }

     

       120
       120
       +
       

     

       121
       121
       +
       /// Service authentication claims.

     

       122
       122
       +
       ///

     

       123
       123
       +
       /// These are the payload fields in a service auth JWT.

     

       124
       124
       +
       #[derive(Debug, Clone, Serialize, Deserialize)]

     

       125
       125
       +
       pub struct ServiceAuthClaims<'a> {

     

       126
       126
       +
           /// Issuer (user's DID)

     

       127
       127
       +
           #[serde(borrow)]

     

       128
       128
       +
           pub iss: Did<'a>,

     

       129
       129
       +
       

     

       130
       130
       +
           /// Audience (target service DID)

     

       131
       131
       +
           #[serde(borrow)]

     

       132
       132
       +
           pub aud: Did<'a>,

     

       133
       133
       +
       

     

       134
       134
       +
           /// Expiration time (unix timestamp)

     

       135
       135
       +
           pub exp: i64,

     

       136
       136
       +
       

     

       137
       137
       +
           /// Issued at (unix timestamp)

     

       138
       138
       +
           pub iat: i64,

     

       139
       139
       +
       

     

       140
       140
       +
           /// JWT ID (nonce for replay protection)

     

       141
       141
       +
           #[serde(borrow, skip_serializing_if = "Option::is_none")]

     

       142
       142
       +
           pub jti: Option<CowStr<'a>>,

     

       143
       143
       +
       

     

       144
       144
       +
           /// Lexicon method NSID (method binding)

     

       145
       145
       +
           #[serde(borrow, skip_serializing_if = "Option::is_none")]

     

       146
       146
       +
           pub lxm: Option<Nsid<'a>>,

     

       147
       147
       +
       }

     

       148
       148
       +
       

     

       149
       149
       +
       impl<'a> IntoStatic for ServiceAuthClaims<'a> {

     

       150
       150
       +
           type Output = ServiceAuthClaims<'static>;

     

       151
       151
       +
       

     

       152
       152
       +
           fn into_static(self) -> Self::Output {

     

       153
       153
       +
               ServiceAuthClaims {

     

       154
       154
       +
                   iss: self.iss.into_static(),

     

       155
       155
       +
                   aud: self.aud.into_static(),

     

       156
       156
       +
                   exp: self.exp,

     

       157
       157
       +
                   iat: self.iat,

     

       158
       158
       +
                   jti: self.jti.map(|j| j.into_static()),

     

       159
       159
       +
                   lxm: self.lxm.map(|l| l.into_static()),

     

       160
       160
       +
               }

     

       161
       161
       +
           }

     

       162
       162
       +
       }

     

       163
       163
       +
       

     

       164
       164
       +
       impl<'a> ServiceAuthClaims<'a> {

     

       165
       165
       +
           /// Validate the claims against expected values.

     

       166
       166
       +
           ///

     

       167
       167
       +
           /// Checks:

     

       168
       168
       +
           /// - Audience matches expected DID

     

       169
       169
       +
           /// - Token is not expired

     

       170
       170
       +
           pub fn validate(&self, expected_aud: &Did) -> Result<(), ServiceAuthError> {

     

       171
       171
       +
               // Check audience

     

       172
       172
       +
               if self.aud.as_str() != expected_aud.as_str() {

     

       173
       173
       +
                   return Err(ServiceAuthError::AudienceMismatch {

     

       174
       174
       +
                       expected: expected_aud.clone().into_static(),

     

       175
       175
       +
                       actual: self.aud.clone().into_static(),

     

       176
       176
       +
                   });

     

       177
       177
       +
               }

     

       178
       178
       +
       

     

       179
       179
       +
               // Check expiration

     

       180
       180
       +
               if self.is_expired() {

     

       181
       181
       +
                   let now = chrono::Utc::now().timestamp();

     

       182
       182
       +
                   return Err(ServiceAuthError::Expired { exp: self.exp, now });

     

       183
       183
       +
               }

     

       184
       184
       +
       

     

       185
       185
       +
               Ok(())

     

       186
       186
       +
           }

     

       187
       187
       +
       

     

       188
       188
       +
           /// Check if the token has expired.

     

       189
       189
       +
           pub fn is_expired(&self) -> bool {

     

       190
       190
       +
               let now = chrono::Utc::now().timestamp();

     

       191
       191
       +
               self.exp <= now

     

       192
       192
       +
           }

     

       193
       193
       +
       

     

       194
       194
       +
           /// Check if the method (lxm) matches the expected NSID.

     

       195
       195
       +
           pub fn check_method(&self, nsid: &Nsid) -> bool {

     

       196
       196
       +
               self.lxm

     

       197
       197
       +
                   .as_ref()

     

       198
       198
       +
                   .map(|lxm| lxm.as_str() == nsid.as_str())

     

       199
       199
       +
                   .unwrap_or(false)

     

       200
       200
       +
           }

     

       201
       201
       +
       

     

       202
       202
       +
           /// Require that the method (lxm) matches the expected NSID.

     

       203
       203
       +
           pub fn require_method(&self, nsid: &Nsid) -> Result<(), ServiceAuthError> {

     

       204
       204
       +
               if !self.check_method(nsid) {

     

       205
       205
       +
                   return Err(ServiceAuthError::MethodMismatch {

     

       206
       206
       +
                       expected: nsid.clone().into_static(),

     

       207
       207
       +
                       actual: self.lxm.as_ref().map(|l| l.clone().into_static()),

     

       208
       208
       +
                   });

     

       209
       209
       +
               }

     

       210
       210
       +
               Ok(())

     

       211
       211
       +
           }

     

       212
       212
       +
       }

     

       213
       213
       +
       

     

       214
       214
       +
       /// Parsed JWT components.

     

       215
       215
       +
       ///

     

       216
       216
       +
       /// This struct owns the decoded buffers and parsed components using ouroboros

     

       217
       217
       +
       /// self-referencing. The header and claims borrow from their respective buffers.

     

       218
       218
       +
       #[self_referencing]

     

       219
       219
       +
       pub struct ParsedJwt {

     

       220
       220
       +
           /// Decoded header buffer (owned)

     

       221
       221
       +
           header_buf: Vec<u8>,

     

       222
       222
       +
           /// Decoded payload buffer (owned)

     

       223
       223
       +
           payload_buf: Vec<u8>,

     

       224
       224
       +
           /// Original token string for signing_input

     

       225
       225
       +
           token: String,

     

       226
       226
       +
           /// Signature bytes

     

       227
       227
       +
           signature: Vec<u8>,

     

       228
       228
       +
           /// Parsed header borrowing from header_buf

     

       229
       229
       +
           #[borrows(header_buf)]

     

       230
       230
       +
           #[covariant]

     

       231
       231
       +
           header: JwtHeader<'this>,

     

       232
       232
       +
           /// Parsed claims borrowing from payload_buf

     

       233
       233
       +
           #[borrows(payload_buf)]

     

       234
       234
       +
           #[covariant]

     

       235
       235
       +
           claims: ServiceAuthClaims<'this>,

     

       236
       236
       +
       }

     

       237
       237
       +
       

     

       238
       238
       +
       impl ParsedJwt {

     

       239
       239
       +
           /// Get the signing input (header.payload) for signature verification.

     

       240
       240
       +
           pub fn signing_input(&self) -> &[u8] {

     

       241
       241
       +
               self.with_token(|token| {

     

       242
       242
       +
                   let dot_pos = token.find('.').unwrap();

     

       243
       243
       +
                   let second_dot_pos = token[dot_pos + 1..].find('.').unwrap() + dot_pos + 1;

     

       244
       244
       +
                   token[..second_dot_pos].as_bytes()

     

       245
       245
       +
               })

     

       246
       246
       +
           }

     

       247
       247
       +
       

     

       248
       248
       +
           /// Get a reference to the header.

     

       249
       249
       +
           pub fn header(&self) -> &JwtHeader<'_> {

     

       250
       250
       +
               self.borrow_header()

     

       251
       251
       +
           }

     

       252
       252
       +
       

     

       253
       253
       +
           /// Get a reference to the claims.

     

       254
       254
       +
           pub fn claims(&self) -> &ServiceAuthClaims<'_> {

     

       255
       255
       +
               self.borrow_claims()

     

       256
       256
       +
           }

     

       257
       257
       +
       

     

       258
       258
       +
           /// Get a reference to the signature.

     

       259
       259
       +
           pub fn signature(&self) -> &[u8] {

     

       260
       260
       +
               self.borrow_signature()

     

       261
       261
       +
           }

     

       262
       262
       +
       

     

       263
       263
       +
           /// Get owned header with 'static lifetime.

     

       264
       264
       +
           pub fn into_header(self) -> JwtHeader<'static> {

     

       265
       265
       +
               self.with_header(|header| header.clone().into_static())

     

       266
       266
       +
           }

     

       267
       267
       +
       

     

       268
       268
       +
           /// Get owned claims with 'static lifetime.

     

       269
       269
       +
           pub fn into_claims(self) -> ServiceAuthClaims<'static> {

     

       270
       270
       +
               self.with_claims(|claims| claims.clone().into_static())

     

       271
       271
       +
           }

     

       272
       272
       +
       }

     

       273
       273
       +
       

     

       274
       274
       +
       /// Parse a JWT token into its components without verifying the signature.

     

       275
       275
       +
       ///

     

       276
       276
       +
       /// This extracts and decodes all JWT components. The header and claims are parsed

     

       277
       277
       +
       /// and borrow from their respective owned buffers using ouroboros self-referencing.

     

       278
       278
       +
       pub fn parse_jwt(token: &str) -> Result<ParsedJwt, ServiceAuthError> {

     

       279
       279
       +
           let parts: Vec<&str> = token.split('.').collect();

     

       280
       280
       +
           if parts.len() != 3 {

     

       281
       281
       +
               return Err(ServiceAuthError::MalformedToken(CowStr::new_static(

     

       282
       282
       +
                   "JWT must have exactly 3 parts separated by dots",

     

       283
       283
       +
               )));

     

       284
       284
       +
           }

     

       285
       285
       +
       

     

       286
       286
       +
           let header_b64 = parts[0];

     

       287
       287
       +
           let payload_b64 = parts[1];

     

       288
       288
       +
           let signature_b64 = parts[2];

     

       289
       289
       +
       

     

       290
       290
       +
           // Decode all components

     

       291
       291
       +
           let header_buf = URL_SAFE_NO_PAD.decode(header_b64)?;

     

       292
       292
       +
           let payload_buf = URL_SAFE_NO_PAD.decode(payload_b64)?;

     

       293
       293
       +
           let signature = URL_SAFE_NO_PAD.decode(signature_b64)?;

     

       294
       294
       +
       

     

       295
       295
       +
           // Validate that buffers contain valid JSON for their types

     

       296
       296
       +
           // We parse once here to validate, then again in the builder (unavoidable with ouroboros)

     

       297
       297
       +
           let _header: JwtHeader = serde_json::from_slice(&header_buf)?;

     

       298
       298
       +
           let _claims: ServiceAuthClaims = serde_json::from_slice(&payload_buf)?;

     

       299
       299
       +
       

     

       300
       300
       +
           Ok(ParsedJwtBuilder {

     

       301
       301
       +
               header_buf,

     

       302
       302
       +
               payload_buf,

     

       303
       303
       +
               token: token.to_string(),

     

       304
       304
       +
               signature,

     

       305
       305
       +
               header_builder: |buf| {

     

       306
       306
       +
                   // Safe: we validated this succeeds above

     

       307
       307
       +
                   serde_json::from_slice(buf).expect("header was validated")

     

       308
       308
       +
               },

     

       309
       309
       +
               claims_builder: |buf| {

     

       310
       310
       +
                   // Safe: we validated this succeeds above

     

       311
       311
       +
                   serde_json::from_slice(buf).expect("claims were validated")

     

       312
       312
       +
               },

     

       313
       313
       +
           }

     

       314
       314
       +
           .build())

     

       315
       315
       +
       }

     

       316
       316
       +
       

     

       317
       317
       +
       /// Public key types for signature verification.

     

       318
       318
       +
       #[derive(Debug, Clone)]

     

       319
       319
       +
       pub enum PublicKey {

     

       320
       320
       +
           /// P-256 (ES256) public key

     

       321
       321
       +
           #[cfg(feature = "crypto-p256")]

     

       322
       322
       +
           P256(P256VerifyingKey),

     

       323
       323
       +
       

     

       324
       324
       +
           /// secp256k1 (ES256K) public key

     

       325
       325
       +
           #[cfg(feature = "crypto-k256")]

     

       326
       326
       +
           K256(K256VerifyingKey),

     

       327
       327
       +
       }

     

       328
       328
       +
       

     

       329
       329
       +
       impl PublicKey {

     

       330
       330
       +
           /// Create a P-256 public key from compressed or uncompressed bytes.

     

       331
       331
       +
           #[cfg(feature = "crypto-p256")]

     

       332
       332
       +
           pub fn from_p256_bytes(bytes: &[u8]) -> Result<Self, ServiceAuthError> {

     

       333
       333
       +
               let key = P256VerifyingKey::from_sec1_bytes(bytes).map_err(|e| {

     

       334
       334
       +
                   ServiceAuthError::Crypto(CowStr::Owned(format_smolstr!("invalid P-256 key: {}", e)))

     

       335
       335
       +
               })?;

     

       336
       336
       +
               Ok(PublicKey::P256(key))

     

       337
       337
       +
           }

     

       338
       338
       +
       

     

       339
       339
       +
           /// Create a secp256k1 public key from compressed or uncompressed bytes.

     

       340
       340
       +
           #[cfg(feature = "crypto-k256")]

     

       341
       341
       +
           pub fn from_k256_bytes(bytes: &[u8]) -> Result<Self, ServiceAuthError> {

     

       342
       342
       +
               let key = K256VerifyingKey::from_sec1_bytes(bytes).map_err(|e| {

     

       343
       343
       +
                   ServiceAuthError::Crypto(CowStr::Owned(format_smolstr!("invalid K-256 key: {}", e)))

     

       344
       344
       +
               })?;

     

       345
       345
       +
               Ok(PublicKey::K256(key))

     

       346
       346
       +
           }

     

       347
       347
       +
       }

     

       348
       348
       +
       

     

       349
       349
       +
       /// Verify a JWT signature using the provided public key.

     

       350
       350
       +
       ///

     

       351
       351
       +
       /// The algorithm is determined by the JWT header and must match the public key type.

     

       352
       352
       +
       pub fn verify_signature(

     

       353
       353
       +
           parsed: &ParsedJwt,

     

       354
       354
       +
           public_key: &PublicKey,

     

       355
       355
       +
       ) -> Result<(), ServiceAuthError> {

     

       356
       356
       +
           let alg = parsed.header().alg.as_str();

     

       357
       357
       +
           let signing_input = parsed.signing_input();

     

       358
       358
       +
           let signature = parsed.signature();

     

       359
       359
       +
       

     

       360
       360
       +
           match (alg, public_key) {

     

       361
       361
       +
               #[cfg(feature = "crypto-p256")]

     

       362
       362
       +
               ("ES256", PublicKey::P256(key)) => {

     

       363
       363
       +
                   let sig = P256Signature::from_slice(signature).map_err(|e| {

     

       364
       364
       +
                       ServiceAuthError::Crypto(CowStr::Owned(format_smolstr!(

     

       365
       365
       +
                           "invalid ES256 signature: {}",

     

       366
       366
       +
                           e

     

       367
       367
       +
                       )))

     

       368
       368
       +
                   })?;

     

       369
       369
       +
                   key.verify(signing_input, &sig)

     

       370
       370
       +
                       .map_err(|_| ServiceAuthError::InvalidSignature)?;

     

       371
       371
       +
                   Ok(())

     

       372
       372
       +
               }

     

       373
       373
       +
       

     

       374
       374
       +
               #[cfg(feature = "crypto-k256")]

     

       375
       375
       +
               ("ES256K", PublicKey::K256(key)) => {

     

       376
       376
       +
                   let sig = K256Signature::from_slice(signature).map_err(|e| {

     

       377
       377
       +
                       ServiceAuthError::Crypto(CowStr::Owned(format_smolstr!(

     

       378
       378
       +
                           "invalid ES256K signature: {}",

     

       379
       379
       +
                           e

     

       380
       380
       +
                       )))

     

       381
       381
       +
                   })?;

     

       382
       382
       +
                   key.verify(signing_input, &sig)

     

       383
       383
       +
                       .map_err(|_| ServiceAuthError::InvalidSignature)?;

     

       384
       384
       +
                   Ok(())

     

       385
       385
       +
               }

     

       386
       386
       +
       

     

       387
       387
       +
               _ => Err(ServiceAuthError::UnsupportedAlgorithm {

     

       388
       388
       +
                   alg: SmolStr::new(alg),

     

       389
       389
       +
               }),

     

       390
       390
       +
           }

     

       391
       391
       +
       }

     

       392
       392
       +
       

     

       393
       393
       +
       /// Parse and verify a service auth JWT in one step, returning owned claims.

     

       394
       394
       +
       ///

     

       395
       395
       +
       /// This is a convenience function that combines parsing and signature verification.

     

       396
       396
       +
       pub fn verify_service_jwt(

     

       397
       397
       +
           token: &str,

     

       398
       398
       +
           public_key: &PublicKey,

     

       399
       399
       +
       ) -> Result<ServiceAuthClaims<'static>, ServiceAuthError> {

     

       400
       400
       +
           let parsed = parse_jwt(token)?;

     

       401
       401
       +
           verify_signature(&parsed, public_key)?;

     

       402
       402
       +
           Ok(parsed.into_claims())

     

       403
       403
       +
       }

     

       404
       404
       +
       

     

       405
       405
       +
       #[cfg(test)]

     

       406
       406
       +
       mod tests {

     

       407
       407
       +
           use super::*;

     

       408
       408
       +
       

     

       409
       409
       +
           #[test]

     

       410
       410
       +
           fn test_parse_jwt_invalid_format() {

     

       411
       411
       +
               let result = parse_jwt("not.a.valid.jwt.with.too.many.parts");

     

       412
       412
       +
               assert!(matches!(result, Err(ServiceAuthError::MalformedToken(_))));

     

       413
       413
       +
           }

     

       414
       414
       +
       

     

       415
       415
       +
           #[test]

     

       416
       416
       +
           fn test_claims_expiration() {

     

       417
       417
       +
               let now = chrono::Utc::now().timestamp();

     

       418
       418
       +
               let expired_claims = ServiceAuthClaims {

     

       419
       419
       +
                   iss: Did::new("did:plc:test").unwrap(),

     

       420
       420
       +
                   aud: Did::new("did:web:example.com").unwrap(),

     

       421
       421
       +
                   exp: now - 100,

     

       422
       422
       +
                   iat: now - 200,

     

       423
       423
       +
                   jti: None,

     

       424
       424
       +
                   lxm: None,

     

       425
       425
       +
               };

     

       426
       426
       +
       

     

       427
       427
       +
               assert!(expired_claims.is_expired());

     

       428
       428
       +
       

     

       429
       429
       +
               let valid_claims = ServiceAuthClaims {

     

       430
       430
       +
                   iss: Did::new("did:plc:test").unwrap(),

     

       431
       431
       +
                   aud: Did::new("did:web:example.com").unwrap(),

     

       432
       432
       +
                   exp: now + 100,

     

       433
       433
       +
                   iat: now,

     

       434
       434
       +
                   jti: None,

     

       435
       435
       +
                   lxm: None,

     

       436
       436
       +
               };

     

       437
       437
       +
       

     

       438
       438
       +
               assert!(!valid_claims.is_expired());

     

       439
       439
       +
           }

     

       440
       440
       +
       

     

       441
       441
       +
           #[test]

     

       442
       442
       +
           fn test_audience_validation() {

     

       443
       443
       +
               let now = chrono::Utc::now().timestamp();

     

       444
       444
       +
               let claims = ServiceAuthClaims {

     

       445
       445
       +
                   iss: Did::new("did:plc:test").unwrap(),

     

       446
       446
       +
                   aud: Did::new("did:web:example.com").unwrap(),

     

       447
       447
       +
                   exp: now + 100,

     

       448
       448
       +
                   iat: now,

     

       449
       449
       +
                   jti: None,

     

       450
       450
       +
                   lxm: None,

     

       451
       451
       +
               };

     

       452
       452
       +
       

     

       453
       453
       +
               let expected_aud = Did::new("did:web:example.com").unwrap();

     

       454
       454
       +
               assert!(claims.validate(&expected_aud).is_ok());

     

       455
       455
       +
       

     

       456
       456
       +
               let wrong_aud = Did::new("did:web:wrong.com").unwrap();

     

       457
       457
       +
               assert!(matches!(

     

       458
       458
       +
                   claims.validate(&wrong_aud),

     

       459
       459
       +
                   Err(ServiceAuthError::AudienceMismatch { .. })

     

       460
       460
       +
               ));

     

       461
       461
       +
           }

     

       462
       462
       +
       

     

       463
       463
       +
           #[test]

     

       464
       464
       +
           fn test_method_check() {

     

       465
       465
       +
               let claims = ServiceAuthClaims {

     

       466
       466
       +
                   iss: Did::new("did:plc:test").unwrap(),

     

       467
       467
       +
                   aud: Did::new("did:web:example.com").unwrap(),

     

       468
       468
       +
                   exp: chrono::Utc::now().timestamp() + 100,

     

       469
       469
       +
                   iat: chrono::Utc::now().timestamp(),

     

       470
       470
       +
                   jti: None,

     

       471
       471
       +
                   lxm: Some(Nsid::new("app.bsky.feed.getFeedSkeleton").unwrap()),

     

       472
       472
       +
               };

     

       473
       473
       +
       

     

       474
       474
       +
               let expected = Nsid::new("app.bsky.feed.getFeedSkeleton").unwrap();

     

       475
       475
       +
               assert!(claims.check_method(&expected));

     

       476
       476
       +
       

     

       477
       477
       +
               let wrong = Nsid::new("app.bsky.feed.getTimeline").unwrap();

     

       478
       478
       +
               assert!(!claims.check_method(&wrong));

     

       479
       479
       +
           }

     

       480
       480
       +
       }

-2

crates/jacquard-common/src/types.rs

···

       24
       24
        
       pub mod integer;

     

       25
       25
        
       /// Language tag types per BCP 47

     

       26
       26
        
       pub mod language;

     

       27
       27
       -
       /// CID link wrapper for JSON serialization

     

       28
       28
       -
       pub mod link;

     

       29
       27
        
       /// Namespaced Identifier (NSID) types and validation

     

       30
       28
        
       pub mod nsid;

     

       31
       29
        
       /// Record key types and validation

+6 -1

crates/jacquard-common/src/types/aturi.rs

···

       330
       330
        
                   .as_ref()

     

       331
       331
        
                   .and_then(|p| p.rkey.as_ref())

     

       332
       332
        
           }

     

       333
       333
       +
       

     

       334
       334
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       335
       335
       +
           pub fn new_cow(uri: CowStr<'u>) -> Result<Self, AtStrError> {

     

       336
       336
       +
               Self::try_from(uri)

     

       337
       337
       +
           }

     

       333
       338
        
       }

     

       334
       339
        
       

     

       335
       340
        
       impl AtUri<'static> {

     
···

       615
       620
        
               D: Deserializer<'de>,

     

       616
       621
        
           {

     

       617
       622
        
               let value = Deserialize::deserialize(deserializer)?;

     

       618
       618
       -
               Self::new(value).map_err(D::Error::custom)

     

       623
       623
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       619
       624
        
           }

     

       620
       625
        
       }

     

       621
       626

+6 -1

crates/jacquard-common/src/types/blob.rs

···

       150
       150
        
               Ok(Self(mime_type))

     

       151
       151
        
           }

     

       152
       152
        
       

     

       153
       153
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       154
       154
       +
           pub fn new_cow(mime_type: CowStr<'m>) -> Result<MimeType<'m>, &'static str> {

     

       155
       155
       +
               Self::from_cowstr(mime_type)

     

       156
       156
       +
           }

     

       157
       157
       +
       

     

       153
       158
        
           /// Infallible constructor for trusted MIME type strings

     

       154
       159
        
           pub fn raw(mime_type: &'m str) -> Self {

     

       155
       160
        
               Self(CowStr::Borrowed(mime_type))

     
···

       190
       195
        
               D: Deserializer<'de>,

     

       191
       196
        
           {

     

       192
       197
        
               let value = Deserialize::deserialize(deserializer)?;

     

       193
       193
       -
               Self::new(value).map_err(D::Error::custom)

     

       198
       198
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       194
       199
        
           }

     

       195
       200
        
       }

     

       196
       201

+32 -10

crates/jacquard-common/src/types/cid.rs

···

       2
       2
        
       pub use cid::Cid as IpldCid;

     

       3
       3
        
       use serde::{Deserialize, Deserializer, Serialize, Serializer, de::Visitor};

     

       4
       4
        
       use smol_str::ToSmolStr;

     

       5
       5
       -
       use std::{convert::Infallible, fmt, marker::PhantomData, ops::Deref, str::FromStr};

     

       5
       5
       +
       use std::{convert::Infallible, fmt, ops::Deref, str::FromStr};

     

       6
       6
        
       

     

       7
       7
        
       /// CID codec for AT Protocol (raw)

     

       8
       8
        
       pub const ATP_CID_CODEC: u64 = 0x55;

     
···

       19
       19
        
       /// This type supports both string and parsed IPLD forms, with string caching

     

       20
       20
        
       /// for the parsed form to optimize serialization.

     

       21
       21
        
       ///

     

       22
       22
       -
       /// Deserialization automatically detects the format (bytes trigger IPLD parsing).

     

       22
       22
       +
       /// # Validation

     

       23
       23
       +
       ///

     

       24
       24
       +
       /// String deserialization does NOT validate CIDs. This is intentional for performance:

     

       25
       25
       +
       /// CID strings from AT Protocol endpoints are generally trustworthy, so validation

     

       26
       26
       +
       /// is deferred until needed. Use `to_ipld()` to parse and validate, or `is_valid()`

     

       27
       27
       +
       /// to check without parsing.

     

       28
       28
       +
       ///

     

       29
       29
       +
       /// Byte deserialization (CBOR) parses immediately since the data is already in binary form.

     

       23
       30
        
       #[derive(Debug, Clone, PartialEq, Eq, Hash)]

     

       24
       31
        
       pub enum Cid<'c> {

     

       25
       32
        
           /// Parsed IPLD CID with cached string representation

     
···

       100
       107
        
                   Cid::Str(cow_str) => cow_str.as_ref(),

     

       101
       108
        
               }

     

       102
       109
        
           }

     

       110
       110
       +
       

     

       111
       111
       +
           /// Check if the CID string is valid without parsing

     

       112
       112
       +
           ///

     

       113
       113
       +
           /// Returns `true` if the CID is already parsed (`Ipld` variant) or if

     

       114
       114
       +
           /// the string can be successfully parsed as an IPLD CID.

     

       115
       115
       +
           pub fn is_valid(&self) -> bool {

     

       116
       116
       +
               match self {

     

       117
       117
       +
                   Cid::Ipld { .. } => true,

     

       118
       118
       +
                   Cid::Str(s) => IpldCid::try_from(s.as_ref()).is_ok(),

     

       119
       119
       +
               }

     

       120
       120
       +
           }

     

       103
       121
        
       }

     

       104
       122
        
       

     

       105
       123
        
       impl std::fmt::Display for Cid<'_> {

     
···

       155
       173
        
           where

     

       156
       174
        
               D: Deserializer<'de>,

     

       157
       175
        
           {

     

       158
       158
       -
               struct StringOrBytes<T>(PhantomData<fn() -> T>);

     

       176
       176
       +
               struct CidVisitor;

     

       159
       177
        
       

     

       160
       160
       -
               impl<'de, T> Visitor<'de> for StringOrBytes<T>

     

       161
       161
       -
               where

     

       162
       162
       -
                   T: Deserialize<'de> + FromStr<Err = Infallible> + From<IpldCid>,

     

       163
       163
       -
               {

     

       164
       164
       -
                   type Value = T;

     

       178
       178
       +
               impl<'de> Visitor<'de> for CidVisitor {

     

       179
       179
       +
                   type Value = Cid<'de>;

     

       165
       180
        
       

     

       166
       181
        
                   fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {

     

       167
       182
        
                       formatter.write_str("either valid IPLD CID bytes or a str")

     

       168
       183
        
                   }

     

       169
       184
        
       

     

       185
       185
       +
                   fn visit_borrowed_str<E>(self, v: &'de str) -> Result<Self::Value, E>

     

       186
       186
       +
                   where

     

       187
       187
       +
                       E: serde::de::Error,

     

       188
       188
       +
                   {

     

       189
       189
       +
                       Ok(Cid::str(v))

     

       190
       190
       +
                   }

     

       191
       191
       +
       

     

       170
       192
        
                   fn visit_str<E>(self, v: &str) -> Result<Self::Value, E>

     

       171
       193
        
                   where

     

       172
       194
        
                       E: serde::de::Error,

     
···

       179
       201
        
                       E: serde::de::Error,

     

       180
       202
        
                   {

     

       181
       203
        
                       let hash = cid::multihash::Multihash::from_bytes(v).map_err(|e| E::custom(e))?;

     

       182
       182
       -
                       Ok(T::from(IpldCid::new_v1(ATP_CID_CODEC, hash)))

     

       204
       204
       +
                       Ok(Cid::ipld(IpldCid::new_v1(ATP_CID_CODEC, hash)))

     

       183
       205
        
                   }

     

       184
       206
        
               }

     

       185
       207
        
       

     

       186
       186
       -
               deserializer.deserialize_any(StringOrBytes(PhantomData))

     

       208
       208
       +
               deserializer.deserialize_any(CidVisitor)

     

       187
       209
        
           }

     

       188
       210
        
       }

     

       189
       211

+23 -1

crates/jacquard-common/src/types/did.rs

···

       54
       54
        
               }

     

       55
       55
        
           }

     

       56
       56
        
       

     

       57
       57
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       58
       58
       +
           ///

     

       59
       59
       +
           /// May allocate for a long DID with an at:// prefix, otherwise borrows.

     

       60
       60
       +
           pub fn new_cow(did: CowStr<'d>) -> Result<Self, AtStrError> {

     

       61
       61
       +
               let did = if let Some(did) = did.strip_prefix("at://") {

     

       62
       62
       +
                   CowStr::copy_from_str(did)

     

       63
       63
       +
               } else {

     

       64
       64
       +
                   did

     

       65
       65
       +
               };

     

       66
       66
       +
               if did.len() > 2048 {

     

       67
       67
       +
                   Err(AtStrError::too_long("did", &did, 2048, did.len()))

     

       68
       68
       +
               } else if !DID_REGEX.is_match(&did) {

     

       69
       69
       +
                   Err(AtStrError::regex(

     

       70
       70
       +
                       "did",

     

       71
       71
       +
                       &did,

     

       72
       72
       +
                       SmolStr::new_static("invalid"),

     

       73
       73
       +
                   ))

     

       74
       74
       +
               } else {

     

       75
       75
       +
                   Ok(Self(did))

     

       76
       76
       +
               }

     

       77
       77
       +
           }

     

       78
       78
       +
       

     

       57
       79
        
           /// Fallible constructor, validates, takes ownership

     

       58
       80
        
           pub fn new_owned(did: impl AsRef<str>) -> Result<Self, AtStrError> {

     

       59
       81
        
               let did = did.as_ref();

     
···

       144
       166
        
               D: Deserializer<'de>,

     

       145
       167
        
           {

     

       146
       168
        
               let value = Deserialize::deserialize(deserializer)?;

     

       147
       147
       -
               Self::new(value).map_err(D::Error::custom)

     

       169
       169
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       148
       170
        
           }

     

       149
       171
        
       }

     

       150
       172

+29 -1

crates/jacquard-common/src/types/handle.rs

···

       108
       108
        
                   Ok(Self(CowStr::new_static(handle)))

     

       109
       109
        
               }

     

       110
       110
        
           }

     

       111
       111
       +
       

     

       112
       112
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       113
       113
       +
           ///

     

       114
       114
       +
           /// May allocate for a long handle with an at:// or @ prefix, otherwise borrows.

     

       115
       115
       +
           /// Accepts (and strips) preceding '@' or 'at://' if present

     

       116
       116
       +
           pub fn new_cow(handle: CowStr<'h>) -> Result<Self, AtStrError> {

     

       117
       117
       +
               let handle = if let Some(stripped) = handle.strip_prefix("at://") {

     

       118
       118
       +
                   CowStr::copy_from_str(stripped)

     

       119
       119
       +
               } else if let Some(stripped) = handle.strip_prefix('@') {

     

       120
       120
       +
                   CowStr::copy_from_str(stripped)

     

       121
       121
       +
               } else {

     

       122
       122
       +
                   handle

     

       123
       123
       +
               };

     

       124
       124
       +
               if handle.len() > 253 {

     

       125
       125
       +
                   Err(AtStrError::too_long("handle", &handle, 253, handle.len()))

     

       126
       126
       +
               } else if !HANDLE_REGEX.is_match(&handle) {

     

       127
       127
       +
                   Err(AtStrError::regex(

     

       128
       128
       +
                       "handle",

     

       129
       129
       +
                       &handle,

     

       130
       130
       +
                       SmolStr::new_static("invalid"),

     

       131
       131
       +
                   ))

     

       132
       132
       +
               } else if ends_with(&handle, DISALLOWED_TLDS) {

     

       133
       133
       +
                   Err(AtStrError::disallowed("handle", &handle, DISALLOWED_TLDS))

     

       134
       134
       +
               } else {

     

       135
       135
       +
                   Ok(Self(handle))

     

       136
       136
       +
               }

     

       137
       137
       +
           }

     

       138
       138
       +
       

     

       111
       139
        
           /// Infallible constructor for when you *know* the string is a valid handle.

     

       112
       140
        
           /// Will panic on invalid handles. If you're manually decoding atproto records

     

       113
       141
        
           /// or API values you know are valid (rather than using serde), this is the one to use.

     
···

       179
       207
        
               D: Deserializer<'de>,

     

       180
       208
        
           {

     

       181
       209
        
               let value = Deserialize::deserialize(deserializer)?;

     

       182
       182
       -
               Self::new(value).map_err(D::Error::custom)

     

       210
       210
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       183
       211
        
           }

     

       184
       212
        
       }

     

       185
       213

crates/jacquard-common/src/types/ident.rs

···

       54
       54
        
               }

     

       55
       55
        
           }

     

       56
       56
        
       

     

       57
       57
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       58
       58
       +
           pub fn new_cow(ident: CowStr<'i>) -> Result<Self, AtStrError> {

     

       59
       59
       +
               if let Ok(did) = Did::new_cow(ident.clone()) {

     

       60
       60
       +
                   Ok(AtIdentifier::Did(did))

     

       61
       61
       +
               } else {

     

       62
       62
       +
                   Ok(AtIdentifier::Handle(Handle::new_cow(ident)?))

     

       63
       63
       +
               }

     

       64
       64
       +
           }

     

       65
       65
       +
       

     

       57
       66
        
           /// Infallible constructor for when you *know* the string is a valid identifier.

     

       58
       67
        
           /// Will panic on invalid identifiers. If you're manually decoding atproto records

     

       59
       68
        
           /// or API values you know are valid (rather than using serde), this is the one to use.

-1

crates/jacquard-common/src/types/link.rs

···

       1
       1
       -
       // strongref, blobref(s), cid links

+17 -2

crates/jacquard-common/src/types/nsid.rs

···

       81
       81
        
               }

     

       82
       82
        
           }

     

       83
       83
        
       

     

       84
       84
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       85
       85
       +
           pub fn new_cow(nsid: CowStr<'n>) -> Result<Self, AtStrError> {

     

       86
       86
       +
               if nsid.len() > 317 {

     

       87
       87
       +
                   Err(AtStrError::too_long("nsid", &nsid, 317, nsid.len()))

     

       88
       88
       +
               } else if !NSID_REGEX.is_match(&nsid) {

     

       89
       89
       +
                   Err(AtStrError::regex(

     

       90
       90
       +
                       "nsid",

     

       91
       91
       +
                       &nsid,

     

       92
       92
       +
                       SmolStr::new_static("invalid"),

     

       93
       93
       +
                   ))

     

       94
       94
       +
               } else {

     

       95
       95
       +
                   Ok(Self(nsid))

     

       96
       96
       +
               }

     

       97
       97
       +
           }

     

       98
       98
       +
       

     

       84
       99
        
           /// Infallible constructor for when you *know* the string is a valid NSID.

     

       85
       100
        
           /// Will panic on invalid NSIDs. If you're manually decoding atproto records

     

       86
       101
        
           /// or API values you know are valid (rather than using serde), this is the one to use.

     
···

       148
       163
        
           where

     

       149
       164
        
               D: Deserializer<'de>,

     

       150
       165
        
           {

     

       151
       151
       -
               let value: &str = Deserialize::deserialize(deserializer)?;

     

       152
       152
       -
               Self::new(value).map_err(D::Error::custom)

     

       166
       166
       +
               let value = Deserialize::deserialize(deserializer)?;

     

       167
       167
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       153
       168
        
           }

     

       154
       169
        
       }

     

       155
       170

+17 -2

crates/jacquard-common/src/types/recordkey.rs

···

       137
       137
        
               }

     

       138
       138
        
           }

     

       139
       139
        
       

     

       140
       140
       +
           /// Fallible constructor, validates, borrows from input if possible

     

       141
       141
       +
           pub fn new_cow(rkey: CowStr<'r>) -> Result<Self, AtStrError> {

     

       142
       142
       +
               if [".", ".."].contains(&rkey.as_ref()) {

     

       143
       143
       +
                   Err(AtStrError::disallowed("record-key", &rkey, &[".", ".."]))

     

       144
       144
       +
               } else if !RKEY_REGEX.is_match(&rkey) {

     

       145
       145
       +
                   Err(AtStrError::regex(

     

       146
       146
       +
                       "record-key",

     

       147
       147
       +
                       &rkey,

     

       148
       148
       +
                       SmolStr::new_static("doesn't match 'any' schema"),

     

       149
       149
       +
                   ))

     

       150
       150
       +
               } else {

     

       151
       151
       +
                   Ok(Self(rkey))

     

       152
       152
       +
               }

     

       153
       153
       +
           }

     

       154
       154
       +
       

     

       140
       155
        
           /// Infallible constructor for when you *know* the string is a valid rkey.

     

       141
       156
        
           /// Will panic on invalid rkeys. If you're manually decoding atproto records

     

       142
       157
        
           /// or API values you know are valid (rather than using serde), this is the one to use.

     
···

       200
       215
        
           where

     

       201
       216
        
               D: Deserializer<'de>,

     

       202
       217
        
           {

     

       203
       203
       -
               let value: &str = Deserialize::deserialize(deserializer)?;

     

       204
       204
       -
               Self::new(value).map_err(D::Error::custom)

     

       218
       218
       +
               let value = Deserialize::deserialize(deserializer)?;

     

       219
       219
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       205
       220
        
           }

     

       206
       221
        
       }

     

       207
       222

+30 -7

crates/jacquard-common/src/types/uri.rs

···

       1
       1
       -
       use serde::{Deserialize, Deserializer, Serialize, Serializer};

     

       2
       2
       -
       use smol_str::ToSmolStr;

     

       3
       3
       -
       use url::Url;

     

       4
       4
       -
       

     

       5
       1
        
       use crate::{

     

       6
       2
        
           CowStr, IntoStatic,

     

       7
       3
        
           types::{aturi::AtUri, cid::Cid, did::Did, string::AtStrError},

     

       8
       4
        
       };

     

       5
       5
       +
       use serde::{Deserialize, Deserializer, Serialize, Serializer};

     

       6
       6
       +
       use smol_str::ToSmolStr;

     

       7
       7
       +
       use std::str::FromStr;

     

       8
       8
       +
       use url::Url;

     

       9
       9
        
       

     

       10
       10
        
       /// Generic URI with type-specific parsing

     

       11
       11
        
       ///

     
···

       55
       55
        
               } else if uri.starts_with("wss://") {

     

       56
       56
        
                   Ok(Uri::Https(Url::parse(uri)?))

     

       57
       57
        
               } else if uri.starts_with("ipld://") {

     

       58
       58
       -
                   Ok(Uri::Cid(Cid::new(uri.as_bytes())?))

     

       58
       58
       +
                   Ok(Uri::Cid(

     

       59
       59
       +
                       Cid::from_str(uri.strip_prefix("ipld://").unwrap_or(uri.as_ref())).unwrap(),

     

       60
       60
       +
                   ))

     

       59
       61
        
               } else {

     

       60
       62
        
                   Ok(Uri::Any(CowStr::Borrowed(uri)))

     

       61
       63
        
               }

     
···

       73
       75
        
               } else if uri.starts_with("wss://") {

     

       74
       76
        
                   Ok(Uri::Https(Url::parse(uri)?))

     

       75
       77
        
               } else if uri.starts_with("ipld://") {

     

       76
       76
       -
                   Ok(Uri::Cid(Cid::new_owned(uri.as_bytes())?))

     

       78
       78
       +
                   Ok(Uri::Cid(

     

       79
       79
       +
                       Cid::from_str(uri.strip_prefix("ipld://").unwrap_or(uri.as_ref())).unwrap(),

     

       80
       80
       +
                   ))

     

       77
       81
        
               } else {

     

       78
       82
        
                   Ok(Uri::Any(CowStr::Owned(uri.to_smolstr())))

     

       79
       83
        
               }

     

       80
       84
        
           }

     

       81
       85
        
       

     

       86
       86
       +
           /// Parse a URI from a CowStr, borrowing where possible

     

       87
       87
       +
           pub fn new_cow(uri: CowStr<'u>) -> Result<Self, UriParseError> {

     

       88
       88
       +
               if uri.starts_with("did:") {

     

       89
       89
       +
                   Ok(Uri::Did(Did::new_cow(uri)?))

     

       90
       90
       +
               } else if uri.starts_with("at://") {

     

       91
       91
       +
                   Ok(Uri::At(AtUri::new_cow(uri)?))

     

       92
       92
       +
               } else if uri.starts_with("https://") {

     

       93
       93
       +
                   Ok(Uri::Https(Url::parse(uri.as_ref())?))

     

       94
       94
       +
               } else if uri.starts_with("wss://") {

     

       95
       95
       +
                   Ok(Uri::Https(Url::parse(uri.as_ref())?))

     

       96
       96
       +
               } else if uri.starts_with("ipld://") {

     

       97
       97
       +
                   Ok(Uri::Cid(

     

       98
       98
       +
                       Cid::from_str(uri.strip_prefix("ipld://").unwrap_or(uri.as_str())).unwrap(),

     

       99
       99
       +
                   ))

     

       100
       100
       +
               } else {

     

       101
       101
       +
                   Ok(Uri::Any(uri))

     

       102
       102
       +
               }

     

       103
       103
       +
           }

     

       104
       104
       +
       

     

       82
       105
        
           /// Get the URI as a string slice

     

       83
       106
        
           pub fn as_str(&self) -> &str {

     

       84
       107
        
               match self {

     
···

       111
       134
        
           {

     

       112
       135
        
               use serde::de::Error;

     

       113
       136
        
               let value = Deserialize::deserialize(deserializer)?;

     

       114
       114
       -
               Self::new(value).map_err(D::Error::custom)

     

       137
       137
       +
               Self::new_cow(value).map_err(D::Error::custom)

     

       115
       138
        
           }

     

       116
       139
        
       }

     

       117
       140

+1 -1

crates/jacquard-common/src/xrpc.rs

···

       238
       238
        
           fn send<R>(

     

       239
       239
        
               &self,

     

       240
       240
        
               request: R,

     

       241
       241
       -
           ) -> impl Future<Output = XrpcResult<Response<<R as XrpcRequest>::Response>>>

     

       241
       241
       +
           ) -> impl Future<Output = XrpcResult<Response<<R as XrpcRequest>::Response>>> + Send

     

       242
       242
        
           where

     

       243
       243
        
               R: XrpcRequest + Send + Sync,

     

       244
       244
        
               <R as XrpcRequest>::Response: Send + Sync;

+7 -5

crates/jacquard-identity/src/lib.rs

···

       84
       84
        
       use jacquard_common::{IntoStatic, types::string::Handle};

     

       85
       85
        
       use percent_encoding::percent_decode_str;

     

       86
       86
        
       use reqwest::StatusCode;

     

       87
       87
       +
       use std::sync::Arc;

     

       87
       88
        
       use url::{ParseError, Url};

     

       88
       89
        
       

     

       89
       90
        
       #[cfg(feature = "dns")]

     

       90
       91
        
       use hickory_resolver::{TokioAsyncResolver, config::ResolverConfig};

     

       91
       92
        
       

     

       92
       93
        
       /// Default resolver implementation with configurable fallback order.

     

       94
       94
       +
       #[derive(Clone)]

     

       93
       95
        
       pub struct JacquardResolver {

     

       94
       96
        
           http: reqwest::Client,

     

       95
       97
        
           opts: ResolverOptions,

     

       96
       98
        
           #[cfg(feature = "dns")]

     

       97
       97
       -
           dns: Option<TokioAsyncResolver>,

     

       99
       99
       +
           dns: Option<Arc<TokioAsyncResolver>>,

     

       98
       100
        
       }

     

       99
       101
        
       

     

       100
       102
        
       impl JacquardResolver {

     
···

       114
       116
        
               Self {

     

       115
       117
        
                   http,

     

       116
       118
        
                   opts,

     

       117
       117
       -
                   dns: Some(TokioAsyncResolver::tokio(

     

       119
       119
       +
                   dns: Some(Arc::new(TokioAsyncResolver::tokio(

     

       118
       120
        
                       ResolverConfig::default(),

     

       119
       121
        
                       Default::default(),

     

       120
       120
       -
                   )),

     

       122
       122
       +
                   ))),

     

       121
       123
        
               }

     

       122
       124
        
           }

     

       123
       125
        
       

     

       124
       126
        
           #[cfg(feature = "dns")]

     

       125
       127
        
           /// Add default DNS resolution to the resolver

     

       126
       128
        
           pub fn with_system_dns(mut self) -> Self {

     

       127
       127
       -
               self.dns = Some(TokioAsyncResolver::tokio(

     

       129
       129
       +
               self.dns = Some(Arc::new(TokioAsyncResolver::tokio(

     

       128
       130
        
                   ResolverConfig::default(),

     

       129
       131
        
                   Default::default(),

     

       130
       130
       -
               ));

     

       132
       132
       +
               )));

     

       131
       133
        
               self

     

       132
       134
        
           }

     

       133
       135

+28 -8

crates/jacquard-identity/src/resolver.rs

···

       10
       10
        
       //! and optionally validate the document `id` against the requested DID.

     

       11
       11
        
       

     

       12
       12
        
       use std::collections::BTreeMap;

     

       13
       13
       +
       use std::marker::Sync;

     

       13
       14
        
       use std::str::FromStr;

     

       14
       15
        
       

     

       15
       16
        
       use bon::Builder;

     
···

       333
       334
        
           fn resolve_handle(

     

       334
       335
        
               &self,

     

       335
       336
        
               handle: &Handle<'_>,

     

       336
       336
       -
           ) -> impl Future<Output = Result<Did<'static>, IdentityError>>;

     

       337
       337
       +
           ) -> impl Future<Output = Result<Did<'static>, IdentityError>> + Send

     

       338
       338
       +
           where

     

       339
       339
       +
               Self: Sync;

     

       337
       340
        
       

     

       338
       341
        
           /// Resolve DID document

     

       339
       342
        
           fn resolve_did_doc(

     

       340
       343
        
               &self,

     

       341
       344
        
               did: &Did<'_>,

     

       342
       342
       -
           ) -> impl Future<Output = Result<DidDocResponse, IdentityError>>;

     

       345
       345
       +
           ) -> impl Future<Output = Result<DidDocResponse, IdentityError>> + Send

     

       346
       346
       +
           where

     

       347
       347
       +
               Self: Sync;

     

       343
       348
        
       

     

       344
       349
        
           /// Resolve DID doc from an identifier

     

       345
       350
        
           fn resolve_ident(

     

       346
       351
        
               &self,

     

       347
       352
        
               actor: &AtIdentifier<'_>,

     

       348
       348
       -
           ) -> impl Future<Output = Result<DidDocResponse, IdentityError>> {

     

       353
       353
       +
           ) -> impl Future<Output = Result<DidDocResponse, IdentityError>> + Send

     

       354
       354
       +
           where

     

       355
       355
       +
               Self: Sync,

     

       356
       356
       +
           {

     

       349
       357
        
               async move {

     

       350
       358
        
                   match actor {

     

       351
       359
        
                       AtIdentifier::Did(did) => self.resolve_did_doc(&did).await,

     
···

       361
       369
        
           fn resolve_ident_owned(

     

       362
       370
        
               &self,

     

       363
       371
        
               actor: &AtIdentifier<'_>,

     

       364
       364
       -
           ) -> impl Future<Output = Result<DidDocument<'static>, IdentityError>> {

     

       372
       372
       +
           ) -> impl Future<Output = Result<DidDocument<'static>, IdentityError>> + Send

     

       373
       373
       +
           where

     

       374
       374
       +
               Self: Sync,

     

       375
       375
       +
           {

     

       365
       376
        
               async move {

     

       366
       377
        
                   match actor {

     

       367
       378
        
                       AtIdentifier::Did(did) => self.resolve_did_doc_owned(&did).await,

     
···

       377
       388
        
           fn resolve_did_doc_owned(

     

       378
       389
        
               &self,

     

       379
       390
        
               did: &Did<'_>,

     

       380
       380
       -
           ) -> impl Future<Output = Result<DidDocument<'static>, IdentityError>> {

     

       391
       391
       +
           ) -> impl Future<Output = Result<DidDocument<'static>, IdentityError>> + Send

     

       392
       392
       +
           where

     

       393
       393
       +
               Self: Sync,

     

       394
       394
       +
           {

     

       381
       395
        
               async { self.resolve_did_doc(did).await?.into_owned() }

     

       382
       396
        
           }

     

       383
       397
        
           /// Return the PDS url for a DID

     

       384
       384
       -
           fn pds_for_did(&self, did: &Did<'_>) -> impl Future<Output = Result<Url, IdentityError>> {

     

       398
       398
       +
           fn pds_for_did(&self, did: &Did<'_>) -> impl Future<Output = Result<Url, IdentityError>> + Send

     

       399
       399
       +
           where

     

       400
       400
       +
               Self: Sync,

     

       401
       401
       +
           {

     

       385
       402
        
               async {

     

       386
       403
        
                   let resp = self.resolve_did_doc(did).await?;

     

       387
       404
        
                   let doc = resp.parse()?;

     
···

       401
       418
        
           fn pds_for_handle(

     

       402
       419
        
               &self,

     

       403
       420
        
               handle: &Handle<'_>,

     

       404
       404
       -
           ) -> impl Future<Output = Result<(Did<'static>, Url), IdentityError>> {

     

       421
       421
       +
           ) -> impl Future<Output = Result<(Did<'static>, Url), IdentityError>> + Send

     

       422
       422
       +
           where

     

       423
       423
       +
               Self: Sync,

     

       424
       424
       +
           {

     

       405
       425
        
               async {

     

       406
       426
        
                   let did = self.resolve_handle(handle).await?;

     

       407
       427
        
                   let pds = self.pds_for_did(&did).await?;

     
···

       410
       430
        
           }

     

       411
       431
        
       }

     

       412
       432
        
       

     

       413
       413
       -
       impl<T: IdentityResolver> IdentityResolver for std::sync::Arc<T> {

     

       433
       433
       +
       impl<T: IdentityResolver + Sync> IdentityResolver for std::sync::Arc<T> {

     

       414
       434
        
           fn options(&self) -> &ResolverOptions {

     

       415
       435
        
               self.as_ref().options()

     

       416
       436
        
           }

+21 -6

crates/jacquard-oauth/src/resolver.rs

···

       120
       120
        
               &self,

     

       121
       121
        
               server_metadata: &OAuthAuthorizationServerMetadata<'_>,

     

       122
       122
        
               sub: &Did<'_>,

     

       123
       123
       -
           ) -> impl std::future::Future<Output = Result<Url, ResolverError>> {

     

       123
       123
       +
           ) -> impl std::future::Future<Output = Result<Url, ResolverError>> + Send

     

       124
       124
       +
           where

     

       125
       125
       +
               Self: Sync,

     

       126
       126
       +
           {

     

       124
       127
        
               async {

     

       125
       128
        
                   let (metadata, identity) = self.resolve_from_identity(sub).await?;

     

       126
       129
        
                   if !issuer_equivalent(&metadata.issuer, &server_metadata.issuer) {

     
···

       144
       147
        
                   ),

     

       145
       148
        
                   ResolverError,

     

       146
       149
        
               >,

     

       147
       147
       -
           > {

     

       150
       150
       +
           > + Send

     

       151
       151
       +
           where

     

       152
       152
       +
               Self: Sync,

     

       153
       153
       +
           {

     

       148
       154
        
               // Allow using an entryway, or PDS url, directly as login input (e.g.

     

       149
       155
        
               // when the user forgot their handle, or when the handle does not

     

       150
       156
        
               // resolve to a DID)

     
···

       161
       167
        
           fn resolve_from_service(

     

       162
       168
        
               &self,

     

       163
       169
        
               input: &Url,

     

       164
       164
       -
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>>

     

       170
       170
       +
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>> + Send

     

       171
       171
       +
           where

     

       172
       172
       +
               Self: Sync,

     

       165
       173
        
           {

     

       166
       174
        
               async {

     

       167
       175
        
                   // Assume first that input is a PDS URL (as required by ATPROTO)

     
···

       183
       191
        
                   ),

     

       184
       192
        
                   ResolverError,

     

       185
       193
        
               >,

     

       186
       186
       -
           > {

     

       194
       194
       +
           > + Send

     

       195
       195
       +
           where

     

       196
       196
       +
               Self: Sync,

     

       197
       197
       +
           {

     

       187
       198
        
               async {

     

       188
       199
        
                   let actor = AtIdentifier::new(input)

     

       189
       200
        
                       .map_err(|e| ResolverError::AtIdentifier(format!("{:?}", e)))?;

     
···

       199
       210
        
           fn get_authorization_server_metadata(

     

       200
       211
        
               &self,

     

       201
       212
        
               issuer: &Url,

     

       202
       202
       -
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>>

     

       213
       213
       +
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>> + Send

     

       214
       214
       +
           where

     

       215
       215
       +
               Self: Sync,

     

       203
       216
        
           {

     

       204
       217
        
               async {

     

       205
       218
        
                   let mut md = resolve_authorization_server(self, issuer).await?;

     
···

       211
       224
        
           fn get_resource_server_metadata(

     

       212
       225
        
               &self,

     

       213
       226
        
               pds: &Url,

     

       214
       214
       -
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>>

     

       227
       227
       +
           ) -> impl Future<Output = Result<OAuthAuthorizationServerMetadata<'static>, ResolverError>> + Send

     

       228
       228
       +
           where

     

       229
       229
       +
               Self: Sync,

     

       215
       230
        
           {

     

       216
       231
        
               async move {

     

       217
       232
        
                   let rs_metadata = resolve_protected_resource_info(self, pds).await?;

+1 -1

crates/jacquard/src/client/credential_session.rs

···

       149
       149
        
       impl<S, T> CredentialSession<S, T>

     

       150
       150
        
       where

     

       151
       151
        
           S: SessionStore<SessionKey, AtpSession>,

     

       152
       152
       -
           T: HttpClient + IdentityResolver + XrpcExt,

     

       152
       152
       +
           T: HttpClient + IdentityResolver + XrpcExt + Sync + Send,

     

       153
       153
        
       {

     

       154
       154
        
           /// Resolve the user's PDS and create an app-password session.

     

       155
       155
        
           ///