Validate token

api/src/actors/token_manager.rs

@@ -1,8 +1,12 @@
+use std::collections::BTreeMap;
 use std::str::FromStr;
 use std::sync::Arc;
 
 use actix::{Addr, Message};
 use chrono::prelude::*;
+use hmac::digest::KeyInit;
+use hmac::Hmac;
+use sha2::Sha256;
 
 use crate::database::{Database, TokenByJti};
 use crate::model::{AccountId, Audience, Token, TokenString};
@@ -73,7 +77,7 @@ pub struct CreateToken {
 
 token_async_handler!(CreateToken, create_token, (Token, TokenString));
 
-async fn create_token(
+pub(crate) async fn create_token(
     msg: CreateToken,
     db: Addr<Database>,
     secret: Arc<String>,
@@ -107,19 +111,9 @@ async fn create_token(
     };
 
     let token_string = {
-        use std::collections::BTreeMap;
-
-        use hmac::{Hmac, Mac};
         use jwt::SignWithKey;
-        use sha2::Sha256;
 
-        let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
-            Ok(key) => key,
-            Err(e) => {
-                log::error!("{e:?}");
-                return Err(Error::SaveInternal);
-            }
-        };
+        let key: Hmac<Sha256> = build_key(secret)?;
         let mut claims = BTreeMap::new();
 
         // cti (customer id): Customer uuid identifier used by payment service
@@ -168,21 +162,11 @@ pub(crate) async fn validate(
     db: Addr<Database>,
     secret: Arc<String>,
 ) -> Result<(Token, bool)> {
-    use std::collections::BTreeMap;
-
-    use hmac::{Hmac, Mac};
     use jwt::VerifyWithKey;
-    use sha2::Sha256;
 
     log::info!("Validating token {:?}", msg.token);
 
-    let key: Hmac<Sha256> = match Hmac::new_from_slice(secret.as_bytes()) {
-        Ok(key) => key,
-        Err(e) => {
-            log::error!("{e:?}");
-            return Err(Error::ValidateInternal);
-        }
-    };
+    let key: Hmac<Sha256> = build_key(secret)?;
     let claims: BTreeMap<String, String> = match msg.token.verify_with_key(&key) {
         Ok(claims) => claims,
         _ => return Err(Error::Validate),
@@ -209,59 +193,72 @@ pub(crate) async fn validate(
         }
     };
 
-    match (claims.get("cti"), &token.customer_id) {
-        (Some(cti), id) => {
-            if !uuid::Uuid::from_str(cti)
-                .map(|u| u == *id)
-                .unwrap_or_default()
-            {
-                return Ok((token, false));
-            }
-        }
-        _ => return Ok((token, false)),
+    if !validate_pair(&claims, "cti", token.customer_id, validate_uuid) {
+        return Ok((token, false));
     }
+    // if !validate_pair(&claims, "arl", token.role, |left, right| right == left) {
+    //     return Ok((token, false));
+    // }
     match (claims.get("arl"), &token.role) {
-        (Some(arl), role) if arl == role.as_str() => {}
+        (Some(arl), role) if role == arl.as_str() => {}
         _ => return Ok((token, false)),
     }
     match (claims.get("iss"), &token.issuer) {
         (Some(iss), issuer) if iss == issuer => {}
         _ => return Ok((token, false)),
     }
-    match (claims.get("sub"), &token.subject) {
-        (Some(sub), subject) => {
-            if !sub
-                .parse::<i32>()
-                .map(|n| n == *subject)
-                .unwrap_or_default()
-            {
-                return Ok((token, false));
-            }
-        }
-        _ => return Ok((token, false)),
+    if !validate_pair(&claims, "sub", token.subject, validate_num) {
+        return Ok((token, false));
     }
+
     match (claims.get("aud"), &token.audience) {
         (Some(aud), audience) if aud == audience.as_str() => {}
         _ => return Ok((token, false)),
     }
-    match (claims.get("exp"), &token.expiration_time) {
-        (Some(left), right) if validate_time(left, right) => {}
-        _ => return Ok((token, false)),
+
+    if !validate_pair(&claims, "exp", &token.expiration_time, validate_time) {
+        return Ok((token, false));
     }
-    match (claims.get("nbt"), &token.not_before_time) {
-        (Some(left), right) if validate_time(left, right) => {}
-        _ => return Ok((token, false)),
+    if !validate_pair(&claims, "nbt", &token.not_before_time, validate_time) {
+        return Ok((token, false));
     }
-    match (claims.get("iat"), &token.issued_at_time) {
-        (Some(left), right) if validate_time(left, right) => {}
-        _ => return Ok((token, false)),
+    if !validate_pair(&claims, "iat", &token.issued_at_time, validate_time) {
+        return Ok((token, false));
     }
 
     Ok((token, true))
 }
 
+fn build_key(secret: Arc<String>) -> Result<Hmac<Sha256>> {
+    match Hmac::new_from_slice(secret.as_bytes()) {
+        Ok(key) => Ok(key),
+        Err(e) => {
+            log::error!("{e:?}");
+            Err(Error::ValidateInternal)
+        }
+    }
+}
+
+fn validate_pair<F, V>(claims: &BTreeMap<String, String>, key: &str, v: V, cmp: F) -> bool
+where
+    F: FnOnce(&str, V) -> bool,
+    V: PartialEq,
+{
+    claims.get(key).map(|s| cmp(s, v)).unwrap_or_default()
+}
+
 fn validate_time(left: &str, right: &NaiveDateTime) -> bool {
     chrono::DateTime::parse_from_str(left, "%+")
         .map(|t| t.naive_utc() == *right)
         .unwrap_or_default()
 }
+
+fn validate_num(left: &str, right: i32) -> bool {
+    left.parse::<i32>().map(|n| n == right).unwrap_or_default()
+}
+
+fn validate_uuid(left: &str, right: uuid::Uuid) -> bool {
+    uuid::Uuid::from_str(left)
+        .map(|u| u == right)
+        .unwrap_or_default()
+}

api/src/model.rs

@@ -31,7 +31,7 @@ pub enum OrderStatus {
     Refunded,
 }
 
-#[derive(sqlx::Type, Copy, Clone, Debug, Display, Deserialize, Serialize)]
+#[derive(sqlx::Type, Copy, Clone, Debug, Display, Deserialize, Serialize, PartialEq)]
 #[sqlx(rename_all = "snake_case")]
 pub enum Role {
     #[display(fmt = "Adminitrator")]
@@ -40,6 +40,12 @@ pub enum Role {
     User,
 }
 
+impl PartialEq<str> for Role {
+    fn eq(&self, other: &str) -> bool {
+        self.as_str() == other
+    }
+}
+
 impl Role {
     pub fn as_str(&self) -> &str {
         match self {