custom JWT security

[nelsonsilva94]

Hi, I'm trying to implement a custom JWT security with rocket 0.5.0-rc.2, and for now, I already see the token sent as an authorization in the endpoint request. This is good, but in my endpoint, I later call another external API and I need the previous token to be sent. Is there a way to "catch" the jwt token and use it later?

That is what I have:

    #[utoipa::path(
        context_path = "/auth",
        responses(
            (status = 200, description = "User Logged in successfully", body = User),
            (status = 401, description = "Unauthorized: The request requires valid record authorization token to be set.", body = AuthError, example = json!(AuthError::Unauthorized(String::from("The request requires valid record authorization token to be set.")))),
            (status = 403, description = "Forbidden: The authorized record model is not allowed to perform this action.", body = AuthError, example = json!(AuthError::Forbidden(String::from("The authorized record model is not allowed to perform this action.")))),
            (status = 404, description = "Bad request: Missing auth record context.", body = AuthError, example = json!(AuthError::NotFound(String::from("Missing auth record context.")))),
        ),
        security(
            ("api_auth_token" = [])
        )
    )]
    #[post("/auth-refresh")]
    pub async fn auth_refresh(pocket_base_config: &State<PocketBaseConfig>) -> Json<User> {
        user_auth_refresh(pocket_base_config).await
    }

So, when I call this endpoint, the curl is this:

curl -X 'POST' \
  'http://localhost:8000/auth/auth-refresh' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer eyJhbGciOiJI...........' \
  -d ''

I can see that the token is there and I want to use it later on the user_auth_refresh() function

The user_auth_refresh() function looks like this:

 async fn user_auth_refresh(pocket_base_config: &State<PocketBaseConfig>) -> Json<User> {

        let user_info = pocket_base_config
            .reqwest_client
            .post(format!(
                "{}/api/collections/users/auth-refresh",
                pocket_base_config.pb_url
            ))
            // .bearer_auth(&token)
            .send()
            .await
            .unwrap();

        let res_str = user_info.text().await.unwrap();
        let res_json: User = serde_json::from_str(&res_str).unwrap();

        Json(res_json)
    }

It is possible at all? It is a good practice?

Thanks so much in advance, I have been using utoipa and I think you're doing such a good job!

[juhaku]

I later call another external API and I need the previous token to be sent. Is there a way to "catch" the jwt token and use it later?

Hey, sure this is possible. Though utoipa does not itself provide such mechanism. utoipa is merely a massive derive macro / rust Open API types library that helps you to document the api.

Way to access that information is dependant to framework in use. In case of rocket (or in any other framework to be honest) you need to find a way to access request headers within your handler enpoint. e.g. let token = headers.get("Authorization"); Note this code is not a real code but something similar should be available for each framework. A wild guess is that you either need to implement a custom request guard if you cannot have a direct access to the request itself within the handler.

It is a good practice?

I would say that it depends on what you are trying to build. Sure this is okay, there are cases e.g. if you are implementing a proxy where you need to get access to the authorization and other headers that are then forwared to another API down the line. But if you are doing authorization validation twice then usually doing double job is not a best way to implement things. Though in these cases most likely the authorization valiation check would have been abstracted away so it will not be visible to the actual endpoint itself.

Hope this helps

Cheers

[nelsonsilva94]

Hey,

Thanks for the informative answer!
Problem solved, you were right, I was able to access the token using use rocket::request::FromRequest; trait.

Here is some of my working example:

use rocket::http::Status;
use rocket::request::{self, FromRequest, Request};
use rocket::Outcome;

// The struct that represents a JWT token.
#[derive(Debug)]
struct JWT {
    // Add fields for the JWT claims here.
}

impl<'a, 'r> FromRequest<'a, 'r> for JWT {
    type Error = ();

    fn from_request(request: &'a Request<'r>) -> request::Outcome<Self, Self::Error> {
        let headers = request.headers();
        let authorization = headers.get_one("Authorization");
        if let Some(auth) = authorization {
            if auth.starts_with("Bearer ") {
                // Extract the JWT token from the "Bearer" scheme in the `Authorization` header.
                let token = &auth["Bearer ".len()..];
                // Use a JWT library to decode the token and create a `JWT` struct.
                // Return a successful outcome with the `JWT` struct.
                return Outcome::Success(JWT {
                    // Fill in the claims from the JWT.
                });
            }
        }
        // If the `Authorization` header is not present or is not a "Bearer" token, return a failure outcome.
        Outcome::Failure((Status::BadRequest, ()))
    }
}

I know is not related to utoipa but might help someone in the future.

Best regards