reth_rpc_layer/
jwt_validator.rs

Help
1use crate::{AuthValidator, JwtError, JwtSecret};
2use http::{header, HeaderMap, Response, StatusCode};
3use jsonrpsee_http_client::{HttpBody, HttpResponse};
4use tracing::error;
5
6/// Implements JWT validation logics and integrates
7/// to an Http [`AuthLayer`][crate::AuthLayer]
8/// by implementing the [`AuthValidator`] trait.
9#[derive(Debug, Clone)]
10pub struct JwtAuthValidator {
11    secret: JwtSecret,
12}
13
14impl JwtAuthValidator {
15    /// Creates a new instance of [`JwtAuthValidator`].
16    /// Validation logics are implemented by the `secret`
17    /// argument (see [`JwtSecret`]).
18    pub const fn new(secret: JwtSecret) -> Self {
19        Self { secret }
20    }
21}
22
23impl AuthValidator for JwtAuthValidator {
24    fn validate(&self, headers: &HeaderMap) -> Result<(), HttpResponse> {
25        match get_bearer(headers) {
26            Some(jwt) => match self.secret.validate(&jwt) {
27                Ok(_) => Ok(()),
28                Err(e) => {
29                    error!(target: "engine::jwt-validator", "Invalid JWT: {e}");
30                    let response = err_response(e);
31                    Err(response)
32                }
33            },
34            None => {
35                let e = JwtError::MissingOrInvalidAuthorizationHeader;
36                error!(target: "engine::jwt-validator", "Invalid JWT: {e}");
37                let response = err_response(e);
38                Err(response)
39            }
40        }
41    }
42}
43
44/// This is an utility function that retrieves a bearer
45/// token from an authorization Http header.
46fn get_bearer(headers: &HeaderMap) -> Option<String> {
47    let header = headers.get(header::AUTHORIZATION)?;
48    let auth: &str = header.to_str().ok()?;
49    let prefix = "Bearer ";
50    let index = auth.find(prefix)?;
51    let token: &str = &auth[index + prefix.len()..];
52    Some(token.into())
53}
54
55fn err_response(err: JwtError) -> HttpResponse {
56    // We build a response from an error message.
57    // We don't cope with headers or other structured fields.
58    // Then we are safe to "expect" on the result.
59    Response::builder()
60        .status(StatusCode::UNAUTHORIZED)
61        .body(HttpBody::new(err.to_string()))
62        .expect("This should never happen")
63}
64
65#[cfg(test)]
66mod tests {
67    use crate::jwt_validator::get_bearer;
68    use http::{header, HeaderMap};
69
70    #[test]
71    fn auth_header_available() {
72        let jwt = "foo";
73        let bearer = format!("Bearer {jwt}");
74        let mut headers = HeaderMap::new();
75        headers.insert(header::AUTHORIZATION, bearer.parse().unwrap());
76        let token = get_bearer(&headers).unwrap();
77        assert_eq!(token, jwt);
78    }
79
80    #[test]
81    fn auth_header_not_available() {
82        let headers = HeaderMap::new();
83        let token = get_bearer(&headers);
84        assert!(token.is_none());
85    }
86
87    #[test]
88    fn auth_header_malformed() {
89        let jwt = "foo";
90        let bearer = format!("Bea___rer {jwt}");
91        let mut headers = HeaderMap::new();
92        headers.insert(header::AUTHORIZATION, bearer.parse().unwrap());
93        let token = get_bearer(&headers);
94        assert!(token.is_none());
95    }
96}
reth_rpc_layer/jwt_validator.rs

reth_rpc_layer/
jwt_validator.rs
