feat(decoder): Create decoder

Author: sidrubs

src/builder.rs

@@ -2,16 +2,17 @@
 //!
 //! - Documentation
 
-use serde::Serialize;
+use serde::{de::DeserializeOwned, Serialize};
 
 use crate::{
     crypto::{
         hmac::{HmacSecret, Hs256, Hs384},
-        JwtSigner,
+        JwtSigner, JwtVerifier,
     },
-    errors::{new_error, Result},
-    serialization::{b64_encode, b64_encode_part},
-    Header,
+    errors::{new_error, ErrorKind, Result},
+    serialization::{b64_encode, b64_encode_part, DecodedJwtPartClaims},
+    validation::validate,
+    Header, TokenData, Validation,
 };
 
 /// # Todo
@@ -44,13 +45,13 @@ impl JwtEncoder {
     /// # Todo
     ///
     /// - Test the the error checking works
-    pub fn with_header(mut self, header: Header) -> Result<Self> {
+    pub fn with_header(mut self, header: &Header) -> Result<Self> {
         // Check that the header makes use of the correct algorithm
         if header.alg != self.signing_provider.algorithm() {
             return Err(new_error(crate::errors::ErrorKind::InvalidAlgorithm));
         }
 
-        self.header = header;
+        self.header = header.clone();
         Ok(self)
     }
 
@@ -84,6 +85,111 @@ impl JwtEncoder {
     }
 }
 
+/// Takes the result of a rsplit and ensure we only get 2 parts
+/// Errors if we don't
+macro_rules! expect_two {
+    ($iter:expr) => {{
+        let mut i = $iter;
+        match (i.next(), i.next(), i.next()) {
+            (Some(first), Some(second), None) => (first, second),
+            _ => return Err(new_error(ErrorKind::InvalidToken)),
+        }
+    }};
+}
+
+/// Todo
+pub struct JwtDecoder {
+    verifying_provider: Box<dyn JwtVerifier>,
+    validation: Validation,
+}
+
+impl JwtDecoder {
+    /// Todo
+    pub fn from_verifier<V: JwtVerifier + 'static>(verifying_provider: V) -> Self {
+        Self::from_boxed_verifiyer(Box::new(verifying_provider))
+    }
+
+    /// Todo
+    pub fn from_boxed_verifiyer(verifying_provider: Box<dyn JwtVerifier>) -> Self {
+        let validation = Validation::new(verifying_provider.algorithm());
+
+        Self { verifying_provider, validation }
+    }
+
+    /// Todo
+    pub fn with_validation(mut self, validation: &Validation) -> Result<Self> {
+        // Check that the validation contains the correct algorithm
+        if !validation.algorithms.contains(&self.verifying_provider.algorithm()) {
+            return Err(new_error(crate::errors::ErrorKind::InvalidAlgorithm));
+        }
+
+        self.validation = validation.clone();
+        Ok(self)
+    }
+
+    /// Todo
+    pub fn decode<T: DeserializeOwned>(&self, token: &str) -> Result<TokenData<T>> {
+        let (header, claims) = self.verify_signature(token)?;
+
+        let decoded_claims = DecodedJwtPartClaims::from_jwt_part_claims(claims)?;
+        let claims = decoded_claims.deserialize()?;
+        validate(decoded_claims.deserialize()?, &self.validation)?;
+
+        Ok(TokenData { header, claims })
+    }
+
+    /// Verify signature of a JWT, and return header object and raw payload
+    ///
+    /// If the token or its signature is invalid, it will return an error.
+    fn verify_signature<'a>(&self, token: &'a str) -> Result<(Header, &'a str)> {
+        if self.validation.validate_signature && self.validation.algorithms.is_empty() {
+            return Err(new_error(ErrorKind::MissingAlgorithm));
+        }
+
+        // Todo: This behaviour is currently not captured anywhere.
+        // if validation.validate_signature {
+        //     for alg in &validation.algorithms {
+        //         if key.family != alg.family() {
+        //             return Err(new_error(ErrorKind::InvalidAlgorithm));
+        //         }
+        //     }
+        // }
+
+        let (signature, message) = expect_two!(token.rsplitn(2, '.'));
+        let (payload, header) = expect_two!(message.rsplitn(2, '.'));
+        let header = Header::from_encoded(header)?;
+
+        if self.validation.validate_signature && !self.validation.algorithms.contains(&header.alg) {
+            return Err(new_error(ErrorKind::InvalidAlgorithm));
+        }
+
+        if self.validation.validate_signature
+            && self
+                .verifying_provider
+                .verify(message.as_bytes(), &signature.as_bytes().to_vec())
+                .is_err()
+        {
+            return Err(new_error(ErrorKind::InvalidSignature));
+        }
+
+        Ok((header, payload))
+    }
+
+    /// Create new [`JwtDecoder`] with the `HS256` algorithm.
+    pub fn hs_256(secret: HmacSecret) -> Result<JwtDecoder> {
+        let verifying_provider = Box::new(Hs256::new(secret)?);
+
+        Ok(JwtDecoder::from_boxed_verifiyer(verifying_provider))
+    }
+
+    /// Create new [`JwtDecoder`] with the `HS384` algorithm.
+    pub fn hs_384(secret: HmacSecret) -> Result<JwtDecoder> {
+        let verifying_provider = Box::new(Hs384::new(secret)?);
+
+        Ok(JwtDecoder::from_boxed_verifiyer(verifying_provider))
+    }
+}
+
 #[cfg(test)]
 mod builder_tests {
 

src/decoding.rs

@@ -2,6 +2,7 @@ use base64::{engine::general_purpose::STANDARD, Engine};
 use serde::de::DeserializeOwned;
 
 use crate::algorithms::AlgorithmFamily;
+use crate::builder::JwtDecoder;
 use crate::crypto::verify;
 use crate::errors::{new_error, ErrorKind, Result};
 use crate::header::Header;
@@ -271,6 +272,25 @@ pub fn decode<T: DeserializeOwned>(
     }
 }
 
+fn decoder_factory(algorithm: &Algorithm, key: &DecodingKey) -> Result<JwtDecoder> {
+    let jwt_encoder = match algorithm {
+        Algorithm::HS256 => JwtDecoder::hs_256(HmacSecret::from_secret(&key.content))?,
+        Algorithm::HS384 => JwtDecoder::hs_384(HmacSecret::from_secret(&key.content))?,
+        Algorithm::HS512 => todo!(),
+        Algorithm::ES256 => todo!(),
+        Algorithm::ES384 => todo!(),
+        Algorithm::RS256 => todo!(),
+        Algorithm::RS384 => todo!(),
+        Algorithm::RS512 => todo!(),
+        Algorithm::PS256 => todo!(),
+        Algorithm::PS384 => todo!(),
+        Algorithm::PS512 => todo!(),
+        Algorithm::EdDSA => todo!(),
+    };
+
+    Ok(jwt_encoder)
+}
+
 /// Decode a JWT without any signature verification/validations and return its [Header](struct.Header.html).
 ///
 /// If the token has an invalid format (ie 3 parts separated by a `.`), it will return an error.

src/encoding.rs

@@ -126,7 +126,7 @@ pub fn encode<T: Serialize>(header: &Header, claims: &T, key: &EncodingKey) -> R
         return Err(new_error(ErrorKind::InvalidAlgorithm));
     }
 
-    let jwt_encoder = encoder_factory(&header.alg, key)?;
+    let jwt_encoder = encoder_factory(&header.alg, key)?.with_header(header)?;
 
     jwt_encoder.encode(claims)
 }

src/lib.rs

@@ -4,7 +4,7 @@
 #![deny(missing_docs)]
 
 pub use algorithms::Algorithm;
-// pub use decoding::{decode, decode_header, DecodingKey, TokenData};
+pub use decoding::{decode, decode_header, DecodingKey, TokenData};
 pub use encoding::{encode, EncodingKey};
 pub use header::Header;
 pub use validation::{get_current_timestamp, Validation};
@@ -13,7 +13,7 @@ mod algorithms;
 pub mod builder;
 /// Lower level functions, if you want to do something other than JWTs
 pub mod crypto;
-// mod decoding;
+mod decoding;
 mod encoding;
 /// All the errors that can be encountered while encoding/decoding JWTs
 pub mod errors;