checking iss for multiple values (#173)
parent
48770d4797
commit
da761fe039
@ -169,7 +169,7 @@ struct Validation {
|
||||||
pub validate_exp: bool, // Default: true
|
pub validate_exp: bool, // Default: true
|
||||||
pub validate_nbf: bool, // Default: false
|
pub validate_nbf: bool, // Default: false
|
||||||
pub aud: Option<HashSet<String>>, // Default: None
|
pub aud: Option<HashSet<String>>, // Default: None
|
||||||
pub iss: Option<String>, // Default: None
|
pub iss: Option<HashSet<String>>, // Default: None
|
||||||
pub sub: Option<String>, // Default: None
|
pub sub: Option<String>, // Default: None
|
||||||
pub algorithms: Vec<Algorithm>, // Default: vec![Algorithm::HS256]
|
pub algorithms: Vec<Algorithm>, // Default: vec![Algorithm::HS256]
|
||||||
}
|
}
|
||||||
|
@ -185,7 +185,9 @@ let validation = Validation::new(Algorithm::HS512);
|
||||||
// Adding some leeway (in seconds) for exp and nbf checks
|
// Adding some leeway (in seconds) for exp and nbf checks
|
||||||
let mut validation = Validation {leeway: 60, ..Default::default()};
|
let mut validation = Validation {leeway: 60, ..Default::default()};
|
||||||
// Checking issuer
|
// Checking issuer
|
||||||
let mut validation = Validation {iss: Some("issuer".to_string()), ..Default::default()};
|
let mut iss = std::collections::HashSet::new();
|
||||||
|
iss.insert("issuer".to_string());
|
||||||
|
let mut validation = Validation {iss: Some(iss), ..Default::default()};
|
||||||
// Setting audience
|
// Setting audience
|
||||||
let mut validation = Validation::default();
|
let mut validation = Validation::default();
|
||||||
validation.set_audience(&"Me"); // string
|
validation.set_audience(&"Me"); // string
|
||||||
|
|
|
@ -49,11 +49,11 @@ pub struct Validation {
|
||||||
///
|
///
|
||||||
/// Defaults to `None`.
|
/// Defaults to `None`.
|
||||||
pub aud: Option<HashSet<String>>,
|
pub aud: Option<HashSet<String>>,
|
||||||
/// If it contains a value, the validation will check that the `iss` field is the same as the
|
/// If it contains a value, the validation will check that the `iss` field is a member of the
|
||||||
/// one provided and will error otherwise.
|
/// iss provided and will error otherwise.
|
||||||
///
|
///
|
||||||
/// Defaults to `None`.
|
/// Defaults to `None`.
|
||||||
pub iss: Option<String>,
|
pub iss: Option<HashSet<String>>,
|
||||||
/// If it contains a value, the validation will check that the `sub` field is the same as the
|
/// If it contains a value, the validation will check that the `sub` field is the same as the
|
||||||
/// one provided and will error otherwise.
|
/// one provided and will error otherwise.
|
||||||
///
|
///
|
||||||
|
@ -76,6 +76,11 @@ impl Validation {
|
||||||
pub fn set_audience<T: ToString>(&mut self, items: &[T]) {
|
pub fn set_audience<T: ToString>(&mut self, items: &[T]) {
|
||||||
self.aud = Some(items.iter().map(|x| x.to_string()).collect())
|
self.aud = Some(items.iter().map(|x| x.to_string()).collect())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// `iss` is a collection of one or more acceptable iss members
|
||||||
|
pub fn set_iss<T: ToString>(&mut self, items: &[T]) {
|
||||||
|
self.iss = Some(items.iter().map(|x| x.to_string()).collect())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
impl Default for Validation {
|
impl Default for Validation {
|
||||||
|
@ -124,16 +129,6 @@ pub fn validate(claims: &Map<String, Value>, options: &Validation) -> Result<()>
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if let Some(ref correct_iss) = options.iss {
|
|
||||||
if let Some(iss) = claims.get("iss") {
|
|
||||||
if from_value::<String>(iss.clone())? != *correct_iss {
|
|
||||||
return Err(new_error(ErrorKind::InvalidIssuer));
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
return Err(new_error(ErrorKind::InvalidIssuer));
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if let Some(ref correct_sub) = options.sub {
|
if let Some(ref correct_sub) = options.sub {
|
||||||
if let Some(sub) = claims.get("sub") {
|
if let Some(sub) = claims.get("sub") {
|
||||||
if from_value::<String>(sub.clone())? != *correct_sub {
|
if from_value::<String>(sub.clone())? != *correct_sub {
|
||||||
|
@ -144,6 +139,16 @@ pub fn validate(claims: &Map<String, Value>, options: &Validation) -> Result<()>
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if let Some(ref correct_iss) = options.iss {
|
||||||
|
if let Some(Value::String(iss)) = claims.get("iss") {
|
||||||
|
if !correct_iss.contains(iss) {
|
||||||
|
return Err(new_error(ErrorKind::InvalidIssuer));
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
return Err(new_error(ErrorKind::InvalidIssuer));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if let Some(ref correct_aud) = options.aud {
|
if let Some(ref correct_aud) = options.aud {
|
||||||
if let Some(aud) = claims.get("aud") {
|
if let Some(aud) = claims.get("aud") {
|
||||||
match aud {
|
match aud {
|
||||||
|
@ -262,11 +267,11 @@ mod tests {
|
||||||
fn iss_ok() {
|
fn iss_ok() {
|
||||||
let mut claims = Map::new();
|
let mut claims = Map::new();
|
||||||
claims.insert("iss".to_string(), to_value("Keats").unwrap());
|
claims.insert("iss".to_string(), to_value("Keats").unwrap());
|
||||||
let validation = Validation {
|
|
||||||
validate_exp: false,
|
let mut iss = std::collections::HashSet::new();
|
||||||
iss: Some("Keats".to_string()),
|
iss.insert("Keats".to_string());
|
||||||
..Default::default()
|
|
||||||
};
|
let validation = Validation { validate_exp: false, iss: Some(iss), ..Default::default() };
|
||||||
let res = validate(&claims, &validation);
|
let res = validate(&claims, &validation);
|
||||||
assert!(res.is_ok());
|
assert!(res.is_ok());
|
||||||
}
|
}
|
||||||
|
@ -275,11 +280,11 @@ mod tests {
|
||||||
fn iss_not_matching_fails() {
|
fn iss_not_matching_fails() {
|
||||||
let mut claims = Map::new();
|
let mut claims = Map::new();
|
||||||
claims.insert("iss".to_string(), to_value("Hacked").unwrap());
|
claims.insert("iss".to_string(), to_value("Hacked").unwrap());
|
||||||
let validation = Validation {
|
|
||||||
validate_exp: false,
|
let mut iss = std::collections::HashSet::new();
|
||||||
iss: Some("Keats".to_string()),
|
iss.insert("Keats".to_string());
|
||||||
..Default::default()
|
|
||||||
};
|
let validation = Validation { validate_exp: false, iss: Some(iss), ..Default::default() };
|
||||||
let res = validate(&claims, &validation);
|
let res = validate(&claims, &validation);
|
||||||
assert!(res.is_err());
|
assert!(res.is_err());
|
||||||
|
|
||||||
|
@ -292,11 +297,11 @@ mod tests {
|
||||||
#[test]
|
#[test]
|
||||||
fn iss_missing_fails() {
|
fn iss_missing_fails() {
|
||||||
let claims = Map::new();
|
let claims = Map::new();
|
||||||
let validation = Validation {
|
|
||||||
validate_exp: false,
|
let mut iss = std::collections::HashSet::new();
|
||||||
iss: Some("Keats".to_string()),
|
iss.insert("Keats".to_string());
|
||||||
..Default::default()
|
|
||||||
};
|
let validation = Validation { validate_exp: false, iss: Some(iss), ..Default::default() };
|
||||||
let res = validate(&claims, &validation);
|
let res = validate(&claims, &validation);
|
||||||
assert!(res.is_err());
|
assert!(res.is_err());
|
||||||
|
|
||||||
|
@ -420,13 +425,18 @@ mod tests {
|
||||||
|
|
||||||
// https://github.com/Keats/jsonwebtoken/issues/51
|
// https://github.com/Keats/jsonwebtoken/issues/51
|
||||||
#[test]
|
#[test]
|
||||||
|
#[should_panic]
|
||||||
fn does_validation_in_right_order() {
|
fn does_validation_in_right_order() {
|
||||||
let mut claims = Map::new();
|
let mut claims = Map::new();
|
||||||
claims.insert("exp".to_string(), to_value(get_current_timestamp() + 10000).unwrap());
|
claims.insert("exp".to_string(), to_value(get_current_timestamp() + 10000).unwrap());
|
||||||
|
|
||||||
|
let mut iss = std::collections::HashSet::new();
|
||||||
|
iss.insert("iss no check".to_string());
|
||||||
|
|
||||||
let v = Validation {
|
let v = Validation {
|
||||||
leeway: 5,
|
leeway: 5,
|
||||||
validate_exp: true,
|
validate_exp: true,
|
||||||
iss: Some("iss no check".to_string()),
|
iss: Some(iss),
|
||||||
sub: Some("sub no check".to_string()),
|
sub: Some("sub no check".to_string()),
|
||||||
..Validation::default()
|
..Validation::default()
|
||||||
};
|
};
|
||||||
|
|
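Review bot: The `#[should_panic]` added to `does_validation_in_right_order` looks like it papers over a changed assertion rather than fixing it: the `iss` block is removed from before the `sub` check (hunk at -124) and re-added after it (hunk at -144), so a token missing both claims now fails on `sub` first and no longer yields `ErrorKind::InvalidIssuer`, and a test that passes on any panic no longer verifies the check ordering that issue #51 is about. The test's assertions lie outside the hunk, so which line now fails is inferred. I would drop `#[should_panic]` and assert on the error kind the reordered checks actually produce, or keep the original order by re-inserting the `iss` block ahead of the `sub` block so the commit changes only the comparison and not the error precedence. Separately, `set_iss` should document that an empty slice yields `Some(empty set)`, which makes `correct_iss.contains(iss)` reject every token rather than disabling the check, e.g. `/// An empty slice rejects every issuer; leave iss as None to skip the check.`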