Port Python use of jwcrypto to new Rust library #8299
Conversation
Minor housekeeping -- trying to rename internal crates to `gel-*`. Extracted from #8299. Some internal modules moved in `gel-auth` in anticipation of adding some more auth methods. As part of the work, trimmed some deps using `cargo-shear`.
Extracted from #8299 This implements JWT signing and validation in Rust. The implementation is provided by the external crate `jsonwebtoken`, but we manage all key loading and storage as that crate is somewhat lacking in that department. The backend crypto for this is provided by Ring, though the external crate may offer pluggable backends in the future. The crate provides an interface `KeyRegistry` that can be used to generate, load and save `JWK`s using one of three algorithms: `HS256`, `RS256` or `EC256`.
gorgeous 🏆
```python
) -> str:
    signing_ctx = jwt_auth.SigningCtx()
    signing_ctx.set_expiry(int(expires_in.total_seconds()))
    signing_ctx.set_not_before(30)
```
Why are we setting an `nbf` here? Maybe related to removing the `iat` check?
This is a safeguard to prevent tokens issued in the future from being used for extended periods of time. I noticed that the Rust library doesn't check that `iat` is in the past, so it prevents tokens from the future from being used.

It's pretty unlikely you could trick a server into issuing a token from the future, but if you did you could potentially have a long-lived token.
I think I specifically wanted to understand why we removed the `iat` handling from the email verification JWT. I don't recall 100% of the details here, but I remember switching to `iat` from `exp` for a specific reason. I'll see if I can resurrect it. Something about handling old verification emails (someone forgot to verify, waited too long, and tried to verify again) and still being able to send a refreshed one.
Oh, yes -- there's a `skip_expiration_check` on the verification token JWT method that explicitly ignores the expiry for the case of resending validation emails.

So basically we still check the signature in that case, but we ignore the timestamps. That's the only case I could find where that was required.

We might want to limit how far we extend the expiry to resend an email (maybe 30 days?) but for now I believe it acts the same way as before.
Yeah, I think the `iat`-related logic was explicitly to still limit the validity to some reasonable time frame without using an expiration time. I'll take another look at the old logic and do a little bit of research from back when I implemented this to be sure. I'm not sure I trust that there is an existing test for this case, so might be worth writing one in the course of figuring out what the actual behavior is meant to be.
I looked at the old source -- it appears that we were using `iat` to do a pseudo 24-hour expiration without an `exp` claim. I put all of the expiration times into constants in the jwt module and confirmed that they were the same as before.
There was some explicit reason I avoided an `exp` time back when I wrote it, but I can't quite recall. When I get a little space to go back into the history a bit, I'll give a final approval on this. I'd rather keep the existing behavior to not block landing this, but I'm also fine with sitting on it to be sure.
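The timestamp rules discussed in this thread (reject an `iat` in the future, treat `iat` as a pseudo 24-hour expiration when there is no `exp`, honour `nbf` and `exp`, and let `skip_expiration_check` bypass only the timestamp checks while the signature is still verified) as a self-contained HS256 example. This is added illustration code, not the PR's `gel-jwt` or `jwt_auth` code; the window constants, the key and the claim values are constructed for the example.

```python
import base64, hashlib, hmac, json

# Assumed windows for the example; the PR keeps the real values as constants in its jwt module.
VERIFICATION_TOKEN_MAX_AGE = 24 * 60 * 60  # seconds: iat-based pseudo-expiration

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over the claims with HMAC-SHA256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify(token: str, key: bytes, *, now: int, skip_expiration_check: bool = False,
           max_age: int = VERIFICATION_TOKEN_MAX_AGE) -> dict:
    """Return the claims if the token is acceptable at time `now`, else raise ValueError."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    # The signature is always checked, even when timestamps are ignored.
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(payload))
    if skip_expiration_check:  # resend-verification-email path: signature only
        return claims
    iat = claims.get("iat")
    if iat is None or iat > now:  # a token "issued in the future" is rejected outright
        raise ValueError("iat missing or in the future")
    if now - iat > max_age:  # pseudo-expiration derived from iat when exp is absent
        raise ValueError("token older than max age")
    if "nbf" in claims and claims["nbf"] > now:
        raise ValueError("not yet valid")
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def reject_reason(token: str, key: bytes, *, now: int, **kw):
    """None if the token verifies, otherwise the reason string from verify()."""
    try:
        verify(token, key, now=now, **kw)
    except ValueError as exc:
        return str(exc)
    return None
```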
This migrates all Python code from `jwcrypto` to `gel-jwt`. As part of the work, the auth-ext code is reorganized a bit so all the token types are managed centrally and given common names.

Server notes:

- `JWKSet`'s `default_validation_context` and checked internally at token validation time. These are still reloadable and can be updated as files on disk change.

auth_ext notes

Additional changes:

- `gel-jwt` library so we can remove all of that handling internally.
- `generate_and_serve_jwk`