
feat: add JWT and claim validation directives #4377

Merged: 29 commits from jwt-directives into main, Apr 17, 2024

Conversation

@efgpinto (Contributor) commented Apr 8, 2024

With this PR, we want to:

  • add a directive for JWT validation (should validate issuer, expiration, signature, etc.)
  • allow for claim validation and assertions

Opening as an early version for feedback.

@efgpinto efgpinto marked this pull request as draft April 8, 2024 14:07
@efgpinto efgpinto force-pushed the jwt-directives branch 2 times, most recently from 7dcd7d7 to aeff9ea Compare April 8, 2024 14:18
@johanandren (Member) left a comment

Looking good!

@johanandren (Member) left a comment

Shaping up nicely, left a few smaller things; apart from those I think it's time to add a section to the docs.

@efgpinto efgpinto marked this pull request as ready for review April 15, 2024 14:15
@johanandren (Member) left a comment

LGTM with one tiny fix to docs

@efgpinto (Contributor, Author) left a comment

I think I've addressed all feedback now. Don't have any outstanding items on my list, but left a few questions for final review/consideration. Feel free to send any additional feedback, of course.

Review comment on the snippet below (`JwtSupport.fromConfig`, as shown in the diff view):

```scala
def fromConfig(jwtConfig: Config): JwtSupport = {
  val devSecret = if (jwtConfig.getBoolean("dev")) {
    Some(JwtSecret("dev", None, JwtNoneAlgorithmSecret))
```

@efgpinto (Contributor, Author):

I wonder if we should print a log warning about dev being on, if that's the case? Trying to avoid people having it on in production without noticing.

@johanandren (Member):

Yes, sounds like a good idea.

Somewhat tricky to implement though: we wouldn't want to log it for each request, and I'm not sure we want to put a logger in the settings class. So in the directive, with a flag to only log it once or a few times (the flag would need to be volatile because of cross-thread access, but the setting can be checked first so it is only ever touched if dev is enabled)?

@efgpinto (Contributor, Author):

Added with c65785d

Let me know what you think. It's logging once every minute.
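The thread above settles on a warning that is emitted from the directive rather than from the settings class, gated on the `dev` flag first and rate-limited so it does not appear on every request. The following is an added illustration of that pattern and is not code from this PR or from Akka HTTP: `JwtSettings`, `RateLimitedWarning` and `DevModeGuard` are hypothetical names, and in place of the volatile flag discussed above it uses an `AtomicLong` with compare-and-set so that, when several request threads cross the interval boundary at once, exactly one of them logs. The clock is injected as a parameter so the behaviour can be exercised deterministically in the demo.

```scala
import java.util.concurrent.atomic.AtomicLong

/** Emits a warning at most once per `intervalMillis`, safe under concurrent
  * request handling. `now` is passed in explicitly; a real directive would
  * pass System.currentTimeMillis() (assumption made for this example).
  */
final class RateLimitedWarning(intervalMillis: Long, log: String => Unit) {
  // 0 = never logged; otherwise the timestamp of the last emitted warning.
  private val lastLoggedAt = new AtomicLong(0L)

  /** Returns true if the warning was emitted on this call. */
  def warn(message: String, now: Long): Boolean = {
    val last = lastLoggedAt.get()
    if (last != 0L && now - last < intervalMillis) false
    else if (lastLoggedAt.compareAndSet(last, now)) { log(message); true }
    else false // another thread won the race and already logged for this interval
  }
}

// Hypothetical stand-in for the PR's settings: dev mode accepts unsigned tokens.
final case class JwtSettings(dev: Boolean)

object DevModeGuard {
  // One warning per minute, matching the interval chosen in the thread above.
  private val warning = new RateLimitedWarning(60000L, msg => System.err.println(msg))

  /** Called on every request that passes through the JWT directive.
    * The `dev` check comes first, so the shared counter is never touched
    * (and no cross-thread traffic occurs) unless dev mode is on.
    */
  def checkDevMode(settings: JwtSettings, now: Long = System.currentTimeMillis()): Boolean =
    settings.dev && warning.warn(
      "JWT dev mode is enabled: tokens with the 'none' algorithm are accepted. Do not use in production.",
      now)
}

object Demo extends App {
  // Constructed timestamps: five requests 20 seconds apart, all in dev mode.
  val t0 = 1700000000000L
  val emitted = (0 until 5).map(i => DevModeGuard.checkDevMode(JwtSettings(dev = true), t0 + i * 20000L))
  println(s"warning emitted per request: $emitted")
  // Production settings never reach the rate limiter at all.
  println(s"prod request: ${DevModeGuard.checkDevMode(JwtSettings(dev = false), t0)}")
}
```

With the timestamps in the demo, only the first and fourth request (the one that crosses the 60-second boundary) emit the warning; the `dev = false` call returns false without touching the counter, which is the property the review thread asked for.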

…t.md

Co-authored-by: Johan Andrén <johan@markatta.com>
@efgpinto (Contributor, Author) commented:

@johanandren do you have a clue what might be missing to make CI happy? Had a look at the failing pipelines, but it's not obvious to me.

@johanandren (Member) commented:

One thing is a test failure:

```
--> [jwt] Start of log messages of test that [Failed(org.scalatest.exceptions.TestFailedException: Request was rejected with rejection AuthenticationFailedRejection(CredentialsRejected,***"akka-http-jwt"))]
| [DEBUG] [04/15/2024 15:27:38.107] [pool-8-thread-12-ScalaTest-running-JwtDirectivesExamplesSpec] [WithLogCapturing(akka://docs-http-scaladsl-server-directives-JwtDirectivesExamplesSpec)] Logging started for test [jwt]
| [DEBUG] [04/15/2024 15:27:38.176] [pool-8-thread-12-ScalaTest-running-JwtDirectivesExamplesSpec] [akka.actor.ActorSystemImpl(docs-http-scaladsl-server-directives-JwtDirectivesExamplesSpec)] The token was rejected: Failed to verify JWT token due to unsupported algorithm
| [DEBUG] [04/15/2024 15:27:38.181] [pool-8-thread-12-ScalaTest-running-JwtDirectivesExamplesSpec] [WithLogCapturing(akka://docs-http-scaladsl-server-directives-JwtDirectivesExamplesSpec)] Logging finished for test [jwt]
<-- [jwt] End of log messages of test that [Failed(org.scalatest.exceptions.TestFailedException: Request was rejected with rejection AuthenticationFailedRejection(CredentialsRejected,***"akka-http-jwt"))]
[info] JwtDirectivesExamplesSpec:
[info] - jwt *** FAILED *** (77 milliseconds)
[info]   Request was rejected with rejection AuthenticationFailedRejection(CredentialsRejected,***"akka-http-jwt") (JwtDirectivesExamplesSpec.scala:32)
[info]   org.scalatest.exceptions.TestFailedException:
[info]   at akka.http.scaladsl.testkit.TestFrameworkInterface$Scalatest.failTest(TestFrameworkInterface.scala:27)
[info]   at akka.http.scaladsl.testkit.TestFrameworkInterface$Scalatest.failTest$(TestFrameworkInterface.scala:27)
[info]   at akka.http.scaladsl.server.RoutingSpec.failTest(RoutingSpec.scala:25)
[info]   at akka.http.scaladsl.testkit.RouteTestResultComponent$RouteTestResult.rawResponse(RouteTestResultComponent.scala:62)
[info]   at akka.http.scaladsl.testkit.RouteTestResultComponent$RouteTestResult.response(RouteTestResultComponent.scala:39)
[info]   at akka.http.scaladsl.testkit.RouteTest.response(RouteTest.scala:66)
[info]   at akka.http.scaladsl.testkit.RouteTest.response$(RouteTest.scala:66)
[info]   at akka.http.scaladsl.server.RoutingSpec.response(RoutingSpec.scala:25)
[info]   at akka.http.scaladsl.testkit.RouteTest.responseAs(RouteTest.scala:77)
[info]   at akka.http.scaladsl.testkit.RouteTest.responseAs$(RouteTest.scala:75)
[info]   at akka.http.scaladsl.server.RoutingSpec.responseAs(RoutingSpec.scala:25)
[info]   at docs.http.scaladsl.server.directives.JwtDirectivesExamplesSpec.$anonfun$new$4(JwtDirectivesExamplesSpec.scala:32)
```

The other is a check that any API annotated with @ApiMayChange is listed in the compatibility-guidelines.md doc page, so you need to add the public may-change JWT APIs there.

@efgpinto (Contributor, Author) commented:

Green at last. Thanks Johan for the tips. See what you think about c65785d; otherwise I think this is good to go.

@johanandren johanandren merged commit bdcff24 into main Apr 17, 2024
8 checks passed
@johanandren johanandren deleted the jwt-directives branch April 17, 2024 07:19
@johanandren johanandren added this to the 10.6.2 milestone Apr 17, 2024