nushell-plugins/nu_plugin_auth/src/auth.rs

//! JWT authentication and verification logic.
//!
//! This module provides RS256 JWT token verification, claims extraction,
//! and token management utilities.

use base64::{engine::general_purpose, Engine as _};
use jsonwebtoken::{decode, decode_header, Algorithm, DecodingKey, Validation};
use serde::{Deserialize, Serialize};

use crate::error::{AuthError, AuthErrorKind};

/// Default Control Center URL for authentication.
pub const DEFAULT_CONTROL_CENTER_URL: &str = "http://localhost:8081";

/// JWT Claims structure for provisioning platform tokens.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Claims {
    /// Subject (user ID)
    pub sub: String,
    /// Username
    pub username: String,
    /// User email
    pub email: String,
    /// User roles
    pub roles: Vec<String>,
    /// Expiration time (Unix timestamp)
    pub exp: i64,
    /// Issued at time (Unix timestamp)
    pub iat: i64,
    /// Not before time (Unix timestamp)
    #[serde(default)]
    pub nbf: i64,
    /// JWT ID (unique identifier)
    #[serde(default)]
    pub jti: String,
    /// Issuer
    #[serde(default)]
    pub iss: String,
    /// Audience
    #[serde(default)]
    pub aud: String,
}

/// Result of token verification.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct VerificationResult {
    /// Whether the token is valid
    pub valid: bool,
    /// Extracted claims if valid
    pub claims: Option<Claims>,
    /// Error message if invalid
    pub error: Option<String>,
    /// Time remaining until expiration (seconds)
    pub expires_in: Option<i64>,
}

impl VerificationResult {
    /// Creates a successful verification result.
    pub fn success(claims: Claims) -> Self {
        let now = chrono::Utc::now().timestamp();
        let expires_in = claims.exp - now;
        Self {
            valid: true,
            claims: Some(claims),
            error: None,
            expires_in: Some(expires_in),
        }
    }

    /// Creates a failed verification result.
    pub fn failure(error: impl Into<String>) -> Self {
        Self {
            valid: false,
            claims: None,
            error: Some(error.into()),
            expires_in: None,
        }
    }
}

/// Decodes and extracts claims from a JWT without verification.
///
/// This is useful for inspecting token contents before verification
/// or when verification is not possible (e.g., no public key available).
///
/// # Arguments
///
/// * `token` - The JWT token string
///
/// # Returns
///
/// Returns the decoded claims or an error if the token format is invalid.
pub fn decode_claims_unverified(token: &str) -> Result<Claims, AuthError> {
    let parts: Vec<&str> = token.split('.').collect();
    if parts.len() != 3 {
        return Err(AuthError::invalid_token(
            "Token must have 3 parts separated by '.'",
        ));
    }

    let payload = parts[1];
    let decoded = general_purpose::URL_SAFE_NO_PAD
        .decode(payload)
        .map_err(|e| AuthError::invalid_token(format!("Failed to decode payload: {}", e)))?;

    let claims: Claims = serde_json::from_slice(&decoded)
        .map_err(|e| AuthError::invalid_token(format!("Failed to parse claims: {}", e)))?;

    Ok(claims)
}

/// Verifies a JWT token using RS256 algorithm with the provided public key.
///
/// # Arguments
///
/// * `token` - The JWT token string
/// * `public_key_pem` - The RSA public key in PEM format
///
/// # Returns
///
/// Returns a VerificationResult indicating whether the token is valid
/// and containing the claims if verification succeeded.
pub fn verify_token_rs256(
    token: &str,
    public_key_pem: &str,
) -> Result<VerificationResult, AuthError> {
    // Verify the token header uses RS256
    let header = decode_header(token)
        .map_err(|e| AuthError::invalid_token(format!("Failed to decode header: {}", e)))?;

    if header.alg != Algorithm::RS256 {
        return Err(AuthError::new(
            AuthErrorKind::SignatureVerificationFailed,
            format!("Expected RS256 algorithm, got {:?}", header.alg),
        ));
    }

    // Create decoding key from PEM
    let decoding_key = DecodingKey::from_rsa_pem(public_key_pem.as_bytes())
        .map_err(|e| AuthError::configuration_error(format!("Invalid public key: {}", e)))?;

    // Set up validation
    let mut validation = Validation::new(Algorithm::RS256);
    validation.validate_exp = true;
    validation.validate_nbf = true;

    // Decode and verify
    match decode::<Claims>(token, &decoding_key, &validation) {
        Ok(token_data) => Ok(VerificationResult::success(token_data.claims)),
        Err(e) => {
            let error_msg = match e.kind() {
                jsonwebtoken::errors::ErrorKind::ExpiredSignature => "Token has expired",
                jsonwebtoken::errors::ErrorKind::InvalidSignature => "Invalid signature",
                jsonwebtoken::errors::ErrorKind::InvalidToken => "Invalid token format",
                jsonwebtoken::errors::ErrorKind::InvalidIssuer => "Invalid issuer",
                jsonwebtoken::errors::ErrorKind::InvalidAudience => "Invalid audience",
                _ => "Token verification failed",
            };
            Ok(VerificationResult::failure(error_msg))
        }
    }
}

/// Verifies a JWT token locally by checking format and expiration.
///
/// This performs basic validation without cryptographic verification:
/// - Token format (3 parts)
/// - Expiration time
/// - Not-before time
///
/// Use this for quick local checks when the public key is not available.
pub fn verify_token_local(token: &str) -> Result<VerificationResult, AuthError> {
    let claims = decode_claims_unverified(token)?;
    let now = chrono::Utc::now().timestamp();

    // Check expiration
    if claims.exp < now {
        return Ok(VerificationResult::failure(format!(
            "Token expired {} seconds ago",
            now - claims.exp
        )));
    }

    // Check not-before (if set)
    if claims.nbf > 0 && claims.nbf > now {
        return Ok(VerificationResult::failure(format!(
            "Token not valid for {} more seconds",
            claims.nbf - now
        )));
    }

    Ok(VerificationResult::success(claims))
}

/// Checks if a token is expired.
pub fn is_token_expired(token: &str) -> Result<bool, AuthError> {
    let claims = decode_claims_unverified(token)?;
    let now = chrono::Utc::now().timestamp();
    Ok(claims.exp < now)
}

/// Gets the time remaining until token expiration in seconds.
pub fn get_token_expiry_seconds(token: &str) -> Result<i64, AuthError> {
    let claims = decode_claims_unverified(token)?;
    let now = chrono::Utc::now().timestamp();
    Ok(claims.exp - now)
}

/// Extracts the user ID from a token.
pub fn get_user_id(token: &str) -> Result<String, AuthError> {
    let claims = decode_claims_unverified(token)?;
    Ok(claims.sub)
}

/// Extracts the username from a token.
pub fn get_username(token: &str) -> Result<String, AuthError> {
    let claims = decode_claims_unverified(token)?;
    Ok(claims.username)
}

/// Extracts the roles from a token.
pub fn get_roles(token: &str) -> Result<Vec<String>, AuthError> {
    let claims = decode_claims_unverified(token)?;
    Ok(claims.roles)
}

#[cfg(test)]
mod tests {
    use super::*;

    // Test token (expired, but valid format)
    const TEST_TOKEN: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEyMyIsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZXMiOlsiYWRtaW4iLCJ1c2VyIl0sImV4cCI6MTcwMDAwMDAwMCwiaWF0IjoxNjk5OTk2NDAwLCJuYmYiOjAsImp0aSI6Imp0aS0xMjMiLCJpc3MiOiJwcm92aXNpb25pbmciLCJhdWQiOiJwcm92aXNpb25pbmctY2xpIn0.signature";

    #[test]
    fn test_decode_claims_unverified_invalid_format() {
        let result = decode_claims_unverified("not.a.valid.token.format");
        assert!(result.is_err());
    }

    #[test]
    fn test_decode_claims_unverified_missing_parts() {
        let result = decode_claims_unverified("only.two");
        assert!(result.is_err());
        let error = result.unwrap_err();
        assert_eq!(error.kind, AuthErrorKind::InvalidToken);
    }

    #[test]
    fn test_verification_result_success() {
        let claims = Claims {
            sub: "user-123".to_string(),
            username: "admin".to_string(),
            email: "admin@example.com".to_string(),
            roles: vec!["admin".to_string()],
            exp: chrono::Utc::now().timestamp() + 3600,
            iat: chrono::Utc::now().timestamp(),
            nbf: 0,
            jti: "jti-123".to_string(),
            iss: "provisioning".to_string(),
            aud: "cli".to_string(),
        };
        let result = VerificationResult::success(claims);
        assert!(result.valid);
        assert!(result.claims.is_some());
        assert!(result.expires_in.is_some());
    }

    #[test]
    fn test_verification_result_failure() {
        let result = VerificationResult::failure("test error");
        assert!(!result.valid);
        assert!(result.claims.is_none());
        assert_eq!(result.error, Some("test error".to_string()));
    }

    #[test]
    fn test_is_token_expired_handles_invalid() {
        let result = is_token_expired("invalid");
        assert!(result.is_err());
    }
}
implements a production-ready bootstrap installer with comprehensive error handling, version-agnostic archive extraction, and clear user messaging. All improvements follow DRY principles using symlink-based architecture for single-source-of-truth maintenance 2025-12-11 22:04:54 +00:00			`//! JWT authentication and verification logic.`
			`//!`
			`//! This module provides RS256 JWT token verification, claims extraction,`
			`//! and token management utilities.`

			`use base64::{engine::general_purpose, Engine as _};`
			`use jsonwebtoken::{decode, decode_header, Algorithm, DecodingKey, Validation};`
			`use serde::{Deserialize, Serialize};`

			`use crate::error::{AuthError, AuthErrorKind};`

			`/// Default Control Center URL for authentication.`
			`pub const DEFAULT_CONTROL_CENTER_URL: &str = "http://localhost:8081";`

			`/// JWT Claims structure for provisioning platform tokens.`
			`#[derive(Debug, Clone, Serialize, Deserialize)]`
			`pub struct Claims {`
			`/// Subject (user ID)`
			`pub sub: String,`
			`/// Username`
			`pub username: String,`
			`/// User email`
			`pub email: String,`
			`/// User roles`
			`pub roles: Vec<String>,`
			`/// Expiration time (Unix timestamp)`
			`pub exp: i64,`
			`/// Issued at time (Unix timestamp)`
			`pub iat: i64,`
			`/// Not before time (Unix timestamp)`
			`#[serde(default)]`
			`pub nbf: i64,`
			`/// JWT ID (unique identifier)`
			`#[serde(default)]`
			`pub jti: String,`
			`/// Issuer`
			`#[serde(default)]`
			`pub iss: String,`
			`/// Audience`
			`#[serde(default)]`
			`pub aud: String,`
			`}`

			`/// Result of token verification.`
			`#[derive(Debug, Clone, Serialize, Deserialize)]`
			`pub struct VerificationResult {`
			`/// Whether the token is valid`
			`pub valid: bool,`
			`/// Extracted claims if valid`
			`pub claims: Option<Claims>,`
			`/// Error message if invalid`
			`pub error: Option<String>,`
			`/// Time remaining until expiration (seconds)`
			`pub expires_in: Option<i64>,`
			`}`

			`impl VerificationResult {`
			`/// Creates a successful verification result.`
			`pub fn success(claims: Claims) -> Self {`
			`let now = chrono::Utc::now().timestamp();`
			`let expires_in = claims.exp - now;`
			`Self {`
			`valid: true,`
			`claims: Some(claims),`
			`error: None,`
			`expires_in: Some(expires_in),`
			`}`
			`}`

			`/// Creates a failed verification result.`
			`pub fn failure(error: impl Into<String>) -> Self {`
			`Self {`
			`valid: false,`
			`claims: None,`
			`error: Some(error.into()),`
			`expires_in: None,`
			`}`
			`}`
			`}`

			`/// Decodes and extracts claims from a JWT without verification.`
			`///`
			`/// This is useful for inspecting token contents before verification`
			`/// or when verification is not possible (e.g., no public key available).`
			`///`
			`/// # Arguments`
			`///`
			/// * `token` - The JWT token string
			`///`
			`/// # Returns`
			`///`
			`/// Returns the decoded claims or an error if the token format is invalid.`
			`pub fn decode_claims_unverified(token: &str) -> Result<Claims, AuthError> {`
			`let parts: Vec<&str> = token.split('.').collect();`
			`if parts.len() != 3 {`
chore: update all plugins to Nushell 0.111.0 - Bump all 18 plugins from 0.110.0 to 0.111.0 - Update rust-toolchain.toml channel to 1.93.1 (nu 0.111.0 requires ≥1.91.1) Fixes: - interprocess pin =2.2.x → ^2.3.1 in nu_plugin_mcp, nu_plugin_nats, nu_plugin_typedialog (required by nu-plugin-core 0.111.0) - nu_plugin_typedialog: BackendType::Web initializer — add open_browser: false field - nu_plugin_auth: implement missing user_info_to_value helper referenced in tests Scripts: - update_all_plugins.nu: fix [package].version update on minor bumps; add [dev-dependencies] pass; add nu-plugin-test-support to managed crates - download_nushell.nu: rustup override unset before rm -rf on nushell dir replace; fix unclosed ) in string interpolation 2026-03-11 03:22:42 +00:00			`return Err(AuthError::invalid_token(`
			`"Token must have 3 parts separated by '.'",`
			`));`
implements a production-ready bootstrap installer with comprehensive error handling, version-agnostic archive extraction, and clear user messaging. All improvements follow DRY principles using symlink-based architecture for single-source-of-truth maintenance 2025-12-11 22:04:54 +00:00			`}`

			`let payload = parts[1];`
			`let decoded = general_purpose::URL_SAFE_NO_PAD`
			`.decode(payload)`
			`.map_err(\|e\| AuthError::invalid_token(format!("Failed to decode payload: {}", e)))?;`

			`let claims: Claims = serde_json::from_slice(&decoded)`
			`.map_err(\|e\| AuthError::invalid_token(format!("Failed to parse claims: {}", e)))?;`

			`Ok(claims)`
			`}`

			`/// Verifies a JWT token using RS256 algorithm with the provided public key.`
			`///`
			`/// # Arguments`
			`///`
			/// * `token` - The JWT token string
			/// * `public_key_pem` - The RSA public key in PEM format
			`///`
			`/// # Returns`
			`///`
			`/// Returns a VerificationResult indicating whether the token is valid`
			`/// and containing the claims if verification succeeded.`
chore: update all plugins to Nushell 0.111.0 - Bump all 18 plugins from 0.110.0 to 0.111.0 - Update rust-toolchain.toml channel to 1.93.1 (nu 0.111.0 requires ≥1.91.1) Fixes: - interprocess pin =2.2.x → ^2.3.1 in nu_plugin_mcp, nu_plugin_nats, nu_plugin_typedialog (required by nu-plugin-core 0.111.0) - nu_plugin_typedialog: BackendType::Web initializer — add open_browser: false field - nu_plugin_auth: implement missing user_info_to_value helper referenced in tests Scripts: - update_all_plugins.nu: fix [package].version update on minor bumps; add [dev-dependencies] pass; add nu-plugin-test-support to managed crates - download_nushell.nu: rustup override unset before rm -rf on nushell dir replace; fix unclosed ) in string interpolation 2026-03-11 03:22:42 +00:00			`pub fn verify_token_rs256(`
			`token: &str,`
			`public_key_pem: &str,`
			`) -> Result<VerificationResult, AuthError> {`
implements a production-ready bootstrap installer with comprehensive error handling, version-agnostic archive extraction, and clear user messaging. All improvements follow DRY principles using symlink-based architecture for single-source-of-truth maintenance 2025-12-11 22:04:54 +00:00			`// Verify the token header uses RS256`
			`let header = decode_header(token)`
			`.map_err(\|e\| AuthError::invalid_token(format!("Failed to decode header: {}", e)))?;`

			`if header.alg != Algorithm::RS256 {`
			`return Err(AuthError::new(`
			`AuthErrorKind::SignatureVerificationFailed,`
			`format!("Expected RS256 algorithm, got {:?}", header.alg),`
			`));`
			`}`

			`// Create decoding key from PEM`
			`let decoding_key = DecodingKey::from_rsa_pem(public_key_pem.as_bytes())`
			`.map_err(\|e\| AuthError::configuration_error(format!("Invalid public key: {}", e)))?;`

			`// Set up validation`
			`let mut validation = Validation::new(Algorithm::RS256);`
			`validation.validate_exp = true;`
			`validation.validate_nbf = true;`

			`// Decode and verify`
			`match decode::<Claims>(token, &decoding_key, &validation) {`
			`Ok(token_data) => Ok(VerificationResult::success(token_data.claims)),`
			`Err(e) => {`
			`let error_msg = match e.kind() {`
			`jsonwebtoken::errors::ErrorKind::ExpiredSignature => "Token has expired",`
			`jsonwebtoken::errors::ErrorKind::InvalidSignature => "Invalid signature",`
			`jsonwebtoken::errors::ErrorKind::InvalidToken => "Invalid token format",`
			`jsonwebtoken::errors::ErrorKind::InvalidIssuer => "Invalid issuer",`
			`jsonwebtoken::errors::ErrorKind::InvalidAudience => "Invalid audience",`
			`_ => "Token verification failed",`
			`};`
			`Ok(VerificationResult::failure(error_msg))`
			`}`
			`}`
			`}`

			`/// Verifies a JWT token locally by checking format and expiration.`
			`///`
			`/// This performs basic validation without cryptographic verification:`
			`/// - Token format (3 parts)`
			`/// - Expiration time`
			`/// - Not-before time`
			`///`
			`/// Use this for quick local checks when the public key is not available.`
			`pub fn verify_token_local(token: &str) -> Result<VerificationResult, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`let now = chrono::Utc::now().timestamp();`

			`// Check expiration`
			`if claims.exp < now {`
			`return Ok(VerificationResult::failure(format!(`
			`"Token expired {} seconds ago",`
			`now - claims.exp`
			`)));`
			`}`

			`// Check not-before (if set)`
			`if claims.nbf > 0 && claims.nbf > now {`
			`return Ok(VerificationResult::failure(format!(`
			`"Token not valid for {} more seconds",`
			`claims.nbf - now`
			`)));`
			`}`

			`Ok(VerificationResult::success(claims))`
			`}`

			`/// Checks if a token is expired.`
			`pub fn is_token_expired(token: &str) -> Result<bool, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`let now = chrono::Utc::now().timestamp();`
			`Ok(claims.exp < now)`
			`}`

			`/// Gets the time remaining until token expiration in seconds.`
			`pub fn get_token_expiry_seconds(token: &str) -> Result<i64, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`let now = chrono::Utc::now().timestamp();`
			`Ok(claims.exp - now)`
			`}`

			`/// Extracts the user ID from a token.`
			`pub fn get_user_id(token: &str) -> Result<String, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`Ok(claims.sub)`
			`}`

			`/// Extracts the username from a token.`
			`pub fn get_username(token: &str) -> Result<String, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`Ok(claims.username)`
			`}`

			`/// Extracts the roles from a token.`
			`pub fn get_roles(token: &str) -> Result<Vec<String>, AuthError> {`
			`let claims = decode_claims_unverified(token)?;`
			`Ok(claims.roles)`
			`}`

			`#[cfg(test)]`
			`mod tests {`
			`use super::*;`

			`// Test token (expired, but valid format)`
			`const TEST_TOKEN: &str = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyLTEyMyIsInVzZXJuYW1lIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZXMiOlsiYWRtaW4iLCJ1c2VyIl0sImV4cCI6MTcwMDAwMDAwMCwiaWF0IjoxNjk5OTk2NDAwLCJuYmYiOjAsImp0aSI6Imp0aS0xMjMiLCJpc3MiOiJwcm92aXNpb25pbmciLCJhdWQiOiJwcm92aXNpb25pbmctY2xpIn0.signature";`

			`#[test]`
			`fn test_decode_claims_unverified_invalid_format() {`
			`let result = decode_claims_unverified("not.a.valid.token.format");`
			`assert!(result.is_err());`
			`}`

			`#[test]`
			`fn test_decode_claims_unverified_missing_parts() {`
			`let result = decode_claims_unverified("only.two");`
			`assert!(result.is_err());`
			`let error = result.unwrap_err();`
			`assert_eq!(error.kind, AuthErrorKind::InvalidToken);`
			`}`

			`#[test]`
			`fn test_verification_result_success() {`
			`let claims = Claims {`
			`sub: "user-123".to_string(),`
			`username: "admin".to_string(),`
			`email: "admin@example.com".to_string(),`
			`roles: vec!["admin".to_string()],`
			`exp: chrono::Utc::now().timestamp() + 3600,`
			`iat: chrono::Utc::now().timestamp(),`
			`nbf: 0,`
			`jti: "jti-123".to_string(),`
			`iss: "provisioning".to_string(),`
			`aud: "cli".to_string(),`
			`};`
			`let result = VerificationResult::success(claims);`
			`assert!(result.valid);`
			`assert!(result.claims.is_some());`
			`assert!(result.expires_in.is_some());`
			`}`

			`#[test]`
			`fn test_verification_result_failure() {`
			`let result = VerificationResult::failure("test error");`
			`assert!(!result.valid);`
			`assert!(result.claims.is_none());`
			`assert_eq!(result.error, Some("test error".to_string()));`
			`}`

			`#[test]`
			`fn test_is_token_expired_handles_invalid() {`
			`let result = is_token_expired("invalid");`
			`assert!(result.is_err());`
			`}`
			`}`