Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add JWT token expiration at JWTSettings level - NominalDiffTime #1599

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 30 additions & 0 deletions changelog.d/1599
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
synopsis: Allow setting a NominalDiffTime for JWT Token expiration on JWTSettings
prs: #1599

description: {

## Introduction

The ability to set expiration to the `JWT Token` in `servant-auth-server` library, rests on the `CookieSettings` data type configuration and in particular in the field `cookieExpires` as we can appreciate it [here](https://github.com/haskell-servant/servant/blob/f0e2316895ee5fda52ba9d5b2b7e10f8a80a9019/servant-auth/servant-auth-server/src/Servant/Auth/Server/Internal/ConfigTypes.hs#L66).

## Discussion

The problems regarding using this field for setting `JWT Token` expiration time are the following:
1. `CookieSettings` are usually created at application startup time and it keeps with the same values during the whole application life cycle. Since `cookieExpires` is an absolute and deterministic point in time, futures `JWT Tokens` will contain precisely the same expiration time leading to an undesired behavior and expiring the token upon creation.
2. `CookieSettings` is a particular Data Type for all the cookies and `JWT Token` should not be coupled to the rest of the cookies.
3. With the current setup and using the automatic authentication schema like the one described [here](https://docs.servant.dev/en/stable/cookbook/jwt-and-basic-auth/JWTAndBasicAuth.html), it is not possible to configure the application to create `JWT Tokens` with specific `DiffTime` expirations, like for example configure the authentication context to create a JWT that expires in 2 hours, even using `CookieSettings.cookieExpires`.
4. The only possible way to do this is using the `acceptLogin` function and the creation of the `CookieSettings` value every time the entity authenticates successfully, but this authentication setup is manual and cannot be done with `BasicAuthentication` combinator.

## Proposal
The proposal is implemented in this PR and includes the following changes:

1. Add `expiresIn :: Maybe NominalDiffTime` in `JWTSettings`
2. Remove `Maybe UTCTime` parameter from `makeJWT` function.
3. Calculate expiration on `makeJWT` function using `getCurrentTime + expiresIn` if it is present.

## Solution

- The implemented solution will allow to create once `JWTSettings` and `CookieSettings` but allow the user to set an optional `NominalDiffTime` to calculate the expiration of the `JWT Token` upon token creation if the value is present.
- This removes the need of calling explicitly `acceptLogin` and allowing `BasicAuthentication` context to handle the creation of the token by itself.

}
2 changes: 1 addition & 1 deletion servant-auth/servant-auth-server/README.lhs
Original file line number Diff line number Diff line change
Expand Up @@ -134,7 +134,7 @@ mainWithJWT = do
xs <- words <$> getLine
case xs of
[name', email'] -> do
etoken <- makeJWT (User name' email') jwtCfg Nothing
etoken <- makeJWT (User name' email') jwtCfg
case etoken of
Left e -> putStrLn $ "Error generating token:t" ++ show e
Right v -> putStrLn $ "New token:\t" ++ show v
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ data JWTSettings = JWTSettings
-- | An @aud@ predicate. The @aud@ is a string or URI that identifies the
-- intended recipient of the JWT.
, audienceMatches :: Jose.StringOrURI -> IsMatch

-- | How long from now until the jwt expires. Default: @Nothing@.
, expiresIn :: Maybe NominalDiffTime

} deriving (Generic)

-- | A @JWTSettings@ where the audience always matches.
Expand All @@ -45,7 +49,9 @@ defaultJWTSettings k = JWTSettings
{ signingKey = k
, jwtAlg = Nothing
, validationKeys = pure $ Jose.JWKSet [k]
, audienceMatches = const Matches }
, audienceMatches = const Matches
, expiresIn = Nothing
}

-- | The policies to use when generating cookies.
--
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,6 @@ module Servant.Auth.Server.Internal.Cookie where
import Blaze.ByteString.Builder (toByteString)
import Control.Monad.Except
import Control.Monad.Reader
import qualified Crypto.JOSE as Jose
import qualified Crypto.JWT as Jose
import Data.ByteArray (constEq)
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base64 as BS64
Expand All @@ -21,7 +19,7 @@ import Servant (AddHeader, addHeader)
import System.Entropy (getEntropy)
import Web.Cookie

import Servant.Auth.JWT (FromJWT (decodeJWT), ToJWT)
import Servant.Auth.JWT (FromJWT, ToJWT)
import Servant.Auth.Server.Internal.ConfigTypes
import Servant.Auth.Server.Internal.JWT (makeJWT, verifyJWT)
import Servant.Auth.Server.Internal.Types
Expand Down Expand Up @@ -80,7 +78,7 @@ makeCsrfCookie = makeXsrfCookie
-- | Makes a cookie with session information.
makeSessionCookie :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe SetCookie)
makeSessionCookie cookieSettings jwtSettings v = do
ejwt <- makeJWT v jwtSettings (cookieExpires cookieSettings)
ejwt <- makeJWT v jwtSettings
case ejwt of
Left _ -> return Nothing
Right jwt -> return
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ import qualified Data.ByteString.Lazy as BSL
import qualified Data.HashMap.Strict as HM
import Data.Maybe (fromMaybe)
import qualified Data.Text as T
import Data.Time (UTCTime)
import Data.Time (UTCTime, getCurrentTime, addUTCTime)
import Network.Wai (requestHeaders)

import Servant.Auth.JWT (FromJWT(..), ToJWT(..))
Expand All @@ -38,22 +38,23 @@ jwtAuthCheck jwtSettings = do
Just v -> return v

-- | Creates a JWT containing the specified data. The data is stored in the
-- @dat@ claim. The 'Maybe UTCTime' argument indicates the time at which the
-- token expires.
-- @dat@ claim. The expiration time 'Maybe NominalDiffTime' is taken from 'JWTSettings'
-- and indicates the time at which the token expires.
makeJWT :: ToJWT a
=> a -> JWTSettings -> Maybe UTCTime -> IO (Either Jose.Error BSL.ByteString)
makeJWT v cfg expiry = runExceptT $ do
=> a -> JWTSettings -> IO (Either Jose.Error BSL.ByteString)
makeJWT v cfg = runExceptT $ do
currentTime <- ExceptT $ pure <$> getCurrentTime
bestAlg <- Jose.bestJWSAlg $ signingKey cfg
let alg = fromMaybe bestAlg $ jwtAlg cfg
ejwt <- Jose.signClaims (signingKey cfg)
(Jose.newJWSHeader ((), alg))
(addExp $ encodeJWT v)
(addExp currentTime $ encodeJWT v)

return $ Jose.encodeCompact ejwt
where
addExp claims = case expiry of
addExp currTime claims = case expiresIn cfg of
Nothing -> claims
Just e -> claims & Jose.claimExp ?~ Jose.NumericDate e
Just e -> claims & Jose.claimExp ?~ Jose.NumericDate (addUTCTime e currTime)


verifyJWT :: FromJWT a => JWTSettings -> BS.ByteString -> IO (Maybe a)
Expand Down
30 changes: 17 additions & 13 deletions servant-auth/servant-auth-server/test/Servant/Auth/ServerSpec.hs
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
{-# LANGUAGE NumericUnderscores #-}
{-# LANGUAGE CPP #-}
module Servant.Auth.ServerSpec (spec) where

Expand Down Expand Up @@ -85,7 +86,7 @@ authSpec

it "succeeds if one authentication suceeds" $ \port -> property $
\(user :: User) -> do
jwt <- makeJWT user jwtCfg Nothing
jwt <- makeJWT user jwtCfg
opts <- addJwtToHeader jwt
resp <- getWith opts (url port)
resp ^? responseBody . _JSON `shouldBe` Just (length $ name user)
Expand All @@ -95,7 +96,7 @@ authSpec

it "doesn't clobber pre-existing response headers" $ \port -> property $
\(user :: User) -> do
jwt <- makeJWT user jwtCfg Nothing
jwt <- makeJWT user jwtCfg
opts <- addJwtToHeader jwt
resp <- getWith opts (url port ++ "/header")
resp ^. responseHeader "Blah" `shouldBe` "1797"
Expand All @@ -104,14 +105,14 @@ authSpec
context "Raw" $ do

it "gets the response body" $ \port -> property $ \(user :: User) -> do
jwt <- makeJWT user jwtCfg Nothing
jwt <- makeJWT user jwtCfg
opts <- addJwtToHeader jwt
resp <- getWith opts (url port ++ "/raw")
resp ^. responseBody `shouldBe` "how are you?"

it "doesn't clobber pre-existing reponse headers" $ \port -> property $
\(user :: User) -> do
jwt <- makeJWT user jwtCfg Nothing
jwt <- makeJWT user jwtCfg
opts <- addJwtToHeader jwt
resp <- getWith opts (url port ++ "/raw")
resp ^. responseHeader "hi" `shouldBe` "there"
Expand Down Expand Up @@ -146,7 +147,7 @@ authSpec
let (cookieJar:_) = resp ^.. responseCookieJar
Just xxsrf = find (\x -> cookie_name x == xsrfField xsrfCookieName cookieCfg)
$ destroyCookieJar cookieJar
xxsrf ^. cookieExpiryTime `shouldBe` future
xxsrf ^. cookieExpiryTime `shouldBe` futureUTC

it "sets the token cookie as HttpOnly" $ \port -> property $ \(user :: User) -> do
jwt <- createJWT theKey (newJWSHeader ((), HS256))
Expand Down Expand Up @@ -318,19 +319,19 @@ jwtAuthSpec
it "fails if 'nbf' is set to a future date" $ \port -> property $
\(user :: User) -> do
jwt <- createJWT theKey (newJWSHeader ((), HS256))
(claims (toJSON user) & claimNbf .~ Just (NumericDate future))
(claims (toJSON user) & claimNbf .~ Just (NumericDate futureUTC))
opts <- addJwtToHeader (jwt >>= (return . encodeCompact))
getWith opts (url port) `shouldHTTPErrorWith` status401

it "fails if 'exp' is set to a past date" $ \port -> property $
\(user :: User) -> do
jwt <- makeJWT user jwtCfg (Just past)
jwt <- makeJWT user $ jwtCfg {expiresIn = Just past}
opts <- addJwtToHeader jwt
getWith opts (url port) `shouldHTTPErrorWith` status401

it "succeeds if 'exp' is set to a future date" $ \port -> property $
\(user :: User) -> do
jwt <- makeJWT user jwtCfg (Just future)
jwt <- makeJWT user $ jwtCfg {expiresIn = Just future}
opts <- addJwtToHeader jwt
resp <- getWith opts (url port)
resp ^. responseStatus `shouldBe` status200
Expand Down Expand Up @@ -441,7 +442,7 @@ theKey = unsafePerformIO . genJWK $ OctGenParam 256

cookieCfg :: CookieSettings
cookieCfg = def
{ cookieExpires = Just future
{ cookieExpires = Just futureUTC
, cookieIsSecure = NotSecure
, sessionCookieName = "RuncibleSpoon"
, cookieXsrfSetting = pure $ def
Expand Down Expand Up @@ -527,11 +528,14 @@ server ccfg =
------------------------------------------------------------------------------
-- * Utils {{{

past :: UTCTime
past = parseTimeOrError True defaultTimeLocale "%Y-%m-%d" "1970-01-01"
past :: NominalDiffTime
past = (-1) * future

future :: UTCTime
future = parseTimeOrError True defaultTimeLocale "%Y-%m-%d" "2070-01-01"
future :: NominalDiffTime
future = 1_000_000

futureUTC :: UTCTime
futureUTC = parseTimeOrError True defaultTimeLocale "%Y-%m-%d" "2070-01-01"

addJwtToHeader :: Either Error BSL.ByteString -> IO Options
addJwtToHeader jwt = case jwt of
Expand Down