Refactor request token to be a JWT #125
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## main #125 +/- ##
==========================================
- Coverage 78.39% 76.68% -1.71%
==========================================
Files 30 32 +2
Lines 671 725 +54
Branches 65 71 +6
==========================================
+ Hits 526 556 +30
- Misses 111 129 +18
- Partials 34 40 +6
|
| val jwt: SignedJWT | ||
| try { | ||
| jwt = SignedJWT.parse(token) | ||
| // todo: resolving header.kid against a didresolver |
There was a problem hiding this comment.
put these todos in a new issue: #128
jiyoontbd
requested review from
mistermoe,
phoebe-lew,
michaelneale,
KendallWeihe,
ethan-tbd and
tomdaffurn
as code owners
There was a problem hiding this comment.
@jiyoontbd thoughts on doing the same as this here?
httpclient/build.gradle.kts
Outdated
| @@ -28,6 +28,7 @@ dependencies { | |||
| implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.9.8") | |||
| implementation("com.fasterxml.jackson.core:jackson-databind:2.15.2") | |||
| implementation("decentralized-identity:did-common-java:1.9.0") // would like to grab this via web5 dids | |||
| implementation("com.github.f4b6a3:uuid-creator:5.3.3") | |||
There was a problem hiding this comment.
can we use import java.util.UUID or naw?
There was a problem hiding this comment.
i believe java uuid does not natively support uuidv7 - but we can resort to just regular java uuid for now and punt on whether we want to require uuidv7 for all token generation. i will remove this dep and use java uuid for now
| * @param pfiDid DID of the PFI | ||
| * @return DID of the requester/JWT token issuer | ||
| */ | ||
| fun verifyRequestToken(token: String, pfiDid: String): String { |
There was a problem hiding this comment.
We should use this in http-server in protected endpoints.
httpclient/src/main/kotlin/tbdex/sdk/httpclient/ExceptionDeclarations.kt
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I would separate out the request token related methods into a RequestTokenUtils file
| } | ||
| } | ||
|
|
||
| if (expirationTime.before(Date.from(Instant.now()))) { |
There was a problem hiding this comment.
Could also convert to require if we invert, i.e
require(Instant.now().isBefore(expirationTime.toInstant()))
| val expirationTime = claimsSet.expirationTime | ||
|
|
||
| val requiredKeys = listOf("aud", "iss", "exp", "jti", "iat") | ||
| requiredKeys.forEach { key -> |
There was a problem hiding this comment.
Since this is checking every key, we can use all. i.e
require(requiredKeys.all { key ->
claimsSet.claims.containsKey(key)
}) {
throw RequestTokenMissingClaimsException("Missing required claims.")
}
or similar. If we want to log out which specific claim is missing, can keep as forEach and require inside the loop
There was a problem hiding this comment.
oh yea. in js, we do log out specifically which claim is missing. i adjusted the exception message to log which one's missing.
| val token = generateRequestToken(did, pfiDid) | ||
| val claimsSet = SignedJWT.parse(token).jwtClaimsSet | ||
|
|
||
| val requiredKeys = listOf("aud", "iss", "exp", "jti", "iat") |
There was a problem hiding this comment.
this list is duplicated between test and impl, should extract out to a const in the utils file
| requiredKeys.forEach { | ||
| assertTrue(claimsSet.claims.containsKey(it)) | ||
| } |
There was a problem hiding this comment.
Using assertk, can do:
assertThat(claimsSet.claims.keys).containsExactlyInAnyOrder(requiredKeys)
…rations.kt Co-authored-by: phoebe-lew <plew@squareup.com>
Co-authored-by: phoebe-lew <plew@squareup.com>
…to httpserver getexchange handler with a todo
| // verifying JWT token: https://github.com/TBD54566975/tbdex/issues/210 | ||
|
|
||
| val token = arr[1] | ||
| // TODO: how to access pfiDid here? |
There was a problem hiding this comment.
@phoebe-lew so i want to actually call RequestToken.verify() in this protected endpoint, but not sure how to access pfiDid from here?
There was a problem hiding this comment.
punting it to a separate issue #135
closes #121