025b143d88
The time crate is the underlying crate which chrono uses for its various operations. Unfortunately, chrono is unmaintained and older versions of the time crate have security vulnerabilities[0] which are unfixed in chrono[1].

The medallion code does not use any chrono-specific features and all uses of it could be trivially replaced with the underlying time structs.

Note that this change adds calls to `expect`. Where these calls are made, the previous chrono functions also panicked internally if out-of-range values were passed.

We noticed this issue while doing a similar refactoring in a program that also uses medallion[2].

[0]: https://rustsec.org/advisories/RUSTSEC-2020-0071.html
[1]: https://rustsec.org/advisories/RUSTSEC-2020-0159.html
[2]: https://cl.tvl.fyi/c/depot/+/5311
Medallion
A JWT library for Rust using serde, serde_json and openssl.
Usage
The library provides a `Token` type that wraps headers and claims.

```rust
extern crate medallion;

use medallion::{
    Header,
    DefaultPayload,
    Token,
};

fn main() {
    // will default to Algorithm::HS256
    let header: Header = Header::default();
    let payload = DefaultPayload {
        iss: Some("example.com".into()),
        sub: Some("Random User".into()),
        ..DefaultPayload::default()
    };
    let token = Token::new(header, payload);

    token.sign(b"secret_key").unwrap();
}
```
The `Header` struct contains all of the headers of the JWT. It requires that a supported algorithm (`HS256`, `HS384`, `HS512`, `RS256`, `RS384`, and `RS512`) be specified. It requires a type for additional header fields. That type must implement serde's `Serialize` and `Deserialize` as well as `PartialEq`. These traits can usually be derived, e.g. `#[derive(PartialEq, Serialize, Deserialize)]`.

```rust
extern crate medallion;

use serde::{Serialize, Deserialize};
use medallion::{Header, DefaultPayload, Token};

#[derive(Debug, Serialize, Deserialize, PartialEq)]
struct CustomHeaders {
    kid: String,
    typ: String,
}

fn main() {
    let header = Header {
        // the additional header fields are optional, hence `Some`
        headers: Some(CustomHeaders {
            kid: "0001".into(),
            typ: "JWT".into(),
        }),
        ..Header::default()
    };
    let payload = DefaultPayload {
        iss: Some("example.com".into()),
        sub: Some("Random User".into()),
        ..DefaultPayload::default()
    };
    let token = Token::new(header, payload);

    token.sign(b"secret_key").unwrap();
}
```
The `Payload` struct contains all of the claims of the JWT. It provides the set of registered, public claims. Additional claims can be added by constructing the `Payload` with a generically typed value. That value's type must implement serde's `Serialize` and `Deserialize` as well as `PartialEq`. These traits can usually be derived, e.g. `#[derive(PartialEq, Serialize, Deserialize)]`. A convenience type, `DefaultPayload`, is provided that binds the generic parameter of `Payload` to an empty tuple type.

```rust
extern crate medallion;

use serde::{Serialize, Deserialize};
use medallion::{Header, Payload, Token};

#[derive(Debug, Serialize, Deserialize, PartialEq)]
struct CustomHeaders {
    kid: String,
    typ: String,
}

#[derive(Debug, Serialize, Deserialize, PartialEq)]
struct CustomClaims {
    user_id: u64,
    email: String,
}

fn main() {
    let header = Header {
        // the additional header fields are optional, hence `Some`
        headers: Some(CustomHeaders {
            kid: "0001".into(),
            typ: "JWT".into(),
        }),
        ..Header::default()
    };
    // `Payload` rather than `DefaultPayload`: the latter fixes the custom
    // claims type to the empty tuple and cannot hold `CustomClaims`
    let payload = Payload {
        iss: Some("example.com".into()),
        sub: Some("Random User".into()),
        claims: Some(CustomClaims {
            user_id: 1234,
            email: "random@example.com".into(),
        }),
        ..Payload::default()
    };
    let token = Token::new(header, payload);

    token.sign(b"secret_key").unwrap();
}
```
See the examples for more detailed usage.
This library was originally forked from @mikkyang's rust-jwt.
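
The commit message above notes that out-of-range time values lead to a panic. The following is an added example, not code from medallion or from the commit, showing how the registered `exp` and `nbf` claims can be checked so that an out-of-range value in an untrusted token yields an error instead. It assumes the claims arrive as optional seconds since the Unix epoch (the RFC 7519 NumericDate form) and uses only the standard library; `TimeClaimError`, `to_system_time` and `check_time_claims` are hypothetical names.

```rust
use std::time::{Duration, SystemTime, UNIX_EPOCH};

// Hypothetical error type for this example (not a medallion type).
#[derive(Debug, PartialEq)]
pub enum TimeClaimError {
    Expired,
    NotYetValid,
    OutOfRange, // claim value cannot be represented as a SystemTime
}

// Convert an untrusted NumericDate (seconds since the Unix epoch) into a
// SystemTime, returning an error instead of panicking when it overflows.
pub fn to_system_time(secs: u64) -> Result<SystemTime, TimeClaimError> {
    UNIX_EPOCH
        .checked_add(Duration::from_secs(secs))
        .ok_or(TimeClaimError::OutOfRange)
}

// Check `nbf` and `exp` against `now`, tolerating `leeway` of clock skew.
pub fn check_time_claims(
    nbf: Option<u64>,
    exp: Option<u64>,
    now: SystemTime,
    leeway: Duration,
) -> Result<(), TimeClaimError> {
    if let Some(nbf) = nbf {
        let not_before = to_system_time(nbf)?;
        let latest_now = now.checked_add(leeway).ok_or(TimeClaimError::OutOfRange)?;
        if latest_now < not_before {
            return Err(TimeClaimError::NotYetValid);
        }
    }
    if let Some(exp) = exp {
        let grace_end = to_system_time(exp)?
            .checked_add(leeway)
            .ok_or(TimeClaimError::OutOfRange)?;
        // RFC 7519: the current time must be strictly before `exp`.
        if now >= grace_end {
            return Err(TimeClaimError::Expired);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample values: one plausible expiry, one hostile one.
    let now = SystemTime::now();
    let soon = now.duration_since(UNIX_EPOCH).unwrap_or_default().as_secs() + 3600;
    println!("{:?}", check_time_claims(None, Some(soon), now, Duration::from_secs(30)));
    println!("{:?}", check_time_claims(None, Some(u64::MAX), now, Duration::from_secs(0)));
}
```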