taler-rust

oauth.rs (5314B)

---

 /*
   This file is part of TALER
   Copyright (C) 2025 Taler Systems SA
 
   TALER is free software; you can redistribute it and/or modify it under the
   terms of the GNU Affero General Public License as published by the Free Software
   Foundation; either version 3, or (at your option) any later version.
 
   TALER is distributed in the hope that it will be useful, but WITHOUT ANY
   WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
   A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more details.
 
   You should have received a copy of the GNU Affero General Public License along with
   TALER; see the file COPYING.  If not, see <http://www.gnu.org/licenses/>
 */
 
 use std::{borrow::Cow, time::SystemTime};
 
 use base64::{Engine as _, prelude::BASE64_STANDARD};
 use hmac::{Hmac, Mac};
 use percent_encoding::NON_ALPHANUMERIC;
 use rand_core::RngCore;
 use reqwest::{Request, header::HeaderValue};
 use serde::{Deserialize, Serialize};
 use sha1::Sha1;
 
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Token {
     #[serde(rename = "oauth_token")]
     pub key: String,
     #[serde(rename = "oauth_token_secret")]
     pub secret: String,
 }
 
 #[derive(Debug, Deserialize)]
 pub struct TokenAuth {
     pub oauth_token: String,
     pub oauth_verifier: String,
 }
 
 /** Generate a secure OAuth nonce  */
 fn oauth_nonce() -> String {
     // Generate 8 secure random bytes
     let mut buf = [0u8; 8];
     rand_core::OsRng.fill_bytes(&mut buf);
     // Encode as base64 string
     BASE64_STANDARD.encode(buf)
 }
 
 /** Generate an OAuth timestamp  */
 fn oauth_timestamp() -> u64 {
     let start = SystemTime::now();
     let since_the_epoch = start
         .duration_since(std::time::UNIX_EPOCH)
         .expect("Time went backwards");
 
     since_the_epoch.as_secs()
 }
 
 /** Generate a valid OAuth Authorization header */
 fn oauth_header(
     method: &reqwest::Method,
     url: &reqwest::Url,
     consumer: &Token,
     access: Option<&Token>,
     verifier: Option<&str>,
 ) -> String {
     // Per request value
     let oauth_nonce = oauth_nonce();
     let oauth_timestamp = oauth_timestamp().to_string();
 
     // Base string
     let base_string = {
         let oauth_data = {
             let mut oauth_query: Vec<(&str, &str)> = vec![
                 ("oauth_consumer_key", &consumer.key),
                 ("oauth_nonce", &oauth_nonce),
                 ("oauth_signature_method", "HMAC-SHA1"),
                 ("oauth_timestamp", &oauth_timestamp),
             ];
             if let Some(token) = &access {
                 oauth_query.push(("oauth_token", &token.key));
             }
             if let Some(verifier) = &verifier {
                 oauth_query.push(("oauth_verifier", verifier));
             }
             oauth_query.push(("oauth_version", "1.0"));
             let mut all_query: Vec<_> = oauth_query
                 .into_iter()
                 .map(|(a, b)| (Cow::Borrowed(a), Cow::Borrowed(b)))
                 .chain(url.query_pairs())
                 .collect();
             all_query.sort_unstable();
 
             let mut tmp: form_urlencoded::Serializer<'_, String> =
                 form_urlencoded::Serializer::new(String::new());
             for (k, v) in all_query {
                 tmp.append_pair(&k, &v);
             }
             tmp.finish()
         };
         let mut stripped = url.clone();
         stripped.set_query(None);
         form_urlencoded::Serializer::new(String::new())
             .append_key_only(method.as_str())
             .append_key_only(stripped.as_str())
             .append_key_only(&oauth_data)
             .finish()
     };
 
     // Signature
     let key = {
         let mut buf = consumer.secret.clone();
         buf.push('&');
         if let Some(token) = access {
             buf.push_str(&token.secret);
         }
         buf
     };
     let signature = Hmac::<Sha1>::new_from_slice(key.as_bytes())
         .expect("HMAC can take key of any size")
         .chain_update(base_string.as_bytes())
         .finalize()
         .into_bytes();
     let signature_encoded = BASE64_STANDARD.encode(signature);
 
     // Authorization header
     {
         let mut buf = "OAuth ".to_string();
         let mut append = |key: &str, value: &str| {
             buf.push_str(key);
             buf.push_str("=\"");
             for part in percent_encoding::percent_encode(value.as_bytes(), NON_ALPHANUMERIC) {
                 buf.push_str(part);
             }
             buf.push_str("\",");
         };
         append("oauth_consumer_key", &consumer.key);
         append("oauth_nonce", &oauth_nonce);
         append("oauth_signature_method", "HMAC-SHA1");
         append("oauth_timestamp", &oauth_timestamp);
         if let Some(token) = &access {
             append("oauth_token", &token.key);
         }
         if let Some(verifier) = &verifier {
             append("oauth_verifier", verifier);
         }
         append("oauth_version", "1.0");
         append("oauth_signature", &signature_encoded);
         buf
     }
 }
 
 /** Perform OAuth on an HTTP request */
 pub fn oauth(req: &mut Request, consumer: &Token, access: Option<&Token>, verifier: Option<&str>) {
     let header = oauth_header(req.method(), req.url(), consumer, access, verifier);
     req.headers_mut()
         .append("Authorization", HeaderValue::from_str(&header).unwrap());
 }