Add org.matrix.login.jwt support.

Signed-off-by: Jason Volk <jason@zemos.net>

src/core/Cargo.toml

@@ -78,6 +78,7 @@ http-body-util.workspace = true
 http.workspace = true
 ipaddress.workspace = true
 itertools.workspace = true
+jsonwebtoken.workspace = true
 ldap3.workspace = true
 libc.workspace = true
 libloading.workspace = true

src/core/config/mod.rs

@@ -52,7 +52,7 @@ use crate::{Result, err, error::Error, utils::sys};
 ### For more information, see:
 ### https://tuwunel.chat/configuration.html
 "#,
-	ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates ldap"
+	ignore = "catchall well_known tls blurhashing allow_invalid_tls_certificates ldap jwt"
 )]
 pub struct Config {
 	/// The server_name is the pretty name of this server. It is used as a
@@ -1814,6 +1814,10 @@ pub struct Config {
 	#[serde(default)]
 	pub ldap: LdapConfig,
 
+	// external structure; separate section
+	#[serde(default)]
+	pub jwt: JwtConfig,
+
 	#[serde(flatten)]
 	#[allow(clippy::zero_sized_map_values)]
 	// this is a catchall, the map shouldn't be zero at runtime
@@ -1991,6 +1995,99 @@ pub struct LdapConfig {
 	pub admin_filter: String,
 }
 
+#[derive(Clone, Debug, Default, Deserialize)]
+#[config_example_generator(filename = "tuwunel-example.toml", section = "global.jwt")]
+pub struct JwtConfig {
+	/// Enable JWT logins
+	///
+	/// default: false
+	#[serde(default)]
+	pub enable: bool,
+
+	/// Validation key, also called 'secret' in Synapse config. The type of key
+	/// can be configured in 'format', but defaults to the common HMAC which
+	/// is a plaintext shared-secret, so you should keep this value private.
+	///
+	/// display: sensitive
+	/// default:
+	#[serde(default, alias = "secret")]
+	pub key: String,
+
+	/// Format of the 'key'. Only HMAC, ECDSA, and B64HMAC are supported
+	/// Binary keys cannot be pasted into this config, so B64HMAC is an
+	/// alternative to HMAC for properly random secret strings.
+	/// - HMAC is a plaintext shared-secret private-key.
+	/// - B64HMAC is a base64-encoded version of HMAC.
+	/// - ECDSA is a PEM-encoded public-key.
+	///
+	/// default: "HMAC"
+	#[serde(default = "default_jwt_format")]
+	pub format: String,
+
+	/// Automatically create new user from a valid claim, otherwise access is
+	/// denied for an unknown even with an authentic token.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub register_user: bool,
+
+	/// JWT algorithm
+	///
+	/// default: "HS256"
+	#[serde(default = "default_jwt_algorithm")]
+	pub algorithm: String,
+
+	/// Optional audience claim list. The token must claim one or more values
+	/// from this list when set.
+	///
+	/// default: []
+	#[serde(default)]
+	pub audience: Vec<String>,
+
+	/// Optional issuer claim list. The token must claim one or more values
+	/// from this list when set.
+	///
+	/// default: []
+	#[serde(default)]
+	pub issuer: Vec<String>,
+
+	/// Require expiration claim in the token. This defaults to false for
+	/// synapse migration compatibility.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_exp: bool,
+
+	/// Require not-before claim in the token. This defaults to false for
+	/// synapse migration compatibility.
+	///
+	/// default: false
+	#[serde(default)]
+	pub require_nbf: bool,
+
+	/// Validate expiration time of the token when present. Whether or not it is
+	/// required depends on require_exp, but when present this ensures the token
+	/// is not used after a time.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_exp: bool,
+
+	/// Validate not-before time of the token when present. Whether or not it is
+	/// required depends on require_nbf, but when present this ensures the token
+	/// is not used before a time.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_nbf: bool,
+
+	/// Bypass validation for diagnostic/debug use only.
+	///
+	/// default: true
+	#[serde(default = "true_fn")]
+	pub validate_signature: bool,
+}
+
 #[derive(Deserialize, Clone, Debug)]
 #[serde(transparent)]
 struct ListeningPort {
@@ -2392,3 +2489,7 @@ fn default_ldap_uid_attribute() -> String { String::from("uid") }
 fn default_ldap_mail_attribute() -> String { String::from("mail") }
 
 fn default_ldap_name_attribute() -> String { String::from("givenName") }
+
+fn default_jwt_algorithm() -> String { "HS256".to_owned() }
+
+fn default_jwt_format() -> String { "HMAC".to_owned() }

src/core/mod.rs

@@ -14,6 +14,7 @@ pub mod utils;
 
 pub use ::arrayvec;
 pub use ::http;
+pub use ::jsonwebtoken as jwt;
 pub use ::ruma;
 pub use ::smallstr;
 pub use ::smallvec;