#include <jwt_validator.h>

Collaboration diagram for kcenon::pacs::web::auth::jwt_validator:

Public Member Functions
	jwt_validator (const oauth2_config &config)
	Construct validator with OAuth 2.0 configuration.

std::pair< jwt_token, jwt_error >	decode (std::string_view token_string) const
	Decode a JWT token string into its components.

jwt_error	validate_claims (const jwt_claims &claims) const
	Validate JWT claims against configuration.

bool	verify_rs256 (const jwt_token &token, std::string_view public_key_pem) const
	Verify RS256 (RSA-SHA256) signature.

bool	verify_es256 (const jwt_token &token, std::string_view public_key_pem) const
	Verify ES256 (ECDSA-SHA256) signature.

const oauth2_config &	config () const noexcept
	Get the OAuth 2.0 configuration.

Static Public Member Functions
static bool	has_scope (const jwt_claims &claims, std::string_view scope) noexcept
	Check if token has a specific scope.

static bool	has_any_scope (const jwt_claims &claims, const std::vector< std::string > &scopes) noexcept
	Check if token has any of the specified scopes.

Private Attributes
oauth2_config	config_

Detailed Description

Definition at line 124 of file jwt_validator.h.

Constructor & Destructor Documentation

◆ jwt_validator()

kcenon::pacs::web::auth::jwt_validator::jwt_validator ( const oauth2_config & config )

explicit

Construct validator with OAuth 2.0 configuration.

Parameters

config The OAuth 2.0 configuration

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 178 of file jwt_validator.cpp.

179 : config_(config) {}

kcenon::pacs::web::auth::jwt_validator::config_

oauth2_config config_

Definition jwt_validator.h:201

kcenon::pacs::web::auth::jwt_validator::config

const oauth2_config & config() const noexcept

Get the OAuth 2.0 configuration.

Definition jwt_validator.cpp:481

Member Function Documentation

◆ config()

const oauth2_config & kcenon::pacs::web::auth::jwt_validator::config ( ) const

nodiscardnoexcept

Get the OAuth 2.0 configuration.

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 481 of file jwt_validator.cpp.

                                                          {
    return config_;
}

References config_.

◆ decode()

std::pair< jwt_token, jwt_error > kcenon::pacs::web::auth::jwt_validator::decode ( std::string_view token_string ) const

nodiscard

Decode a JWT token string into its components.

Splits the token, decodes Base64url segments, and parses JSON. Does NOT verify the signature.

Parameters

token_string The raw JWT string (header.payload.signature)

Returns: Pair of decoded token and error code

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 181 of file jwt_validator.cpp.

                                       {
 
    jwt_token token;
 
    // Split into 3 parts: header.payload.signature
    auto dot1 = token_string.find('.');
    if (dot1 == std::string_view::npos) {
        return {token, jwt_error::malformed_token};
    }
 
    auto dot2 = token_string.find('.', dot1 + 1);
    if (dot2 == std::string_view::npos) {
        return {token, jwt_error::malformed_token};
    }
 
    // Check no additional dots
    if (token_string.find('.', dot2 + 1) != std::string_view::npos) {
        return {token, jwt_error::malformed_token};
    }
 
    auto header_b64 = token_string.substr(0, dot1);
    auto payload_b64 = token_string.substr(dot1 + 1, dot2 - dot1 - 1);
    auto signature_b64 = token_string.substr(dot2 + 1);
 
    // Store header.payload for signature verification
    token.header_payload = std::string(token_string.substr(0, dot2));
 
    // Decode header
    auto header_json = base64url_decode(header_b64);
    if (!header_json) {
        return {token, jwt_error::invalid_base64};
    }
 
    // Decode payload
    auto payload_json = base64url_decode(payload_b64);
    if (!payload_json) {
        return {token, jwt_error::invalid_base64};
    }
 
    // Decode signature
    auto sig_bytes = base64url_decode(signature_b64);
    if (!sig_bytes) {
        return {token, jwt_error::invalid_base64};
    }
    token.signature_bytes = std::move(*sig_bytes);
 
    // Parse header JSON
    auto header_rv = crow::json::load(*header_json);
    if (!header_rv) {
        return {token, jwt_error::invalid_json};
    }
 
    token.header.alg = json_string(header_rv, "alg");
    token.header.typ = json_string(header_rv, "typ");
    token.header.kid = json_string(header_rv, "kid");
 
    if (token.header.alg.empty()) {
        return {token, jwt_error::missing_required_claim};
    }
 
    // Block dangerous algorithms unconditionally (CVE: JWT alg:none attack)
    static const std::set<std::string> kDangerousAlgorithms = {
        "none", "None", "NONE", "HS256", "HS384", "HS512"};
    if (kDangerousAlgorithms.count(token.header.alg)) {
        return {token, jwt_error::unsupported_algorithm};
    }
 
    // Check algorithm is allowed
    auto& allowed = config_.allowed_algorithms;
    if (!allowed.empty()) {
        bool alg_allowed = std::any_of(
            allowed.begin(), allowed.end(),
            [&](const std::string& a) { return a == token.header.alg; });
        if (!alg_allowed) {
            return {token, jwt_error::unsupported_algorithm};
        }
    }
 
    // Parse payload JSON
    auto payload_rv = crow::json::load(*payload_json);
    if (!payload_rv) {
        return {token, jwt_error::invalid_json};
    }
 
    token.claims.iss = json_string(payload_rv, "iss");
    token.claims.sub = json_string(payload_rv, "sub");
    token.claims.aud = json_string(payload_rv, "aud");
    token.claims.exp = json_int64(payload_rv, "exp");
    token.claims.iat = json_int64(payload_rv, "iat");
    token.claims.nbf = json_int64(payload_rv, "nbf");
    token.claims.jti = json_string(payload_rv, "jti");
 
    // Parse scopes from "scope" claim (space-delimited string per RFC 6749)
    auto scope_str = json_string(payload_rv, "scope");
    if (!scope_str.empty()) {
        token.claims.scopes = parse_scopes(scope_str);
    }
 
    return {token, jwt_error::none};
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::authenticate().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ has_any_scope()

bool kcenon::pacs::web::auth::jwt_validator::has_any_scope	(	const jwt_claims &	claims,
		const std::vector< std::string > &	scopes )

staticnodiscardnoexcept

Check if token has any of the specified scopes.

Parameters

claims	The token claims
scopes	List of acceptable scopes

Returns: true if at least one scope matches

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 471 of file jwt_validator.cpp.

                                                 {
 
    return std::any_of(scopes.begin(), scopes.end(),
                       [&claims](const std::string& scope) {
                           return has_scope(claims, scope);
                       });
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::require_any_scope().

Here is the caller graph for this function:

◆ has_scope()

bool kcenon::pacs::web::auth::jwt_validator::has_scope	(	const jwt_claims &	claims,
		std::string_view	scope )

staticnodiscardnoexcept

Check if token has a specific scope.

Parameters

claims	The token claims
scope	The required scope

Returns: true if the scope is present

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 463 of file jwt_validator.cpp.

                                   {
 
    return std::any_of(claims.scopes.begin(), claims.scopes.end(),
                       [scope](const std::string& s) { return s == scope; });
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::require_scope().

Here is the caller graph for this function:

◆ validate_claims()

jwt_error kcenon::pacs::web::auth::jwt_validator::validate_claims ( const jwt_claims & claims ) const

nodiscard

Validate JWT claims against configuration.

Checks issuer, audience, expiration, and not-before claims.

Parameters

claims The decoded claims to validate

Returns: jwt_error::none if all claims are valid

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 283 of file jwt_validator.cpp.

                                                                       {
    auto now = current_timestamp();
    auto skew = static_cast<std::int64_t>(config_.clock_skew_seconds);
 
    // Check expiration
    if (claims.exp > 0 && now > claims.exp + skew) {
        return jwt_error::token_expired;
    }
 
    // Check not-before
    if (claims.nbf > 0 && now < claims.nbf - skew) {
        return jwt_error::token_not_yet_valid;
    }
 
    // Check issuer
    if (!config_.issuer.empty() && claims.iss != config_.issuer) {
        return jwt_error::invalid_issuer;
    }
 
    // Check audience
    if (!config_.audience.empty() && claims.aud != config_.audience) {
        return jwt_error::invalid_audience;
    }
 
    // Sub claim is typically required
    if (claims.sub.empty()) {
        return jwt_error::missing_required_claim;
    }
 
    return jwt_error::none;
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::authenticate().

Here is the caller graph for this function:

◆ verify_es256()

bool kcenon::pacs::web::auth::jwt_validator::verify_es256	(	const jwt_token &	token,
		std::string_view	public_key_pem ) const

nodiscard

Verify ES256 (ECDSA-SHA256) signature.

Parameters

token	The decoded token with signature data
public_key_pem	EC public key in PEM format

Returns: true if signature is valid

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 451 of file jwt_validator.cpp.

                            {
    return false;
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::verify_signature().

Here is the caller graph for this function:

◆ verify_rs256()

bool kcenon::pacs::web::auth::jwt_validator::verify_rs256	(	const jwt_token &	token,
		std::string_view	public_key_pem ) const

nodiscard

Verify RS256 (RSA-SHA256) signature.

Parameters

token	The decoded token with signature data
public_key_pem	RSA public key in PEM format

Returns: true if signature is valid

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 445 of file jwt_validator.cpp.

                            {
    return false;
}

Referenced by kcenon::pacs::web::auth::oauth2_middleware::verify_signature().

Here is the caller graph for this function:

Member Data Documentation

◆ config_

oauth2_config kcenon::pacs::web::auth::jwt_validator::config_

private

Examples: /home/runner/work/pacs_system/pacs_system/include/kcenon/pacs/web/auth/jwt_validator.h.

Definition at line 201 of file jwt_validator.h.

Referenced by config(), decode(), and validate_claims().

The documentation for this class was generated from the following files:

include/kcenon/pacs/web/auth/jwt_validator.h
src/web/auth/jwt_validator.cpp

Public Member Functions

Static Public Member Functions

Private Attributes

Detailed Description

Constructor & Destructor Documentation

◆ jwt_validator()

Member Function Documentation

◆ config()

◆ decode()

◆ has_any_scope()

◆ has_scope()

◆ validate_claims()

◆ verify_es256()

◆ verify_rs256()

Member Data Documentation

◆ config_