Parse unverified JWT (#756)

* Unverified token

* CR: Names

* CR: Test token

Author: pblazej

livekit-api/src/access_token.rs

@@ -151,6 +151,24 @@ pub struct Claims {
     pub room_config: Option<livekit_protocol::RoomConfiguration>,
 }
 
+impl Claims {
+    pub fn from_unverified(token: &str) -> Result<Self, AccessTokenError> {
+        let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::HS256);
+        validation.validate_exp = true;
+        validation.validate_nbf = true;
+        validation.set_required_spec_claims::<String>(&[]);
+        validation.insecure_disable_signature_validation();
+
+        let token = jsonwebtoken::decode::<Claims>(
+            token,
+            &DecodingKey::from_secret(&[]),
+            &validation,
+        )?;
+
+        Ok(token.claims)
+    }
+}
+
 #[derive(Clone)]
 pub struct AccessToken {
     api_key: String,
@@ -299,10 +317,6 @@ impl TokenVerifier {
     pub fn verify(&self, token: &str) -> Result<Claims, AccessTokenError> {
         let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::HS256);
         validation.validate_exp = true;
-        #[cfg(test)] // FIXME: TEST_TOKEN is expired, TODO: generate TEST_TOKEN at test runtime
-        {
-            validation.validate_exp = false;
-        }
         validation.validate_nbf = true;
         validation.set_issuer(&[&self.api_key]);
 
@@ -320,7 +334,7 @@ impl TokenVerifier {
 mod tests {
     use std::time::Duration;
 
-    use super::{AccessToken, TokenVerifier, VideoGrants};
+    use super::{AccessToken, Claims, TokenVerifier, VideoGrants};
 
     const TEST_API_KEY: &str = "myapikey";
     const TEST_API_SECRET: &str = "thiskeyistotallyunsafe";
@@ -383,4 +397,44 @@ mod tests {
             claims
         );
     }
+
+    #[test]
+    fn test_unverified_token() {
+        let claims = Claims::from_unverified(TEST_TOKEN).expect("Failed to parse token");
+
+        assert_eq!(claims.sub, "identity");
+        assert_eq!(claims.name, "name");
+        assert_eq!(claims.iss, TEST_API_KEY);
+        assert_eq!(
+            claims.room_config,
+            Some(livekit_protocol::RoomConfiguration {
+                agents: vec![livekit_protocol::RoomAgentDispatch {
+                    agent_name: "test-agent".to_string(),
+                    metadata: "test-metadata".to_string(),
+                }],
+                ..Default::default()
+            })
+        );
+
+        let token = AccessToken::with_api_key(TEST_API_KEY, TEST_API_SECRET)
+            .with_ttl(Duration::from_secs(60))
+            .with_identity("test")
+            .with_name("test")
+            .with_grants(VideoGrants { room_join: true, room: "test-room".to_string(), ..Default::default() })
+            .to_jwt()
+            .unwrap();
+
+        let claims = Claims::from_unverified(&token).expect("Failed to parse fresh token");
+        assert_eq!(claims.sub, "test");
+        assert_eq!(claims.name, "test");
+        assert_eq!(claims.video.room, "test-room");
+        assert!(claims.video.room_join);
+
+        let parts: Vec<&str> = token.split('.').collect();
+        let malformed_token = format!("{}.{}.wrongsignature", parts[0], parts[1]);
+        
+        let claims = Claims::from_unverified(&malformed_token).expect("Failed to parse token with wrong signature");
+        assert_eq!(claims.sub, "test");
+        assert_eq!(claims.name, "test");
+    }
 }

livekit-api/src/test_token.txt

@@ -1 +1 @@
-eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoibmFtZSIsInZpZGVvIjp7InJvb21Kb2luIjp0cnVlLCJyb29tIjoibXktcm9vbSIsImNhblB1Ymxpc2giOnRydWUsImNhblN1YnNjcmliZSI6dHJ1ZSwiY2FuUHVibGlzaERhdGEiOnRydWV9LCJyb29tQ29uZmlnIjp7ImFnZW50cyI6W3siYWdlbnROYW1lIjoidGVzdC1hZ2VudCIsIm1ldGFkYXRhIjoidGVzdC1tZXRhZGF0YSJ9XX0sInN1YiI6ImlkZW50aXR5IiwiaXNzIjoibXlhcGlrZXkiLCJuYmYiOjE3NDE4Njk2NzksImV4cCI6MTc0MTg5MTI3OX0.9_eOcZ1RNaRXxwdU36LTYoxsHtv_IhfhLk-kTd8MDY4
+eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoibmFtZSIsInZpZGVvIjp7InJvb21Kb2luIjp0cnVlLCJyb29tIjoibXktcm9vbSIsImNhblB1Ymxpc2giOnRydWUsImNhblN1YnNjcmliZSI6dHJ1ZSwiY2FuUHVibGlzaERhdGEiOnRydWV9LCJyb29tQ29uZmlnIjp7ImFnZW50cyI6W3siYWdlbnROYW1lIjoidGVzdC1hZ2VudCIsIm1ldGFkYXRhIjoidGVzdC1tZXRhZGF0YSJ9XX0sInN1YiI6ImlkZW50aXR5IiwiaXNzIjoibXlhcGlrZXkiLCJuYmYiOjE3NDE4Njk2NzksImV4cCI6NDEwMjQ0NDgwMH0.hmKovgw6sDbQUFZxAQ9Xjb9-VUzeBw1A6URTXFuCLMU

livekit-uniffi/python_test/main.py

@@ -29,13 +29,13 @@ def main():
 
     credentials = ApiCredentials(key="devkey", secret="secret")
 
-    jwt = generate_token(
+    jwt = token_generate(
         options=TokenOptions(room_name="test", identity="some_participant"),
         credentials=credentials,
     )
     print(f"Generated JWT: {jwt}")
 
-    decoded_grants = verify_token(
+    decoded_grants = token_verify(
         token=jwt,
         credentials=credentials,
     )

livekit-uniffi/src/access_token.rs

@@ -13,7 +13,7 @@
 // limitations under the License.
 
 use livekit_api::access_token::{
-    AccessToken, AccessTokenError, SIPGrants, TokenVerifier, VideoGrants,
+    self, AccessToken, AccessTokenError, SIPGrants, TokenVerifier, VideoGrants,
 };
 use std::{collections::HashMap, time::Duration};
 
@@ -79,6 +79,25 @@ pub struct Claims {
     pub room_name: String,
 }
 
+impl From<livekit_api::access_token::Claims> for Claims {
+    fn from(claims: livekit_api::access_token::Claims) -> Self {
+        let room_name = claims.room_config.map_or(String::default(), |config| config.name);
+        Self {
+            exp: claims.exp as u64,
+            iss: claims.iss,
+            nbf: claims.nbf as u64,
+            sub: claims.sub,
+            name: claims.name,
+            video: claims.video,
+            sip: claims.sip,
+            sha256: claims.sha256,
+            metadata: claims.metadata,
+            attributes: claims.attributes,
+            room_name,
+        }
+    }
+}
+
 /// API credentials for access token generation and verification.
 #[derive(uniffi::Record)]
 pub struct ApiCredentials {
@@ -121,7 +140,7 @@ pub struct TokenOptions {
 /// variables `LIVEKIT_API_KEY` and `LIVEKIT_SECRET` respectively.
 ///
 #[uniffi::export]
-pub fn generate_token(
+pub fn token_generate(
     options: TokenOptions,
     credentials: Option<ApiCredentials>,
 ) -> Result<String, AccessTokenError> {
@@ -168,7 +187,7 @@ pub fn generate_token(
 /// variables `LIVEKIT_API_KEY` and `LIVEKIT_SECRET` respectively.
 ///
 #[uniffi::export]
-pub fn verify_token(
+pub fn token_verify(
     token: &str,
     credentials: Option<ApiCredentials>,
 ) -> Result<Claims, AccessTokenError> {
@@ -179,18 +198,17 @@ pub fn verify_token(
         None => TokenVerifier::new()?,
     };
     let claims = verifier.verify(token)?;
-    let room_name = claims.room_config.map_or(String::default(), |config| config.name);
-    Ok(Claims {
-        exp: claims.exp as u64,
-        iss: claims.iss,
-        nbf: claims.nbf as u64,
-        sub: claims.sub,
-        name: claims.name,
-        video: claims.video,
-        sip: claims.sip,
-        sha256: claims.sha256,
-        metadata: claims.metadata,
-        attributes: claims.attributes,
-        room_name,
-    })
+    Ok(claims.into())
+}
+
+/// Parses an access token without verifying its signature.
+///
+/// This is useful when you want to inspect token contents without having the secret.
+/// The token's expiration (exp) and not-before (nbf) times are still validated.
+/// WARNING: Do not use this for authentication - the signature is not verified!
+///
+#[uniffi::export]
+pub fn token_claims_from_unverified(token: &str) -> Result<Claims, AccessTokenError> {
+    let claims = access_token::Claims::from_unverified(token)?;
+    Ok(claims.into())
 }