From 77f18f54374b6a2994d3b29cf3fcb1fd7908d77d Mon Sep 17 00:00:00 2001 From: Jade Ellis Date: Sat, 11 Jan 2025 16:04:19 +0000 Subject: [PATCH] remove undocumented jwt token login --- Cargo.lock | 15 --------------- Cargo.toml | 4 ---- conduwuit-example.toml | 4 ---- src/api/Cargo.toml | 1 - src/api/client/session.rs | 38 ++++---------------------------------- src/core/config/mod.rs | 6 ------ src/service/Cargo.toml | 1 - src/service/globals/mod.rs | 11 ----------- 8 files changed, 4 insertions(+), 76 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f777a50ce..18bd7aab6 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -685,7 +685,6 @@ dependencies = [ "http-body-util", "hyper", "ipaddress", - "jsonwebtoken", "log", "rand", "reqwest", @@ -831,7 +830,6 @@ dependencies = [ "image", "ipaddress", "itertools 0.13.0", - "jsonwebtoken", "log", "loole", "lru-cache", @@ -2115,19 +2113,6 @@ dependencies = [ "serde", ] -[[package]] -name = "jsonwebtoken" -version = "9.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b9ae10193d25051e74945f1ea2d0b42e03cc3b890f7e4cc5faa44997d808193f" -dependencies = [ - "base64 0.21.7", - "js-sys", - "ring", - "serde", - "serde_json", -] - [[package]] name = "konst" version = "0.3.16" diff --git a/Cargo.toml b/Cargo.toml index 855b8dda1..c0b31a693 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -58,10 +58,6 @@ features = ["parse"] [workspace.dependencies.sanitize-filename] version = "0.6.0" -[workspace.dependencies.jsonwebtoken] -version = "9.3.0" -default-features = false - [workspace.dependencies.base64] version = "0.22.1" default-features = false diff --git a/conduwuit-example.toml b/conduwuit-example.toml index 9eefedbb4..28e7012b4 100644 --- a/conduwuit-example.toml +++ b/conduwuit-example.toml 
@@ -563,10 +563,6 @@ # #proxy = "none" -# This item is undocumented. Please contribute documentation for it. -# -#jwt_secret = - # Servers listed here will be used to gather public keys of other servers # (notary trusted key servers). # diff --git a/src/api/Cargo.toml b/src/api/Cargo.toml index 1bc736245..1b463fbcf 100644 --- a/src/api/Cargo.toml +++ b/src/api/Cargo.toml @@ -50,7 +50,6 @@ http.workspace = true http-body-util.workspace = true hyper.workspace = true ipaddress.workspace = true -jsonwebtoken.workspace = true log.workspace = true rand.workspace = true reqwest.workspace = true diff --git a/src/api/client/session.rs b/src/api/client/session.rs index 26377c556..21b8786c9 100644 --- a/src/api/client/session.rs +++ b/src/api/client/session.rs @@ -20,17 +20,10 @@ use ruma::{ }, OwnedUserId, UserId, }; -use serde::Deserialize; use super::{DEVICE_ID_LENGTH, TOKEN_LENGTH}; use crate::{utils, utils::hash, Error, Result, Ruma}; -#[derive(Debug, Deserialize)] -struct Claims { - sub: String, - //exp: usize, -} - /// # `GET /_matrix/client/v3/login` /// /// Get the supported login types of this server. One of these should be used as 
@@ -106,34 +99,11 @@ pub(crate) async fn login_route( user_id }, - | login::v3::LoginInfo::Token(login::v3::Token { token }) => { + | login::v3::LoginInfo::Token(login::v3::Token { token: _ }) => { debug!("Got token login type"); - if let Some(jwt_decoding_key) = services.globals.jwt_decoding_key() { - let token = jsonwebtoken::decode::( - token, - jwt_decoding_key, - &jsonwebtoken::Validation::default(), - ) - .map_err(|e| { - warn!("Failed to parse JWT token from user logging in: {e}"); - Error::BadRequest(ErrorKind::InvalidUsername, "Token is invalid.") - })?; - - let username = token.claims.sub.to_lowercase(); - - UserId::parse_with_server_name(username, services.globals.server_name()).map_err( - |e| { - err!(Request(InvalidUsername(debug_error!( - ?e, - "Failed to parse login username" - )))) - }, - )? - } else { - return Err!(Request(Unknown( - "Token login is not supported (server has no jwt decoding key)." - ))); - } + return Err!(Request(Unknown( + "Token login is not supported." + ))); }, #[allow(deprecated)] | login::v3::LoginInfo::ApplicationService(login::v3::ApplicationService { diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs index 97ecbeaf8..d65d38125 100644 --- a/src/core/config/mod.rs +++ b/src/core/config/mod.rs @@ -671,8 +671,6 @@ pub struct Config { #[serde(default)] pub proxy: ProxyConfig, - pub jwt_secret: Option, - /// Servers listed here will be used to gather public keys of other servers /// (notary trusted key servers). /// @@ -2005,10 +2003,6 @@ impl fmt::Display for Config { "Lockdown public room directory (only allow admins to publish)", &self.lockdown_public_room_directory.to_string(), ); - line("JWT secret", match self.jwt_secret { - | Some(_) => "set", - | None => "not set", - }); line( "Trusted key servers", &self diff --git a/src/service/Cargo.toml b/src/service/Cargo.toml index 4708ff4e1..21fbb4172 100644 --- a/src/service/Cargo.toml +++ b/src/service/Cargo.toml 
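Review bot: In `src/api/client/session.rs`, the `Token` arm of `login_route` now rejects every request, but nothing on the new lines says why, and `token: _` still destructures a field that is never read. I would match `login::v3::LoginInfo::Token(_)` and put a comment above the `return`, for example `// JWT-based m.login.token login was removed; reject unconditionally instead of falling through to another login path`. The rejection is only recorded by the existing `debug!` call, whereas the removed code emitted `warn!` on a bad token, so requests against the retired login type may no longer show up at the usual log level; consider logging at a higher level if that visibility matters. `login_route` starts and ends outside this hunk, and the handler for `GET /_matrix/client/v3/login` is not shown, so it is worth confirming that it does not advertise `m.login.token`.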
@@ -61,7 +61,6 @@ image.workspace = true image.optional = true ipaddress.workspace = true itertools.workspace = true -jsonwebtoken.workspace = true log.workspace = true loole.workspace = true lru-cache.workspace = true diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs index 38d7f786b..f6ff2b093 100644 --- a/src/service/globals/mod.rs +++ b/src/service/globals/mod.rs @@ -18,7 +18,6 @@ pub struct Service { pub db: Data, pub config: Config, - jwt_decoding_key: Option, pub bad_event_ratelimiter: Arc>>, pub server_user: OwnedUserId, pub admin_alias: OwnedRoomAliasId, @@ -33,11 +32,6 @@ impl crate::Service for Service { let db = Data::new(&args); let config = &args.server.config; - let jwt_decoding_key = config - .jwt_secret - .as_ref() - .map(|secret| jsonwebtoken::DecodingKey::from_secret(secret.as_bytes())); - let turn_secret = config .turn_secret_file @@ -66,7 +60,6 @@ impl crate::Service for Service { let mut s = Self { db, config: config.clone(), - jwt_decoding_key, bad_event_ratelimiter: Arc::new(RwLock::new(HashMap::new())), admin_alias: OwnedRoomAliasId::try_from(format!("#admins:{}", &config.server_name)) .expect("#admins:server_name is valid alias name"), @@ -158,10 +151,6 @@ impl Service { pub fn trusted_servers(&self) -> &[OwnedServerName] { &self.config.trusted_servers } - pub fn jwt_decoding_key(&self) -> Option<&jsonwebtoken::DecodingKey> { - self.jwt_decoding_key.as_ref() - } - pub fn turn_password(&self) -> &String { &self.config.turn_password } pub fn turn_ttl(&self) -> u64 { self.config.turn_ttl }