Unverified token

pblazej · pblazej · commit e584ecb13e51 · 2025-10-20T13:12:01.000+02:00
diff --git a/livekit-api/src/access_token.rs b/livekit-api/src/access_token.rs
@@ -151,6 +151,28 @@ pub struct Claims {
     pub room_config: Option<livekit_protocol::RoomConfiguration>,
 }
 
+impl Claims {
+    pub fn with_unverified(token: &str) -> Result<Self, AccessTokenError> {
+        let mut validation = jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::HS256);
+        validation.validate_exp = true;
+        #[cfg(test)]
+        {
+            validation.validate_exp = false;
+        }
+        validation.validate_nbf = true;
+        validation.set_required_spec_claims::<String>(&[]);
+        validation.insecure_disable_signature_validation();
+
+        let token = jsonwebtoken::decode::<Claims>(
+            token,
+            &DecodingKey::from_secret(&[]),
+            &validation,
+        )?;
+
+        Ok(token.claims)
+    }
+}
+
 #[derive(Clone)]
 pub struct AccessToken {
     api_key: String,
@@ -320,7 +342,7 @@ impl TokenVerifier {
 mod tests {
     use std::time::Duration;
 
-    use super::{AccessToken, TokenVerifier, VideoGrants};
+    use super::{AccessToken, Claims, TokenVerifier, VideoGrants};
 
     const TEST_API_KEY: &str = "myapikey";
     const TEST_API_SECRET: &str = "thiskeyistotallyunsafe";
@@ -383,4 +405,44 @@ mod tests {
             claims
         );
     }
+
+    #[test]
+    fn test_unverified_token() {
+        let claims = Claims::with_unverified(TEST_TOKEN).expect("Failed to parse token");
+
+        assert_eq!(claims.sub, "identity");
+        assert_eq!(claims.name, "name");
+        assert_eq!(claims.iss, TEST_API_KEY);
+        assert_eq!(
+            claims.room_config,
+            Some(livekit_protocol::RoomConfiguration {
+                agents: vec![livekit_protocol::RoomAgentDispatch {
+                    agent_name: "test-agent".to_string(),
+                    metadata: "test-metadata".to_string(),
+                }],
+                ..Default::default()
+            })
+        );
+
+        let token = AccessToken::with_api_key(TEST_API_KEY, TEST_API_SECRET)
+            .with_ttl(Duration::from_secs(60))
+            .with_identity("test")
+            .with_name("test")
+            .with_grants(VideoGrants { room_join: true, room: "test-room".to_string(), ..Default::default() })
+            .to_jwt()
+            .unwrap();
+
+        let claims = Claims::with_unverified(&token).expect("Failed to parse fresh token");
+        assert_eq!(claims.sub, "test");
+        assert_eq!(claims.name, "test");
+        assert_eq!(claims.video.room, "test-room");
+        assert!(claims.video.room_join);
+
+        let parts: Vec<&str> = token.split('.').collect();
+        let malformed_token = format!("{}.{}.wrongsignature", parts[0], parts[1]);
+        
+        let claims = Claims::with_unverified(&malformed_token).expect("Failed to parse token with wrong signature");
+        assert_eq!(claims.sub, "test");
+        assert_eq!(claims.name, "test");
+    }
 }
diff --git a/livekit-uniffi/src/access_token.rs b/livekit-uniffi/src/access_token.rs
@@ -13,7 +13,7 @@
 // limitations under the License.
 
 use livekit_api::access_token::{
-    AccessToken, AccessTokenError, SIPGrants, TokenVerifier, VideoGrants,
+    self, AccessToken, AccessTokenError, SIPGrants, TokenVerifier, VideoGrants,
 };
 use std::{collections::HashMap, time::Duration};
 
@@ -79,6 +79,25 @@ pub struct Claims {
     pub room_name: String,
 }
 
+impl From<livekit_api::access_token::Claims> for Claims {
+    fn from(claims: livekit_api::access_token::Claims) -> Self {
+        let room_name = claims.room_config.map_or(String::default(), |config| config.name);
+        Self {
+            exp: claims.exp as u64,
+            iss: claims.iss,
+            nbf: claims.nbf as u64,
+            sub: claims.sub,
+            name: claims.name,
+            video: claims.video,
+            sip: claims.sip,
+            sha256: claims.sha256,
+            metadata: claims.metadata,
+            attributes: claims.attributes,
+            room_name,
+        }
+    }
+}
+
 /// API credentials for access token generation and verification.
 #[derive(uniffi::Record)]
 pub struct ApiCredentials {
@@ -179,18 +198,17 @@ pub fn verify_token(
         None => TokenVerifier::new()?,
     };
     let claims = verifier.verify(token)?;
-    let room_name = claims.room_config.map_or(String::default(), |config| config.name);
-    Ok(Claims {
-        exp: claims.exp as u64,
-        iss: claims.iss,
-        nbf: claims.nbf as u64,
-        sub: claims.sub,
-        name: claims.name,
-        video: claims.video,
-        sip: claims.sip,
-        sha256: claims.sha256,
-        metadata: claims.metadata,
-        attributes: claims.attributes,
-        room_name,
-    })
+    Ok(claims.into())
+}
+
+/// Parses an access token without verifying its signature.
+///
+/// This is useful when you want to inspect token contents without having the secret.
+/// The token's expiration (exp) and not-before (nbf) times are still validated.
+/// WARNING: Do not use this for authentication - the signature is not verified!
+///
+#[uniffi::export]
+pub fn unverified_token(token: &str) -> Result<Claims, AccessTokenError> {
+    let claims = access_token::Claims::with_unverified(token)?;
+    Ok(claims.into())
 }
