Just some comments

service/OneService.cpp

@@ -261,9 +261,7 @@ public:
 				// fprintf(stderr, "Client ID: %s\n", _config.ssoClientID);
 				// fprintf(stderr, "Central Auth URL: %s\n", _config.centralAuthURL);
 				
-				char buf[17] = {};
 				_idc = zeroidc::zeroidc_new(
-					Utils::hex(_config.nwid, buf),
 					_config.issuerURL,
 					_config.ssoClientID,
 					_config.centralAuthURL,

zeroidc/src/ext.rs

@@ -1,3 +1,15 @@
+/*
+ * Copyright (c)2021 ZeroTier, Inc.
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file in the project's root directory.
+ *
+ * Change Date: 2025-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2.0 of the Apache License.
+ */
+
 use std::ffi::{CStr, CString};
 use std::os::raw::c_char;
 use url::{Url};
@@ -6,17 +18,11 @@ use crate::ZeroIDC;
 
 #[no_mangle]
 pub extern "C" fn zeroidc_new(
-    network_id: *const c_char,
     issuer: *const c_char,
     client_id: *const c_char,
     auth_endpoint: *const c_char,
     web_listen_port: u16,
 ) -> *mut ZeroIDC {
-    if network_id.is_null() {
-        println!("network_id is null");
-        return std::ptr::null_mut();
-
-    }
     if issuer.is_null() {
         println!("issuer is null");
         return std::ptr::null_mut();
@@ -32,12 +38,10 @@ pub extern "C" fn zeroidc_new(
         return std::ptr::null_mut();
     }
 
-    let network_id = unsafe {CStr::from_ptr(network_id) };
     let issuer = unsafe { CStr::from_ptr(issuer) };
     let client_id = unsafe { CStr::from_ptr(client_id) };
     let auth_endpoint = unsafe { CStr::from_ptr(auth_endpoint) };
     match ZeroIDC::new(
-        network_id.to_str().unwrap(),
         issuer.to_str().unwrap(),
         client_id.to_str().unwrap(),
         auth_endpoint.to_str().unwrap(),
@@ -101,24 +105,6 @@ pub extern "C" fn zeroidc_get_exp_time(ptr: *mut ZeroIDC) -> u64 {
     id.get_exp_time()
 }
 
-// #[no_mangle]
-// pub extern "C" fn zeroidc_process_form_post(ptr: *mut ZeroIDC, body: *const c_char) -> bool {
-//     let idc = unsafe {
-//         assert!(!ptr.is_null());
-//         &mut *ptr
-//     };
-
-//     if body.is_null() {
-//         println!("body is null");
-//         return false
-//     }
-
-//     let body = unsafe { CStr::from_ptr(body) }
-//         .to_str().unwrap().to_string();
-
-//     false
-// }
-
 #[no_mangle]
 pub extern "C" fn zeroidc_set_nonce_and_csrf(
     ptr: *mut ZeroIDC,

zeroidc/src/lib.rs

@@ -1,3 +1,15 @@
+/*
+ * Copyright (c)2021 ZeroTier, Inc.
+ *
+ * Use of this software is governed by the Business Source License included
+ * in the LICENSE.TXT file in the project's root directory.
+ *
+ * Change Date: 2025-01-01
+ *
+ * On the date above, in accordance with the Business Source License, use
+ * of this software will be governed by version 2.0 of the Apache License.
+ */
+
 pub mod ext;
 
 extern crate base64;
@@ -27,7 +39,6 @@ pub struct ZeroIDC {
 
 struct Inner {
     running: bool,
-    network_id: String,
     auth_endpoint: String,
     oidc_thread: Option<JoinHandle<()>>,
     oidc_client: Option<openidconnect::core::CoreClient>,
@@ -80,7 +91,6 @@ fn systemtime_strftime<T>(dt: T, format: &str) -> String
 
 impl ZeroIDC {
     fn new(
-        network_id: &str,
         issuer: &str,
         client_id: &str,
         auth_ep: &str,
@@ -89,7 +99,6 @@ impl ZeroIDC {
         let idc = ZeroIDC {
             inner: Arc::new(Mutex::new(Inner {
                 running: false,
-                network_id: network_id.to_string(),
                 auth_endpoint: auth_ep.to_string(),
                 oidc_thread: None,
                 oidc_client: None,
@@ -162,7 +171,7 @@ impl ZeroIDC {
                 // Keep a copy of the initial nonce used to get the tokens
                 // Will be needed later when verifying the responses from refresh tokens
                 let nonce = (*inner_local.lock().unwrap()).nonce.clone();
-                
+
                 while running {
                     let exp = UNIX_EPOCH + Duration::from_secs((*inner_local.lock().unwrap()).exp_time);
                     let now = SystemTime::now();
@@ -200,6 +209,7 @@ impl ZeroIDC {
                                             }
                                         };
             
+                                        // verify & validate claims
                                         let verified = (*inner_local.lock().unwrap()).oidc_client.as_ref().map(|c| {
                                             let claims = match id.claims(&c.id_token_verifier(), &n) {
                                                 Ok(c) => c,
@@ -271,6 +281,10 @@ impl ZeroIDC {
 
                                                             let access_token = res.access_token();
                                                             let at = access_token.secret();
+                                                            // yes this function is called `dangerous_insecure_decode`
+                                                            // and it doesn't validate the jwt token signature, 
+                                                            // but if we've gotten this far, our claims have already
+                                                            // been validated up above
                                                             let exp = dangerous_insecure_decode::<Exp>(&at);
                                                             
                                                             if let Ok(e) = exp {
@@ -350,10 +364,6 @@ impl ZeroIDC {
         }
     }
 
-    fn get_network_id(&mut self) -> String {
-        return (*self.inner.lock().unwrap()).network_id.clone();
-    }
-
     fn get_exp_time(&mut self) -> u64 {
         return (*self.inner.lock().unwrap()).exp_time;
     }
@@ -438,6 +448,8 @@ impl ZeroIDC {
                     let r = c.exchange_code(AuthorizationCode::new(code.to_string()))
                         .set_pkce_verifier(verifier)
                         .request(http_client);
+
+                    // validate the token hashes
                     match r {
                         Ok(res) =>{
                             let n = match i.nonce.clone() {
@@ -525,6 +537,8 @@ impl ZeroIDC {
                                 }
 
                                 let at = tok.access_token().secret();
+
+                                // see previous note about this function's use
                                 let exp = dangerous_insecure_decode::<Exp>(&at);
                                 if let Ok(e) = exp {
                                     i.exp_time = e.claims.exp