itsi 0.1.14 → 0.1.18

data/crates/itsi_server/src/server/binds/mod.rs

@@ -0,0 +1,4 @@
+pub mod bind;
+pub mod bind_protocol;
+pub mod listener;
+pub mod tls;

data/crates/itsi_server/src/server/{tls.rs → binds/tls.rs}

@@ -3,7 +3,7 @@ use itsi_error::Result;
 use itsi_tracing::info;
 use locked_dir_cache::LockedDirCache;
 use rcgen::{
-    generate_simple_self_signed, CertificateParams, CertifiedKey, DnType, KeyPair, SanType,
+    BasicConstraints, CertificateParams, DistinguishedName, DnType, IsCa, KeyPair, SanType,
 };
 use rustls::{
     pki_types::{CertificateDer, PrivateKeyDer},
@@ -24,6 +24,7 @@ use crate::env::{
     ITSI_ACME_CACHE_DIR, ITSI_ACME_CA_PEM_PATH, ITSI_ACME_CONTACT_EMAIL, ITSI_ACME_DIRECTORY_URL,
     ITSI_LOCAL_CA_DIR,
 };
+
 mod locked_dir_cache;
 
 #[derive(Clone)]
@@ -253,9 +254,13 @@ fn get_or_create_local_dev_ca() -> Result<(String, String)> {
         Ok((key_pem, cert_pem))
     } else {
         let subject_alt_names = vec!["dev.itsi.fyi".to_string(), "localhost".to_string()];
-
-        let CertifiedKey { cert, key_pair } =
-            generate_simple_self_signed(subject_alt_names).unwrap();
+        let mut params = CertificateParams::new(subject_alt_names)?;
+        let mut distinguished_name = DistinguishedName::new();
+        distinguished_name.push(DnType::CommonName, "Itsi Development CA");
+        params.distinguished_name = distinguished_name;
+        params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
+        let key_pair = KeyPair::generate()?;
+        let cert = params.self_signed(&key_pair)?;
 
         fs::write(&key_path, key_pair.serialize_pem())?;
         fs::write(&cert_path, cert.pem())?;

data/crates/itsi_server/src/server/http_message_types.rs

@@ -0,0 +1,97 @@
+use std::convert::Infallible;
+
+use bytes::Bytes;
+use http::{Request, Response};
+use http_body_util::combinators::BoxBody;
+use hyper::body::Incoming;
+
+use super::size_limited_incoming::SizeLimitedIncoming;
+
+pub type HttpResponse = Response<BoxBody<Bytes, Infallible>>;
+pub type HttpRequest = Request<SizeLimitedIncoming<Incoming>>;
+
+pub trait ConversionExt {
+    fn limit(self) -> HttpRequest;
+}
+
+impl ConversionExt for Request<Incoming> {
+    fn limit(self) -> HttpRequest {
+        let (parts, body) = self.into_parts();
+        Request::from_parts(parts, SizeLimitedIncoming::new(body))
+    }
+}
+
+pub trait RequestExt {
+    fn content_type(&self) -> Option<&str>;
+    fn accept(&self) -> Option<&str>;
+    fn header(&self, header_name: &str) -> Option<&str>;
+    fn query_param(&self, query_name: &str) -> Option<&str>;
+}
+
+pub trait PathExt {
+    fn no_trailing_slash(&self) -> &str;
+}
+
+#[derive(Debug, Clone)]
+pub enum ResponseFormat {
+    JSON,
+    HTML,
+    TEXT,
+    UNKNOWN,
+}
+
+#[derive(Debug, Clone, Default)]
+pub struct SupportedEncodingSet {
+    pub zstd: bool,
+    pub br: bool,
+    pub deflate: bool,
+    pub gzip: bool,
+}
+
+impl From<Option<&str>> for ResponseFormat {
+    fn from(value: Option<&str>) -> Self {
+        match value {
+            Some("application/json") => ResponseFormat::JSON,
+            Some("text/html") => ResponseFormat::HTML,
+            Some("text/plain") => ResponseFormat::TEXT,
+            _ => ResponseFormat::UNKNOWN,
+        }
+    }
+}
+
+impl PathExt for str {
+    fn no_trailing_slash(&self) -> &str {
+        if self == "/" {
+            self
+        } else {
+            self.trim_end_matches("/")
+        }
+    }
+}
+
+impl RequestExt for HttpRequest {
+    fn content_type(&self) -> Option<&str> {
+        self.headers()
+            .get("content-type")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn accept(&self) -> Option<&str> {
+        self.headers()
+            .get("accept")
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn header(&self, header_name: &str) -> Option<&str> {
+        self.headers()
+            .get(header_name)
+            .map(|hv| hv.to_str().unwrap_or(""))
+    }
+
+    fn query_param(&self, query_name: &str) -> Option<&str> {
+        self.uri()
+            .query()
+            .and_then(|query| query.split('&').find(|param| param.starts_with(query_name)))
+            .map(|param| param.split('=').nth(1).unwrap_or(""))
+    }
+}

data/crates/itsi_server/src/server/io_stream.rs

@@ -1,4 +1,3 @@
-use super::listener::SockAddr;
 use pin_project::pin_project;
 use tokio::net::{TcpStream, UnixStream};
 use tokio_rustls::server::TlsStream;
@@ -8,6 +7,8 @@ use std::pin::Pin;
 use std::task::{Context, Poll};
 use tokio::io::{AsyncRead, AsyncWrite};
 
+use super::binds::listener::SockAddr;
+
 #[pin_project(project = IoStreamEnumProj)]
 pub enum IoStream {
     Tcp {

data/crates/itsi_server/src/server/middleware_stack/middleware.rs

@@ -1,8 +1,10 @@
-use super::middlewares::*;
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse},
+    services::itsi_http_service::HttpRequestContext,
 };
+
+use super::middlewares::*;
+
 use async_trait::async_trait;
 use either::Either;
 use magnus::error::Result;
@@ -21,6 +23,7 @@ pub enum Middleware {
     ETag(ETag),
     IntrusionProtection(IntrusionProtection),
     LogRequests(LogRequests),
+    MaxBody(MaxBody),
     Proxy(Proxy),
     RateLimit(RateLimit),
     Redirect(Redirect),
@@ -28,6 +31,7 @@ pub enum Middleware {
     ResponseHeaders(ResponseHeaders),
     RubyApp(RubyApp),
     StaticAssets(StaticAssets),
+    StaticResponse(StaticResponse),
 }
 
 #[async_trait]
@@ -41,6 +45,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.initialize().await,
             Middleware::AuthAPIKey(filter) => filter.initialize().await,
             Middleware::IntrusionProtection(filter) => filter.initialize().await,
+            Middleware::MaxBody(filter) => filter.initialize().await,
             Middleware::RateLimit(filter) => filter.initialize().await,
             Middleware::RequestHeaders(filter) => filter.initialize().await,
             Middleware::ResponseHeaders(filter) => filter.initialize().await,
@@ -48,6 +53,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.initialize().await,
             Middleware::ETag(filter) => filter.initialize().await,
             Middleware::StaticAssets(filter) => filter.initialize().await,
+            Middleware::StaticResponse(filter) => filter.initialize().await,
             Middleware::Compression(filter) => filter.initialize().await,
             Middleware::LogRequests(filter) => filter.initialize().await,
             Middleware::Redirect(filter) => filter.initialize().await,
@@ -59,7 +65,7 @@ impl MiddlewareLayer for Middleware {
     async fn before(
         &self,
         req: HttpRequest,
-        context: &mut RequestContext,
+        context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         match self {
             Middleware::DenyList(filter) => filter.before(req, context).await,
@@ -68,6 +74,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.before(req, context).await,
             Middleware::AuthAPIKey(filter) => filter.before(req, context).await,
             Middleware::IntrusionProtection(filter) => filter.before(req, context).await,
+            Middleware::MaxBody(filter) => filter.before(req, context).await,
             Middleware::RequestHeaders(filter) => filter.before(req, context).await,
             Middleware::ResponseHeaders(filter) => filter.before(req, context).await,
             Middleware::RateLimit(filter) => filter.before(req, context).await,
@@ -75,6 +82,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.before(req, context).await,
             Middleware::ETag(filter) => filter.before(req, context).await,
             Middleware::StaticAssets(filter) => filter.before(req, context).await,
+            Middleware::StaticResponse(filter) => filter.before(req, context).await,
             Middleware::Compression(filter) => filter.before(req, context).await,
             Middleware::LogRequests(filter) => filter.before(req, context).await,
             Middleware::Redirect(filter) => filter.before(req, context).await,
@@ -83,7 +91,7 @@ impl MiddlewareLayer for Middleware {
         }
     }
 
-    async fn after(&self, res: HttpResponse, context: &mut RequestContext) -> HttpResponse {
+    async fn after(&self, res: HttpResponse, context: &mut HttpRequestContext) -> HttpResponse {
         match self {
             Middleware::DenyList(filter) => filter.after(res, context).await,
             Middleware::AllowList(filter) => filter.after(res, context).await,
@@ -91,6 +99,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::AuthJwt(filter) => filter.after(res, context).await,
             Middleware::AuthAPIKey(filter) => filter.after(res, context).await,
             Middleware::IntrusionProtection(filter) => filter.after(res, context).await,
+            Middleware::MaxBody(filter) => filter.after(res, context).await,
             Middleware::RateLimit(filter) => filter.after(res, context).await,
             Middleware::RequestHeaders(filter) => filter.after(res, context).await,
             Middleware::ResponseHeaders(filter) => filter.after(res, context).await,
@@ -98,6 +107,7 @@ impl MiddlewareLayer for Middleware {
             Middleware::Cors(filter) => filter.after(res, context).await,
             Middleware::ETag(filter) => filter.after(res, context).await,
             Middleware::StaticAssets(filter) => filter.after(res, context).await,
+            Middleware::StaticResponse(filter) => filter.after(res, context).await,
             Middleware::Compression(filter) => filter.after(res, context).await,
             Middleware::LogRequests(filter) => filter.after(res, context).await,
             Middleware::Redirect(filter) => filter.after(res, context).await,
@@ -118,16 +128,18 @@ impl Middleware {
             Middleware::CacheControl(_) => 5,
             Middleware::RequestHeaders(_) => 6,
             Middleware::ResponseHeaders(_) => 7,
-            Middleware::AuthBasic(_) => 8,
-            Middleware::AuthJwt(_) => 9,
-            Middleware::AuthAPIKey(_) => 10,
-            Middleware::RateLimit(_) => 11,
-            Middleware::ETag(_) => 12,
-            Middleware::Compression(_) => 13,
-            Middleware::Proxy(_) => 14,
-            Middleware::Cors(_) => 15,
-            Middleware::StaticAssets(_) => 16,
-            Middleware::RubyApp(_) => 17,
+            Middleware::MaxBody(_) => 8,
+            Middleware::AuthBasic(_) => 9,
+            Middleware::AuthJwt(_) => 10,
+            Middleware::AuthAPIKey(_) => 11,
+            Middleware::RateLimit(_) => 12,
+            Middleware::ETag(_) => 13,
+            Middleware::Compression(_) => 14,
+            Middleware::Proxy(_) => 15,
+            Middleware::Cors(_) => 16,
+            Middleware::StaticResponse(_) => 17,
+            Middleware::StaticAssets(_) => 18,
+            Middleware::RubyApp(_) => 19,
         }
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/allow_list.rs

@@ -1,8 +1,10 @@
-use super::{ErrorResponse, FromValue, MiddlewareLayer};
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
 };
+
+use super::{ErrorResponse, FromValue, MiddlewareLayer};
+
 use async_trait::async_trait;
 use either::Either;
 use itsi_error::ItsiError;
@@ -16,28 +18,35 @@ pub struct AllowList {
     #[serde(skip_deserializing)]
     pub allowed_ips: OnceLock<RegexSet>,
     pub allowed_patterns: Vec<String>,
+    #[serde(default = "forbidden_error_response")]
     pub error_response: ErrorResponse,
 }
 
+fn forbidden_error_response() -> ErrorResponse {
+    ErrorResponse::forbidden()
+}
+
 #[async_trait]
 impl MiddlewareLayer for AllowList {
     async fn initialize(&self) -> Result<()> {
-        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::default)?;
+        let allowed_ips = RegexSet::new(&self.allowed_patterns).map_err(ItsiError::new)?;
         self.allowed_ips
             .set(allowed_ips)
-            .map_err(|e| ItsiError::default(format!("Failed to set allowed IPs: {:?}", e)))?;
+            .map_err(|e| ItsiError::new(format!("Failed to set allowed IPs: {:?}", e)))?;
         Ok(())
     }
 
     async fn before(
         &self,
         req: HttpRequest,
-        context: &mut RequestContext,
+        context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         if let Some(allowed_ips) = self.allowed_ips.get() {
             if !allowed_ips.is_match(&context.addr) {
                 return Ok(Either::Right(
-                    self.error_response.to_http_response(&req).await,
+                    self.error_response
+                        .to_http_response(req.accept().into())
+                        .await,
                 ));
             }
         }

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_api_key.rs

@@ -1,6 +1,8 @@
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse, RequestExt},
+use std::collections::HashMap;
+
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher},
 };
 
 use super::{error_response::ErrorResponse, token_source::TokenSource, FromValue, MiddlewareLayer};
@@ -10,25 +12,32 @@ use either::Either;
 use magnus::error::Result;
 use serde::Deserialize;
 
+type PasswordHash = String;
+
 /// A simple API key filter.
 /// The API key can be given inside the header or a query string
 /// Keys are validated against a list of allowed key values (Changing these requires a restart)
-///
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthAPIKey {
-    pub valid_keys: Vec<String>,
+    pub valid_keys: HashMap<String, PasswordHash>,
+    pub key_id_source: Option<TokenSource>,
     pub token_source: TokenSource,
+    #[serde(default = "unauthorized_error_response")]
     pub error_response: ErrorResponse,
 }
 
+fn unauthorized_error_response() -> ErrorResponse {
+    ErrorResponse::unauthorized()
+}
+
 #[async_trait]
 impl MiddlewareLayer for AuthAPIKey {
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut RequestContext,
+        _context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
-        let submitted_value = match &self.token_source {
+        if let Some(submitted_key) = match &self.token_source {
             TokenSource::Header { name, prefix } => {
                 if let Some(header) = req.header(name) {
                     if let Some(prefix) = prefix {
@@ -41,18 +50,38 @@ impl MiddlewareLayer for AuthAPIKey {
                 }
             }
             TokenSource::Query(query_name) => req.query_param(query_name),
-        };
-        if !self
-            .valid_keys
-            .iter()
-            .any(|key| submitted_value.is_some_and(|sv| sv == key))
-        {
-            Ok(Either::Right(
-                self.error_response.to_http_response(&req).await,
-            ))
-        } else {
-            Ok(Either::Left(req))
+        } {
+            if let Some(key_id) = self.key_id_source.as_ref() {
+                let key_id = match &key_id {
+                    TokenSource::Header { name, prefix } => {
+                        if let Some(header) = req.header(name) {
+                            if let Some(prefix) = prefix {
+                                Some(header.strip_prefix(prefix).unwrap_or("").trim_ascii())
+                            } else {
+                                Some(header.trim_ascii())
+                            }
+                        } else {
+                            None
+                        }
+                    }
+                    TokenSource::Query(query_name) => req.query_param(query_name),
+                };
+                if let Some(hash) = key_id.and_then(|kid| self.valid_keys.get(kid)) {
+                    if password_hasher::verify_password_hash(submitted_key, hash).is_ok_and(|v| v) {
+                        return Ok(Either::Left(req));
+                    }
+                }
+            } else if self.valid_keys.iter().any(|(_key_id, key)| {
+                password_hasher::verify_password_hash(submitted_key, key).is_ok_and(|v| v)
+            }) {
+                return Ok(Either::Left(req));
+            }
         }
+        Ok(Either::Right(
+            self.error_response
+                .to_http_response(req.accept().into())
+                .await,
+        ))
     }
 }
 impl FromValue for AuthAPIKey {}

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_basic.rs

@@ -9,18 +9,20 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::str;
 
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse, RequestExt},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::{itsi_http_service::HttpRequestContext, password_hasher::verify_password_hash},
 };
 
 use super::{FromValue, MiddlewareLayer};
 
+type PasswordHash = String;
+
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct AuthBasic {
     pub realm: String,
     /// Maps usernames to passwords.
-    pub credential_pairs: HashMap<String, String>,
+    pub credential_pairs: HashMap<String, PasswordHash>,
 }
 
 impl AuthBasic {
@@ -40,7 +42,7 @@ impl MiddlewareLayer for AuthBasic {
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut RequestContext,
+        _context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         // Retrieve the Authorization header.
         let auth_header = req.header("Authorization");
@@ -69,12 +71,14 @@ impl MiddlewareLayer for AuthBasic {
         let mut parts = decoded_str.splitn(2, ':');
         let username = parts.next().unwrap_or("");
         let password = parts.next().unwrap_or("");
-
         match self.credential_pairs.get(username) {
-            Some(expected_password) if expected_password == password => Ok(Either::Left(req)),
-            _ => {
-                return Ok(Either::Right(self.basic_auth_failed_response()));
+            Some(expected_password_hash) => {
+                match verify_password_hash(password, expected_password_hash) {
+                    Ok(true) => Ok(Either::Left(req)),
+                    _ => Ok(Either::Right(self.basic_auth_failed_response())),
+                }
             }
+            None => Ok(Either::Right(self.basic_auth_failed_response())),
         }
     }
 }

data/crates/itsi_server/src/server/middleware_stack/middlewares/auth_jwt.rs

@@ -1,8 +1,9 @@
 use super::{error_response::ErrorResponse, token_source::TokenSource, FromValue, MiddlewareLayer};
-use crate::server::{
-    itsi_service::RequestContext,
-    types::{HttpRequest, HttpResponse, RequestExt},
+use crate::{
+    server::http_message_types::{HttpRequest, HttpResponse, RequestExt},
+    services::itsi_http_service::HttpRequestContext,
 };
+
 use async_trait::async_trait;
 use base64::{engine::general_purpose, Engine};
 use derive_more::Debug;
@@ -17,6 +18,7 @@ use std::{
     collections::{HashMap, HashSet},
     sync::OnceLock,
 };
+use tracing::error;
 
 #[derive(Debug, Clone, Deserialize)]
 pub struct AuthJwt {
@@ -31,9 +33,14 @@ pub struct AuthJwt {
     pub subjects: Option<HashSet<String>>,
     pub issuers: Option<HashSet<String>>,
     pub leeway: Option<u64>,
+    #[serde(default = "unauthorized_error_response")]
     pub error_response: ErrorResponse,
 }
 
+fn unauthorized_error_response() -> ErrorResponse {
+    ErrorResponse::unauthorized()
+}
+
 #[derive(Debug, Clone, Deserialize, PartialEq, Eq, Hash)]
 pub enum JwtAlgorithm {
     #[serde(rename(deserialize = "hs256"))]
@@ -83,13 +90,14 @@ impl From<JwtAlg> for JwtAlgorithm {
 impl JwtAlgorithm {
     /// Given a base64-encoded key string, decode and construct a jsonwebtoken::DecodingKey.
     pub fn key_from(&self, base64: &str) -> itsi_error::Result<DecodingKey> {
-        let bytes = general_purpose::STANDARD
-            .decode(base64)
-            .map_err(ItsiError::default)?;
         match self {
             // For HMAC algorithms, use the secret directly.
             JwtAlgorithm::Hs256 | JwtAlgorithm::Hs384 | JwtAlgorithm::Hs512 => {
-                Ok(DecodingKey::from_secret(&bytes))
+                Ok(DecodingKey::from_secret(
+                    &general_purpose::STANDARD
+                        .decode(base64)
+                        .map_err(ItsiError::new)?,
+                ))
             }
             // For RSA (and PS) algorithms, expect a PEM-formatted key.
             JwtAlgorithm::Rs256
@@ -97,12 +105,12 @@ impl JwtAlgorithm {
             | JwtAlgorithm::Rs512
             | JwtAlgorithm::Ps256
             | JwtAlgorithm::Ps384
-            | JwtAlgorithm::Ps512 => {
-                DecodingKey::from_rsa_pem(&bytes).map_err(|e| ItsiError::default(e.to_string()))
-            }
+            | JwtAlgorithm::Ps512 => DecodingKey::from_rsa_pem(base64.trim_ascii().as_bytes())
+                .map_err(|e| ItsiError::new(e.to_string())),
             // For ECDSA algorithms, expect a PEM-formatted key.
             JwtAlgorithm::Es256 | JwtAlgorithm::Es384 => {
-                DecodingKey::from_ec_pem(&bytes).map_err(|e| ItsiError::default(e.to_string()))
+                DecodingKey::from_ec_pem(base64.trim_ascii().as_bytes())
+                    .map_err(|e| ItsiError::new(e.to_string()))
             }
         }
     }
@@ -143,14 +151,14 @@ impl MiddlewareLayer for AuthJwt {
             .collect::<itsi_error::Result<HashMap<JwtAlgorithm, Vec<DecodingKey>>>>()?;
         self.keys
             .set(keys)
-            .map_err(|_| ItsiError::default("Failed to set keys".to_string()))?;
+            .map_err(|_| ItsiError::new("Failed to set keys"))?;
         Ok(())
     }
 
     async fn before(
         &self,
         req: HttpRequest,
-        _context: &mut RequestContext,
+        _context: &mut HttpRequestContext,
     ) -> Result<Either<HttpRequest, HttpResponse>> {
         // Retrieve the JWT token from either a header or a query parameter.
         let token_str = match &self.token_source {
@@ -170,19 +178,21 @@ impl MiddlewareLayer for AuthJwt {
 
         if token_str.is_none() {
             return Ok(Either::Right(
-                self.error_response.to_http_response(&req).await,
+                self.error_response
+                    .to_http_response(req.accept().into())
+                    .await,
             ));
         }
         let token_str = token_str.unwrap();
-
-        // Use jsonwebtoken's decode_header to inspect the token and determine its algorithm.
         let header =
-            decode_header(token_str).map_err(|_| ItsiError::default("Invalid token header"))?;
+            decode_header(token_str).map_err(|_| ItsiError::new("Invalid token header"))?;
         let alg: JwtAlgorithm = header.alg.into();
 
         if !self.verifiers.contains_key(&alg) {
             return Ok(Either::Right(
-                self.error_response.to_http_response(&req).await,
+                self.error_response
+                    .to_http_response(req.accept().into())
+                    .await,
             ));
         }
         let keys = self.keys.get().unwrap().get(&alg).unwrap();
@@ -201,26 +211,32 @@ impl MiddlewareLayer for AuthJwt {
             JwtAlgorithm::Ps384 => JwtAlg::PS384,
             JwtAlgorithm::Ps512 => JwtAlg::PS512,
         });
+
         if let Some(leeway) = self.leeway {
             validation.leeway = leeway;
         }
-        // (Optional) You could set expected issuer or audience on `validation` here.
 
-        // Try verifying the token using each key until one succeeds.
-        let token_data: Option<TokenData<Claims>> = keys
-            .iter()
-            .find_map(|key| decode::<Claims>(token_str, key, &validation).ok());
+        let token_data: Option<TokenData<Claims>> =
+            keys.iter()
+                .find_map(|key| match decode::<Claims>(token_str, key, &validation) {
+                    Ok(data) => Some(data),
+                    Err(e) => {
+                        error!("Token validation failed: {:?}", e);
+                        None
+                    }
+                });
         let token_data = if let Some(data) = token_data {
             data
         } else {
             return Ok(Either::Right(
-                self.error_response.to_http_response(&req).await,
+                self.error_response
+                    .to_http_response(req.accept().into())
+                    .await,
             ));
         };
 
         let claims = token_data.claims;
 
-        // Verify expected audiences.
         if let Some(expected_audiences) = &self.audiences {
             if let Some(aud) = &claims.aud {
                 let token_auds: HashSet<String> = match aud {
@@ -229,18 +245,21 @@ impl MiddlewareLayer for AuthJwt {
                 };
                 if expected_audiences.is_disjoint(&token_auds) {
                     return Ok(Either::Right(
-                        self.error_response.to_http_response(&req).await,
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
                     ));
                 }
             }
         }
 
-        // Verify expected subject.
         if let Some(expected_subjects) = &self.subjects {
             if let Some(sub) = &claims.sub {
                 if !expected_subjects.contains(sub) {
                     return Ok(Either::Right(
-                        self.error_response.to_http_response(&req).await,
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
                     ));
                 }
             }
@@ -251,7 +270,9 @@ impl MiddlewareLayer for AuthJwt {
             if let Some(iss) = &claims.iss {
                 if !expected_issuers.contains(iss) {
                     return Ok(Either::Right(
-                        self.error_response.to_http_response(&req).await,
+                        self.error_response
+                            .to_http_response(req.accept().into())
+                            .await,
                     ));
                 }
             }