How to handle authentication #96
Comments
|
One day, there would be a more "out of the box" strategy (maybe you can investigate it). The strategy would be for you to have a In your handler, you would do: #[get("/protected")]
fn my_action(&self, user: User) -> ... { }You have access to the request via Now, for more advanced cases, you would have to have different struct User<C: Capability> {
capability: C,
}
trait Capability {
// Whatever you need to authenticate a user
}
impl<C: Capability> Extract for User<C> {
type Future = ExtractUserFuture<C>;
fn extract(context: &Context) -> Self::Future {
C::method_used_for_validating_capability(context);
}
}In this case, you would be using the type system to enforce capabilities. You can get as crazy as you want... fn action(&self, user: User<(CreateFoo, DeleteFoo)>) { } |
|
In order to validate a JWT I need a secret. It is stored in a configuration file of an application or it can be loaded from a database in some cases. What would be a convenient way to access it from within the #[derive(Debug)]
struct Resource {
secret: Secret,
}
#[derive(Debug)]
struct User {
id: &'static str,
}
impl<B: BufStream> Extract<B> for User {
type Future = Immediate<User>;
fn extract(context: &Context) -> Self::Future {
info!("{:?}", context);
Immediate::ok(User { id: "123" })
}
}
impl_web! {
impl Resource {
#[get("/")]
fn action(&self, user: User) {
...
}
}
} |
|
My plan has been to enable configuration through the context argument. This has not been implemented yet. Either you can try to take a stab at it, or I can try to get it done sometime this week or so. Configuration will have to be stored using an "any map" strategy. This would be similar to: https://github.com/hyperium/http/blob/master/src/extensions.rs The Then, from extract, you could do: context.config.get::<MyConfigType>() |
|
@carllerche Please, take a look. Is that what you had in mind?
|
|
Here is an application example struct State {
secret: String,
}
struct Resource;
struct User;
impl<B: BufStream> Extract<B> for User {
type Future = Immediate<User>;
fn extract(context: &Context) -> Self::Future {
let state = context.config::<State>().unwrap();
...
}
}
impl_web! {
impl Resource {
#[get("/")]
fn action(&self, user: User) {
...
}
}
}
fn main() {
...
ServiceBuilder::new()
.config(State { secret: "secret".to_owned() })
.resource(Resource)
.run(&addr)
.unwrap();
} |
|
It looks like there are some errors for rustc 1.26.0. Do we need workarounds? |
|
Ideally, I believe that it would just require a manual |
|
Ok. Will do. What else should be added / changed? |
|
@manifest I left some inline comments. I'm still thinking about |
|
@carllerche while the user extraction methods works, it is going to be very verbose if most of the routes need to be authenticated but no use of user param. Probably a better way is to provide something like a filter. https://tomcat.apache.org/tomcat-9.0-doc/servletapi/javax/servlet/Filter.html |
|
@mmrath I'm not familiar with Java. Could you please elaborate on how filter differs from middleware? Could you provide an example how it may look like in Rust? |
|
@mmrath I would be happy to continue that discussion in a new issue. |
In our applications we use JSON Web Tokens in authorization header and in some cases an access_token parameter in query string to authenticate user requests. Since some resources may allow an anonymous access, while other restrict it to users with particular permissions, we need a way to determine if token was presented in a request and if it's presented – validate and extract an information from it (for instance, sub claim in our tokens contains a user identifier).
Is there already any concept how it could be implemented?
The text was updated successfully, but these errors were encountered: