Skip to content
A Rust Boilerplate server with GraphQL API, Diesel, PostgreSQL, session authentication and JWT
Branch: master
Clone or download
shirshak55 and clifinger Update diesel.toml (#16)
Generate docs
also add patch file that helps to see how schema changes overtime.
Latest commit 4488c58 Nov 11, 2019

MIT license Status Status

Canduma rust authentication server boilerplate

A Rust authentication server with GraphQL API, Diesel, PostgreSQL session authentication and JWT

This repository contains boilerplate rust code for getting a GraphQL prototype with JWT up and running quickly.

It uses actix-web, Juniper, Diesel and jsonwebtoken

Your own pull requests are welcome!

Benchmarks with insert into PostgreSQL

▶ ./bombardier -c 125 -n 10000000 http://localhost:3000/graphql -k -f body --method=POST -H "Content-Type: application/json" -s    
Bombarding http://localhost:3000/graphql with 10000000 request(s) using 125 connection(s)

10000000 / 10000000 [===========================================================================] 100.00% 28777/s 5m47s
Statistics        Avg      Stdev        Max
  Reqs/sec     28788.66    2183.47   34605.95
  Latency        4.32ms   543.07us   110.95ms
  HTTP codes:
    1xx - 0, 2xx - 10000000, 3xx - 0, 4xx - 0, 5xx - 0
    others - 0
  Throughput:    20.75MB/s

Collection of major crates used in Canduma


  • Rustup
  • Stable Toolchain: rustup default stable
  • Diesel cli with postgres cargo install diesel_cli --no-default-features --features "postgres"
  • PostgreSQL database server or use our docker-compose.yml (require docker)

Getting Started

git clone
cd canduma
docker-compose up
cp .env.example .env
diesel setup --database-url='postgres://postgres:canduma@localhost/canduma'
diesel migration run
cargo run

Test the GraphQL API with Insomnia


Register with Insomnia


Login with Insomnia

Get my account

Login with Insomnia

Get JWT Token

Get JWT by GraphQL with Insomnia

Set Bearer JWT Token

Set JWT Token with Insomnia

Get decoded JWT by the server (for tests purpose)

Get JWT decoded Token by GraphQL with Insomnia

Test authentication with session in GraphQL by getting all users (for tests purpose)

Get all users by GraphQL with Insomnia


Logout with Insomnia

Raw code for Insomnia

############ GraphQL Queries ############
query usersQuery {
  users {

query tokenQuery {
  token {

query decodeTokenQuery {
  decode {

Build release

cargo build --release
cd target/release


Important security considerations

We use session cookies for authentication.

Why not JWT authentication?

Stop Using JWT for sessions and why your solution doesn't work

The use of JWT remains secure only if you use adequate storage. This boilerplate is built for use in a micro-services architecture.

JWT can be use for representing claims to be transferred between two parties.

The private key should only be on this micro-service. public key can be used on all other parties to decode the token.

This boilerplate provides a complete example, so we included JWT also.

Generate RSA keys for JWT

In development mode you can keep the one in /keys folder.

// private key
$ openssl genrsa -out rs256-4096-private.rsa 4096
$ openssl rsa -in rs256-4096-private.rsa -outform DER -out private_rsa_key.der

// public key
$ openssl rsa -in rs256-4096-private.rsa -pubout > rs256-4096-public.pem
$ openssl rsa -in private_rsa_key.der -inform DER -RSAPublicKey_out -outform DER -out public_rsa_key.der
You can’t perform that action at this time.