The future of axum-login now that tower-sessions is here #100
Replies: 9 comments 19 replies
-
/cc @czocher |
Beta Was this translation helpful? Give feedback.
-
Perfect choice, congrats @maxcountryman! |
Beta Was this translation helpful? Give feedback.
-
Here's a sketch I've put together using Notably this is implemented entirely as an extractor. To enable an extractor-only approach, we need to provide auth state which contains the specific user store. This is slightly awkward, but a missing state is a compile-time error and so the compiler will ensure you can't miss this property. I've intentionally left out things like roles, in part because I'm not sure that belongs in this library but also because it complicates the implementation and our current solution seems overly opinionated in ways that restrict application authors. Another issue with this approach is it doesn't do anything to address how you might tie this into an identity provider. Ultimately to address the last two points, it would be nice to find a way to leave these things up to application authors. I'm not sure this sketch provides the required flexibility to make that a reality however. |
Beta Was this translation helpful? Give feedback.
-
i am all in favor of this migration to use |
Beta Was this translation helpful? Give feedback.
-
I just had a deeper look into it and in my opinion we're mixing up two separate responsibilities here. There are three elements of a proper authorization workflow:
There's also a separate responsibility of error handling with distinct operations that can potentially fail:
I strongly believe some kind of middleware approach would potentially benefit us here, since our main responsibility should be authentication and we should leave some way to provide authorization for the user to implement, being it a role-based approach, permissions or something else entirely. |
Beta Was this translation helpful? Give feedback.
-
My input was requested in a discussion over on Reddit, but being new both to Rust and FE dev in general, I'm not qualified to opine on the architecture. I'm just building a proof of concept with a Rust backend exposing data via API, a Next.js FE which talks to the API, and a DB behind Rust, and had assumed there was a standard library for auth & session management. I don't have complex authorization requirements, need to make sure users are authenticated, then will use their id to load the data from the DB. I would like the ability in the future to integrate with Oauth2, FWIW. |
Beta Was this translation helpful? Give feedback.
-
Hi again folks, I've made considerable progress on the |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
Thanks! Trying it out now. I have one question (general, not specific to the rewrite). My Rust server will manage sessions and expose JSON APIs. End-user page rendering, routing, and redirects will happen in a Next.js frontend. I'm not sure if it makes sense to use |
Beta Was this translation helpful? Give feedback.
-
Hi folks,
tower-sessions
0.1.0 has been released. It aims to be a replacement foraxum-sessions
.Why release a new crate?
We've been working on
axum-sessions
for a while now but over the last year or so development has been stalled due in large part to its primary dependency,async-session
also not having been updated. At the same time, we've encountered some fundamental design flaws related to my attempt to work around the implementation ofasync-session
.All that to say it seems folks in the
tower
andaxum
ecosystem need a solution that's more tailored to our specific needs.That's exactly that
tower-sessions
is: it brings the implementation of the session itself directly into the crate (in other words, we no longer rely onasync-session
) and follows well-established design patterns of other crates, liketower-cookies
(which incidentally it uses directly). This means we've addressed the major issues related to deadlocking with this new design.What about
axum-login
?Because
axum-login
has relied onaxum-sessions
from the outset, development on it too has stalled. Withtower-sessions
, we can migrate to this crate, and part ways withaxum-sessions
. The biggest drawback to this decisions is that we lose support forasync-session
session stores. That said,tower-sessions
also brings with it its own stores, covering Redis, SQLite, Postgres, and MySQL out-of-the-box.Alternatively, we could consider splitting off from this crate and perhaps creating a
tower-login
. Overall, I think this makes less sense as the authentication pattern is more closely tied toaxum
and may not make as much sense as an independenttower
crate.I would love your feedback before we make a final decision.
Beta Was this translation helpful? Give feedback.
All reactions