Add auth support as contrib library #8
Comments
|
Right now the handlers take arguments that are associated with params in the URL. Presumably you'd want to pass auth-related data to the handler (e.g. I want to get all posts for the currently authenticated user). How could we achieve this given the current structure? |
|
answer: request guards (or something similar) |
|
More specifically, what is the best way to store session information in this manner? Would that just be in some global static manager of some sort? |
|
Possible suggestions would be a global state within the framework (protected by a Mutex?), a directory on the filesystem, Redis, a database... basically anything supported by other popular frameworks. I listed them in order of (my estimation of) difficulty of implementation. The ability to switch between different backends would be nice, but maybe it would be good to start with the simplest implementation first. Edit: Stateless auth (JWT) support would also be nice, but may be a separate issue. |
|
I'll take a shot at this. I'll make an implementation using in-memory state first as a proof of concept. I imagine later implementations can be added and switched between using a config parameter. |
|
Does Rocket currently have a system similar to middleware that would allow the session to automatically set a cookie (containing the session ID) in the response? That is the most common way (from what I am aware) of handling server-side sessions, and may be a blocker for this (unless we tell users to manually set the cookie at the start of a session--probably not what we want). |
#[post("/login", data="<form>")]
fn login_post(cookies: &Cookies,
user: AnonymousUser,
form: Form<LoginForm>)
-> Result<Redirect, Template> {
/* ... */
/* Check credentials */
if ok {
/* Build session ID, insert it in whatever you're using for this (I'm personally using redis) */
let cookie = Cookie::build("uid".to_owned(), uid).path("/").finish();
cookies.add(cookie);
return Ok(Redirect::to("/"));
}
/* ... */I'm personally using that snippet of code for my auth system. Wouldn't something like that work for you ? |
|
Unfortunately that doesn't help me in this case, because I'm trying to implement a contrib module for rocket. |
|
This is something that is very tricky to get right and where I'm likely to decline implementations as too inflexible, too hard to use, or as insecure. I caution anyone wanting to take this on to be open to spending a lot of time on this. This is something that absolutely has to be correct. It also needs to be flexible; it should be usable by most projects with most requirements. @shssoichiro You can get, set, and remove cookies via the |
|
@SergioBenitez Any particular frameworks you think are a good example to model the API of Rocket's auth component after? Or just as a starting point. |
|
@echochamber Flask-Auth seems to try to embody some of the ideals I'm hoping to achieve regarding extensibility. However, I think Rocket provides an array of tools that can be used to obtain greater correctness and security guarantees. And, of course, we have all of Rust at our disposal! Seeing as this is a big target, I'm pushing this to 0.5 for the time being. |
|
FYI: rocket-simpleauth crate could be useful https://github.com/bramvdbogaerde/auth-rs |
|
Just running across this. Having built-in authentication would be great, especially a generic OAuth implementation. @SergioBenitez is there anything we could do to help out? I see you'll be quite picky, so I'd prefer to have a wasted effort. |
|
@jhpratt you may be interested in jebrosen/rocket_oauth2. I wouldn't call it production-ready for several reasons and it is oauth-specific, but its model (good and bad) may serve as inspiration for a more complete solution. EDIT: Links are hard |
|
Building on the crate mentioned by @blackghost1987 i started to implement a "generic" authentication, rocket_auth. It's still early, but functional. I know there is a lot missing, especially docs and tests, but i wanted to hear some opinions about it, before i put in a lot of work and effort to write the docs and tests. |
|
Maybe something like http://python-social-auth.readthedocs.org/ using 3rd party authentication? |
|
Casbin-RS is an authorization library that supports models like ACL, RBAC, ABAC for Rust. Related to RBAC, casbin has several advantages:
And you can even customize your own access control model, for example, mix RBAC and ABAC together by using roles and attributes at the same time. It's very flexible. Can we integrate it into Rocket? |
|
I was wondering how in a pluggable auth library, one would handle external services - would we be able to write custom checkers? (e.g. Auth0, Firebase Auth, Cognito, etc.) |
|
Ok...i'm back with another approach, rocket_airlock. I was inspired by Jeb's rocket_oauth2 crate and tried to find a generic approach that can be used as basis for different authentication approaches. |
|
Looking at this thread and I see that stateless and stateful needs to be supported. trait Principal {
fn name() ->&str
}This should give the flexibility to adopt your own. For example: impl UserPrincipal for Principal {
fn roles(): &[&str];
...
}
impl ApplicationPrincipal for Principal {
...
}This separation could be useful, for example if the application is interacting with users we expect #[get("/v1/any-interaction")]
fn user_interaction(principal: Principal) {}
#[get("/v1/user-interaction")]
fn user_interaction(user: UserPrincipal) {}
#[get("/v1/server-interaction")]
fn server_to_server(application: ApplicationPrincipal) {}Rocket could for example provide several implementations that always use |
|
For the last four days I've been working on my own implementation. I still haven't tested all the features I claim to support on the docs, since I'm just starting up. If you're interested, check it out at https://docs.rs/rocket_auth/0.1.1/rocket_auth/. |
|
See the Rocket Casbin middleware for authorization: https://github.com/casbin-rs/rocket-authz |
|
Hi, in light of 0.5 coming up, I would love to hear some suggestions on how to improve my crate for authentication management https://github.com/tvallotton/rocket_auth. I fear there might be issues I'm missing. |
|
I just released the new version of rocket_auth so it now supports Rocket 0.5-rc, as well as Sqlite3, Postgresql, Mysql and Redis. Check it out if you are interested. |
|
I think it would be better to have something similar to spring's filter chain @SergioBenitez : Does rocket support request filters in any way? |
To some degree, yes, but Rocket isn't Spring, so its mechanisms are different. Of particular relevance, see fairings and guards. |
|
Fairings seem like the feature to use for http security, but they can't return the request early. The docs state that it's better to have guards used for security: but to me it makes more sense to have an application secured by default and then configure unsecured routes manually (with path matchers for example): httpSecurity.build()
.paths(&["/unsecured/**", "/login", "/signup"]).permit()
.paths(&["/unsecured/secret"]).deny()Maybe it's the spring dev in me, but maybe it's more secure to explicitly allow access to a resource in a larger app instead of forgetting to secure it. EDIT: @SergioBenitez How would one go about using a fairing to implement authentication or authorization? |
They can, by diverting the request to any route of its choosing, including routes that it controls.
You can do that with a fairing. Exposing the Request::matches() method would make it trivial to do so (see #1561), but your syntax in particular would be easy to implement even today.
See existing crates like rocket_oauth2 for what they do. |
|
@SergioBenitez would the following idea meet your conception for auth support? Technical details/Modelling:
Example usage in a rocket application: #[get("/")]
async fn index() -> Option<NamedFile> {
NamedFile::open("index.html").await.ok()
}
#[post("/login", format = "json", data = "<credentials>")]
async fn login(
credentials: Json<AccountCredentials>, // user credentials submitted by the web application
account_provider: &State<MemoryAccountProvider>, // interface to the user storage
auth_settings: &State<AuthSettings>, // generic settings required on launch, see main fn
cookies: &CookieJar<'_>,
) -> Status {
match account_provider.login(
credentials.into_inner(),
auth_settings.inner(),
cookies,
) {
Ok(_) => Status::Ok,
Err(e) => {
log::error!("{e}");
Status::Unauthorized
}
}
}
#[get("/private")]
async fn private(user: AccountClaims) -> String { // protected route by the request guard
// your implementation for different roles here
format!("{user:#?}")
}
#[launch]
fn simple_login() -> _ {
// We create an immutable global state containing information with the cookie name, cookie path
// and JWT settings like encryption secret and time validity.
let auth_settings = AuthSettings::new()
.with_cookie_name("rocket_user")
.with_cookie_path("/") // IMO the path does not change in most applications
// JWT encryption key, can also be randomly generated on every launch,
// maybe one could add support for custom secret provider for custom implementations
.with_secret("TOP_SECRET_ENCRYPTION_KEY")
.with_valid_login(TimeDelta::try_weeks(1).unwrap()); // validity of JWT cookie
// create a user storage, can be anything you require, like database connection
// or just in memory storage for development or fast prototypes
let auth_provider = MemoryAccountProvider::from(vec![Account::new(
"simple_user",
"somepassword",
"simple_service", // scope of user
AccountType::Admin, // some presets available, support for custom role like `Custom(String)`
)
.unwrap()]);
rocket::build()
.mount("/", routes![index, private, login])
.manage(auth_settings)
.manage(auth_provider)
}I already have a prototype implementation which is not as flexible as described above yet. But I am happy to get my hands on this if your vision about the auth contrib crate aligns. |
|
So there is cosmodrome now, providing a IMO easy way for auth. Currently implemented methods are Looking forward to your feedback and ideas. |
Create the canonical Rocket authentication and authorization library.
The text was updated successfully, but these errors were encountered: