DEV Community

Practical Rust Web Development - Authentication

Werner Echezuría on May 28, 2019

In this post of the series, I'll be covering authentication. This is based on this one but I'll be using the 1.0 version of actix-web. We're going...
Michael Tharrington

Hey Werner,

Great series here!

Anyway, got a quick tip for ya!

You could edit all of these posts to include "series: whatever name you'd like for your series" in the front matter of each one. This'll connect your posts with a cool little dot scroll option at the top of each post that lets the reader easily flip between posts in the series.

I've no idea what this option is actually called, so we're going with "dot scroll" ... but anyway, it looks like this:

my series

... in my posts here & here. Haha, totally feeling the guilt for abandoning this series, right now. 😔

Anyway, it's not a must-do by any means, just a nice-to-have in case you wanna!

Werner Echezuría

Thanks! I was thinking about how to do something like that.

Michael Tharrington

No problem at all! 😀

Ghost • Edited

Hi Werner,

Nice series. Have you considered making a testing part? I'm having problems testing handlers with the Identity middleware and passing Form data to the TestRequest. I've searched everywhere for this and found nothing; also, the official documentation is very lacking in this regard.

Again, thanks for the good work

Werner Echezuría

Hi, thanks for your kind words. The testing part is out; if you find it useful, please let me know, and if you don't, please let me know too :).

Ghost

Seriously? Was it a coincidence? Are you some sort of superhero? Are you reading my mind right now? (I wouldn't recommend that.)

Thanks a lot, plus another lot. I'm gonna check it out right now :)

Werner Echezuría

lol, you made my day, thanks for your words. Yes, it was a coincidence. I'm planning on creating more content and releasing it as soon as I can. I'm waiting for your comments on that post, even if it's a bad one :P.

Jeffrey Scott Flesher

Not your code's problem, but a problem with csrf-token.

Problem with this line:

csrf-token = { git = "ssh://git@github.com/3dom-co-jp/csrf-token.git", branch="v0.2.x" }

It has issues; I am sure someone will fix it soon. It seems to be with ssh: the repo is not set to public, so it asks for credentials.

I tried to use this with the same result, and I am sure this is temporary.

csrf-token = { git = "ssh://git@github.com/future-science-research/csrf-token.git", branch="v0.2.x" }

My question is why not use this instead:

github.com/heartsucker/rust-csrf

Currently, I cannot build the project because of this, but great article.

I am looking at converting it just to check it out, thanks.

Werner Echezuría

csrf-token = { git = "ssh://git@github.com/3dom-co-jp/csrf-token.git", branch="v0.2.x" }

Yeah, sorry, it's fixed in master:

csrf-token = { git = "git@github.com/3dom-co-jp/csrf-tok...", branch="v0.2.x" }

-

My question is why not use this instead:

github.com/heartsucker/rust-csrf

I had not found a way to use it easily with Actix web; it seems to be a plugin to be used with Iron.

Werner Echezuría

Hi, thanks for reporting this, I'll fix it as soon as possible.

Regards.

Jeffrey Scott Flesher

I was reading about security issues with jwt. I am looking at docs.rs/crate/rust-argon2/0.6.0; it uses Argon2i. I know you said you use it for its stateless features, but that is also an exploitable security risk. Whereas cookies are not the best way to stay stateless and be secure, you can use in-memory cookies or even in-memory sessions, and you can even encrypt them; but passing them in json is a nightmare for man-in-the-middle attacks, and in-memory are safer, and faster IMO.

I am working on this now, trying to come up with a better solution.

Henrik

It would be great to add OAuth2 login to include Facebook and Google; using the Oauth2 library would be a good start.

Ghost • Edited

Hi, is there a reason to choose jwt over the default actix-web auth system?

Werner Echezuría

The default actix-web auth system uses cookies. I wanted to take advantage of all the features that jwt provides, like stateless authentication, so I don't need to request a token against the database for every action the user does. That's the idea in theory; in the next post I'll try to write a front-end application that consumes the jwt.
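The trade-off Werner describes here (a JWT that is verified from its own signature, with no database round-trip per request, versus a cookie session that has to be looked up in server-side state) is easier to see side by side in code. The following is an added example and not code from the article or from the actix-web project; it is written in Python with only the standard library so it runs offline. The secret key, the user ids and the clock values are constructed for illustration, and every function name (`issue_token`, `verify_token`, `create_session`, `resolve_session`, `revoke_session`) belongs to this example alone. It also shows the two defensive details a practitioner would want alongside the stateless claim: the server pins the algorithm rather than trusting the token's `alg` header, and revocation before expiry is only available on the session side.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo secret; a real deployment loads the key from configuration.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips base64 padding; restore it so the decoder accepts the input.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: int, ttl: int = 3600) -> str:
    """Sign a compact HS256 JWT carrying the subject and an expiry time."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, else None.

    No database is consulted: the HMAC under the shared secret is the whole
    proof of authenticity, which is what "stateless" means in the comment.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the server side: the token must never choose how it
    # is verified, which is what makes "alg": "none" and algorithm confusion fail.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None
    return claims


# The cookie-session model the thread contrasts with: the cookie carries an
# opaque id and every request costs one lookup in server-side state. Revoking
# is just deleting the entry, which a self-contained JWT cannot do before "exp".
SESSION_STORE: dict = {}


def create_session(user_id: str) -> str:
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = user_id
    return session_id


def resolve_session(session_id: str) -> Optional[str]:
    return SESSION_STORE.get(session_id)


def revoke_session(session_id: str) -> None:
    SESSION_STORE.pop(session_id, None)


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value (seconds since the epoch)
    tok = issue_token("alice", now)
    print(tok)
    print(verify_token(tok, now + 60))    # claims dict with sub == "alice"
    print(verify_token(tok, now + 3600))  # None: token has expired
```

The two models differ in where trust lives: `verify_token` trusts the signature and so cannot un-trust a token early, while `resolve_session` trusts the store and so can revoke at any moment at the cost of a lookup per request.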