The rust_jwt_auth_pg from pavelkrolevets

rust_jwt_auth_pg's Introduction

Rust WASM restful JWT auth API boilerplate: Rocket.rs + WASM + diesel.rs + Postgresql

An example how to set up Rust server restful API with JWT authentication and ORM under the hood.

User passwords hashed (argon2)

Requirements

Configure Rust to satisfy rocket.rs dependencies (Rust nightly build needed)
Install Diesel ORM CLI and dependencies
```
cargo install diesel_cli
```
Install and create Postgresql database. More info here
Configure project environment variable in .env file taking username and passwork from Posgresql step
```
DATABASE_URL=postgres://username:password@localhost/database_name
```

Installation

First run the migration to create tables and schema
```
diesel migration run
```

Compile wasm front end

cd www
wasm-pack build --target web
cd ..

Compile the code and run
```
cargo run
```
Open WASM front-end at localhost:8001

If everything was installed right and compiles without errors you should see Rocekt server listening at http://localhost:8001

API rout JWT protection

Routs can be protected through JWT check in the message Header

#[get("/sensitive")]
fn sensitive(key: ApiKey) -> String {
    format!("Hello, you have been identified as {}", key.0)
}

API

JWT token life is set to 2 weeks. Can be changed

/user/register

curl -X POST \
  http://localhost:8001/user/register \
  -H 'content-type: application/json' \
  -d '{ "email": "[email protected]",
        "password": "12345"
}'

/auth/login

Get a jwt token for the user

curl -X POST \
  http://localhost:8001/auth/login \
  -H 'content-type: application/json' \
  -d '{ "email": "[email protected]",
        "password": "12345"
}'

/user

Call a protected route with a JWT in the HEADER authentication (use the token returned from the /auth/login API)

curl -X GET \
  http://localhost:8001/user/sensitive \
  -H 'authentication: eyJ0eXAiOiJKV1QiLCJraWQiOm51bGwsImFsZyI6IkhTMjU2In0.eyJpc3MiOm51bGwsInN1YiI6InRlc3QiLCJhdWQiOm51bGwsImV4cCI6MTU3MzAyNzg5MSwibmJmIjpudWxsLCJpYXQiOm51bGwsImp0aSI6bnVsbH0.DJ5tb/ic91oULyMjZMeam9kMU31sxGSxSnTmTppUhdA'

Based on previous work:

rust_jwt_auth_pg's People

Contributors

Stargazers

Watchers

rust_jwt_auth_pg's Issues

Insecure password handling

This is a cool and helpful example for setting up a Rust project with JWT, but as an example for authentication, it is dangerous in the way how it handles passwords.
There are two ways how it can be improved:

For the datatype in the login requests (and wherever the original password is passed around): https://github.com/pavelkrolevets/rust_jwt_auth/blob/master/src/user/mod.rs#L97 instead of having passwords as plain String, it could use, for example, SecUtf8: https://docs.rs/secstr/0.3.2/secstr/ this would prevent accidentally showing passwords in web logs etc.
For the model / data stored in the database: https://github.com/pavelkrolevets/rust_jwt_auth/blob/master/src/user/model.rs#L65 instead of storing plaintext passwords in the database, it could store their salted hashes, for example using Argon2: https://crates.io/crates/rust-argon2

Recommend Projects