lrau

Crates.io: lrau
lib.rs: lrau
version: 0.6.0
source: src
created_at: 2021-04-03 17:44:35.430671
updated_at: 2021-07-31 08:45:15.445517
description: LrAU is an authentication and permission management system.
homepage:
repository: https://gitlab.com/libre-register/lrau
max_upload_size:
id: 378396
size: 66,179
John Toohey (greenfierydragon)


README

LrAU

LrAU is an authentication and permission management system for Rust. It uses Argon2id to hash passwords, which protects against rainbow-table and brute-force attacks.

Example

#[test]
fn generic() {
    // Load from a toml file.
    let permissions: lrau::Permissions =
        toml::from_str(include_str!("./generic.toml")).unwrap();
    
    // Create a password typical of someone who thinks they're being clever.
    let mut user = lrau::User::new(
        String::from("john_t"),
        String::from("1234"),
        permissions,
    );

        
    // The correct password validates
    assert!(user.validate("1234"));
    // An incorrect password does not
    assert!(!user.validate("12345"));

    // Permissions

    // See if we have permissions to access contacts without
    // mutable access.  
    assert!(user.get_permission(&["contacts", "name"], false));

    // See if we can change users' passwords with mut access.
    assert!(user.get_permission(&["admin", "passwords"], true));

    // Nonexistent paths inherit from paths further up the tree
    assert!(user.get_permission(&["admin", "passwords", "reset"], true));
    
    // Or are nothing if they are completely irrelevant.
    assert!(!user.get_permission(&["notathing"], false));

    // Checks if we have logged in (we haven't)
    assert!(!user.check_login());
    assert!(!user.check_valid_login());

    // User Login
    user.log_in("1234", std::time::Duration::from_secs(1));

    // Checks for logins
    assert!(user.check_login());
    assert!(user.check_valid_login());

    // Timeouts
    std::thread::sleep(std::time::Duration::from_secs(1));
    
    // We are still logged in...
    assert!(user.check_login());
    
    // But not validly.
    assert!(!user.check_valid_login());
    
    // And so getting valid permissions does not work.
    assert_eq!(
        user.get_valid_permissions(&["admin", "passwords", "reset"], true),
        Err(lrau::user::SessionExpired {}),
    );
}

Serde

Serde is supported through the serde feature. If you configure permissions in TOML, you get something like this:

[[permissions]]
path = ["contacts"]
auth = false

[[permissions]]
path = ["contacts", "name"]
auth = true

[[permissions]]
path = ["contacts", "name", "middle"]
auth = false

[[permissions]]
path = ["contacts", "name", "last"]
auth = true

[[permissions]]
path = ["admin"]
auth = false

[[permissions]]
path = ["admin", "passwords"]
auth = true
mut = true

mut, by default, is assumed to be false, so you only need to write it if you are enabling it.
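
The lookup behaviour that the test and the TOML above describe (a path with no entry of its own inherits from the nearest configured ancestor, unknown paths are denied, and mut defaults to false) can be modelled with the standard library alone. This is an added example, not LrAU's own code: the Rule struct, the RULES table and allowed() are hypothetical names, and the rule that a mutable request requires mut = true on the deciding entry is an assumption inferred from the README's assertions.

```rust
// Stand-alone model of path-based permission lookup (not LrAU's code).
// Assumed rule: the longest configured prefix of the requested path
// decides; a mutable request additionally needs `mutable == true`.

struct Rule {
    path: &'static [&'static str],
    auth: bool,
    mutable: bool, // corresponds to `mut` in the TOML; false when omitted
}

// Constructed from the TOML shown above.
const RULES: &[Rule] = &[
    Rule { path: &["contacts"], auth: false, mutable: false },
    Rule { path: &["contacts", "name"], auth: true, mutable: false },
    Rule { path: &["contacts", "name", "middle"], auth: false, mutable: false },
    Rule { path: &["contacts", "name", "last"], auth: true, mutable: false },
    Rule { path: &["admin"], auth: false, mutable: false },
    Rule { path: &["admin", "passwords"], auth: true, mutable: true },
];

/// Returns true if `path` is allowed, inheriting from the nearest ancestor.
fn allowed(rules: &[Rule], path: &[&str], want_mut: bool) -> bool {
    rules
        .iter()
        // Keep only rules whose path is a prefix of the requested path.
        .filter(|r| path.starts_with(r.path))
        // The most specific (longest) prefix wins over its ancestors.
        .max_by_key(|r| r.path.len())
        // Deny by default: no matching rule means no access.
        .map_or(false, |r| r.auth && (!want_mut || r.mutable))
}

fn main() {
    for (path, want_mut) in [
        (&["admin", "passwords", "reset"][..], true), // inherited grant
        (&["contacts", "name", "middle"][..], false), // child overrides parent
        (&["contacts", "name"][..], true),            // read-only entry
        (&["notathing"][..], false),                  // unknown path
    ] {
        println!("{:?} mut={} -> {}", path, want_mut, allowed(RULES, path, want_mut));
    }
}
```

Because a more specific entry overrides its parent, a child with auth = false (such as contacts/name/middle) carves an exception out of a granted subtree, so entries are best reviewed as a tree rather than one line at a time.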

Features

  • Serde: serde
  • Diesel: diesel-support
  • Sqlx: sqlx-support

Note for migrators

0.6.0

Fixed a massive security vulnerability.

0.5.0

In 0.4.0 all panicking functions have been made non-panicking. This decision was made because a web server really shouldn’t crash. Migrating should mainly involve just adding ? to the end of your function calls :)

0.3.0

Since version 0.3.0, paths are slices instead of strings. This will cause issues with legacy code, preventing it from compiling and preventing serde information from being read.

Commit count: 112
