1 unstable release
0.6.0 | Jul 31, 2021 |
---|---|
0.5.0 |
|
0.4.0 |
|
0.3.0 |
|
0.1.0 |
|
#630 in Authentication
23 downloads per month
27KB
338 lines
LrAU
LrAU is an authentication and permission management system for rust. It uses Argon2id to hash passwords to prevent against rainbow table and brute-forcing.
Example
#[test]
fn generic() {
// Load from a toml file.
let permissions: lrau::Permissions =
toml::from_str(include_str!("./generic.toml")).unwrap();
// Create a password typical of someone who thinks their being clever.
let mut user = lrau::User::new(
String::from("john_t"),
String::from("1234"),
permissions,
);
// Valid their password
assert!(user.validate("1234"));
// Invalid their password
assert!(!user.validate("12345"));
// Permissions
// See if we have permissions to access contacts without
// mutable access.
assert!(user.get_permission(&["contacts", "name"], false));
// See if we can change users passwords with mut access.
assert!(user.get_permission(&["admin", "passwords"], true));
// Nonexisting paths inherit from paths further up the tree
assert!(user.get_permission(&["admin", "passwords", "reset"], true));
// Or are nothing if they are completely irrelevant.
assert!(!user.get_permission(&["notathing"], false));
// Checks if we have logged in (we haven't)
assert!(!user.check_login());
assert!(!user.check_valid_login());
// User Login
user.log_in("1234", std::time::Duration::from_secs(1));
// Checks for logins
assert!(user.check_login());
assert!(user.check_valid_login());
// Timeouts
std::thread::sleep(std::time::Duration::from_secs(1));
// We are still logged in...
assert!(user.check_login());
// But not validly.
assert!(!user.check_valid_login());
// And so getting vaild permissions does not work.
assert_eq!(
user.get_valid_permissions(&["admin", "passwords", "reset"], true),
Err(lrau::user::SessionExpired {}),
);
}
Serde
Serde is supported through the serde
feature. If you configure in toml, you can get something like this:
[[permissions]]
path = ["contacts"]
auth = false
[[permissions]]
path = ["contacts", "name"]
auth = true
[[permissions]]
path = ["contacts", "name", "middle"]
auth = false
[[permissions]]
path = ["contacts", "name", "last"]
auth = true
[[permissions]]
path = ["admin"]
auth = false
[[permissions]]
path = ["admin", "passwords"]
auth = true
mut = true
mut
, be default, is assumed to be false
, so you only need to write it if you are enabling it.
Features
- Serde
serde
. - Diesel
diesel-support
. - Sqlx
sqlx-support
Note for migrators
0.6.0
Fixed a massive security vulnerability.
0.5.0
In 0.4.0 all panicking functions have been made non-panacking. This decision was made because a web server really shouldn’t crash. This should mainly involve just adding ?
to the end of your function calls :)
0.3.0
Since version 0.3.0, instead of paths being strings they are now slices. This will cause issues with legacy code, preventing it to compile, and preventing serde information from being read.
Dependencies
~0.9–6.5MB
~138K SLoC