Opinionated Rust authentication library.

Overview

rAuth

Goals

  • Prevent user enumeration. All routes should be protected against user enumeration, for now we should at least protect against basic enumeration based on responses.
  • Prevent phishing attacks.

Usage

Getting started is very simple, create a new instance of the Auth struct and mount it on to Rocket.

use mongodb::Client;
use rocket;
use rauth;

#[tokio::main]
async fn main() {
  let client = Client::with_uri_str("mongodb://localhost:27017/")
    .await.unwrap();

  // Pick a suitable collection, make sure you set it up correctly
  // as written below in "Database Migrations".
  let col = client.database("rauth").collection("accounts");

  // Set any options, such as the public base URL or your email
  // verification options.
  let options = rauth::options::Options::new();

  // Create a new instance of the Auth object.
  let auth = rauth::auth::Auth::new(col, options);
  rocket::ignite()
    .manage(auth) // Mount rAuth state.
    .mount("/", rauth::routes::routes()) // Mount rAuth routes.
    .launch()
    .await
    .unwrap();
}

How does rAuth work?

rAuth uses email / password combinations to authenticate users and nothing else, this might not be what you're looking for but I personally prefer this format.

  • If you need usernames, you need to handle this on your end.

When a user signs in, a new session is created, every single device a user logs in on has a unique session.

  • This means a user can then log themselves out of old sessions or otherwise see where they are logged in.

Example from Revolt App

Internally rAuth stores emails with and without special characters, +..

  • This means we can support plus signing without allowing the same email to sign up multiple times.
  • In the case of Gmail, all emails with dots are forwarded to those without them, this can lead to some unfortunate situations.
    • Generally, we treat all emails with dots as their non-dot counterpart when checking if an email exists.
    • This may inconvenience some users but I would rather avoid situations like above or duplicate accounts.
  • When logging in, the email given is checked against the original email and nothing else.

Database Migrations

You need to manage the database migrations yourself.

Creating the database.

rAuth needs a collection and two indexes to operate optimally.

db.create_collection("accounts", None);
db.run_command(
  doc! {
    "createIndexes": "accounts",
    "indexes": [
      {
        "key": {
          "email": 1
        },
        "name": "email",
        "unique": true,
        "collation": {
          "locale": "en",
          "strength": 2
        }
      },
      {
        "key": {
          "email_normalised": 1
        },
        "name": "email_normalised",
        "unique": true,
        "collation": {
          "locale": "en",
          "strength": 2
        }
      }
    ]
  },
  None,
);

Migrations

Currently no migrations are available, but they will be added here as needed.

You might also like...
JSON Web Token implementation in Rust.

Frank JWT Implementation of JSON Web Tokens in Rust. Algorithms and features supported HS256 HS384 HS512 RS256 RS384 RS512 ES256 ES384 ES512 Sign Veri

Rust templating with Handlebars

handlebars-rust Handlebars templating language implemented in Rust and for Rust. Handlebars-rust is the template engine that renders the official Rust

An Extensible, Concurrent Web Framework for Rust

Iron Extensible, Concurrency Focused Web Development in Rust. Response Timer Example Note: This example works with the current iron code in this repos

An expressjs inspired web framework for Rust

nickel.rs nickel.rs is a simple and lightweight foundation for web applications written in Rust. Its API is inspired by the popular express framework

[OUTDATED] A light HTTP framework for Rust

Rustful A light HTTP framework for Rust, with REST-like features. The main purpose of Rustful is to create a simple, modular and non-intrusive foundat

A web framework for Rust.

Rocket Rocket is an async web framework for Rust with a focus on usability, security, extensibility, and speed. #[macro_use] extern crate rocket; #[g

REST-like API micro-framework for Rust. Works with Iron.

Table of Contents What is Rustless? Usage warning Basic Usage Complex example Mounting Parameters validation and coercion Use JSON Schema Query string

A lightweight web framework built on hyper, implemented in Rust language.

Sapper Sapper, a lightweight web framework, written in Rust. Sapper focuses on ergonomic usage and rapid development. It can work with stable Rust. Sa

Web framework in Rust

Rouille, a Rust web micro-framework Rouille is a micro-web-framework library. It creates a listening socket and parses incoming HTTP requests from cli

Comments
  • Add check for for email validation

    Add check for for email validation

    There doesn't seem to be a check to validate if email has be verified when EmailVerification has been enabled:

    https://github.com/insertish/rauth/blob/157263ffcbd6cb1073e288b215db227634c4c29a/src/logic/auth.rs#L254-L281

    I'm using the latest version of the Revolt Chat app, and email verification does not work. Users are able to login before completing the email verification step: https://github.com/revoltchat/delta/blob/997d1fffc032719bf42632af2805d1f69de8e428/src/main.rs#L88

    I also don't see where UnverifiedAccount Error is being raised within the code:

    https://github.com/insertish/rauth/blob/775a6f3ffb9ffc0e382af32fac2924e9a707e890/src/web/session/login.rs#L36-L86

    Created pull request: https://github.com/insertish/rauth/pull/33

    note: never programmed in Rust before, but hopefully this will shortcut the process of getting this issue resolved

    opened by davidmroth 1
  • Licensing?

    Licensing?

    I assume this is an oversight, but RAuth doesn't currently appear to have a license file in the repository or the Cargo.toml, so I'm unsure as to whether I can use this library in my own projects or not.

    opened by ashhhleyyy 0
  • Two-factor Authentication

    Two-factor Authentication

    Add different MFA methods.

    1FA

    • [ ] Add trusted handover / QR code login.

    1FA (requires email specified)

    • [x] Password
    • [ ] Add email OTP 1FA login.
    • [ ] Add security key 1FA login.

    2FA (requires email + password specified)

    • [ ] Add email OTP 2FA login.
    • [x] #20
    • [ ] Add security key 2FA login.
    enhancement 
    opened by insertish 18
Owner
Paul Makles
Paul Makles
An HTTP library for Rust

hyper A fast and correct HTTP implementation for Rust. HTTP/1 and HTTP/2 Asynchronous design Leading in performance Tested and correct Extensive produ

null 11k Jan 7, 2023
GraphQL server library for Rust

GraphQL server library for Rust GraphQL is a data query language developed by Facebook intended to serve mobile and web application frontends. Juniper

GraphQL Rust 4.9k Jan 5, 2023
Low level HTTP server library in Rust

tiny-http Documentation Tiny but strong HTTP server in Rust. Its main objectives are to be 100% compliant with the HTTP standard and to provide an eas

null 785 Dec 29, 2022
Create, share, fetch and model Atomic Data! This project consists of a graph database + server, a CLI and a rust library.

Create, share, fetch and model Atomic Data! This repo consists of three components: A library, a server and a CLI. atomic-server Status: Beta. Breakin

Joep Meindertsma 195 Dec 28, 2022
Completely OBSOLETE Rust HTTP library (server and client)

OBSOLETION NOTICE This library is DEAD. It was a useful experiment and is now being replaced under the scope of the Teepee (experimentation grounds at

Chris Morgan 390 Dec 1, 2022
A library for simulating mouse and keyboard events

The Fat Controller TFC is a library for simulating mouse and keyboard events. This library was built for use by TFC-server, a server that allows for r

Indiana Kernick 37 Nov 28, 2022
handle some lichess.org/tournament load with rust, while learning rust

lila-http Take some of the HTTP load away from lila. WIP! Arena tournaments Clients connected to a tournament page request new data about the tourname

Thibault Duplessis 22 Jan 2, 2023
Simple http server in Rust (Windows/Mac/Linux)

How it looks like? Screenshot Command Line Arguments Simple HTTP(s) Server 0.6.1 USAGE: simple-http-server [FLAGS] [OPTIONS] [--] [root] FLAGS:

LinFeng Qian 788 Dec 28, 2022
Rust / Hasura / GraphQL

Rust + Hasura This is an example of a Rust server that functions as a remote schema for Hasura. It demonstrates: user login + signup JWT authorization

Rónán 130 Dec 26, 2022
Actix Web is a powerful, pragmatic, and extremely fast web framework for Rust.

Actix Web Actix Web is a powerful, pragmatic, and extremely fast web framework for Rust Features Supports HTTP/1.x and HTTP/2 Streaming and pipelining

Actix 16.3k Jan 8, 2023