Rust library for HTTP authentication. Parses challenge lists, responds to Basic and Digest challenges. Likely to be extended with server support and additional auth schemes.

Overview

HTTP authentication is described in the following documents and specifications: RFC 7235 (the HTTP/1.1 authentication framework, including the WWW-Authenticate challenge list), RFC 7617 (the Basic scheme) and RFC 7616 (the Digest scheme).

This framework is primarily used with HTTP, as suggested by the name. It is also used by some other protocols such as RTSP.

Status

Young but well-tested. The API may change to improve ergonomics and functionality. New functionality is likely to be added. PRs welcome!

Goals

In order:

  1. sound. Currently no unsafe blocks in http-auth itself. All dependencies are common, trusted crates.
  2. correct. Precisely implements the specifications except where noted. Fuzz tests verify the hand-written parser never panics and matches a nom-based reference implementation.
  3. light-weight. Minimal dependencies; uses Cargo features so callers can avoid them when undesired. Simple code that minimizes monomorphization bloat. Small data structures; e.g., http_auth::DigestClient currently weighs in at 48 bytes plus one allocation for all string fields.
  4. complete. Implements both parsing and responding to challenges. (Currently only supports the client side and responding to the most common Basic and Digest schemes; future expansion is likely.)
  5. ergonomic. Creating a client for responding to a password challenge is a one-liner from a string header or a [http::header::GetAll].
  6. fast enough. HTTP authentication is a small part of a real program, and http-auth's CPU usage should never be noticeable. For Digest's cryptographic operations, it uses popular optimized crates. In other respects, http-auth is likely at least as efficient as other HTTP authentication crates, although I have no reason to believe their performance is problematic.

Why a new crate?

There are at least a couple of other available crates relating to HTTP authentication. You may prefer them. Here's why http-auth's author decided not to use them.

www-authenticate

  • sound: www-authenticate has some unsound transmutes to static lifetime. (These likely aren't hard to fix though.)
  • light-weight: www-authenticate depends on hyperx and unicase, large dependencies which many useful programs don't include.
  • complete: www-authenticate only supports parsing of challenge lists, not responding to them.

digest_auth

  • complete: digest_auth only supports Digest. It can't parse multiple challenges and will fail if given a list that starts with another scheme. Thus, if the server follows the advice of RFC 7235 section 2.1 and lists another scheme such as Basic first, digest_auth's parsing is insufficient.

www-authenticate + digest_auth together

In addition to the www-authenticate caveats above, responding to password challenges by using both www-authenticate and digest_auth is neither complete nor ergonomic. The caller must do extra work:

  • explicitly consider both Digest and Basic, rather than using the abstract http_auth::PasswordClient that chooses the challenge for you.
  • when responding to a Digest challenge, construct a matching digest_auth::WwwAuthenticateHeader from the www_authenticate::DigestChallenge.
  • when responding to a Basic challenge, do the encoding manually.
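The two gaps called out above are concrete enough to show in code. What follows is an added example written for this page, not code from http-auth or from the crates it is compared with: a small std-only Rust parser for an RFC 7235 challenge list that copes with Basic being listed ahead of Digest (and with a token68 scheme such as Negotiate in the same header), a chooser that prefers Digest over Basic regardless of order, and the RFC 7617 Basic encoding done by hand, base64 step included. The names (Challenge, parse_challenges, pick_password_challenge, basic_authorization) and the sample header are assumptions made for the example, not http-auth's API.

```rust
// Added example, not http-auth's own code: a dependency-free parser for an RFC 7235
// challenge list plus the RFC 7617 Basic encoding a caller otherwise does by hand.
#[derive(Debug)]
pub struct Challenge {
    pub scheme: String,                // lower-cased; auth-scheme is case-insensitive
    pub token68: Option<String>,       // blob form, e.g. the bytes after `Negotiate`
    pub params: Vec<(String, String)>, // names lower-cased, quoted-strings unescaped
}
fn is_tchar(b: u8) -> bool { b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b) }
struct Cursor<'a> { s: &'a str, i: usize }
impl<'a> Cursor<'a> {
    fn peek(&self) -> Option<u8> { self.s.as_bytes().get(self.i).copied() }
    fn take_while(&mut self, f: impl Fn(u8) -> bool) -> &'a str {
        let (s, start) = (self.s, self.i);
        while self.peek().map_or(false, |b| f(b)) { self.i += 1; }
        &s[start..self.i]
    }
    fn skip_ws(&mut self) { self.take_while(|b| b == b' ' || b == b'\t'); }
    fn skip_ows_commas(&mut self) { self.take_while(|b| b == b' ' || b == b'\t' || b == b','); } // ",," is legal (RFC 7230 #rule)
    fn at_sep(&self) -> bool { matches!(self.peek(), None | Some(b',')) }
    fn param_value(&mut self) -> Result<String, String> {
        if self.peek() != Some(b'"') { // bare token, e.g. algorithm=MD5
            return match self.take_while(is_tchar) { "" => Err(format!("expected value at byte {}", self.i)), t => Ok(t.to_string()) };
        }
        self.i += 1; // quoted-string: unescape "\x" pairs, stop at the closing quote
        let mut raw = Vec::new();
        loop {
            match self.peek() {
                None => return Err("unterminated quoted-string".to_string()),
                Some(b'"') => { self.i += 1; break; }
                Some(b'\\') => { self.i += 1; raw.push(self.peek().ok_or("dangling backslash")?); }
                Some(b) => raw.push(b),
            }
            self.i += 1;
        }
        String::from_utf8(raw).map_err(|e| e.to_string()) // only ASCII bytes were dropped, so still valid UTF-8
    }
}
pub fn parse_challenges(header: &str) -> Result<Vec<Challenge>, String> {
    let mut c = Cursor { s: header, i: 0 };
    let mut out = Vec::new();
    loop {
        c.skip_ows_commas();
        if c.peek().is_none() { return Ok(out); }
        let scheme = c.take_while(is_tchar);
        if scheme.is_empty() { return Err(format!("expected auth-scheme at byte {}", c.i)); }
        let mut ch = Challenge { scheme: scheme.to_ascii_lowercase(), token68: None, params: Vec::new() };
        c.skip_ws();
        if c.at_sep() { out.push(ch); continue; } // bare scheme, e.g. "Basic , Digest ..."
        let word = c.take_while(|b| is_tchar(b) || b == b'/'); // token68 blob or first auth-param name
        c.skip_ws();
        let eqs = c.take_while(|b| b == b'=').len();
        c.skip_ws();
        if word.is_empty() { return Err(format!("expected token68 or auth-param at byte {}", c.i)); }
        if eqs != 1 || word.contains('/') || c.at_sep() { // token68, possibly '='-padded, ends the challenge
            if !c.at_sep() { return Err(format!("unexpected data after token68 at byte {}", c.i)); }
            ch.token68 = Some(format!("{}{}", word, "=".repeat(eqs)));
            out.push(ch);
            continue;
        }
        let mut name = word;
        loop {
            let value = c.param_value()?;
            ch.params.push((name.to_ascii_lowercase(), value));
            c.skip_ws();
            if !c.at_sep() { return Err(format!("expected ',' at byte {}", c.i)); }
            // Commas separate both params and challenges: `name =` continues this challenge, anything else starts the next one.
            c.skip_ows_commas();
            let save = c.i;
            let w = c.take_while(is_tchar);
            c.skip_ws();
            if w.is_empty() || c.peek() != Some(b'=') { c.i = save; break; }
            c.i += 1; c.skip_ws(); name = w; // consume "=" and any BWS around it
        }
        out.push(ch);
    }
}
/// Prefer Digest over Basic whatever order the server used: the client picks the strongest scheme it supports.
pub fn pick_password_challenge(challenges: &[Challenge]) -> Option<&Challenge> {
    challenges.iter().find(|c| c.scheme == "digest").or_else(|| challenges.iter().find(|c| c.scheme == "basic"))
}
/// RFC 7617 §2: credentials are base64(user-id ":" password), and the user-id may not contain ':'.
pub fn basic_authorization(username: &str, password: &str) -> Result<String, String> {
    if username.contains(':') { return Err("user-id must not contain ':'".to_string()); }
    Ok(format!("Basic {}", base64(format!("{}:{}", username, password).as_bytes())))
}
fn base64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    input.chunks(3).flat_map(|chunk| {
        let n = chunk.iter().enumerate().fold(0u32, |acc, (k, &b)| acc | (b as u32) << (16 - 8 * k));
        (0..4usize).map(move |k| if k <= chunk.len() { T[(n >> (18 - 6 * k)) as usize & 63] as char } else { '=' })
    }).collect()
}
fn main() {
    let hdr = r#"Basic realm="cam", Digest realm="cam", qop="auth", nonce="f1e2d3", algorithm=MD5, Negotiate"#; // constructed sample
    let challenges = parse_challenges(hdr).expect("well-formed header");
    println!("{:#?}\nanswering with: {}", challenges, pick_password_challenge(&challenges).map_or("nothing", |c| c.scheme.as_str()));
    println!("{}", basic_authorization("Aladdin", "open sesame").unwrap()); // RFC 7617 §2 example credentials
}
```

The subtle part is that a comma ends both an auth-param and a challenge, so after each parameter the parser peeks at the next word and only treats it as another parameter if an `=` follows; anything else is handed back to the outer loop as the next auth-scheme. That is exactly the case a Digest-only parser trips over when Basic is listed first, and it is the kind of boundary that is worth fuzzing in a real implementation.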

Author

Scott Lamb <[email protected]>

License

SPDX-License-Identifier: MIT OR Apache-2.0

See LICENSE-MIT.txt or LICENSE-APACHE, respectively.


Comments
  • breaking changes for 0.2.x (enhancement; opened by scottlamb)

    Things I'm considering fixing:

    • PasswordClient (and its friends plain and digest) return Result<_, String>. They should use a real std::error::Error impl instead.
    • Each digest type should probably be an individual optional dependency, rather than having digest pull in both md5 and sha2 crates. In particular, I think it's rare for servers to use the SHA digest types, and folks might not want to have that dependency.
    • Rename http_auth::digest::Algorithm::Sha512Trunc256 to Sha512_256 to match the change with sha2 version 0.10.0.

    Other suggestions welcome.