I have been hoping to replace my custom/fragile middleware I built around axum-sessions with axum-login. One of the things I cannot figure out with this library is how to redirect an unauthenticated user to the login page.

• user tries to go to "example.com/requires_auth"
• user is redirected to "example.com/login?next_url=/requires_auth"
• user logs in
• user is redirected back to "example.com/requries_auth"

Right now, because of how "requries_auth" attempts to extract a user, there is no way to redirect when there is no user available.

Do you have a recommendation or am I going about this all wrong?

use axum::async_trait;
use axum_login::{secrecy::SecretVec, AuthUser};

#[derive(Clone, Debug, PartialEq, PartialOrd, sqlx::Type)]
pub enum UserRole {
    Standard,
    Admin,
}

#[derive(Clone, Debug, sqlx::FromRow, sqlx::Decode)]
pub struct User {
    id: i32,
    username: String,
    password_hash: String,
    role: UserRole,
}

impl AuthUser<UserRole> for User {
    fn get_id(&self) -> String {
        format!("{}", self.id)
    }

    fn get_password_hash(&self) -> SecretVec<u8> {
        SecretVec::new(self.password_hash.clone().into())
    }

    fn get_role(&self) -> Option<UserRole> {
        Some(self.role.clone())
    }
}

#[async_trait]
impl axum_login::UserStore<UserRole> for axum_login::PostgresStore<User> {
    type User = User;

    async fn load_user(&self, user_id: &str) -> Result<Option<Self::User>, eyre::Report> {
        let mut connection = self.pool.acquire() ...
    }
}

When I try to use self.pool.acquire in the load_user, I get error that self.pool is private. How can I implement load_user without access to the database pool

The layer should not only check the login and password, but also if the user has the right role.

@maxcountryman I understand that your idea is a RequireAuthorizarionLayer separate from the normal login one - the difference being it would also check the role of the user?

There seems to be a problem when using async_sqlx_session. When using jbr/async_sqlx_session, the sqlx version is up to date but one can only use async_std whereas axum uses tokio. When using CyrusAlbright/async_sqlx_session, it's possible to use tokio but the sqlx version is not up to date and for instance the PostgresSessionStore cannot be instanciated through the from_client() function. Do you know if there is a way to solve this problem ? Thanks a lot for your answer and for your awesome work.

Firstly, thank you for creating this library!

I'm implementing an OAuth flow where the provider redirects back to our server, we exchange the code for a token, login the user, then redirect to another internal route e.g.:

async fn oauth_callback(mut auth: AuthContext) -> impl IntoResponse {
     // I've omitted the oauth details such as code exchange for the token
     let user = find_user_somehow();

    // login the user
    auth.login(&user).await.unwrap();
    
    // This redirect causes the session to be lost, I think we need to pass along the headers that contain the cookie?
    Redirect::to("/")
}

// in main
let app = Router::new()
   .route("/auth/google/callback", get(oauth_callback))

Axum has an example of the OAuth flow, which looks like this:

    // Create a new session filled with user data
    let mut session = Session::new();
    session.insert("user", &user).unwrap();

    // Store session and get corresponding cookie
    let cookie = store.store_session(session).await.unwrap().unwrap();

    // Build the cookie
    let cookie = format!("{}={}; SameSite=Lax; Path=/", COOKIE_NAME, cookie);

    // Set cookie
    let mut headers = HeaderMap::new();
    headers.insert(SET_COOKIE, cookie.parse().unwrap());

    // Redirect with headers
    (headers, Redirect::to("/"))

How can we redirect and preserve the session? Can we get the headers after the auth.login(...) call?

I'm using Sea-ORM for a project of mine and I wanted use axum-login to handle authentication. I'm using postgres as the database so I know I can use the postgres feature. But I was wondering if I can create my own store using Sea-ORM. If so, how would I go about doing that?

I tried implementing it on my own using memory_store.rs and sql_store.rs as examples but the compiler keeps complaining about AuthUser not being satisfied for my User struct (even though I believe I've implemented it). Can you give me some pointers? Thanks.

• major: directory structure rework to allow for easy installation of the package for testing purposes
• docker-compose file with Postgres and Mysql
• migrations creating test users table
• fixture with random user to use in tests

This PR doesn't really contain a lot of tests, the paramount goal was to setup a framework of sorts to allow writing such tests in the first place.

I recently came across Sled when I searched for other possibilities for persistent application state. I think it would be nice to support it as an alternative for sqlx.

Hi, sorry for long title. I switched my graphql api on my personal project to a rest api and wrote this for describing authorization using AND/OR logic like graphql. It's not very ergonomic, also I use BoxFuture because I couldn't quite figure out how to write the future by hand. But, I was wondering if you were interested in a similar feature for axum-login or if one already exists. I think it would be good for the ecosystem to have one broad axum auth toolset, that let users describe authorization in a varied way. https://github.com/sjud/axum_guard_logic Warm regards, thank you for your FOSS contribution

Currently AuthUser requires the Clone trait to be implemented on the User struct. This is not bad per-say but is not good in terms of secret management hygiene.

I suggest the AuthUser should handle the password hash very carefully and require the password field to be Zeroizable, so that the password is not cloned nor left in memory. Returning a &str instead would possibly also be beneficial rather than String.

This is possibly a breaking change.

Idea: AuthUser can return a SecretString of the password.

The oauth callback -> login -> redirect to /protected is not currently working as expected: we print that the user has logged in but get a 401 on /protected.

You will need to set up your own Google OAuth Credentials to get this example working. I tried using https://testoauth.com/ but the token exchange endpoint seems non-standard so the oauth client cannot parse the response.

Currently, axum-login locks users into the tokio & rustls runtime (runtime-tokio-rustls). This PR lets them specify their own, removing the sqlx feature and introducing six new ones in its stead:

• sqlx-runtime-actix-native-tls
• sqlx-runtime-async-std-native-tls
• sqlx-runtime-tokio-native-tls
• sqlx-runtime-actix-rustls
• sqlx-runtime-async-std-rustls
• sqlx-runtime-tokio-rustls

This should solve https://github.com/maxcountryman/axum-login/issues/5.

Note: I tested omitting the runtime feature and my project, a consumer of axum-login, still compiled, which is strange. I've only just begun to integrate axum-login, so it might break once I use more of it, but it bears exploring.

Update: It still compiled because my project uses sqlx as well. Referencing axum-login without specifying a runtime in a project that doesn't fails as expected. Perhaps this ought to be mentioned in the documentation somewhere.

SqlX docs:

Bind parameters in the SQL string are specific to the database backend:
    Postgres: $N where N is the 1-based positional argument index
    MySQL: ? which matches arguments in order that it appears in the query

Hi, Im looking to use the crate with an Ldap backend, however, there is mismatch with the current design.

As I understand it a UserStore expects to do a lookup using the user_id which provides the User struct with the password hash, which then gets compared by the login function.

Ldap works differently , the username and password are sent to the server and tested against the stored password server side and a response is returned.

Im not an LDAP expert but if I remember correctly there is a way to configure the Ldap server to return passwords, however, I believe it is not a recommended practice, also this means you have to connect to the server as a privileged user, not a good idea.

changing UserStore to have the function something like async fn load_user(&self, user_id: &str, password: Option<&str>)

Would there be a way to support this different way of authentication?

Code sample using the ldap3 crate

ldap.simple_bind(&dn, &password).await

this then returns a result code (int) and a possibly empty result string.

let ldap_url=std::env::var("LDAP")
        .unwrap_or("ldap://localhost:3389".to_string());
    //ldaps 3636
    let connect= LdapConnAsync::new(&ldap_url).await;
    match connect {
        Ok((conn, mut ldap)) => {
            ldap3::drive!(conn);
            let dn = format!("uid={},ou=people,dc=example,dc=com", username);
            match ldap.simple_bind(&dn, &password).await {
                Ok(res) => {
                    if res.rc==0 {
                        println!("Login Success");
                        println!("Code {} Message {}", res.rc, res.text.len());
                    } else {
                        //Code 49 bad user or password
                        //Code 53 account inactivated
                        println!("Code {} Message {}", res.rc, res.text);
                    }
                }
                Err(err) => {
                    info!("Ldap Search Error {:?}",err);
                }
            }
        },
        Err(err) => {
            info!("Ldap Connect Error {:?}",err);
        }
    }

Sea-ORM is a popular async ORM that uses sqlx under the hood. There is a discussion about creating a store for it, but it would be awesome if axum-login supports this out of the box.

Rustqlite seems like a good alternative for the sqlx sqlite one since it supports sqlite on a far better level. I believe it would be beneficial to support it separately.