As you probably did not have time to fix these problems, i did it myself in a fork to use in my own project. You can merge this PR if this is useful to you

I am currently implementing a feature to change a users password and email. To do that the user has to reenter the password, even if he is logged in. After that i want to hash the password and compare it to the current one. My Problem is: I can't find a method to easily hash a String with the same salt as the current password. For now i can try to use the argon2 crate as you do and hash it that way, but It would be nice to have a function to compare the hashed password to a string. Maybe you can add that in the next release :)

This commit removes depending exactly on rusqlite 0.25.3 (which has been yanked btw).

From quick testing, depending on the latest version (0.27.0) works too, so alternatively, you could change the version to be 0.27.0 rather than this commit's suggestion.

As an alternative, running cargo upgrade to update all dependencies to latest versions, it seems like everything builds fine (and the tests seem to produce some minor fixable suggestions), so maybe if making a new release, it might be good to update all dependencies. Happy to make a separate PR if you think it would be useful.

Thanks for this project btw! :)

I have now implemented a method called compare_password(). It is located both in the Auth and User guard. I implemented it in both, so that you can decide where it is more useful. I myself think it is better to have it in the User guard, because that makes sure that a logged in user exists, but that is up to you to decide. The function was also tested in one of my projects, where i temporary used my fork of rocket_auth as a dependencie. The documentation and function name is just an idea, feel free to change it :)

If you think it should be implemented otherwise, write a comment i will fix it

Heya, I'm using this crate for my project: https://github.com/knarkzel/elixir, where I'm using rusqlite instead of sqlx. Could you add rusqlite to this crate? I have forked it and added needed changes here: https://github.com/knarkzel/rocket_auth/blob/master/src/db/sqlite/mod.rs.

Thanks!

So the next crate does not compile anymore, because i can't find the id, as id is not a filed anymore. It can be fixed by changing line 316 in auth.rs from let user: User = self.users.get_by_id(session.id).await?; to let user: User = self.users.get_by_id(session.id()?).await?;. I tried to fix it myself, it works locally, but i can't update my fork

rust 1.60 stable rocket_auth = { version = "0.4.0", features = ["sqlx-postgres"] } rocket = { git = "https://github.com/SergioBenitez/Rocket/", features = ["json", "secrets", "uuid"]} rocket_dyn_templates = { git = "https://github.com/SergioBenitez/Rocket/", features = ["tera"]}

I see the traits in the rocket_auth lib.......so, obviously, I'm doing something silly. Looking for input on what I'm doing wrong.

use rocket_auth::{Users, Error, Auth, Signup, Login, User, AdminUser};

#[get("/admin-panel")] fn admin_panel(user: AdminUser) -> String { format!("Hello {}.", user.email()) }

error[E0277]: the trait bound rocket_auth::AdminUser: FromRequest<'_> is not satisfied --> src/admin/bp_user.rs:27:22 | 27 | fn admin_panel(user: AdminUser) -> String { | ^^^^^^^^^ the trait FromRequest<'_> is not implemented for rocket_auth::AdminUser

I saw that @julien-me added french language support, so i thought that i could add german language support. Hope it is ok for you. And if you don't like "de" for german, i can change it to "ger" or something like that

Also, this is my first PR ever, so please tell me if i did something wrong

I'm using sailfish for templates, and I don't wanna serialize the type because of overhead, and I only need the email field of User. This should probably be public, unless there's a specific security reason for it not to be.

This is the same issue as with #47 and #45. This issue probably also exists for the other database implementations, as the have the same pattern. I did not change it for those, because i don't have them installed and can't test it. If you want i can change those as well.

Some error messages aren't very clear or are outright empty. Such as when you try to sign up, and the email is already taken, there is no helpful error message.

Hello i have a form with a dropdown select where i chose a date, when a date is chosen i would like to have the chosen value to a rust variable.

main.rs:

#![feature(proc_macro_hygiene, decl_macro)]
#[macro_use] extern crate rocket;
use rocket::{State, form::*, get, post, response::Redirect, routes, response::content};
use rocket_auth::{prelude::Error, *};
use rocket_dyn_templates::Template;
use serde_json::json;
use sqlx::*;
mod api;
use api::{call_api, db_fill, query_select, ResultsStruct};
use std::result::Result;
use std::*;
use serde::{Deserialize, Serialize};
use rocket::serde::json::Json;

#[get("/style.css")]              // <- route attribute
fn style() -> content::RawCss<&'static str> {
content::RawCss(include_str!("style.css"))
}

#[get("/show_on_click")]              // <- route attribute
fn show_on_click() -> content::RawJavaScript<&'static str> {
content::RawJavaScript(include_str!("showOnClick.js"))
}

#[get("/login")]
fn get_login() -> Template {
Template::render("login", json!({}))
}

#[post("/login", data = "<form>")]
async fn post_login(auth: Auth<'_>, form: Form<Login>) -> Result<Redirect, Error> {
let result = auth.login(&form).await;
println!("login attempt: {:?}", result);
result?;
Ok(Redirect::to("/"))
}

#[get("/signup")]
async fn get_signup() -> Template {
Template::render("signup", json!({}))
}

#[post("/signup", data = "<form>")]
async fn post_signup(auth: Auth<'_>, form: Form<Signup>) -> Result<Redirect, Error> {
auth.signup(&form).await?;
auth.login(&form.into()).await?;

Ok(Redirect::to("/"))
}

#[get("/")]
async fn index(user: Option<User>) -> Template {
let color = "";
/*let c_api = thread::spawn( move || {
    let call_api = call_api().unwrap();
    call_api
}).join().expect("Thread panicked");*/

let query_result_fn = thread::spawn( move || {
    let query_result = query_select();
    query_result
}).join().expect("Thread panicked");
let query_result = query_result_fn.await.unwrap();

Template::render("index", json!({ "user": user, /*"c_api": c_api,*/ "query_result": query_result }))
}

#[derive(FromForm, Deserialize, Serialize)]
struct Time {
commence_time: String
}

#[get("/time")]
async fn time_get(user: Option<User>) -> Template {
let date_chosen= ""; // here i would like to have the chosen date in string.

let query_result_fn = thread::spawn( move || {
    let query_result = query_select();
    query_result
}).join().expect("Thread panicked");
let query_result = query_result_fn.await.unwrap();

Template::render("time", json!({ "user": user, /*"c_api": c_api,*/ "query_result": query_result }))
}

#[post("/time", format="json", data="<user>")]
fn post_time(user: Json<Time>) -> String {
String::from(format!(
    "Created user: {}", user.commence_time))
}


#[get("/logout")]
fn logout(auth: Auth<'_>) -> Result<Template, Error> {
auth.logout()?;
Ok(Template::render("logout", json!({})))
}
#[get("/delete")]
async fn delete(auth: Auth<'_>) -> Result<Template, Error> {
auth.delete().await?;
Ok(Template::render("deleted", json!({})))
}

#[get("/show_all_users")]
async fn show_all_users(conn: &State<SqlitePool>, user: Option<User>) -> Result<Template, Error> {
let users: Vec<User> = query_as("select * from users;").fetch_all(&**conn).await?;
println!("{:?}", users);
Ok(Template::render(
    "users",
    json!({"users": users, "user": user}),
))
}

#[tokio::main]
async fn main() -> Result<(), Error> {

let conn = SqlitePool::connect("/home/erty/Programming/rocket_app/users.db").await?;
let users: Users = conn.clone().into();
users.create_table().await?;

/*thread::spawn( move || {
    let db_fill = db_fill().unwrap();
    db_fill
}).join().expect("Thread panicked");*/

let _ = rocket::build()
    .mount(
        "/",
        routes![
            index,
            style,
            show_on_click,
            get_login,
            post_signup,
            get_signup,
            post_login,
            logout,
            delete,
            show_all_users,
            time_get
        ],
    )
    .manage(conn)
    .manage(users)
    .attach(Template::fairing())
    .launch()
    .await
    .unwrap();
Ok(())
}

index.html.tera

{% extends "base" %}

{% block body %}

    {% if not user %}

        <h1 class="text">Please login!</h1>
        <h3 class="text">For the use of this site you need to create an account or login</h3>
        <br>
        <div class="container">
            <a href="/login"><button id="Cbutton" type="Button" class="Cbutton btn btn-primary w-100">Login</button></a>
        </div>
            
    {% endif %}

    {% if user %}
        <script src="/show_on_click"></script>
        <h1 class="text">Welcome to My Website Index! </h1>
        <br>
        <h3 class="text">You are logged in as {{ user.email }}</h3>
        <br>
            <form action="/time" method="post">
                <select>
                    {% set vec_num = 0 -%}
                    {% for i in query_result %}
                        {% set_global commence_time = query_result[vec_num].commence_time %} 
                        <option value = {{ commence_time }} > {{ commence_time }} </option>
                        {% set_global vec_num = vec_num + 1 %}
                    {% endfor %}
                </select>
                <div class="mb-3 row">
                    <button id="Cbutton" type="Button submit" class="Cbutton btn btn-primary">Submit</button>
                </div>
            </form>
    </div>
        
    {% endif %}

{% endblock body %}

if i submit i get this error

No matching routes for POST /time application/x-www-form-urlencoded.

Hi,

while using the sqlite backend I noticed that there are direct messages that are bypassing my logging configuration. It seems some prinln statements were the cause of this, that are not found in other backends.

And thank you for this wonderful crate, it works like a charm. Have a nice day!

Hi,

I am attempting to use rocket_auth within a project already using Sqlx 0.6.1 and getting the following error:

error: one of the features ['runtime-actix-native-tls', 'runtime-async-std-native-tls', 'runtime-tokio-native-tls', 'runtime-actix-rustls', 'runtime-async-std-rustls', 'runtime-tokio-rustls'] must be enabled
  --> /Users/george/.cargo/registry/src/github.com-1ecc6299db9ec823/sqlx-rt-0.5.13/src/lib.rs:9:1
   |
9  | / compile_error!(
10 | |     "one of the features ['runtime-actix-native-tls', 'runtime-async-std-native-tls', \
11 | |      'runtime-tokio-native-tls', 'runtime-actix-rustls', 'runtime-async-std-rustls', \
12 | |      'runtime-tokio-rustls'] must be enabled"
13 | | );
   | |_^

I was able to fix this error by locally cloning the rocket_auth repository and adding in the following to the SQLX dependency section

[dependencies.sqlx]
version = "0.6.0"
optional = true
features = ["runtime-tokio-rustls"]

This is my dependencies (edited for brevity):

[dependencies]
rocket = {version = "0.5.0-rc.1", features = ["json"]}
rocket_auth = {path = "../rocket_auth", features = ["sqlx-sqlite"]}
serde = {version = "1.0", features = ["derive"]}
serde_json = "1.0"
tokio = {version = "1.17", features = ["full"]}
sqlx = {version = "0.6", features = ["runtime-tokio-rustls", "sqlite"]}

Just wondering if this is some perculiarity in the way my project is set up or is this a new bug?

I noticed in my app that after I delete a user, when I create a new user, the new user has the same id as the deleted user.

This behavior is not expected. It can be avoided if this line is changed to include AUTOINCREMENT: https://github.com/tvallotton/rocket_auth/blob/ef445dfe22c6738e95c21f5710f85ab1136bdb06/src/db/sqlite/sql.rs#L3

When singing up a user with a password, that does not meet the requirements, the error message leaks the password that was used in the signup. I don't know if this is intended. I narrowed it down to the ValidationError::new(...) function. The error message is inserted into the code and the actual message is left empty. Then in the Display implementation for ValidationError there is a check if the error message is empty, which is always the case. Then it skips printing the actual error message, and instead prints the code (which contains the error message, because it is set wrongly) and only shows "Validation error: " with the params (which is the password). I am showing these errors to my api response directly. This way the password pops up on screen, even though it is supposed to be hidden in the signup page. i know this is actually an issue of the validator page, but i have an idea to avoid this. You could instead of using the display method to show the message, print the actual "code" field of the error. If you don't have enough time to fix this, i could create a pr