#actix #security #codegen #proc-macro #grants

actix-grants-proc-macro

A proc-macro way to validate user permissions for the actix-web-grants crate

11 releases (4 stable)

2.0.0-beta.3 Oct 11, 2021
2.0.0-beta.2 Aug 11, 2021
2.0.0-beta.1 Apr 7, 2021
1.2.0 Oct 11, 2021
0.1.3 Jan 17, 2021

#70 in Authentication


688 downloads per month
Used in actix-web-grants

MIT/Apache

9KB
143 lines

actix-web-grants

Extension for actix-web to validate user permissions.

To check user access to specific services, you can use the built-in proc-macro, a PermissionGuard, or a manual check.

The library can also be integrated with third-party solutions (like actix-web-httpauth).

Example of proc-macro way protection

use actix_web::{get, HttpResponse};
use actix_web_grants::proc_macro::has_permissions;

// The App must be wrapped with GrantsMiddleware, so the macro can read the
// request's AuthDetails; without it the check cannot see any permissions.
#[get("/secure")]
#[has_permissions("OP_READ_SECURED_INFO")]
async fn macro_secured() -> HttpResponse {
    HttpResponse::Ok().body("ADMIN_RESPONSE")
}

Example of Guard way protection

use actix_web::{web, App, HttpResponse};
use actix_web_grants::{PermissionGuard, GrantsMiddleware};

// `extract` is your permission extractor: given the request, it returns the
// list of permissions granted to the caller (see "Example of manual way protection").
App::new()
    .wrap(GrantsMiddleware::with_extractor(extract))
    .service(web::resource("/admin")
            .to(|| async { HttpResponse::Ok().finish() })
            .guard(PermissionGuard::new("ROLE_ADMIN".to_string())))
    .service(web::resource("/admin") // fallback endpoint if you want to return a 403 HTTP code
            .to(|| async { HttpResponse::Forbidden().finish() }));

Example of custom fallback endpoint for `Scope` with `Guard`

Since a Guard is intended only for routing, a request that fails it is treated as not matching the route, so a user without the permission gets a 404 HTTP code. You can override that behavior like this:

use actix_web::{web, App, HttpResponse};
use actix_web::http::header;
use actix_web_grants::{PermissionGuard, GrantsMiddleware};

App::new()
    .wrap(GrantsMiddleware::with_extractor(extract))
    .service(web::scope("/admin")
        .guard(PermissionGuard::new("ROLE_ADMIN_ACCESS".to_string()))
        .service(web::resource("/users")
            .to(|| async { HttpResponse::Ok().finish() }))
    ).service(
        // catch-all for "/admin" and everything below it, registered after the scope
        web::resource("/admin{regex:$|/.*?}").to(|| async {
            HttpResponse::TemporaryRedirect().append_header((header::LOCATION, "/login")).finish()
        }));

Once the Guard admits you into the Scope (meaning you have "ROLE_ADMIN_ACCESS"), the redirect is unreachable for you, even if you request /admin/some_undefined_page: the Scope owns the request and answers with its own 404.

Note: `regex` is a path variable that captures the remainder of the requested path.
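To make the routing semantics of the two Guard examples above concrete (first matching service wins, a failed Guard looks like "no such route", a matched Scope keeps the request), here is a dependency-free model of that dispatch. It is an added example, not code from actix-web-grants or actix-web; the types `Grants`, `Service` and `dispatch`, the `strip_prefix` boundary rule and the status codes it returns are assumptions of the model, chosen to mirror the README's examples.

```rust
// Added example, not actix-web-grants or actix-web code: a dependency-free model of
// actix-web dispatch through guarded services. Types and rules here are assumptions.
use std::collections::HashSet;

/// Permissions the extractor granted to the current request.
pub struct Grants(HashSet<String>);

impl Grants {
    pub fn new(perms: &[&str]) -> Self {
        Grants(perms.iter().map(|p| p.to_string()).collect())
    }
    /// Models PermissionsCheck::has_permission.
    pub fn has_permission(&self, p: &str) -> bool {
        self.0.contains(p)
    }
}

type Guard = Box<dyn Fn(&Grants) -> bool>;

/// Models PermissionGuard::new(name): admit only requests granted `name`.
pub fn permission_guard(name: &str) -> Guard {
    let name = name.to_string();
    Box::new(move |g: &Grants| g.has_permission(&name))
}

/// A registered service: a single resource, or a scope holding child services.
pub enum Service {
    Resource { matches: Box<dyn Fn(&str) -> bool>, guard: Option<Guard>, status: u16 },
    Scope { prefix: String, guard: Option<Guard>, inner: Vec<Service> },
}

impl Service {
    pub fn resource(matches: impl Fn(&str) -> bool + 'static, status: u16) -> Self {
        Service::Resource { matches: Box::new(matches), guard: None, status }
    }
    pub fn scope(prefix: &str, inner: Vec<Service>) -> Self {
        Service::Scope { prefix: prefix.to_string(), guard: None, inner }
    }
    pub fn guard(mut self, g: Guard) -> Self {
        match &mut self {
            Service::Resource { guard, .. } | Service::Scope { guard, .. } => *guard = Some(g),
        }
        self
    }
}

/// Remainder of `path` below `prefix`: "" for the prefix itself, "/..." below it.
/// "/adminx" is NOT under "/admin"; this mirrors the README's `/admin{regex:$|/.*?}`.
pub fn strip_prefix<'a>(prefix: &str, path: &'a str) -> Option<&'a str> {
    match path.strip_prefix(prefix) {
        Some("") => Some(""),
        Some(rest) if rest.starts_with('/') => Some(rest),
        _ => None,
    }
}

/// Walk services in registration order; the first one whose matcher AND guard accept
/// the request answers it. A guard failure behaves like "no such route", so without a
/// later fallback the caller gets 404. A scope that accepts the request keeps it: an
/// unknown path inside it is the scope's own 404, and later services are never tried.
pub fn dispatch(services: &[Service], path: &str, grants: &Grants) -> u16 {
    for s in services {
        match s {
            Service::Resource { matches, guard, status } => {
                if matches(path) && guard.as_ref().map_or(true, |g| g(grants)) {
                    return *status;
                }
            }
            Service::Scope { prefix, guard, inner } => {
                if let Some(rest) = strip_prefix(prefix, path) {
                    if guard.as_ref().map_or(true, |g| g(grants)) {
                        return dispatch(inner, rest, grants);
                    }
                }
            }
        }
    }
    404
}

/// README "Guard way": guarded /admin, then an unguarded /admin answering 403.
pub fn guard_with_forbidden_fallback() -> Vec<Service> {
    vec![
        Service::resource(|p| p == "/admin", 200).guard(permission_guard("ROLE_ADMIN")),
        Service::resource(|p| p == "/admin", 403),
    ]
}

/// README scope example: guarded /admin scope holding /users, then a redirect (307)
/// for the whole /admin subtree.
pub fn scope_with_redirect_fallback() -> Vec<Service> {
    vec![
        Service::scope("/admin", vec![Service::resource(|p| p == "/users", 200)])
            .guard(permission_guard("ROLE_ADMIN_ACCESS")),
        Service::resource(|p| strip_prefix("/admin", p).is_some(), 307),
    ]
}

fn main() {
    let admin = Grants::new(&["ROLE_ADMIN", "ROLE_ADMIN_ACCESS"]);
    let anon = Grants::new(&[]);
    let app = guard_with_forbidden_fallback();
    println!("/admin as admin -> {}", dispatch(&app, "/admin", &admin)); // 200
    println!("/admin as anon  -> {}", dispatch(&app, "/admin", &anon)); // 403
    let app = scope_with_redirect_fallback();
    println!("/admin/users as anon -> {}", dispatch(&app, "/admin/users", &anon)); // 307
    println!("/admin/nope as admin -> {}", dispatch(&app, "/admin/nope", &admin)); // 404
}
```

The ordering matters in both app definitions: the fallback resource must be registered after the guarded one, and the redirect only fires for callers the scope guard rejected, which is exactly the "unreachable for an admin" behavior the README describes. Removing the second service from `guard_with_forbidden_fallback` turns the anonymous 403 into a 404, the default the README warns about.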

Example of manual way protection

use actix_web::HttpResponse;
use actix_web_grants::permissions::{AuthDetails, PermissionsCheck};

// Permission name to compare against; AuthDetails is filled in by GrantsMiddleware.
const ROLE_ADMIN: &str = "ROLE_ADMIN";

async fn manual_secure(details: AuthDetails) -> HttpResponse {
    if details.has_permission(ROLE_ADMIN) {
        return HttpResponse::Ok().body("ADMIN_RESPONSE");
    }
    HttpResponse::Ok().body("OTHER_RESPONSE")
}

You can find more examples in the git repository's examples folder and in the documentation.

Dependencies

~300–720KB
~18K SLoC