2 stable releases
| new 1.1.0 | Sep 14, 2024 |
|---|---|
| 1.0.0 | Aug 23, 2024 |
#48 in Authentication
268 downloads per month
81KB
348 lines
AKAS: API Key Authorization Server
A server written in Rust to authorize HTTP requests that include an authorization bearer in their header.
Authorization: Bearer <token>
The file of the list of the tokens to be used for authorization should contain one token per line in plain or sha256 format:
- plain (default)
mykey-3532dceb-f38a-491b-814d-9607bc9a947a
mykey-c2d79a40-388e-4709-9e4b-903035b0e71e
...
- sha256 (not yet implemented)
8b89600015b273c28f966f368456e45e01df239a36bf939ff72a16881f775679
fb22be500af1ef0479745bbbce847854da33f5e910361ad278e0282995b95f4d
...
Usage
AKAS: API Key Authorization Server
Usage: akas [OPTIONS] --file <FILE>
Options:
-f, --file <FILE> File path of the tokens list
-p, --port <PORT> Port of the server [default: 5001]
--format <FORMAT> Format of the token in the file <plain|sha256> [default: plain]
--length <LENGTH> Length of the token [optional] [default: 0]
--prefix <PREFIX> Prefix of the token [optional] [default: ]
-h, --help Print help
-V, --version Print version
- Start akas server with the default port
5001and a file containing plain tokens:
./akas --file plain-tokens.txt
- Example of configuration of a Nginx server:
server {
listen 80;
server_name _;
location / {
auth_request /auth;
auth_request_set $auth_status $upstream_status;
root /usr/share/nginx/html;
index index.html index.htm;
}
location = /auth {
internal;
proxy_pass http://localhost:5001/auth;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-Remote-Addr $remote_addr;
}
}
More details of Nginx configuration can be found in the configuring subrequest authentication* documentation
- Authorized request:
curl -H "Authorization: Bearer <token>" http://<host>/
Endpoints URIs
/auth: default endpoint./auth-ok: always return200 OKwithout checking the token (for testing purposes)./auth-unauthorized: always return401 Unauthorizedwithout checking the token (for testing purposes or disable access).
Features & Limitations
- Authorization by HTTP Bearer Token.
- Configuration via command line arguments.
- plain input tokens file (plain text).
- hashed input tokens file (hashed - SHA-256).
- Plain or hashed tokens loaded and saved in a Rust HashSet for a fast authorization check.
- Check of the token format during the loading process of the file based tokens storage:
- prefix and length for plain tokens file.
- SHA-256 for hashed tokens file.
- Initial check of the input token format in the header (length and prefix) [optional].
- Endpoints:
-
/auth: default endpoint. -
/auth-ok: always return200 OKwithout checking the token. -
/auth-unauthorized: always return401 Unauthorizedwithout checking the token.
-
- Binaries compatibility for Linux with no dependencies:
- x86-64 and arm64.
- glibc (debian, ubuntu, fedora...) and musl libc (alpine ...).
- AKAS packaged in an Alpine Docker image.
- Log requests [optional]:
- All requests
- Only unauthorized requests (401).
- Cache implementation for faster access to token authorization without SHA-256 operation (LRU Cache).
Installation
-
Direct installation via the GitLab package registry of the project:
- 2 architecture (x86-64 and arm64) with no dependencies,
- glibc (Debian, Ubuntu, Fedora...) and musl libc (Alpine).
-
With a Rust environment, running this command will globally install the akas binary:
cargo install akas
Development
-
Clone the source repository:
git clone https://gitlab.com/op_so/projects/akas.git -
To format and lint:
cargo fmt # cargo fmt -- --check
cargo clippy
- To test:
cargo test
cargo tarpaulin --ignore-tests
cargo audit
- To run:
cargo run -- --file tests/files/plain_token.txt
Authors
- FX Soubirou - Initial work - GitLab repositories
License
This program is free software: you can redistribute it and/or modify it under the terms of the MIT License (MIT). See the LICENSE for details.
Dependencies
~15–26MB
~466K SLoC