3 stable releases

1.2.0 Oct 13, 2024
1.1.0 Sep 14, 2024
1.0.0 Aug 23, 2024

#151 in HTTP server

38 downloads per month

MIT license

90KB
354 lines

AKAS: API Key Authorization Server

Software License semantic-release: angular crates.io Pipeline Status

A server written in Rust to authorize HTTP requests that include an authorization bearer in their header.

Authorization: Bearer <token>

The file of the list of the tokens to be used for authorization should contain one token per line in plain or SHA-256 format:

  • plain (default)
mykey-3532dceb-f38a-491b-814d-9607bc9a947a
mykey-c2d79a40-388e-4709-9e4b-903035b0e71e
...
  • sha256 (not yet implemented)
8b89600015b273c28f966f368456e45e01df239a36bf939ff72a16881f775679
fb22be500af1ef0479745bbbce847854da33f5e910361ad278e0282995b95f4d
...

Usage

AKAS: API Key Authorization Server

Usage: akas [OPTIONS] --file <FILE>

Options:
  -f, --file <FILE>      File path of the tokens list
  -p, --port <PORT>      Port of the server [default: 5001]
      --format <FORMAT>  Format of the token in the file <plain|sha256> [default: plain]
      --length <LENGTH>  Length of the token [optional] [default: 0]
      --prefix <PREFIX>  Prefix of the token [optional] [default: ]
  -h, --help             Print help
  -V, --version          Print version
  • Start akas server with the default port 5001 and a file containing plain tokens:
./akas --file plain-tokens.txt
  • Example of configuration of a Nginx server:
server {
    listen     80;
    server_name _;

    location / {
      auth_request     /auth;
      auth_request_set $auth_status $upstream_status;
      root             /usr/share/nginx/html;
      index            index.html index.htm;
    }

    location = /auth {
      internal;
      proxy_pass              http://localhost:5001/auth;
      proxy_pass_request_body off;
      proxy_set_header        content-length         "";
      proxy_set_header        x-forwarded-for        $proxy_add_x_forwarded_for;
      proxy_set_header        x-original-host        $host;
      proxy_set_header        x-original-uri         $request_uri;
      proxy_set_header        x-original-remote-addr $remote_addr;
    }
}

More details of Nginx configuration can be found in the configuring subrequest authentication* documentation

  • Authorized request: curl -H "Authorization: Bearer <token>" http://<host>/

Endpoints URIs

  • /auth: default endpoint.
  • /auth-ok: always return 200 OK without checking the token (for testing purposes).
  • /auth-unauthorized: always return 401 Unauthorized without checking the token (for testing purposes or disable access).

Features & Limitations

  • Authorization by HTTP Bearer Token.
  • Configuration:
    • via command line arguments.
    • via environment variables.
  • plain input tokens file (plain text).
  • hashed input tokens file (hashed - sha256).
  • Plain or hashed tokens loaded and saved in a Rust HashSet for a fast authorization check.
  • Check of the token format during the loading process of the file based tokens storage:
    • prefix and length for plain tokens file.
    • SHA-256 for hashed tokens file.
  • Initial check of the input token format in the header (length and prefix) [optional].
  • Endpoints:
    • /auth: default endpoint.
    • /auth-ok: always return 200 OK without checking the token.
    • /auth-unauthorized: always return 401 Unauthorized without checking the token.
  • Binaries compatibility for Linux with no dependencies:
    • x86-64 and arm64.
    • glibc (debian, ubuntu, fedora...) and musl libc (alpine ...).
  • Tests:
    • Unit tests (Rust).
    • Integration tests (actix_web::test).
    • Functional tests (Robot Framework).
  • Gitlab CI/CD Pipeline to auto-publish new versions.
  • Renovate Bot auto-update dependencies.
  • AKAS packaged in an Alpine Docker image.
  • Log requests [optional]:
    • All requests
    • Only unauthorized requests (401).
  • Cache implementation for faster access to token authorization without SHA-256 operation (LRU Cache).

akas diagram

Installation

  • Binary file installation on Linux via the GitLab package registry of the project:

    • 2 architectures:
      • akas-x86_64-linux-<gnu|musl>.tar.gz : x86_64 (Intel, Amd).
      • akas-aarch64-linux-<gnu|musl>.tar.gz : arm64
    • 2 C standard library with no dependencies:
      • akas-<x86_64|aarch64>-linux-gnu.tar.gz : glibc for Debian, Ubuntu, Fedora...
      • akas-<x86_64|aarch64>-linux-musl.tar.gz : musl libc for Alpine
  • With a Rust environment, running this command will globally install the akas binary:

cargo install akas

Development

  • Clone the source repository: git clone https://gitlab.com/op_so/projects/akas.git

  • To format and lint:

cargo fmt  # cargo fmt -- --check
cargo clippy
  • To test:
cargo test
cargo tarpaulin --ignore-tests
cargo audit
  • To run: cargo run -- --file tests/files/plain_token.txt

  • To build:

cargo build            # Debug binary target/debug/akas
cargo build --release  # Release binary target/release/akas

Authors

License

This program is free software: you can redistribute it and/or modify it under the terms of the MIT License (MIT). See the LICENSE for details.

Dependencies

~16–26MB
~450K SLoC