Lib.rs

Web programming
#actix-web #token #http-header #authorization #biscuit #http #actix-middleware

biscuit-actix-middleware

Biscuit middleware for actix-web

Owned by Clément Delafargue, Tipnos.

3 unstable releases

0.2.0 Aug 31, 2023
0.1.1 Jun 14, 2023
0.1.0 Jun 14, 2023

#1326 in Web programming

Download history 16/week @ 2024-01-01 19/week @ 2024-01-15 50/week @ 2024-01-22 49/week @ 2024-01-29 25/week @ 2024-02-05 5/week @ 2024-02-12 27/week @ 2024-02-19 15/week @ 2024-02-26 8/week @ 2024-03-04 20/week @ 2024-03-11 4/week @ 2024-03-18 13/week @ 2024-03-25 42/week @ 2024-04-01

80 downloads per month

Apache-2.0

24KB
285 lines

Biscuit actix middleware

This middleware allows service-wide extraction and parsing of biscuit tokens.

Authorization itself still need to be handled from within endpoint handlers.

The middleware expects a base64-encoded token through the bearer token HTTP authorization scheme (an Authorization: Bearer <token> HTTP header). This token is deserialized and its cryptographic signatures verified with the provided public key.

  • Requests without a bearer token are rejected with a HTTP 401 Unauthorized error;
  • Requests with tokens that fail parsing or cryptographic verification are rejected with a HTTP 403 Forbidden error.

Token extraction logic and error handling are configurable (see Configuration example).

Working example

Here is a web server exposing GET /hello, only to tokens containing the role("admin") fact. The public key used for verifying tokens is provided through the BISCUIT_PUBLIC_KEY environment variable.

A complete, runnable example can be found in examples/readme.rs, and can be run with BISCUIT_PUBLIC_KEY=<public key> cargo run --example readme.

Optionally, you can enable tracing by running BISCUIT_PUBLIC_KEY=<public key> cargo run --example readme --features tracing to observe middleware traces as logs in the console.

use actix_web::{get, web, App, HttpResponse, HttpServer};
use biscuit_actix_middleware::BiscuitMiddleware;
use biscuit_auth::{macros::*, Biscuit, PublicKey};

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    let public_key = PublicKey::from_bytes_hex(
        &std::env::var("BISCUIT_PUBLIC_KEY")
            .expect("Missing BISCUIT_PUBLIC_KEY environment variable"),
    )
    .expect("Couldn't parse public key");

    HttpServer::new(move || {
        App::new()
            .wrap(BiscuitMiddleware::new(public_key))
            .service(hello)
    })
    .bind(("127.0.0.1", 8080))?
    .run()
    .await
}

#[get("/hello")]
async fn hello(biscuit: web::ReqData<Biscuit>) -> HttpResponse {
    let mut authorizer = authorizer!(
        r#"
      allow if role("admin");
    "#
    );

    authorizer.add_token(&biscuit).unwrap();
    if authorizer.authorize().is_err() {
        return HttpResponse::Forbidden().finish();
    }

    HttpResponse::Ok().body("Hello admin!")
}

Dependencies

~21–35MB
~627K SLoC