#permissions #password #access #login #user-login

lrau

LrAU is an authentication and permission management system

1 unstable release

0.6.0 Jul 31, 2021
0.5.0 Jul 16, 2021
0.4.0 Jun 26, 2021
0.3.0 Jun 21, 2021
0.1.0 Apr 3, 2021

#630 in Authentication

23 downloads per month

AGPL-3.0

27KB
338 lines

LrAU

LrAU is an authentication and permission management system for rust. It uses Argon2id to hash passwords to prevent against rainbow table and brute-forcing.

Example

#[test]
fn generic() {
    // Load from a toml file.
    let permissions: lrau::Permissions =
        toml::from_str(include_str!("./generic.toml")).unwrap();
    
    // Create a password typical of someone who thinks their being clever.
    let mut user = lrau::User::new(
        String::from("john_t"),
        String::from("1234"),
        permissions,
    );

        
    // Valid their password
    assert!(user.validate("1234"));
    // Invalid their password
    assert!(!user.validate("12345"));

    // Permissions

    // See if we have permissions to access contacts without
    // mutable access.  
    assert!(user.get_permission(&["contacts", "name"], false));

    // See if we can change users passwords with mut access.
    assert!(user.get_permission(&["admin", "passwords"], true));

    // Nonexisting paths inherit from paths further up the tree
    assert!(user.get_permission(&["admin", "passwords", "reset"], true));
    
    // Or are nothing if they are completely irrelevant.
    assert!(!user.get_permission(&["notathing"], false));

    // Checks if we have logged in (we haven't)
    assert!(!user.check_login());
    assert!(!user.check_valid_login());

    // User Login
    user.log_in("1234", std::time::Duration::from_secs(1));

    // Checks for logins
    assert!(user.check_login());
    assert!(user.check_valid_login());

    // Timeouts
    std::thread::sleep(std::time::Duration::from_secs(1));
    
    // We are still logged in...
    assert!(user.check_login());
    
    // But not validly.
    assert!(!user.check_valid_login());
    
    // And so getting vaild permissions does not work.
    assert_eq!(
        user.get_valid_permissions(&["admin", "passwords", "reset"], true),
        Err(lrau::user::SessionExpired {}),
    );
}

Serde

Serde is supported through the serde feature. If you configure in toml, you can get something like this:

[[permissions]]
path = ["contacts"]
auth = false

[[permissions]]
path = ["contacts", "name"]
auth = true

[[permissions]]
path = ["contacts", "name", "middle"]
auth = false

[[permissions]]
path = ["contacts", "name", "last"]
auth = true

[[permissions]]
path = ["admin"]
auth = false

[[permissions]]
path = ["admin", "passwords"]
auth = true
mut = true

mut, be default, is assumed to be false, so you only need to write it if you are enabling it.

Features

  • Serde serde.
  • Diesel diesel-support.
  • Sqlx sqlx-support

Note for migrators

0.6.0

Fixed a massive security vulnerability.

0.5.0

In 0.4.0 all panicking functions have been made non-panacking. This decision was made because a web server really shouldn’t crash. This should mainly involve just adding ? to the end of your function calls :)

0.3.0

Since version 0.3.0, instead of paths being strings they are now slices. This will cause issues with legacy code, preventing it to compile, and preventing serde information from being read.

Dependencies

~0.9–6.5MB
~138K SLoC