5 unstable releases
0.3.0 | Aug 21, 2024 |
---|---|
0.2.0 | Apr 6, 2024 |
0.1.0 | Apr 24, 2023 |
0.1.0-beta.1 | Aug 29, 2022 |
0.1.0-beta.0 | Aug 28, 2022 |
#215 in Cryptography
20,260 downloads per month
Used in 2 crates
45KB
773 lines
A Rust implementation of Prefixed API Key
This library is a Rust implementation of the Prefixed API Key typescript library. Though its interface differs slightly from the typescript version, this library provides the same set of features and functionality as the typescript version.
Prefixed API Key (Seam-style)
Example key:
mycompany_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG
Seam-style API Keys have many advantages:
- Double clicking the api key selects the entire api key
- The alphabet is standard across languages thanks to the base58 RFC and its usage in cryptocurrencies
- They are shorter than hex and base32 api keys
- They have prefixes allowing secret scanning by github
- They have a hashed component so the server doesn't need to store the api key (reducing attack surface)
- They have unhashed short tokens which can be mutually used by the server and key bearer/customer to identify the api key
- They default to roughly the same number of entropy bits as UUIDv4
The Format
Seam-style api keys look like this:
mycompany_BRTRKFsL_51FwqftsmMDHHbJAMEXXHCgG
Let's break down each component of the API key...
mycompany ..._... BRTRKFsL ..._... 51FwqftsmMDHHbJAMEXXHCgG
^ ^ ^
Prefix Short Token Long Token
- The Prefix is used to identify the company or service creating the API Key. This is very helpful in secret scanning.
- The Short Token is stored by both the server and the key bearer/customer, it can be used to identify an API key in logs or displayed on a customer's dashboard. A token can be blocklisted by its short token.
- The Long Token is how we authenticate this key. The long token is never stored
on the server, but a hash of it is stored on the server. When we receive an
incoming request, we search our database for
short_token
andhash(long_token)
.
Getting Started
The original Typescript implementation of Prefixed API Keys has a few technical decisions hardcoded, but this crates aims to give full control over which hashing algorithm and random number generator are used. However this adds more complexity than may be desirable, so helpers are available to make configuration relatively painless.
By installing the crate with the sha2
feature flag, you can create an almost-entirely configured
PrefixedApiKeyController
instance using the seam_defaults
function, which configures the
controller the same way as Seam's Typescript implementation.
use prefixed_api_key::PrefixedApiKeyController;
fn main() {
// A controller using `rand::rng::OsRng` as the RNG source, and
// `sha2::Sha256` as the hashing algorithm.
let builder_result = PrefixedApiKeyController::configure()
.prefix("mycompany".to_owned())
.seam_defaults()
.finalize();
assert!(builder_result.is_ok());
let controller = builder_result.unwrap();
// Generate a new PrefixedApiKey
let (pak, hash) = controller.try_generate_key_and_hash().unwrap();
// Assert that the returned key matches the hash
assert!(controller.check_hash(&pak, &hash));
// Stringify the key to be sent to the user. This creates a string from the
// PrefixedApiKey which follows the `<prefix>_<short token>_<long token>` convention
let pak_string = pak.to_string();
}
Using the seam_defaults()
function with the sha2
feature flag is equivalent to doing
the following without using the sha2
feature:
use sha2::Sha256;
use prefixed_api_key::PrefixedApiKeyController;
fn main() {
let controller = PrefixedApiKeyController::<_, Sha256>::configure()
.prefix("mycompany".to_owned())
.rng_osrng()
.short_token_length(8)
.long_token_length(24)
.finalize();
}
Testing
Library tests:
cargo test --all-features
Verify minimum supported rust version (MSRV):
cargo install cargo-msrv
cargo msrv verify
Testing code hygiene requires clippy
and rustfmt
components:
cargo fmt --all -- --check
cargo clippy -- -D warnings
The library and hygiene tests will be run for all examples too
Dependencies
~770KB
~15K SLoC