#rocket #authz #security #grants #permissions


Authorization extension for rocket to validate user permissions

2 releases

Uses new Rust 2021

0.5.0-rc.2 Jun 20, 2022
0.5.0-beta.1 Feb 23, 2022

#205 in Authentication

39 downloads per month


152 lines



Extension for rocket to validate user permissions.

CI Crates.io Downloads Badge crates.io Documentation dependency status Apache 2.0 or MIT licensed

To check user access to specific services, you can use built-in proc-macro, PermissionGuard or manual.

Provides a complete analogue of the actix-web-grants and poem-grants.

How to use

  1. Declare your own permission extraction function

The easiest way is to declare a function with the following signature:

// You can use custom type instead of String
async fn extract(req: &rocket::Request<'_>) -> Option<Vec<String>>
  1. Add fairing to your application using the extraction function defined in step 1
    rocket::build().mount("/api", rocket::routes![endpoint])
         .attach(GrantsFairing::with_extractor_fn(|req| {
             Box::pin(extract(req)) // example with a separate async function, but you can write a closure right here

Steps 1 and 2 can be replaced by integration with your custom fairing.

  1. Protect your endpoints in any convenient way from the examples below:

Example of proc-macro way protection

async fn macro_secured() -> &'static str {
Example of ABAC-like protection and custom permission type

Here is an example using the type and secure attributes. But these are independent features.

secure allows you to include some checks in the macro based on function params.

type allows you to use a custom type for the roles and permissions (then the fairing needs to be configured). Take a look at an enum-role example

use enums::Role::{self, ADMIN};
use dto::User;

#[rocket_grants::has_roles("USER", secure = "user_id == user.id")]
#[rocket::post("/secure/<user_id>", data = "<user>")]
async fn role_macro_secured_with_params(user_id: i32, user: Json<User>) -> &'static str {
   "some secured info with parameters"

Example of manual way protection

use rocket_grants::permissions::{AuthDetails, PermissionsCheck};

async fn manual_secure(details: AuthDetails) -> &'static str {
    if details.has_permission("ROLE_ADMIN") {
        return "ADMIN_RESPONSE"

You can find more examples in the git repository folder and documentation.

Error customization

Custom error responses can be specified using Rocket catchers. See the Rocket documentation for catchers.

You can set up custom responses for:

401 Unauthorized - when it wasn't possible to obtain authorization data from the request in your extractor.

403 Forbidden - when the permissions did not match the specified for the endpoint.

Supported rocket versions

  • For rocket-grants: 0.5.* supported version of rocket is 0.5.*


~417K SLoC