Import JWT Authentication middleware #296
Conversation
|
Here you go, @colinbankier. I hope everyone else approves. 👍 |
|
Great, thanks @secretfader. At a quick first scan this looks great.
I haven't looked in detail what can be done about that. @nyarly @whitfin - any issues with including this once all checks pass? |
|
I'm not sure what's going on with the Windows |
|
As I read reports from around the Rust community, it seems the most common recommendation is to rely on the Windows MSVC toolchain primarily because its ABI produces better interop support for standard Windows applications. Rustup's documentation addresses this, even. My question then is: whether to allow failures on what is considered a lower-tier support level for most of the Rust community? |
|
I'm totally fine with switching to the MSVC toolchain if that fixes the issue easily, unless there's a good reason not to. I'd be nice to understand a little more what the issue is before switching though (if it doesn't become a rabbit hole digging into it). |
|
@colinbankier as a general, I don't mind liberally merging things like middleware which are self contained and don't affect the general codebase. However... I'm not sure if we want to take ownership of things like JWT rather than having it separately owned. I don't know enough about JWT to know if this implementation covers the entire surface area of JWT auth - I'm thinking about the case where something is missing and @secretfader doesn't have time to update it and we're left with an incomplete implementation. I guess I'm saying that I'm not really the right person to give a sign off on this :p It might be fine just on the premise that this will be a separate crate rather than shipping with core. I know @nyarly had some thoughts on middleware distribution a while ago so I'm interested in hearing from them. Aside from the above, I'll give the code itself a quick pass anyway! Edit: forgot to mention; I'd be against merging with a failing Windows build without doing everything we can to fix it. |
|
Thanks for the feedback @whitfin. One motivator for including it was simply for discoverability. There are other ways to help this though, and might not be a good reason. |
|
Maybe the solution isn't, as I proposed, moving middleware into core. This thread has me wondering if I should've suggested a document of known middlewares or a link to the If there's serious interest in moving this PR forward, then I'll fix the issues raised by @whitfin and we can proceed to merge at will. (In fact, most of the changes are already made over at the old repo, and just need to be synced to this PR.) But I have the distinct hunch that going through this process has raised better ideas than the original. I'd hate to waste your time if there are better approaches on the table. |
|
I think that we are yet to determine exactly what we're doing with middleware. The current state of things is that "general" middleware (i.e. loggers and such) as in core itself, and ship in the There is a Diesel based middleware which lives in this repo, but ships as a separate middleware. This predates me on this project, but I believe it was done this way to enable iteration separately. That makes sense to me (because you can fix bugs in that without shipping the entire codebase). However! A lot of people seem to enjoy when things "just work", so I've been thinking about a model where we basically carry on as we're currently doing (and as such, this would move into the core repository in the same way the Diesel one exists). We could them add dependencies to them and re-expose them from the The only downside is what I said before; there's a notion that because it lives in this repository, it is owned by this team. I don't mind this (especially enough to block merging this PR), but it was mainly just a note for the future. So really, what I'm saying is pretty much summed up as: merge away! If we decide something later we can always change it up (there are middlewares in three places already, so we'd have to change something anyway). @secretfader I'm very unfamiliar with JWT, but could this implementation be considered "complete"? Is there some validation document we can compare against? JWT is so general that this might actually be worth moving into the core crate itself, but I'm unsure exactly what is in this PR vs. what could be in this PR. If this is complete, I'd vote for moving it into the |
|
This middleware is only a portion of your authentication system where JWTs are concerned, but to answer your primary question, yes, I believe it represents the most secure approach. By default, it adopts the default JWT validation from the While it will only allow tokens that validate to pass (checking that both the crypto hasn't been tampered with before checking validity of the issuer and time of any expiration keys), you'll still need to implement logic for generating and storing new JWTs, purging expired tokens, and linking them to accounts inside your system. But this module provides assurances that when you look up a user from the parsed values inside the token, those values haven't been tampered with during transport. I have tinkered with the idea of implementing a turn-key auth platform on top of Gotham, and this crate would be a vital piece whether in core or not. For what it's worth, I think the module should probably always be distributed as a separate crate even if it lives in this repo. While authentication is a general need among web apps, not all require it (and even fewer require a specific implementation like JWT). That's the main story, @whitfin and @colinbankier. I'd be happy to finish this up and get it ready to go if that's what you want. |
|
I updated the PR in case it's decided to place the code in this repo. Alternatively, we could also have most of the middlewares (at least first party ones) hosted on the Gotham organization, too. |
|
Thanks for updating things @secretfader. I think, based all the discussion above, we're pretty much ready to merge it 👍 It'd be nice to allow the rest of Gotham to still build on |
|
@colinbankier I've read over the AppVeyor documentation, and it seems relatively easy to allow failures on certain targets, but that feels overly broad. The original plan of mine was to take a different approach and set different |
Codecov Report
@@ Coverage Diff @@
## master #296 +/- ##
=========================================
+ Coverage 79.23% 79.44% +0.2%
=========================================
Files 92 93 +1
Lines 4508 4602 +94
=========================================
+ Hits 3572 3656 +84
- Misses 936 946 +10
Continue to review full report at Codecov.
|
|
Ok, after several minutes wrestling with AppVeyor configuration, I didn't find a way to successfully exclude crates to build/test only on a single I'd like to find a way to re-enable |
|
Thanks @secretfader - I'll have poke at it too when I can, and if not successful either, will go with what you've got here. |
There was a problem hiding this comment.
Great work, thanks @secretfader !
Let's go with removing the gnu toolchain for windows for now.
If this is important to any windows users down the line, this can easily be re-assessed.
|
Thanks for handling this, @colinbankier. I also appreciated the helpful review, @whitfin. Here's to making Gotham even more awesome. 👍 |
This PR imports the JWT Authentication middleware I was chatting about earlier in #289. The current version is set up to work with Gotham 0.3.