Authentication in Tide #99
Comments
|
New here and rust in general but interested in tide. Anyway, I guess your first question is asking whether Tide just wants to support sessions, which I presume would be built on top of cookies, or provide some full authentication on top of sessions like Django. Another question is whether to support other authentication strategies such as a token-based one. Personally I find myself getting confused when reading django authentication documentation. There's too many different parts to it that it feels overwhelming just to get something working. I think providing something barebones/lightweight that can be further built upon would be the goal to strive for (however possible that actually is). About approaches, another one other than |
To be fair, it is a very complete solution. By providing sessions by default, session management becomes extremely easy. You can hook into external stores for sessions simply thorough configuration and everything just works. With something like flask on the other hand you have to maintain your own code for this. I haven't used Rocket, but I am guessing it is similar to Flask in this regard. |
This is something I dislike. If this is required, it can be supported with a extractor but auth is something a Middleware can handle very well. For rocket I have raised an issue to support middleware like functionality specifically for authentication(rwf2/Rocket#749). |
|
I think authentication support implementation should be delayed until the framework is more stable. most of the authentication related functionality can be written on top of tide initially to try different approaches. And possibly merge once there is some good consensus. There is also authorisation functionality that need to be thought of when designing authentication. |
Perhaps a useful challenge would be for people to try and develop a password/email cookie authentication flow, in separate repos. I think having some simple, tangible examples of what authentication flows can look like with Tide might help inform the design space, and allow us direct the discussions a bit more. |
|
I've been toying around with tide for a basic REST api and I think most of the pieces for a basic auth flow are already here. Use middleware to authenticate the request and stuff the session data into the request extension, use a Computed extractor in a handler to make that data accessible to your function. |
|
I was thinking something along the same lines but extract the session handling into a separate So you have let auth_middleware: AuthenticationMiddleware<auth::SessionStrategry, MyAuthHandler> = AuthenticationMiddleware::new(
auth::SessionStrategy::new(/* ... */),
MyAuthHandler,
);
struct MyAuthHandler;
impl AuthenticationHandler for MyAuthHandler {
verify_user(/* ... */) -> Result<NotSure, AuthError> {
/* ... */
}
}I'm kinda just spitballing so I haven't really thought of what the actual implementation would look like though |
|
Tide 0.0.1 has been released, so if people would want to start on sketching examples it should be a bit more convenient now! |
|
I already mentioned it in the session design issue, and it's not a full authentication solution, but I just published a rough prototype for a session management middleware in this repo. It's only cookie-based, so not as generic as what @petejodo suggested. Any form of feedback is greatly appreciated. |
|
@prasannavl @fairingrey @Nemo157 the repo linked in the comment above contains a really well thought out authentication scheme including sessions for tide. I we should look into bringing this into the tide ecosystem. There can be further discussion as to whether or not we want to include this in |
|
It feels we could probably put out an RFC for the design in this so we can discuss the API before implementing it. We've done an RFC before in https://github.com/rustasync/tide/blob/master/rfcs/001-app-new.md, but modeling it after https://github.com/rustwasm/gloo/blob/master/rfcs/001-mid-level-file-api.md is probably better. @bIgBV would you want to start the process of drafting an RFC for authentication? |
|
@yoshuawuyts I'll open an RFC by tomorrow. |
|
@bIgBV - This is great to think about! Personally I think both auth and sessions should purely implemented as middleware with some extensions as helpers, and other than the fact that The way I see it, is similar to how Regardless of how great an auth story we provide with tide, I think something to be careful about is to be able to keep it optional and be swappable as opposed to forcing an auth story down the throat, regardless of how good, integrated or secure it feels - I've seen weird, custom requirements for auth so often that it can almost never be satisfied on the framework level. Personally, as far as default story goes, I like how .NET Core does it - https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-2.2&tabs=visual-studio - they key here is in focusing on the common interface for things like Again, we've also been talking "auth" - but not looked into "authentication" and "authorization" specifically as well - both are again different things that has to dealt with for a complete auth story. |
|
@prasannavl those are all some great points. The initial proposal that I came up with was something very similar to what you are proposing here. Having a trait definition in Tide and each authentication backend having its own adaptor fitting to this trait. I did not fleshed out the details, but having this separation of concerns would allow us to be flexible in the kind of schemes that could be supported. I agree with your idea of having a separate And yes, authorization is something which we will have to consider as well. In the web frameworks I have used, authorization is generally modeled as the next step after authentication with the code generally residing in the same module. So we will have to consider if we want to integrate authentication and authorization into the same library or keep them as separate libraries. |
|
Just a few thoughts on that matter. I'm on the same page with @prasannavl. It makes perfect sense to separate authentication and authorization for the following reasons:
Authn and sessions shouldn't be mixed neither. That only may simplify development of basic applications, but for high load web services we usually don't want to be dependent on any global state and prefer to have an implementation of authn as light as possible. For our web services we use tower-web with:
|
Currently we don't have a story for authentication in Tide. I hoped that this issue would help start some discussion around the topic. A few questions that come to mind:
Middleware, but is this the best approach?The text was updated successfully, but these errors were encountered: