vivlim
/
rsbb
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
18 Commits 2 Branches 0 Tags 260 KiB
Rust 79.8%
HTML 14.7%
SCSS 5.5%
Go to file
Vivian Lim 9a784af4f2 admin forum list that can only be viewed when logged in 2018-10-21 01:07:51 -07:00
migrations Add very simple forum view and debug insertion route 2018-10-20 00:01:58 -07:00
res Implement logout. 2018-08-21 21:41:18 +02:00
src admin forum list that can only be viewed when logged in 2018-10-21 01:07:51 -07:00
templates move forum stuff to separate file 2018-10-21 00:30:47 -07:00
.gitignore Basic user management 2018-08-18 16:40:05 +02:00
.rustfmt.toml Handle database-backed sessions. 2018-08-19 18:00:43 +02:00
.travis.yml Add travis build. 2018-08-20 18:07:27 +02:00
Cargo.toml WIP: use sqlite 2018-10-17 22:35:28 -07:00
README.md Minor edits to the readme to mention sqlite. 2018-10-17 23:07:03 -07:00
diesel.toml Basic user management 2018-08-18 16:40:05 +02:00

README.md

Web example: Login with warp, ructe, and diesel with sqlite

This application is intended as an example of a web service handling a login session. It uses the warp web framework, the ructe template engine and the diesel database layer, using the sqlite backend.

Build Status

A Session object is created for each request (except for static resources), containing a handle to a database connection pool and an Option<User> that is set if the user is logged in.

The authentication are done with bcrypt verification of hashed passwords (the hashes are stored in the database, passwords are never stored or logged in plain text).

When authenticated, the user gets a cookie (httponly, strict samesite) containing a session key, which is used for authentication through the remainder of the session.

Things that could use improvement:

  • The routing provieded by warp is very nice, but it would be nice to be able to define routers and subrouters in a more tree-like way. Perhaps it is possible, and I just havn't found out how yet?

  • I have probably missed something in how errors are supposed to be handled in warp. It feels like I am wrapping Results in Results, and I use more .map_err(...) than I like.

  • Database is not really handled asyncronously yet, so database accesses blocks the worker. See https://github.com/diesel-rs/diesel/issues/399 for information.

Things that remains to be done:

  • Session keys should have a limited age. Maybe doing a request after half that time should generate a new session key?

  • The code that handles the authentication and sessions should be externalized to a separate crate, but the session data should remain application-specific. Generating and verifying the bcrypt hashes and session keys should be done by the external crate, but actually storing them in the database, including migrations to create the tables, should be done by the application.

  • CSRF protection is not yet implemented.

This project was partially inspired by https://github.com/rust-lang-nursery/wg-net/issues/44 ; go there for more example projects.

Issue reports and pull requests and welcomed.