{"id":22656896,"url":"https://github.com/icelk/kvarn-auth","last_synced_at":"2025-04-12T04:53:45.422Z","repository":{"id":58152306,"uuid":"520660952","full_name":"Icelk/kvarn-auth","owner":"Icelk","description":"Authentication extension for Kvarn for performant, secure, and transparent authentication for the web's future.","archived":false,"fork":false,"pushed_at":"2024-10-21T16:14:22.000Z","size":97,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-12T04:53:37.746Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Icelk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-02T21:59:37.000Z","updated_at":"2024-10-21T16:14:25.000Z","dependencies_parsed_at":"2024-10-21T21:43:13.980Z","dependency_job_id":null,"html_url":"https://github.com/Icelk/kvarn-auth","commit_stats":{"total_commits":49,"total_committers":1,"mean_commits":49.0,"dds":0.0,"last_synced_commit":"065884a8b106da202f7d215c0821df263f17ac50"},"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Icelk%2Fkvarn-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Icelk%2Fkvarn-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Icelk%2Fkvarn-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Icelk%2Fkvarn-auth
/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Icelk","download_url":"https://codeload.github.com/Icelk/kvarn-auth/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248519472,"owners_count":21117757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-09T10:16:50.502Z","updated_at":"2025-04-12T04:53:45.400Z","avatar_url":"https://github.com/Icelk.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# kvarn-auth\n\nA fast, simple, and customizable authentication extension for use in [Kvarn](https://kvarn.org).\nIt's impossible to shoot yourself in the foot!\n\nProvides an easy-to-use [JWT](https://wikipedia.org/wiki/JSON_Web_Token)-based authentication helper with support for persistent logins and validation servers.\n\nYou provide an async callback which gives the user a level of authorization.\nYou can return any structured data based on serde.\nThe JWT is automatically renewed, as the server stores a credentials cookie (encrypted using the server's private key).\nEverything is configurable.\n\n**⚠️ Warning: This crate has not been audited. All dependencies I use have. 
Use at your own risk.**\n\n\u003e I do however personally use this for production systems.\n\n# Front-end usage\n\nA small [JS library](lib.mjs) is provided for logging in and out and to get the current status of the user.\nSee it and its docs for more details.\n\n# Validation servers\n\nAn important feature of this library is validation servers.\nThis enables a deployment of `kvarn-auth` to multiple different physical servers,\nwithout sharing the private key which can sign anybody in.\nThis is achieved by using fast asymmetric cryptography.\nSee [`ecdsa_sk`] for more info.\n\n# Persistent logins\n\nAlong with the usual JWT cookie, `kvarn-auth` sends a credentials cookie.\nIt contains the user's credentials encrypted using the secret/private key of the server.\nThis allows for automatic renewal (using Kvarn's excellent extension system) when the JWT has\nexpired. The credentials cookie is encrypted to avoid XSS attacks stealing the user's password,\nwhich the user probably reused on other websites; this is an effort to help users.\n\nYou can enable [`Builder::with_force_relog_on_ip_change`] to make any cookie stealing useless.\nWe embed the user's IP in the JWT and credentials and only allow them if the IP is the same.\nThis may be annoying for the users (especially if your user-base is predominantly on mobile),\nbut greatly decreases the risk of account theft. 
So probably use it for banking :)\n\n# Versions\n\n-   0.1.x - `kvarn v0.5`\n-   0.2.x - `kvarn v0.6`\n\n# Example\n\n```rust\n# use kvarn::prelude::*;\n// please use a strong random secret (\u003e1024bits of entropy to be safe)\nlet secret = b\"this secret protects all the JWTs and the credentials\".to_vec();\nlet mut accounts: HashMap\u003cString, String\u003e = HashMap::new();\naccounts.insert(\"icelk\".into(), \"password\".into());\nlet auth_config = kvarn_auth::Builder::new()\n    // the authentication's scope is limited to routes starting with `/demo/`.\n    .with_cookie_path(\"/demo/\")\n    .with_auth_page_name(\"/demo/auth\")\n    // according to Kvarn's internal redirects, `/demo/login.` is shorthand for `/demo/login.html`\n    .with_show_auth_page_when_unauthorized(\"/demo/login.\")\n    .build::\u003c(), _, _\u003e(\n        move |user, password, _addr, _req| {\n            let v = if accounts.get(user).map_or(false, |pass| pass == password) {\n                kvarn_auth::Validation::Authorized(kvarn_auth::AuthData::None)\n            } else {\n                kvarn_auth::Validation::Unauthorized\n            };\n            core::future::ready(v)\n        },\n        kvarn_auth::CryptoAlgo::EcdsaP256 { secret },\n    );\n\nlet mut extensions = kvarn::Extensions::new();\n\nauth_config.mount(\u0026mut extensions);\nlet login_status = auth_config.login_status();\n\nextensions.add_prepare_single(\n    \"/demo/api\",\n    prepare!(\n    req,\n    host,\n    _path,\n    addr,\n    move |login_status: kvarn_auth::LoginStatusClosure\u003c()\u003e| {\n        let auth_data =\n            if let kvarn_auth::Validation::Authorized(ad) =\n                login_status(req, addr)\n        {\n            ad\n        } else {\n            return default_error_response(\n                StatusCode::UNAUTHORIZED,\n                host,\n                Some(\"log in at `/demo/login.html`\"),\n            )\n            .await;\n        };\n        // continue with your 
API, with a guarantee\n        FatResponse::no_cache(Response::new(Bytes::new()))\n    }),\n);\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficelk%2Fkvarn-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ficelk%2Fkvarn-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ficelk%2Fkvarn-auth/lists"}