{"id":13546041,"url":"https://github.com/neoeinstein/aliri","last_synced_at":"2025-05-15T11:03:14.696Z","repository":{"id":37632316,"uuid":"260801493","full_name":"neoeinstein/aliri","owner":"neoeinstein","description":"Web API access control for Rust","archived":false,"fork":false,"pushed_at":"2025-03-19T07:34:48.000Z","size":575,"stargazers_count":125,"open_issues_count":10,"forks_count":19,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-06T18:54:56.023Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neoeinstein.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE-APACHE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-03T00:39:14.000Z","updated_at":"2025-04-06T15:17:04.000Z","dependencies_parsed_at":"2024-04-17T06:31:10.803Z","dependency_job_id":"6e1d959f-2d08-4e69-b606-9be0caeeea96","html_url":"https://github.com/neoeinstein/aliri","commit_stats":{"total_commits":235,"total_committers":8,"mean_commits":29.375,"dds":"0.13617021276595742","last_synced_commit":"cb817c17218523dc3427282081804bf3a183c51b"},"previous_names":[],"tags_count":61,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neoeinstein%2Faliri","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neoeinstein%2Faliri/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neoeinstein%2Faliri/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neoeinstein%2Faliri/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neoeinstein","download_url":"https://codeload.github.com/neoeinstein/aliri/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248912240,"owners_count":21182239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:00:30.477Z","updated_at":"2025-04-14T15:54:58.916Z","avatar_url":"https://github.com/neoeinstein.png","language":"Rust","funding_links":[],"categories":["Web and Cloud Security"],"sub_categories":["Authorization \u0026 Authentication Frameworks"],"readme":"# Aliri\n\n\u003c!-- markdownlint-disable MD036 --\u003e\n_Esperanto for \"access\"_\n\u003c!-- markdownlint-enable MD036 --\u003e\n\n![CI](https://github.com/neoeinstein/aliri/workflows/CI/badge.svg?branch=master\u0026event=push)\n\n_Aliri_ is a family of crates intended to help build access control,\nparticularly of web APIs, where a token is the primary means of providing\naccess.\n\n## Features\n\nThe [`aliri`][] crate provides primary support for the _JavaScript/JSON\nObject Signing and Encryption (JOSE)_ standard. For more information about the\nRFCs relating to this standard, see the\n[crate's documentation][aliri:doc].\n\nThe [`aliri_oauth2`][] crate provides some support for incorporating checks to\nensure a bearer of a token has sufficient _scopes_ to permit access. It also\nprovides some functionality for using a local or remote _JSON Web Key Set\n(JWKS)_ as an authority to authenticate tokens. Some of this functionality may be\nbroken off as part of planned _OpenID Connect (OIDC)_ functionality.\n\nThe [`aliri_actix`][] crate provides some useful bindings to create scope guards\nfor the [`actix-web`][] web server.\n\nSimilarly, the [`aliri_warp`][] crate provides bindings to the [`warp`][] web\nserver, and includes filters useful for authenticating access to endpoints.\n\nOther crates under the `aliri` header provide supporting functionality to these\nprimary crates.\n\n  [`aliri`]: https://crates.io/crates/aliri\n  [aliri:doc]: https://docs.rs/aliri\n  [`aliri_oauth2`]: https://crates.io/crates/aliri_oauth2\n  [`aliri_actix`]: https://crates.io/crates/aliri_actix\n  [`actix-web`]: https://crates.io/crates/actix-web\n  [`aliri_warp`]: https://crates.io/crates/aliri_warp\n  [`warp`]: https://crates.io/crates/warp\n\n### _JSON Web Signature (JWS)_ operations\n\nSupported algorithms\n\nFeature `hmac`:\n\n* HS256, HS384, HS512\n\nFeature `rsa`:\n\n* RS256, RS384, RS512\n* PS256, PS384, PS512\n\nFeature `ec`:\n\n* ES256, ES384\n\nNote: `none` is explicitly not supported by this library due to the security\nholes that algorithm raises when improperly accepted.\n\nSupport for private keys, to allow for signing operations and to generate new\nkeys, is provided by the `private-keys` feature.\n\nDue to limitations in the ability to import and export generated keys in the\nrequired JWK form, `openssl` is used to extract or handle the required\nparameters. In addition, `ring` does not support RSA private keys that are\nmissing the `p`, `q`, `dmp1`, `dmq1`, or `iqmp` values. These parameters are\n_highly recommended_ as they speed up signature calculation, but according to\nthe JWA specification are technically optional.\n\n### Supported checks\n\n* `iss` exact string match\n* `aud` exact string match (list)\n* `sub` regex match\n* `jti` predicate function\n* `nbf` against current time\n* `exp` against current time\n* `iat` max age check\n* `alg` exact match (list)\n\n## Future plans\n\n* Support JWE\n* Support OpenID Connect as a relying party\n* Support obtaining tokens and token management\n\n## Alternatives\n\nThis set of crates grew out of my prior use of `jsonwebtoken`, and was expanded\nto fit larger goals of implementing the full JOSE suite. Further inspiration was\ntaken from `jsonwebtokens`, in particular the `Verifier` type.\n\n* [`jsonwebtoken`](https://crates.io/crates/jsonwebtoken)\n* [`jsonwebtokens`](https://crates.io/crates/jsonwebtokens)\n* [`frank_jwt`](https://crates.io/crates/frank_jwt)\n* [`biscuit`](https://crates.io/crates/biscuit)\n\n## Unsafe code\n\n_Aliri_ does make use of very limited unsafe code. This unsafe code is limited\nto a single function defined in macros that is used to generate strongly-typed\nwrappers for `String` and `Vec\u003cu8\u003e` values. Unsafe is necessary here for the\nreference types, in order to reinterpret the `\u0026str` as `\u0026MyTypeRef` or `\u0026[u8]`\nas `\u0026Base64Ref`. This reinterpretation is safe because the wrappers around `str`\nuse `#[repr(transparent)]`, which means that the wrappers share the exact same\nrepresentation as the underlying slice.\n\nFor the above reason, some included crates use `#![deny(unsafe_code)]`\nrather than `#![forbid(unsafe_code)]`. The only `#![allow(unsafe_code)]` in\nthe code base can be found in the `typed_string!` and `b64_builder!` macros.\n\nI have made this choice because of my preference for _strongly-typed_ APIs over\n_stringly-typed_ APIs. I believe that consumers of this library will benefit\nfrom this choice, as it will help them to prevent silly bugs.\n\nNote that, because `cargo-geiger` has difficulty parsing out unsafe usage from\nwithin macros, that tool won't report these crates as \"radioactive\", but\nprobably should. _Do your due diligence._\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneoeinstein%2Faliri","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneoeinstein%2Faliri","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneoeinstein%2Faliri/lists"}