Comments (6)
So the simple solution here is to turn your string into a &'static str like so:
let id : &'static str = Box::leak(identity.into_boxed_str());
let claim = SubjectClaim::from(id);
However I don't recommend building a token for every request in a policy like this. I'd suggest using a middleware to validate an existing token (or you could create a policy that only validates).
The reason for this is because encrypting a token is IO heavy on the CPU. If you attempt to encrypt a token on every single request you'll rapidly get bogged down. Instead, I recommend creating a token when the user has been authenticated and storing that in a cookie (or passing it to a client to be used in subsequent requests) so that the policy or middleware can be used to validate the token on each request which is a much quicker process.
I've added an example to the repository which does this. However, I think a cleaner solution would be to use a middleware instead of a policy but I've created it as a policy since that's what you're attempting to do. Good luck and have fun!
from rusty_paseto.
Yes, I should have been more clear. Box::leak is safe; however, as indicated in the name, it leaks the memory, which is what you would expect when you make a value live as 'static since it will live for the life of the program. Given that it looks like you're writing a server, this is probably not what you want to do if you're going to be calling this repeatedly. The correct way would be for me to just get rid of the need for the value to live for 'static, so I've done that and uploaded version 0.4.0 and updated the example so you no longer need to use Box::leak and your original implementation should now work. Thanks!
from rusty_paseto.
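The two points made in this thread (build the token only at login rather than on every request, and drop the 'static requirement so that Box::leak is not needed) can be shown with plain Rust. The block below is an added example and is not code from rusty_paseto or from either poster; StaticSubjectClaim, SubjectClaim, build_token and the LEAKED_BYTES counter are assumptions that model the before/after shapes of the claim type, and build_token stands in for the real PASETO builder without doing any encryption.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};

// Stand-in for the pre-0.4.0 shape described in the thread: the claim can only
// hold a `&'static str`, so a request-scoped `String` cannot be borrowed into it.
// (Assumption: a model for this example, not rusty_paseto's real type.)
pub struct StaticSubjectClaim(pub &'static str);

// Stand-in for the 0.4.0 shape: the claim borrows the subject for any lifetime
// `'a`, so it can borrow from the request's `String` and release it afterwards.
// (Assumption: a model for this example, not rusty_paseto's real type.)
pub struct SubjectClaim<'a>(pub &'a str);

impl<'a> From<&'a str> for SubjectClaim<'a> {
    fn from(s: &'a str) -> Self {
        SubjectClaim(s)
    }
}

// Bytes handed to the allocator and never returned, summed across calls so the
// cost of the `Box::leak` workaround is measurable rather than theoretical.
pub static LEAKED_BYTES: AtomicUsize = AtomicUsize::new(0);

/// The workaround from the thread. It compiles, but every call leaks
/// `identity.len()` bytes for the lifetime of the process, which is exactly
/// what a server doing this per request must avoid.
pub fn claim_via_leak(identity: String) -> StaticSubjectClaim {
    LEAKED_BYTES.fetch_add(identity.len(), Ordering::SeqCst);
    let id: &'static str = Box::leak(identity.into_boxed_str());
    StaticSubjectClaim(id)
}

/// Placeholder for the token builder: encodes the subject into an opaque token
/// string. Real PASETO encryption is deliberately not modelled here (assumption).
pub fn build_token(claim: SubjectClaim<'_>) -> String {
    format!("v4.local.[token for sub={}]", claim.0)
}

/// Mirrors the `to_response` decision from the posted policy without leaking:
/// a token is issued only when the identity changed (i.e. on login/remember)
/// and there is an identity to encode. `id` is borrowed by the claim for the
/// duration of the build and freed when this function returns.
pub fn token_for_response(identity: Option<String>, changed: bool) -> Option<String> {
    if !changed {
        // Unchanged identity: validate the existing cookie elsewhere, build nothing.
        return None;
    }
    let id = identity?;
    let claim = SubjectClaim::from(&id[..]); // plain borrow, no 'static needed
    Some(build_token(claim))
    // `id` is dropped here; nothing was leaked.
}

fn main() {
    for n in 0..3 {
        let c = claim_via_leak(format!("user-{}", n));
        println!("leaked claim: {}", c.0);
    }
    println!("bytes leaked so far: {}", LEAKED_BYTES.load(Ordering::SeqCst));
    println!("{:?}", token_for_response(Some("alice".to_string()), true));
    println!("{:?}", token_for_response(Some("alice".to_string()), false));
}
```

The `changed` branch is the hook Eike asks about at the end of the thread: actix_identity sets it when the identity is remembered or forgotten, so issuing the cookie only inside that branch gives the "build once at login, validate on every request" flow Roland recommends.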
Eike,
Thanks for the kind words. I sincerely apologize for the late reply. I'm in the middle of moving my family and a job search. Can you provide a full code example showing the issue?
Thanks and again, I apologize for the delay.
Best regards,
Roland
from rusty_paseto.
Hey Roland,
thanks for your reply!
So I'm trying to implement the IdentityPolicy trait of actix_identity to store a paseto token in a Cookie.
// Imports added so the snippet is self-contained; `AppData` and `EnvVar` are
// the poster's own types and are not shown.
use std::future::{ready, Ready};

use actix_identity::IdentityPolicy;
use actix_web::cookie::{Cookie, SameSite};
use actix_web::dev::{ServiceRequest, ServiceResponse};
use actix_web::http::header::{self, HeaderValue};
use actix_web::Error;
use rusty_paseto::prelude::*;
use time::{Duration, OffsetDateTime};

pub struct PasetoCookieIdentityPolicy {}

impl IdentityPolicy for PasetoCookieIdentityPolicy {
    type Future = Ready<Result<Option<String>, Error>>;
    type ResponseFuture = Ready<Result<(), Error>>;

    // Validate the token carried in the cookie on every request and recover the subject.
    fn from_request(&self, request: &mut ServiceRequest) -> Self::Future {
        ready(Ok({
            request
                .cookie(&EnvVar::TokenCookieName.get_expect())
                .and_then(|cookie| {
                    let key = PasetoSymmetricKey::<V4, Local>::from(
                        request.app_data::<AppData>().unwrap().paseto_key.clone(),
                    );
                    let token: &str = cookie.value();
                    PasetoParser::<V4, Local>::default()
                        .parse(token, &key)
                        .ok()
                        // The subject claim is stored under "sub"; `as_str` returns the
                        // bare value instead of a JSON-quoted string.
                        .and_then(|token| token["sub"].as_str().map(str::to_owned))
                })
        }))
    }

    // Only build and set a new token when the identity has changed (login/logout).
    fn to_response<B>(
        &self,
        identity: Option<String>,
        changed: bool,
        response: &mut ServiceResponse<B>,
    ) -> Self::ResponseFuture {
        if changed {
            let id = match identity {
                None => return ready(Ok(())),
                Some(id) => id,
            };
            let key = PasetoSymmetricKey::<V4, Local>::from(
                response
                    .request()
                    .app_data::<AppData>()
                    .unwrap()
                    .paseto_key
                    .clone(),
            );
            let claim = SubjectClaim::from(&id[..]); // <-- failing here because string slice of id can not have a 'static lifetime
            let token = PasetoBuilder::<V4, Local>::default()
                .set_claim(claim)
                .build(&key)
                .unwrap();
            let mut cookie = Cookie::new(EnvVar::TokenCookieName.get_expect().to_owned(), &token);
            cookie.set_expires(OffsetDateTime::now_utc() + Duration::hours(1));
            cookie.set_secure(true);
            cookie.set_http_only(true);
            cookie.set_same_site(SameSite::Strict);
            let val = HeaderValue::from_str(&cookie.to_string()).unwrap();
            response.headers_mut().append(header::SET_COOKIE, val);
        }
        ready(Ok(()))
    }
}
Will try to get the repo up for a full code example if this snippet is not sufficient.
from rusty_paseto.
Thank you for the advice and the great example!
from rusty_paseto.
Is the usage of https://doc.rust-lang.org/std/boxed/struct.Box.html#method.leak safe? From the description it sounds like using it will cause a memory leak as the box will never be released.
Was not planning to create a token on each request, but only to do it on the login case; need to figure out how this is signaled to the policy, possibly with the changed flag.
from rusty_paseto.