
axum-auth's Introduction

👋

I'm Owen Griffiths, a software engineer currently residing in Liverpool, UK. I primarily use the Python and Rust programming languages, focusing on fields such as Web Development, Parsers and Developer Tooling.

You can contact me using the links to the left or visit my LinkedIn or Portfolio for a small blog and extra contact information.

axum-auth's People

Contributors

colerar, congyuwang, daveps, higherorderlogic, knarkzel, owez


axum-auth's Issues

ability to adjust rejection

Currently it just fails with a Bad Request.

It would be useful if one could change it to set the header WWW-Authorization with Basic and status UNAUTHORIZED to trigger the client to specify the missing Authorization header.

Fuzzing

I'd like to add some fuzzing to tests and get CI done with this as well; add some automatic checks to try to make sure nothing has holes.

Doesn't compile on Axum 0.6.0-rc2

error:

the trait Handler<_, _, _> is not implemented for fn(Extension<NotifyApplication>, HeaderMap, AuthBasic, axum::Json<Notification>) -> impl Future<Output = impl IntoResponse> {push}

Release 4.0

Support for axum 0.6 was implemented in #9; there are some final features I'd like to add before publishing 4.0:

  • Integration testing
  • Split out decoding & traits
  • Possibly #8 here
  • Better documentation for errors

Lack of Industry Best Practices, documentation and Login Procedure

Guys! I'm very appreciative of your work, but...

You need to understand. This library will probably be used as the most entry-level simple login for beginners. But it's actually the hardest.

  1. Please, add some notes on the HTTP basic auth standard.

  2. TypedHeader<Authorization<..>> is not clear to me at all. It's undocumented, it's something I don't want to use when I just want to secure some handlers, and there is no place in the axum documentation where it says "oh, use me for auth".

  3. You don't have to, but you probably should introduce newbies to strategies of login "at all". As I understand it, you offer the user to use BasicAuth as an extractor for any protected handler? Where can I, as a newbie developer, find out whether that is good practice? Or should I rather secure my handler with middleware?
    Why don't you write about this option, just like, oh, it's as simple as

  let (mut parts, _) = req.into_parts();
  let auth = AuthBasic::from_request_parts(&mut parts, &()).await.unwrap();

  4. There is actually no login story in the examples. I don't see a redirect from a protected page, I don't see a login page, which should write the token, nor a place where this token must be written from the frontend side.

Sorry, I know this crate is in maintenance mode, but there are many reasons for me not to use axum-login because of its macros everywhere. I wanted simplicity, but I must see some examples and solutions to actually use simple basic auth in a whole infrastructure.

Protect route

In the documentation we cannot find how to use axum-auth to protect routes!!!

Example susceptible to timing attacks

I'm not a security expert or anything, but your example looks susceptible to timing attacks: if let Some(password) = password {. This comparison should rather run in constant time.

In the real world hashing may be used anyway, but there is still a chance that someone just copies this, so this should be improved in my opinion.

More example code?

I'm trying to use axum-auth in an Axum handler like this:

async fn root_handler(
    ww: Extension<WorkstateWrapper>,
    AuthBasic((user_id, password)): AuthBasic
) -> Result<Html<String>, StatusCode> {
...

But as there is no authentication header yet, I simply end up with a

400 Bad Request: "`Authorization` header is missing"

I'm looking for some way to test whether the authorization header exists, and if not, send a 401 response along with a WWW-Authenticate header. Should the test somehow happen before the handler is called by the Router? If so: how?

Can some more example code be added which shows how to use axum-auth in a slightly more real-world scenario?
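As an added example that is not axum-auth's or axum's own code, the following framework-agnostic Rust sketch covers what the issues above ask for: it answers a missing or non-Basic Authorization header with 401 plus a WWW-Authenticate: Basic challenge instead of 400 ("ability to adjust rejection", "More example code?"), it runs the whole check before any handler body so the same function can sit in a middleware or a custom extractor ("Protect route", the middleware question in the best-practices issue), and it compares the submitted credential in constant time ("Example susceptible to timing attacks"). Every name in it (Response, Auth, check_basic_auth, b64_decode, ct_eq) and the realm string are assumptions made for the example; the only input is the constructed RFC 7617 credential "Aladdin:open sesame".

```rust
// Added example, not axum-auth's or axum's code: std-only so it runs without the
// framework. `Response`, `Auth`, `check_basic_auth`, `b64_decode`, `ct_eq` are assumptions.

/// Stand-in for an HTTP response (assumption, not axum's type).
#[derive(Debug, PartialEq)]
pub struct Response {
    pub status: u16,
    pub headers: Vec<(String, String)>,
}

impl Response {
    /// 401 plus the challenge header that makes a client prompt for credentials.
    pub fn challenge(realm: &str) -> Self {
        let value = format!("Basic realm=\"{}\", charset=\"UTF-8\"", realm);
        Response { status: 401, headers: vec![("WWW-Authenticate".to_string(), value)] }
    }
}

/// Standard base64 (RFC 4648). None on malformed input: the header is attacker-controlled.
pub fn b64_decode(input: &str) -> Option<Vec<u8>> {
    fn val(c: u8) -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some(u32::from(c - b'A')),
            b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
            b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    }
    let bytes = input.as_bytes();
    if bytes.is_empty() || bytes.len() % 4 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(bytes.len() / 4 * 3);
    for chunk in bytes.chunks(4) {
        let pad = chunk.iter().rev().take_while(|&&c| c == b'=').count();
        if pad > 2 {
            return None;
        }
        let mut acc: u32 = 0;
        for (i, &c) in chunk.iter().enumerate() {
            // '=' is only legal as trailing padding
            let v = if c == b'=' { if i < 4 - pad { return None; } 0 } else { val(c)? };
            acc = (acc << 6) | v;
        }
        let b = acc.to_be_bytes(); // the 24 data bits sit in b[1..4]
        out.extend_from_slice(&b[1..4 - pad]);
    }
    Some(out)
}

/// Compare without early exit so timing does not reveal how many leading bytes
/// matched (only the length leaks; compare fixed-length hashes in real code).
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

/// Either the authenticated user, or the response to send instead of running the handler.
#[derive(Debug, PartialEq)]
pub enum Auth {
    Ok(String),
    Reject(Response),
}

/// `authorization` is the raw header value (None when absent); the expected
/// user/password stand in for a credential-store lookup.
pub fn check_basic_auth(authorization: Option<&str>, expected_user: &str, expected_password: &str) -> Auth {
    const REALM: &str = "example";
    // Missing header or a non-Basic scheme (case-insensitive, RFC 7235): answer
    // 401 with a challenge rather than 400, so the client knows how to retry.
    let rest = match authorization.and_then(|h| h.split_once(' ')) {
        Some((scheme, rest)) if scheme.eq_ignore_ascii_case("basic") => rest,
        _ => return Auth::Reject(Response::challenge(REALM)),
    };
    // Base64 -> UTF-8 -> "user:password" (RFC 7617: the user-id may not contain ':').
    let creds = b64_decode(rest.trim()).and_then(|b| String::from_utf8(b).ok());
    let (user, password) = match creds.as_deref().and_then(|s| s.split_once(':')) {
        Some(parts) => parts,
        None => return Auth::Reject(Response { status: 400, headers: Vec::new() }),
    };
    // Bitwise `&` rather than `&&`: both comparisons always run, whatever fails.
    let ok = ct_eq(user.as_bytes(), expected_user.as_bytes())
        & ct_eq(password.as_bytes(), expected_password.as_bytes());
    if ok { Auth::Ok(user.to_string()) } else { Auth::Reject(Response::challenge(REALM)) }
}

fn main() {
    // Constructed input: the RFC 7617 example credential "Aladdin:open sesame".
    let good = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
    println!("{:?}", check_basic_auth(Some(good), "Aladdin", "open sesame"));
    println!("{:?}", check_basic_auth(None, "Aladdin", "open sesame"));
}
```

In an actual axum service the comparison would be made against a password hash read from a store rather than a plaintext literal, the `Reject` variant would be turned into the framework's response type, and the `subtle` crate's ConstantTimeEq can replace the hand-written `ct_eq`. Keeping the decision in one function that runs before the handler is what lets the same logic be wired as a middleware layer or as a custom extractor.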
