Learn how to implement a simple REST API with JWT Authentication in Rust using the actix web framework and Diesel.
Brought to you by @abhishek.chanda
Hey everyone! Once the article is here let us know what you think and contribute to the discussion!
Thanks a lot for the article! Amazing timing too, as I literally yesterday felt like I wanted to start writing this hobby project of mine. I had chosen to use Hyper as a “framework” for my API, a lot of what was written here ended up being easily transferrable.
One thing that got me a little stuck was this bit in the code:
let domain = std::env::var("DOMAIN").expect("DOMAIN must be set");
let jwks = fetch_jwks(&format!("{}{}", domain.as_str(), ".well-known/jwks.json"))
.expect("failed to fetch jwks");
From skimming the article, it felt to me like the DOMAIN variable from .env was supposed to match the audience from the token/identifier URL in my API details on the dashboard.
Firstly, the format! given the example would result in https://example.com.well-known/jwks.json. Second, I ended up using what would be the authority/domain in my application from the dashboard (https://dev-00-abcde.eu.auth0.com/) in place of the DOMAIN, which did result in an authentication success.
Given that I’m pretty much entirely green when it comes to JWT and the concepts of implementing this, I might have reached some faulty conclusion however… I wouldn’t know!
The points of interest in my source code can be found here (Sorry, it’s not amazingly pretty).
Just pinged article author about that!
Hi @kent.daleng thanks for pointing that out. You are right that the given example will not work since the URL is wrongly generated. I tested using an actual tenant but forgot the trailing slash while publishing. Here is what we will change in the blog post:
Thanks a lot for the headsup @abhishek.chanda!
Hello,
Just some nits while reading the blog post:
The diesel print-schema command doesn’t work out of the box. I first had to call diesel migration run to make it work. Thanks for the awesome work!
Welcome to our Auth0 Community, Vincent!
Thank you for reading the post and for your feedback. I fixed the 404; the repo was not public yet.
I am rusty in Rust. So, I’ll let @abhishek.chanda drive the other question.
Thanks for your answer, but the repo is still private
Cheers
Ah, yes! The one that I opened is different. Let me double-check with the author and I’ll get back to you on that one
Thanks for reporting that @Bordelons!
I’m sure @abhishek.chanda (the article author) will look at that once he’s online.
Howdy, the repo should be public now
Btw, we are looking to push an update that uses SQLite instead of PostgreSQL for easier setup. What do you think about this change?
Hello, Manuel. Thanks for reading and welcome to our Community. Are you providing us insight on your use case or would you like guidance on how to achieve that integration of a frontend Single Page App with a Rust Actix API?
Hi, thank you for the very helpful tutorial!
While playing with the code I encountered the following problem.
As mentioned in https://tools.ietf.org/html/rfc7519#section-4.1.3, aud claims can contain an array of strings. Auth0 sometimes returns such JWTs, but the validation function of alcoholic_jwt does not take that into account.
Since the GitHub repo was moved to the author’s personal server, I could not find a way to raise an issue there.
I am rather a newbie and not sure if I could find a workaround by myself. Anyway, I am going to look into a fix, or rewrite with jsonwebtoken…
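Added illustration of the audience check the post above describes (not code from the article or its repo, and written in Python rather than Rust so it runs with no crates): the aud claim is normalised so that both the single-string form and the RFC 7519 array form are accepted, and the token is rejected unless the API's own identifier is among the values. The claims dicts are constructed samples; the issuer reuses the placeholder tenant quoted earlier in the thread, and the userinfo entry stands in for the extra value an array-form aud may carry.

```python
import json

# Constructed sample claims, as decoded from the payload segment of a JWT.
# Signature verification against the tenant JWKS must already have passed
# before any of these values are trusted.
ISSUER = "https://dev-00-abcde.eu.auth0.com/"          # placeholder tenant from the thread
API_IDENTIFIER = "https://api.example.com"             # constructed API identifier

SINGLE_AUD = {"iss": ISSUER, "aud": API_IDENTIFIER}
ARRAY_AUD = {"iss": ISSUER, "aud": [API_IDENTIFIER, ISSUER + "userinfo"]}
OTHER_AUD = {"iss": ISSUER, "aud": ["https://some-other-api.example"]}
MALFORMED_AUD = {"iss": ISSUER, "aud": 42}


def audience_values(claims: dict) -> list:
    """Normalise aud to a list. RFC 7519 §4.1.3 allows either a single
    case-sensitive string or an array of such strings; anything else is invalid."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim must be a string or an array of strings")


def audience_matches(claims: dict, expected: str) -> bool:
    """RFC 7519: the recipient MUST reject the token unless it identifies
    itself with at least one value in aud. Extra values are fine; an absent
    or non-matching aud is not."""
    return expected in audience_values(claims)


def check_token_claims(payload_json: str, expected_audience: str) -> str:
    """Classify a decoded payload as 'ok', 'malformed' or 'wrong-audience'.
    Raising on malformed input (rather than silently passing) is the point
    the post is making about validators that only handle the string form."""
    try:
        claims = json.loads(payload_json)
        ok = audience_matches(claims, expected_audience)
    except (ValueError, TypeError):
        return "malformed"
    return "ok" if ok else "wrong-audience"
```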
Great article, very nice!
I did find 1 nitpick (not 100% sure though). But in the handlers you are mapping the errors like this:
.map_err(|_| HttpResponse::InternalServerError())
But should it not be:
.map_err(|_| ServiceError::InternalServerError)
Both will definitely work but since you took the effort of defining a custom error handler, it might be nice to use it in the handlers as well.
Thanks for writing the article.
Tagging article author for visibility - @abhishek.chanda
If you left out the date_created would you be able to get a post done with only two structs instead of three? (User, NewUser, and InputUser)
Or is there something in Diesel that is preventing a struct from being insertable, queryable, deserialize, and serialize?
Thanks for asking the question @twiclo! cc: @abhishek.chanda
Hi @twiclo you are right there. There is no inherent problem for a struct being insertable, queryable, serialize, and deserialize. This is more of a design choice to track the creation date. This often comes up as an auditing requirement, so it makes sense to include it right from the start.
Hi @abhishek.chanda - Thanks for this neat article. One question though - how can I extract the claims from the token in the handler function?