Authentication in Tide

[bIgBV]

Currently we don't have a story for authentication in Tide. I hoped that this issue would help start some discussion around the topic. A few questions that come to mind:

• How much support do we want to provide? Something as involved as Django and Rails? Or something more lightweight like Flask?
• It most likely will be a Middleware, but is this the best approach?
• How will it hook into configuration? As discussed in Add configuration (for extractors and middleware) #5 per route configuration could change the way authentication would work for that route.

[petejodo]

New here and rust in general but interested in tide. Anyway, I guess your first question is asking whether Tide just wants to support sessions, which I presume would be built on top of cookies, or provide some full authentication on top of sessions like Django. Another question is whether to support other authentication strategies such as a token-based one.

Personally I find myself getting confused when reading django authentication documentation. There's too many different parts to it that it feels overwhelming just to get something working. I think providing something barebones/lightweight that can be further built upon would be the goal to strive for (however possible that actually is).

About approaches, another one other than Middleware is doing how Rocket does it with request guards where a struct User can implement FromRequest which is where it makes the db request or whatever is needed and then all the handler needs to do is just have User as a parameter.

[bIgBV]

Personally I find myself getting confused when reading django authentication documentation. There's too many different parts to it that it feels overwhelming just to get something working. I think providing something barebones/lightweight that can be further built upon would be the goal to strive for (however possible that actually is).

To be fair, it is a very complete solution. By providing sessions by default, session management becomes extremely easy. You can hook into external stores for sessions simply thorough configuration and everything just works. With something like flask on the other hand you have to maintain your own code for this. I haven't used Rocket, but I am guessing it is similar to Flask in this regard.

[mmrath]

About approaches, another one other than Middleware is doing how Rocket does it with request guards where a struct User can implement FromRequest which is where it makes the db request or whatever is needed and then all the handler needs to do is just have User as a parameter.

This is something I dislike. If this is required, it can be supported with a extractor but auth is something a Middleware can handle very well. For rocket I have raised an issue to support middleware like functionality specifically for authentication(rwf2/Rocket#749).

[mmrath]

I think authentication support implementation should be delayed until the framework is more stable. most of the authentication related functionality can be written on top of tide initially to try different approaches. And possibly merge once there is some good consensus. There is also authorisation functionality that need to be thought of when designing authentication.

[yoshuawuyts]

I think authentication support implementation should be delayed until the framework is more stable. most of the authentication related functionality can be written on top of tide initially to try different approaches.

Perhaps a useful challenge would be for people to try and develop a password/email cookie authentication flow, in separate repos.

I think having some simple, tangible examples of what authentication flows can look like with Tide might help inform the design space, and allow us direct the discussions a bit more.

[markbahnman]

I've been toying around with tide for a basic REST api and I think most of the pieces for a basic auth flow are already here. Use middleware to authenticate the request and stuff the session data into the request extension, use a Computed extractor in a handler to make that data accessible to your function.

[petejodo]

I was thinking something along the same lines but extract the session handling into a separate AuthenticationStrategy trait which would handle the session stuff or another could use JWT or OAuth. Taking it further, there could be another trait, AuthenticationHandler, that the user implements which would be the actual code that verifies against their specific database or whatever.

So you have AuthenticationMiddleware<AuthenticationStrategy, AuthenticationHandler> and the user would do something like

let auth_middleware: AuthenticationMiddleware<auth::SessionStrategry, MyAuthHandler> = AuthenticationMiddleware::new(
    auth::SessionStrategy::new(/* ... */),
    MyAuthHandler,
);

struct MyAuthHandler;

impl AuthenticationHandler for MyAuthHandler {
    verify_user(/* ... */) -> Result<NotSure, AuthError> {
        /* ... */
    }
}

I'm kinda just spitballing so I haven't really thought of what the actual implementation would look like though

[yoshuawuyts]

Tide 0.0.1 has been released, so if people would want to start on sketching examples it should be a bit more convenient now!

[tomhoule]

I already mentioned it in the session design issue, and it's not a full authentication solution, but I just published a rough prototype for a session management middleware in this repo. It's only cookie-based, so not as generic as what @petejodo suggested. Any form of feedback is greatly appreciated.

[bIgBV]

@prasannavl @fairingrey @Nemo157 the repo linked in the comment above contains a really well thought out authentication scheme including sessions for tide. I we should look into bringing this into the tide ecosystem. There can be further discussion as to whether or not we want to include this in tide-core or not, but I feel that tide requires a solid sessions and authentication story.

[yoshuawuyts]

It feels we could probably put out an RFC for the design in this so we can discuss the API before implementing it.

We've done an RFC before in https://github.com/rustasync/tide/blob/master/rfcs/001-app-new.md, but modeling it after https://github.com/rustwasm/gloo/blob/master/rfcs/001-mid-level-file-api.md is probably better.

@bIgBV would you want to start the process of drafting an RFC for authentication?

[bIgBV]

@yoshuawuyts I'll open an RFC by tomorrow.