Add warp::auth::basic() filter

Open 586837r opened this issue 3 years ago • 2 comments

You use it like this:

use warp::Filter;

let auth = warp::auth::basic()
    .realm("access")
    .allow("user", "1234");

let route = warp::any()
    .map(warp::reply)
    .with(auth);

#751 also implements basic authentication.

Contrary to theirs, mine:

  • is very simple and limited
  • returns an impl Reply instead of a rejection on authorization failure
  • uses an immutable set of authorizations
  • realm is optional

586837r, Mar 16 '21 03:03

I like the implementation using the builder pattern and its usage as a with() filter.

My only objections are:

  • the user/password storage is not encrypted, therefore insecure (also not sure this should be part of warp, something that can for example authenticate against htpasswd files could/should be an extra crate)
  • no way to use a custom lookup function for e.g. a user/pass database (or when used for Bearer auth to verify tokens)

mike-kfed, Mar 18 '21 10:03

Just an additional thought: the password comparison is not constant-time and might therefore be vulnerable to timing attacks.

gralpli, Oct 25 '22 09:10
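
The timing concern raised in the last comment, as an added example that is not part of the thread or of the proposed filter: a short-circuiting allow-list check beside one that compares every byte of every entry. The function names and the allow-list contents are assumptions made for illustration; credentials are still held in plaintext, as in the snippet in the issue.

```rust
use std::hint::black_box;

/// Pattern to avoid: `==` on strings may stop at the first differing byte,
/// and `any` stops at the first matching entry, so timing depends on the secret.
fn naive_is_allowed(allow: &[(&str, &str)], user: &str, pass: &str) -> bool {
    allow.iter().any(|(u, p)| *u == user && *p == pass)
}

/// Compare without an early exit. The loop length depends only on the
/// supplied (client-controlled) value, never on where the first mismatch is.
fn ct_eq(supplied: &[u8], expected: &[u8]) -> bool {
    // A length mismatch is folded into the accumulator instead of returning early.
    let mut diff = (supplied.len() != expected.len()) as u8;
    for (i, &s) in supplied.iter().enumerate() {
        // Wrap around the expected value so every supplied byte is compared.
        let e = if expected.is_empty() { 0 } else { expected[i % expected.len()] };
        diff |= s ^ e;
    }
    // black_box discourages the optimizer from reintroducing a short circuit;
    // it is a hint, not a guarantee.
    black_box(diff) == 0
}

/// Check every allow-list entry; `&` and `|=` on bool do not short-circuit.
fn is_allowed(allow: &[(&str, &str)], user: &str, pass: &str) -> bool {
    let mut ok = false;
    for (u, p) in allow {
        ok |= ct_eq(user.as_bytes(), u.as_bytes()) & ct_eq(pass.as_bytes(), p.as_bytes());
    }
    ok
}

fn main() {
    // Constructed allow list, mirroring .allow("user", "1234") from the issue.
    let allow = [("user", "1234"), ("admin", "hunter2")];
    for (u, p) in [("user", "1234"), ("user", "1235"), ("user", "123"), ("nobody", "1234")] {
        println!("{u}:{p} -> naive={} ct={}", naive_is_allowed(&allow, u, p), is_allowed(&allow, u, p));
    }
}
```

Rust makes no language-level constant-time guarantee, so production code normally uses a vetted crate such as `subtle` for the comparison.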