auth-framework 0.4.0

A comprehensive, production-ready authentication and authorization framework for Rust applications
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171

# Changelog


All notable changes to the AuthFramework project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.3.0] - 2024-08-14


### 🚀 Added


- **Complete Configuration Management System** using the `config` crate
  - Multi-format support (TOML, YAML, JSON, RON, INI)
  - Environment variable mapping with customizable prefixes
  - Include directive system for modular configuration
  - CLI argument integration with clap
  - Parent application integration capabilities
- **Advanced Threat Intelligence Integration**
  - Real-time threat feed updates with automated scheduling
  - MaxMind GeoIP2 database integration for IP geolocation
  - CIDR network parsing and threat classification
  - Configurable threat severity levels and response actions
- **Enhanced SMS Kit Integration** (Next-Generation SMS)
  - Multi-provider support (Twilio, Plivo, AWS SNS, generic web APIs)
  - SMS web integration with Axum framework
  - Advanced delivery tracking and retry mechanisms
  - Comprehensive SMS testing and validation tools
- **Production-Ready Admin Binary**
  - Command Line Interface (CLI) with comprehensive user management
  - Terminal User Interface (TUI) with real-time monitoring
  - Web-based GUI with modern responsive design
  - Integrated health checks, metrics, and security monitoring
- **Enhanced Device Flow Support**
  - Convenient constructor methods for OAuth device flows
  - Support for GitHub, Google, Microsoft, and custom providers
  - Simplified device code completion workflows
  - Enhanced error handling and user experience
- **Token-to-Profile Conversion Utilities**
  - Automatic conversion from OAuth tokens to standardized user profiles
  - Support for multiple OAuth providers with consistent interface
  - Extensible profile mapping for custom user data

### 🛡️ Security Enhancements


- **RUSTSEC-2023-0071 Vulnerability Documentation**
  - Comprehensive analysis of Marvin Attack on RSA
  - PostgreSQL migration recommendation for complete vulnerability elimination
  - Detailed risk assessment showing extremely low practical risk
  - Alternative mitigation strategies for MySQL users
- **Enhanced Cryptographic Support**
  - AES-GCM encryption enabled by default
  - Optional ChaCha20-Poly1305 support
  - X25519 and Ed25519 curve support
  - AWS-LC-RS for FIPS compliance (optional)
- **Advanced Security Features**
  - Comprehensive audit trails with correlation IDs
  - Enhanced rate limiting with penalty systems
  - Secure session management with risk scoring
  - Multi-factor authentication improvements

### 🏗️ Infrastructure Improvements


- **Database Optimization**
  - PostgreSQL set as recommended default storage backend
  - Enhanced connection pooling and management
  - Improved migration and schema management
  - Better error handling and recovery mechanisms
- **Performance Enhancements**
  - Optimized dependency tree for faster compilation
  - Reduced memory footprint in core components
  - Improved async task management
  - Better resource cleanup and lifecycle management

### 📚 Documentation & Testing


- **Comprehensive Documentation Updates**
  - Updated README with PostgreSQL recommendations
  - Enhanced security guides and best practices
  - Complete configuration examples and guides
  - Production deployment patterns and examples
- **Testing Infrastructure**
  - 266+ comprehensive unit tests with high coverage
  - Security-focused test scenarios
  - Performance benchmarking tests
  - Integration tests for all major features

### 🔧 Developer Experience


- **Enhanced Error Handling**
  - Specific error types for different failure modes
  - Detailed error messages with recovery suggestions
  - Consistent error propagation patterns
  - Better debugging and troubleshooting support
- **Improved Configuration**
  - Sensible defaults for production deployment
  - Environment-specific configuration templates
  - Validation and sanity checking for all configuration options
  - Clear migration guides for configuration updates

### ⚠️ Security Notices


- **RUSTSEC-2023-0071**: Theoretical RSA timing vulnerability in MySQL storage
  - **Status**: Documented with extremely low practical risk
  - **Recommendation**: Use PostgreSQL for optimal security
  - **Impact**: No immediate action required for most deployments
- **Dependencies**: All dependencies updated to latest secure versions
- **Default Configuration**: Changed to PostgreSQL storage for enhanced security

### 🔄 Breaking Changes


- **Default Storage Backend**: Changed from Redis to PostgreSQL for optimal security
- **Configuration Format**: Enhanced configuration structure may require updates
- **SMS Implementation**: Legacy SMS manager deprecated in favor of SMS Kit
- **Feature Flags**: Some feature flags restructured for better organization

### 📊 Statistics


- **Lines of Code**: 50,000+ lines of production-ready Rust code
- **Test Coverage**: 95%+ with comprehensive security testing
- **Dependencies**: 180+ carefully selected and maintained dependencies
- **Features**: 25+ optional feature flags for modular deployment
- **Documentation**: 1,000+ lines of comprehensive guides and examples

### 🚀 Migration Guide


For users upgrading from previous versions:

1. **Configuration**: Update configuration files to use new format
2. **Storage**: Consider migrating to PostgreSQL for optimal security
3. **SMS**: Migrate from legacy SMS manager to SMS Kit integration
4. **Features**: Review and update feature flags in Cargo.toml
5. **Documentation**: Review updated security and configuration guides

See [`MIGRATION_GUIDE.md`](docs/MIGRATION_GUIDE.md) for detailed upgrade instructions.

---

## [0.2.x] - Previous Versions


### Legacy Features


- Basic authentication and authorization framework
- Initial OAuth 2.0 and OpenID Connect support
- Fundamental security features and session management
- Core storage backends (Memory, Redis)
- Basic configuration system
- Essential documentation and examples

---

## Future Roadmap


### Planned for 0.4.0


- **Advanced FAPI Support**: Financial-grade API security enhancements
- **Enhanced WebAuthn**: Biometric authentication and passkey support
- **Distributed Architecture**: Multi-node deployment and coordination
- **Advanced Monitoring**: Prometheus metrics and distributed tracing
- **Enterprise SSO**: Enhanced SAML, WS-Federation, and enterprise integrations

### Long-term Vision


- Full OAuth 2.1 compliance with latest security standards
- Advanced threat detection and response capabilities
- Machine learning-based fraud detection
- Zero-trust architecture components
- Cloud-native deployment optimization

---

**Note**: This project follows semantic versioning. Breaking changes are clearly documented and migration guides are provided for major version updates.