auth-framework 0.5.0-rc18

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

//! Request Validation Middleware
//!
//! Provides comprehensive request validation and sanitization

use axum::{
    extract::Request,
    http::{HeaderMap, StatusCode},
    middleware::Next,
    response::Response,
};

/// Security headers to validate
/// Note: Only user-agent is required. The accept header is omitted because
/// many legitimate clients (curl, automated tools, health checks) don't send it.
const REQUIRED_SECURITY_HEADERS: &[&str] = &["user-agent"];

const SUSPICIOUS_PATTERNS: &[&str] = &[
    "<script",
    "javascript:",
    "onload=",
    "onerror=",
    "eval(",
    "alert(",
];

/// Request validation middleware
pub async fn validate_request_middleware(
    request: Request,
    next: Next,
) -> Result<Response, StatusCode> {
    let headers = request.headers();

    // Validate security headers
    validate_security_headers(headers)?;

    // Validate request size
    if let Some(content_length) = headers.get("content-length")
        && let Ok(length_str) = content_length.to_str()
        && let Ok(length) = length_str.parse::<usize>()
        && length > 10_000_000
    {
        // 10MB limit
        return Err(StatusCode::PAYLOAD_TOO_LARGE);
    }

    // Check for suspicious patterns in headers
    for (name, value) in headers.iter() {
        if let Ok(value_str) = value.to_str()
            && contains_suspicious_content(value_str)
        {
            tracing::warn!(
                "Suspicious content detected in header {}: {}",
                name,
                value_str
            );
            return Err(StatusCode::BAD_REQUEST);
        }
    }

    Ok(next.run(request).await)
}

/// Validate required security headers
fn validate_security_headers(headers: &HeaderMap) -> Result<(), StatusCode> {
    let missing_headers: Vec<&str> = REQUIRED_SECURITY_HEADERS
        .iter()
        .filter(|&&header| !headers.contains_key(header))
        .copied()
        .collect();

    if !missing_headers.is_empty() {
        tracing::warn!("Missing required headers: {:?}", missing_headers);
        return Err(StatusCode::BAD_REQUEST);
    }

    Ok(())
}

/// Check for suspicious content patterns
fn contains_suspicious_content(content: &str) -> bool {
    let content_lower = content.to_lowercase();
    SUSPICIOUS_PATTERNS
        .iter()
        .any(|&pattern| content_lower.contains(pattern))
}

/// Rate limiting by IP
pub struct IpRateLimiter {
    requests: std::sync::Mutex<std::collections::HashMap<String, (u32, std::time::Instant)>>,
    max_requests: u32,
    window_duration: std::time::Duration,
}

impl IpRateLimiter {
    pub fn new(max_requests: u32, window_minutes: u64) -> Self {
        Self {
            requests: std::sync::Mutex::new(std::collections::HashMap::new()),
            max_requests,
            window_duration: std::time::Duration::from_secs(window_minutes * 60),
        }
    }

    pub fn check_rate_limit(&self, ip: &str) -> Result<(), StatusCode> {
        let mut requests = self
            .requests
            .lock()
            .map_err(|_| StatusCode::INTERNAL_SERVER_ERROR)?;
        let now = std::time::Instant::now();

        // Clean expired entries
        requests.retain(|_, (_, timestamp)| now.duration_since(*timestamp) < self.window_duration);

        // Check current IP
        match requests.get_mut(ip) {
            Some((count, timestamp)) => {
                if now.duration_since(*timestamp) < self.window_duration {
                    if *count >= self.max_requests {
                        return Err(StatusCode::TOO_MANY_REQUESTS);
                    }
                    *count += 1;
                } else {
                    *count = 1;
                    *timestamp = now;
                }
            }
            None => {
                requests.insert(ip.to_string(), (1, now));
            }
        }

        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_suspicious_content_detection() {
        assert!(contains_suspicious_content("<script>alert('xss')</script>"));
        assert!(contains_suspicious_content("javascript:void(0)"));
        assert!(contains_suspicious_content("onload=malicious()"));
        assert!(!contains_suspicious_content("normal content"));
        assert!(!contains_suspicious_content("user@example.com"));
    }

    #[test]
    fn test_rate_limiter() {
        let limiter = IpRateLimiter::new(5, 1);

        // Should allow first 5 requests
        for _ in 0..5 {
            assert!(limiter.check_rate_limit("192.168.1.1").is_ok());
        }

        // Should block 6th request
        assert!(limiter.check_rate_limit("192.168.1.1").is_err());
    }
}