auth-framework 0.4.2

A comprehensive, production-ready authentication and authorization framework for Rust applications
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

# ADR-004: Security-by-Default Approach


## Status


Accepted

## Context


Authentication and authorization systems are high-value targets for attackers, requiring comprehensive security measures:

- **Common Vulnerabilities**: Timing attacks, token leakage, session hijacking
- **Compliance Requirements**: SOC 2, GDPR, PCI DSS, HIPAA standards
- **Industry Standards**: OAuth 2.1, OpenID Connect, FAPI security profiles
- **Threat Landscape**: Sophisticated attacks targeting authentication systems
- **Enterprise Needs**: Security-first design for enterprise deployments

Many authentication libraries have security vulnerabilities due to insecure defaults or optional security features.

## Decision


Implement security-by-default throughout the framework with no insecure fallback options:

- **Secure Defaults**: All configuration defaults prioritize security over convenience
- **Constant-Time Operations**: All security-sensitive comparisons use constant-time algorithms
- **Mandatory Encryption**: All tokens and sensitive data encrypted in transit and at rest
- **No Downgrades**: Reject insecure connections rather than downgrade security
- **Comprehensive Validation**: All inputs validated with security-focused validation
- **Audit Logging**: All security events logged by default

## Rationale


Security-by-default provides critical protection:

- **Prevent Common Vulnerabilities**: Eliminate entire classes of security issues
- **Compliance Ready**: Meet enterprise and regulatory security requirements
- **Trust**: Build user confidence through demonstrable security practices
- **Future-Proof**: Resist emerging attack vectors through defense-in-depth
- **Industry Leadership**: Set high security standards for the Rust ecosystem

This approach follows security engineering best practices and regulatory guidance.

## Consequences


### Positive Consequences


- **Strong Security Posture**: Resistant to common and sophisticated attacks
- **Compliance Ready**: Meets enterprise and regulatory requirements
- **User Trust**: Demonstrable commitment to security
- **Future-Proof**: Defense-in-depth protects against emerging threats
- **Industry Leadership**: Sets high security standards for authentication libraries
- **Reduced Security Debt**: Secure foundations prevent future vulnerabilities

### Negative Consequences


- **Performance Overhead**: Constant-time operations and encryption have costs
- **Configuration Complexity**: Security options require careful configuration
- **Integration Challenges**: Some environments may not support all security features
- **Learning Curve**: Developers must understand security implications

### Neutral Consequences


- **Documentation Requirements**: Security features require comprehensive documentation
- **Testing Complexity**: Security features require specialized testing

## Alternatives Considered


### Alternative 1: Configurable Security


- **Description**: Make security features optional with insecure defaults for convenience
- **Why Not Chosen**: Risk of production deployments with insecure configuration
- **Trade-offs**: Easier initial setup but significant security risks

### Alternative 2: Security Profiles


- **Description**: Predefined security levels (basic, standard, high)
- **Why Not Chosen**: Confusion about appropriate level, risk of choosing insecure profiles
- **Trade-offs**: Simplified configuration but potential for misuse

### Alternative 3: Opt-in Security


- **Description**: Basic security by default with advanced features requiring explicit enablement
- **Why Not Chosen**: Advanced threats target basic security implementations
- **Trade-offs**: Gradual security adoption but vulnerability windows

## Implementation


Security-by-default was implemented through:

1. **Secure Configuration Defaults**: All default values prioritize security
2. **Constant-Time Cryptography**: All comparisons use timing-attack-resistant algorithms
3. **Mandatory TLS**: No plaintext communication allowed in production
4. **Token Security**: JWT tokens with strong signing, short expiration, secure storage
5. **Input Validation**: Comprehensive validation with security-focused rules
6. **Audit Logging**: All authentication events logged with security context
7. **Error Handling**: Security-safe error messages that don't leak information

Key security features:

- Constant-time string comparison for all sensitive operations
- Mandatory HTTPS for all OAuth redirects
- Secure random generation for all tokens and nonces
- PBKDF2/Argon2 for password hashing with appropriate cost factors
- JWT signature validation with algorithm whitelisting
- Session security with httpOnly, secure, sameSite flags
- CSRF protection for all state-changing operations

## References


- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
- [RFC 8725: JWT Best Current Practices](https://tools.ietf.org/html/rfc8725)
- [OAuth 2.1 Security Best Practices](https://tools.ietf.org/html/draft-ietf-oauth-security-topics)
- [Security Testing Documentation](../../testing/security-tests.md)
- Related ADRs: ADR-005 (JWT Token Management), ADR-006 (Error Handling)

---

**Decision Date**: 2025-08-17
**Decision Maker(s)**: AuthFramework Development Team
**Review Date**: 2026-02-17