axum-security
A security toolkit for Axum.
Features
axum-security is modular -- enable only what you need.
| Feature | Description |
|---|---|
cookie |
Server-side session management with pluggable stores |
jwt |
JWT authentication (header or cookie) |
basic-auth |
HTTP Basic Authentication |
oauth2 |
OAuth 2.0 authorization code flow |
oidc |
OpenID Connect (auto-discovery, ID token verification) |
rbac |
Role-based access control |
pbac |
Policy-based access control |
headers |
Security response headers (CSP, HSTS, etc.) |
Additional features: macros, tracing.
Time crate integration: jiff, chrono, time.
Installation
Pick the features you need. No features are enabled by default.
Cookie sessions
The cookie feature provides server-side session management. Sessions are stored in a pluggable store (an in-memory store is included for development).
use ;
// Build the cookie service
let cookie_service = builder
.cookie
.dev_cookie
.use_dev_cookie
.store
.expires_max_age
.;
let router = new
.route
.route
.layer
.with_state;
Create sessions via CookieContext and extract them with CookieSession:
async
async
// Use Option<CookieSession<User>> for optional authentication.
JWT
The jwt feature adds JWT-based authentication. By default, tokens are read from the Authorization header.
use ;
let jwt_service = builder
.jwt_secret
.;
let router = new
.route
.route
.layer
.with_state;
Encode tokens via JwtContext and extract them with Jwt:
async
async
Basic auth
The basic-auth feature provides HTTP Basic Authentication via a BasicAuthenticator trait.
use ;
;
let router = new
.route
.layer;
Extract with BasicAuth<User> or Option<BasicAuth<User>>:
async
OAuth 2.0
The oauth2 feature handles the authorization code flow. Implement OAuth2Handler to process the token response after a successful login.
use ;
let oauth2_service = github
.client_id_env
.client_secret_env
.redirect_url
.login_path
.build;
let router = new
.route
.layer
.with_oauth2;
OIDC
The oidc feature adds OpenID Connect with auto-discovery and ID token verification. PKCE and nonce replay protection are always enabled.
use ;
let oidc_context = google
.await?
.client_id_env
.client_secret_env
.redirect_url
.login_path
.logout_path
.scopes
.build;
let router = new
.route
.layer
.with_oidc;
RBAC
The rbac feature provides role-based access control. Implement the RBAC trait to tell the library how to extract roles from your user type.
use RBAC;
Protect routes with the #[requires] macro (needs the macros feature):
async
Or use the RBACExt methods on routes: .requires(), .requires_all(), .allows().
PBAC
The pbac feature adds policy-based access control. Policies are composable -- combine them with .and(), .or(), and .not().
use ;
let admin_policy = new.and;
let mod_policy = new
.or
.and;
let router = new
.route
.route
.layer;
Any Fn(&User) -> bool works as a policy. Use AsyncPolicy or AsyncFalliblePolicy for async checks.
Security headers
The headers feature adds a Tower layer that sets security response headers. Use SecurityHeaders::recommended() for sensible defaults, or apply individual headers.
use ;
let security_layer = recommended
.use_dev_headers
.add;
let coop_layer = SAME_ORIGIN;
let router = new
.route
.layer
.layer;
Examples
See the examples/ directory for complete, runnable examples of each feature.
Roadmap
- CSP nonce support
- OIDC logout support
- Eager/lazy session loading
License
This project is licensed under the MIT license.