oxidite-security 2.0.0

Security utilities for Oxidite (CSRF, XSS protection, encryption)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331

# oxidite-security

Security utilities and primitives for the Oxidite web framework. Provides cryptographic functions, secure random generation, input sanitization, and security best practices.

<div align="center">

[![Crates.io](https://img.shields.io/crates/v/oxidite-security.svg)](https://crates.io/crates/oxidite-security)
[![Docs.rs](https://docs.rs/oxidite-security/badge.svg)](https://docs.rs/oxidite-security)
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](../../LICENSE)

</div>

## Overview

`oxidite-security` provides a comprehensive set of security utilities and primitives for the Oxidite web framework. It includes cryptographic functions, secure random generation, input sanitization, and other security-related utilities that follow best practices and industry standards.

## Installation

Add this to your `Cargo.toml`:

```toml
[dependencies]
oxidite-security = "0.1"
```

## Features

- **Cryptographic functions** - Secure hashing, encryption, and digital signatures
- **Password hashing** - Industry-standard password hashing with Argon2, bcrypt, or scrypt
- **Secure random generation** - Cryptographically secure random number and token generation
- **Input sanitization** - Protection against XSS, SQL injection, and other injection attacks
- **Token generation** - Secure JWT and custom token creation
- **Hashing utilities** - Various hashing algorithms for different use cases
- **Data encryption** - Symmetric and asymmetric encryption utilities
- **Security headers** - Helper functions for setting security headers
- **Rate limiting** - Protection against brute-force and DoS attacks
- **CSP utilities** - Content Security Policy helper functions

## Usage

### Password Hashing

Securely hash and verify passwords:

```rust
use oxidite_security::hash::{Hasher, Algorithm};

// Create a hasher with Argon2 algorithm (recommended)
let hasher = Hasher::new(Algorithm::Argon2);

// Hash a password
let password_hash = hasher.hash("user_password")?;

// Verify a password against its hash
let is_valid = hasher.verify(&password_hash, "user_password")?;
if is_valid {
    println!("Password is valid!");
} else {
    println!("Invalid password!");
}

// You can also use bcrypt or scrypt
let bcrypt_hasher = Hasher::new(Algorithm::Bcrypt);
let bcrypt_hash = bcrypt_hasher.hash("another_password")?;
```

### Secure Random Generation

Generate cryptographically secure random values:

```rust
use oxidite_security::random::*;

// Generate a secure random token
let token = generate_secure_token(32); // 32 bytes = 256 bits
println!("Secure token: {}", token);

// Generate secure random bytes
let random_bytes = generate_random_bytes(16);
println!("Random bytes: {:?}", random_bytes);

// Generate a secure random number in range
let random_num = generate_random_u32_in_range(1, 100);
println!("Random number between 1-100: {}", random_num);

// Generate a secure random hex string
let hex_string = generate_random_hex(32); // 32 bytes in hex
println!("Random hex: {}", hex_string);
```

### Cryptographic Hashing

Compute secure hashes:

```rust
use oxidite_security::crypto::*;

// SHA-256 hashing
let sha256_hash = hash_sha256("data to hash");
println!("SHA-256: {}", sha256_hash);

// Blake3 hashing (faster alternative)
let blake3_hash = hash_blake3("data to hash");
println!("Blake3: {}", blake3_hash);

// HMAC with secret key
let hmac = compute_hmac_sha256("secret_key", "message");
println!("HMAC: {}", hmac);

// PBKDF2 for password stretching
let pbkdf2_hash = pbkdf2_hash("password", "salt", 100000);
println!("PBKDF2 hash: {}", pbkdf2_hash);
```

### Input Sanitization

Protect against XSS and injection attacks:

```rust
use oxidite_security::sanitize::*;

// HTML escape user input
let user_input = "<script>alert('xss')</script>";
let safe_html = html_escape(user_input);
println!("Safe HTML: {}", safe_html); // &lt;script&gt;alert(&#x27;xss&#x27;)&lt;/script&gt;

// Sanitize user input for database queries
let user_search = "'; DROP TABLE users; --";
let sanitized = sql_sanitize(user_search);
println!("Sanitized: {}", sanitized);

// URL encode user input
let unsafe_url = "https://example.com/search?q=user input & more";
let encoded = url_encode(unsafe_url);
println!("Encoded: {}", encoded);

// Sanitize file names
let unsafe_filename = "../../../etc/passwd";
let safe_filename = sanitize_filename(unsafe_filename);
println!("Safe filename: {}", safe_filename);
```

### JWT Token Creation and Verification

Create and verify JSON Web Tokens:

```rust
use oxidite_security::crypto::{JwtSigner, JwtVerifier, Algorithm};

// Create a signer with HS256 algorithm
let signer = JwtSigner::new("your-secret-key".to_string(), Algorithm::HS256);

// Create claims
let claims = serde_json::json!({
    "sub": "user-id",
    "exp": chrono::Utc::now().timestamp() + 3600, // 1 hour from now
    "iat": chrono::Utc::now().timestamp(),
});

// Sign the token
let token = signer.sign(&claims)?;
println!("JWT: {}", token);

// Verify the token
let verifier = JwtVerifier::new("your-secret-key".to_string(), Algorithm::HS256);
let verified_claims = verifier.verify(&token)?;

println!("Verified claims: {:?}", verified_claims);
```

### Content Security Policy

Generate Content Security Policy headers:

```rust
use oxidite_security::sanitize::csp::*;

let mut csp = CspBuilder::new();

// Restrict sources
csp.default_src(CspSource::None)
   .script_src(vec![CspSource::SelfSrc])
   .style_src(vec![CspSource::SelfSrc, CspSource::UnsafeInline])
   .img_src(vec![CspSource::SelfSrc, CspSource::Https])
   .font_src(vec![CspSource::SelfSrc]);

let csp_header = csp.build();
println!("CSP Header: {}", csp_header);
// Output: "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' https:; font-src 'self'"
```

### Rate Limiting Utilities

Implement rate limiting to prevent abuse:

```rust
use oxidite_security::rate_limit::*;

// Create a rate limiter (100 requests per minute per IP)
let mut limiter = RateLimiter::new(100, std::time::Duration::from_secs(60));

// Check if a request should be allowed
let client_ip = "192.168.1.1";
if limiter.is_allowed(client_ip) {
    println!("Request allowed");
    limiter.record_request(client_ip);
} else {
    println!("Rate limit exceeded");
}
```

### Encryption Utilities

Encrypt and decrypt data:

```rust
use oxidite_security::crypto::*;

// Generate a key for symmetric encryption
let key = generate_aes_key();
let iv = generate_iv();

// Encrypt data
let plaintext = "Sensitive data";
let ciphertext = encrypt_aes_gcm(plaintext.as_bytes(), &key, &iv)?;

// Decrypt data
let decrypted = decrypt_aes_gcm(&ciphertext, &key, &iv)?;
let decrypted_str = String::from_utf8(decrypted)?;

println!("Decrypted: {}", decrypted_str);
```

### Security Headers

Helper functions for setting security headers:

```rust
use oxidite_security::sanitize::headers::*;

// Create security headers
let security_headers = SecurityHeaders::new()
    .strict_transport_security("max-age=31536000; includeSubDomains; preload")
    .x_frame_options("SAMEORIGIN")
    .x_content_type_options("nosniff")
    .x_xss_protection("1; mode=block")
    .referrer_policy("strict-origin-when-cross-origin");

// Apply to HTTP response (integration with your framework)
// response.headers_mut().extend(security_headers.into_iter());
```

## Integration with Oxidite

The security utilities integrate seamlessly with Oxidite applications:

```rust
use oxidite::prelude::*;
use oxidite_security::hash::Hasher;

async fn register_user(
    Json(payload): Json<RegisterRequest>
) -> Result<OxiditeResponse> {
    // Hash the password securely
    let hasher = Hasher::new(oxidite_security::hash::Algorithm::Argon2);
    let password_hash = hasher.hash(&payload.password)?;
    
    // Sanitize user input
    let username = oxidite_security::sanitize::sanitize_username(&payload.username)?;
    
    // Create the user with hashed password
    // ... save to database ...
    
    Ok(response::json(serde_json::json!({
        "message": "User registered successfully"
    })))
}

async fn login(
    Json(payload): Json<LoginRequest>
) -> Result<OxiditeResponse> {
    // Retrieve user from database (assuming we have the stored hash)
    // let stored_hash = get_password_hash_from_db(&payload.username).await?;
    
    // Verify password
    let hasher = Hasher::new(oxidite_security::hash::Algorithm::Argon2);
    // let is_valid = hasher.verify(&stored_hash, &payload.password)?;
    
    if is_valid {
        // Generate secure JWT token
        let token = oxidite_security::crypto::JwtSigner::new(
            std::env::var("JWT_SECRET").unwrap_or("fallback_secret".to_string()),
            oxidite_security::crypto::Algorithm::HS256
        ).sign(&serde_json::json!({
            "sub": "user-id",
            "exp": chrono::Utc::now().timestamp() + 3600
        }))?;
        
        Ok(response::json(serde_json::json!({
            "token": token,
            "message": "Login successful"
        })))
    } else {
        Err(OxiditeError::Unauthorized("Invalid credentials".to_string()))
    }
}
```

## Security Best Practices

The library implements security best practices:

- **Defense in depth**: Multiple layers of protection
- **Principle of least privilege**: Minimal permissions by default
- **Secure defaults**: Safe configurations out of the box
- **Constant-time operations**: Protection against timing attacks
- **Proper entropy**: High-quality randomness for security-sensitive operations
- **Memory safety**: No memory leaks or buffer overflows

## Performance Considerations

Security operations are optimized for performance:

- Asynchronous operations where appropriate
- Efficient algorithms that balance security and performance
- Proper resource management
- Minimal overhead for security checks

## License

MIT