paseto-auth 0.1.0

Paseto v4.public microservice compatible library for token creation and validation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

# Getting started with REST API Web Services in Rust using Axum, JWT, SQLx, PostgreSQL# `paseto-auth`


![Rust](https://img.shields.io/badge/Rust-1.70%2B-orange?logo=rust)
![License](https://img.shields.io/badge/license-MIT%2FApache--2.0-blue)

A lightweight, secure, and reusable Rust library for creating and verifying **PASETO v4.public tokens** using Ed25519 signatures. Designed for microservice architectures where a single authentication service issues tokens and multiple services verify them.

> ๐Ÿ” **No dependencies on external PASETO crates** โ€“ built on stable, well-maintained libraries (`ed25519-dalek`, `serde`, `base64`)

---

## โœจ Features


- โœ… **PASETO v4.public compliant** (Ed25519-signed, unencrypted tokens)
- ๐Ÿ”‘ **Single issuer, multi-verifier** architecture
- ๐Ÿ›ก๏ธ Built-in **footer validation** to prevent token misuse
- โฑ๏ธ Automatic **expiration (`exp`) and issuance (`iat`) checks**
- ๐Ÿ“ฆ Zero unsafe code, pure Rust
- ๐Ÿงช Full error handling with `thiserror`
- ๐Ÿงฉ Reusable across Axum, Actix, or any Rust service

---

## ๐Ÿ“ฆ Installation


Add this to your `Cargo.toml`:

### From Git (recommended while unpublished)


```toml
[dependencies]
paseto-auth = "0.1"
```
---

## ๐Ÿ”‘ Key Management

- Generate an Ed25519 keypair once (e.g., using the provided helper or any secure method).
- Store the private key ONLY in your auth service (e.g., via `.env`, *Vault*, or **Kubernetes Secret*).
- Distribute the public key to all verifier services.



> ๐Ÿ”’ **Never share the private key outside the token issuer!**

## ๐Ÿš€ Usage


### 1. Issuing a Token (Auth Service)


```rust
use paseto_auth::{Claims, create_paseto_v4_public};

// Load your 32-byte private key (e.g., from hex string)
let private_key: [u8; 32] = hex::decode("...")?.try_into()?;

let claims = Claims::new("user_123".into(), 3600) // 1-hour token
    .with_scope("read:profile".into());

let token = create_paseto_v4_public(&claims, &private_key)?;
println!("Token: {}", token);
```

### 2. Verifying a Token (Any Service)

```rust
use paseto_auth::{verify_paseto_v4_public, Claims};

// Load your 32-byte public key
let public_key: [u8; 32] = hex::decode("...")?.try_into()?;

let token = "v4.public...."; // from Authorization header
let claims: Claims = verify_paseto_v4_public(token, &public_key)?;

println!("Valid token for user: {}", claims.sub);
```

### ๐Ÿ› ๏ธ Helper: Generate Keys (Run Once)

```rust
use ed25519_dalek::SigningKey;
use rand::rngs::OsRng;
use rand::RngCore;

let mut sk_bytes = [0u8; 32];
OsRng.fill_bytes(&mut sk_bytes);

let signing_key = SigningKey::from_bytes(&sk_bytes);
let pk_bytes = signing_key.verifying_key().to_bytes();

println!("Private Key (hex): {}", hex::encode(sk_bytes));
println!("Public Key  (hex): {}", hex::encode(pk_bytes));
```
---
### โš ๏ธ Security Notes

- Tokens are signed but not encrypted (like JWT). Do not store secrets in claims.
- Always use HTTPS in production.
- Keep token TTL short (e.g., 15โ€“60 minutes).
- Use a consistent footer (`myapp` by default) to bind tokens to your application.
- Validate system clocks via NTP to ensure `exp`/`iat` work correctly.
---

### ๐Ÿ™Œ Contributing

Contributions welcome! Please open an issue or PR on GitHub.

---
> Built with โค๏ธ for secure, distributed systems.
Inspired by the [PASETO specification](https://paseto.io/).