Authentication for Purwa: Argon2id passwords, tower-sessions + axum_login, and stubs
for API tokens and struct-based policies.
§Escape hatches
- Sessions: use session::memory_session_layer for dev; swap the store passed to tower_sessions::SessionManagerLayer::new for Redis or another backend. Handlers can use axum_login::AuthSession directly for full control.
- Password cost: tune password::DEFAULT_M_COST_KIB / password::hash_password_with for production vs tests (password::hash_password_fast is for tests only).
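As an added example (not Purwa's own code), the following std-only parser reads the cost parameters back out of a stored Argon2 PHC string and compares them with an assumed minimum policy that mirrors the ~19 MiB baseline. A login path can use such a check, after a successful verification, to notice hashes produced with test-grade costs and rehash them with the production defaults. The policy constants, function names and the sample salt/hash fields are constructed for this example.

```rust
// Added example, not part of the Purwa crate: inspect the Argon2 parameters
// stored in a PHC string and compare them with a minimum production policy.
// Only std is used; the policy values and sample strings are constructed.

/// Assumed minimum costs (the page's ~19 MiB baseline, two passes, one lane).
pub const MIN_M_COST_KIB: u32 = 19 * 1024;
pub const MIN_T_COST: u32 = 2;
pub const MIN_P_COST: u32 = 1;

/// Parameters recovered from `$argon2id$v=19$m=19456,t=2,p=1$<salt>$<hash>`.
#[derive(Debug, PartialEq, Eq)]
pub struct Argon2Params {
    pub variant: String,
    pub version: u32,
    pub m_cost_kib: u32,
    pub t_cost: u32,
    pub p_cost: u32,
}

/// Parse the PHC string; any structural, charset or numeric defect yields None.
/// Optional `keyid=`/`data=` fields are not supported here and are rejected.
pub fn parse_phc(phc: &str) -> Option<Argon2Params> {
    let mut parts = phc.split('$');
    if !parts.next()?.is_empty() {
        return None; // a PHC string starts with '$'
    }
    let variant = parts.next()?;
    if !matches!(variant, "argon2id" | "argon2i" | "argon2d") {
        return None;
    }
    let version = parts.next()?.strip_prefix("v=")?.parse::<u32>().ok()?;
    let (mut m, mut t, mut p) = (None, None, None);
    for kv in parts.next()?.split(',') {
        let (k, v) = kv.split_once('=')?;
        let n = v.parse::<u32>().ok()?;
        match k {
            "m" => m = Some(n),
            "t" => t = Some(n),
            "p" => p = Some(n),
            _ => return None,
        }
    }
    let salt = parts.next()?;
    let hash = parts.next()?;
    if salt.is_empty() || hash.is_empty() || parts.next().is_some() {
        return None; // exactly six '$'-separated fields, salt and hash non-empty
    }
    Some(Argon2Params {
        variant: variant.to_string(),
        version,
        m_cost_kib: m?,
        t_cost: t?,
        p_cost: p?,
    })
}

/// True when the stored hash uses argon2id v19 at or above the policy costs.
/// A false result is the signal to rehash after a successful verification.
pub fn meets_policy(phc: &str) -> bool {
    match parse_phc(phc) {
        Some(p) => {
            p.variant == "argon2id"
                && p.version == 19
                && p.m_cost_kib >= MIN_M_COST_KIB
                && p.t_cost >= MIN_T_COST
                && p.p_cost >= MIN_P_COST
        }
        None => false,
    }
}

fn main() {
    // Constructed samples: salt and hash fields are placeholders, not real digests.
    let prod = "$argon2id$v=19$m=19456,t=2,p=1$c2FsdHNhbHQ$aGFzaGhhc2hoYXNoaGFzaA";
    let fast = "$argon2id$v=19$m=8,t=1,p=1$c2FsdHNhbHQ$aGFzaGhhc2hoYXNoaGFzaA";
    println!("production hash meets policy: {}", meets_policy(prod));
    println!("test-grade hash meets policy: {}", meets_policy(fast));
}
```

Because verification reads its parameters from the PHC string, a hash written with argon2_fast verifies fine in production; nothing fails loudly. A check like meets_policy turns that silent downgrade into a rehash trigger and into a metric you can alert on.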
Macros§
- login_required - Login predicate middleware.
- permission_required - Permission predicate middleware.
Structs§
- AuthManagerLayerBuilder - Builder for the AuthManagerLayer.
- AuthSession - A specialized session for identification, authentication, and authorization of users associated with a backend.
- AuthzError - Authorization failure (minimal stub).
- CurrentUser - Authenticated user: fails with 401 if the session has no user.
- Gate - Gate carrying the current subject; extend with resource-specific checks.
- MemoryStore - A session store that lives only in memory.
- SessionManagerLayer - A layer for providing Session as a request extension.
Enums§
- PasswordError - Password hashing or verification failure.
Constants§
- DEFAULT_M_COST_KIB - Memory cost in kibibytes (KiB). OWASP suggests large values for production; ~19 MiB is a common baseline (19 * 1024 KiB).
- DEFAULT_P_COST - Parallelism lanes.
- DEFAULT_T_COST - Time cost (iterations).
Traits§
- ApiTokenStore - Resolve a raw secret token to a user identifier (e.g. database lookup of a hashed token).
- AuthUser - A user which can be identified, authenticated, and authorized.
- AuthnBackend - A backend which can authenticate users.
- AuthzBackend - A backend which can authorize users.
- Policy - Optional trait for richer policy objects.
Functions§
- argon2_default - Production-oriented Argon2id hasher.
- argon2_fast - Low-cost hasher for tests.
- authorization_bearer - Return the bearer token from Authorization: Bearer <token>, if present and well-formed.
- hash_password - Hash a plaintext password to a PHC string ($argon2id$...) using default costs.
- hash_password_fast - Hash with argon2_fast (tests / CI only).
- hash_password_with - Hash using an explicit Argon2 instance (e.g. argon2_fast in tests).
- memory_session_layer - Build a SessionManagerLayer backed by in-memory storage (dev/tests; data lost on restart).
- verify_password - Verify plain against a stored PHC string.
- verify_password_with - Verify using the same Argon2 base as used for hashing; verification reads parameters from the PHC string, so this mainly selects algorithm/version.
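As an added example (not the crate's own authorization_bearer), the following std-only function shows what "present and well-formed" can mean for an Authorization: Bearer header: the scheme is matched case-insensitively as RFC 7235 requires, and the credential must be a non-empty RFC 6750 token68 string, so values with embedded spaces, control bytes or padding only are rejected before anything reaches the token store. The function names and sample header values are constructed.

```rust
// Added example, not the crate's own authorization_bearer: extract the
// credential from an Authorization header value and accept it only when it is
// a well-formed RFC 6750 bearer token (token68). Only std is used.

/// Returns the token68 credential when `value` is `Bearer <token>`, else None.
pub fn bearer_token(value: &str) -> Option<&str> {
    // RFC 7235: auth-scheme is case-insensitive and is followed by 1*SP.
    let (scheme, rest) = value.split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("bearer") {
        return None;
    }
    let token = rest.trim_start_matches(' ');
    // token68 = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
    let body = token.trim_end_matches('=');
    if body.is_empty() {
        return None; // empty, or padding only
    }
    let well_formed = body
        .bytes()
        .all(|b| b.is_ascii_alphanumeric() || b"-._~+/".contains(&b));
    if well_formed {
        Some(token)
    } else {
        None // spaces, commas, control bytes or non-ASCII are rejected
    }
}

/// Classify a header value for logging/metrics without echoing the secret.
pub fn describe(value: &str) -> &'static str {
    match bearer_token(value) {
        Some(_) => "bearer: well-formed",
        None if value.to_ascii_lowercase().starts_with("bearer") => "bearer: malformed",
        None => "not a bearer credential",
    }
}

fn main() {
    // Constructed sample header values.
    for v in [
        "Bearer abc.def_123==",
        "bearer  tok",
        "Basic dXNlcjpwYXNz",
        "Bearer a b",
        "Bearer ===",
        "Bearer tok\r\nX-Injected: 1",
    ] {
        println!("{:?} -> {}", v, describe(v));
    }
}
```

The extractor returns the raw credential only; resolving it to a user (hashing it and looking the hash up, as ApiTokenStore describes) is a separate step, and describe deliberately never includes the token in what it reports.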
Type Aliases§
- UserId - Type alias for the backend user's ID.