actix-web-grants

Extension for actix-web to validate user permissions.

Apache 2.0 or MIT licensed

To check user access to specific services, you can use built-in proc-macro, PermissionGuard or manual.

The library can also be integrated with third-party solutions (like [actix-web-httpauth]).

How to use

Declare your own permission extractor

The easiest way is to declare a function with the following signature (trait is already implemented for such Fn): ```rust use actix_web::{dev::ServiceRequest, Error};

async fn extract(req: &ServiceRequest) -> Result, Error> ```

Add middleware to your application using the extractor defined in step 1

rust App::new() .wrap(GrantsMiddleware::with_extractor(extract))

Steps 1 and 2 can be replaced by custom middleware or integration with another libraries. Look at jwt-httpauth example

Protect your endpoints in any convenient way from the examples below:

Example of `proc-macro` way protection

```rust use actixwebgrants::procmacro::{haspermissions};

[get("/secure")]

[haspermissions("OPREADSECUREDINFO")]

async fn macrosecured() -> HttpResponse { HttpResponse::Ok().body("ADMINRESPONSE") } ```

Example of `Guard` way protection

```rust use actixwebgrants::{PermissionGuard, GrantsMiddleware};

App::new() .wrap(GrantsMiddleware::withextractor(extract)) .service(web::resource("/admin") .to(|| async { HttpResponse::Ok().finish() }) .guard(PermissionGuard::new("ROLEADMIN".to_string()))) .service(web::resource("/admin") // fallback endpoint if you want to return a 403 HTTP code .to(|| async { HttpResponse::Forbidden().finish() })) ```

Example of custom fallback endpoint for Scope with Guard

Since Guard is intended only for routing, if the user doesn't have permissions, it returns a 404 HTTP code. But you can override the behavior like this:

```rust use actixwebgrants::{PermissionGuard, GrantsMiddleware}; use actix_web::http::header;

App::new() .wrap(GrantsMiddleware::withextractor(extract)) .service(web::scope("/admin") .guard(PermissionGuard::new("ROLEADMINACCESS".tostring())) .service(web::resource("/users") .to(|| async { HttpResponse::Ok().finish() })) ).service( web::resource("/admin{regex:$|/.*?}").to(|| async { HttpResponse::TemporaryRedirect().appendheader((header::LOCATION, "/login")).finish() })) ``WhenGuardlets you in theScope(meaning you have"ROLEADMINACCESS"), the redirect will be unreachable for you. Even if you will request/admin/someundefined_page`.

Note: regex is a Path variable containing passed link.

Example of manual way protection

```rust use actixwebgrants::permissions::{AuthDetails, PermissionsCheck};

async fn manualsecure(details: AuthDetails) -> HttpResponse { if details.haspermission(ROLEADMIN) { return HttpResponse::Ok().body("ADMINRESPONSE"); } HttpResponse::Ok().body("OTHER_RESPONSE") } ```

You can find more [examples] in the git repository folder and [documentation].

Supported `actix-web` versions

For actix-web-grants: 2.* supported version of actix-web is 3.*
For actix-web-grants: 3.* supported version of actix-web is 4.*