Biscuit actix middleware

This middleware allows service-wide extraction and parsing of biscuit tokens.

Authorization itself still needs to be handled from within endpoint handlers.

The middleware expects a base64-encoded token through the bearer token HTTP authorization scheme (an Authorization: Bearer <token> HTTP header). This token is deserialized and its cryptographic signatures verified with the provided public key.

Token extraction logic and error handling are configurable (see Configuration example).
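
The extraction step described above, sketched with only the standard library as an added example (this is not the middleware's own code). `ExtractError`, `decode_base64url` and `extract_token_bytes` are hypothetical names, and the URL-safe base64 alphabet is an assumption; signature verification with the public key would follow on the returned bytes.

```rust
// Added example: every name below is hypothetical, not the middleware's API.
#[derive(Debug, PartialEq)]
enum ExtractError { MissingHeader, WrongScheme, EmptyToken, NotBase64 }

// Decode base64 with the URL-safe alphabet (assumed here), padding optional.
fn decode_base64url(input: &str) -> Option<Vec<u8>> {
    let s = input.trim_end_matches('=');
    if s.len() % 4 == 1 { return None; } // one leftover char cannot encode a byte
    let mut out = Vec::with_capacity(s.len() * 3 / 4);
    let (mut acc, mut bits) = (0u32, 0u8);
    for c in s.bytes() {
        let v = match c {
            b'A'..=b'Z' => c - b'A',
            b'a'..=b'z' => c - b'a' + 26,
            b'0'..=b'9' => c - b'0' + 52,
            b'-' => 62,
            b'_' => 63,
            _ => return None, // rejects '+', '/', whitespace and inner '='
        };
        acc = (acc << 6) | u32::from(v);
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push((acc >> bits) as u8);
            acc &= (1u32 << bits) - 1;
        }
    }
    Some(out)
}

// Turn an `Authorization` header value into serialized token bytes.
fn extract_token_bytes(header: Option<&str>) -> Result<Vec<u8>, ExtractError> {
    let value = header.ok_or(ExtractError::MissingHeader)?;
    let (scheme, rest) = value.split_once(' ').ok_or(ExtractError::WrongScheme)?;
    if !scheme.eq_ignore_ascii_case("Bearer") {
        return Err(ExtractError::WrongScheme);
    }
    let token = rest.trim();
    if token.is_empty() { return Err(ExtractError::EmptyToken); }
    decode_base64url(token).ok_or(ExtractError::NotBase64)
}

fn main() {
    // Constructed header values, not real tokens.
    for h in [Some("Bearer aGVsbG8"), Some("Basic dXNlcjpwYXNz"), Some("Bearer +/8="), None] {
        println!("{:?} -> {:?}", h, extract_token_bytes(h));
    }
}
```

Rejecting a missing header, a non-bearer scheme or a non-base64 payload before any cryptographic work keeps malformed input away from the deserializer and gives the error handler a distinct case to report.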

Working example

Here is a web server exposing GET /hello, only to tokens containing the role("admin") fact. The public key used for verifying tokens is provided through the BISCUIT_PUBLIC_KEY environment variable.

A complete, runnable example can be found in examples/readme.rs, and can be run with BISCUIT_PUBLIC_KEY=<public key> cargo run --example readme.

Optionally, you can enable tracing by running BISCUIT_PUBLIC_KEY=<public key> cargo run --example readme --features tracing to observe middleware traces as logs in the console.

```rust
use actix_web::{get, web, App, HttpResponse, HttpServer};
use biscuit_actix_middleware::BiscuitMiddleware;
use biscuit_auth::{macros::*, Biscuit, PublicKey};

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    // Root public key used to verify token signatures, hex-encoded in the environment.
    let public_key = PublicKey::from_bytes_hex(
        &std::env::var("BISCUIT_PUBLIC_KEY")
            .expect("Missing BISCUIT_PUBLIC_KEY environment variable"),
    )
    .expect("Couldn't parse public key");

    HttpServer::new(move || {
        App::new()
            // Extract and verify the token for every request of the service.
            .wrap(BiscuitMiddleware::new(public_key))
            .service(hello)
    })
    .bind(("127.0.0.1", 8080))?
    .run()
    .await
}

#[get("/hello")]
async fn hello(biscuit: web::ReqData<Biscuit>) -> HttpResponse {
    // The middleware only verified the signatures; the policy is checked here.
    let mut authorizer = authorizer!(
        r#"
      allow if role("admin");
    "#
    );

    authorizer.add_token(&biscuit).unwrap();
    if authorizer.authorize().is_err() {
        return HttpResponse::Forbidden().finish();
    }

    HttpResponse::Ok().body("Hello admin!")
}
```