A secure-by-default REST API stack implemented with hyper, tokio, bb8 and postgres. This project focuses on providing end-to-end encryption by default for 12-factor applications that customize functionality through environment variables as needed. It includes a working user management and authentication backend written in PostgreSQL, with async S3 uploading for POST-ed data files.
Component | Status
---------------- | ------
Rest API Server | Listening for encrypted client connections on tcp port 3000
Postgres | Listening for encrypted client connections on tcp port 5432 (tls Certificate Authority required)
pgAdmin | Listening for encrypted HTTP client connections on tcp port 5433
```bash
git clone https://github.com/jay-johnson/restapi
cd restapi
```
The repository restapi includes default tls assets, but for security purposes you should generate your own. Please refer to the Generate TLS Assets doc for more information.
Here's how to generate them under the `./certs` directory:

```bash
cd certs
./generate-tls-assets.sh -f -c ./configs/dev-network.yml
cd ..
```
This repo includes default JWT signing keys, but you should generate your own signing keys under the `./jwt` directory with these commands:

```bash
cd jwt
openssl ecparam -name prime256v1 -genkey -out private-key.pem
openssl pkcs8 -topk8 -nocrypt -in private-key.pem -out private-key-pkcs8.pem
openssl ec -in private-key.pem -pubout -out public-key.pem
cd ..
```
Please refer to the How to build JWT private and public keys for the jsonwebtokens crate doc for more information.
Please refer to the Build and Deploy a Secured Postgres backend doc for more information.
Build the server example:

```bash
cargo build --example server
```

Run it with backtraces and info-level logging enabled:

```bash
export RUST_BACKTRACE=1 && export RUST_LOG=info && ./target/debug/examples/server
```
Here are the supported JSON contracts for each Request and Response, based off the URL. Each client request is handled by the `./src/handle_requests.rs` module and returned as a response back to the client (serialization using `serde_json`).
Description | URL | Method
--- | --- | ---
Create a single `users` record for the new user | /user | POST
Update supported `users` fields (including changing the user's email and password) | /user | PUT
Get a single user by `users.id` - by default, a user can only get their own account details | /user/USERID | GET
Delete a single `users` record (note: this does not delete the db record, it just sets `users.state` to inactive `1`) | /user | DELETE
Search for matching `users` records in the db | /user/search | POST
Create a one-time-use password reset token that allows a user to change their `users.password` value by presenting the token | /user/password/reset | POST
Consume a one-time-use password and change the user's `users.password` value to the new argon2-hashed password | /user/password/change | POST
Consume a one-time-use verification token and change the user's `users.verified` value to verified (`1`) | /user/verify | GET
Upload a local file on disk to AWS S3 asynchronously and store a tracking record in the `users_data` table. The documentation refers to this as a `user data` or `user data file` record. | /user/data | POST
Update the `users_data` tracking record for a file that exists in AWS S3 | /user/data | PUT
Search for matching records in the `users_data` db based off the request's values | /user/data/search | POST
Log the user in and get a json web token (jwt) back for authentication on subsequent client requests | /login | POST
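The following is an added client-side example (not code from the restapi project) that ties the pieces above together: it pins TLS to the CA produced under `./certs`, logs in over `/login`, and sanity-checks the returned JWT before reusing it on `/user/USERID`. It assumes the server runs at `https://localhost:3000`, that `/login` takes a JSON body with `email` and `password` and answers with a `token` field, that the JWT is presented with a `Bearer` scheme, and a placeholder CA path; the token check only inspects the header and `exp`, leaving signature verification to the server.

```python
# Added example (not restapi project code); assumed URLs/field names noted inline.
import base64
import json
import ssl
import time
import urllib.request

API_BASE = "https://localhost:3000"  # server port from the table above
CA_BUNDLE = "./certs/ca.pem"  # placeholder: CA written by generate-tls-assets.sh

def tls_context(ca_bundle=CA_BUNDLE):
    # Trust only the project CA; hostname and certificate checks stay enabled.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def inspect_jwt(token, now=None):
    """Pre-flight check on a /login token: alg must be ES256 (the prime256v1 keys
    above are P-256) and 'exp' must lie ahead. Signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "ES256":  # rejects alg=none / HS256 confusion
        raise ValueError("unexpected alg %r, expected ES256" % header.get("alg"))
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("token has no usable 'exp' or is already expired")
    return claims

def login(email, password, ctx=None):
    """POST /login and return the JWT for subsequent requests."""
    body = json.dumps({"email": email, "password": password}).encode()
    req = urllib.request.Request(API_BASE + "/login", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        token = json.loads(resp.read())["token"]
    inspect_jwt(token)
    return token

def get_user(user_id, token, ctx=None):
    """GET /user/USERID with the JWT presented as a Bearer token."""
    req = urllib.request.Request("%s/user/%d" % (API_BASE, user_id),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, context=ctx or tls_context()) as resp:
        return json.loads(resp.read())
```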
This project focused on integration tests for v1 instead of only Rust tests (specifically, everything has been tested with curl):

Please refer to the Integration Tests Using curl Guide.