Comments •

  • @IndigoVFX
@IndigoVFX 1 year ago +8

    Awesome, thank you!
    As a subscriber I already love your content. I do feel your work though is massively undervalued - you should have many more subscribers than you currently do. Many other Rust tutorials are either rock bottom basic, or assume you've memorised the Standard Library. Or they're just a summary of Rust's capabilities, without fleshing out the substance.
It's great to see your process of finding the right crate for a particular purpose, explaining why you've chosen it, and then feeling your way through the documentation to land at working examples. I believe cloning is bad practice (an anti-pattern if you will), but it's nice to see its use to get things moving.
    I have a couple of questions regarding security, and performance. I don't know the internals of JWTs so maybe these aren't relevant to more experienced devs:
    1. Security wise, if you aren't adding any additional details to the "claim" struct during token generation to differentiate one user from another, and you're using the same key material from the .env file, wouldn't that produce the same token values if two tokens were requested at the same instant in time? (The same UNIX time EPOCH)
2. Performance wise, your system appeared to "hang" briefly when testing the API at the token creation step. That suggests the process of refreshing a token is an expensive one. Generating new tokens, flushing them to the client browser and database for every user action, is going to feel like wading through quicksand in concrete shoes. Can you do a performance test, perhaps using the wrk utility, or better yet a pure Rust load generation tool of some kind?
    (I think the phrase you're looking for to encourage us to try to extend your code as we learn is, "I'll leave that as an exercise for the viewer" 😉).
    Thanks again - Mark

    • @BrooksBuilds
@BrooksBuilds 1 year ago +2

      Thanks for the kind words!
That's a good question about JWTs, I always assumed that they are different due to some algorithms in the background, but I haven't truthfully tested it myself. I'll add this to my list to test.
      As for the slowness, that is due to having too large of a hashing cost. If that is lowered then there won't be a visible slowdown for the end user.

  • @parker7721
@parker7721 1 year ago +6

    I thought the whole point of using JWT was not to use a database for authentication, but here we are checking if the token is in the database

    • @BrooksBuilds
@BrooksBuilds 1 year ago +3

      Yeah, I don’t believe I’m using JWTs quite correctly in this unfortunately. My next version I’m going to be getting an expert in auth to help design this part.

    • @parker7721
@parker7721 1 year ago +1

      @@BrooksBuilds Glad you didn't take it the wrong way, great videos btw!

    • @BrooksBuilds
@BrooksBuilds 1 year ago

      Thanks again for the message! I’m always striving to improve things so feedback on what I’m doing wrong is really important to me

    • @yapayzeka
@yapayzeka 1 year ago +1

You are right, but maybe we can sign the user's secret answer for "forgot password", sign and save it to the db, and when the user clicks "forgot password" we ask for the user's answer to "favourite pet name" and compare it with the token in the db. In this case, for authorization you are right, but "tokens are not for the db" is not that right in general.

  • @ME_rohitkulkarni
@ME_rohitkulkarni 1 year ago +2

Awesome, this was really cool. Man, you earned a sub. I always watch an auth video of anyone who's teaching how to use a framework, and this has been a really concise and to-the-point one.
    🤩

    • @BrooksBuilds
@BrooksBuilds 1 year ago

      Thanks! I’m glad it was helpful!

  • @guidyouguy7306
@guidyouguy7306 11 months ago

Where is the refresh token?

    • @BrooksBuilds
@BrooksBuilds 11 months ago

      I created the simplest authentication system I could think of, so no refresh tokens, only authenticating.

  • @meka4996
@meka4996 1 year ago

There can be ONLY ONE route_layer. set_custom_middleware from the previous videos has to be removed.

    • @BrooksBuilds
@BrooksBuilds 1 year ago +1

      I believe in the update to 0.6 videos the middleware gets completely re-written

  • @MikeM112233
@MikeM112233 1 year ago +1

Hey Brooks, in your VS Code setup, how are you getting all the auto-imports of the use statements? Or are you doing some keyboard wizardry as you're typing new methods to get the use statements to appear? I get the IntelliSense, but I have to go to each item and CTRL+. to import it. Also, new sub on your Twitch account, and I fully agree with the other commenter here: you are one of the most undervalued resources I have seen regarding learning Rust, and you are the first person I have ever sought out to "subscribe" to (I'm not a user on Twitch, but I went there just to sub). Keep up the awesome work!

    • @BrooksBuilds
@BrooksBuilds 1 year ago +1

      Thanks!
I don’t think I did anything special besides install Rust Analyzer. I did notice that if there are any errors in the project, the auto import breaks and doesn’t work well, so I would check that first.

    • @BrooksBuilds
@BrooksBuilds 1 year ago +1

      Another thing that I do is make sure that the file I’m working on is added to the project, either with a use statement from the lib.rs file, or the mod.rs file. Without that barely anything seems to work.

    • @MikeM112233
@MikeM112233 1 year ago +1

@@BrooksBuilds Thanks, definitely noticed that. Also noticed after posting this that if I slow down and use Tab when typing the class/method name for the first time, the autocomplete will add the use statement for me. Not my normal flow, but at least I'm not having to go back and CTRL+. each entry afterwards :) Thanks again for your work!

  • @samedhamma2682
@samedhamma2682 1 year ago +3

    You shouldn't be teaching people if you haven't done your homework. You have to validate your token (the function you wanted to use in the first place).
    A token is invalid not only when it's expired, but also when its signature is invalid and a bunch of other conditions.
    Also, no one should really reinvent the wheel when it comes to security (especially not when you're not a security expert) and rather use a 3rd party auth service.
    Thanks nonetheless, for your time and effort.

    • @BrooksBuilds
@BrooksBuilds 1 year ago +3

      That’s very true, I’m thinking in my next go around I might just use a third party service and teach the integration

    • @parker7721
@parker7721 1 year ago

      So which function should we use for the authentication/validation? jsonwebtoken::decode or jsonwebtoken::crypto::verify?

    • @dylant5965
@dylant5965 1 year ago +1

Doesn't decode check those other conditions? Even though he's only handling the expired error, it should still catch everything else; if you check the ErrorKind enum, the rest of the errors are there.
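Two points in this thread can be checked directly: the first commenter's question of whether identical claims signed with the same .env key produce identical tokens, and the later discussion of which conditions a decode step must reject (bad signature, tampered payload, missing or past exp) beyond the one expiry error the video handles. The following Python HS256 implementation is an added illustration, not code from the video or from the jsonwebtoken crate; it uses only the standard library, and its error-kind strings are modelled on the crate's ErrorKind variant names as an assumed mapping.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    """HS256 has no nonce or timestamp of its own: the token is a pure
    function of (claims, key), so identical claims give identical tokens."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_hs256(token: str, key: bytes, now=None):
    """Return ("ok", claims) or (error_kind, None). Error kinds are named
    after jsonwebtoken's ErrorKind variants (assumed mapping), to show that
    a decode step reports more than just expiry."""
    parts = token.split(".")
    if len(parts) != 3:
        return "InvalidToken", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        claims = json.loads(_unb64url(payload_b64))
        sig = _unb64url(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "InvalidToken", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return "InvalidToken", None
    if header.get("alg") != "HS256":  # the verifier, not the token, picks the algorithm
        return "InvalidAlgorithm", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # check signature before trusting any claim
        return "InvalidSignature", None
    if "exp" not in claims:  # exp is mandatory, as the crate's default Validation requires
        return "MissingRequiredClaim", None
    now = int(time.time()) if now is None else now
    if int(claims["exp"]) < now:
        return "ExpiredSignature", None
    return "ok", claims

if __name__ == "__main__":
    key = b"constructed-example-key"  # stands in for the .env secret
    shared = {"exp": 2_000_000_000}   # claims with nothing user-specific
    print(encode_hs256(shared, key) == encode_hs256(shared, key))  # True: identical tokens
```

Adding a per-user claim such as `sub` (or a unique `jti`) is what makes two tokens issued in the same second differ, since the signature alone introduces no randomness.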