rivulet_auth - authentication framework/server

I worked on creating an deployment at https://rivulet-auth.jayden295.hackclub.app/

This was a great project, I didn't finish it yet but I learned a lot, learned about OAuth2, JWT's, lots of things about APIs in general. This is also my first real project in Rust and I'm fairly proud of it.

API Documentation

POST /accounts (you will get errors telling you what is missing) creates an oauth link allowing you to authenticate (WILL CHANGE IN THE FUTURE)
GET /oauth/github the github oauth callback url, you dont really need to use it yourself
POST /oauth/applications allows you to create an oauth application, right now not required to interact with the API (WILL CHANGE IN THE FUTURE)
POST /oauth/refreshtoken allows you to exchange a code for an refreshtoken, that implements the oauth explicit flow which is more secure then implicit flow
POST /oauth/applications/clientsecret allows you to generate a clientsecret from a refreshtoken, also returns a new refreshtoken because of refresh token rotation

I worked on polishing the generateclientsecret function and publishing it, it generates a new clientsecret using a refreshtoken (decided to make this fully OAuth2 compliant and we need a way to create OAuth applications).

I am seriously getting burned out and tired from working on this...

Didn't work much, I hate procrastination.

Continued to work on the createclientsecret function, only one thing in the function left to do, generating a new refresh token as well since I implement refresh token rotation.

Tried to write less fluff this time, cause that's probably not what everyone cares about.

Yep I took a 4 day break because school is taking too much time..
Also because I played a lot with some online friends (very cool)

So what did I do?
I created an API endpoint to create new oauth applications...
I'll try to make my authentication framework comply with OAuth2 with all the features off it...

Yep turns out I had too big of a scope to make this 3 projects...

So now it's an authentication framework 100%!!!

I'm currently working (but didn't push that commit yet) on making an clientsecret generation API endpoint, right now we only create refreshtokens which will allow to create client_secrets in the future.

I know I won't be able to finish all the things I want and it's fine, however I learned so much.

Anyways I should write that part for the last day of journey, not when we start to reach it!

Have fun everyone, kinda sorry if I disappointed you by not even doing the three projects, turns out I had too big of an idea.

Okay people at this point this is turning into an authentication server lol

What did I do?
- forgot to run git push
- made all my authentication things use JWTs so it's simpler and queries the database less (but still does it)

I'm very happy about it, tomorrow I'll be reading the oauth guide and will be making sure my authentication server is fully compliant.

For now this is turning into an authentication framework until I actually start working on the other projects!

Another follower cool!

I think that at this point it's going to turn into an authentication framework..

So let's see what we have in store! Decided to rewrite the /accounts endpoint to use JWTs for the state value, which means we use the database less since everything is contained inside of the JWT.

We still use the database to store a nonce to prevent the same JWT being used multiple times.

Hopefully I can get to work on the ressource API eventually (right now it's the auth API)

Hi again!!

This will sound really nerdy, and I probably explained it badly, however don't hesitate to message me on Slack if you want me to try to explain it to you (will probably be better then a blog post explanation btw!).

how will the project be divided

I have decided to divide this project into 3 things (if I'm able to finish the entirety of that!)
- authentication server (rivuletauth, i will rename rivuletapi to rivulet_auth soon): will generate JWT so that the ressource server doesn't need to have the same database, it just needs to check the JWT! The JWT is a json web token, it basically contains information about the user and the token that is signed by the auth server. This way, the resource server just needs to check the token itself, the database is less queried since we check the token directly and not the database.
- resource server: will be with the accounts and the blog posts and everything
- front end: will be a web front end, let's not get too far, just one web frontend

what was done

Finished the refresh_token generation part of the API. Generates a JWT token this way we don't need to have a common database between the authentication server and the ressource server!

Also started reworking some things to use JWTs instead of random strings (like the state), this way I won't need to use a database.

funny bug moment: I forgot to automatically delete the keys once they are used in my authentication server so you can use it multiple times (however the JWT refactor should fix this bug!)

Learning

I'm learning a lot with this, I'm learning about OAuth, Json Web Tokens, APIs in general, and also Rust (it's my first actual project in Rust). I'm really happy because I am learning so much and it's really making my head think (me in french class thinking about my API instead of doing the french work:)

10 updates wooohooo!!

Today did more research on JWT, really learning a lot about APIS and authentification in this project.

I have decided to use JWT's, more specifically we'll have refresh tokens and authentification tokens!

Refresh tokens will be tokens that take a long time to expire. (also only used to generate authentification toekens so it has lower chances of leaking). And authentification tokens are short lived tokens, but are kinda used everywhere we need authentification (so higher chance of leaking, but it's short lived so it's fine).

But oh god I am really making this system more and more complex, thought this would be the last account creation api but nope, we'll need the authentification token generation API and probably refresh_token refreshing api.

Fortunately soon we will have a 4 day break so I'll have time to crunch!

Here is code that isn't really bad, just placeholder code!

Worked on the account creation part, decided to not use .unwrap() in my code anymore unless the errors are logically impossible (example: we previously handled errors, so it can't be an error). I also thinked about what to use as an access_token, a simple bearer token like what github does? In the end I think I will use json web tokens cuz it's the most technical and more secure or something.

I'm not sure if I'll have time for everything, I guess this could turn into some kind of oauth provider instead :thonk:

I got my first stonkers!!!

I'll try not to disappoint you!!!

No critically awful looking code so you just get a normal screenshot today!

Coudln't work much today because of theater... Which was actually amazing!

However worked on the last part of the account creation!
The API route is not fully finished yet (I only created the account table in the database and made the function make sure there was a valid account creation token).

So no commit today!

Here is also a screenshot of the worst code I wrote today!

What did I do?
Added a github oauth callback endpoint to my API at /oauth/github
Now using connection pools to access the database (should theorically be more performant)
Require documentation/Ban unsafe code in the rivulet_api project (rust)

I'll be honest, I am starting to doubt I'll be able to finish the API AND the frontend, however this is definitely a great learning experience for interacting and implementating oauth apis.

Though I really hope I can finish it.

Current deadlines:
- this week: creating/logging in (basically the whole account system)
- next week: finish the API
- next next week: finish the frontend (didnt even start yet lol)

Anyways, are those deadlines realistic? No idea, probably not unfurtunately :3

Also here is a screenshot of maybe awful/confusing looking code.

Still no commit

I've worked on the oauth callback, it works now, however the code is not perfect so I'll be fixing things here and there. But the core logic is there.

Yipee!!

I was finally able to do a commit, we now have the first part of creating an account, generating the oauth link to login with github.

I also worked on the next part where we handle the github oauth response.

I hope I can finish the creating account part by the end of the week. Which doesn't give me much time for everything...

Please, please, by the next day I want to push 1 commit.

Well so I worked on the settings part, originally wanted to handle it by env vars, then toml config files, then both of them. (Private stuff like keys by env vars, and general config in toml config files).

Next day I'll try to either do a commit on the configuration of the program or the creating account part (most likely config).

Now I'll be polishing up code (please I do not want to refactor anything else).

Alright, kinda annoyed that I still didn't finish the first part of the account creation, heres how it will work cuz I rethinked how it should work.

Stage 1: Post request at /accounts -> Get a oauth link
Stage 2: Oauth authentification success -> Now the user has to set a email and username
Stage 3: User has set username and email and is now a fully fledged account!

I still didn't finish stage 1. Right now the code should be working, next day I will clean the code up make it good enough.

Also, here's another screenshot of absolutely confusing code.

Surprised I got 2 new followers, I guess that screenshots/images really help you get followers.

Yes, I'll try doing an update every day

Most of the day was filled with troubleshooting my very young and new Linux system...

Tomorrow should be fine, I'm tired of working on things other then the actual code.

I was able to work for 20 minutes and did some progress. The account creation part of the
API will use Oauth, which is a bit of a challenge. Heres how it will work.

Frontend -> Asks for the backend to create an account -> Backend gives out a oauth link for github to create the account -> Frontend redirects to Oauth -> Oauth redirects to backend -> backend does something like github -> frontend then fetches the api key

Basically the backend will implement some kind of Oauth like authentification, this way anyone can write a frontend for it!

I know this isn't very clear, I really need to try to make sense, just like the code I currently have! (embeded below or above, idk)

Maybe this is completely fine code but I do not like it.

Alright I'll make this short because it's getting really late

Create the initial repository for Rivulet and brainstormed what was I going to make for journey.

Rivulet is going to basically be a blog post platform, but one where multiple creators can be present. Basically youtube, but with blog posts.

I'm implementing this in Rust because Rust and, it's kinda challenging right now.
I.. Also had to switch to another CachyOS because of NixOS not following the FHS standard...

I've done progress on the creating account section of the API, which will use Oauth because passwords are not a very good idea. Once the whole creating account part is done, I'll push it as a commit, and hopefully other parts of the API will be faster and less confusing.