FelixKLG
commented
7 months ago I recommend using JWTs to contain some basic user info but keep the session information in Redis on the server. This would require a way to store it in the client, optimally cookies. Axum extra's cookie jar is kinda shit and requires it to be sent back in the response type which I strongly dislike, that shouldn't work like that; hopefully there's a better way around that.
I'd suggest looking into this crate for cookies: https://crates.io/crates/tower-cookies (check it's code for mutexes/RwLocks and stuff, we don't want too many of those)
The sessions should expire after a set duration, not be valid before a certain duration. yada yada yada standard JWT shit, try use either EC256 or some kind of symmetric system, depending on how well it goes into the config.toml file. The config file is large as it is already, try not to make it explode) Also think about how easy it is to deploy the server, it shouldn't be horrendously complicated.
If you wanna make an EC256 keypair that works with JWTs you can use the just command generate-keypair. It's still there from my testing as of a0a7fd661634ffb18ab464cb9406cafc5bc722ca.
Reconfigure how clients authenticate with the panel to prevent access to the application API using client tokens. To prevent token grabbing exploits and abuse of API endpoints.
There will be a separate section for site administrators to configure usage of the API and permit or deny client access to the API.
Prob cookies & JWTs EC256 or some other alg; depends on what I wanna put in the config.