Based on node-openid and tries to be at least a tiny (🤏) bit spec compliant.

- Always using the `checkid_setup` mode (not using immediate mode)
- No extensions are implemented
- I think the `strict` mode of node-openid corresponds to enforcing encryption, which we do
- The constructed `reqwest::Client` uses at least TLSv1.2 and is set to HTTPS only.
- The constructed
- The user visits `/api/auth/steam/login`
- A random nonce `N` is generated and saved
- The user is redirected to Steam to log in
  - Where Steam redirects the user after a successful login is encoded in the URL
  - Steam includes the nonce `N` when redirecting the user back to us
- The user signs in to his Steam account and accepts the authentication request
- The user is redirected to `/api/auth/steam/callback`
- We check the validity of the info encoded in the URL parameters
  - We check that the nonce matches the nonce `N` and is not replayed
- We send a request to Steam to validate the info encoded in the URL parameters
- Steam approves the info (signature is correct)
- The user successfully authenticated through Steam

- Generate N bytes of random data as a base64 string

```sh
echo $(openssl rand -base64 64 | tr -d '\n ')
```
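The callback-side checks from the flow above, written out as an added example that is not the project's own code (the project uses actix-web, reqwest, rand and serde; this block uses only `std` so it runs stand-alone). It shows the one-time nonce store that makes a captured callback unusable a second time, the checks on `openid.return_to` before anything is sent to Steam, the `check_authentication` body built per OpenID 2.0 section 11.4.2 (all `openid.*` parameters copied verbatim, only `openid.mode` changed), and parsing of the key-value form response from section 4.1.1. `CALLBACK_URL`, the `NonceStore` type and the sample query string are assumptions constructed for the example; nonces are drawn from `/dev/urandom` rather than the `rand` crate.

```rust
// Added example (not the project's own code): nonce issue/consume with replay
// protection, callback parameter checks, and the check_authentication request
// body from OpenID 2.0 section 11.4.2. Uses only std.
use std::collections::{HashMap, HashSet};
use std::io::Read;

/// Full callback URL (assumed; the page only gives the path).
const CALLBACK_URL: &str = "https://example.com/api/auth/steam/callback";

/// One-time nonces: each nonce is accepted exactly once, so a replayed callback is rejected.
#[derive(Default)]
pub struct NonceStore {
    pending: HashSet<String>,
}

impl NonceStore {
    /// Issue a fresh nonce (32 random bytes from the OS, hex encoded) and remember it.
    pub fn issue(&mut self) -> std::io::Result<String> {
        let mut buf = [0u8; 32];
        std::fs::File::open("/dev/urandom")?.read_exact(&mut buf)?;
        let nonce: String = buf.iter().map(|b| format!("{:02x}", b)).collect();
        self.pending.insert(nonce.clone());
        Ok(nonce)
    }

    /// Consume a nonce; false if it was never issued or has already been used.
    pub fn consume(&mut self, nonce: &str) -> bool {
        self.pending.remove(nonce)
    }
}

/// Decode an application/x-www-form-urlencoded query string into a map.
pub fn parse_query(q: &str) -> HashMap<String, String> {
    q.split('&')
        .filter(|p| !p.is_empty())
        .map(|p| {
            let (k, v) = p.split_once('=').unwrap_or((p, ""));
            (percent_decode(k), percent_decode(v))
        })
        .collect()
}

fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        let decoded = if b[i] == b'%' && i + 2 < b.len() {
            std::str::from_utf8(&b[i + 1..i + 3]).ok().and_then(|h| u8::from_str_radix(h, 16).ok())
        } else {
            None
        };
        match (b[i], decoded) {
            (_, Some(v)) => { out.push(v); i += 3; }
            (b'+', None) => { out.push(b' '); i += 1; }
            (c, None) => { out.push(c); i += 1; }
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Checks done before Steam is contacted: the assertion is positive, return_to is exactly
/// our callback URL, and the nonce it carries was issued by us and not used before.
pub fn check_callback(params: &HashMap<String, String>, nonces: &mut NonceStore) -> Result<(), &'static str> {
    if params.get("openid.mode").map(String::as_str) != Some("id_res") {
        return Err("mode is not id_res");
    }
    let return_to = params.get("openid.return_to").ok_or("missing return_to")?;
    let (base, query) = return_to.split_once('?').ok_or("return_to has no nonce")?;
    if base != CALLBACK_URL {
        return Err("return_to does not match our callback");
    }
    let nonce = parse_query(query).remove("nonce").ok_or("return_to has no nonce")?;
    if !nonces.consume(&nonce) {
        return Err("unknown or replayed nonce");
    }
    Ok(())
}

/// Section 11.4.2: copy every openid.* parameter of the assertion unchanged and set
/// openid.mode to check_authentication; Steam then verifies the signature for us.
pub fn check_authentication_body(params: &HashMap<String, String>) -> Vec<(String, String)> {
    let mut body: Vec<(String, String)> = params
        .iter()
        .filter(|(k, _)| k.starts_with("openid."))
        .map(|(k, v)| (k.clone(), if k == "openid.mode" { "check_authentication".into() } else { v.clone() }))
        .collect();
    body.sort();
    body
}

/// Parse the key-value form response (section 4.1.1): "key:value" per line.
pub fn is_valid_response(kv: &str) -> bool {
    kv.lines().filter_map(|l| l.split_once(':')).any(|(k, v)| k == "is_valid" && v == "true")
}

fn main() {
    let mut store = NonceStore::default();
    let n = store.issue().expect("OS randomness");
    // Constructed callback query, as Steam would send it to /api/auth/steam/callback.
    let q = format!("openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res\
        &openid.return_to=https%3A%2F%2Fexample.com%2Fapi%2Fauth%2Fsteam%2Fcallback%3Fnonce%3D{}&openid.sig=c2ln", n);
    let params = parse_query(&q);
    println!("first callback:    {:?}", check_callback(&params, &mut store));
    println!("replayed callback: {:?}", check_callback(&params, &mut store));
    println!("verify body:       {:?}", check_authentication_body(&params));
}
```

The body returned by `check_authentication_body` is what the real handler would POST (form-encoded) to the OP endpoint with `reqwest`; only a response containing `is_valid:true` counts as a successful login, and the nonce is consumed before that request so a second delivery of the same callback fails even while the first is still being verified.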
- openid.net/specs/openid-authentication-2_0.html or .txt
- docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-cd-02.html
- actix.rs/docs
- serde.rs
- docs.rs/tokio/latest/tokio/#feature-flags
- Better names for packages, e.g., `openid/xml` is not a good name at all
- Move some of the constants in `openid/constants` into an enum or something
- Implement full serde serializer and deserializer for key values
  - See `src/openid/util/comma_separated_serde.rs`
  - openid.net/specs/openid-authentication-2_0.html#rfc.section.4.1.1
  - github.com/nox/serde_urlencoded
- See `actix_web` error handling
- serde `serialize_with` and `deserialize_with` examples
- Echoing HTTP requests
- Actor pattern with Tokio
- Don't unconditionally use `tokio::sync::Mutex`
- actix-web: Web framework.
- anyhow: Simplifies error handling.
- base64: Encode and decode data in Base64 format.
- chrono: Date and time library.
- chrono-humanize: Formats time in a human-readable way.
- log: Logging facade.
- rand: Random number generation.
- reqwest: HTTP client for making web requests.
- roxmltree: Fast and efficient XML library.
- serde: Serialization framework.
- serde_json: JSON serialization and deserialization using Serde.
- serde_urlencoded: URL encoding and decoding using Serde.
- simplelog: Simple logging library.
- tokio: Asynchronous runtime.
And all others in `Cargo.toml`.

! The descriptions above were generated using ChatGPT