I was reading about security issues with jwt, I am looking at docs.rs/crate/rust-argon2/0.6.0 it uses Argon2i, I know you said you use it for its stateless features, but that is also an exploitable security risk, whereas Cookies are not the best way to stay stateless and be secure, you can use in-memory cookies or even in-memory sessions, you can even encrypt them, but passing them in json is a nightmare for middle man attacks, and in-memory are safer, and faster IMO.
I am working on this now, trying to come up with a better solution.
Not your code's problem, but a problem with csrf-token
Problem with this line:
csrf-token = { git = "ssh://git@github.com/3dom-co-jp/csrf-token.git", branch="v0.2.x" }
It has issues, I am sure someone will fix it soon, seems to be with ssh, it is not set to public, so it asks for credentials.
I tried to use this with the same result, and I am sure this is temporary.
csrf-token = { git = "ssh://git@github.com/future-science-research/csrf-token.git", branch="v0.2.x" }
My question is why not use this instead:
github.com/heartsucker/rust-csrf
Currently, I cannot build the project because of this, but great article.
I am looking at converting it just to check it out, thanks.
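For readers hitting the same credential prompt: an `ssh://git@github.com/...` dependency in Cargo.toml always goes through SSH, so cargo needs an SSH key that GitHub accepts even when the repository is public. The fragment below is an added illustration, not code from the commenter or from the article; it assumes the `v0.2.x` branch is reachable anonymously over HTTPS (the `https://` URL is constructed from the one quoted above and is not confirmed by the thread).

```toml
[dependencies]
# Before: SSH scheme; cargo invokes the SSH transport and asks for
# credentials if no key for github.com is configured.
# csrf-token = { git = "ssh://git@github.com/3dom-co-jp/csrf-token.git", branch = "v0.2.x" }

# After (assumed): HTTPS scheme; a public repository can be fetched
# without any credentials, so `cargo build` no longer prompts.
csrf-token = { git = "https://github.com/3dom-co-jp/csrf-token.git", branch = "v0.2.x" }
```

If the repository really is private, the HTTPS form will fail too; in that case the SSH form is the right one and the fix is a configured deploy key, not a URL change. Pinning a `rev = "<commit-hash>"` in addition to `branch` is also worth considering for any git dependency, so the build does not silently pick up whatever the branch points at later.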
Hi, thanks for reporting this, I'll fix it as soon as possible.
Regards.
Yeah, sorry, it's fixed in master:
-
I had not found a way to use it easily with Actix web, it seems a plugin to be used with iron.