Rust library for HTTP authentication. Parses challenge lists, responds
to Basic
and Digest
challenges. Likely to be extended with server
support and additional auth schemes.
HTTP authentication is described in the following documents and specifications:
- MDN documentation.
- RFC 7235: Hypertext Transfer Protocol (HTTP/1.1): Authentication.
- RFC 7617: The 'Basic' HTTP Authentication Scheme
- RFC 7616: HTTP Digest Access Authentication
This framework is primarily used with HTTP, as suggested by the name. It is also used by some other protocols such as RTSP.
Well-tested, suitable for production. The API may change to improve ergonomics and functionality. New functionality is likely to be added. PRs welcome!
In order:
- sound. Currently no
unsafe
blocks inhttp-auth
itself. All dependencies are common, trusted crates. - correct. Precisely implements the specifications except where noted. Fuzz tests verify the hand-written parser never panics and matches a nom-based reference implementation.
- light-weight. Minimal dependencies; uses Cargo features so callers can
avoid them when undesired. Simple code that minimizes monomorphization
bloat. Small data structures; eg
http_auth::DigestClient
currently weighs in at 32 bytes plus one allocation for all string fields. - complete. Implements both parsing and responding to challenges.
(Currently only supports the client side and responding to the most common
Basic
andDigest
schemes; future expansion is likely.) - ergonomic. Creating a client for responding to a password challenge is
a one-liner from a string header or a
http::header::GetAll
. - fast enough. HTTP authentication is a small part of a real program, and
http-auth
's CPU usage should never be noticeable. ForDigest
's cryptographic operations, it uses popular optimized crates. In other respects,http-auth
is likely at least as efficient as other HTTP authentication crates, although I have no reason to believe their performance is problematic.
Scott Lamb <[email protected]>
SPDX-License-Identifier: MIT OR Apache-2.0
See LICENSE-MIT.txt or LICENSE-APACHE, respectively.