Is this attempt at authentication for axum secure (ft. axum_login)?

This isn't the full code, as the entire code would just be a lot to read and go out of the scope of what I am asking. I am using bcrypt, axum, axum-login and jsonwebtoken. Is this so far a good attempt at authentication? I know I will probably need to implement a SQL backend, but some direction on where to go from here, or if there are any issues, would be much appreciated.

The goal of this is to implement basic authentication so the login page can be accessed, and upon accessing it, you are given a JWT, which hopefully axum_login can handle, and which lets you have access to the rest of the pages as long as that JWT is present in the header or however axum_login handles it.

You might want to use a middleware for the authentication as a next step.

As for your example code, it definitely can be improved. For example, you are using the String type for sensitive values (the secret key and the password), which would leak in logs in a production server. Use a proven, robust solution for this such as this crate instead.
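The logging leak described in the reply above, as an added example that is not code from this thread or from the suggested crate: a derived `Debug` on a struct holding a `String` password prints it, while a wrapper type with a redacting `Debug` does not. `Redacted`, `LeakyLogin`, `SafeLogin` and `log_line` are hypothetical names, the password is a constructed sample, and the wrapper is a std-only stand-in for what a dedicated secret-handling crate provides.

```rust
use std::fmt;

/// Hypothetical std-only wrapper (an assumption for illustration, not a crate's API).
pub struct Redacted(String);

impl Redacted {
    pub fn new(value: String) -> Self { Redacted(value) }
    /// Explicit accessor: every use of the raw secret is easy to find in review.
    pub fn expose(&self) -> &str { &self.0 }
}

// Debug never prints the inner value, so derived Debug on outer structs is safe.
impl fmt::Debug for Redacted {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { f.write_str("[REDACTED]") }
}

impl Drop for Redacted {
    fn drop(&mut self) {
        // Best-effort wipe of the current buffer; earlier reallocations or copies
        // of the String are not covered. Zero bytes are still valid UTF-8.
        unsafe {
            for b in self.0.as_bytes_mut().iter_mut() {
                std::ptr::write_volatile(b as *mut u8, 0);
            }
        }
    }
}

/// Login payload with the password as a plain String: derived Debug prints it.
#[derive(Debug)]
pub struct LeakyLogin { pub username: String, pub password: String }

/// Same payload with the password wrapped: derived Debug prints the placeholder.
#[derive(Debug)]
pub struct SafeLogin { pub username: String, pub password: Redacted }

/// Stand-in for a log/tracing call that formats its argument with {:?}.
pub fn log_line<T: fmt::Debug>(req: &T) -> String { format!("login attempt: {:?}", req) }

fn main() {
    // Constructed sample credentials.
    let leaky = LeakyLogin { username: "alice".into(), password: "hunter2-constructed".into() };
    let safe = SafeLogin {
        username: "alice".into(),
        password: Redacted::new("hunter2-constructed".into()),
    };
    println!("{}", log_line(&leaky)); // password appears in the log line
    println!("{}", log_line(&safe));  // password shows as [REDACTED]
}
```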

I had to revamp a lot of the authentication stuff. I will look into the Secrecy crate for my final solution (and post it again here). I just wanted to ask, are there any glaring insecurities in my second attempt?

The client will make one request, which will take the username and password (idk if it has to be encrypted during transmission, but I'm thinking no), and then it's given a JWK. Then, if it wants to go to another page, it will make a request to authenticate, which will take the JWK and the next location, although the next location might not need to be handled by authenticate, as axum_login seems to set up a session. I also want to know: is there any added value in re-asking authenticate every time the user wants to go somewhere? I want a permission system, which was one of my rationales behind it, but I don't know if I made it overly complex.