Using JWTs - Introduction to Axum



Comments

Author

Awesome, thank you!

As a subscriber I already love your content. I do feel your work though is massively undervalued - you should have many more subscribers than you currently do. Many other Rust tutorials are either rock bottom basic, or assume you've memorised the Standard Library. Or they're just a summary of Rust's capabilities, without fleshing out the substance.

It's great to see your process of finding the right crate for a particular purpose, explaining why you've chosen it, and then feel your way through the documentation to land at working examples. I believe cloning is bad practice (an anti-pattern if you will), but it's nice to see its use to get things moving.

I have a couple of questions regarding security, and performance. I don't know the internals of JWTs so maybe these aren't relevant to more experienced devs:

1. Security wise, if you aren't adding any additional details to the "claim" struct during token generation to differentiate one user from another, and you're using the same key material from the .env file, wouldn't that produce the same token values if two tokens were requested at the same instant in time? (The same UNIX time EPOCH)

2. Performance wise, your system appeared to "hang" briefly when testing the API at the token creation step. That suggests the process of refreshing a token is an expensive one. Generating new tokens, flushing them to the client browser and database for every user action, is going to feel like wading through quicksand in concrete shoes. Can you do a performance test, perhaps using the wrk utility, or better yet a pure Rust load generation tool of some kind?

(I think the phrase you're looking for to encourage us to try to extend your code as we learn is, "I'll leave that as an exercise for the viewer" 😉).

Thanks again - Mark

IndigoVFX
Author

I thought the whole point of using JWT was not to use a database for authentication, but here we are checking if the token is in the database

parker
Author

Awesome, this was really cool. Man, you earned a sub. I always watch an auth video of anyone who's teaching how to use a framework, and this has been a really concise and to-the-point one.
🤩

ME_rohitkulkarni
Author

hey brooks, in your vscode setup, how are you getting all the auto-imports of the using statements? Or are you doing some keyboard wizardry as you're typing new methods to get the use statements to appear? I get the intellisense, but I have to go to each item and CTRL+. to import it. Also, new sub on your twitch account and I fully agree with the other commenter here, you are one of the most undervalued resources I have seen regarding learning Rust, and you are the first person I have ever sought out to "subscribe" to (I'm not a user on twitch, but I went there just to sub). Keep up the awesome work!

MikeM
Author

There can be ONLY ONE route_layer. set_custom_middleware from previous videos has to be removed.

meka
Author

You shouldn't be teaching people if you haven't done your homework. You have to validate your token (the function you wanted to use in the first place).
A token is invalid not only when it's expired, but also when its signature is invalid and a bunch of other conditions.

Also, no one should really reinvent the wheel when it comes to security (especially not when you're not a security expert) and rather use a 3rd party auth service.

Thanks nonetheless, for your time and effort.
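As an added example (not code from the video or any commenter), here are the checks meka describes, written against the Python standard library rather than the jsonwebtoken crate, so that algorithm, signature and expiry are all verified; it also answers the first comment's question by showing that identical claims under the same key do produce an identical HS256 token, which is why per-user claims such as `sub` matter. The key, claims and function names are constructed for this illustration.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_hs256(claims: dict, key: bytes) -> str:
    # HS256 is deterministic: same claims + same key -> same token string (comment 1).
    # Per-user uniqueness comes from claims such as "sub", not from the signature.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def decode_hs256(token: str, key: bytes, now: int) -> dict:
    # Accept only when alg, signature AND expiry all pass; checking exp alone
    # (the gap meka points at) would let a tampered payload through.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # also rejects alg=none
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims

def is_accepted(token: str, key: bytes, now: int) -> bool:
    try:
        decode_hs256(token, key, now)
        return True
    except ValueError:
        return False

def with_replaced_payload(token: str, new_claims: dict) -> str:
    # Test fixture: new payload, stale signature; a correct verifier must reject it.
    head, _, sig = token.split(".")
    body = _b64url(json.dumps(new_claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{head}.{body}.{sig}"

KEY = b"constructed-demo-secret"  # constructed sample, not the video's .env key
CLAIMS = {"sub": "user-42", "iat": 1_700_000_000, "exp": 1_700_003_600}
```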

samedhamma