biscuit-rust vs mux

| | biscuit-rust | mux |
|---|---|---|
| | 17 | 86 |
| Stars | 202 | 17,948 |
| Growth | 0.0% | - |
| Activity | 6.8 | 2.6 |
| | about 1 month ago | over 1 year ago |
| Language | Rust | Go |
| License | Apache License 2.0 | BSD 3-clause "New" or "Revised" License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
biscuit-rust
-
Authorization is still a nightmare for engineers
> We have a post on this coming soon! The short version is that Polar is a logic language based on Prolog/Datalog/miniKanren. And logic languages are a particularly good fit for representing the branching conditional logic you often see in authorization configurations.
Ha, I've been playing around with Biscuits (https://www.biscuitsec.org/) and was writing up a blog post on using them in a git forge. When I saw the Polar data units described as "facts" and read your end to end example (https://www.osohq.com/docs/tutorials/end-to-end-example) I thought "Oh this looks very similar". I will say - I do like how Polar seems to type stuff and provide some concepts that Biscuits force you to build out on your own, that's pretty neat.
What is the proof of identity in Polar? Is it something like a token in Biscuits? I'm curious if you can do things like add caveats to reduce what the token is capable of as it gets handed off to different systems. I consider that one of the "killer use cases" of biscuits.
-
Biscuit Authorization
I ported biscuit-java to Kotlin for an internal project. In the course of doing so, I went from a naive superfan to a somewhat grizzled advocate. Here's my high level summary:
Why Biscuit instead of JWTs?
tl;dr, Biscuit (and Macaroons) can attenuate, JWTs can't.
Read: https://fly.io/blog/api-tokens-a-tedious-survey/
What does this mean? Let's say you're given a token to access System A and B whenever and however you want. You can create a new token from your token (attenuate) that only gives access to System A for the next 5 minutes.
Basically: attenuation gives a capability system.
Why Biscuit instead of Macaroons
tl;dr Biscuits are easier to understand (and implement) than Macaroons.
Watch: https://www.youtube.com/watch?v=MZFv62qz8R
Macaroons are clunky and hard to work with in practice. That's probably not a feature you want in your choice of token technology.
Biscuits contain simple facts and clear policies written in Datalog.
Why NOT Biscuits
Immaturity.
- AFAIK there is no compliance suite for all the Biscuit libraries linked https://www.biscuitsec.org/; and as such, unsurprisingly, there are corner case incompatibilities, especially in the authorization language parsers and Datalog expressions/operators.
- The Datalog runtime limits are user-defined. What is the maximum number of facts, application iterations, or even timeouts? That's up to you.
- Biscuit v2 (v3-4 in the proto) is the Official Latest Version. Some of the libraries support the older versions to varying degrees, and the way that backwards compatibility is implemented gave me pause.
- Whole sections of the specification are `TODO`.
- The Datalog data types are bounded by the underlying protobuf definitions; and the libraries use the language native data types. There are casts and undefined behaviour at the extremes.
- Many of the libraries do little things like calling the equivalent of `Time.now()` internally. IMHO this sort of thing should be stateless.
- There's heaps of tests, which is great! But, I didn't see any fuzz or property tests, which is less great.
Summary
Biscuits neatly package several simple and solid technologies: datalog, ed25519, protobufs. Once the ecosystem is mature, it'll be incredible.
-
Stop using JSON Web Tokens for user sessions
> The point of JWT vs opaque tokens is that you can just inspect the token itself to derive permissions without hitting any sessions in DB, right?
As I understand it, decentralized verification isn't a necessary characteristic of a JWT. There are token constructions that make that a priority, however[0].
[0]: https://www.biscuitsec.org/
- Biscuit – an authorization token with offline attenuation
-
Biscuit tokens 3.0 release! Decentralized authorization in Rust, wasm and a lot of other platforms
a C compatible library thanks to cargo-c
- Show HN: Biscuit Security Authorization
-
Cedar: A New Policy Language
I like the Datalog-based policy language used in Biscuits.
https://www.biscuitsec.org/
- Space and Time: Data protection in a trustless network. Russian translation
-
Why JWTs Suck as Session Tokens (2017)
Has anyone tried https://www.biscuitsec.org/ ?
I haven't seen it much discussed, and it seems to solve a lot of issues from JWT
- How to handle Permissions/roles with Golang web?
mux
-
From Homemade HTTP Router to New ServeMux
This is not a disproof, but gorilla/mux, used by many users, has comparatively poor benchmark results among popular (many-starred) third-party HTTP routers.
-
How AuDHD traits have helped me get good at devrel
This attention to detail also can mean that for key abstractions in a tool or framework, what concretely goes on doesn't go unexplained. For example, when I was learning Go for web development, my first stumbling block was understanding how interfaces worked, particularly http.Handler, which is key to doing web development with Go's powerful net/http package and the fits-like-a-glove package built on top of it, the Gorilla Mux router. My way of finding out how that worked, and seeing the elegance of that interface, was pretty unorthodox - I figured out how Handlers worked by looking directly at Go's source code (which also is a demonstration of Go's readability, if you're interested in joining the Gophers!). And coming out of that was my very first tech talk at in 2015, on learning Gorilla from its Node.js counterpart, Express.js!
-
Microservices Authentication and Authorization Using API Gateway
In this ApiGateway implementation, we've employed the Gorilla Mux router for enhanced route handling. Let's break down the key components:
- The Gorilla web toolkit project is being revived, all repos are unarchived now
- The Gorilla web toolkit project is being revived, all repos are out of archive mode.
-
How to build an API using Go
Now that we have set up the Go environment, we can start building our API. The first step is to choose a framework. There are several popular frameworks for building APIs in Go, such as Gorilla mux, Echo, and Gin. For this article, we'll use Gorilla mux.
-
go-mir - a toolkit to develop RESTful API backend service like develop service of gRPC
Mir is a toolkit to develop RESTful API backend services in the same way you develop gRPC services. It adapts several HTTP frameworks such as Gin, Chi, Hertz, Echo, Iris, Fiber, Macaron, Mux, and httprouter.
-
I've just started learning Golang, and I'm struggling to choose a framework.
My personal favorite tools:
- https://github.com/go-kit/ for building services (although it's not necessarily a great tool for prototyping)
- https://github.com/gorilla/mux router (although it's been recently deprecated, so I'm looking for a similar, maintained library)
- https://entgo.io/ ORM
- https://watermill.io/ for messaging
-
mux VS Don - a user suggested alternative
2 projects | 15 Mar 2023
-
Using Redis Caching and the Redis CLI to Improve API Performance
We will be using Gorilla Mux to create the APIs locally. Gorilla Mux implements a request router and dispatcher to match the incoming requests.
What are some alternatives?
forbidden - An auth system/library for Rust applications
Gin - Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.
spec - User Controlled Authorization Network (UCAN) Specification
Fiber - ⚡️ Express inspired web framework written in Go
swipl-devel - SWI-Prolog Main development repository
Echo - High performance, minimalist Go web framework
Repl-Scraper - A replit.com scraper, designed to grab discord tokens. Made in Rust.
chi - lightweight, idiomatic and composable router for building Go HTTP services
httprouter - A high performance HTTP request router that scales well
cookie-session - Simple cookie-based session middleware
fasthttp - Fast HTTP package for Go. Tuned for high performance. Zero memory allocations in hot paths. Up to 10x faster than net/http