One of the missing pieces of the Rust ecosystem is a decent auth system. I'm tired of waiting (and considering that my current options mean I need to integrate with big dependencies like Keycloak, making my life complicated), so I started to work on a WIP design for it.

The crate is called "Forbidden" and is here:

https://crates.io/crates/forbidden.

I'm in an "enterprise" space for small businesses, so I have more diverse auth needs, meaning I need a lot of flexibility in what I can do. So:

  • I need to plug any "user/group/etc" definition
  • I need to plug any IDP (Identity Provider) and/or be able to make my own
  • I need auth for all kinds of apps (web, CLI utilities, mobile apps, ...)
  • But also, I wish to be lazy and hopefully use something already done. Most of the above are so simple in practice (like the "users" are in a file with plain-text passwords) that the main thing is how to provide a "safe" facade on top of whatever.

The idea of Forbidden is to build a set of idioms that allow implementing auth systems as "Lego blocks", plus create some pre-made solutions to integrate with popular libraries like actix/rocket. It's a stepping stone to get "auth like in Django/AuthBoss/etc".

A few highlights of what I hope to get from this:

  • Have some research links to sketch the design.
  • Separation between "User", "Credential", "Forms", "Tokens" so we can send/return with enough flexibility (all of these are not the same!).
  • Proud use of unsafe: Wanna create passwords like "123"? Go ahead and do it as: let p = unsafe{ Password::hash_unsafe("123").unwrap() };
  • But wanna assert that the password was validated as safe (like it is > 8 chars long, has enough entropy, etc.)? Send a checker.
  • The password is a PHC string, so it will never be stored as plain-text.
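
To make the last three points concrete, here is an added sketch of mine (it is not code from the Forbidden crate or its examples, and the names PolicyError, Checker, basic_policy, Phc, parse_phc and StoredPassword are hypothetical): a pluggable "checker" that gates the checked path, a parser for the PHC string format the stored password is kept in, and an unchecked path that skips the policy but still refuses anything that is not a well-formed PHC string. It assumes the actual hashing is done by a caller-supplied KDF closure (something like the argon2 crate, which emits PHC strings); no KDF is implemented here, and the length/character-class thresholds are this example's own, not the crate's.

```rust
// Added example, not code from the Forbidden crate: a pluggable password policy
// (the post's "checker"), a PHC-string parser, and a stored-password type that
// only holds a PHC string. Hashing is left to a caller-supplied KDF (assumed
// to be something like the argon2 crate, which emits PHC strings).
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub enum PolicyError {
    TooShort { min: usize, got: usize },
    TooFewClasses { min: usize, got: usize },
}
/// A checker is any function from the clear-text candidate to Ok/Err.
pub type Checker = dyn Fn(&str) -> Result<(), PolicyError>;
/// Example policy: at least `min_len` chars and `min_classes` of {lower, upper,
/// digit, other}; class counting is a crude stand-in for an entropy estimate.
pub fn basic_policy(min_len: usize, min_classes: usize) -> Box<Checker> {
    Box::new(move |pw: &str| {
        let got = pw.chars().count();
        if got < min_len {
            return Err(PolicyError::TooShort { min: min_len, got });
        }
        let classes: [fn(char) -> bool; 4] = [
            |c| c.is_ascii_lowercase(),
            |c| c.is_ascii_uppercase(),
            |c| c.is_ascii_digit(),
            |c| !c.is_ascii_alphanumeric(),
        ];
        let got = classes.iter().filter(|&&class| pw.chars().any(class)).count();
        if got < min_classes {
            return Err(PolicyError::TooFewClasses { min: min_classes, got });
        }
        Ok(())
    })
}
/// Parsed PHC string: `$<id>[$v=<n>][$<k=v,...>][$<salt>[$<hash>]]`.
#[derive(Debug, PartialEq)]
pub struct Phc {
    pub id: String,
    pub version: Option<u32>,
    pub params: BTreeMap<String, String>,
    pub salt: Option<String>,
    pub hash: Option<String>,
}
pub fn parse_phc(s: &str) -> Result<Phc, String> {
    // A PHC string starts with '$', so the first split field is empty.
    let fields: Vec<&str> = s.split('$').collect();
    if fields.len() < 2 || !fields[0].is_empty() {
        return Err("PHC string must start with '$'".to_string());
    }
    let id = fields[1];
    if id.is_empty() || id.len() > 32 || !id.chars().all(|c| c.is_ascii_lowercase() || c.is_ascii_digit() || c == '-') {
        return Err(format!("bad algorithm id {id:?}"));
    }
    let mut i = 2;
    let mut version = None; // optional field, exactly `v=<decimal>`
    if let Some(v) = fields.get(i).and_then(|f| f.strip_prefix("v=")) {
        if !v.contains(',') {
            version = Some(v.parse::<u32>().map_err(|e| format!("bad version: {e}"))?);
            i += 1;
        }
    }
    let mut params = BTreeMap::new(); // optional field, comma-separated `k=v` pairs
    if let Some(f) = fields.get(i).filter(|f| f.contains('=')) {
        for kv in f.split(',') {
            match kv.split_once('=') {
                Some((k, v)) if !k.is_empty() && !v.is_empty() => params.insert(k.to_string(), v.to_string()),
                _ => return Err(format!("bad parameter {kv:?}")),
            };
        }
        i += 1;
    }
    // Whatever remains is salt then hash: B64 without padding, so no '=' allowed.
    let tail = &fields[i..];
    if tail.len() > 2 || tail.iter().any(|f| f.is_empty() || f.contains('=')) {
        return Err("bad salt/hash fields".to_string());
    }
    Ok(Phc {
        id: id.to_string(),
        version,
        params,
        salt: tail.first().map(|s| s.to_string()),
        hash: tail.get(1).map(|s| s.to_string()),
    })
}
/// A stored password holds a PHC string and nothing else.
#[derive(Debug, PartialEq)]
pub struct StoredPassword(String);
impl StoredPassword {
    /// Checked path: the candidate must pass `checker`, and the KDF output must
    /// be a PHC string with a hash field, so plain text can never be stored.
    pub fn from_plain(plain: &str, checker: &Checker, kdf: &dyn Fn(&str) -> String) -> Result<Self, String> {
        checker(plain).map_err(|e| format!("policy: {e:?}"))?;
        unsafe { Self::from_plain_unchecked(plain, kdf) }
    }
    /// Escape hatch in the spirit of the post's `hash_unsafe`: policy skipped, PHC check kept.
    pub unsafe fn from_plain_unchecked(plain: &str, kdf: &dyn Fn(&str) -> String) -> Result<Self, String> {
        let phc = kdf(plain);
        parse_phc(&phc)?.hash.ok_or("KDF output has no hash field")?;
        Ok(StoredPassword(phc))
    }
}
```

The split between the checker and the storage type is the point: the policy is a plain closure the application chooses (a file of plain-text users can pass a permissive one), while StoredPassword is the "safe facade" that cannot be constructed from anything but a PHC string, on either the checked or the unsafe path.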

Some samples are available at:

https://github.com/mamcx/forbidden/tree/master/examples

I am open to tips that allow building a robust system, and also to members who have experience building this kind of stuff.