rhythm/rhythm-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
51 Commits 3 Branches 0 Tags
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Dmitri ed7fff4983
Some checks are pending
Build and Push Docker Image / build-and-push (push) Waiting to run
Details
cache
2026-05-03 22:39:22 +02:00
.gitea/workflows
cache
2026-05-03 22:39:22 +02:00
.sqlx
sqlx prepare
2026-05-03 22:34:54 +02:00
http_client
initial auth stuff
2026-05-03 19:26:29 +02:00
migrations
added creation of access token and table for refresh token
2026-04-28 20:36:54 +02:00
src
authentication for the backend
2026-05-03 22:23:11 +02:00
tests
authentication for the backend
2026-05-03 22:23:11 +02:00
.dockerignore
docker compose
2026-04-24 20:27:12 +02:00
.gitignore
migration and db pool
2026-04-24 21:05:40 +02:00
BACKEND_BLUEPRINT.md
initial db interactions
2026-04-27 23:05:27 +02:00
Cargo.lock
authentication for the backend
2026-05-03 22:23:11 +02:00
Cargo.toml
authentication for the backend
2026-05-03 22:23:11 +02:00
compose.prod.yaml
added example .env
2026-04-28 19:13:52 +02:00
compose.yaml
docker compose
2026-04-24 20:27:12 +02:00
Dockerfile
cache
2026-05-03 22:39:22 +02:00
example.env
added example .env
2026-04-28 19:13:52 +02:00
LICENSE
Initial commit
2026-03-28 13:39:05 +00:00
Makefile
initial db interactions
2026-04-27 23:05:27 +02:00
README.md
anti enumeration adn rate limit
2026-05-02 14:06:54 +02:00

README.md

Rhythm Backend API Documentation

Authentication System Overview

The authentication system is built with a security-first approach, featuring multi-layered protection against common web vulnerabilities.

Security Layers (Middleware)

  1. Rate Limiting (Anti-Spam Bucket)

    • Mechanism: Token Bucket (in-memory DashMap).
    • Logic: Identifies users via the X-Client-IP header (trusted from proxy).
    • Config: 5 attempts per minute, refilling 1 token every 12 seconds.
    • Response: 429 Too Many Requests.

  2. Anti-Enumeration (Timing Protection)

    • Mechanism: Variable response delay.
    • Logic: Ensures every authentication request takes between 150ms and 300ms.
    • Purpose: Hides whether an account exists or a password was correct from timing analysis.

Current API Endpoints

POST /api/v1/auth/register

Registers a new user.

  • Payload: RegisterRequest { email, password }
  • Response: 200 OK with AuthResponse { access_token }
  • Side Effect: Sets an HttpOnly, Secure, SameSite=Strict cookie named refresh_token.

POST /api/v1/auth/login

Authenticates a user.

  • Payload: LoginRequest { email, password }
  • Response: 200 OK with AuthResponse { access_token }
  • Side Effect: Sets a new refresh_token cookie.

POST /api/v1/auth/refresh

Rotates tokens for an active session.

  • Requirement: Valid refresh_token cookie.
  • Response: 200 OK with new access_token.
  • Rotation Logic: Revokes the old refresh token and issues a completely new one (Rotation) to prevent session hijacking.

POST /api/v1/auth/logout

Invalidates the current session.

  • Requirement: Valid refresh_token cookie.
  • Response: 200 OK.
  • Logic: Revokes the refresh token in the database and clears the HttpOnly cookie.

Security Features Detail

1. Rate Limiting (Anti-Spam)

Protects against brute-force and DoS attacks by limiting requests per IP address. Uses an in-memory Token Bucket algorithm.

2. Anti-Enumeration (Timing Protection)

Ensures that the time taken to process an auth request is independent of the result (e.g., whether a user exists or not). This prevents attackers from using timing differences to discover valid emails.

3. Password Strength (zxcvbn)

Uses Dropbox's zxcvbn algorithm to estimate password entropy. Registration requires a score of at least 3/4.

4. Refresh Token Rotation

Every time a refresh token is used to get a new access token, the old refresh token is invalidated and a new one is issued. This limits the window of opportunity if a refresh token is leaked.

Description
No description provided
Readme GPL-3.0 8.5 MiB
Languages
Rust 98.4%
Dockerfile 1.3%
Makefile 0.3%