Heya’ll. So I have a pet project whose scope has grown wildly larger than I ever intended (as they often do), to the point where I’m rewriting a static site to run on a webserver with SQL databases and somesuch. This is the first time I’m making a project of this scale and requirements, so it’s a lot of fun, and I’m right now learning Rust to run the server. (Wanted to learn it for a while and this is a great excuse.)
Now here’s the question - I am thinking of making a user system, where people can log in and do things like comment or make posts. I heard this is fresh hell, especially when it comes to security. I’ve decided I’d offload the password headache to someone else using OAuth2 and some other app that allows login (like Discord), but I imagine there’s still plenty of potholes I’m about to blindly run into.
Are there any specific tips you could give me, or any resources you could point me towards, to help keep me and my users’ content safe? (Or even just preemptively stop me from getting a headache later on?)
What sort of laws governing user-generated content and data privacy does Israel have? Will you be subject to these laws if you go ahead with this project? Can you afford to get it wrong?
I… actually did not check that. Good point, I’ll go check, thx.
For the most part this is a project I’m making for a group of friends who I all know personally so I don’t think this is something that’s going to become a problem, but I should probably double check anyways.
(To clarify - I want to set up a public-facing archive of content for a writing project we’re doing, and I want to make it so other people can also easily upload stuff instead of having to go through me for everything. There might be comments but like, it’s probably not a social media analogue)
If you know all users, it’s not that hard. You can just store passwords hashed in the database and do password resets manually. At a small scale, rusqlite (an SQLite crate) is probably fine. You should still encapsulate the DB stuff into its own module so you can migrate to another DB more easily.
I don’t know which HTTP library you are using, but if you are using actix-web, I can recommend the actix-session and actix-identity crates for session management.