Debug School

rakesh kumar


Rust programming checklist

Create a /api/register endpoint
Add a register handler that inserts a new user into DB, then returns success JSON.

Hash the password during login and registration
Replace plain-text comparison with hashed password verification (store hashed password in DB).

Add remember_me option in login
If remember_me=true, set a longer session expiry; otherwise keep it short.

Create an auth_guard() helper
Build a helper that returns (user_id, role, username) from the session in one call.

Protect /api/dashboard fully using session guard
Ensure dashboard returns 401 if user is not logged in.

Add role-based route protection (Admin only)
Create /api/admin/users and allow only users with role admin.

Create middleware RequireLogin
Instead of adding session checks in every handler, build a middleware that blocks unauthenticated requests.

Apply middleware only to a route group
Use web::scope("/api") and inside it apply auth middleware only to a child scope like /api/private.

Create /api/logout-all behavior
Implement logic to invalidate session across devices (server-side session store OR token version in DB).

Implement session timeout
Store a last_activity timestamp in the session and auto-logout after X minutes of inactivity.

Create a /api/me endpoint
Return {user_id, username, role} from session; if missing return 401.

Add vendor_id based data filtering
In the shops/vehicles handlers, ensure DB queries filter by the session user_id and do not allow a user to access other vendors’ records.

Prevent ID tampering
For /api/shops/{id}, verify that the shop belongs to the logged-in vendor before returning it.
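The auth_guard() helper, the inactivity timeout, the admin-only role check and the ownership check for /api/shops/{id} as one stand-alone example; this is added code, not from the post. It assumes the actix-session Session is replaced by a plain HashMap<String, String> so it runs without the framework, and the 15-minute timeout is an assumed value for the checklist's "X minutes".

```rust
use std::collections::HashMap;

// Constructed stand-in for the actix-session `Session`: a string key/value map.
pub type Session = HashMap<String, String>;

// Maps to the HTTP status the handler returns: 401 vs 403.
#[derive(Debug, PartialEq)]
pub enum AuthError { Unauthorized, Forbidden }

// The "X minutes" of the inactivity rule; 15 minutes is an assumed value.
pub const SESSION_TIMEOUT_SECS: u64 = 15 * 60;

/// What the login handler stores; `now` is a unix timestamp in seconds.
pub fn login_session(user_id: i64, role: &str, username: &str, now: u64) -> Session {
    let mut s = Session::new();
    s.insert("user_id".into(), user_id.to_string());
    s.insert("role".into(), role.into());
    s.insert("username".into(), username.into());
    s.insert("last_activity".into(), now.to_string());
    s
}

/// auth_guard(): returns (user_id, role, username) from the session in one call.
/// Missing fields or inactivity longer than the timeout yield Unauthorized (401),
/// and a stale session is cleared so the client cannot keep using it.
pub fn auth_guard(s: &mut Session, now: u64) -> Result<(i64, String, String), AuthError> {
    let field = |k: &str| s.get(k).cloned().ok_or(AuthError::Unauthorized);
    let user_id = field("user_id")?.parse::<i64>().map_err(|_| AuthError::Unauthorized)?;
    let role = field("role")?;
    let username = field("username")?;
    let last = field("last_activity")?.parse::<u64>().map_err(|_| AuthError::Unauthorized)?;
    if now.saturating_sub(last) > SESSION_TIMEOUT_SECS {
        s.clear(); // auto-logout after inactivity
        return Err(AuthError::Unauthorized);
    }
    s.insert("last_activity".into(), now.to_string()); // sliding inactivity window
    Ok((user_id, role, username))
}

/// Role-based protection for routes such as /api/admin/users:
/// 401 when not logged in, 403 when logged in with another role.
pub fn require_role(s: &mut Session, now: u64, wanted: &str) -> Result<i64, AuthError> {
    let (user_id, role, _) = auth_guard(s, now)?;
    if role == wanted { Ok(user_id) } else { Err(AuthError::Forbidden) }
}

/// ID-tampering check for /api/shops/{id}: the row's vendor_id must be the session user.
pub fn owns_record(session_user_id: i64, record_vendor_id: i64) -> Result<(), AuthError> {
    if session_user_id == record_vendor_id { Ok(()) } else { Err(AuthError::Forbidden) }
}
```

In a real handler the session map is the actix-session Session and `now` comes from the system clock; injecting it here keeps the timeout deterministic to test.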

Standardize API error responses
Create a JsonError struct and always return the same error format for 401/403/500.

Add CSRF protection basics
Generate CSRF token on login, store in session, require it for POST/PUT/DELETE requests.

Fix CORS for production domain
Replace localhost origins with your real domain and ensure supports_credentials() remains enabled.

Enable secure cookie in production only
Use env variable like APP_ENV=production to set .cookie_secure(true) only in production.

Add audit logging
Log every login attempt (success/failure) with username + IP + user-agent.

Create a protected file upload endpoint
Protect /api/vehicles/upload-partner-image so only logged-in users can upload.

Add route test cases
Write integration tests for:
- login sets session
- protected route works after login
- protected route fails without login
- logout clears session
