I am building a simple REST API for an application, and I wonder if there is ready-to-use middleware to handle user authentication. This application is internal and will only be used by developers, but I want to approach security with due diligence. List of the requirements:
Nothing fancy, minimalism is preferred. The number of users for the REST API will vary between 0 and 1. To paraphrase Joe Armstrong, I only need a banana, not the entire jungle.
Support for HTTP basic auth, JWT is a bonus
Prevention of brute-force attacks
It can use Mnesia as a storage backend (I don’t want my service to depend on an external database for such a low-volume data)
Ideally I would prefer to use cowboy web server, but I am open to other lightweight alternatives if they do the job.
I did a brief search on hex/github and didn’t find anything of that nature, but I want to double-check if I missed something before “rolling out my own crypto”.
httpd has a built-in authentication mechanism via the mod_auth module, but I haven’t used that module. Mnesia can be used as a storage backend. You can even partially prevent brute-force via max_retries, max_keep_alive_request and similar properties. It doesn’t support HTTP basic or JWT.
Read the user guide before setting up httpd. I use it for internal purposes and it is indeed a banana.
After all, it’s still part of OTP, so any feedback is welcome.
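For readers who want to see what the reply above describes in practice, here is an added example (not code from the thread and not taken from the inets documentation verbatim) of an inets httpd instance that protects one directory with mod_auth and keeps its user records in Mnesia. The paths under /tmp/banana, the port, the realm name, the user name and the password are all assumptions; the httpd_user and httpd_group attribute lists are written out by hand to match the record layout mod_auth expects, and the `max_keep_alive_request` and `keep_alive_timeout` values are arbitrary caps, not a substitute for a real lockout policy.

```erlang
%% Added example, not from the thread: a loopback-only httpd with mod_auth
%% backed by Mnesia. All paths, names and credentials below are assumptions.
-module(banana_httpd).
-export([start/0, stop/1]).

-define(ADDR, {127, 0, 0, 1}).            % internal tool: never bind to all interfaces
-define(PORT, 8080).
-define(SERVER_ROOT, "/tmp/banana").
-define(DOC_ROOT, "/tmp/banana/www").
-define(SECRET_DIR, "/tmp/banana/www/secret").

%% Starts Mnesia, creates the tables mod_auth uses for auth_type mnesia,
%% starts httpd and registers one user for the protected directory.
start() ->
    ok = filelib:ensure_dir(?SECRET_DIR ++ "/"),
    ok = setup_mnesia(),
    ok = inets:start(),
    {ok, Pid} = inets:start(httpd, [
        {port, ?PORT},
        {bind_address, ?ADDR},
        {server_name, "banana"},
        {server_root, ?SERVER_ROOT},
        {document_root, ?DOC_ROOT},
        %% mod_auth must run before the module that serves the file.
        {modules, [mod_alias, mod_auth, mod_get, mod_head]},
        %% Cheap per-connection limits; they bound how many guesses one
        %% keep-alive connection can make, nothing more.
        {max_keep_alive_request, 10},
        {keep_alive_timeout, 5},
        {directory, {?SECRET_DIR, [
            {auth_type, mnesia},
            {auth_name, "Internal tooling"},   % Basic realm shown to the client
            {require_user, ["dev"]}
        ]}}
    ]),
    %% mod_auth writes through the backend chosen by auth_type, so this
    %% record lands in the httpd_user table rather than a file.
    true = mod_auth:add_user("dev", "correct horse battery staple", [],
                             ?ADDR, ?PORT, ?SECRET_DIR),
    {ok, Pid}.

stop(Pid) ->
    inets:stop(httpd, Pid).

%% Creates the schema and the two tables mod_auth's Mnesia backend reads.
setup_mnesia() ->
    case mnesia:create_schema([node()]) of
        ok -> ok;
        {error, {_, {already_exists, _}}} -> ok
    end,
    ok = mnesia:start(),
    %% Attribute names follow the httpd_user / httpd_group records in
    %% inets' mod_auth.hrl (assumption: written out instead of included).
    Tables = [{httpd_user,  [username, password, user_data]},
              {httpd_group, [name, userlist]}],
    lists:foreach(
      fun({Tab, Attrs}) ->
              Opts = [{type, bag}, {disc_copies, [node()]}, {attributes, Attrs}],
              case mnesia:create_table(Tab, Opts) of
                  {atomic, ok} -> ok;
                  {aborted, {already_exists, Tab}} -> ok
              end
      end, Tables),
    ok = mnesia:wait_for_tables([httpd_user, httpd_group], 5000).
```

Drop a file into /tmp/banana/www/secret/, run `banana_httpd:start().` in an Erlang shell and request it with `curl -u dev:'correct horse battery staple' http://127.0.0.1:8080/secret/<file>`; without the `-u` option the server answers 401 with the realm from `auth_name`. Binding to 127.0.0.1 is the part that matters most for an internal tool: it keeps the Basic credentials off the network entirely unless you deliberately front the server with TLS.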
I took a brief look at the mod_auth source code, but unfortunately it doesn’t follow what I would consider modern security practices. Not sure if it’s comme il faut to point out any specifics on a public forum without providing a patch first, but it’s pretty obvious. So the search continues.