About anonymous, authenticated and protected routes

[mainrs]

I have a use-case where I want users to be able to submit and modify data anonymously. During submission, I generate a random password that is tied to the data they want to modify later on. During each modification request, they send that password alongside the modifications. I check against the hash I store in my DB to see if they are allowed to modify it. It's basically an account system without real accounts so to say. Or an API key, depends on your interpretation.

I am looking into integration with axum-login. To me it is not entirely clear if I can leverage this crate to simplify my implementation. I also wrote custom layers and extractors to apply to protected routes. However, axum-login seems to rely on session storage, where as my solution does not use session at all. All operations are oneshot and authenticated against the random password they send over.

Thanks for this awesome crate! I also use it for normal logins! :)

[maxcountryman]

However, axum-login seems to rely on session storage, where as my solution does not use session at all.

There's some prior discussions about using axum-login in an API or mobile context where you wouldn't use a session in the traditional sense (but would still use a cookie). If that might fit your use case, it could be worth checking out.

That said, axum-login is a user session management crate and so if you want a completely stateless or cookie-less solution, it might not be the best fit for your use case.

[mainrs]

Thanks for mentioning the API-related discussions!