- Implement `FromRequest` on custom types to create request guards that encode authorization as a compile-time contract — a request that fails a guard in the handler's parameter list is rejected before the handler runs, eliminating runtime auth checks inside handlers: `#[rocket::async_trait] impl<'r> FromRequest<'r> for ApiKey { type Error = ApiKeyError; async fn from_request(req: &'r Request<'_>) -> Outcome<Self, Self::Error> { ... } }`
- Derive `FromForm` on validated request structs and use `#[field(validate = ...)]` for field-level rules — use `Form<T>` for lenient parsing (ignores unknown fields) and `Form<Strict<T>>` when unknown fields must be rejected: `#[derive(FromForm)] struct Signup<'r> { #[field(validate = len(3..))] username: &'r str }`
- Register typed error catchers with `#[catch(404)]` and `#[catch(422)]` returning `Json<ErrorResponse>` — never rely on Rocket's default HTML error pages in APIs.
- Inject application-wide shared state with `.manage()` at launch and retrieve it in handlers via `&State<T>` — all managed types must be `Send + Sync` (enforced at compile time); use `Arc<Mutex<T>>` only for interior mutability, preferring atomics or `DashMap` for high-contention counters.
- Use `rocket_db_pools` with `#[database("name")]` and inject `Connection<Db>` as a request guard for database access — this provides connection pooling, automatic lifecycle management, and per-request connections without global `Mutex` contention.
- Reserve fairings for globally applicable concerns like CORS headers, request timing, or security headers — never use fairings for per-route authentication; request guards are the correct abstraction for route-specific validation.
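
The shared-state rule above (managed types must be `Send + Sync`, atomics for hot counters, a lock only where interior mutability is needed), shown as an added std-only example that is not part of the original list and does not use Rocket itself. `AuthStats`, `record`, `simulate` and the `client-a` label are hypothetical names; the threads stand in for concurrent handlers sharing `&State<AuthStats>`.

```rust
use std::collections::HashMap;
use std::sync::atomic::{AtomicU64, Ordering};
use std::sync::Mutex;
use std::thread;

/// Hypothetical state type of the kind handed to `.manage()`.
pub struct AuthStats {
    requests: AtomicU64,                   // hot counter: lock-free
    failures: Mutex<HashMap<String, u32>>, // keyed data: needs a lock
}

impl AuthStats {
    pub fn new() -> Self {
        Self { requests: AtomicU64::new(0), failures: Mutex::new(HashMap::new()) }
    }

    /// Takes `&self`, like a handler holding `&State<AuthStats>`.
    pub fn record(&self, client: &str, auth_ok: bool) {
        self.requests.fetch_add(1, Ordering::Relaxed);
        if !auth_ok {
            let mut map = self.failures.lock().unwrap();
            *map.entry(client.to_string()).or_insert(0) += 1;
        }
    }

    pub fn requests(&self) -> u64 { self.requests.load(Ordering::Relaxed) }

    pub fn failures(&self, client: &str) -> u32 {
        self.failures.lock().unwrap().get(client).copied().unwrap_or(0)
    }
}

/// Bound the list states for managed types; a `Cell<u64>` field would fail here.
fn assert_managed<T: Send + Sync>() {}

/// Constructed workload: every third request per worker is a failed auth.
pub fn simulate(workers: usize, per_worker: usize) -> AuthStats {
    assert_managed::<AuthStats>();
    let stats = AuthStats::new();
    thread::scope(|s| {
        for _ in 0..workers {
            s.spawn(|| (0..per_worker).for_each(|i| stats.record("client-a", i % 3 != 0)));
        }
    });
    stats
}

fn main() {
    let stats = simulate(8, 300);
    println!("requests={} failures={}", stats.requests(), stats.failures("client-a"));
}
```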