
Rust for the Web - huydotnet
https://thefullsnack.com/en/rust-for-the-web.html
======
modalduality
Web developers may also be interested in
[https://gotham.rs/](https://gotham.rs/), which was released very recently and
looks to be a promising competitor to Rocket.

~~~
runevault
And for those who care, unlike Rocket it runs on stable Rust. IMO that is
useful as I personally prefer running on stable than nightly.

------
pankajdoharey
Man, Rust is super hard already! I mean people told me it would be harder to
think functionally but after Clojure, I think Lisps are super easy. But I feel
Rust is way harder than anything. In fact I feel Haskell is comparatively
easier than Rust. So I am not sure why one wants to use it for web. I think
Rust has a place and that is to replace C++ for system software, possibly even
C for writing kernels because why not? But definitely not for web. Go is
probably the right choice for that sort of performance scenario in the
backend. But for frontend neither Go nor Rust are good simply because of the
huge size of the runtimes. ClojureScript comparatively has a smaller runtime
than either Go or Rust runtimes compiled to JS.

~~~
mathw
I disagree. I think Rust is pretty easy once you've spent a bit of time
learning about lifetimes.

It should be substantially less surprising when it's got non-lexical
lifetimes, though.

Rust seems to me eminently suited to write high-performance web applications.

~~~
naasking
Let's be serious, Rust will never be as easy to use as a language with GC. It
will perform better on many metrics, but you have to pay that cost.

~~~
sqeaky
Unless you care about resources other than memory. GC doesn't help to make
sure mutexes don't deadlock and files are closed. As far as I know there is no
general purpose algorithm for those.

~~~
naasking
Even still, you can opt-in to those features in a GC language when you need
it, but the contrary is not the case in Rust at the moment.

~~~
sqeaky
But you can't opt out of the problems with garbage collectors without dropping
the language.

~~~
naasking
Most common GC "problems" have fairly simple solutions. If we're talking about
50GB+ heaps, then we're already talking about a problem that's getting
significant engineering investment, so custom solutions become warranted, ie.
a special purpose library that manages its own resources that plugs into the
safe runtime, similar to unsafe Rust, just less integrated.

------
jbg_
I built [https://dtmf.io/](https://dtmf.io/) using Rust. The first prototype
was using the Iron framework but then after fighting some parts of Iron, I
pared it back to just using async hyper & handlebars-rs directly for the HTTP
and templating. The glue to put them together is really minimal. Overall, I've
been really impressed with Rust.

------
vvanders
Nice overview, it might be worth mentioning that Emscripten isn't a tier 1
platform[1]. We've seen some asserts thrown in LLVM when building debug that go
away when building release.

I've been trying to isolate it down to a reproducible sample but haven't
nailed down exactly what's causing it yet.

Even with that issue it's been great to work with. I find myself so much more
productive with Rust compared to C/C++.

[1] [https://forge.rust-lang.org/platform-support.html](https://forge.rust-lang.org/platform-support.html)

~~~
dbaupp
If you've got something large that asserts consistently, you could consider
throwing some CPU time at it via creduce. It is designed for C, but Rust is
close enough that a lot of its heuristics still work just fine.

Alternatively, since setting up/running creduce can be a bit fiddly, if the code
is open source, I suspect that someone would do it for you if you filed a bug
against Rust pointing to an exact commit that demonstrates the problem with
`cargo build --target=...` (or xargo) and requested/suggested creduce.

~~~
vvanders
Thanks, I'll give that a shot. Unfortunately the code which is why I was
trying to pare it down to a simple sample.

------
IshKebab
> NamedFile::open(Path::new("www/").join(file)).ok()

Is this vulnerable to the classic "../../../../../../../etc/passwd"?

~~~
rahkiin
I was thinking the exact same thing. Rust being a more memory-safe language
does not mean it is a secure one. Still needs proper input validation.

EDIT: I opened the documentation and found
[https://api.rocket.rs/rocket/request/trait.FromSegments.html](https://api.rocket.rs/rocket/request/trait.FromSegments.html)
I don't fully understand if the checking they do on '..' fixes the attack
vector here.

~~~
anonova
Slashes aren't allowed, so wouldn't be able to do any path traversals:
[https://api.rocket.rs/src/rocket/request/param.rs.html#298](https://api.rocket.rs/src/rocket/request/param.rs.html#298)

~~~
DiThi
> On Windows, decoded segment contains any of: '\'

And on Japanese and Korean Windows? It uses the yen symbol as path separator.
Depending on how the path is read or interpreted, filtering the yen may be
necessary.

[https://msdn.microsoft.com/en-us/library/dd374047(v=vs.85).a...](https://msdn.microsoft.com/en-us/library/dd374047\(v=vs.85\).aspx)
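
The traversal question in this sub-thread, as an added Rust example that is not code from the article, from Rocket, or from any commenter: `naive_join` reproduces the quoted `Path::new("www/").join(file)` pattern, while `stays_under` and `safe_join` are hypothetical helpers that reject `..`, absolute paths, backslashes and, as a conservative assumption, the yen and won signs raised above. The request strings are constructed samples.

```rust
use std::path::{Component, Path, PathBuf};

/// The pattern quoted in the thread: join whatever the client sent.
pub fn naive_join(root: &Path, file: &str) -> PathBuf {
    root.join(file)
}

/// Lexical check (no filesystem access): is `path` still under `root`
/// once every `..` has been resolved?
pub fn stays_under(root: &Path, path: &Path) -> bool {
    let mut resolved = PathBuf::new();
    for c in path.components() {
        match c {
            // pop() fails once we try to climb above the starting directory
            Component::ParentDir => { if !resolved.pop() { return false; } }
            Component::CurDir => {}
            other => resolved.push(other.as_os_str()),
        }
    }
    resolved.starts_with(root)
}

/// Hypothetical helper: join an already percent-decoded request path onto
/// `root`, refusing anything that could leave it.
pub fn safe_join(root: &Path, decoded: &str) -> Option<PathBuf> {
    // '\\' separates paths on Windows; ':' covers drive prefixes. U+00A5 and
    // U+20A9 are rejected as a conservative assumption (yen-sign concern).
    if decoded.chars().any(|c| matches!(c, '\\' | '\0' | ':' | '\u{a5}' | '\u{20a9}')) {
        return None;
    }
    let mut out = root.to_path_buf();
    let before = out.clone();
    for c in Path::new(decoded).components() {
        match c {
            Component::Normal(seg) => out.push(seg),
            Component::CurDir => {}
            _ => return None, // `..`, a leading `/`, or a Windows prefix
        }
    }
    if out == before { None } else { Some(out) } // empty request names no file
}

fn main() {
    let root = Path::new("www");
    for req in ["css/site.css", "../../etc/passwd", "/etc/passwd"] { // constructed inputs
        let naive = naive_join(root, req);
        println!("{req:?}: naive ok={} safe={:?}", stays_under(root, &naive), safe_join(root, req));
    }
}
```

Both checks are lexical only: a symlink inside `www/` can still point outside it, so a server that allows symlinks also needs `std::fs::canonicalize` on the result followed by a `starts_with` test against the canonical root.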

------
RussianCow
Just a small nitpick, but #3 is not actually an isomorphic app, it's just a
regular server-rendered one. Isomorphic typically means that the app is
rendered in the same way (e.g. via React) on both the frontend and backend,
and the frontend degrades gracefully when JS isn't enabled.

More on-topic: I just recently started a new web app using Rust on the
backend. Though there is definitely a lot still missing, it's amazing how far
the language and its ecosystem have come in the past year or so. I expect that
within a couple years, Rust will be a viable alternative to Python and Ruby
for backend web development.

~~~
Drdrdrq
> I expect that within a couple years, Rust will be a viable alternative to
> Python and Ruby for backend web development

I like Rust, but I don't see this happening. Python, Ruby and PHP/Node.js
languages became popular (and thus useful) because their learning curve is not
steep - which is not something one can say about Rust. I consider myself a
capable developer but I struggled with many concepts. It's true that I didn't
use it for a real project though, it might have been easier if I had a clear
goal in my mind.

~~~
RussianCow
That's true, and I don't mean to imply that I think it will replace
Python/Ruby/etc. But I think Rust may find a sizeable niche as a
high-performance, lower-level backend programming language for the web, sort of
like Elixir. I've personally found the learning curve to be a lot smaller for
web development than other projects because you don't have to learn everything
at once; web development doesn't typically call for things like manual
threading, so the borrow checker and other advanced features don't come up
nearly as much or as early as they might for other codebases.

------
Animats
It's cool that you can do this, but it's probably not something you want to do
unless you have an unusual application. A reasonable application might be a
heavily used API at the HTTP level, where the web-facing part is really a
subroutine call interface, performance may be a big issue, and safety against
bad parameters is a big issue.

------
EugeneOZ
You are cool, and it's all amazing work. I bet it was very interesting to
implement. But reading comments I think people don't understand that it's just
a demonstration of how much Rust evolved, not a tutorial of what they should do
to use Rust for the Web. Kind of overkill :)

------
thinbeige
The 'Client-side JS in Rust' part is a promising showcase for WebAssembly and
I hope to see more languages compiling to WebAssembly soon. But looking closer
at the code, which does not do a lot compared to its size, I rather prefer the JS
version.

~~~
ryan-allen
I do believe big change is coming over the next few years, as we can develop
reliable solutions on Web Assembly we're going to be able to use better
languages.

It's going to be glorious!

------
spankalee
This makes no mention of the size of these applications. Given the recent
focus on shipping less JavaScript to the browser to better support mobile and
slow networks, I wonder how feasible this project even is?

~~~
anotherbrownguy
Well, that focus is if you are looking to market your apps in those markets.
If your market has ubiquitous fast affordable internet, shipping more
JavaScript is not that much of an issue, especially if it makes your web
application faster and easier to run or develop or provides other benefits.

------
roywiggins
I can't help thinking something like Wt, but in Rust, would be an awfully
handy way to write webapps.

------
Siilwyn
Nice blog! Do you have an RSS feed? Can't find any...

------
jackblack8989
This is all good and dandy but I don't like the webpage font-color! Can we
have more of black on black so that it's even more modern and minimal? Or
white-on-white which is more of a trend these days?

~~~
huydotnet
;(

~~~
jackblack8989
Lol, I'm sorry it was a bit snarky! You've obviously done a great job but if
anything the jab was not at you but at the trend...

------
anhtran
Rust is cool. But I don't think it's good for web backend at this time. I will
try it when working with WebAssembly.

~~~
littlestymaar
I don't understand why you are downvoted: that's absolutely true, Rust isn't
quite the best choice for web backend ATM, by far.

It's way better than last summer though, Rocket and the recently announced
Gotham framework look great, and I'm really excited to see how it evolves in
the next few months.

