get async-session working with tide

Author: jbr

Cargo.toml

@@ -17,9 +17,19 @@ authors = [
 
 [dependencies]
 async-trait = "0.1.24"
-async-std = "1.5.0"
-cookie = "0.13.3"
-uuid = {version = "0.8.1", features = ["v4"] }
+async-std = "1.6.0"
+serde = { version = "1.0.114", features = ["rc", "derive"] }
+rand = "0.7.3"
+base64 = "0.12.3"
+sha2 = "0.9.1"
+hmac = "0.8.1"
+serde_json = "1.0.56"
+kv-log-macro = "1.0.7"
+bincode = "1.3.1"
+chrono = { version = "0.4.13", features = ["serde"] }
+anyhow = "1.0.31"
+blake3 = "0.3.5"
+
 
 [dev-dependencies]
-tide = "0.6.0"
+async-std = { version = "1.6.2", features = ["attributes"] }

src/cookie_store.rs

@@ -0,0 +1,137 @@
+use crate::{async_trait, Result, Session, SessionStore};
+
+/// A session store that serializes the entire session into a Cookie.
+///
+/// # ***This is not recommended for most production deployments.***
+///
+/// This implementation uses [`bincode`](::bincode) to serialize the
+/// Session to decrease the size of the cookie. Note: There is a
+/// maximum of 4093 cookie bytes allowed _per domain_, so the cookie
+/// store is limited in capacity.
+///
+/// **Note:** Currently, the data in the cookie is only signed, but *not
+/// encrypted*. If the contained session data is sensitive and
+/// should not be read by a user, the cookie store is not an
+/// appropriate choice.
+///
+/// Expiry: `SessionStore::destroy_session` and
+/// `SessionStore::clear_store` are not meaningful for the
+/// CookieStore, and noop. Destroying a session must be done at the
+/// cookie setting level, which is outside of the scope of this crate.
+
+#[derive(Debug, Clone, Copy)]
+pub struct CookieStore;
+
+impl CookieStore {
+    /// constructs a new CookieStore
+    pub fn new() -> Self {
+        Self
+    }
+}
+
+#[async_trait]
+impl SessionStore for CookieStore {
+    async fn load_session(&self, cookie_value: String) -> Result<Option<Session>> {
+        let serialized = base64::decode(&cookie_value)?;
+        let session: Session = bincode::deserialize(&serialized)?;
+        Ok(session.validate())
+    }
+
+    async fn store_session(&self, session: Session) -> Result<Option<String>> {
+        let serialized = bincode::serialize(&session)?;
+        Ok(Some(base64::encode(serialized)))
+    }
+
+    async fn destroy_session(&self, _session: Session) -> Result {
+        Ok(())
+    }
+
+    async fn clear_store(&self) -> Result {
+        Ok(())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use async_std::task;
+    use std::time::Duration;
+    #[async_std::test]
+    async fn creating_a_new_session_with_no_expiry() -> Result {
+        let store = CookieStore::new();
+        let mut session = Session::new();
+        session.insert("key", "Hello")?;
+        let cloned = session.clone();
+        let cookie_value = store.store_session(session).await?.unwrap();
+        let loaded_session = store.load_session(cookie_value).await?.unwrap();
+        assert_eq!(cloned.id(), loaded_session.id());
+        assert_eq!("Hello", &loaded_session.get::<String>("key").unwrap());
+        assert!(!loaded_session.is_expired());
+        assert!(loaded_session.validate().is_some());
+        Ok(())
+    }
+
+    #[async_std::test]
+    async fn updating_a_session() -> Result {
+        let store = CookieStore::new();
+        let mut session = Session::new();
+
+        session.insert("key", "value")?;
+        let cookie_value = store.store_session(session).await?.unwrap();
+
+        let mut session = store.load_session(cookie_value.clone()).await?.unwrap();
+        session.insert("key", "other value")?;
+
+        let new_cookie_value = store.store_session(session).await?.unwrap();
+        let session = store.load_session(new_cookie_value).await?.unwrap();
+        assert_eq!(&session.get::<String>("key").unwrap(), "other value");
+
+        Ok(())
+    }
+
+    #[async_std::test]
+    async fn updating_a_session_extending_expiry() -> Result {
+        let store = CookieStore::new();
+        let mut session = Session::new();
+        session.expire_in(Duration::from_secs(1));
+        let original_expires = session.expiry().unwrap().clone();
+        let cookie_value = store.store_session(session).await?.unwrap();
+
+        let mut session = store.load_session(cookie_value.clone()).await?.unwrap();
+
+        assert_eq!(session.expiry().unwrap(), &original_expires);
+        session.expire_in(Duration::from_secs(3));
+        let new_expires = session.expiry().unwrap().clone();
+        let cookie_value = store.store_session(session).await?.unwrap();
+
+        let session = store.load_session(cookie_value.clone()).await?.unwrap();
+        assert_eq!(session.expiry().unwrap(), &new_expires);
+
+        task::sleep(Duration::from_secs(3)).await;
+        assert_eq!(None, store.load_session(cookie_value).await?);
+
+        Ok(())
+    }
+
+    #[async_std::test]
+    async fn creating_a_new_session_with_expiry() -> Result {
+        let store = CookieStore::new();
+        let mut session = Session::new();
+        session.expire_in(Duration::from_secs(3));
+        session.insert("key", "value")?;
+        let cloned = session.clone();
+
+        let cookie_value = store.store_session(session).await?.unwrap();
+
+        let loaded_session = store.load_session(cookie_value.clone()).await?.unwrap();
+        assert_eq!(cloned.id(), loaded_session.id());
+        assert_eq!("value", &*loaded_session.get::<String>("key").unwrap());
+
+        assert!(!loaded_session.is_expired());
+
+        task::sleep(Duration::from_secs(3)).await;
+        assert_eq!(None, store.load_session(cookie_value).await?);
+
+        Ok(())
+    }
+}

src/lib.rs

@@ -1,185 +1,70 @@
 //! Async HTTP sessions.
 //!
-//! This crate provides a generic interface between cookies and storage
-//! backends to create a concept of sessions. It provides an interface that
-//! can be used to encode and store sessions, and decode and load sessions
-//! generating cookies in the process.
+//! This crate provides a generic interface between cookie values and
+//! storage backends to create a concept of sessions. It provides an
+//! interface that can be used to encode and store sessions, and
+//! decode and load sessions generating cookies in the process.
 //!
-//! # Security
-//!
-//! This module has not been vetted for security purposes, and in particular
-//! the in-memory storage backend is wildly insecure. Please thoroughly
-//! validate whether this crate is a match for your intended use case before
-//! relying on it in any sensitive context.
-//!
-//! # Examples
+//! # Example
 //!
 //! ```
-//! use async_session::mem::MemoryStore;
-//! use async_session::{Session, SessionStore};
-//! use cookie::CookieJar;
+//! use async_session::{Session, SessionStore, MemoryStore};
 //!
-//! # fn main() -> std::io::Result<()> {
+//! # fn main() -> async_session::Result {
 //! # async_std::task::block_on(async {
 //! #
 //! // Init a new session store we can persist sessions to.
 //! let mut store = MemoryStore::new();
 //!
 //! // Create a new session.
-//! let sess = store.create_session();
+//! let mut session = Session::new();
+//! session.insert("user_id", 1)?;
+//! assert!(session.data_changed());
 //!
-//! // Persist the session to our backend, and store a cookie
-//! // to later access the session.
-//! let mut jar = CookieJar::new();
-//! let sess = store.store_session(sess, &mut jar).await?;
+//! // retrieve the cookie value to store in a session cookie
+//! let cookie_value = store.store_session(session).await?.unwrap();
 //!
 //! // Retrieve the session using the cookie.
-//! let sess = store.load_session(&jar).await?;
-//! println!("session: {:?}", sess);
+//! let session = store.load_session(cookie_value).await?.unwrap();
+//! assert_eq!(session.get::<usize>("user_id").unwrap(), 1);
+//! assert!(!session.data_changed());
 //! #
 //! # Ok(()) }) }
 //! ```
 
-#![forbid(unsafe_code, future_incompatible, rust_2018_idioms)]
-#![deny(missing_debug_implementations, nonstandard_style)]
-#![warn(missing_docs, missing_doc_code_examples, unreachable_pub)]
-
-use async_trait::async_trait;
-use std::collections::HashMap;
-
-/// An async session backend.
-#[async_trait]
-pub trait SessionStore: Send + Sync + 'static + Clone {
-    /// The type of error that can occur when storing and loading errors.
-    type Error;
-
-    /// Get a session from the storage backend.
-    ///
-    /// The input should usually be the content of a cookie. This will then be
-    /// parsed by the session middleware into a valid session.
-    async fn load_session(&self, jar: &cookie::CookieJar) -> Result<Session, Self::Error>;
-
-    /// Store a session on the storage backend.
-    ///
-    /// This method should return a stringified representation of the session so
-    /// that it can be sent back to the client through a cookie.
-    async fn store_session(
-        &mut self,
-        session: Session,
-        jar: &mut cookie::CookieJar,
-    ) -> Result<(), Self::Error>;
-}
-
-/// The main session type.
-#[derive(Clone, Debug)]
-pub struct Session {
-    inner: HashMap<String, String>,
-}
-
-impl Session {
-    /// Create a new session.
-    pub fn new() -> Self {
-        Self {
-            inner: HashMap::new(),
-        }
-    }
-
-    /// Insert a new value into the Session.
-    pub fn insert(&mut self, k: String, v: String) -> Option<String> {
-        self.inner.insert(k, v)
-    }
-
-    /// Get a value from the session.
-    pub fn get(&self, k: &str) -> Option<&String> {
-        self.inner.get(k)
-    }
-}
-
-/// In-memory session store.
-pub mod mem {
-    use async_std::io::{Error, ErrorKind};
-    use async_std::sync::{Arc, RwLock};
-    use cookie::Cookie;
-    use std::collections::HashMap;
-
-    use async_trait::async_trait;
-    use uuid::Uuid;
-
-    use crate::{Session, SessionStore};
-
-    /// An in-memory session store.
-    ///
-    /// # Security
-    ///
-    /// This store *does not* generate secure sessions, and should under no
-    /// circumstance be used in production. It's meant only to quickly create
-    /// sessions.
-    #[derive(Debug)]
-    pub struct MemoryStore {
-        inner: Arc<RwLock<HashMap<String, Session>>>,
-    }
-
-    impl MemoryStore {
-        /// Create a new instance of MemoryStore.
-        pub fn new() -> Self {
-            Self {
-                inner: Arc::new(RwLock::new(HashMap::new())),
-            }
-        }
-
-        /// Generates a new session by generating a new uuid.
-        ///
-        /// This is *not* a secure way of generating sessions, and is intended for debug purposes only.
-        pub fn create_session(&self) -> Session {
-            let mut sess = Session::new();
-            sess.insert("id".to_string(), uuid::Uuid::new_v4().to_string());
-            sess
-        }
-    }
-
-    impl Clone for MemoryStore {
-        fn clone(&self) -> Self {
-            Self {
-                inner: self.inner.clone(),
-            }
-        }
-    }
-
-    #[async_trait]
-    impl SessionStore for MemoryStore {
-        /// The type of error that can occur when storing and loading errors.
-        type Error = std::io::Error;
-
-        /// Get a session from the storage backend.
-        async fn load_session(&self, jar: &cookie::CookieJar) -> Result<Session, Self::Error> {
-            let id = match jar.get("session") {
-                Some(cookie) => Uuid::parse_str(cookie.value()),
-                None => return Err(Error::new(ErrorKind::Other, "No session cookie found")),
-            };
-
-            let id = id
-                .map_err(|_| Error::new(ErrorKind::Other, "Cookie content was not a valid uuid"))?
-                .to_string();
-
-            let inner = self.inner.read().await;
-            let sess = inner.get(&id).ok_or(Error::from(ErrorKind::Other))?;
-            Ok(sess.clone())
-        }
-
-        /// Store a session on the storage backend.
-        ///
-        /// The data inside the session will be url-encoded so it can be stored
-        /// inside a cookie.
-        async fn store_session(
-            &mut self,
-            sess: Session,
-            jar: &mut cookie::CookieJar,
-        ) -> Result<(), Self::Error> {
-            let mut inner = self.inner.write().await;
-            let id = sess.get("id").unwrap().to_string();
-            inner.insert(id.clone(), sess);
-            jar.add(Cookie::new("session", id));
-            Ok(())
-        }
-    }
-}
+// #![forbid(unsafe_code, future_incompatible)]
+// #![deny(missing_debug_implementations, nonstandard_style)]
+// #![warn(missing_docs, missing_doc_code_examples, unreachable_pub)]
+#![forbid(unsafe_code, future_incompatible)]
+#![deny(
+    missing_debug_implementations,
+    nonstandard_style,
+    missing_docs,
+    unreachable_pub,
+    missing_copy_implementations,
+    unused_qualifications
+)]
+
+pub use anyhow::Error;
+/// An anyhow::Result with default return type of ()
+pub type Result<T = ()> = std::result::Result<T, Error>;
+
+mod cookie_store;
+mod memory_store;
+mod session;
+mod session_store;
+
+pub use cookie_store::CookieStore;
+pub use memory_store::MemoryStore;
+pub use session::Session;
+pub use session_store::SessionStore;
+
+pub use async_trait::async_trait;
+pub use base64;
+pub use blake3;
+pub use chrono;
+pub use hmac;
+pub use kv_log_macro as log;
+pub use serde;
+pub use serde_json;
+pub use sha2;