From 8d635f71fb7a0ed9a151a9b0e965923612e04cd8 Mon Sep 17 00:00:00 2001
From: "Juan J. Jimenez-Anca"
Date: Sat, 6 Mar 2021 19:26:06 +0000
Subject: [PATCH] allow session-only cookies (#161)
Co-authored-by: Rob Ede
---
 actix-redis/CHANGES.md | 3 ++
 actix-redis/src/session.rs | 36 +++++++++++++++++--
 .../src/headers/authorization/scheme/basic.rs | 2 +-
 3 files changed, 38 insertions(+), 3 deletions(-)
diff --git a/actix-redis/CHANGES.md b/actix-redis/CHANGES.md
index a44213503..07fb6dd12 100644
--- a/actix-redis/CHANGES.md
+++ b/actix-redis/CHANGES.md
@@ -2,6 +2,9 @@

 ## Unreleased - 2020-xx-xx
 * Implement `std::error::Error` for `Error` [#135]
+* Allow the removal of Max-Age for session-only cookies. [#161]
+
+[#161]: https://github.com/actix/actix-extras/pull/161

 ## 0.9.1 - 2020-09-12
 * Enforce minimum redis-async version of 0.6.3 to workaround breaking patch change.
diff --git a/actix-redis/src/session.rs b/actix-redis/src/session.rs
index 773a3e491..8253c3f26 100644
--- a/actix-redis/src/session.rs
+++ b/actix-redis/src/session.rs
@@ -80,8 +80,9 @@ impl RedisSession {
 }

 /// Set custom cookie max-age
- pub fn cookie_max_age(mut self, max_age: Duration) -> Self {
- Rc::get_mut(&mut self.0).unwrap().max_age = Some(max_age);
+ /// Use `None` for session-only cookies
+ pub fn cookie_max_age(mut self, max_age: impl Into>) -> Self {
+ Rc::get_mut(&mut self.0).unwrap().max_age = max_age.into();
 self
 }

@@ -450,6 +451,7 @@ mod test {
 // Step 1: GET index
 // - set-cookie actix-session will be in response (session cookie #1)
 // - response should be: {"counter": 0, "user_id": None}
+ // - cookie should have default max-age of 7 days
 // Step 2: GET index, including session cookie #1 in request
 // - set-cookie will *not* be in response
 // - response should be: {"counter": 0, "user_id": None}
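Review bot: The doc line added to `cookie_max_age` (session.rs hunk at -80,8) says `None` gives a session-only cookie but not what that means for the session's lifetime: the body only assigns the `max_age` field, so omitting Max-Age changes how long the browser keeps the cookie and nothing else. A browser that restores its previous session can keep such a cookie across restarts, so callers who choose `None` to limit exposure on shared machines still depend on server-side expiry. I would extend the comment to `/// Passing None omits Max-Age, so the browser drops the cookie when its session ends; this does not change server-side expiry of the stored session.` and put an empty `///` line after the summary so rustdoc does not merge the two sentences into one paragraph. The generic argument of the new parameter type looks truncated on this page, so this reading is based on the `.cookie_max_age(None)` call in the added test.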
@@ -510,6 +512,7 @@ mod test {
 counter: 0
 }
 );
+ assert_eq!(cookie_1.max_age(), Some(Duration::days(7)));

 // Step 2: GET index, including session cookie #1 in request
 // - set-cookie will *not* be in response
@@ -667,4 +670,33 @@ mod test {
 .unwrap();
 assert_ne!(cookie_5.value(), cookie_2.value());
 }
+
+ #[actix_rt::test]
+ async fn test_max_age_session_only() {
+ //
+ // Test that removing max_age results in a session-only cookie
+ //
+ let srv = test::start(|| {
+ App::new()
+ .wrap(
+ RedisSession::new("127.0.0.1:6379", &[0; 32])
+ .cookie_name("test-session")
+ .cookie_max_age(None),
+ )
+ .wrap(middleware::Logger::default())
+ .service(resource("/").route(get().to(index)))
+ });
+
+ let req = srv.get("/").send();
+ let resp = req.await.unwrap();
+ let cookie = resp
+ .cookies()
+ .unwrap()
+ .clone()
+ .into_iter()
+ .find(|c| c.name() == "test-session")
+ .unwrap();
+
+ assert_eq!(cookie.max_age(), None);
+ }
 }
diff --git a/actix-web-httpauth/src/headers/authorization/scheme/basic.rs b/actix-web-httpauth/src/headers/authorization/scheme/basic.rs
index 5ee983e2e..9c17d9acf 100644
--- a/actix-web-httpauth/src/headers/authorization/scheme/basic.rs
+++ b/actix-web-httpauth/src/headers/authorization/scheme/basic.rs
@@ -115,7 +115,7 @@ impl IntoHeaderValue for Basic {
 let encoded = base64::encode(&credentials);
 let mut value = BytesMut::with_capacity(6 + encoded.len());
 value.put(&b"Basic "[..]);
- value.put(&encoded.as_bytes()[..]);
+ value.put(encoded.as_bytes());

 HeaderValue::from_maybe_shared(value.freeze())
 }
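Review bot: `test_max_age_session_only` (session.rs hunk at -667,4) asserts only that `cookie.max_age()` is `None`, which covers half of what makes a cookie session-only: a cookie that carries an Expires attribute is still persistent in the browser. If the cookie type used here exposes it, add `assert!(cookie.expires().is_none());` next to the existing assertion so that a later change which sets Expires cannot pass this test. The fixture also passes an all-zero key, `&[0; 32]`; a short comment such as `// test-only key, never use a constant key outside tests` would keep the snippet from being copied into application setup.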