allow user to set the cookie HttpOnly policy for the redis session (#36)

* allow user to set the cookie HttpOnly policy for the redis session Signed-off-by: Bart Willems <bwillems@protonmail.com>
2025-02-17 08:33:30 +01:00 · 2020-03-29 14:36:01 +02:00 · 2020-03-29 14:36:01 +02:00 · f4bcebdecd
commit f4bcebdecd
parent f878889627
4 changed files with 112 additions and 1 deletions
--- a/actix-redis/CHANGES.md
+++ b/actix-redis/CHANGES.md
@ -1,5 +1,10 @@
 # Changes

+## [Unreleased]
+
+* Added `cookie_http_only` functionality to RedisSession builder, setting this
+  to false allows JavaScript to access cookies. Defaults to true.
+
 ## [0.9.0-alpha.1]

 * Update `actix` to 0.10.0-alpha.2
--- a/actix-redis/Cargo.toml
+++ b/actix-redis/Cargo.toml
@ -48,3 +48,5 @@ serde_json = { version = "1.0.40", optional = true }

 [dev-dependencies]
 env_logger = "0.7"
+serde_derive = "1.0"
+serde_json = "1.0"
--- a/actix-redis/examples/authentication.rs
+++ b/actix-redis/examples/authentication.rs
@ -0,0 +1,96 @@
+#[macro_use]
+extern crate serde_derive;
+
+use actix_redis::RedisSession;
+use actix_session::Session;
+use actix_web::{
+    cookie, middleware, web, App, Error, HttpResponse, HttpServer, Responder,
+};
+
+#[derive(Deserialize)]
+struct Credentials {
+    username: String,
+    password: String,
+}
+
+#[derive(Serialize)]
+struct User {
+    id: i64,
+    username: String,
+    password: String,
+}
+
+impl User {
+    fn authenticate(credentials: Credentials) -> Result<Self, actix_http::Response> {
+        // TODO: figure out why I keep getting hacked
+        if &credentials.password != "hunter2" {
+            return Err(HttpResponse::Unauthorized().json("Unauthorized"));
+        }
+
+        Ok(User {
+            id: 42,
+            username: credentials.username,
+            password: credentials.password,
+        })
+    }
+}
+
+pub fn validate_session(session: &Session) -> Result<i64, actix_http::Response> {
+    let user_id: Option<i64> = session.get("user_id").unwrap_or(None);
+
+    match user_id {
+        Some(id) => {
+            // keep the user's session alive
+            session.renew();
+            Ok(id)
+        }
+        None => Err(HttpResponse::Unauthorized().json("Unauthorized")),
+    }
+}
+
+async fn login(
+    credentials: web::Json<Credentials>,
+    session: Session,
+) -> Result<impl Responder, actix_http::Response> {
+    let credentials = credentials.into_inner();
+
+    match User::authenticate(credentials) {
+        Ok(user) => session.set("user_id", user.id).unwrap(),
+        Err(_) => return Err(HttpResponse::Unauthorized().json("Unauthorized")),
+    };
+
+    Ok("Welcome!")
+}
+
+/// some protected resource
+async fn secret(session: Session) -> Result<impl Responder, Error> {
+    // only allow access to this resource if the user has an active session
+    validate_session(&session)?;
+
+    Ok("secret revealed")
+}
+
+#[actix_rt::main]
+async fn main() -> std::io::Result<()> {
+    std::env::set_var("RUST_LOG", "actix_web=info,actix_redis=info");
+    env_logger::init();
+
+    HttpServer::new(|| {
+        App::new()
+            // enable logger
+            .wrap(middleware::Logger::default())
+            // cookie session middleware
+            .wrap(
+                RedisSession::new("127.0.0.1:6379", &[0; 32])
+                    // allow the cookie to be accessed from javascript
+                    .cookie_http_only(false)
+                    // allow the cookie only from the current domain
+                    .cookie_same_site(cookie::SameSite::Strict),
+            )
+            .route("/login", web::post().to(login))
+            .route("/secret", web::get().to(secret))
+    })
+    .bind("0.0.0.0:8080")?
+    .run()
+    .await
+}
--- a/actix-redis/src/session.rs
+++ b/actix-redis/src/session.rs
@ -42,6 +42,7 @@ impl RedisSession {
            secure: false,
            max_age: Some(Duration::days(7)),
            same_site: None,
+            http_only: Some(true),
        }))
    }

@ -89,6 +90,12 @@ impl RedisSession {
        self
    }

+    /// Set custom cookie HttpOnly policy
+    pub fn cookie_http_only(mut self, http_only: bool) -> Self {
+        Rc::get_mut(&mut self.0).unwrap().http_only = Some(http_only);
+        self
+    }
+
    /// Set a custom cache key generation strategy, expecting session key as input
    pub fn cache_keygen(mut self, keygen: Box<dyn Fn(&str) -> String>) -> Self {
        Rc::get_mut(&mut self.0).unwrap().cache_keygen = keygen;
@ -205,6 +212,7 @@ struct Inner {
    secure: bool,
    max_age: Option<Duration>,
    same_site: Option<SameSite>,
+    http_only: Option<bool>,
 }

 impl Inner {
@ -278,7 +286,7 @@ impl Inner {
            let mut cookie = Cookie::new(self.name.clone(), value.clone());
            cookie.set_path(self.path.clone());
            cookie.set_secure(self.secure);
-            cookie.set_http_only(true);
+            cookie.set_http_only(self.http_only.unwrap_or(true));

            if let Some(ref domain) = self.domain {
                cookie.set_domain(domain.clone());