allow user to set the cookie HttpOnly policy for the redis session (#36)

* allow user to set the cookie HttpOnly policy for the redis session Signed-off-by: Bart Willems <bwillems@protonmail.com>
2025-06-27 02:37:42 +02:00 · 2020-03-29 14:36:01 +02:00
parent f878889627
commit f4bcebdecd
4 changed files with 112 additions and 1 deletions
--- a/actix-redis/examples/authentication.rs
+++ b/actix-redis/examples/authentication.rs
@ -0,0 +1,96 @@
+#[macro_use]
+extern crate serde_derive;
+
+use actix_redis::RedisSession;
+use actix_session::Session;
+use actix_web::{
+    cookie, middleware, web, App, Error, HttpResponse, HttpServer, Responder,
+};
+
+#[derive(Deserialize)]
+struct Credentials {
+    username: String,
+    password: String,
+}
+
+#[derive(Serialize)]
+struct User {
+    id: i64,
+    username: String,
+    password: String,
+}
+
+impl User {
+    fn authenticate(credentials: Credentials) -> Result<Self, actix_http::Response> {
+        // TODO: figure out why I keep getting hacked
+        if &credentials.password != "hunter2" {
+            return Err(HttpResponse::Unauthorized().json("Unauthorized"));
+        }
+
+        Ok(User {
+            id: 42,
+            username: credentials.username,
+            password: credentials.password,
+        })
+    }
+}
+
+pub fn validate_session(session: &Session) -> Result<i64, actix_http::Response> {
+    let user_id: Option<i64> = session.get("user_id").unwrap_or(None);
+
+    match user_id {
+        Some(id) => {
+            // keep the user's session alive
+            session.renew();
+            Ok(id)
+        }
+        None => Err(HttpResponse::Unauthorized().json("Unauthorized")),
+    }
+}
+
+async fn login(
+    credentials: web::Json<Credentials>,
+    session: Session,
+) -> Result<impl Responder, actix_http::Response> {
+    let credentials = credentials.into_inner();
+
+    match User::authenticate(credentials) {
+        Ok(user) => session.set("user_id", user.id).unwrap(),
+        Err(_) => return Err(HttpResponse::Unauthorized().json("Unauthorized")),
+    };
+
+    Ok("Welcome!")
+}
+
+/// some protected resource
+async fn secret(session: Session) -> Result<impl Responder, Error> {
+    // only allow access to this resource if the user has an active session
+    validate_session(&session)?;
+
+    Ok("secret revealed")
+}
+
+#[actix_rt::main]
+async fn main() -> std::io::Result<()> {
+    std::env::set_var("RUST_LOG", "actix_web=info,actix_redis=info");
+    env_logger::init();
+
+    HttpServer::new(|| {
+        App::new()
+            // enable logger
+            .wrap(middleware::Logger::default())
+            // cookie session middleware
+            .wrap(
+                RedisSession::new("127.0.0.1:6379", &[0; 32])
+                    // allow the cookie to be accessed from javascript
+                    .cookie_http_only(false)
+                    // allow the cookie only from the current domain
+                    .cookie_same_site(cookie::SameSite::Strict),
+            )
+            .route("/login", web::post().to(login))
+            .route("/secret", web::get().to(secret))
+    })
+    .bind("0.0.0.0:8080")?
+    .run()
+    .await
+}