actix/actix-extras
1
0
Fork 0
mirror of https://github.com/actix/actix-extras.git synced 2025-02-20 01:34:22 +01:00
Code Issues Releases Wiki Activity

allow user to set the cookie HttpOnly policy for the redis session (#36)

Browse Source 
* allow user to set the cookie HttpOnly policy for the redis session

Signed-off-by: Bart Willems <bwillems@protonmail.com>
This commit is contained in:
Bart Willems 2020-03-29 14:36:01 +02:00 committed by GitHub
parent f878889627
commit f4bcebdecd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 112 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
actix-redis/CHANGES.md
View File

@ -1,5 +1,10 @@
# Changes # Changes
## [Unreleased]
* Added `cookie_http_only` functionality to RedisSession builder, setting this
to false allows JavaScript to access cookies. Defaults to true.
## [0.9.0-alpha.1] ## [0.9.0-alpha.1]
* Update `actix` to 0.10.0-alpha.2 * Update `actix` to 0.10.0-alpha.2

2
actix-redis/Cargo.toml
View File

@ -48,3 +48,5 @@ serde_json = { version = "1.0.40", optional = true }
[dev-dependencies] [dev-dependencies]
env_logger = "0.7" env_logger = "0.7"
serde_derive = "1.0"
serde_json = "1.0"

96
actix-redis/examples/authentication.rs Normal file
View File

@ -0,0 +1,96 @@
#[macro_use]
extern crate serde_derive;
use actix_redis::RedisSession;
use actix_session::Session;
use actix_web::{
cookie, middleware, web, App, Error, HttpResponse, HttpServer, Responder,
};
#[derive(Deserialize)]
struct Credentials {
username: String,
password: String,
}
#[derive(Serialize)]
struct User {
id: i64,
username: String,
password: String,
}
impl User {
fn authenticate(credentials: Credentials) -> Result<Self, actix_http::Response> {
// TODO: figure out why I keep getting hacked
if &credentials.password != "hunter2" {
return Err(HttpResponse::Unauthorized().json("Unauthorized"));
}
Ok(User {
id: 42,
username: credentials.username,
password: credentials.password,
})
}
}
pub fn validate_session(session: &Session) -> Result<i64, actix_http::Response> {
let user_id: Option<i64> = session.get("user_id").unwrap_or(None);
match user_id {
Some(id) => {
// keep the user's session alive
session.renew();
Ok(id)
}
None => Err(HttpResponse::Unauthorized().json("Unauthorized")),
}
}
async fn login(
credentials: web::Json<Credentials>,
session: Session,
) -> Result<impl Responder, actix_http::Response> {
let credentials = credentials.into_inner();
match User::authenticate(credentials) {
Ok(user) => session.set("user_id", user.id).unwrap(),
Err(_) => return Err(HttpResponse::Unauthorized().json("Unauthorized")),
};
Ok("Welcome!")
}
/// some protected resource
async fn secret(session: Session) -> Result<impl Responder, Error> {
// only allow access to this resource if the user has an active session
validate_session(&session)?;
Ok("secret revealed")
}
#[actix_rt::main]
async fn main() -> std::io::Result<()> {
std::env::set_var("RUST_LOG", "actix_web=info,actix_redis=info");
env_logger::init();
HttpServer::new(|| {
App::new()
// enable logger
.wrap(middleware::Logger::default())
// cookie session middleware
.wrap(
RedisSession::new("127.0.0.1:6379", &[0; 32])
// allow the cookie to be accessed from javascript
.cookie_http_only(false)
// allow the cookie only from the current domain
.cookie_same_site(cookie::SameSite::Strict),
)
.route("/login", web::post().to(login))
.route("/secret", web::get().to(secret))
})
.bind("0.0.0.0:8080")?
.run()
.await
}

10
actix-redis/src/session.rs
View File

@ -42,6 +42,7 @@ impl RedisSession {
secure: false, secure: false,
max_age: Some(Duration::days(7)), max_age: Some(Duration::days(7)),
same_site: None, same_site: None,
http_only: Some(true),
})) }))
} }
@ -89,6 +90,12 @@ impl RedisSession {
self self
} }
/// Set custom cookie HttpOnly policy
pub fn cookie_http_only(mut self, http_only: bool) -> Self {
Rc::get_mut(&mut self.0).unwrap().http_only = Some(http_only);
self
}
/// Set a custom cache key generation strategy, expecting session key as input /// Set a custom cache key generation strategy, expecting session key as input
pub fn cache_keygen(mut self, keygen: Box<dyn Fn(&str) -> String>) -> Self { pub fn cache_keygen(mut self, keygen: Box<dyn Fn(&str) -> String>) -> Self {
Rc::get_mut(&mut self.0).unwrap().cache_keygen = keygen; Rc::get_mut(&mut self.0).unwrap().cache_keygen = keygen;
@ -205,6 +212,7 @@ struct Inner {
secure: bool, secure: bool,
max_age: Option<Duration>, max_age: Option<Duration>,
same_site: Option<SameSite>, same_site: Option<SameSite>,
http_only: Option<bool>,
} }
impl Inner { impl Inner {
@ -278,7 +286,7 @@ impl Inner {
let mut cookie = Cookie::new(self.name.clone(), value.clone()); let mut cookie = Cookie::new(self.name.clone(), value.clone());
cookie.set_path(self.path.clone()); cookie.set_path(self.path.clone());
cookie.set_secure(self.secure); cookie.set_secure(self.secure);
cookie.set_http_only(true); cookie.set_http_only(self.http_only.unwrap_or(true));
if let Some(ref domain) = self.domain { if let Some(ref domain) = self.domain {
cookie.set_domain(domain.clone()); cookie.set_domain(domain.clone());