<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `actix-session/src/middleware.rs`."><title>middleware.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceSerif4-Regular-46f98efaafac5295.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/FiraSans-Regular-018c141bf0843ffd.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/FiraSans-Medium-8f9a781e4970d388.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceCodePro-Regular-562dcc5011b6de7d.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../static.files/SourceCodePro-Semibold-d899c5a5c4aeb14a.ttf.woff2"><link rel="stylesheet" href="../../static.files/normalize-76eba96aa4d2e634.css"><link rel="stylesheet" href="../../static.files/rustdoc-e935ef01ae1c1829.css"><meta name="rustdoc-vars" data-root-path="../../" data-static-root-path="../../static.files/" data-current-crate="actix_session" data-themes="" data-resource-suffix="" data-rustdoc-version="1.78.0-nightly (2bf78d12d 2024-02-18)" data-channel="nightly" data-search-js="search-dd67cee4cfa65049.js" data-settings-js="settings-4313503d2e1961c2.js" ><script src="../../static.files/storage-4c98445ec4002617.js"></script><script defer src="../../static.files/src-script-e66d777a5a92e9b2.js"></script><script defer src="../../src-files.js"></script><script defer src="../../static.files/main-c37d3936c59ababd.js"></script><noscript><link rel="stylesheet" href="../../static.files/noscript-04d5337699b92874.css"></noscript><link rel="icon" href="https://actix.rs/favicon.ico"></head><body class="rustdoc src"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><div class="src-sidebar-title">
<h2>Files</h2></div></nav><div class="sidebar-resizer"></div>
<main><nav class="sub"><form class="search-form"><span></span><div id="sidebar-button" tabindex="-1"><a href="../../actix_session/all.html" title="show sidebar"></a></div><input class="search-input" name="search" aria-label="Run search in the documentation" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" tabindex="-1"><a href="../../help.html" title="help">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../static.files/wheel-7b819b6101059cd0.svg"></a></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><div data-nosnippet><pre class="src-line-numbers"><a href="#1" id="1">1</a>
<a href="#2" id="2">2</a>
<a href="#3" id="3">3</a>
<a href="#4" id="4">4</a>
<a href="#5" id="5">5</a>
<a href="#6" id="6">6</a>
<a href="#7" id="7">7</a>
<a href="#8" id="8">8</a>
<a href="#9" id="9">9</a>
<a href="#10" id="10">10</a>
<a href="#11" id="11">11</a>
<a href="#12" id="12">12</a>
<a href="#13" id="13">13</a>
<a href="#14" id="14">14</a>
<a href="#15" id="15">15</a>
<a href="#16" id="16">16</a>
<a href="#17" id="17">17</a>
<a href="#18" id="18">18</a>
<a href="#19" id="19">19</a>
<a href="#20" id="20">20</a>
<a href="#21" id="21">21</a>
<a href="#22" id="22">22</a>
<a href="#23" id="23">23</a>
<a href="#24" id="24">24</a>
<a href="#25" id="25">25</a>
<a href="#26" id="26">26</a>
<a href="#27" id="27">27</a>
<a href="#28" id="28">28</a>
<a href="#29" id="29">29</a>
<a href="#30" id="30">30</a>
<a href="#31" id="31">31</a>
<a href="#32" id="32">32</a>
<a href="#33" id="33">33</a>
<a href="#34" id="34">34</a>
<a href="#35" id="35">35</a>
<a href="#36" id="36">36</a>
<a href="#37" id="37">37</a>
<a href="#38" id="38">38</a>
<a href="#39" id="39">39</a>
<a href="#40" id="40">40</a>
<a href="#41" id="41">41</a>
<a href="#42" id="42">42</a>
<a href="#43" id="43">43</a>
<a href="#44" id="44">44</a>
<a href="#45" id="45">45</a>
<a href="#46" id="46">46</a>
<a href="#47" id="47">47</a>
<a href="#48" id="48">48</a>
<a href="#49" id="49">49</a>
<a href="#50" id="50">50</a>
<a href="#51" id="51">51</a>
<a href="#52" id="52">52</a>
<a href="#53" id="53">53</a>
<a href="#54" id="54">54</a>
<a href="#55" id="55">55</a>
<a href="#56" id="56">56</a>
<a href="#57" id="57">57</a>
<a href="#58" id="58">58</a>
<a href="#59" id="59">59</a>
<a href="#60" id="60">60</a>
<a href="#61" id="61">61</a>
<a href="#62" id="62">62</a>
<a href="#63" id="63">63</a>
<a href="#64" id="64">64</a>
<a href="#65" id="65">65</a>
<a href="#66" id="66">66</a>
<a href="#67" id="67">67</a>
<a href="#68" id="68">68</a>
<a href="#69" id="69">69</a>
<a href="#70" id="70">70</a>
<a href="#71" id="71">71</a>
<a href="#72" id="72">72</a>
<a href="#73" id="73">73</a>
<a href="#74" id="74">74</a>
<a href="#75" id="75">75</a>
<a href="#76" id="76">76</a>
<a href="#77" id="77">77</a>
<a href="#78" id="78">78</a>
<a href="#79" id="79">79</a>
<a href="#80" id="80">80</a>
<a href="#81" id="81">81</a>
<a href="#82" id="82">82</a>
<a href="#83" id="83">83</a>
<a href="#84" id="84">84</a>
<a href="#85" id="85">85</a>
<a href="#86" id="86">86</a>
<a href="#87" id="87">87</a>
<a href="#88" id="88">88</a>
<a href="#89" id="89">89</a>
<a href="#90" id="90">90</a>
<a href="#91" id="91">91</a>
<a href="#92" id="92">92</a>
<a href="#93" id="93">93</a>
<a href="#94" id="94">94</a>
<a href="#95" id="95">95</a>
<a href="#96" id="96">96</a>
<a href="#97" id="97">97</a>
<a href="#98" id="98">98</a>
<a href="#99" id="99">99</a>
<a href="#100" id="100">100</a>
<a href="#101" id="101">101</a>
<a href="#102" id="102">102</a>
<a href="#103" id="103">103</a>
<a href="#104" id="104">104</a>
<a href="#105" id="105">105</a>
<a href="#106" id="106">106</a>
<a href="#107" id="107">107</a>
<a href="#108" id="108">108</a>
<a href="#109" id="109">109</a>
<a href="#110" id="110">110</a>
<a href="#111" id="111">111</a>
<a href="#112" id="112">112</a>
<a href="#113" id="113">113</a>
<a href="#114" id="114">114</a>
<a href="#115" id="115">115</a>
<a href="#116" id="116">116</a>
<a href="#117" id="117">117</a>
<a href="#118" id="118">118</a>
<a href="#119" id="119">119</a>
<a href="#120" id="120">120</a>
<a href="#121" id="121">121</a>
<a href="#122" id="122">122</a>
<a href="#123" id="123">123</a>
<a href="#124" id="124">124</a>
<a href="#125" id="125">125</a>
<a href="#126" id="126">126</a>
<a href="#127" id="127">127</a>
<a href="#128" id="128">128</a>
<a href="#129" id="129">129</a>
<a href="#130" id="130">130</a>
<a href="#131" id="131">131</a>
<a href="#132" id="132">132</a>
<a href="#133" id="133">133</a>
<a href="#134" id="134">134</a>
<a href="#135" id="135">135</a>
<a href="#136" id="136">136</a>
<a href="#137" id="137">137</a>
<a href="#138" id="138">138</a>
<a href="#139" id="139">139</a>
<a href="#140" id="140">140</a>
<a href="#141" id="141">141</a>
<a href="#142" id="142">142</a>
<a href="#143" id="143">143</a>
<a href="#144" id="144">144</a>
<a href="#145" id="145">145</a>
<a href="#146" id="146">146</a>
<a href="#147" id="147">147</a>
<a href="#148" id="148">148</a>
<a href="#149" id="149">149</a>
<a href="#150" id="150">150</a>
<a href="#151" id="151">151</a>
<a href="#152" id="152">152</a>
<a href="#153" id="153">153</a>
<a href="#154" id="154">154</a>
<a href="#155" id="155">155</a>
<a href="#156" id="156">156</a>
<a href="#157" id="157">157</a>
<a href="#158" id="158">158</a>
<a href="#159" id="159">159</a>
<a href="#160" id="160">160</a>
<a href="#161" id="161">161</a>
<a href="#162" id="162">162</a>
<a href="#163" id="163">163</a>
<a href="#164" id="164">164</a>
<a href="#165" id="165">165</a>
<a href="#166" id="166">166</a>
<a href="#167" id="167">167</a>
<a href="#168" id="168">168</a>
<a href="#169" id="169">169</a>
<a href="#170" id="170">170</a>
<a href="#171" id="171">171</a>
<a href="#172" id="172">172</a>
<a href="#173" id="173">173</a>
<a href="#174" id="174">174</a>
<a href="#175" id="175">175</a>
<a href="#176" id="176">176</a>
<a href="#177" id="177">177</a>
<a href="#178" id="178">178</a>
<a href="#179" id="179">179</a>
<a href="#180" id="180">180</a>
<a href="#181" id="181">181</a>
<a href="#182" id="182">182</a>
<a href="#183" id="183">183</a>
<a href="#184" id="184">184</a>
<a href="#185" id="185">185</a>
<a href="#186" id="186">186</a>
<a href="#187" id="187">187</a>
<a href="#188" id="188">188</a>
<a href="#189" id="189">189</a>
<a href="#190" id="190">190</a>
<a href="#191" id="191">191</a>
<a href="#192" id="192">192</a>
<a href="#193" id="193">193</a>
<a href="#194" id="194">194</a>
<a href="#195" id="195">195</a>
<a href="#196" id="196">196</a>
<a href="#197" id="197">197</a>
<a href="#198" id="198">198</a>
<a href="#199" id="199">199</a>
<a href="#200" id="200">200</a>
<a href="#201" id="201">201</a>
<a href="#202" id="202">202</a>
<a href="#203" id="203">203</a>
<a href="#204" id="204">204</a>
<a href="#205" id="205">205</a>
<a href="#206" id="206">206</a>
<a href="#207" id="207">207</a>
<a href="#208" id="208">208</a>
<a href="#209" id="209">209</a>
<a href="#210" id="210">210</a>
<a href="#211" id="211">211</a>
<a href="#212" id="212">212</a>
<a href="#213" id="213">213</a>
<a href="#214" id="214">214</a>
<a href="#215" id="215">215</a>
<a href="#216" id="216">216</a>
<a href="#217" id="217">217</a>
<a href="#218" id="218">218</a>
<a href="#219" id="219">219</a>
<a href="#220" id="220">220</a>
<a href="#221" id="221">221</a>
<a href="#222" id="222">222</a>
<a href="#223" id="223">223</a>
<a href="#224" id="224">224</a>
<a href="#225" id="225">225</a>
<a href="#226" id="226">226</a>
<a href="#227" id="227">227</a>
<a href="#228" id="228">228</a>
<a href="#229" id="229">229</a>
<a href="#230" id="230">230</a>
<a href="#231" id="231">231</a>
<a href="#232" id="232">232</a>
<a href="#233" id="233">233</a>
<a href="#234" id="234">234</a>
<a href="#235" id="235">235</a>
<a href="#236" id="236">236</a>
<a href="#237" id="237">237</a>
<a href="#238" id="238">238</a>
<a href="#239" id="239">239</a>
<a href="#240" id="240">240</a>
<a href="#241" id="241">241</a>
<a href="#242" id="242">242</a>
<a href="#243" id="243">243</a>
<a href="#244" id="244">244</a>
<a href="#245" id="245">245</a>
<a href="#246" id="246">246</a>
<a href="#247" id="247">247</a>
<a href="#248" id="248">248</a>
<a href="#249" id="249">249</a>
<a href="#250" id="250">250</a>
<a href="#251" id="251">251</a>
<a href="#252" id="252">252</a>
<a href="#253" id="253">253</a>
<a href="#254" id="254">254</a>
<a href="#255" id="255">255</a>
<a href="#256" id="256">256</a>
<a href="#257" id="257">257</a>
<a href="#258" id="258">258</a>
<a href="#259" id="259">259</a>
<a href="#260" id="260">260</a>
<a href="#261" id="261">261</a>
<a href="#262" id="262">262</a>
<a href="#263" id="263">263</a>
<a href="#264" id="264">264</a>
<a href="#265" id="265">265</a>
<a href="#266" id="266">266</a>
<a href="#267" id="267">267</a>
<a href="#268" id="268">268</a>
<a href="#269" id="269">269</a>
<a href="#270" id="270">270</a>
<a href="#271" id="271">271</a>
<a href="#272" id="272">272</a>
<a href="#273" id="273">273</a>
<a href="#274" id="274">274</a>
<a href="#275" id="275">275</a>
<a href="#276" id="276">276</a>
<a href="#277" id="277">277</a>
<a href="#278" id="278">278</a>
<a href="#279" id="279">279</a>
<a href="#280" id="280">280</a>
<a href="#281" id="281">281</a>
<a href="#282" id="282">282</a>
<a href="#283" id="283">283</a>
<a href="#284" id="284">284</a>
<a href="#285" id="285">285</a>
<a href="#286" id="286">286</a>
<a href="#287" id="287">287</a>
<a href="#288" id="288">288</a>
<a href="#289" id="289">289</a>
<a href="#290" id="290">290</a>
<a href="#291" id="291">291</a>
<a href="#292" id="292">292</a>
<a href="#293" id="293">293</a>
<a href="#294" id="294">294</a>
<a href="#295" id="295">295</a>
<a href="#296" id="296">296</a>
<a href="#297" id="297">297</a>
<a href="#298" id="298">298</a>
<a href="#299" id="299">299</a>
<a href="#300" id="300">300</a>
<a href="#301" id="301">301</a>
<a href="#302" id="302">302</a>
<a href="#303" id="303">303</a>
<a href="#304" id="304">304</a>
<a href="#305" id="305">305</a>
<a href="#306" id="306">306</a>
<a href="#307" id="307">307</a>
<a href="#308" id="308">308</a>
<a href="#309" id="309">309</a>
<a href="#310" id="310">310</a>
<a href="#311" id="311">311</a>
<a href="#312" id="312">312</a>
<a href="#313" id="313">313</a>
<a href="#314" id="314">314</a>
<a href="#315" id="315">315</a>
<a href="#316" id="316">316</a>
<a href="#317" id="317">317</a>
<a href="#318" id="318">318</a>
<a href="#319" id="319">319</a>
<a href="#320" id="320">320</a>
<a href="#321" id="321">321</a>
<a href="#322" id="322">322</a>
<a href="#323" id="323">323</a>
<a href="#324" id="324">324</a>
<a href="#325" id="325">325</a>
<a href="#326" id="326">326</a>
<a href="#327" id="327">327</a>
<a href="#328" id="328">328</a>
<a href="#329" id="329">329</a>
<a href="#330" id="330">330</a>
<a href="#331" id="331">331</a>
<a href="#332" id="332">332</a>
<a href="#333" id="333">333</a>
<a href="#334" id="334">334</a>
<a href="#335" id="335">335</a>
<a href="#336" id="336">336</a>
<a href="#337" id="337">337</a>
<a href="#338" id="338">338</a>
<a href="#339" id="339">339</a>
<a href="#340" id="340">340</a>
<a href="#341" id="341">341</a>
<a href="#342" id="342">342</a>
<a href="#343" id="343">343</a>
<a href="#344" id="344">344</a>
<a href="#345" id="345">345</a>
<a href="#346" id="346">346</a>
<a href="#347" id="347">347</a>
<a href="#348" id="348">348</a>
<a href="#349" id="349">349</a>
<a href="#350" id="350">350</a>
<a href="#351" id="351">351</a>
<a href="#352" id="352">352</a>
<a href="#353" id="353">353</a>
<a href="#354" id="354">354</a>
<a href="#355" id="355">355</a>
<a href="#356" id="356">356</a>
<a href="#357" id="357">357</a>
<a href="#358" id="358">358</a>
<a href="#359" id="359">359</a>
<a href="#360" id="360">360</a>
<a href="#361" id="361">361</a>
<a href="#362" id="362">362</a>
<a href="#363" id="363">363</a>
<a href="#364" id="364">364</a>
<a href="#365" id="365">365</a>
<a href="#366" id="366">366</a>
<a href="#367" id="367">367</a>
<a href="#368" id="368">368</a>
<a href="#369" id="369">369</a>
<a href="#370" id="370">370</a>
<a href="#371" id="371">371</a>
<a href="#372" id="372">372</a>
<a href="#373" id="373">373</a>
<a href="#374" id="374">374</a>
<a href="#375" id="375">375</a>
<a href="#376" id="376">376</a>
<a href="#377" id="377">377</a>
<a href="#378" id="378">378</a>
<a href="#379" id="379">379</a>
<a href="#380" id="380">380</a>
<a href="#381" id="381">381</a>
<a href="#382" id="382">382</a>
<a href="#383" id="383">383</a>
<a href="#384" id="384">384</a>
<a href="#385" id="385">385</a>
<a href="#386" id="386">386</a>
<a href="#387" id="387">387</a>
<a href="#388" id="388">388</a>
<a href="#389" id="389">389</a>
<a href="#390" id="390">390</a>
<a href="#391" id="391">391</a>
<a href="#392" id="392">392</a>
<a href="#393" id="393">393</a>
<a href="#394" id="394">394</a>
<a href="#395" id="395">395</a>
<a href="#396" id="396">396</a>
<a href="#397" id="397">397</a>
<a href="#398" id="398">398</a>
<a href="#399" id="399">399</a>
<a href="#400" id="400">400</a>
<a href="#401" id="401">401</a>
<a href="#402" id="402">402</a>
<a href="#403" id="403">403</a>
<a href="#404" id="404">404</a>
<a href="#405" id="405">405</a>
<a href="#406" id="406">406</a>
<a href="#407" id="407">407</a>
<a href="#408" id="408">408</a>
<a href="#409" id="409">409</a>
<a href="#410" id="410">410</a>
<a href="#411" id="411">411</a>
<a href="#412" id="412">412</a>
<a href="#413" id="413">413</a>
<a href="#414" id="414">414</a>
<a href="#415" id="415">415</a>
<a href="#416" id="416">416</a>
<a href="#417" id="417">417</a>
<a href="#418" id="418">418</a>
<a href="#419" id="419">419</a>
<a href="#420" id="420">420</a>
<a href="#421" id="421">421</a>
<a href="#422" id="422">422</a>
<a href="#423" id="423">423</a>
<a href="#424" id="424">424</a>
<a href="#425" id="425">425</a>
<a href="#426" id="426">426</a>
<a href="#427" id="427">427</a>
<a href="#428" id="428">428</a>
<a href="#429" id="429">429</a>
<a href="#430" id="430">430</a>
<a href="#431" id="431">431</a>
<a href="#432" id="432">432</a>
<a href="#433" id="433">433</a>
<a href="#434" id="434">434</a>
<a href="#435" id="435">435</a>
<a href="#436" id="436">436</a>
<a href="#437" id="437">437</a>
<a href="#438" id="438">438</a>
<a href="#439" id="439">439</a>
<a href="#440" id="440">440</a>
<a href="#441" id="441">441</a>
<a href="#442" id="442">442</a>
<a href="#443" id="443">443</a>
<a href="#444" id="444">444</a>
<a href="#445" id="445">445</a>
<a href="#446" id="446">446</a>
<a href="#447" id="447">447</a>
<a href="#448" id="448">448</a>
<a href="#449" id="449">449</a>
<a href="#450" id="450">450</a>
<a href="#451" id="451">451</a>
<a href="#452" id="452">452</a>
<a href="#453" id="453">453</a>
<a href="#454" id="454">454</a>
<a href="#455" id="455">455</a>
<a href="#456" id="456">456</a>
<a href="#457" id="457">457</a>
<a href="#458" id="458">458</a>
<a href="#459" id="459">459</a>
<a href="#460" id="460">460</a>
<a href="#461" id="461">461</a>
<a href="#462" id="462">462</a>
<a href="#463" id="463">463</a>
<a href="#464" id="464">464</a>
<a href="#465" id="465">465</a>
</pre></div><pre class="rust"><code><span class="kw">use </span>std::{collections::HashMap, fmt, future::Future, pin::Pin, rc::Rc};
<span class="kw">use </span>actix_utils::future::{ready, Ready};
<span class="kw">use </span>actix_web::{
body::MessageBody,
cookie::{Cookie, CookieJar, Key},
dev::{forward_ready, ResponseHead, Service, ServiceRequest, ServiceResponse, Transform},
http::header::{HeaderValue, SET_COOKIE},
HttpResponse,
};
<span class="kw">use </span>anyhow::Context;
<span class="kw">use crate</span>::{
config::{
<span class="self">self</span>, Configuration, CookieConfiguration, CookieContentSecurity, SessionMiddlewareBuilder,
TtlExtensionPolicy,
},
storage::{LoadError, SessionKey, SessionStore},
Session, SessionStatus,
};
<span class="doccomment">/// A middleware for session management in Actix Web applications.
///
/// [`SessionMiddleware`] takes care of a few jobs:
///
/// - Instructs the session storage backend to create/update/delete/retrieve the state attached to
/// a session according to its status and the operations that have been performed against it;
/// - Set/remove a cookie, on the client side, to enable a user to be consistently associated with
/// the same session across multiple HTTP requests.
///
/// Use [`SessionMiddleware::new`] to initialize the session framework using the default parameters.
/// To create a new instance of [`SessionMiddleware`] you need to provide:
///
/// - an instance of the session storage backend you wish to use (i.e. an implementation of
/// [`SessionStore`]);
/// - a secret key, to sign or encrypt the content of client-side session cookie.
///
/// # How did we choose defaults?
/// You should not regret adding `actix-session` to your dependencies and going to production using
/// the default configuration. That is why, when in doubt, we opt to use the most secure option for
/// each configuration parameter.
///
/// We expose knobs to change the default to suit your needs—i.e., if you know what you are doing,
/// we will not stop you. But being a subject-matter expert should not be a requirement to deploy
/// reasonably secure implementation of sessions.
///
/// # Examples
/// ```no_run
/// use actix_web::{web, App, HttpServer, HttpResponse, Error};
/// use actix_session::{Session, SessionMiddleware, storage::RedisActorSessionStore};
/// use actix_web::cookie::Key;
///
/// // The secret key would usually be read from a configuration file/environment variables.
/// fn get_secret_key() -> Key {
/// # todo!()
/// // [...]
/// }
///
/// #[actix_web::main]
/// async fn main() -> std::io::Result<()> {
/// let secret_key = get_secret_key();
/// let redis_connection_string = "127.0.0.1:6379";
/// HttpServer::new(move ||
/// App::new()
/// // Add session management to your application using Redis for session state storage
/// .wrap(
/// SessionMiddleware::new(
/// RedisActorSessionStore::new(redis_connection_string),
/// secret_key.clone()
/// )
/// )
/// .default_service(web::to(|| HttpResponse::Ok())))
/// .bind(("127.0.0.1", 8080))?
/// .run()
/// .await
/// }
/// ```
///
/// If you want to customise use [`builder`](Self::builder) instead of [`new`](Self::new):
///
/// ```no_run
/// use actix_web::{App, cookie::{Key, time}, Error, HttpResponse, HttpServer, web};
/// use actix_session::{Session, SessionMiddleware, storage::RedisActorSessionStore};
/// use actix_session::config::PersistentSession;
///
/// // The secret key would usually be read from a configuration file/environment variables.
/// fn get_secret_key() -> Key {
/// # todo!()
/// // [...]
/// }
///
/// #[actix_web::main]
/// async fn main() -> std::io::Result<()> {
/// let secret_key = get_secret_key();
/// let redis_connection_string = "127.0.0.1:6379";
/// HttpServer::new(move ||
/// App::new()
/// // Customise session length!
/// .wrap(
/// SessionMiddleware::builder(
/// RedisActorSessionStore::new(redis_connection_string),
/// secret_key.clone()
/// )
/// .session_lifecycle(
/// PersistentSession::default()
/// .session_ttl(time::Duration::days(5))
/// )
/// .build(),
/// )
/// .default_service(web::to(|| HttpResponse::Ok())))
/// .bind(("127.0.0.1", 8080))?
/// .run()
/// .await
/// }
/// ```
</span><span class="attr">#[derive(Clone)]
</span><span class="kw">pub struct </span>SessionMiddleware<Store: SessionStore> {
storage_backend: Rc<Store>,
configuration: Rc<Configuration>,
}
<span class="kw">impl</span><Store: SessionStore> SessionMiddleware<Store> {
<span class="doccomment">/// Use [`SessionMiddleware::new`] to initialize the session framework using the default
/// parameters.
///
/// To create a new instance of [`SessionMiddleware`] you need to provide:
/// - an instance of the session storage backend you wish to use (i.e. an implementation of
/// [`SessionStore`]);
/// - a secret key, to sign or encrypt the content of client-side session cookie.
</span><span class="kw">pub fn </span>new(store: Store, key: Key) -> <span class="self">Self </span>{
<span class="self">Self</span>::builder(store, key).build()
}
<span class="doccomment">/// A fluent API to configure [`SessionMiddleware`].
///
/// It takes as input the two required inputs to create a new instance of [`SessionMiddleware`]:
/// - an instance of the session storage backend you wish to use (i.e. an implementation of
/// [`SessionStore`]);
/// - a secret key, to sign or encrypt the content of client-side session cookie.
</span><span class="kw">pub fn </span>builder(store: Store, key: Key) -> SessionMiddlewareBuilder<Store> {
SessionMiddlewareBuilder::new(store, config::default_configuration(key))
}
<span class="kw">pub</span>(<span class="kw">crate</span>) <span class="kw">fn </span>from_parts(store: Store, configuration: Configuration) -> <span class="self">Self </span>{
<span class="self">Self </span>{
storage_backend: Rc::new(store),
configuration: Rc::new(configuration),
}
}
}
<span class="kw">impl</span><S, B, Store> Transform<S, ServiceRequest> <span class="kw">for </span>SessionMiddleware<Store>
<span class="kw">where
</span>S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error> + <span class="lifetime">'static</span>,
S::Future: <span class="lifetime">'static</span>,
B: MessageBody + <span class="lifetime">'static</span>,
Store: SessionStore + <span class="lifetime">'static</span>,
{
<span class="kw">type </span>Response = ServiceResponse<B>;
<span class="kw">type </span>Error = actix_web::Error;
<span class="kw">type </span>Transform = InnerSessionMiddleware<S, Store>;
<span class="kw">type </span>InitError = ();
<span class="kw">type </span>Future = Ready<<span class="prelude-ty">Result</span><<span class="self">Self</span>::Transform, <span class="self">Self</span>::InitError>>;
<span class="kw">fn </span>new_transform(<span class="kw-2">&</span><span class="self">self</span>, service: S) -> <span class="self">Self</span>::Future {
ready(<span class="prelude-val">Ok</span>(InnerSessionMiddleware {
service: Rc::new(service),
configuration: Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.configuration),
storage_backend: Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.storage_backend),
}))
}
}
<span class="doccomment">/// Short-hand to create an `actix_web::Error` instance that will result in an `Internal Server
/// Error` response while preserving the error root cause (e.g. in logs).
</span><span class="kw">fn </span>e500<E: fmt::Debug + fmt::Display + <span class="lifetime">'static</span>>(err: E) -> actix_web::Error {
<span class="comment">// We do not use `actix_web::error::ErrorInternalServerError` because we do not want to
// leak internal implementation details to the caller.
//
// `actix_web::error::ErrorInternalServerError` includes the error Display representation
// as body of the error responses, leading to messages like "There was an issue persisting
// the session state" reaching API clients. We don't want that, we want opaque 500s.
</span>actix_web::error::InternalError::from_response(
err,
HttpResponse::InternalServerError().finish(),
)
.into()
}
<span class="attr">#[doc(hidden)]
#[non_exhaustive]
</span><span class="kw">pub struct </span>InnerSessionMiddleware<S, Store: SessionStore + <span class="lifetime">'static</span>> {
service: Rc<S>,
configuration: Rc<Configuration>,
storage_backend: Rc<Store>,
}
<span class="kw">impl</span><S, B, Store> Service<ServiceRequest> <span class="kw">for </span>InnerSessionMiddleware<S, Store>
<span class="kw">where
</span>S: Service<ServiceRequest, Response = ServiceResponse<B>, Error = actix_web::Error> + <span class="lifetime">'static</span>,
S::Future: <span class="lifetime">'static</span>,
Store: SessionStore + <span class="lifetime">'static</span>,
{
<span class="kw">type </span>Response = ServiceResponse<B>;
<span class="kw">type </span>Error = actix_web::Error;
<span class="attr">#[allow(clippy::type_complexity)]
</span><span class="kw">type </span>Future = Pin<Box<<span class="kw">dyn </span>Future<Output = <span class="prelude-ty">Result</span><<span class="self">Self</span>::Response, <span class="self">Self</span>::Error>>>>;
<span class="macro">forward_ready!</span>(service);
<span class="kw">fn </span>call(<span class="kw-2">&</span><span class="self">self</span>, <span class="kw-2">mut </span>req: ServiceRequest) -> <span class="self">Self</span>::Future {
<span class="kw">let </span>service = Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.service);
<span class="kw">let </span>storage_backend = Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.storage_backend);
<span class="kw">let </span>configuration = Rc::clone(<span class="kw-2">&</span><span class="self">self</span>.configuration);
Box::pin(<span class="kw">async move </span>{
<span class="kw">let </span>session_key = extract_session_key(<span class="kw-2">&</span>req, <span class="kw-2">&</span>configuration.cookie);
<span class="kw">let </span>(session_key, session_state) =
load_session_state(session_key, storage_backend.as_ref()).<span class="kw">await</span><span class="question-mark">?</span>;
Session::set_session(<span class="kw-2">&mut </span>req, session_state);
<span class="kw">let </span><span class="kw-2">mut </span>res = service.call(req).<span class="kw">await</span><span class="question-mark">?</span>;
<span class="kw">let </span>(status, session_state) = Session::get_changes(<span class="kw-2">&mut </span>res);
<span class="kw">match </span>session_key {
<span class="prelude-val">None </span>=> {
<span class="comment">// we do not create an entry in the session store if there is no state attached
// to a fresh session
</span><span class="kw">if </span>!session_state.is_empty() {
<span class="kw">let </span>session_key = storage_backend
.save(session_state, <span class="kw-2">&</span>configuration.session.state_ttl)
.<span class="kw">await
</span>.map_err(e500)<span class="question-mark">?</span>;
set_session_cookie(
res.response_mut().head_mut(),
session_key,
<span class="kw-2">&</span>configuration.cookie,
)
.map_err(e500)<span class="question-mark">?</span>;
}
}
<span class="prelude-val">Some</span>(session_key) => {
<span class="kw">match </span>status {
SessionStatus::Changed => {
<span class="kw">let </span>session_key = storage_backend
.update(
session_key,
session_state,
<span class="kw-2">&</span>configuration.session.state_ttl,
)
.<span class="kw">await
</span>.map_err(e500)<span class="question-mark">?</span>;
set_session_cookie(
res.response_mut().head_mut(),
session_key,
<span class="kw-2">&</span>configuration.cookie,
)
.map_err(e500)<span class="question-mark">?</span>;
}
SessionStatus::Purged => {
storage_backend.delete(<span class="kw-2">&</span>session_key).<span class="kw">await</span>.map_err(e500)<span class="question-mark">?</span>;
delete_session_cookie(
res.response_mut().head_mut(),
<span class="kw-2">&</span>configuration.cookie,
)
.map_err(e500)<span class="question-mark">?</span>;
}
SessionStatus::Renewed => {
storage_backend.delete(<span class="kw-2">&</span>session_key).<span class="kw">await</span>.map_err(e500)<span class="question-mark">?</span>;
<span class="kw">let </span>session_key = storage_backend
.save(session_state, <span class="kw-2">&</span>configuration.session.state_ttl)
.<span class="kw">await
</span>.map_err(e500)<span class="question-mark">?</span>;
set_session_cookie(
res.response_mut().head_mut(),
session_key,
<span class="kw-2">&</span>configuration.cookie,
)
.map_err(e500)<span class="question-mark">?</span>;
}
SessionStatus::Unchanged => {
<span class="kw">if </span><span class="macro">matches!</span>(
configuration.ttl_extension_policy,
TtlExtensionPolicy::OnEveryRequest
) {
storage_backend
.update_ttl(<span class="kw-2">&</span>session_key, <span class="kw-2">&</span>configuration.session.state_ttl)
.<span class="kw">await
</span>.map_err(e500)<span class="question-mark">?</span>;
<span class="kw">if </span>configuration.cookie.max_age.is_some() {
set_session_cookie(
res.response_mut().head_mut(),
session_key,
<span class="kw-2">&</span>configuration.cookie,
)
.map_err(e500)<span class="question-mark">?</span>;
}
}
}
};
}
}
<span class="prelude-val">Ok</span>(res)
})
}
}
<span class="doccomment">/// Examines the session cookie attached to the incoming request, if there is one, and tries
/// to extract the session key.
///
/// It returns `None` if there is no session cookie or if the session cookie is considered invalid
/// (e.g., when failing a signature check).
</span><span class="kw">fn </span>extract_session_key(req: <span class="kw-2">&</span>ServiceRequest, config: <span class="kw-2">&</span>CookieConfiguration) -> <span class="prelude-ty">Option</span><SessionKey> {
<span class="kw">let </span>cookies = req.cookies().ok()<span class="question-mark">?</span>;
<span class="kw">let </span>session_cookie = cookies
.iter()
.find(|<span class="kw-2">&</span>cookie| cookie.name() == config.name)<span class="question-mark">?</span>;
<span class="kw">let </span><span class="kw-2">mut </span>jar = CookieJar::new();
jar.add_original(session_cookie.clone());
<span class="kw">let </span>verification_result = <span class="kw">match </span>config.content_security {
CookieContentSecurity::Signed => jar.signed(<span class="kw-2">&</span>config.key).get(<span class="kw-2">&</span>config.name),
CookieContentSecurity::Private => jar.private(<span class="kw-2">&</span>config.key).get(<span class="kw-2">&</span>config.name),
};
<span class="kw">if </span>verification_result.is_none() {
<span class="macro">tracing::warn!</span>(
<span class="string">"The session cookie attached to the incoming request failed to pass cryptographic \
checks (signature verification/decryption)."
</span>);
}
<span class="kw">match </span>verification_result<span class="question-mark">?</span>.value().to_owned().try_into() {
<span class="prelude-val">Ok</span>(session_key) => <span class="prelude-val">Some</span>(session_key),
<span class="prelude-val">Err</span>(err) => {
<span class="macro">tracing::warn!</span>(
error.message = %err,
error.cause_chain = <span class="question-mark">?</span>err,
<span class="string">"Invalid session key, ignoring."
</span>);
<span class="prelude-val">None
</span>}
}
}
<span class="kw">async fn </span>load_session_state<Store: SessionStore>(
session_key: <span class="prelude-ty">Option</span><SessionKey>,
storage_backend: <span class="kw-2">&</span>Store,
) -> <span class="prelude-ty">Result</span><(<span class="prelude-ty">Option</span><SessionKey>, HashMap<String, String>), actix_web::Error> {
<span class="kw">if let </span><span class="prelude-val">Some</span>(session_key) = session_key {
<span class="kw">match </span>storage_backend.load(<span class="kw-2">&</span>session_key).<span class="kw">await </span>{
<span class="prelude-val">Ok</span>(state) => {
<span class="kw">if let </span><span class="prelude-val">Some</span>(state) = state {
<span class="prelude-val">Ok</span>((<span class="prelude-val">Some</span>(session_key), state))
} <span class="kw">else </span>{
<span class="comment">// We discard the existing session key given that the state attached to it can
// no longer be found (e.g. it expired or we suffered some data loss in the
// storage). Regenerating the session key will trigger the `save` workflow
// instead of the `update` workflow if the session state is modified during the
// lifecycle of the current request.
</span><span class="macro">tracing::info!</span>(
<span class="string">"No session state has been found for a valid session key, creating a new \
empty session."
</span>);
<span class="prelude-val">Ok</span>((<span class="prelude-val">None</span>, HashMap::new()))
}
}
<span class="prelude-val">Err</span>(err) => <span class="kw">match </span>err {
LoadError::Deserialization(err) => {
<span class="macro">tracing::warn!</span>(
error.message = %err,
error.cause_chain = <span class="question-mark">?</span>err,
<span class="string">"Invalid session state, creating a new empty session."
</span>);
<span class="prelude-val">Ok</span>((<span class="prelude-val">Some</span>(session_key), HashMap::new()))
}
LoadError::Other(err) => <span class="prelude-val">Err</span>(e500(err)),
},
}
} <span class="kw">else </span>{
<span class="prelude-val">Ok</span>((<span class="prelude-val">None</span>, HashMap::new()))
}
}
<span class="kw">fn </span>set_session_cookie(
response: <span class="kw-2">&mut </span>ResponseHead,
session_key: SessionKey,
config: <span class="kw-2">&</span>CookieConfiguration,
) -> <span class="prelude-ty">Result</span><(), anyhow::Error> {
<span class="kw">let </span>value: String = session_key.into();
<span class="kw">let </span><span class="kw-2">mut </span>cookie = Cookie::new(config.name.clone(), value);
cookie.set_secure(config.secure);
cookie.set_http_only(config.http_only);
cookie.set_same_site(config.same_site);
cookie.set_path(config.path.clone());
<span class="kw">if let </span><span class="prelude-val">Some</span>(max_age) = config.max_age {
cookie.set_max_age(max_age);
}
<span class="kw">if let </span><span class="prelude-val">Some</span>(<span class="kw-2">ref </span>domain) = config.domain {
cookie.set_domain(domain.clone());
}
<span class="kw">let </span><span class="kw-2">mut </span>jar = CookieJar::new();
<span class="kw">match </span>config.content_security {
CookieContentSecurity::Signed => jar.signed_mut(<span class="kw-2">&</span>config.key).add(cookie),
CookieContentSecurity::Private => jar.private_mut(<span class="kw-2">&</span>config.key).add(cookie),
}
<span class="comment">// set cookie
</span><span class="kw">let </span>cookie = jar.delta().next().unwrap();
<span class="kw">let </span>val = HeaderValue::from_str(<span class="kw-2">&</span>cookie.encoded().to_string())
.context(<span class="string">"Failed to attach a session cookie to the outgoing response"</span>)<span class="question-mark">?</span>;
response.headers_mut().append(SET_COOKIE, val);
<span class="prelude-val">Ok</span>(())
}
<span class="kw">fn </span>delete_session_cookie(
response: <span class="kw-2">&mut </span>ResponseHead,
config: <span class="kw-2">&</span>CookieConfiguration,
) -> <span class="prelude-ty">Result</span><(), anyhow::Error> {
<span class="kw">let </span>removal_cookie = Cookie::build(config.name.clone(), <span class="string">""</span>)
.path(config.path.clone())
.secure(config.secure)
.http_only(config.http_only)
.same_site(config.same_site);
<span class="kw">let </span><span class="kw-2">mut </span>removal_cookie = <span class="kw">if let </span><span class="prelude-val">Some</span>(<span class="kw-2">ref </span>domain) = config.domain {
removal_cookie.domain(domain)
} <span class="kw">else </span>{
removal_cookie
}
.finish();
removal_cookie.make_removal();
<span class="kw">let </span>val = HeaderValue::from_str(<span class="kw-2">&</span>removal_cookie.to_string())
.context(<span class="string">"Failed to attach a session removal cookie to the outgoing response"</span>)<span class="question-mark">?</span>;
response.headers_mut().append(SET_COOKIE, val);
<span class="prelude-val">Ok</span>(())
}
</code></pre></div></section></main></body></html>