From de5e6eecc0a80014c113dffca9a49d06df0b0a0e Mon Sep 17 00:00:00 2001 From: Rob Ede Date: Tue, 3 Jan 2023 14:04:10 +0000 Subject: [PATCH] improve prod advice in cookie-auth --- Cargo.lock | 2 ++ auth/cookie-auth/Cargo.toml | 2 ++ auth/cookie-auth/src/main.rs | 61 +++++++++++++++++++++++------------- 3 files changed, 44 insertions(+), 21 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index a11f0cc4..7d504544 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2050,7 +2050,9 @@ dependencies = [ "actix-identity", "actix-session", "actix-web", + "actix-web-lab", "env_logger", + "log", "rand 0.8.5", ] diff --git a/auth/cookie-auth/Cargo.toml b/auth/cookie-auth/Cargo.toml index 8c0f9fb3..b5c386cc 100644 --- a/auth/cookie-auth/Cargo.toml +++ b/auth/cookie-auth/Cargo.toml @@ -5,8 +5,10 @@ edition = "2021" [dependencies] actix-web.workspace = true +actix-web-lab.workspace = true actix-identity.workspace = true actix-session = { workspace = true, features = ["cookie-session"] } env_logger.workspace = true +log.workspace = true rand.workspace = true diff --git a/auth/cookie-auth/src/main.rs b/auth/cookie-auth/src/main.rs index 4cb62ece..83dda709 100644 --- a/auth/cookie-auth/src/main.rs +++ b/auth/cookie-auth/src/main.rs @@ -1,55 +1,74 @@ use actix_identity::{Identity, IdentityMiddleware}; -use actix_session::{storage::CookieSessionStore, SessionMiddleware}; +use actix_session::{config::PersistentSession, storage::CookieSessionStore, SessionMiddleware}; use actix_web::{ - cookie::Key, middleware, web, App, HttpMessage as _, HttpRequest, HttpResponse, HttpServer, + cookie::{time::Duration, Key}, + error, + http::StatusCode, + middleware, web, App, HttpMessage as _, HttpRequest, HttpServer, Responder, }; -async fn index(id: Identity) -> String { - format!( - "Hello {}", - id.id().unwrap_or_else(|_| "Anonymous".to_owned()) - ) +use actix_web_lab::web::Redirect; + +const ONE_MINUTE: Duration = Duration::minutes(1); + +async fn index(identity: Option) -> actix_web::Result { + let id = match identity.map(|id| id.id()) { + None => "anonymous".to_owned(), + Some(Ok(id)) => id, + Some(Err(err)) => return Err(error::ErrorInternalServerError(err)), + }; + + Ok(format!("Hello {id}")) } -async fn login(req: HttpRequest) -> HttpResponse { +async fn login(req: HttpRequest) -> impl Responder { Identity::login(&req.extensions(), "user1".to_owned()).unwrap(); - HttpResponse::Found() - .insert_header(("location", "/")) - .finish() + Redirect::to("/").using_status_code(StatusCode::FOUND) } -async fn logout(id: Identity) -> HttpResponse { +async fn logout(id: Identity) -> impl Responder { id.logout(); - HttpResponse::Found() - .insert_header(("location", "/")) - .finish() + Redirect::to("/").using_status_code(StatusCode::FOUND) } #[actix_web::main] async fn main() -> std::io::Result<()> { - std::env::set_var("RUST_LOG", "actix_web=info"); - env_logger::init(); + env_logger::init_from_env(env_logger::Env::new().default_filter_or("info")); // Generate a random secret key. Note that it is important to use a unique // secret key for every project. Anyone with access to the key can generate // authentication cookies for any user! + // + // If the secret key is read from a file or the environment, make sure it is generated securely. + // For example, a secure random key (in base64 format) can be generated with the OpenSSL CLI: + // ``` + // openssl rand -base64 64 + // ``` + // + // Then decoded and used converted to a Key: + // ``` + // let secret_key = Key::from(base64::decode(&private_key_base64).unwrap()); + // ``` let secret_key = Key::generate(); + log::info!("starting HTTP server at http://localhost:8080"); + HttpServer::new(move || { App::new() + .service(web::resource("/login").route(web::post().to(login))) + .service(web::resource("/logout").route(web::post().to(logout))) + .service(web::resource("/").route(web::get().to(index))) .wrap(IdentityMiddleware::default()) .wrap( SessionMiddleware::builder(CookieSessionStore::default(), secret_key.clone()) .cookie_name("auth-example".to_owned()) .cookie_secure(false) + .session_lifecycle(PersistentSession::default().session_ttl(ONE_MINUTE)) .build(), ) - // enable logger - always register Actix Web Logger middleware last + .wrap(middleware::NormalizePath::trim()) .wrap(middleware::Logger::default()) - .service(web::resource("/login").route(web::post().to(login))) - .service(web::resource("/logout").to(logout)) - .service(web::resource("/").route(web::get().to(index))) }) .bind(("127.0.0.1", 8080))? .run()