migrate to tower-sessions (#14)

This migrates from axum-sessions to tower-sessions.

Some notable differences:

1. Readable and writable sessions are replaced with a single session
   type.
2. Sessions no longer contain data and instead are a pointer to a
   session; this means we don't need a secret key anymore.
3. serde_json::Value is accessible directly.
4. The session layer itself is fallible, so we use handle error layer to
   ensure compatibility with axum.

Closes #13.

Author: maxcountryman

Cargo.lock

@@ -11,10 +11,12 @@ readme = "README.md"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-axum = { version="0.6.20", features = ["headers"] }
+axum = { version = "0.6.20", features = ["headers"] }
+tower = "0.4.13"
 tower-http = { version = "0.4", features = ["full"] }
-axum-sessions = "0.5"
+tower-sessions = "0.2.2"
 tokio = { version = "1.24", features = ["full"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0.107"

back_end/Cargo.toml

@@ -4,9 +4,9 @@
 #![allow(missing_docs)]
 
 use axum::Router;
-use axum_sessions::{async_session::MemoryStore, SessionLayer};
 use std::net::SocketAddr;
 use std::{env, sync::Arc};
+use tower_sessions::{MemoryStore, SessionManagerLayer};
 use tracing::log::warn;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
@@ -35,7 +35,7 @@ async fn main() {
         .init();
 
     // configure server from environmental variables
-    let (port, host, secret) = from_env();
+    let (port, host) = from_env();
 
     let addr: SocketAddr = format!("{}:{}", host, port)
         .parse()
@@ -45,8 +45,8 @@ async fn main() {
     let shared_state = Arc::new(store::Store::new("123456789"));
 
     // setup up sessions and store to keep track of session information
-    let session_layer = SessionLayer::new(MemoryStore::new(), secret.as_bytes())
-        .with_cookie_name(SESSION_COOKIE_NAME);
+    let session_store = MemoryStore::default();
+    let session_layer = SessionManagerLayer::new(session_store).with_name(SESSION_COOKIE_NAME);
 
     // combine the front and backend into server
     let app = Router::new()
@@ -73,7 +73,7 @@ async fn shutdown_signal() {
 
 // Variables from Environment or default to configure server
 // port, host, secret
-fn from_env() -> (String, String, String) {
+fn from_env() -> (String, String) {
     if env::var("SERVER_SECRET").is_err() {
         warn!("env var SERVER_SECRET should be set and unique (64 bytes long)");
     }
@@ -84,9 +84,5 @@ fn from_env() -> (String, String, String) {
         env::var("SERVER_HOST")
             .ok()
             .unwrap_or_else(|| SERVER_HOST.to_string()),
-        env::var("SERVER_SECRET").ok().unwrap_or_else(|| {
-            "this needs to be 64bytes. recommended that you set Secret instead of fixed value"
-                .to_string()
-        }),
     )
 }

back_end/src/main.rs

@@ -3,16 +3,18 @@ use axum::{
     middleware::Next,
     response::Response,
 };
-use axum_sessions::extractors::ReadableSession;
+use tower_sessions::Session;
 
 #[allow(clippy::missing_errors_doc)]
 pub async fn user_secure<B: Send>(
-    session: ReadableSession,
+    session: Session,
     req: Request<B>,
     next: Next<B>,
 ) -> Result<Response, StatusCode> {
     tracing::info!("Middleware: checking if user exists");
-    let user_id = session.get_raw("user_id").ok_or(StatusCode::UNAUTHORIZED)?;
+    let user_id = session
+        .get_value("user_id")
+        .ok_or(StatusCode::UNAUTHORIZED)?;
     tracing::debug!("user_id Extracted: {}", user_id);
 
     // accepts all user but you could add a check here to match user access

back_end/src/middlewares/usersecure.rs

@@ -1,5 +1,5 @@
 use axum::{response::IntoResponse, Json};
-use axum_sessions::async_session::serde_json::json;
+use serde_json::json;
 
 /// imitating an API response
 #[allow(clippy::unused_async)]

back_end/src/routes/api.rs

@@ -1,11 +1,12 @@
 use axum::{response::IntoResponse, Json};
-use axum_sessions::{async_session::serde_json::json, extractors::WritableSession};
 use serde::Deserialize;
+use serde_json::json;
+use tower_sessions::Session;
 
 /// route to handle log in
 #[allow(clippy::unused_async)]
 #[allow(clippy::missing_panics_doc)]
-pub async fn login(mut session: WritableSession, Json(login): Json<Login>) -> impl IntoResponse {
+pub async fn login(session: Session, Json(login): Json<Login>) -> impl IntoResponse {
     tracing::info!("Logging in user: {}", login.username);
 
     if check_password(&login.username, &login.password) {
@@ -18,11 +19,11 @@ pub async fn login(mut session: WritableSession, Json(login): Json<Login>) -> im
 
 /// route to handle log out
 #[allow(clippy::unused_async)]
-pub async fn logout(mut session: WritableSession) -> impl IntoResponse {
-    let user = session.get_raw("user_id").unwrap_or_default();
+pub async fn logout(session: Session) -> impl IntoResponse {
+    let user = session.get_value("user_id").unwrap_or_default();
     tracing::info!("Logging out user: {}", user);
     // drop session
-    session.destroy();
+    session.flush();
     Json(json!({"result": "ok"}))
 }
 

back_end/src/routes/auth.rs

@@ -1,19 +1,20 @@
 // print out session
 
 use axum::{response::IntoResponse, Json};
-use axum_sessions::{async_session::serde_json::json, extractors::ReadableSession};
+use serde_json::json;
+use tower_sessions::Session;
 
 /// output entire session object
 #[allow(clippy::unused_async)]
-pub async fn handler(session: ReadableSession) -> impl IntoResponse {
+pub async fn handler(session: Session) -> impl IntoResponse {
     tracing::info!("Seeking session info");
     Json(json!({ "session": format!("{:?}", session) }))
 }
 
 /// output session data in json
 #[allow(clippy::unused_async)]
-pub async fn data_handler(session: ReadableSession) -> impl IntoResponse {
+pub async fn data_handler(session: Session) -> impl IntoResponse {
     tracing::info!("Seeking session data");
-    let user_id = session.get("user_id").unwrap_or_else(|| "".to_string());
+    let user_id = session.get_value("user_id").unwrap_or_else(|| "".into());
     Json(json!({ "user_id": user_id }))
 }

back_end/src/routes/session.rs

@@ -1,12 +1,15 @@
 use axum::{
+    error_handling::HandleErrorLayer,
+    handler::HandlerWithoutStateExt,
     http::StatusCode,
     middleware,
     routing::{get, post},
-    Router, handler::HandlerWithoutStateExt,
+    BoxError, Router,
 };
-use axum_sessions::{async_session::SessionStore, SessionLayer};
 use std::sync::Arc;
+use tower::ServiceBuilder;
 use tower_http::{services::ServeDir, trace::TraceLayer};
+use tower_sessions::{SessionManagerLayer, SessionStore};
 
 use crate::{
     middlewares, routes,
@@ -20,7 +23,9 @@ use crate::{
 // Front end to server svelte build bundle, css and index.html from public folder
 pub fn front_public_route() -> Router {
     Router::new()
-        .fallback_service(ServeDir::new(FRONT_PUBLIC).not_found_service(handle_error.into_service()))
+        .fallback_service(
+            ServeDir::new(FRONT_PUBLIC).not_found_service(handle_error.into_service()),
+        )
         .layer(TraceLayer::new_for_http())
 }
 
@@ -37,16 +42,22 @@ async fn handle_error() -> (StatusCode, &'static str) {
 // ********
 // Back end server built form various routes that are either public, require auth, or secure login
 pub fn backend<Store: SessionStore>(
-    session_layer: SessionLayer<Store>,
+    session_layer: SessionManagerLayer<Store>,
     shared_state: Arc<store::Store>,
 ) -> Router {
+    let session_service = ServiceBuilder::new()
+        .layer(HandleErrorLayer::new(|_: BoxError| async {
+            StatusCode::BAD_REQUEST
+        }))
+        .layer(session_layer);
+
     // could add tower::ServiceBuilder here to group layers, especially if you add more layers.
     // see https://docs.rs/axum/latest/axum/middleware/index.html#ordering
     Router::new()
         .merge(back_public_route())
         .merge(back_auth_route())
         .merge(back_token_route(shared_state))
-        .layer(session_layer)
+        .layer(session_service)
 }
 
 // *********