[WIP] Added RequestContextStore, RequestContext and SignedPrivateCookieJar #633
Conversation
|
@jondot @schungx Here is my current development plan and the key points I've summarized from the discussion. Please don't hesitate to correct me if I've missed anything that might lead to security issues. |
src/boot.rs
Outdated
| @@ -205,6 +206,7 @@ pub async fn create_context<H: Hooks>(environment: &Environment) -> Result<AppCo | |||
| queue: connect_redis(&config).await, | |||
| storage: Storage::single(storage::drivers::null::new()).into(), | |||
| cache: cache::Cache::new(cache::drivers::null::new()).into(), | |||
| request_context: create_request_context_store(&config.request_context)?.into(), | |||
There was a problem hiding this comment.
what happens to request context when there is no request involved? for example tasks, workers ?
There was a problem hiding this comment.
hmm, that is a good point
|
Looks like a fantastic plan! |
I wonder if we can do something wrt cookie-based instead of just disallowing it for production. It is just the case that the hash resides on the client instead of on the server. If the server needs to read the hash, then obviously it'll fail -- not supported. If the server needs to write to the hash, for example to force-expire it, then it can potentially be queued up (Redis?) and replayed during the next response to be sent to the client (which will include the relevant cookie header to set the hash values). Would this be possible? EDIT: Come to think of it ... this may not be very useful. If I can store commands in Redis, I might as well put the session store there. Or in an in memory store. In this case, why not just make the in-memory store the default and be done with it? |
Cookie sessions can be useful across multiple servers, the pros and cons should be around the same as arguments between JWT tokens and session tokens |
Added SignedPrivateCookieJar for encrypting/decrypting and signing data between outcoming/incoming headers. Added testing for both functionality
# Conflicts: # Cargo.toml
I believe if the hash is on the client and is stored on the browser, it is still being sent, and received as-is, so if the server wants, it can access the hash via incoming cookie header. |
… middleware for external access
… middleware for external access
…ed request context functionality on demo layer
|
@jondot Sorry for postponing this ticket. I was trying out Ruby on Rails and experimenting it to get a better idea about how the request context being used and the feels in the framework. I am going to continue this ticket this week 👍. |
# Conflicts: # src/errors.rs
|
@yinho999 please note that we just pushed a request_id implementation to master (including some improvement in middleware run order), so that takes some effort off from your PR |
No worries, gonna remove my current implementation right now |
# Conflicts: # src/controller/app_routes.rs
…text - Updated imports and references to use `LocoRequestId` instead of `RequestId`. - Removed unused `request_id` module. - Adjusted `RequestContext` struct and methods to accommodate the new `LocoRequestId`. - Cleaned up unnecessary imports in `boot.rs`.
…text - Updated imports and references to use `LocoRequestId` instead of `RequestId`. - Removed unused `request_id` module. - Adjusted `RequestContext` struct and methods to accommodate the new `LocoRequestId`. - Cleaned up unnecessary imports in `boot.rs`.
- Introduced `create_request_context` and updated `get_request_context` in `mysession.rs` for managing request context data. - Added tests for setting and getting request context data in `mysession.rs`. - Updated `test.yaml` and `teste2e.yaml` to include request context configuration. - Minor refactoring and cleanup in `cookie.rs` and other test files.
… `DerefMut` traits
- Added `insert`, `get`, `remove`, and `clear` methods to `RequestContext` for session management. - Introduced `RequestContextError::DriverError` to handle driver-related errors. - Updated `create_request_context` and `get_request_context` functions in `mysession.rs` to use the new `RequestContext` methods.
# Conflicts: # Cargo.toml # src/controller/app_routes.rs
…uration - Introduced `CustomSessionStore` to support custom session management. - Updated `AppRoutes` to include session store configuration. - Refactored `RequestContextMiddleware` to handle different session store types. - Added detailed session configuration options in YAML files. - Improved documentation and comments for better clarity on session management.
# Conflicts: # src/controller/app_routes.rs
…es.rs and request_context/layer/mod.rs
# Conflicts: # Cargo.toml
- Introduced `SessionCookieConfig` to manage cookie attributes such as `name`, `http_only`, `same_site`, `secure`, `path`, `domain`, and `expiry`. - Updated `SignedPrivateCookieJar` to support configurable cookie attributes. - Added methods to `SessionCookieConfig` for extracting and applying cookie configurations. - Modified `RequestContextStore` to include `SessionCookieConfig`. - Enhanced middleware setup in `app_routes` to utilize `SessionCookieConfig`. - Updated tests to cover new session cookie configurations and scenarios. - Improved documentation and comments for better clarity and maintainability.
# Conflicts: # examples/demo/Cargo.lock # src/config.rs # src/controller/app_routes.rs # src/tests_cfg/config.rs
…dcoded private cookie name
…ramework tests. Also cargo fmt
# Conflicts: # examples/demo/config/development.yaml # src/controller/middleware/cors.rs # src/controller/middleware/mod.rs # src/controller/middleware/powered_by.rs # src/controller/middleware/timeout.rs
# Conflicts: # Cargo.toml # examples/demo/Cargo.toml
# Conflicts: # Cargo.toml # examples/demo/Cargo.toml # src/scheduler.rs
# Conflicts: # Cargo.toml
Goal
Configurability
Session
ctxtoreqin function signatures:Cookies Store (Cookie)
PrivateCookieJar) RailsCookies Security
Session Store (In Memory or Other Database)
Default Behavior
Documentation and Tooling
Additional Considerations Rails
Flash Messages(Optional)
Plan
Template