Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tide sessions #646

Merged
merged 1 commit into from
Jul 27, 2020
Merged

tide sessions #646

merged 1 commit into from
Jul 27, 2020

Conversation

jbr
Copy link
Member

@jbr jbr commented Jul 14, 2020
edited
Loading

this is an initial implementation of a session middleware in tide, using a somewhat modified async-sessions crate. this is implemented as a sessions feature, which is enabled by default.

this pr reuses some of the signed cookie behavior from the cookie crate without requiring the entire application use signed cookies. this is to ensure that all users of sessions have signed cookies regardless of the rest of their application settings.

closes: #9
blocked on: http-rs/async-session#2 Publishing async-session 2.0.0 (@yoshuawuyts) @Fishrock123 clarifying change request
related: #541

as part of exploring this approach, I've fully implemented these session stores:

@jbr jbr marked this pull request as draft July 14, 2020 23:25
@jbr jbr requested review from yoshuawuyts and Fishrock123 July 14, 2020 23:35
Fishrock123
Fishrock123 reviewed Jul 15, 2020
View reviewed changes
examples/sessions.rs Outdated Show resolved Hide resolved
@Fishrock123
Copy link
Member

We should probably also provide a CookieSession by default.

@jbr
Copy link
Member Author

jbr commented Jul 15, 2020
edited
Loading

I agree about CookieSessionStore, but think we maybe need secure cookies first? Not sure about that. I figured I'd implement an external datastore-backed cookie store first to see if all of the pieces are in place for that (they weren't — Session needs to be Deserialize as well as Serialize)

update: https://github.com/jbr/async-redis-session (not published yet)
further update: there's now a cookie session store that i believe to be about as secure as cookie session stores are going to get

Fishrock123
Fishrock123 requested changes Jul 18, 2020
View reviewed changes
examples/sessions.rs Outdated
tide::log::start();
let mut app = tide::new();

app.middleware(tide::sessions::SessionMiddleware::memory_store(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Imo show with cookie store instead.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't think there's anything wrong with starting people out on the memory store, since its flaws are more obvious (losing data on server restart). we want to strongly encourage people not to use either of them, and i think the sled store will probably be the recommended choice for apps that don't already have an external db

src/request.rs Outdated Show resolved Hide resolved
src/sessions/middleware.rs Outdated
/// set on the outbound response and signed with an HKDF key derived
/// from the `secret` provided on creation of the SessionMiddleware.
/// The configurable session store uses a SHA256 digest of the cookie
/// value and stores the session along with a potential expiry.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// value and stores the session along with a potential expiry.
/// value as an id and stores the session along with a potential expiry.

src/sessions/middleware.rs Outdated Show resolved Hide resolved
src/sessions/middleware.rs Outdated Show resolved Hide resolved
src/sessions/middleware.rs Outdated Show resolved Hide resolved
src/sessions/middleware.rs Show resolved Hide resolved
src/sessions/middleware.rs Outdated Show resolved Hide resolved
src/sessions/middleware.rs Show resolved Hide resolved
src/sessions/middleware.rs Show resolved Hide resolved
@Fishrock123 Fishrock123 self-requested a review July 19, 2020 03:47
@jbr jbr force-pushed the sessions branch 4 times, most recently from a4bb48d to f1cbfa8 Compare July 24, 2020 02:08
yoshuawuyts
yoshuawuyts approved these changes Jul 25, 2020
View reviewed changes
Copy link
Member

@yoshuawuyts yoshuawuyts left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is so incredibly good! One nit, but otherwise 💯

src/request.rs Outdated Show resolved Hide resolved
@jbr jbr marked this pull request as ready for review July 26, 2020 01:05
@jbr
Copy link
Member Author

jbr commented Jul 26, 2020

@Fishrock123 Have your concerns been addressed? This is otherwise ready to merge, but you still have a change request on this

@jbr jbr force-pushed the sessions branch 3 times, most recently from 7b0a320 to 2090f07 Compare July 26, 2020 01:55
@jbr jbr mentioned this pull request Jul 26, 2020
Closed
Fishrock123
Fishrock123 approved these changes Jul 27, 2020
View reviewed changes
Copy link
Member

@Fishrock123 Fishrock123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is good enough to go, anything more seems to be addressable after merge.

@jbr jbr merged commit fa7d7fa into http-rs:master Jul 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aka-bash0r aka-bash0r aka-bash0r left review comments

@Fishrock123 Fishrock123 Fishrock123 approved these changes

@yoshuawuyts yoshuawuyts yoshuawuyts approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Session management
4 participants
@jbr @Fishrock123 @yoshuawuyts @aka-bash0r