update to tower-sessions

daly4 · daly4 · commit cb42003dff24 · 2023-11-14T23:00:28.000-07:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,16 +16,17 @@ edition = "2021"
 maintenance = { status = "actively-developed" }
 
 [dependencies]
-axum = "0.6.16"
+axum = "0.6.20"
 axum-core = "0.3.4"
-axum-sessions = "0.5.0"
-base64 = "0.21.0"
+base64 = "0.21.5"
 rand = "0.8.5"
 thiserror = "1.0.40"
-tokio = { version = "1.27.0", features = ["macros", "rt", "rt-multi-thread"] }
 tower = "0.4.13"
-tracing = "0.1.37"
+tower-cookies = "0.9.0"
+tower-sessions = "0.4.3"
+tracing = "0.1.40"
 
 [dev-dependencies]
+tokio = { version = "1.27.0", features = ["macros", "rt", "rt-multi-thread"] }
 tokio-test = "0.4.2"
 tower-http = { version = "0.4.0", features = ["cors"] }
diff --git a/README.md b/README.md
@@ -28,9 +28,9 @@ Consider as well to use the [crate unit tests](https://github.com/LeoniePhiline/
 
 This middleware implements token transfer via [custom request headers](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers).
 
-The middleware requires and is built upon [`axum_sessions`](https://docs.rs/axum-sessions/), which in turn uses [`async_session`](https://docs.rs/async-session/).
+The middleware requires and is built upon [`tower_sessions`](https://docs.rs/tower-sessions/).
 
-The current version is built for and works with `axum 0.6.x`, `axum-sessions 0.5.x` and `async_session 3.x`.
+The current version is built for and works with `axum 0.6.x`, `tower-sessions 0.4.x`.
 
 There will be support for `axum 0.7` and later versions.
 
@@ -67,7 +67,7 @@ See ["Our RNGs"](https://rust-random.github.io/book/guide-rngs.html#cryptographi
 
 The security of the underlying session is paramount - the CSRF prevention methods applied can only be as secure as the session carrying the server-side token.
 
-- When creating your [SessionLayer](https://docs.rs/axum-sessions/latest/axum_sessions/struct.SessionLayer.html), make sure to use at least 64 bytes of cryptographically secure randomness.
+- When creating your [SessionManagerLayer](https://docs.rs/tower-sessions/latest/tower_sessions/struct.SessionManagerLayer.html)
 - Do not lower the secure defaults: Keep the session cookie's `secure` flag **on**.
 - Use the strictest possible same-site policy.
 
@@ -105,16 +105,15 @@ Configure your session and CSRF protection layer in your backend application:
 
 ```rust
 use axum::{
+    BoxError,
     body::Body,
     http::StatusCode,
     routing::{get, Router},
+    error_handling::HandleErrorLayer,
 };
+use tower::ServiceBuilder;
 use axum_csrf_sync_pattern::{CsrfLayer, RegenerateToken};
-use axum_sessions::{async_session::MemoryStore, SessionLayer};
-use rand::RngCore;
-
-let mut secret = [0; 64];
-rand::thread_rng().try_fill_bytes(&mut secret).unwrap();
+use tower_sessions::{MemoryStore, SessionManagerLayer};
 
 async fn handler() -> StatusCode {
     StatusCode::OK
@@ -136,7 +135,12 @@ let app = Router::new()
      // Default: "_csrf_token"
      .session_key("_custom_session_key")
  )
- .layer(SessionLayer::new(MemoryStore::new(), &secret));
+ .layer(ServiceBuilder::new()
+    .layer(HandleErrorLayer::new(|_: BoxError| async {
+        StatusCode::BAD_REQUEST
+    }))
+    .layer(SessionManagerLayer::new(MemoryStore::default())));
+
 
 // Use hyper to run `app` as service and expose on a local port or socket.
 ```
@@ -175,37 +179,41 @@ Configure your CORS layer, session and CSRF protection layer in your backend app
 
 ```rust
 use axum::{
+    BoxError,
     body::Body,
     http::{header, Method, StatusCode},
     routing::{get, Router},
+    error_handling::HandleErrorLayer,
 };
+use tower::ServiceBuilder;
 use axum_csrf_sync_pattern::{CsrfLayer, RegenerateToken};
-use axum_sessions::{async_session::MemoryStore, SessionLayer};
-use rand::RngCore;
+use tower_sessions::{MemoryStore, SessionManagerLayer};
 use tower_http::cors::{AllowOrigin, CorsLayer};
 
-let mut secret = [0; 64];
-rand::thread_rng().try_fill_bytes(&mut secret).unwrap();
-
 async fn handler() -> StatusCode {
     StatusCode::OK
 }
 
 let app = Router::new()
- .route("/", get(handler).post(handler))
- .layer(
-     // See example above for custom layer configuration.
-     CsrfLayer::new()
- )
- .layer(SessionLayer::new(MemoryStore::new(), &secret))
- .layer(
-     CorsLayer::new()
-         .allow_origin(AllowOrigin::list(["https://www.example.com".parse().unwrap()]))
-         .allow_methods([Method::GET, Method::POST])
-         .allow_headers([header::CONTENT_TYPE, "X-CSRF-TOKEN".parse().unwrap()])
-         .allow_credentials(true)
-         .expose_headers(["X-CSRF-TOKEN".parse().unwrap()]),
-);
+  .route("/", get(handler).post(handler))
+  .layer(
+      // See example above for custom layer configuration.
+      CsrfLayer::new()
+  )
+  .layer(ServiceBuilder::new()
+      .layer(HandleErrorLayer::new(|_: BoxError| async {
+          StatusCode::BAD_REQUEST
+      }))
+      .layer(SessionManagerLayer::new(MemoryStore::default()))
+      .layer(
+          CorsLayer::new()
+              .allow_origin(AllowOrigin::list(["https://www.example.com".parse().rap()]))
+              .allow_methods([Method::GET, Method::POST])
+              .allow_headers([header::CONTENT_TYPE, "X-CSRF-TOKEN".parse().unwrap()])
+              .allow_credentials(true)
+              .expose_headers(["X-CSRF-TOKEN".parse().unwrap()]),
+      )
+  );
 
 // Use hyper to run `app` as service and expose on a local port or socket.
 ```
diff --git a/examples/cross-site/Cargo.toml b/examples/cross-site/Cargo.toml
@@ -8,9 +8,8 @@ publish = false
 [dependencies]
 axum = "0.6.16"
 axum-csrf-sync-pattern = { path = "../../" }
-axum-sessions = "0.5.0"
+tower-sessions = "0.4.3"
 color-eyre = "0.6.2"
-rand = "0.8.5"
 tokio = { version = "1.27.0", features = ["macros", "rt", "rt-multi-thread"] }
 tower = "0.4.13"
 tower-http = { version = "0.4.0", features = ["cors"] }
diff --git a/examples/cross-site/src/main.rs b/examples/cross-site/src/main.rs
@@ -1,15 +1,17 @@
 use std::net::SocketAddr;
 
 use axum::{
+    BoxError,
     http::{header, Method, StatusCode},
     response::IntoResponse,
     routing::{get, Router},
+    error_handling::HandleErrorLayer,
     Server,
 };
+use tower::ServiceBuilder;
 use axum_csrf_sync_pattern::CsrfLayer;
-use axum_sessions::{async_session::MemoryStore, SessionLayer};
+use tower_sessions::{MemoryStore, SessionManagerLayer};
 use color_eyre::eyre::{self, eyre, WrapErr};
-use rand::RngCore;
 use tower_http::cors::{AllowOrigin, CorsLayer};
 
 #[tokio::main]
@@ -33,41 +35,41 @@ async fn main() -> eyre::Result<()> {
     };
 
     let backend = async {
-        let mut secret = [0; 64];
-        rand::thread_rng()
-            .try_fill_bytes(&mut secret)
-            .wrap_err("Failed to generate session seed.")?;
-
         let app = Router::new()
             .route("/", get(get_token).post(post_handler))
             .layer(CsrfLayer::new())
-            .layer(SessionLayer::new(MemoryStore::new(), &secret))
-            .layer(
-                CorsLayer::new()
-                    .allow_origin(AllowOrigin::list([
-                        // Allow CORS requests from our frontend.
-                        "http://127.0.0.1:3000"
-                            .parse()
-                            .wrap_err("Failed to parse socket address.")?,
-                    ]))
-                    // Allow GET and POST methods. Adjust to your needs.
-                    .allow_methods([Method::GET, Method::POST])
-                    .allow_headers([
-                        // Allow incoming CORS requests to use the Content-Type header,
-                        header::CONTENT_TYPE,
-                        // as well as the `CsrfLayer` default request header.
-                        "X-CSRF-TOKEN"
+            .layer(ServiceBuilder::new()
+                .layer(HandleErrorLayer::new(|_: BoxError| async {
+                    StatusCode::BAD_REQUEST
+                }))
+                .layer(SessionManagerLayer::new(MemoryStore::default()))
+                .layer(
+                    CorsLayer::new()
+                        .allow_origin(AllowOrigin::list([
+                            // Allow CORS requests from our frontend.
+                            "http://127.0.0.1:3000"
+                                .parse()
+                                .wrap_err("Failed to parse socket address.")?,
+                        ]))
+                        // Allow GET and POST methods. Adjust to your needs.
+                        .allow_methods([Method::GET, Method::POST])
+                        .allow_headers([
+                            // Allow incoming CORS requests to use the Content-Type header,
+                            header::CONTENT_TYPE,
+                            // as well as the `CsrfLayer` default request header.
+                            "X-CSRF-TOKEN"
+                                .parse()
+                                .wrap_err("Failed to parse token header.")?,
+                        ])
+                        // Allow CORS requests with session cookies.
+                        .allow_credentials(true)
+                        // Instruct the browser to allow JavaScript on the configured origin
+                        // to read the `CsrfLayer` default response header.
+                        .expose_headers(["X-CSRF-TOKEN"
                             .parse()
-                            .wrap_err("Failed to parse token header.")?,
-                    ])
-                    // Allow CORS requests with session cookies.
-                    .allow_credentials(true)
-                    // Instruct the browser to allow JavaScript on the configured origin
-                    // to read the `CsrfLayer` default response header.
-                    .expose_headers(["X-CSRF-TOKEN"
-                        .parse()
-                        .wrap_err("Failed to parse token header.")?]),
-            );
+                            .wrap_err("Failed to parse token header.")?]),
+                ));
+           
 
         serve(app, 4000).await?;
 
diff --git a/examples/same-site/Cargo.toml b/examples/same-site/Cargo.toml
@@ -8,9 +8,8 @@ publish = false
 [dependencies]
 axum = "0.6.16"
 axum-csrf-sync-pattern = { path = "../../" }
-axum-sessions = "0.5.0"
+tower-sessions = "0.4.3"
 color-eyre = "0.6.2"
-rand = "0.8.5"
 tokio = { version = "1.27.0", features = ["macros", "rt", "rt-multi-thread"] }
 tower = "0.4.13"
 tracing-subscriber = "0.3.16"
diff --git a/examples/same-site/src/main.rs b/examples/same-site/src/main.rs
@@ -1,13 +1,15 @@
 use axum::{
+    BoxError,
     http::{header, StatusCode},
     response::IntoResponse,
     routing::get,
+    error_handling::HandleErrorLayer,
     Server,
 };
+use tower::ServiceBuilder;
 use axum_csrf_sync_pattern::CsrfLayer;
-use axum_sessions::{async_session::MemoryStore, SessionLayer};
+use tower_sessions::{MemoryStore, SessionManagerLayer};
 use color_eyre::eyre::{self, eyre, WrapErr};
-use rand::RngCore;
 
 #[tokio::main]
 async fn main() -> eyre::Result<()> {
@@ -20,15 +22,14 @@ async fn main() -> eyre::Result<()> {
         .map_err(|e| eyre!(e))
         .wrap_err("Failed to initialize tracing-subscriber.")?;
 
-    let mut secret = [0; 64];
-    rand::thread_rng()
-        .try_fill_bytes(&mut secret)
-        .wrap_err("Failed to generate session seed.")?;
-
     let app = axum::Router::new()
         .route("/", get(index).post(handler))
         .layer(CsrfLayer::new())
-        .layer(SessionLayer::new(MemoryStore::new(), &secret));
+        .layer(ServiceBuilder::new()
+            .layer(HandleErrorLayer::new(|_: BoxError| async {
+                StatusCode::BAD_REQUEST
+            }))
+            .layer(SessionManagerLayer::new(MemoryStore::default())));
 
     // Visit "http://127.0.0.1:3000/" in your browser.
     Server::try_bind(
diff --git a/src/lib.rs b/src/lib.rs
