rune_axum_stack/

lib.rs

//! All-in-one security middleware stack for Axum.
//!
//! Composes up to six [`tower::Layer`]s from the `rune-axum-*` family into a single
//! [`SecurityStack::apply`] call: security headers, CSRF protection, rate limiting, IP
//! filtering, HTTPS redirect, and body size limiting. Every layer is individually
//! configurable or removable via builder methods.
//!
//! Re-exports the configuration types from each component crate — you only need
//! `rune-axum-stack` in `[dependencies]`.
//!
//! # Default stack
//!
//! [`SecurityStack::default()`] enables five layers with safe defaults:
//!
//! | Layer | Default |
//! |-------|---------|
//! | [`HelmetLayer`] | Standard security headers (no HSTS/CSP — opt-in) |
//! | [`RedirectHttpsLayer`] | 308 permanent redirect for HTTP requests |
//! | [`RateLimitLayer`] | 100 requests per 60 s keyed by `X-Forwarded-For` |
//! | [`BodyLimitLayer`] | 1 MiB `Content-Length` limit |
//! | [`CsrfLayer`] | Double-submit cookie on POST / PUT / PATCH / DELETE |
//!
//! IP filtering ([`IpFilterLayer`]) is **not** included by default — it requires explicit
//! CIDR configuration via [`.ipfilter()`][SecurityStack::ipfilter].
//!
//! # Features
//!
//! - Six `rune-axum-*` layers composed into one [`SecurityStack::apply`] call.
//! - Every layer is individually configurable or removable — use only what you need.
//! - Outermost-first ordering: security headers wrap all rejection responses (rate-limit
//!   `429`, CSRF `403`, IP-filter `403`, etc.).
//! - Re-exports all config types — one crate in `[dependencies]` is enough.
//! - Works with any Axum router state (`Router<S>`).
//!
//! # Quick Start
//!
//! ```rust,no_run
//! use axum::{routing::get, Router};
//! use rune_axum_stack::SecurityStack;
//!
//! let app: Router = SecurityStack::default().apply(
//!     Router::new().route("/", get(|| async { "ok" })),
//! );
//! ```
//!
//! # Custom Configuration
//!
//! ```rust,no_run
//! use std::time::Duration;
//! use axum::{routing::get, Router};
//! use rune_axum_stack::{
//!     FilterMode, Helmet, IpFilterConfig, RateLimitConfig, SecurityStack, XFrameOptions,
//! };
//!
//! let app: Router = SecurityStack::new()
//!     .helmet(Helmet::new().frame_options(XFrameOptions::Deny))
//!     .ratelimit(RateLimitConfig::new().requests(200).window(Duration::from_secs(30)))
//!     .ipfilter(IpFilterConfig::new().mode(FilterMode::Blocklist).cidr("10.0.0.0/8"))
//!     .without_csrf()
//!     .apply(Router::new().route("/", get(|| async { "ok" })));
//! ```

pub use rune_axum_csrf::{CsrfConfig, CsrfLayer, CsrfService};
pub use rune_axum_helmet::{
    CrossOriginEmbedderPolicy, CrossOriginOpenerPolicy, CrossOriginResourcePolicy, Helmet,
    HelmetLayer, Hsts, ReferrerPolicy, XFrameOptions,
};
pub use rune_axum_ipfilter::{FilterMode, IpFilterConfig, IpFilterLayer, IpFilterService, IpSource};
pub use rune_axum_ratelimit::{KeyExtractor, RateLimitConfig, RateLimitLayer, RateLimitService};
pub use rune_axum_redirect_https::{RedirectHttps, RedirectHttpsLayer};
pub use rune_axum_size::{BodyLimit, BodyLimitLayer, BodyLimitService};

/// Composable security middleware stack for Axum.
///
/// Holds an optional configuration for each supported layer. Layers set to `None` are
/// skipped in [`apply`][SecurityStack::apply]. Start from [`SecurityStack::default()`]
/// for safe production defaults, or [`SecurityStack::new()`] for the same starting point
/// and chain builder methods to customise or disable individual layers.
///
/// # Layer application order
///
/// Layers are applied outermost-first in the following order, so each layer's rejection
/// response is still wrapped by the layers before it (e.g. security headers appear on
/// rate-limit rejections):
///
/// `helmet` → `redirect_https` → `ipfilter` → `ratelimit` → `body_limit` → `csrf` → handler
///
/// # Examples
///
/// ```rust,no_run
/// use axum::{routing::get, Router};
/// use rune_axum_stack::SecurityStack;
///
/// // Five-layer default stack
/// let app: Router = SecurityStack::default().apply(
///     Router::new().route("/api", get(|| async { "ok" })),
/// );
/// ```
///
/// ```rust,no_run
/// use axum::{routing::post, Router};
/// use rune_axum_stack::SecurityStack;
///
/// // REST API: no CSRF, no HTTPS redirect (TLS terminated upstream)
/// let app: Router = SecurityStack::new()
///     .without_csrf()
///     .without_redirect_https()
///     .apply(Router::new().route("/api/data", post(|| async { "ok" })));
/// ```
#[derive(Clone, Debug)]
pub struct SecurityStack {
    helmet: Option<Helmet>,
    csrf: Option<CsrfConfig>,
    ratelimit: Option<RateLimitConfig>,
    ipfilter: Option<IpFilterConfig>,
    redirect_https: Option<RedirectHttps>,
    body_limit: Option<BodyLimit>,
}

impl Default for SecurityStack {
    fn default() -> Self {
        Self {
            helmet: Some(Helmet::new()),
            csrf: Some(CsrfConfig::new()),
            ratelimit: Some(RateLimitConfig::new()),
            ipfilter: None,
            redirect_https: Some(RedirectHttps::new()),
            body_limit: Some(BodyLimit::new()),
        }
    }
}

impl SecurityStack {
    /// Creates a `SecurityStack` with the same safe defaults as [`Default`].
    ///
    /// # Examples
    ///
    /// ```rust,no_run
    /// use axum::{routing::get, Router};
    /// use rune_axum_stack::SecurityStack;
    ///
    /// let app: Router = SecurityStack::new()
    ///     .without_csrf()
    ///     .apply(Router::new().route("/", get(|| async { "ok" })));
    /// ```
    pub fn new() -> Self {
        Self::default()
    }

    /// Replaces the [`HelmetLayer`] configuration.
    pub fn helmet(mut self, config: Helmet) -> Self {
        self.helmet = Some(config);
        self
    }

    /// Removes the [`HelmetLayer`] from the stack.
    pub fn without_helmet(mut self) -> Self {
        self.helmet = None;
        self
    }

    /// Replaces the [`CsrfLayer`] configuration.
    pub fn csrf(mut self, config: CsrfConfig) -> Self {
        self.csrf = Some(config);
        self
    }

    /// Removes the [`CsrfLayer`] from the stack.
    ///
    /// Useful for stateless APIs that authenticate via bearer tokens or API keys
    /// where traditional CSRF protection is not applicable.
    pub fn without_csrf(mut self) -> Self {
        self.csrf = None;
        self
    }

    /// Replaces the [`RateLimitLayer`] configuration.
    pub fn ratelimit(mut self, config: RateLimitConfig) -> Self {
        self.ratelimit = Some(config);
        self
    }

    /// Removes the [`RateLimitLayer`] from the stack.
    pub fn without_ratelimit(mut self) -> Self {
        self.ratelimit = None;
        self
    }

    /// Enables IP filtering with the given [`IpFilterConfig`].
    ///
    /// IP filtering is disabled by default; call this to opt in.
    pub fn ipfilter(mut self, config: IpFilterConfig) -> Self {
        self.ipfilter = Some(config);
        self
    }

    /// Removes the [`IpFilterLayer`] from the stack (the default state).
    pub fn without_ipfilter(mut self) -> Self {
        self.ipfilter = None;
        self
    }

    /// Replaces the [`RedirectHttpsLayer`] configuration.
    pub fn redirect_https(mut self, config: RedirectHttps) -> Self {
        self.redirect_https = Some(config);
        self
    }

    /// Removes the [`RedirectHttpsLayer`] from the stack.
    ///
    /// Suitable when TLS is terminated by an upstream proxy that never forwards
    /// plain HTTP to the application.
    pub fn without_redirect_https(mut self) -> Self {
        self.redirect_https = None;
        self
    }

    /// Replaces the [`BodyLimitLayer`] configuration.
    pub fn body_limit(mut self, config: BodyLimit) -> Self {
        self.body_limit = Some(config);
        self
    }

    /// Removes the [`BodyLimitLayer`] from the stack.
    pub fn without_body_limit(mut self) -> Self {
        self.body_limit = None;
        self
    }

    /// Applies all enabled layers to `router` and returns the wrapped router.
    ///
    /// Layers are composed outermost-first:
    /// `helmet` → `redirect_https` → `ipfilter` → `ratelimit` → `body_limit` → `csrf` → handler.
    ///
    /// # Examples
    ///
    /// ```rust,no_run
    /// use axum::{routing::get, Router};
    /// use rune_axum_stack::SecurityStack;
    ///
    /// let app: Router = SecurityStack::default().apply(
    ///     Router::new().route("/", get(|| async { "ok" })),
    /// );
    /// ```
    pub fn apply<S>(self, router: axum::Router<S>) -> axum::Router<S>
    where
        S: Clone + Send + Sync + 'static,
    {
        let mut r = router;

        // Applied first → innermost → last to process a request.
        if let Some(config) = self.csrf {
            r = r.layer(CsrfLayer::new(config));
        }
        if let Some(config) = self.body_limit {
            r = r.layer(BodyLimitLayer::new(config));
        }
        if let Some(config) = self.ratelimit {
            r = r.layer(RateLimitLayer::new(config));
        }
        if let Some(config) = self.ipfilter {
            r = r.layer(IpFilterLayer::new(config));
        }
        if let Some(config) = self.redirect_https {
            r = r.layer(RedirectHttpsLayer::new(config));
        }
        // Applied last → outermost → first to process a request.
        if let Some(config) = self.helmet {
            r = r.layer(HelmetLayer::new(config));
        }

        r
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use axum::{
        body::Body,
        routing::{get, post},
        Router,
    };
    use http::StatusCode;
    use tower::ServiceExt;

    fn base_router() -> Router {
        Router::new()
            .route("/", get(|| async { "ok" }))
            .route("/submit", post(|| async { "ok" }))
    }

    async fn send(app: Router, req: http::Request<Body>) -> http::Response<Body> {
        app.oneshot(req).await.unwrap()
    }

    fn get_req() -> http::Request<Body> {
        http::Request::builder()
            .method("GET")
            .uri("/")
            .header("x-forwarded-for", "1.2.3.4")
            .body(Body::empty())
            .unwrap()
    }

    fn post_req() -> http::Request<Body> {
        http::Request::builder()
            .method("POST")
            .uri("/submit")
            .header("x-forwarded-for", "1.2.3.4")
            .body(Body::empty())
            .unwrap()
    }

    #[tokio::test]
    async fn default_stack_allows_get() {
        let app = SecurityStack::default().apply(base_router());
        assert_eq!(send(app, get_req()).await.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn default_stack_sets_security_headers() {
        let app = SecurityStack::default().apply(base_router());
        let resp = send(app, get_req()).await;
        assert_eq!(resp.status(), StatusCode::OK);
        assert!(resp.headers().contains_key("x-content-type-options"));
        assert!(resp.headers().contains_key("x-frame-options"));
    }

    #[tokio::test]
    async fn default_stack_blocks_post_without_csrf_token() {
        let app = SecurityStack::default().apply(base_router());
        assert_eq!(send(app, post_req()).await.status(), StatusCode::FORBIDDEN);
    }

    #[tokio::test]
    async fn without_csrf_allows_post() {
        let app = SecurityStack::default().without_csrf().apply(base_router());
        assert_eq!(send(app, post_req()).await.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn custom_ratelimit_zero_blocks_request() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .ratelimit(RateLimitConfig::new().requests(0))
            .apply(base_router());
        assert_eq!(send(app, get_req()).await.status(), StatusCode::TOO_MANY_REQUESTS);
    }

    #[tokio::test]
    async fn without_ratelimit_passes() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .without_ratelimit()
            .apply(base_router());
        assert_eq!(send(app, get_req()).await.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn body_limit_rejects_oversized_request() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .body_limit(BodyLimit::new().limit(10))
            .apply(base_router());
        let req = http::Request::builder()
            .method("POST")
            .uri("/submit")
            .header("content-length", "100")
            .body(Body::empty())
            .unwrap();
        assert_eq!(send(app, req).await.status(), StatusCode::PAYLOAD_TOO_LARGE);
    }

    #[tokio::test]
    async fn custom_helmet_deny_frame_options() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .helmet(Helmet::new().frame_options(XFrameOptions::Deny))
            .apply(base_router());
        let resp = send(app, get_req()).await;
        assert_eq!(
            resp.headers().get("x-frame-options").unwrap().to_str().unwrap(),
            "DENY"
        );
    }

    #[tokio::test]
    async fn without_helmet_no_security_headers() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .without_helmet()
            .apply(base_router());
        let resp = send(app, get_req()).await;
        assert!(!resp.headers().contains_key("x-content-type-options"));
    }

    #[tokio::test]
    async fn redirect_https_triggers_on_forwarded_proto() {
        let app = SecurityStack::new()
            .without_csrf()
            .apply(base_router());
        let req = http::Request::builder()
            .method("GET")
            .uri("http://example.com/")
            .header("x-forwarded-proto", "http")
            .header("host", "example.com")
            .body(Body::empty())
            .unwrap();
        assert_eq!(send(app, req).await.status(), StatusCode::PERMANENT_REDIRECT);
    }

    #[tokio::test]
    async fn without_redirect_https_no_redirect() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .apply(base_router());
        let req = http::Request::builder()
            .method("GET")
            .uri("http://example.com/")
            .header("x-forwarded-proto", "http")
            .header("host", "example.com")
            .body(Body::empty())
            .unwrap();
        assert_eq!(send(app, req).await.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn ipfilter_blocks_configured_cidr() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .ipfilter(
                IpFilterConfig::new()
                    .mode(FilterMode::Blocklist)
                    .cidr("1.2.3.4/32"),
            )
            .apply(base_router());
        assert_eq!(send(app, get_req()).await.status(), StatusCode::FORBIDDEN);
    }

    #[tokio::test]
    async fn security_headers_present_on_rate_limit_rejection() {
        let app = SecurityStack::new()
            .without_csrf()
            .without_redirect_https()
            .ratelimit(RateLimitConfig::new().requests(0))
            .apply(base_router());
        let resp = send(app, get_req()).await;
        assert_eq!(resp.status(), StatusCode::TOO_MANY_REQUESTS);
        assert!(resp.headers().contains_key("x-content-type-options"));
    }

    #[tokio::test]
    async fn all_layers_disabled_passes_through() {
        let app = SecurityStack::new()
            .without_helmet()
            .without_csrf()
            .without_ratelimit()
            .without_ipfilter()
            .without_redirect_https()
            .without_body_limit()
            .apply(base_router());
        assert_eq!(send(app, get_req()).await.status(), StatusCode::OK);
    }
}