runique 2.0.0

A Django-inspired web framework for Rust with ORM, templates, and comprehensive security middleware
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

//! Axum `Prisme<T>` extractor: Sentinel → CSRF → Aegis → form deserialization pipeline.
use crate::forms::{
    field::RuniqueForm,
    prisme::{aegis, csrf_gate, sentinel},
};
use crate::utils::{
    aliases::{ARuniqueConfig, ATera, StrMap, StrVecMap},
    trad::t,
};

use axum::{
    body::Body,
    extract::{FromRequest, FromRequestParts, Path},
    http::{Request, StatusCode},
    response::{IntoResponse, Response},
};
use std::collections::HashMap;

/// Prism: Sentinel -> CSRF -> Aegis pipeline (extraction)
pub struct Prisme<T>(pub T);

/// Reusable pipeline function: Sentinel -> CSRF -> Aegis
pub async fn prisme<S, T>(req: Request<Body>, state: &S) -> Result<Prisme<T>, Response>
where
    S: Send + Sync,
    T: RuniqueForm,
{
    // Sentinel: dependencies + access rules
    let tera = req.extensions().get::<ATera>().cloned().ok_or_else(|| {
        (
            StatusCode::INTERNAL_SERVER_ERROR,
            t("forms.tera_not_configured").to_string(),
        )
            .into_response()
    })?;

    let config = req
        .extensions()
        .get::<ARuniqueConfig>()
        .cloned()
        .ok_or_else(|| {
            (
                StatusCode::INTERNAL_SERVER_ERROR,
                t("forms.config_not_found").to_string(),
            )
                .into_response()
        })?;

    sentinel(&req, &config).map_err(|boxed| *boxed)?;

    let csrf_session = req
        .extensions()
        .get::<crate::utils::csrf::CsrfToken>()
        .cloned()
        .ok_or_else(|| {
            (
                StatusCode::INTERNAL_SERVER_ERROR,
                t("csrf.missing").to_string(),
            )
                .into_response()
        })?;

    let method = req.method().clone();

    let content_type = req
        .headers()
        .get("content-type")
        .and_then(|v| v.to_str().ok())
        .unwrap_or("")
        .to_string();

    // Extraction of URL parameters before consuming the body
    let (mut parts, body) = req.into_parts();

    let path_params = Path::<HashMap<String, String>>::from_request_parts(&mut parts, state)
        .await
        .map(|Path(p)| p)
        .unwrap_or_default();

    let query_params = parts
        .uri
        .query()
        .and_then(|q| serde_urlencoded::from_str::<HashMap<String, String>>(q).ok())
        .unwrap_or_default();

    let req = Request::from_parts(parts, body);

    // Aegis (extraction): single read of the body
    let parsed = aegis(req, state, config.clone(), &content_type).await?;

    // CSRF gate: early check on parsed data
    if let Some(prisme) =
        csrf_gate::<T>(&parsed, csrf_session.as_str(), tera.clone(), &method).await?
    {
        return Ok(prisme);
    }

    let form_data = convert_for_form(parsed);

    // Pass the masked token to the form: hidden fields and re-renders
    // then contain a base64 token consistent with AJAX validation (X-CSRF-Token).
    let csrf_for_form = csrf_session
        .masked()
        .unwrap_or_else(|_| csrf_session.clone());
    let mut form = T::build_with_data(&form_data, tera, csrf_for_form.as_str(), method).await;
    form.get_form_mut()
        .set_url_params(path_params, query_params);

    Ok(Prisme(form))
}

impl<S, T> FromRequest<S> for Prisme<T>
where
    S: Send + Sync,
    T: RuniqueForm,
{
    type Rejection = Response;

    async fn from_request(req: Request<Body>, state: &S) -> Result<Self, Self::Rejection> {
        prisme(req, state).await
    }
}

fn convert_for_form(parsed: StrVecMap) -> StrMap {
    parsed.into_iter().map(|(k, v)| (k, v.join(","))).collect()
}