rustapi-extras 0.1.478

Production-ready middleware collection for RustAPI. Includes JWT auth, CORS, Rate Limiting, SQLx integration, and OpenTelemetry observability.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283

use super::config::CsrfConfig;
use super::token::CsrfToken;
use cookie::Cookie;
use http::{Method, StatusCode};
use rustapi_core::middleware::{BoxedNext, MiddlewareLayer};
use rustapi_core::{ApiError, IntoResponse, Request, Response};
use std::future::Future;
use std::pin::Pin;
use std::sync::Arc;

/// Middleware for CSRF protection using the Double-Submit Cookie pattern.
#[derive(Clone, Debug)]
pub struct CsrfLayer {
    config: Arc<CsrfConfig>,
}

impl CsrfLayer {
    /// Create a new CSRF middleware layer.
    pub fn new(config: CsrfConfig) -> Self {
        Self {
            config: Arc::new(config),
        }
    }
}

impl MiddlewareLayer for CsrfLayer {
    fn call(
        &self,
        mut req: Request,
        next: BoxedNext,
    ) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>> {
        let config = self.config.clone();

        Box::pin(async move {
            // 1. Extract existing token from cookie
            let existing_token = req
                .headers()
                .get(http::header::COOKIE)
                .and_then(|h| h.to_str().ok())
                .and_then(|cookie_str| {
                    cookie::Cookie::split_parse(cookie_str)
                        .filter_map(|c| c.ok())
                        .find(|c| c.name() == config.cookie_name)
                        .map(|c| c.value().to_string())
                })
                .map(CsrfToken::new);

            // 2. Determine the token to use for this request context
            // If existing, use it. If not, generate new.
            let (token, is_new) = match existing_token {
                Some(t) => (t, false),
                None => (CsrfToken::generate(config.token_length), true),
            };

            // 3. Store token in request extensions so handlers/templates can access it
            req.extensions_mut().insert(token.clone());

            // 4. Validate if unsafe method
            let method = req.method();
            let is_safe = matches!(
                *method,
                Method::GET | Method::HEAD | Method::OPTIONS | Method::TRACE
            );

            if !is_safe {
                // For unsafe methods, we MUST have received a matching token in the header
                let header_value = req
                    .headers()
                    .get(&config.header_name)
                    .and_then(|v| v.to_str().ok());

                let valid = match header_value {
                    Some(h_token) => h_token == token.as_str(),
                    None => false,
                };

                if !valid {
                    // Mismatch or missing header -> Forbidden
                    // If cookie was missing (is_new=true), it fails here too as header can't match.
                    // We return JSON error for consistency
                    return ApiError::new(
                        StatusCode::FORBIDDEN,
                        "csrf_forbidden",
                        "CSRF token validation failed",
                    )
                    .into_response();
                }
            }

            // 5. Proceed
            let mut response = next(req).await;

            // 6. Set cookie if new
            if is_new {
                let mut cookie =
                    Cookie::build((config.cookie_name.clone(), token.as_str().to_owned()))
                        .path(config.cookie_path.clone())
                        .secure(config.cookie_secure)
                        .http_only(config.cookie_http_only)
                        .same_site(config.cookie_same_site);

                if let Some(domain) = &config.cookie_domain {
                    cookie = cookie.domain(domain.clone());
                }

                // Note: Not setting max-age strictly to avoid dependency complexity in this snippets,
                // but usually recommended.

                let c = cookie.build();
                let header_value = c.to_string();

                response.headers_mut().append(
                    http::header::SET_COOKIE,
                    header_value
                        .parse()
                        .unwrap_or(http::header::HeaderValue::from_static("")),
                );
            }

            response
        })
    }

    fn clone_box(&self) -> Box<dyn MiddlewareLayer> {
        Box::new(self.clone())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use http::StatusCode;
    use rustapi_core::{get, post, RustApi};
    use rustapi_testing::{TestClient, TestRequest, TestResponse};

    async fn handler() -> &'static str {
        "ok"
    }

    #[tokio::test]
    async fn test_safe_method_generates_cookie() {
        let config = CsrfConfig::new().cookie_name("csrf_id");
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", get(handler));

        let client = TestClient::new(app);
        let res: TestResponse = client.get("/").await;

        assert_eq!(res.status(), StatusCode::OK);
        let cookies = res
            .headers()
            .get("set-cookie")
            .expect("No cookie set")
            .to_str()
            .unwrap();
        assert!(cookies.contains("csrf_id="));
    }

    #[tokio::test]
    async fn test_unsafe_method_without_cookie_fails() {
        let config = CsrfConfig::new();
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", post(handler));

        let client = TestClient::new(app);
        // POST without cookie or header
        let res: TestResponse = client.request(TestRequest::post("/")).await;

        assert_eq!(res.status(), StatusCode::FORBIDDEN);
    }

    #[tokio::test]
    async fn test_unsafe_method_valid_passes() {
        let config = CsrfConfig::new().cookie_name("ID").header_name("X-ID");
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", post(handler));

        let client = TestClient::new(app);
        let res: TestResponse = client
            .request(
                TestRequest::post("/")
                    .header("Cookie", "ID=token123")
                    .header("X-ID", "token123"),
            )
            .await;

        assert_eq!(res.status(), StatusCode::OK);
    }

    #[tokio::test]
    async fn test_unsafe_method_mismatch_fails() {
        let config = CsrfConfig::new().cookie_name("ID").header_name("X-ID");
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", post(handler));

        let client = TestClient::new(app);
        let res: TestResponse = client
            .request(
                TestRequest::post("/")
                    .header("Cookie", "ID=token123")
                    .header("X-ID", "wrongtoken"),
            )
            .await;

        assert_eq!(res.status(), StatusCode::FORBIDDEN);
    }

    #[tokio::test]
    async fn test_csrf_lifecycle() {
        let config = CsrfConfig::new()
            .cookie_name("token")
            .header_name("x-token");
        // Chain handlers on same route to avoid conflict
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", get(handler).post(handler));

        let client = TestClient::new(app);

        // 1. Initial GET to get token
        let res: TestResponse = client.get("/").await;
        assert_eq!(res.status(), StatusCode::OK);
        let set_cookie = res
            .headers()
            .get("set-cookie")
            .expect("No cookie set")
            .to_str()
            .unwrap();

        // Parse cookie value (simple parse for "token=VALUE; ...")
        let token_part = set_cookie.split(';').next().unwrap(); // "token=VALUE"
        let token_val = token_part.split('=').nth(1).unwrap();

        // 2. Unsafe POST with valid token
        let res: TestResponse = client
            .request(
                TestRequest::post("/")
                    .header("Cookie", token_part)
                    .header("x-token", token_val),
            )
            .await;
        assert_eq!(res.status(), StatusCode::OK);

        // 3. Unsafe POST with invalid token (Mismatch)
        let res: TestResponse = client
            .request(
                TestRequest::post("/")
                    .header("Cookie", token_part)
                    .header("x-token", "bad"),
            )
            .await;
        assert_eq!(res.status(), StatusCode::FORBIDDEN);
    }

    #[tokio::test]
    async fn test_token_extraction() {
        use crate::csrf::CsrfToken;

        async fn token_handler(token: CsrfToken) -> String {
            token.as_str().to_string()
        }

        let config = CsrfConfig::new().cookie_name("csrf_id");
        let app = RustApi::new()
            .layer(CsrfLayer::new(config))
            .route("/", get(token_handler));

        let client = TestClient::new(app);
        let res: TestResponse = client.get("/").await;

        assert_eq!(res.status(), StatusCode::OK);
        let body = res.text();
        assert!(!body.is_empty());

        // Verify token matches cookie
        let cookie_val = res.headers().get("set-cookie").unwrap().to_str().unwrap();
        assert!(cookie_val.contains(&body));
    }
}