ultimo 0.5.0

Modern Rust web framework with automatic TypeScript client generation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

//! Session configuration.

use crate::cookie::SameSite;
use std::time::Duration;

/// Session middleware configuration. Secure-by-default.
#[derive(Debug, Clone)]
pub struct SessionConfig {
    /// Name of the session-id cookie.
    pub cookie_name: String,
    /// Server-side + cookie lifetime.
    pub ttl: Duration,
    /// `HttpOnly` cookie attribute (default true).
    pub http_only: bool,
    /// `Secure` cookie attribute (default true).
    pub secure: bool,
    /// `SameSite` cookie attribute (default Lax).
    pub same_site: SameSite,
    /// Cookie `Path` (default "/").
    pub path: String,
}

impl Default for SessionConfig {
    fn default() -> Self {
        Self {
            cookie_name: "ultimo_sid".to_string(),
            ttl: Duration::from_secs(60 * 60 * 24),
            http_only: true,
            secure: true,
            same_site: SameSite::Lax,
            path: "/".to_string(),
        }
    }
}

impl SessionConfig {
    /// Set the session cookie name.
    pub fn cookie_name(mut self, n: impl Into<String>) -> Self {
        self.cookie_name = n.into();
        self
    }
    /// Set the session lifetime.
    pub fn ttl(mut self, ttl: Duration) -> Self {
        self.ttl = ttl;
        self
    }
    /// Set the `Secure` attribute (disable only for local HTTP dev).
    pub fn secure(mut self, v: bool) -> Self {
        self.secure = v;
        self
    }
    /// Set the `SameSite` attribute.
    pub fn same_site(mut self, v: SameSite) -> Self {
        self.same_site = v;
        self
    }

    /// Validate invariants. `SameSite=None` requires `Secure` (browser rule).
    /// Panics on violation — a misconfigured session is a programming error.
    pub fn validated(self) -> Self {
        if self.same_site == SameSite::None && !self.secure {
            panic!("SessionConfig: SameSite=None requires secure=true");
        }
        self
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn secure_defaults() {
        let c = SessionConfig::default();
        assert!(c.http_only && c.secure);
        assert_eq!(c.same_site, SameSite::Lax);
    }

    #[test]
    #[should_panic(expected = "SameSite=None requires secure")]
    fn samesite_none_requires_secure() {
        SessionConfig::default()
            .same_site(SameSite::None)
            .secure(false)
            .validated();
    }
}