ultimo 0.5.0

Modern Rust web framework with automatic TypeScript client generation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

//! Cookie-based session management.
//!
//! Enable with the `session` feature. Register the middleware with a store, then
//! read/write the session via [`Context::session`](crate::context::Context::session).
//!
//! ```
//! use ultimo::session::{session, MemoryStore, SessionConfig};
//! use ultimo::{Context, Ultimo};
//!
//! # async fn build() {
//! let mut app = Ultimo::new_without_defaults();
//! app.use_middleware(session(MemoryStore::new(), SessionConfig::default()));
//!
//! app.get("/login", |ctx: Context| async move {
//!     ctx.session().await.set("user_id", &42u64).await?;
//!     ctx.text("logged in").await
//! });
//! # }
//! ```

mod config;
mod middleware;
mod store;

pub use config::SessionConfig;
pub use middleware::session;
pub use store::{MemoryStore, SessionStore};

use crate::error::Result;
use serde::{de::DeserializeOwned, Serialize};
use std::collections::HashMap;
use std::sync::atomic::{AtomicBool, Ordering};
use std::sync::Arc;
use tokio::sync::RwLock;

/// Session payload: arbitrary JSON values keyed by string.
pub type SessionData = HashMap<String, serde_json::Value>;

/// A handle to the current session. Cheap to clone (shares inner state), so the
/// middleware and the handler observe the same session.
#[derive(Clone)]
pub struct Session {
    inner: Arc<SessionInner>,
}

struct SessionInner {
    id: RwLock<String>,
    data: RwLock<SessionData>,
    dirty: AtomicBool,
    destroyed: AtomicBool,
    regenerate: AtomicBool,
}

impl Session {
    pub(crate) fn new(id: String, data: SessionData) -> Self {
        Self {
            inner: Arc::new(SessionInner {
                id: RwLock::new(id),
                data: RwLock::new(data),
                dirty: AtomicBool::new(false),
                destroyed: AtomicBool::new(false),
                regenerate: AtomicBool::new(false),
            }),
        }
    }

    /// Current session id.
    pub async fn id(&self) -> String {
        self.inner.id.read().await.clone()
    }

    /// Get a typed value by key.
    pub async fn get<T: DeserializeOwned>(&self, key: &str) -> Result<Option<T>> {
        let data = self.inner.data.read().await;
        match data.get(key) {
            Some(v) => Ok(Some(serde_json::from_value(v.clone())?)),
            None => Ok(None),
        }
    }

    /// Set a typed value (marks the session dirty).
    pub async fn set<T: Serialize>(&self, key: &str, value: &T) -> Result<()> {
        let v = serde_json::to_value(value)?;
        self.inner.data.write().await.insert(key.to_string(), v);
        self.inner.dirty.store(true, Ordering::SeqCst);
        Ok(())
    }

    /// Remove a key (marks dirty).
    pub async fn remove(&self, key: &str) {
        self.inner.data.write().await.remove(key);
        self.inner.dirty.store(true, Ordering::SeqCst);
    }

    /// Clear all data (marks dirty).
    pub async fn clear(&self) {
        self.inner.data.write().await.clear();
        self.inner.dirty.store(true, Ordering::SeqCst);
    }

    /// Request a fresh session id on the next persist (session-fixation
    /// defense — call this on login / privilege change). The middleware
    /// generates the new id and destroys the old store entry.
    pub fn regenerate(&self) {
        self.inner.regenerate.store(true, Ordering::SeqCst);
        self.inner.dirty.store(true, Ordering::SeqCst);
    }

    /// Destroy the session (server-side entry + cookie are cleared).
    pub fn destroy(&self) {
        self.inner.destroyed.store(true, Ordering::SeqCst);
    }

    // --- internal accessors used by the middleware ---
    pub(crate) fn is_dirty(&self) -> bool {
        self.inner.dirty.load(Ordering::SeqCst)
    }
    pub(crate) fn is_destroyed(&self) -> bool {
        self.inner.destroyed.load(Ordering::SeqCst)
    }
    pub(crate) async fn snapshot(&self) -> SessionData {
        self.inner.data.read().await.clone()
    }
    pub(crate) fn wants_regenerate(&self) -> bool {
        self.inner.regenerate.load(Ordering::SeqCst)
    }
    pub(crate) async fn is_empty(&self) -> bool {
        self.inner.data.read().await.is_empty()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[tokio::test]
    async fn set_get_and_dirty() {
        let s = Session::new("id".into(), SessionData::new());
        assert!(!s.is_dirty());
        s.set("n", &7u32).await.unwrap();
        assert!(s.is_dirty());
        assert_eq!(s.get::<u32>("n").await.unwrap(), Some(7));
        assert!(!s.is_empty().await);
    }

    #[tokio::test]
    async fn regenerate_sets_flag() {
        let s = Session::new("old".into(), SessionData::new());
        assert!(!s.wants_regenerate());
        s.regenerate();
        assert!(s.wants_regenerate());
        assert!(s.is_dirty());
    }
}