authzen-session

Utilities for managing user sessions in distributed key value stores.

Provides integrations with: - tower, for extracting and verifying sessions from http request cookies - axum, for extracting verified sessions from http request extensions in request handlers

Example

Note that this example would require the features account-session, redis-backend and one of axum-core-02 or axum-core-03 to be enabled. ```rs use axum::Router; use jsonwebtoken as jwt; use http::StatusCode; use hyper::{Body, Response}; use lazystatic::lazystatic; use serde::{Deserialize, Serialize}; use std::net::{IpAddr, Ipv4Addr, SocketAddr}; use tower::ServiceBuilder; use uuid::Uuid;

type AccountId = Uuid;

[derive(Clone, Debug, Deserialize, Serialize)]

pub struct AccountSessionFields { pub role_ids: Vec, }

// useful to alias the constructed AccountSession type in your application // to avoid needing to plug in these generics everywhere type AccountSession = authzen_session::AccountSession;

pub const ACCOUNTSESSIONJWTALGORITHM: jwt::Algorithm = jwt::Algorithm::RS512; lazystatic! { pub static ref ACCOUNTSESSIONDECODINGKEY: jwt::DecodingKey = { let jwtpubliccertificate = std::env::var("JWTPUBLICCERTIFICATE").expect("expected an environment variable JWTPUBLICCERTIFICATE to exist"); authzensession::parsedecodingkey(jwtpubliccertificate) }; pub static ref ACCOUNTSESSIONENCODINGKEY: jwt::EncodingKey = { let jwtprivatecertificate = std::env::var("JWTPRIVATECERTIFICATE").expect("expected an environment variable JWTPRIVATECERTIFICATE to exist"); authzensession::parseencodingkey(jwtprivatecertificate) }; pub static ref ACCOUNTSESSIONJWTVALIDATION: jwt::Validation = { let mut validation = jwt::Validation::new(ACCOUNTSESSIONJWTALGORITHM); validation.setissuer(&[ACCOUNTSISSUER]); validation.setrequiredspec_claims(&["exp", "iss", "sub"]); validation }; }

[tokio::main]

async fn main() { let accountsessionstore = accountsessionstore();

let middleware = ServiceBuilder::new()
    // additional layers
    //
    // this layer will attempt to extract an account session from an inbound
    // http request by deserializing its cookies, verifying their signature,
    // retrieving the corresponding session data from a distributed key-value
    // store (Redis in this example), and inserting the session data as an
    // extension on the http request
    .layer(authzen_session::SessionLayer::<AccountSession, _, _, _>::encoded(
        account_session_store.clone(),
        std::env::var("SESSION_JWT_PUBLIC_CERTIFICATE")?,
        &ACCOUNT_SESSION_JWT_VALIDATION,
    ))
    // additional layers
    .into_inner();

let router = Router::new()
    .post("/sign-in", sign_in)
    .get("/my-account-id", my_account_id);

let app = router
    .layer(Extension(account_session_store))
    .layer(middleware);

axum::Server::bind(&SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 8080))
    .serve(app.into_make_service())
    .with_graceful_shutdown(service_util::shutdown_signal())
    .await?;

Ok(())

}

// creates a redis session store with decoded tokens of type // authzen_session::AccountSession<Uuid, AccountSessionFields> which is equivalent to // authzen_session::Session<authzen_session::AccountSessionToken<authzen_session::AccountSessionClaims<Uuid, AccountSessionFields>>> pub async fn accountsessionstore() -> Result { authzensession::redisstorestandalone( RedisStoreConfig { keyname: "sessionid", key: std::env::var("SESSIONSECRET")?, username: std::env::var("REDISUSERNAME").ok(), password: std::env::var("REDISPASSWORD").ok(), }, RedisStoreNodeConfig { db: std::env::var("REDISDB").ok().map(|x| str::parse(&x)).transpose()?, host: std::env::var("REDISHOST")?, port: std::env::var("REDIS_PORT").ok().map(|x| str::parse(&x)).transpose()?, }, ) .await }

[derive(Deserialize)]

pub struct SignInPost { pub email: String, pub password: String, }

// test endpoint for creating sessions when a user signs in async fn signin( Extension(accountsessionstore): Extension, rawbody: RawBody, ) -> Result, StatusCode> { let signinpost: SignInPost = hyper::body::tobytes(body) .await .maperr(|| StatusCode::BADREQUEST) .andthen(|bytes| { serdejson::fromslice(&bytes) .maperr(|| StatusCode::BADREQUEST) })?;

// check email / password

let token = authzen_session::AccountSessionClaims::new_exp_in(
    AccountSessionState {
        account_id: db_account.id,
        fields: AccountSessionFields {
            role_ids: vec![],
        },
    },
    "my-service-name",
    chrono::Duration::hours(12),
)
.encode(
    &jwt::Header::new(ACCOUNT_SESSION_JWT_ALGORITHM),
    &ACCOUNT_SESSION_ENCODING_KEY,
)?;

let mut response = Response::new(Body::empty());
account_session_store
    .store_session_and_set_cookie(
        &mut response,
        authzen_session::CookieConfig::new(&token)
          .domain("example.org")
          .secure(false)
          .max_age(chrono::Duration::hours(12)),
        Some(format!("{}", db_account.id)),
    )
    .await?;

Ok(response)

}

// test endpoint for extracting sessions from requests if one is supplied and using them // note that Extension<Option<AccountSession>> is used and not Extension<AccountSession> // if no session is found for this request and we tried to extract the latter type, Axum will return // a typing error for us because it would be unable to retrieve all the arguments required to satisfy // this function's signature // using Option<AccountSession> allows us to return whatever response we choose if no session is found async fn myaccountid(Extension(session): Extension>) -> Result { let session = session.okor(StatusCode::BADREQUEST)?; Ok(*session.account_id()) } ```