Sputnik

A microframework based on Hyper providing traits to:

extend http::request::Parts with query parameter deserialization & cookie parsing
extend hyper::Body with form deserialization (and optional CSRF protection)
extend http::response::Builder with methods to set & delete cookies and set the Content-Type

Furthermore Sputnik provides what's necessary to implement signed & expiring cookies with the expiry date encoded into the signed cookie value, providing a more lightweight alternative to JWT if you don't need interoperability.

Sputnik does not handle routing. For most web applications matching on (method, path) suffices. If you need path variables, you can use one of the many router crates.

Sputnik encourages you to create your own error enum and implement From conversions for every error type, which you want to short-circuit with the ? operator. This can be easily done with thiserror because Sputnik restricts its error types to the 'static lifetime.

Example

```rust use std::convert::Infallible; use hyper::service::{servicefn, makeservice_fn}; use hyper::{Method, Server, StatusCode, Body}; use hyper::http::request::Parts; use hyper::http::response::Builder; use serde::Deserialize; use sputnik::{mime, request::{SputnikParts, SputnikBody}, response::SputnikBuilder}; use sputnik::request::CsrfProtectedFormError;

type Response = hyper::Response;

[derive(thiserror::Error, Debug)]

enum Error { #[error("page not found")] NotFound(String), #[error("{0}")] CsrfError(#[from] CsrfProtectedFormError) }

fn rendererror(err: Error) -> (StatusCode, String) { match err { Error::NotFound(msg) => (StatusCode::NOTFOUND, msg), Error::CsrfError(err) => (StatusCode::BADREQUEST, err.tostring()), } }

async fn route(req: &mut Parts, body: Body) -> Result { match (&req.method, req.uri.path()) { (&Method::GET, "/form") => Ok(getform(req)), (&Method::POST, "/form") => postform(req, body).await, _ => return Err(Error::NotFound("page not found".to_owned())) } }

fn getform(req: &mut Parts) -> Response { let mut response = Builder::new(); let csrfinput = req.csrfhtmlinput(&mut response); response.contenttype(mime::TEXTHTML).body( format!("

", csrf_input).into() ).unwrap() }

[derive(Deserialize)]

struct FormData {text: String}

async fn postform(req: &mut Parts, body: Body) -> Result { let msg: FormData = body.intoform_csrf(req).await?; Ok(Builder::new().body( format!("hello {}", msg.text).into() ).unwrap()) }

async fn service(req: hyper::Request) -> Result, Infallible> { let (mut parts, body) = req.intoparts(); match route(&mut parts, body).await { Ok(res) => Ok(res), Err(err) => { let (code, message) = rendererror(err); // you can easily wrap or log errors here Ok(hyper::Response::builder().status(code).body(message.into()).unwrap()) } } }

[tokio::main]

async fn main() { let service = makeservicefn(move || { async move { Ok::<_, hyper::Error>(servicefn(move |req| { service(req) })) } });

let addr = ([127, 0, 0, 1], 8000).into();
let server = Server::bind(&addr).serve(service);
println!("Listening on http://{}", addr);
server.await;

} ```

Signed & expiring cookies

After a successful authentication you can build a session id cookie for example as follows:

rust let expiry_date = OffsetDateTime::now_utc() + Duration::hours(24); let mut cookie = Cookie::new("userid", key.sign( &encode_expiring_claim(&userid, expiry_date) )); cookie.set_secure(Some(true)); cookie.set_expires(expiry_date); cookie.set_same_site(SameSite::Lax); resp.set_cookie(cookie);

This session id cookie can then be retrieved and verified as follows:

rust let userid = req.cookies().get("userid") .ok_or_else(|| "expected userid cookie".to_owned()) .and_then(|cookie| key.verify(cookie.value()) .and_then(|value| decode_expiring_claim(value).map_err(|e| format!("failed to decode userid cookie: {}", e)));

Tip: If you want to store multiple claims in the cookie, you can (de)serialize a struct with serde_json. This approach can pose a lightweight alternative to JWT, if you don't care about the standardization aspect.