-
-
Notifications
You must be signed in to change notification settings - Fork 293
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added RequestContextStore, RequestContext and SignedPrivateCookieJar #633
base: master
Are you sure you want to change the base?
Conversation
@jondot @schungx Here is my current development plan and the key points I've summarized from the discussion. Please don't hesitate to correct me if I've missed anything that might lead to security issues. |
src/boot.rs
Outdated
@@ -205,6 +206,7 @@ pub async fn create_context<H: Hooks>(environment: &Environment) -> Result<AppCo | |||
queue: connect_redis(&config).await, | |||
storage: Storage::single(storage::drivers::null::new()).into(), | |||
cache: cache::Cache::new(cache::drivers::null::new()).into(), | |||
request_context: create_request_context_store(&config.request_context)?.into(), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what happens to request context when there is no request involved? for example tasks, workers ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm, that is a good point
Looks like a fantastic plan! |
I wonder if we can do something wrt cookie-based instead of just disallowing it for production. It is just the case that the hash resides on the client instead of on the server. If the server needs to read the hash, then obviously it'll fail -- not supported. If the server needs to write to the hash, for example to force-expire it, then it can potentially be queued up (Redis?) and replayed during the next response to be sent to the client (which will include the relevant cookie header to set the hash values). Would this be possible? EDIT: Come to think of it ... this may not be very useful. If I can store commands in Redis, I might as well put the session store there. Or in an in memory store. In this case, why not just make the in-memory store the default and be done with it? |
Cookie sessions can be useful across multiple servers, the pros and cons should be around the same as arguments between JWT tokens and session tokens |
Added SignedPrivateCookieJar for encrypting/decrypting and signing data between outcoming/incoming headers. Added testing for both functionality
# Conflicts: # Cargo.toml
I believe if the hash is on the client and is stored on the browser, it is still being sent, and received as-is, so if the server wants, it can access the hash via incoming cookie header. |
… middleware for external access
… middleware for external access
…ed request context functionality on demo layer
@jondot Sorry for postponing this ticket. I was trying out Ruby on Rails and experimenting it to get a better idea about how the request context being used and the feels in the framework. I am going to continue this ticket this week 👍. |
# Conflicts: # src/errors.rs
@yinho999 please note that we just pushed a request_id implementation to master (including some improvement in middleware run order), so that takes some effort off from your PR |
No worries, gonna remove my current implementation right now |
# Conflicts: # src/controller/app_routes.rs
…text - Updated imports and references to use `LocoRequestId` instead of `RequestId`. - Removed unused `request_id` module. - Adjusted `RequestContext` struct and methods to accommodate the new `LocoRequestId`. - Cleaned up unnecessary imports in `boot.rs`.
…text - Updated imports and references to use `LocoRequestId` instead of `RequestId`. - Removed unused `request_id` module. - Adjusted `RequestContext` struct and methods to accommodate the new `LocoRequestId`. - Cleaned up unnecessary imports in `boot.rs`.
- Introduced `create_request_context` and updated `get_request_context` in `mysession.rs` for managing request context data. - Added tests for setting and getting request context data in `mysession.rs`. - Updated `test.yaml` and `teste2e.yaml` to include request context configuration. - Minor refactoring and cleanup in `cookie.rs` and other test files.
… `DerefMut` traits
- Added `insert`, `get`, `remove`, and `clear` methods to `RequestContext` for session management. - Introduced `RequestContextError::DriverError` to handle driver-related errors. - Updated `create_request_context` and `get_request_context` functions in `mysession.rs` to use the new `RequestContext` methods.
# Conflicts: # examples/demo/tests/cmd/cli.trycmd
…ower session middleware
The changes in this PR focus on code formatting and documentation improvements: - Reorder imports to follow standard Rust style (std first, then external, then local) - Wrap long documentation lines to improve readability - Fix indentation and spacing issues - Remove unnecessary blank lines - Improve formatting consistency across the codebase
…or `cargo clippy`
# Conflicts: # Cargo.toml # examples/demo/Cargo.lock # loco-gen/src/model.rs # loco-gen/src/scaffold.rs
@kaplanelad @jondot Most of the features and tests are done. However, I couldn't figure out how to solve the failure tests from loco-new:ci. Would you mind providing me with some guidance? |
Moving to draft until this pr is ready for review |
# Conflicts: # examples/demo/src/app.rs # src/cli.rs
Goal
Configurability
Session
ctx
toreq
in function signatures:Cookies Store (Cookie)
PrivateCookieJar
) RailsCookies Security
Session Store (In Memory or Other Database)
Default Behavior
Documentation and Tooling
Additional Considerations Rails
Flash Messages(Optional)
Plan
Template