update for latest security-focused changes to async-session

Author: jbr

Cargo.toml

@@ -7,10 +7,6 @@ edition = "2018"
 [dependencies]
 redis = { version = "0.16.0", features = ["aio"] }
 async-session = "1.0.2"
-serde = "1.0.114"
-serde_json = "1.0.56"
-async-trait = "0.1.36"
-http-types = "2.2.1"
 
 [patch.crates-io]
 async-session = { git = "https://github.com/jbr/async-session", branch = "tide" }

src/lib.rs

@@ -1,69 +1,103 @@
-use async_session::{uuid::Uuid, Session, SessionStore};
-use http_types::cookies::Cookie;
-use redis::AsyncCommands;
-use redis::{Client, RedisError};
+use async_session::{async_trait, base64, serde_json, utils, Session, SessionStore};
+use redis::{AsyncCommands, Client, RedisError};
 use std::time::Duration;
 
-#[derive(Clone)]
+#[derive(Clone, Debug)]
 pub struct RedisSessionStore {
     client: Client,
     ttl: Duration,
+    prefix: Option<String>,
 }
 
 impl RedisSessionStore {
     pub fn from_client(client: Client) -> Self {
         Self {
             client,
             ttl: Duration::from_secs(86400),
+            prefix: None,
         }
     }
 
     pub fn new(connection_info: impl redis::IntoConnectionInfo) -> Result<Self, RedisError> {
         Ok(Self::from_client(Client::open(connection_info)?))
     }
+
+    pub fn with_prefix(mut self, prefix: String) -> Self {
+        self.prefix = Some(prefix);
+        self
+    }
+
+    pub fn with_ttl(mut self, ttl: Duration) -> Self {
+        self.ttl = ttl;
+        self
+    }
+
+    fn prefix_key(&self, key: impl AsRef<str>) -> String {
+        if let Some(ref prefix) = self.prefix {
+            format!("{}{}", prefix, key.as_ref())
+        } else {
+            key.as_ref().into()
+        }
+    }
+
+    async fn connection(&self) -> redis::RedisResult<redis::aio::Connection> {
+        self.client.get_async_std_connection().await
+    }
 }
 
-#[async_trait::async_trait]
+#[async_trait]
 impl SessionStore for RedisSessionStore {
     type Error = Error;
 
-    async fn load_session(&self, cookie: Cookie<'_>) -> Result<Option<Session>, Self::Error> {
-        let mut connection = self.client.get_async_std_connection().await?;
-        let value: String = connection.get(cookie.value()).await?;
-        let session: Session = serde_json::from_str(&value)?;
-        Ok(Some(session))
+    async fn load_session(&self, cookie_value: String) -> Option<Session> {
+        let id = utils::id_from_string(&cookie_value).ok()?;
+        let mut connection = self.connection().await.ok()?;
+        match connection.get::<_, Option<String>>(id).await.ok()? {
+            Some(value) => serde_json::from_str(&value).ok()?,
+            None => None,
+        }
     }
 
-    async fn store_session(&self, session: Session) -> Result<String, Self::Error> {
+    async fn store_session(&self, mut session: Session) -> Option<String> {
         let id = session.id();
-        let mut connection = self.client.get_async_std_connection().await?;
-        let string = serde_json::to_string(&session)?;
+        let string = serde_json::to_string(&session).ok()?;
 
-        let _: () = connection
-            .set_ex(&id, string, self.ttl.as_secs() as usize)
-            .await?;
+        let mut connection = self.connection().await.ok()?;
+        connection
+            .set_ex::<_, _, ()>(id, string, self.ttl.as_secs() as usize)
+            .await
+            .ok()?;
+
+        session.take_cookie_value()
+    }
 
-        Ok(id)
+    async fn destroy_session(&self, session: Session) -> Result<(), Self::Error> {
+        self.connection()
+            .await?
+            .del::<_, ()>(self.prefix_key(session.id().to_string()))
+            .await?;
+        Ok(())
     }
 
-    async fn create_session(&self) -> Result<Session, Self::Error> {
-        let sess = Session::new();
-        sess.insert("id".to_string(), Uuid::new_v4().to_string());
-        Ok(sess)
+    async fn clear_store(&self) -> Result<(), Self::Error> {
+        self.connection().await?.del(self.prefix_key("*")).await?;
+        Ok(())
     }
 }
 
 #[derive(Debug)]
 pub enum Error {
     RedisError(RedisError),
     SerdeError(serde_json::Error),
+    Base64Error(base64::DecodeError),
 }
 
 impl std::fmt::Display for Error {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
             Error::RedisError(e) => e.fmt(f),
             Error::SerdeError(e) => e.fmt(f),
+            Error::Base64Error(e) => e.fmt(f),
         }
     }
 }
@@ -74,6 +108,12 @@ impl From<serde_json::Error> for Error {
     }
 }
 
+impl From<base64::DecodeError> for Error {
+    fn from(e: base64::DecodeError) -> Self {
+        Self::Base64Error(e)
+    }
+}
+
 impl From<RedisError> for Error {
     fn from(e: RedisError) -> Self {
         Self::RedisError(e)