axum-login doesn't work with encrypted or signed tower-sessions cookies
Elizafox opened this issue
- I have looked for existing issues (including closed) about this
Bug Report
Version
0.14.0
Platform
Darwin ember.local 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:17:35 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T8112 arm64
Crates
tower-sessions 0.11.1
Description
When passing in a SessionManagerLayer that uses encrypted and/or signed cookies, AuthManagerLayerBuilder no longer accepts the passed-in AuthManagerLayerBuilder with a compiler error:
--> src/web/app.rs:85:64
|
85 | let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer.clone()).build();
| ---------------------------- ^^^^^^^^^^^^^^^^^^^^^ expected `SessionManagerLayer<_>`, found `SessionManagerLayer<RedisStore<RedisPool>, ...>`
| |
| arguments to this function are incorrect
|
= note: expected struct `SessionManagerLayer<_, PlaintextCookie>`
found struct `SessionManagerLayer<RedisStore<tower_sessions_redis_store::fred::clients::RedisPool>, PrivateCookie>`
Changing the order of .with_private() and .with_signed() only changes the error slightly:
= note: expected struct `SessionManagerLayer<_, PlaintextCookie>`
found struct `SessionManagerLayer<RedisStore<tower_sessions_redis_store::fred::clients::RedisPool>, SignedCookie>
My speculation is that the private and signed features need to be re-exported in axum-login and passed onto tower-sessions, but I could be wrong.
I've been digging more into the issue. I think the issue is this:
The default trait used here is CookieController = PlaintextCookie:
https://github.com/maxcountryman/tower-sessions/blob/main/src/service.rs#L140
https://github.com/maxcountryman/tower-sessions/blob/main/src/service.rs#L278
These get copied into the bounds here:
https://github.com/maxcountryman/axum-login/blob/main/axum-login/src/service.rs#L106
https://github.com/maxcountryman/axum-login/blob/main/axum-login/src/service.rs#L115
https://github.com/maxcountryman/axum-login/blob/main/axum-login/src/service.rs#L128
Perhaps allow the cookie type to come in as a parameter also?
Thanks for reporting this.
Your diagnosis seems right to me, so perhaps default type parameters are not SemVer safe after all.
Or more specifically, the issue here is that we can only use the default, but that's a problem for anyone wanting to use SignedCookie and PrivateCookie.
I'm not sure what the "right" way to handle this is: ideally we don't need to yank the tower-sessions release but the release can't work with axum-login as-is (and presumably for other things written over tower-sessions in a similar way).
Should I file a bug in tower-sessions about this? I do think this is an issue on that end.
I cut a new minor version release of tower-sessions, so what we can do is cut a new minor version release of axum-login which updates to that (and supports the signed and private features properly).
I just cut 0.15.0 which should address this. If you run into other problems, please do let me know.
Thanks!
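The diagnosis in this thread, reduced to an added example that is not code from the thread, tower-sessions or axum-login: a wrapper that names the layer type without its cookie parameter silently pins it to the default, so signed and private layers are rejected until the wrapper is generic over the cookie controller. All types here are self-contained stand-ins, and `MemoryStore`, `build_plaintext_only` and `build_any` are hypothetical names.

```rust
use std::marker::PhantomData;

// Stand-ins for the cookie controllers named in the thread.
pub trait CookieController { const NAME: &'static str; }
pub struct PlaintextCookie;
pub struct SignedCookie;
pub struct PrivateCookie;
impl CookieController for PlaintextCookie { const NAME: &'static str = "plaintext"; }
impl CookieController for SignedCookie { const NAME: &'static str = "signed"; }
impl CookieController for PrivateCookie { const NAME: &'static str = "private"; }

pub struct MemoryStore; // hypothetical session store

// "Upstream" layer: the cookie parameter was added with a default.
pub struct SessionManagerLayer<Store, C: CookieController = PlaintextCookie> {
    _store: Store,
    _cookie: PhantomData<C>,
}
impl<Store> SessionManagerLayer<Store> {
    pub fn new(store: Store) -> Self {
        Self { _store: store, _cookie: PhantomData }
    }
}
impl<Store, C: CookieController> SessionManagerLayer<Store, C> {
    pub fn with_signed(self) -> SessionManagerLayer<Store, SignedCookie> {
        SessionManagerLayer { _store: self._store, _cookie: PhantomData }
    }
    pub fn with_private(self) -> SessionManagerLayer<Store, PrivateCookie> {
        SessionManagerLayer { _store: self._store, _cookie: PhantomData }
    }
}

// "Downstream" before: the elided parameter means PlaintextCookie, nothing else.
pub fn build_plaintext_only<Store>(_layer: SessionManagerLayer<Store>) -> &'static str {
    PlaintextCookie::NAME
}

// "Downstream" after: the cookie controller comes in as a type parameter.
pub fn build_any<Store, C: CookieController>(_layer: SessionManagerLayer<Store, C>) -> &'static str {
    C::NAME
}

fn main() {
    let signed = SessionManagerLayer::new(MemoryStore).with_signed();
    // build_plaintext_only(signed);
    // ^ mismatched types: expected `SessionManagerLayer<_, PlaintextCookie>`
    println!("{}", build_any(signed));
}
```

Uncommenting the `build_plaintext_only(signed)` call reproduces the shape of the reported error, which leaves a caller who wanted signed or encrypted session cookies with no way to build the auth layer without dropping back to plaintext.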