maxcountryman / axum-login

🪪 User identification, authentication, and authorization for Axum.

axum-login doesn't work with encrypted or signed tower-sessions cookies

Elizafox opened this issue · comments

  • I have looked for existing issues (including closed) about this

Bug Report

Version

0.14.0

Platform

Darwin ember.local 22.6.0 Darwin Kernel Version 22.6.0: Wed Jul 5 22:17:35 PDT 2023; root:xnu-8796.141.3~6/RELEASE_ARM64_T8112 arm64

Crates

tower-sessions 0.11.1

Description

When passing in a SessionManagerLayer that uses encrypted and/or signed cookies, AuthManagerLayerBuilder no longer accepts the passed-in AuthManagerLayerBuilder with a compiler error:

   --> src/web/app.rs:85:64
    |
85  |         let auth_layer = AuthManagerLayerBuilder::new(backend, session_layer.clone()).build();
    |                          ----------------------------          ^^^^^^^^^^^^^^^^^^^^^ expected `SessionManagerLayer<_>`, found `SessionManagerLayer<RedisStore<RedisPool>, ...>`
    |                          |
    |                          arguments to this function are incorrect
    |
    = note: expected struct `SessionManagerLayer<_, PlaintextCookie>`
               found struct `SessionManagerLayer<RedisStore<tower_sessions_redis_store::fred::clients::RedisPool>, PrivateCookie>`

Changing the order of .with_private() and .with_signed() only changes the error slightly:

    = note: expected struct `SessionManagerLayer<_, PlaintextCookie>`
               found struct `SessionManagerLayer<RedisStore<tower_sessions_redis_store::fred::clients::RedisPool>, SignedCookie>`

My speculation is that the private and signed features need to be re-exported in axum-login and passed onto tower-sessions, but I could be wrong.

Thanks for reporting this.

Your diagnosis seems right to me, so perhaps default type parameters are not SemVer safe after all.

Or, more specifically, the issue here is that we can only use the default, but that's a problem for anyone wanting to use SignedCookie and PrivateCookie.

I'm not sure what the "right" way to handle this is: ideally we don't need to yank the tower-sessions release but the release can't work with axum-login as-is (and presumably for other things written over tower-sessions in a similar way).

Should I file a bug in tower-sessions about this? I do think this is an issue on that end.

I cut a new minor version release of tower-sessions, so what we can do is cut a new minor version release of axum-login which updates to that (and supports the signed and private features properly).

I just cut 0.15.0 which should address this. If you run into other problems, please do let me know.

Thanks!
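
The mismatch discussed in this thread, as an added std-only Rust sketch (not code from axum-login or tower-sessions): the types are simplified stand-ins named after those in the compiler error, and `build_default_only` / `build_generic` are hypothetical names. It shows why a signature that omits a defaulted type parameter accepts only the plaintext layer, and the generic shape that also accepts signed and private layers.

```rust
use std::marker::PhantomData;

// Simplified stand-ins for the cookie controllers named in the compiler error.
pub struct PlaintextCookie;
pub struct SignedCookie;
pub struct PrivateCookie;

pub trait CookieController {
    const NAME: &'static str;
}
impl CookieController for PlaintextCookie { const NAME: &'static str = "plaintext"; }
impl CookieController for SignedCookie { const NAME: &'static str = "signed"; }
impl CookieController for PrivateCookie { const NAME: &'static str = "private"; }

// The second parameter has a default, matching `SessionManagerLayer<_, PlaintextCookie>`.
pub struct SessionManagerLayer<Store, C: CookieController = PlaintextCookie> {
    pub store: Store,
    _cookie: PhantomData<C>,
}

// In a type position, `SessionManagerLayer<Store>` means `<Store, PlaintextCookie>`.
impl<Store> SessionManagerLayer<Store> {
    pub fn new(store: Store) -> Self {
        Self { store, _cookie: PhantomData }
    }
    pub fn with_signed(self) -> SessionManagerLayer<Store, SignedCookie> {
        SessionManagerLayer { store: self.store, _cookie: PhantomData }
    }
    pub fn with_private(self) -> SessionManagerLayer<Store, PrivateCookie> {
        SessionManagerLayer { store: self.store, _cookie: PhantomData }
    }
}

// Hypothetical consumer that omits `C`: only the plaintext layer type-checks.
pub fn build_default_only<Store>(_layer: SessionManagerLayer<Store>) -> &'static str {
    PlaintextCookie::NAME
}

// Hypothetical consumer generic over `C`: any cookie controller is accepted.
pub fn build_generic<Store, C: CookieController>(_layer: SessionManagerLayer<Store, C>) -> &'static str {
    C::NAME
}

fn main() {
    println!("{}", build_default_only(SessionManagerLayer::new("store")));
    println!("{}", build_generic(SessionManagerLayer::new("store").with_signed()));
    println!("{}", build_generic(SessionManagerLayer::new("store").with_private()));
    // Rejected with E0308 (expected `PlaintextCookie`, found `SignedCookie`):
    // build_default_only(SessionManagerLayer::new("store").with_signed());
}
```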