Can't extract auth session. Is AuthManagerLayer enabled?

[ghost]

I received this error after enabling setting up my auth layer as so:

let session_layer = SessionManagerLayer::new(MokaStore::new(Some(10_000)))
.with_same_site(::tower_sessions::cookie::SameSite::Strict).with_expiry(Expiry::OnInactivity(time::Duration::minutes(10)));

(within a larger service builder)
.layer(AuthManagerLayerBuilder::new(MySurreal(DB.clone()), session_layer ).build())

Unfortunately I cannot find anything in the documentation that clarifies if I need to explicitly "enable" the middleware after applying it. Is there another middleware that flips the on switch? This error persists regardless of what session store I apply.
In version 6 I was able to successfully implement the necessary traits for SurrealDB to be my backend, I have implemented them this time via wrapper (MySurreal), but I'm unsure if this error could be related. Its rather cryptic.

[maxcountryman]

Hi is it possible to share a runnable example so we can take a closer look?

[ghost]

So this is interesting, ill share my example below, but a little update first.
When I ran it, it worked, I was surprised but came to find out that the middleware throws that error if it is not in its own dedicated ServiceBuilder. If i combine it in a larger stack, it wont work. It's unfortunate as far as flexibility, but manageable for now. Another thing i did notice, the "sid" cookie is not retrievable, or not set by the session layer:

#![feature(lazy_cell)]

use axum::{async_trait, debug_handler, error_handling::HandleErrorLayer, Router, routing::get, http::StatusCode, BoxError, response::IntoResponse};
use axum_extra::extract::CookieJar;
use axum_login::{AuthnBackend, AuthUser, UserId, AuthManagerLayerBuilder};
use password_worker::{PasswordWorker, Argon2id};
use tower_sessions::{SessionManagerLayer, MokaStore, Expiry};
use std::sync::LazyLock;
use serde::*;
use surrealdb::{engine::remote::ws, Surreal, sql::{Thing, Id}, opt::auth::Root};
use time::Duration;
use tracing::error;
use tower::ServiceBuilder;

type AuthSession = axum_login::AuthSession;
static DB: LazyLock<Surrealws::Client> = LazyLock::new(Surreal::init);
const AUTH_USER: &str = "SELECT * FROM user";
pub static PASSWORD_WORKER: LazyLock<PasswordWorker> = LazyLock::new(|| { PasswordWorker::new_argon2id(4).unwrap()});

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct AccountForm {
pub username: String,
pub password: String,
#[serde(default)]
pub confirm_password: Option,
}

#[derive(Clone)]
pub struct MySurreal(pub Surrealws::Client);

#[async_trait]
impl AuthnBackend for MySurreal {
type User = User;
type Credentials = AccountForm;
type Error = surrealdb::Error;

async fn authenticate( &self, creds: Self::Credentials) -> Result<Option<Self::User>, Self::Error> {
    let u: Option<User> = DB.query(AUTH_USER).bind(("username", creds.username)).await?.take(0)?;
    if let Some(user) = u {
        let password_match = PASSWORD_WORKER.verify(creds.password, &user.password_hash).await
            .map_err(|e|{error!("Password worker error in AuthnBackend: {}", e);e});
        match password_match {
            Ok(true)  => Ok(Some(user)),
            Ok(false) => Ok(None),
            Err(e)=> {error!("Error hashing password in authenticate: {}", e) ; Ok(None)}
        }
    } else {Ok(None)}
}

async fn get_user(&self, user_id: &UserId<Self>) -> Result<Option<Self::User>, Self::Error> {
    let user = DB.query("SELECT $user").bind(("user", user_id)).await
        .map_err(|e| {error!("Error in get_user auth: {}", e);e})?.take(0)
        .map_err(|e| {error!("Error in get_user auth: {}", e);e})?;

Ok(user)
}

}

#[derive(Debug, Clone, Serialize, PartialEq, Deserialize)]
pub struct User {
pub id: Thing,
pub username: String,
pub password_hash: String,
}

impl AuthUser for User {
type Id = Id;
fn id(&self) -> Self::Id { self.id.id.clone() }
fn session_auth_hash(&self) -> &[u8] { &self.password_hash.as_bytes() }
}

#[debug_handler]
async fn index_handler(session: AuthSession, jar: CookieJar) -> impl IntoResponse {
let sid = jar.get("sid");
assert_eq!(session.user, None);
println!("Your sid cookie is: {:?}", sid);
}

#[tokio::main]
async fn main() {

/*
DB.connect::<ws::Wss>("localhost:8000").await.expect("Failed to connect");
DB.signin(Root {
    username: "root",
    password: "123456",
}).await.unwrap();
DB.use_ns("main").use_db("application").await.expect("Something err'ed on NameServer or DB");
*/

let session_layer = SessionManagerLayer::new(MokaStore::new(Some(10_000)))
    .with_same_site(::tower_sessions::cookie::SameSite::Strict).with_expiry(Expiry::OnInactivity(Duration::minutes(10)));


let middlewares = ServiceBuilder::new()
                                .layer(HandleErrorLayer::new(|e: BoxError| async move {println!("{}", e.to_string()); StatusCode::INTERNAL_SERVER_ERROR.into_response()}))
                                .layer(AuthManagerLayerBuilder::new(MySurreal(DB.clone()), session_layer).build());

axum::serve(tokio::net::TcpListener::bind("0.0.0.0:3008").await.unwrap(), 
    Router::new()
    .route("/", get(index_handler))
    .layer(middlewares))
            .await.unwrap();

}

[maxcountryman]

I'm having trouble reading your code blocks and I'm not sure what you mean by "sid" here (the default name for the cookie is "id", so are you using a custom name or something else?)

Please provide an example we can run ourselves.

[ghost]

Sorry, I was unaware the "sid" cookie had been changed to "id" in recent versions, but regardless, it still shows no "id" cookie

`#![feature(lazy_cell)]

use axum::{async_trait, debug_handler, error_handling::HandleErrorLayer, Router, routing::get, http::StatusCode, BoxError, response::IntoResponse};
use axum_extra::extract::CookieJar;
use axum_login::{AuthnBackend, AuthUser, UserId, AuthManagerLayerBuilder};
use password_worker::{PasswordWorker, Argon2id};
use tower_sessions::{SessionManagerLayer, MokaStore, Expiry};
use std::sync::LazyLock;
use serde::*;
use surrealdb::{engine::remote::ws, Surreal, sql::{Thing, Id}, opt::auth::Root};
use time::Duration;
use tracing::error;
use tower::ServiceBuilder;

type AuthSession = axum_login::AuthSession;
static DB: LazyLock<Surrealws::Client> = LazyLock::new(Surreal::init);
const AUTH_USER: &str = "SELECT * FROM user";
pub static PASSWORD_WORKER: LazyLock<PasswordWorker> = LazyLock::new(|| { PasswordWorker::new_argon2id(4).unwrap()});

#[derive(Serialize, Deserialize, Debug, Clone)]
pub struct AccountForm {
pub username: String,
pub password: String,
#[serde(default)]
pub confirm_password: Option,
}

#[derive(Clone)]
pub struct MySurreal(pub Surrealws::Client);

#[async_trait]
impl AuthnBackend for MySurreal {
type User = User;
type Credentials = AccountForm;
type Error = surrealdb::Error;

async fn authenticate( &self, creds: Self::Credentials) -> Result<Option<Self::User>, Self::Error> {
    let u: Option<User> = DB.query(AUTH_USER).bind(("username", creds.username)).await?.take(0)?;
    if let Some(user) = u {
        let password_match = PASSWORD_WORKER.verify(creds.password, &user.password_hash).await
            .map_err(|e|{error!("Password worker error in AuthnBackend: {}", e);e});
        match password_match {
            Ok(true)  => Ok(Some(user)),
            Ok(false) => Ok(None),
            Err(e)=> {error!("Error hashing password in authenticate: {}", e) ; Ok(None)}
        }
    } else {Ok(None)}
}

async fn get_user(&self, user_id: &UserId<Self>) -> Result<Option<Self::User>, Self::Error> {
    let user = DB.query("SELECT $user").bind(("user", user_id)).await
        .map_err(|e| {error!("Error in get_user auth: {}", e);e})?.take(0)
        .map_err(|e| {error!("Error in get_user auth: {}", e);e})?;

Ok(user)
}

}

#[derive(Debug, Clone, Serialize, PartialEq, Deserialize)]
pub struct User {
pub id: Thing,
pub username: String,
pub password_hash: String,
}

impl AuthUser for User {
type Id = Id;
fn id(&self) -> Self::Id { self.id.id.clone() }
fn session_auth_hash(&self) -> &[u8] { &self.password_hash.as_bytes() }
}

#[debug_handler]
async fn index_handler(session: AuthSession, jar: CookieJar) -> impl IntoResponse {
let id = jar.get("id");
assert_eq!(session.user, None);
println!("Your id cookie is: {:?}", id);
}

#[tokio::main]
async fn main() {

/*
DB.connect::<ws::Wss>("localhost:8000").await.expect("Failed to connect");
DB.signin(Root {
    username: "root",
    password: "123456",
}).await.unwrap();
DB.use_ns("main").use_db("application").await.expect("Something err'ed on NameServer or DB");
*/

let session_layer = SessionManagerLayer::new(MokaStore::new(Some(10_000)))
    .with_same_site(::tower_sessions::cookie::SameSite::Strict).with_expiry(Expiry::OnInactivity(Duration::minutes(10)));


let middlewares = ServiceBuilder::new()
                                .layer(HandleErrorLayer::new(|e: BoxError| async move {println!("{}", e.to_string()); StatusCode::INTERNAL_SERVER_ERROR.into_response()}))
                                .layer(AuthManagerLayerBuilder::new(MySurreal(DB.clone()), session_layer).build());

axum::serve(tokio::net::TcpListener::bind("0.0.0.0:3008").await.unwrap(), 
    Router::new()
    .route("/", get(index_handler))
    .layer(middlewares))
            .await.unwrap();

}`

[ghost]

Is it possible that the sessionlayer no longer sets the sid/id cookie anymore? I think in axum_login 0.6 it was dependent on tower-session rather than tower-sessions. They were also decoupled back then. I needed to have every first time visitor receive a session cookie in my last build. It seems this doesnt generate session cookies for clients visiting the site for the first time. It was also possible to integrate the auth and session layers into a larger servicebuilder. Would you recommend I roll back to axum login 0.6 to regain this functionality?

[maxcountryman]

The session cookie is named "id" by default (but you can configure this to another name if you like).

It's important to know that session cookies are not persisted if they're empty. So you need to set some value on the site visitor's session if you want it to persist.

[maxcountryman]

It was also possible to integrate the auth and session layers into a larger servicebuilder

I really am not following you--why can't you do this?

Again we need you to provide a runnable example to help. It's really difficult to help without this.

[ghost]

Okay! Thats useful information, im sorry but the code i provided runs perfectly fine, its everything below the first sentence, im not sure why it formats incorrectly despite putting it in a code block. If you simple copy and paste it into your IDE you shouldnt have a problem. So basically in this newer version, a client only receives a cookie if its given some type of false data for the session?

It was also possible to integrate the auth and session layers into a larger servicebuilder

I really am not following you--why can't you do this?

I'm not sure why at all, thats the entire reason I raised the issue. I get the "Can't extract auth session. Is AuthManagerLayer enabled?" error on any request when I put the single authmanagerlayerbuilder in any larger servicebuilder stack, if its a standalone servicebuilder i dont get the error.

I appreciate the follow-up though! im just going to rollback to a working version and call it good.

[maxcountryman]

Try to reproduce what you're seeing with one of the examples, you can fork one of those if it's easier to share. We can't copy/paste your code blocks and run them.