Session cookie removed on on every request. #222
-
|
Hello, i'm using axum-session with an sqlx session store, and I'm currently facing an issue where every time I've logged in a user. Any request they make to the authentication API will remove their session cookie.
Full source can be found here: https://github.com/YousofMersal/website/tree/main/services/server |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 11 replies
-
|
How is the request being made? It sounds like the session cookie is not being included in the request based on the logs you shared. |
Beta Was this translation helpful? Give feedback.
-
|
I figured out what the error was after trying one by one getting it closer to the multi arch example. In y original code i had let user = match auth_session
.authenticate(Credentials::Password(creds.clone()))
.await
{
Ok(Some(mut user)) => {
user.password = None;
user
}
Ok(None) => {
return (StatusCode::UNAUTHORIZED, "invalid password".to_string())
.into_response()
}
Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
};
if auth_session.login(&user).await.is_err() {
return StatusCode::INTERNAL_SERVER_ERROR.into_response();
}
// snipBut changing that to let mut user = match auth_session
.authenticate(Credentials::Password(creds.clone()))
.await
{
Ok(Some(user)) => user,
Ok(None) => {
return (StatusCode::UNAUTHORIZED, "invalid password".to_string())
.into_response()
}
Err(_) => return StatusCode::INTERNAL_SERVER_ERROR.into_response(),
};
if auth_session.login(&user).await.is_err() {
return StatusCode::INTERNAL_SERVER_ERROR.into_response();
}
user.password = None;
// snipI wasn't aware that axum-login used the password field in it's hash, which i guess makes the hash of the user not match and causes it to delete the session on the next request? |
Beta Was this translation helpful? Give feedback.
-
|
If the hash doesn't match it will invalidate the login state and force the client to authenticate again. So that seems plausible. The auth hash doesn't have to be a password hash but it should be unique per user and the idea is that it will invalidate when a user changes important state (like their password). |
Beta Was this translation helpful? Give feedback.
-
|
I though that the hash would be the user id as that should be unique, but i can't quite figure out where the hash is set, so i still don't quite understand how the error happened, i just know it it got fixed now. Where in the multi-auth example is it set where the auth-hash is made of? |
Beta Was this translation helpful? Give feedback.
-
|
It's up to your implementation of AuthUser. But I would be careful setting it a user ID: while it is unique, it won't account for invalidating sessions when a user changes their passwords (that's okay if you don't want that but it's generally a good practice). |
Beta Was this translation helpful? Give feedback.
-
|
Oh of course! Thank you now i understand how it works! impl AuthUser for User {
type Id = i64;
fn id(&self) -> Self::Id {
self.id
}
fn session_auth_hash(&self) -> &[u8] {
if let Some(access_token) = &self.access_token {
return access_token.as_bytes();
}
if let Some(password) = &self.password {
return password.as_bytes();
}
&[]
}
}Now it all makes perfect sense, thank you for your time and explanation! |
Beta Was this translation helpful? Give feedback.
It's up to your implementation of AuthUser. But I would be careful setting it a user ID: while it is unique, it won't account for invalidating sessions when a user changes their passwords (that's okay if you don't want that but it's generally a good practice).