What cookie(s) should a client request include to authenticate it? #45
-
Sorry about the newbie question. It's my first time writing auth. When a user is logged in on the server, it should respond with the data necessary for authentication, right? Data that should be stored on the client as a cookie so that it's attached with every subsequent request. Since Looking at impl<User, ReqBody, ResBody, Role> AuthorizeRequest<ReqBody> for Login<User, ResBody, Role>
where
Role: PartialOrd + PartialEq + Clone + Send + Sync + 'static,
User: AuthUser<Role>,
ResBody: HttpBody + Default,
{
type ResponseBody = ResBody;
fn authorize(
&mut self,
request: &mut Request<ReqBody>,
) -> Result<(), Response<Self::ResponseBody>> {
let user = request
.extensions()
.get::<Option<User>>()
.expect("Auth extension missing. Is the auth layer installed?");
match user {
Some(user) if self.role_bounds.contains(user.get_role()) => {
let user = user.clone();
request.extensions_mut().insert(user);
Ok(())
}
_ => {
let unauthorized_response = Response::builder()
.status(http::StatusCode::UNAUTHORIZED)
.body(Default::default())
.unwrap();
Err(unauthorized_response)
}
}
}
} Is that what I'm supposed to include in the |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 12 replies
-
axum-login uses axum-sessions which in turn sets its own cookie (by default this is axum.sid but can be configured to be called whatever you like). While the docs for RequireAuthorizationLayer do mention the Authorization header in our implementation that part is not relevant: we instead use the middleware directly to obtain a User if one is present. This works because axum-sessions manages the cookie for us and axum-login provides the user context via that. So the only thing that needs to be passed back to the server is that cookie, axum.sid. This also means the cookie is sensitive and should never be shared. For that reason the cookie uses a number of default settings that help ensure it cannot be easily stolen. |
Beta Was this translation helpful? Give feedback.
axum-login uses axum-sessions which in turn sets its own cookie (by default this is axum.sid but can be configured to be called whatever you like).
While the docs for RequireAuthorizationLayer do mention the Authorization header in our implementation that part is not relevant: we instead use the middleware directly to obtain a User if one is present. This works because axum-sessions manages the cookie for us and axum-login provides the user context via that.
So the only thing that needs to be passed back to the server is that cookie, axum.sid. This also means the cookie is sensitive and should never be shared. For that reason the cookie uses a number of default settings that help ensure i…