Fix cookie path, fix get_session_id not using depot over existing invalid cookie, add more tracing

2025-12-05 23:14:53 -06:00 · 2024-12-23 17:41:12 -06:00
parent d15fad4685
commit ef679d2159
2 changed files with 27 additions and 10 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -33,13 +33,21 @@ async fn session_middleware(req: &mut Request, res: &mut Response, depot: &mut D
                Ok(session_id) => {
                    let mut store = STORE.lock().await;
                    if !store.sessions.contains_key(&session_id) {
-                        tracing::debug!("Session provided in cookie, but does not exist");
-                        let id = store.new_session(res).await;
-                        depot.insert("session_id", id);
+                        let new_session_id = store.new_session(res).await;
+                        depot.insert("session_id", new_session_id);
+                        tracing::debug!(
+                            existing_session_id = session_id,
+                            new_session_id = new_session_id,
+                            "Session provided in cookie, but does not exist"
+                        );
                    }
                }
-                Err(_) => {
-                    tracing::debug!("Session provided in cookie, but is not a valid number");
+                Err(parse_error) => {
+                    tracing::debug!(
+                        invalid_session_id = cookie.value(),
+                        error = ?parse_error,
+                        "Session provided in cookie, but is not a valid number"
+                    );
                    let mut store = STORE.lock().await;
                    let id = store.new_session(res).await;

@@ -157,6 +165,7 @@ pub async fn download(req: &mut Request, res: &mut Response, depot: &mut Depot)

    // Create a download for the session
    let session_download = session.add_download(executable);
+    tracing::info!(session_id, type = download_id, dl_token = session_download.token, "Download created");
    let data = executable.with_key(session_id.to_string().as_bytes());

    if let Err(e) = res.write_body(data) {
@@ -198,17 +207,22 @@ pub async fn get_session(req: &mut Request, res: &mut Response, depot: &mut Depo
    }
 }

-// Acquires the session id from the request, preferring the request Cookie
+// Acquires the session id from the request, preferring the depot
 fn get_session_id(req: &Request, depot: &Depot) -> Option<usize> {
+    if depot.contains_key("session_id") {
+        return Some(*depot.get::<usize>("session_id").unwrap());
+    }
+
+    // Otherwise, just use whatever the Cookie might have
    match req.cookie("Session") {
        Some(cookie) => match cookie.value().parse::<usize>() {
            Ok(id) => Some(id),
            _ => None,
        },
-        None => match depot.get::<usize>("session_id") {
-            Ok(id) => Some(*id),
-            _ => None,
-        },
+        None => {
+            tracing::warn!("Session was not provided in cookie or depot");
+            None
+        }
    }
 }

--- a/src/models.rs
+++ b/src/models.rs
@@ -118,6 +118,9 @@ impl<'a> State<'a> {

        res.add_cookie(
            Cookie::build(("Session", id.to_string()))
+                .http_only(true)
+                .path("/")
+                .same_site(salvo::http::cookie::SameSite::Lax)
                .permanent()
                .build(),
        );