upgrade to softwaremill PR #86 (softwaremill/akka-http-session#86)

Author: fupelaqu

build.sbt

@@ -30,7 +30,7 @@ ThisBuild / organization := "app.softnetwork"
 
 name := "generic-persistence-api"
 
-ThisBuild / version := "0.3.2"
+ThisBuild / version := "0.3.2.1"
 
 ThisBuild / scalaVersion := "2.12.11"
 

session/core/src/main/scala/com/softwaremill/session/Completion.scala

@@ -0,0 +1,41 @@
+package com.softwaremill.session
+
+import scala.concurrent.{Await, Future}
+import scala.concurrent.duration.{Duration, DurationInt, FiniteDuration}
+import scala.util.{Failure, Success, Try}
+
+import scala.language.implicitConversions
+
+trait Completion {
+
+  /** maximum wait time, which may be negative (no waiting is done),
+    * [[scala.concurrent.duration.Duration.Inf Duration.Inf]] for unbounded waiting, or a finite
+    * positive duration
+    */
+  def defaultTimeout: FiniteDuration = 60.seconds
+
+  implicit class AwaitCompletion[T](future: Future[T])(implicit atMost: Duration = defaultTimeout) {
+
+    /** Usage: aFuture wait { case a: A => //... case other => //... } match { case Success(s) => s
+      * case Failure(f) => //... }
+      *
+      * @param fun
+      *   - the function which will be called
+      * @tparam B
+      *   - the function return type
+      * @return
+      *   a successfull B or an exception
+      */
+    def await[B](fun: T => B): Try[B] =
+      Try(Await.result(future, atMost)) match {
+        case Success(s) => Success(fun(s))
+        case Failure(f) => Failure(f)
+      }
+    def complete(): Try[T] = await[T] { t =>
+      t
+    }
+  }
+
+}
+
+object Completion extends Completion

session/core/src/main/scala/com/softwaremill/session/CsrfEndpoints.scala

@@ -1,30 +1,13 @@
 package com.softwaremill.session
 
 import sttp.model.Method
-import sttp.model.headers.{CookieValueWithMeta, CookieWithMeta}
-import sttp.tapir._
+import sttp.model.headers.CookieValueWithMeta
 import sttp.tapir.server.PartialServerEndpointWithSecurityOutput
 
 import scala.concurrent.{ExecutionContext, Future}
 
 trait CsrfEndpoints {
 
-  /** Protects against CSRF attacks using a double-submit cookie. The cookie will be set on any
-    * `GET` request which doesn't have the token set in the header. For all other requests, the
-    * value of the token from the CSRF cookie must match the value in the custom header (or request
-    * body, if `checkFormBody` is `true`).
-    *
-    * The cookie value is the concatenation of a timestamp and its HMAC hash following the OWASP
-    * recommendation for CSRF prevention:
-    * @see
-    *   <a
-    *   href="https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#hmac-based-token-pattern">OWASP</a>
-    *
-    * Note that this scheme can be broken when not all subdomains are protected or not using HTTPS
-    * and secure cookies, and the token is placed in the request body (not in the header).
-    *
-    * See the documentation for more details.
-    */
   def hmacTokenCsrfProtection[T, SECURITY_INPUT, PRINCIPAL, SECURITY_OUTPUT](
     checkMode: TapirCsrfCheckMode[T]
   )(
@@ -52,19 +35,11 @@ trait CsrfEndpoints {
       body
     }
 
-  def csrfCookie[T](
-    checkMode: TapirCsrfCheckMode[T]
-  ): EndpointIO.Header[Option[CookieValueWithMeta]] =
-    checkMode.csrfCookie
-
-  def csrfTokenFromCookie[T](
-    checkMode: TapirCsrfCheckMode[T]
-  ): Endpoint[Option[String], Unit, Unit, Unit, Any] =
-    checkMode.csrfTokenFromCookie()
-
   def setNewCsrfToken[T](
     checkMode: TapirCsrfCheckMode[T]
-  ): CookieWithMeta =
+  ): PartialServerEndpointWithSecurityOutput[Unit, Unit, Unit, Unit, Option[
+    CookieValueWithMeta
+  ], Unit, Any, Future] =
     checkMode.setNewCsrfToken()
 }
 
@@ -77,7 +52,7 @@ object TapirCsrfOptions {
     new TapirCsrfCheckHeaderAndForm[T]()
 }
 
-sealed trait TapirCsrfCheckMode[T] extends TapirCsrf[T] {
+sealed trait TapirCsrfCheckMode[T] extends TapirCsrf[T] { _: CsrfCheck =>
   def manager: SessionManager[T]
   def ec: ExecutionContext
   def csrfManager: CsrfManager[T] = manager.csrfManager

session/core/src/main/scala/com/softwaremill/session/OneOffTapirSession.scala

@@ -119,13 +119,6 @@ private[session] trait OneOffTapirSession[T] {
       case CookieOrHeaderST => oneOffCookieOrHeaderSession(required)
     }
 
-  private[this] def oneOffCookieSessionLogic(
-    cookie: Option[String],
-    required: Option[Boolean]
-  ): Either[Unit, (Option[CookieValueWithMeta], SessionResult[T])] = {
-    oneOffCookieOrHeaderSessionLogic(cookie, None, required).map(e => (e._1._1, e._2))
-  }
-
   def oneOffCookieSession(
     required: Option[Boolean] = None
   ): PartialServerEndpointWithSecurityOutput[Seq[Option[String]], SessionResult[
@@ -140,23 +133,19 @@ private[session] trait OneOffTapirSession[T] {
       )
       .errorOut(statusCode(StatusCode.Unauthorized))
       .serverSecurityLogicWithOutput { inputs =>
-        Future.successful(oneOffCookieSessionLogic(inputs.head, required) match {
-          case Left(l)  => Left(l)
-          case Right(r) => Right(Seq(r._1.map(_.value)), r._2)
-        })
+        Future.successful(
+          oneOffCookieOrHeaderSessionLogic(inputs.head, None, required)
+            .map(e => (e._1._1, e._2)) match {
+            case Left(l)  => Left(l)
+            case Right(r) => Right((Seq(r._1), r._2))
+          }
+        )
       }
   }
 
   def extractOneOffSession(maybeValue: Option[String]): Option[T] =
     maybeValue.flatMap(manager.clientSessionManager.decode(_).toOption)
 
-  private[this] def oneOffHeaderSessionLogic(
-    header: Option[String],
-    required: Option[Boolean]
-  ): Either[Unit, (Option[String], SessionResult[T])] = {
-    oneOffCookieOrHeaderSessionLogic(None, header, required).map(e => (e._1._2, e._2))
-  }
-
   def oneOffHeaderSession(
     required: Option[Boolean] = None
   ): PartialServerEndpointWithSecurityOutput[Seq[Option[String]], SessionResult[
@@ -171,49 +160,52 @@ private[session] trait OneOffTapirSession[T] {
       .mapOut(Seq(_))(_.head)
       .errorOut(statusCode(StatusCode.Unauthorized))
       .serverSecurityLogicWithOutput { inputs =>
-        Future.successful(oneOffHeaderSessionLogic(inputs.head, required) match {
-          case Left(l)  => Left(l)
-          case Right(r) => Right(Seq(r._1), r._2)
-        })
+        Future.successful(
+          oneOffCookieOrHeaderSessionLogic(None, inputs.head, required)
+            .map(e => (e._1._2, e._2)) match {
+            case Left(l)  => Left(l)
+            case Right(r) => Right((Seq(r._1), r._2))
+          }
+        )
       }
 
   def oneOffCookieOrHeaderSessionLogic(
     maybeCookie: Option[String],
     maybeHeader: Option[String],
     required: Option[Boolean]
-  ): Either[Unit, ((Option[CookieValueWithMeta], Option[String]), SessionResult[T])] = {
-    maybeCookie match {
-      case Some(cookie) =>
-        val decoded = manager.clientSessionManager.decode(cookie)
+  ): Either[Unit, ((Option[String], Option[String]), SessionResult[T])] = {
+    // read session from the cookie and/or header
+    val oneOff = maybeCookie.fold(maybeHeader)(Some(_))
+    oneOff match {
+      case Some(value) =>
+        val decoded = manager.clientSessionManager.decode(value)
         decoded match {
-          case SessionResult.Expired | SessionResult.Corrupt(_) =>
-            Right((None, maybeHeader), decoded)
+          case s: SessionResult.DecodedLegacy[T] =>
+            Right(
+              (
+                (
+                  Some(manager.clientSessionManager.encode(s.session)),
+                  maybeHeader.map(_ => value)
+                ),
+                s
+              )
+            )
           case s =>
             Right(
               (
-                Some(manager.clientSessionManager.createCookieWithValue(cookie).valueWithMeta),
-                maybeHeader
-              ),
-              s
+                (
+                  None,
+                  None
+                ),
+                s
+              )
             )
         }
       case _ =>
-        maybeHeader match {
-          case Some(header) =>
-            val decoded = manager.clientSessionManager.decode(header)
-            decoded match {
-              case SessionResult.Expired | SessionResult.Corrupt(_) =>
-                if (required.getOrElse(false))
-                  Left(())
-                else
-                  Right((None, None), decoded)
-              case s => Right((None, Some(header)), s)
-            }
-          case _ =>
-            if (required.getOrElse(false))
-              Left(())
-            else
-              Right((None, None), SessionResult.NoSession)
+        if (required.getOrElse(false)) {
+          Left(())
+        } else {
+          Right(((None, None), SessionResult.NoSession))
         }
     }
   }
@@ -239,7 +231,7 @@ private[session] trait OneOffTapirSession[T] {
       .serverSecurityLogicWithOutput { inputs =>
         Future.successful(
           oneOffCookieOrHeaderSessionLogic(inputs.head, inputs.last, required)
-            .map(result => (Seq(result._1._1.map(_.value), result._1._2), result._2))
+            .map(result => (Seq(result._1._1, result._1._2), result._2))
         )
       }
 
@@ -254,33 +246,37 @@ private[session] trait OneOffTapirSession[T] {
         maybeHeader match {
           case Some(_) =>
             Right(
-              Seq(
-                Some("deleted"),
-                Some("")
-              ),
-              principal
+              (
+                Seq(
+                  Some("deleted"),
+                  Some("")
+                ),
+                principal
+              )
             )
           case _ =>
             Right(
-              Seq(
-                Some("deleted"),
-                None
-              ),
-              principal
+              (
+                Seq(
+                  Some("deleted"),
+                  None
+                ),
+                principal
+              )
             )
         }
       case _ =>
         maybeHeader match {
-          case Some(_) => Right(Seq(None, Some("")), principal)
-          case _       => Right(Seq(None, None), principal)
+          case Some(_) => Right((Seq(None, Some("")), principal))
+          case _       => Right((Seq(None, None), principal))
         }
     }
   }
 
   def invalidateOneOffSession[
     SECURITY_INPUT,
     PRINCIPAL
-  ](
+  ](st: GetSessionTransport)(
     body: => PartialServerEndpointWithSecurityOutput[
       SECURITY_INPUT,
       PRINCIPAL,
@@ -343,12 +339,12 @@ private[session] trait OneOffTapirSession[T] {
             val session = r._2
             st match {
               case CookieST | HeaderST =>
-                setOneOffSessionLogic(session.toOption, inputs.head)
+                setOneOffSessionLogic(session.toOption, None)
                   .map(result => (Seq(result), session))
               case CookieOrHeaderST =>
                 val maybeCookie = inputs.head
                 val maybeHeader = inputs.last
-                setOneOffSessionLogic(session.toOption, inputs.head)
+                setOneOffSessionLogic(session.toOption, None)
                   .map(result =>
                     (
                       Seq(maybeCookie.flatMap(_ => result), maybeHeader.flatMap(_ => result)),