Update Rust crate tower-sessions to ~0.14.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tower-sessions	workspace.dependencies	minor	~0.7.0 -> ~0.14.0

---

Release Notes

maxcountryman/tower-sessions (tower-sessions)

v0.14.0

Compare Source

• Update axum-core to v0.5.0. #​231

This also includes an version bump to tower-cookies, now at v0.11.0.

v0.13.0

Compare Source

• Add option to always save session. #​216

v0.12.3

Compare Source

• Ensure continuously_delete_expired waits for initial run. #​208

v0.12.2

Compare Source

• Ensure set_expiry mutates Max-Age. #​191

This addresses a bug where using set_expiry on a session with no initial expiry time would not add the Max-age attribute to the cookie leading to an inconsitency between the cookie and the database.

v0.12.1

Compare Source

Important Security Update

• Ensure ID cycling invokes create. #​188

Because cycling the session ID involves creating a new ID, this must follow the same semantics as normal session creation. Therefore prior to this fix session ID collision could occur through this vector.

v0.12.0

Compare Source

Important Security Update

• Id collision mitigation. #​181

This release introduces a new method, create, to the SessionStore trait to distinguish between creating a new session and updating an existing one. This distinction is crucial for mitigating the potential for session ID collisions.

Although the probability of session ID collisions is statistically low, given that IDs are composed of securely-random i128 values, such collisions pose a significant security risk. A store that does not differentiate between session creation and updates could inadvertently allow an existing session to be accessed, leading to potential session takeovers.

Session store authors are strongly encouraged to update and implement create such that potential ID collisions are handled, either by generating a new ID or returning an error.

As a transitional measure, we have provided a default implementation of create that wraps the existing save method. However, this default is not immune to the original issue. Therefore, it is imperative that stores override the create method with an implementation that adheres to the required uniqueness semantics, thereby effectively mitigating the risk of session ID collisions.

v0.11.1

Compare Source

• Ensure session.set_expiry updates record. #​175
• Provide signed and private features, enabling signing and encryption respectively. #​157

v0.11.0

Compare Source

• Uses slices when encoding and decoding Id. #​159

Breaking Changes

• Removes IdError type in favor of using base64::DecodeSliceError. #​159
• Provides the same changes as 0.10.4, without breaking SemVer.
• Updates base64 to 0.22.0.

v0.10.4

Compare Source

• Revert introduction of lifetime parameter; use static lifetime directly

This ensures that the changes introduced in 0.10.3 do not break SemVer.

Please note that 0.10.3 has been yanked in accordance with cargo guidelines.

v0.10.3

Compare Source

• Improve session config allocation footprint #​158

v0.10.2

Compare Source

• Ensure "Path" and "Domain" are set on removal cookie #​154

v0.10.1

Compare Source

• Ensure Expires: Session #​149

v0.10.0

Compare Source

Breaking Changes

• Improve session ID #​141
• Relocate previously bundled stores #​145
• Move service out of core #​146

Session IDs are now represetned as base64-encoded i128s, boast 128 bits of entropy, and are shorter, saving network bandwidth and improving the secure nature of sessions.

We no longer bundle session stores via feature flags and as such applications must be updated to require the stores directly. For example, applications that use the tower-sessions-sqlx-store should update their Cargo.toml like so:

tower-sessions = "0.10.0"
tower-sessions-sqlx-store = { version = "0.10.0", features = ["sqlite"] }

Assuming a SQLite store, as an example.

Furthermore, imports will also need to be updated accordingly. For example:

use std::net::SocketAddr;

use axum::{response::IntoResponse, routing::get, Router};
use serde::{Deserialize, Serialize};
use time::Duration;
use tower_sessions::{session_store::ExpiredDeletion, Expiry, Session, SessionManagerLayer};
use tower_sessions_sqlx_store::{sqlx::SqlitePool, SqliteStore};

const COUNTER_KEY: &str = "counter";

#[derive(Serialize, Deserialize, Default)]
struct Counter(usize);

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let pool = SqlitePool::connect("sqlite::memory:").await?;
    let session_store = SqliteStore::new(pool);
    session_store.migrate().await?;

    let deletion_task = tokio::task::spawn(
        session_store
            .clone()
            .continuously_delete_expired(tokio::time::Duration::from_secs(60)),
    );

    let session_layer = SessionManagerLayer::new(session_store)
        .with_secure(false)
        .with_expiry(Expiry::OnInactivity(Duration::seconds(10)));

    let app = Router::new().route("/", get(handler)).layer(session_layer);

    let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
    let listener = tokio::net::TcpListener::bind(&addr).await?;
    axum::serve(listener, app.into_make_service()).await?;

    deletion_task.await??;

    Ok(())
}

async fn handler(session: Session) -> impl IntoResponse {
    let counter: Counter = session.get(COUNTER_KEY).await.unwrap().unwrap_or_default();
    session.insert(COUNTER_KEY, counter.0 + 1).await.unwrap();
    format!("Current count: {}", counter.0)
}

Finally, the service itself has been moved out of the core crate, which makes this crate smaller as well as establishes better boundaries between code.

Thank you for bearing with us: we are approaching longer term stability and aim to minimize churn going forward as we begin to move toward a 1.0 release.

v0.9.1

Compare Source

• Ensure clear works before record loading. #​134

v0.9.0

Compare Source

Breakiung Changes

• Make service infallible. #​132

This updates the service such that it always returns a response directly. In practice this means that e.g. axum applications no longer need the HandleErrorLayer and instead can use the layer directly. Note that if you use other fallible tower middleware, you will still need to use HandleErrorLayer.

As such we've also remove the MissingCookies and MissingId variants from the session error enum.

v0.8.2

Compare Source

• Derive PartialEq for Record. #​125

v0.8.1

Compare Source

• Allow constructing RedisStore from RedisPool. #​122

v0.8.0

Compare Source

Breaking Changes

• Lazy sessions. #​112

Among other things, session methods are now entirely async, meaning applications must be updated to await these methods in order to migrate.

Separately, SessionStore has been updated to use a Record intermediary. As such, SessionStore implementations must be updated accordingly.

Session stores now use a concrete error type that must be used in implementations of SessionStore.

The secure cookie attribute now defaults to true.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.