major refactoring of session framework

Author: fupelaqu

build.sbt

@@ -8,7 +8,7 @@ ThisBuild / organization := "app.softnetwork"
 
 name := "generic-persistence-api"
 
-ThisBuild / version := "0.4.2"
+ThisBuild / version := "0.5.0"
 
 ThisBuild / scalaVersion := "2.12.18"
 

server/src/main/scala/app/softnetwork/api/server/ServiceEndpoints.scala

@@ -3,7 +3,7 @@ package app.softnetwork.api.server
 import app.softnetwork.concurrent.Completion
 import app.softnetwork.persistence.message.{Command, CommandResult, ErrorMessage}
 import app.softnetwork.persistence.service.Service
-import app.softnetwork.persistence.typed.scaladsl.EntityPattern
+import app.softnetwork.persistence.typed.scaladsl.Patterns
 import sttp.tapir.generic.auto.SchemaDerivation
 import sttp.tapir.Tapir
 
@@ -14,7 +14,7 @@ trait ServiceEndpoints[C <: Command, R <: CommandResult]
     with Tapir
     with SchemaDerivation
     with Service[C, R]
-    with Completion { _: EntityPattern[C, R] =>
+    with Completion { _: Patterns[C, R] =>
 
   implicit def resultToApiError(result: R): ApiErrors.ErrorInfo =
     result match {

session/common/src/main/protobuf/session.proto

@@ -23,6 +23,6 @@ message Session {
     option (scalapb.message).extends = "SessionData";
     option (scalapb.message).extends = "SessionDecorator";
     option (scalapb.message).companion_extends = "SessionCompanion";
-    map<string, string> data = 1 [(scalapb.field).map_type="collection.mutable.Map"];
+    map<string, string> data = 1 [(scalapb.field).map_type="collection.immutable.Map", (scalapb.field).scala_name = "kvs"];
     bool refreshable = 2;
 }

session/common/src/main/resources/reference.conf

@@ -1,6 +1,6 @@
 akka {
   http {
-    session{
+    session {
       # The secret used to sign the session cookie. This should be changed to a random string.
       server-secret = ";C5/n}5K&/AX<8SO`nNuGl*^>w[hOD7uuhFLt*y`QNTL8vqHDK9te+Pd+.,,'njk"
       server-secret = ${?HTTP_SESSION_SERVER_SECRET}

session/common/src/main/scala/app/softnetwork/session/config/Settings.scala

@@ -2,33 +2,34 @@ package app.softnetwork.session.config
 
 /** Created by smanciot on 21/03/2018.
   */
+import com.softwaremill.session.SessionConfig
 import com.typesafe.config.{Config, ConfigFactory}
 import configs.ConfigError
 import org.softnetwork.session.model.Session.SessionType
 
 object Settings {
   lazy val config: Config = ConfigFactory.load()
 
-  def configErrorsToException(err: ConfigError) =
+  def configErrorsToException: ConfigError => Throwable = err =>
     new IllegalStateException(err.entries.map(_.messageWithPath).mkString(","))
 
   object Session {
-    val CookieName: String = config getString "akka.http.session.cookie.name"
 
-    val CookieSecret: String = config getString "akka.http.session.server-secret"
-
-    val Continuity: String = config getString "akka.http.session.continuity"
-
-    val Transport: String = config getString "akka.http.session.transport"
+    val DefaultSessionConfig: SessionConfig = SessionConfig.fromConfig(config)
+    require(
+      DefaultSessionConfig.serverSecret.nonEmpty,
+      "akka.http.session.server-secret must not be empty"
+    )
 
-    require(CookieName.nonEmpty, "akka.http.session.cookie.name must be non-empty")
-    require(CookieSecret.nonEmpty, "akka.http.session.server-secret must be non-empty")
-    require(Continuity.nonEmpty, "akka.http.session.continuity must be non-empty")
-    require(Transport.nonEmpty, "akka.http.session.transport must be non-empty")
+    val Continuity: String = (config getString "akka.http.session.continuity").toLowerCase
+    require(Continuity.nonEmpty, "akka.http.session.continuity must not be empty")
     require(
       Continuity == "one-off" || Continuity == "refreshable",
       "akka.http.session.continuity must be one-off or refreshable"
     )
+
+    val Transport: String = (config getString "akka.http.session.transport").toLowerCase
+    require(Transport.nonEmpty, "akka.http.session.transport must not be empty")
     require(
       Transport == "cookie" || Transport == "header",
       "akka.http.session.transport must be cookie or header"

session/common/src/main/scala/app/softnetwork/session/model/Session.scala

@@ -1,56 +1,67 @@
 package app.softnetwork.session.model
 
 import java.util.UUID
-
-import com.softwaremill.session.{SessionConfig, SessionManager, SessionSerializer}
+import com.softwaremill.session.{
+  JValueSessionSerializer,
+  JwtSessionEncoder,
+  SessionConfig,
+  SessionEncoder,
+  SessionManager,
+  SessionSerializer
+}
 import app.softnetwork.persistence.model.ProtobufDomainObject
 import app.softnetwork.session.config.Settings.Session._
 import app.softnetwork.session.security.Crypto
-
+import org.json4s.{Formats, JValue}
 import org.softnetwork.session.model.Session
 
-import scala.collection.mutable
+import scala.language.implicitConversions
 import scala.util.Try
 
 /** Created by smanciot on 29/04/2021.
   */
 trait SessionData extends ProtobufDomainObject
 
-trait SessionDecorator { _: Session =>
+trait SessionDecorator { self: Session =>
 
   import Session._
 
   private var dirty: Boolean = false
 
   def clear(): Session = {
     val theId = id
-    data.clear()
-    this += CookieName -> theId
+    withKvs(Map.empty[String, String] + (SessionName -> theId))
   }
 
   def isDirty: Boolean = dirty
 
-  def get(key: String): Option[String] = data.get(key)
+  def get(key: String): Option[String] = kvs.get(key)
 
-  def isEmpty: Boolean = data.isEmpty
+  def isEmpty: Boolean = kvs.isEmpty
 
-  def contains(key: String): Boolean = data.contains(key)
+  def contains(key: String): Boolean = kvs.contains(key)
 
-  def -=(key: String): Session = synchronized {
-    dirty = true
-    data -= key
-    this
-  }
+  def -(key: String): Session =
+    synchronized {
+      dirty = true
+      withKvs(kvs - key)
+    }
 
-  def +=(kv: (String, String)): Session = synchronized {
-    dirty = true
-    data += kv
-    this
-  }
+  def +(kv: (String, String)): Session =
+    synchronized {
+      dirty = true
+      withKvs(kvs + kv)
+    }
 
-  def apply(key: String): Any = data(key)
+  def ++(kvs: Seq[(String, String)]): Session =
+    synchronized {
+      dirty = true
+      withKvs(this.kvs ++ kvs)
+    }
 
-  lazy val id: String = data(CookieName)
+  def apply(key: String): Any = kvs(key)
+
+  lazy val id: String = kvs(SessionName)
 
   lazy val admin: Boolean = get(adminKey).exists(_.toBoolean)
 
@@ -66,67 +77,95 @@ trait SessionCompanion {
 
   val anonymousKey = "anonymous"
 
-  val sessionConfig: SessionConfig = {
-    SessionConfig.default(CookieSecret)
-  }
+  val SessionName: String = DefaultSessionConfig.sessionCookieConfig.name
 
-  implicit val sessionManager: SessionManager[Session] = new SessionManager[Session](sessionConfig)
+  val _refreshable: Boolean = Continuity match {
+    case "refreshable" => true
+    case _             => false
+  }
 
   def apply(): Session =
     Session.defaultInstance
-      .withData(mutable.Map(CookieName -> UUID.randomUUID.toString))
-      .withRefreshable(false)
+      .withKvs(Map(SessionName -> UUID.randomUUID.toString))
+      .withRefreshable(_refreshable)
 
   def apply(uuid: String): Session =
     Session.defaultInstance
-      .withData(mutable.Map(CookieName -> uuid))
-      .withRefreshable(false)
-
-  implicit def sessionSerializer: SessionSerializer[Session, String] =
-    new SessionSerializer[Session, String] {
-      override def serialize(session: Session): String = {
-        val encoded = java.net.URLEncoder
-          .encode(
-            session.data
-              .filterNot(_._1.contains(":"))
-              .map(d => d._1 + ":" + d._2)
-              .mkString("\u0000"),
-            "UTF-8"
-          )
-        Crypto.sign(encoded, CookieSecret) + "-" + encoded
-      }
+      .withKvs(Map(SessionName -> uuid))
+      .withRefreshable(_refreshable)
 
-      override def deserialize(data: String): Try[Session] = {
-        def urldecode(data: String) =
-          mutable.Map[String, String](
-            java.net.URLDecoder
-              .decode(data, "UTF-8")
-              .split("\u0000")
-              .map(_.split(":"))
-              .map(p => p(0) -> p.drop(1).mkString(":")): _*
-          )
-        // Do not change this unless you understand the security issues behind timing attacks.
-        // This method intentionally runs in constant time if the two strings have the same length.
-        // If it didn't, it would be vulnerable to a timing attack.
-        def safeEquals(a: String, b: String) = {
-          if (a.length != b.length) false
-          else {
-            var equal = 0
-            for (i <- Array.range(0, a.length)) {
-              equal |= a(i) ^ b(i)
-            }
-            equal == 0
-          }
-        }
+}
 
-        Try {
-          val splitted = data.split("-")
-          val message = splitted.tail.mkString("-")
-          if (safeEquals(splitted(0), Crypto.sign(message, CookieSecret)))
-            Session.defaultInstance.withData(urldecode(message))
-          else
-            throw new Exception("corrupted encrypted data")
+class BasicSessionSerializer(val serverSecret: String) extends SessionSerializer[Session, String] {
+
+  override def serialize(session: Session): String = {
+    val encoded = java.net.URLEncoder
+      .encode(
+        session.kvs
+          .filterNot(_._1.contains(":"))
+          .map(d => d._1 + ":" + d._2)
+          .mkString("\u0000"),
+        "UTF-8"
+      )
+    Crypto.sign(encoded, serverSecret) + "-" + encoded
+  }
+
+  override def deserialize(kvs: String): Try[Session] = {
+    def urldecode(kvs: String) =
+      Map[String, String](
+        java.net.URLDecoder
+          .decode(kvs, "UTF-8")
+          .split("\u0000")
+          .map(_.split(":"))
+          .map(p => p(0) -> p.drop(1).mkString(":")): _*
+      )
+
+    // Do not change this unless you understand the security issues behind timing attacks.
+    // This method intentionally runs in constant time if the two strings have the same length.
+    // If it didn't, it would be vulnerable to a timing attack.
+    def safeEquals(a: String, b: String) = {
+      if (a.length != b.length) false
+      else {
+        var equal = 0
+        for (i <- Array.range(0, a.length)) {
+          equal |= a(i) ^ b(i)
         }
+        equal == 0
       }
     }
+
+    Try {
+      val split = kvs.split("-")
+      val message = split.tail.mkString("-")
+      if (safeEquals(split(0), Crypto.sign(message, serverSecret)))
+        Session.defaultInstance.withKvs(urldecode(message))
+      else
+        throw new Exception("corrupted encrypted kvs")
+    }
+  }
+}
+
+object SessionSerializers {
+
+  def basic(secret: String): SessionSerializer[Session, String] =
+    new BasicSessionSerializer(secret)
+
+  def jwt(implicit formats: Formats): SessionSerializer[Session, JValue] =
+    JValueSessionSerializer.caseClass[Session]
+}
+
+object SessionManagers {
+
+  def basic(implicit sessionConfig: SessionConfig): SessionManager[Session] = {
+    import SessionEncoder._
+    implicit val serializer: SessionSerializer[Session, String] =
+      SessionSerializers.basic(sessionConfig.serverSecret)
+    new SessionManager[Session](sessionConfig)
+  }
+
+  def jwt(implicit sessionConfig: SessionConfig, formats: Formats): SessionManager[Session] = {
+    implicit val serializer: SessionSerializer[Session, JValue] = SessionSerializers.jwt(formats)
+    implicit val encoder: JwtSessionEncoder[Session] = new JwtSessionEncoder[Session]
+    new SessionManager[Session](sessionConfig)(encoder)
+  }
 }

session/common/src/test/scala/app/softnetwork/session/model/SessionEncodersSpec.scala

@@ -0,0 +1,70 @@
+package app.softnetwork.session.model
+
+import app.softnetwork.serialization.commonFormats
+import app.softnetwork.session.config.Settings.Session.DefaultSessionConfig
+import com.softwaremill.session.{
+  JwtSessionEncoder,
+  SessionConfig,
+  SessionEncoder,
+  SessionSerializer
+}
+import org.json4s.{Formats, JValue}
+import org.scalatest.Assertion
+import org.scalatest.wordspec.AnyWordSpecLike
+import org.softnetwork.session.model.Session
+
+class SessionEncodersSpec extends AnyWordSpecLike {
+
+  implicit def sessionConfig: SessionConfig = DefaultSessionConfig
+
+  implicit def formats: Formats = commonFormats
+
+  val session: Session = Session.defaultInstance.withKvs(
+    Map(
+      "_sessiondata" -> "id",
+      "profile"      -> "profile",
+      "admin"        -> "true"
+    )
+  )
+
+  val now: Long = System.currentTimeMillis()
+
+  var result: String = _
+
+  "basic session encoder" must {
+    "encode" in {
+      implicit val serializer: SessionSerializer[Session, String] =
+        SessionSerializers.basic(sessionConfig.serverSecret)
+      result = SessionEncoder.basic.encode(session, now, sessionConfig)
+    }
+    "decode" in {
+      implicit val serializer: SessionSerializer[Session, String] =
+        SessionSerializers.basic(sessionConfig.serverSecret)
+      SessionEncoder.basic[Session].decode(result, sessionConfig).toOption match {
+        case Some(r) => check(Some(r.t))
+        case _       => fail("unable to decode session")
+      }
+    }
+  }
+
+  "jwt session encoder" must {
+    "encode" in {
+      implicit val serializer: SessionSerializer[Session, JValue] = SessionSerializers.jwt(formats)
+      result = new JwtSessionEncoder[Session].encode(session, now, sessionConfig)
+    }
+    "decode" in {
+      implicit val serializer: SessionSerializer[Session, JValue] = SessionSerializers.jwt(formats)
+      new JwtSessionEncoder[Session].decode(result, sessionConfig).toOption match {
+        case Some(r) => check(Some(r.t))
+        case _       => fail("unable to decode session")
+      }
+    }
+  }
+
+  def check(maybeSession: Option[Session]): Assertion = {
+    assert(maybeSession.isDefined)
+    assert(maybeSession.get.id == session.id)
+    assert(maybeSession.get.profile.getOrElse("") == session.profile.getOrElse(""))
+    assert(maybeSession.get.admin == session.admin)
+  }
+}