How to update a private cookie in a middleware

[ckruse]

Summary

Hi there,

I'm trying to implement a „remember me” functionality. For this I'd like to update a private cookie with every request. I figured that a middleware would be the best option to do this, but I can't get the cookie to be updated. This is my attempt:

pub async fn remember_me(
    State(state): State<AppState>,
    mut auth: AuthSession,
    jar: PrivateCookieJar,
    request: Request,
    next: Next,
) -> Response {
    if let Some(cookie) = jar.get("remember_me") {
        if let Ok(user_id) = cookie.value().parse::<i64>() {
            let now = cookie::time::OffsetDateTime::now_utc() + cookie::time::Duration::days(30);
            let cookie = Cookie::build(("remember_me", user_id.to_string()))
                .expires(now)
                .http_only(true)
                .secure(SECURE)
                .path("/")
                .domain(std::env::var("COOKIE_DOMAIN").unwrap_or_default())
                .same_site(cookie::SameSite::Strict)
                .build();

            jar.add(cookie);

            if auth.user.is_none() {
                let user = users::get_user(user_id, &state.pool).await.ok().flatten();

                if let Some(user) = user {
                    auth.login(&user).await.ok();
                }
            }
        }
    }

    next.run(request).await
}

What am I doing wrong?

Best regards,
CK

axum version

0.7.2

[davidpdrsn]

From the docs:

Note that methods like PrivateCookieJar::add, PrivateCookieJar::remove, etc updates the PrivateCookieJar and returns it. This value must be returned from the handler as part of the response for the changes to be propagated.

[ckruse]

Yes, I read that. Does that imply that there is no way to do that from a middleware?

[davidpdrsn]

There is, but you need to return the updated jar along with the response from next.run(...).

[ckruse]

Ah! I didn't know that I can do it that easy! It works, thank you very much!

[phuctgps42473]

How do you add the jar alongside with the next.run(...), I can't find a way to do it

[jplatte]

You can do

let response = next.run(..).await;
(jar, response) // return this from the from_fn middleware

This may or may not do what you want: Changes to the jar will not be seen by the inner service / handler, so it would only work if the middleware is the only thing that updates cookies.

If you want to update some cookies from the middleware and some from the handler, I think the better solution is likely tower-cookies (though I haven't used it myself).