FromRequestParts not getting session after save

[jdu]

I have a handler that saves a "user" prop to the session through SessionManageLayer.

#[debug_handler]
pub async fn login_authorized(
    Query(query): Query<AuthRequest>,
    session: Session,
    State(oauth_client): State<BasicClient>,
) -> Result<impl IntoResponse, AppError> {
    println!("login_authorized");
    let token = oauth_client
        .exchange_code(AuthorizationCode::new(query.code.clone()))
        .request_async(async_http_client)
        .await
        .context("failed in sending request request to authorization server")?;
    dbg!(&query);

    let client = reqwest::Client::new();
    let user_data: User = client
        .get("https://graph.microsoft.com/v1.0/me")
        .bearer_auth(token.access_token().secret())
        .send()
        .await
        .context("failed in sending request to target url")?
        .json::<User>()
        .await
        .context("failed to deserialize response as json")?;

    session.insert("user", &user_data).await.unwrap();
    session.save().await.unwrap();
    println!("AUTHED");
    let id = session.id();
    dbg!(&id);

    Ok(Redirect::to("/"))
}

On successful authentication I redirect the user back to the / of the application.

In order to pull out the user session data I have a FromRequestParts implementation around a struct similar to the setup in the example in the rust docs.

pub struct AuthRedirect;

impl IntoResponse for AuthRedirect {
    fn into_response(self) -> Response {
        Redirect::temporary("/auth").into_response()
    }
}

#[async_trait]
impl<S> FromRequestParts<S> for UserSession
where
    S: Send + Sync,
{
    type Rejection = AuthRedirect;

    async fn from_request_parts(req: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
        let session = Session::from_request_parts(req, state).await.unwrap();

        let id = session.id();
        dbg!(&id);

        println!("MID1");
        dbg!(&session);
        let mut user_data: User = session.get("user").await.unwrap().ok_or(AuthRedirect)?;
        println!("MID2");
        dbg!(&user_data);

        Ok(UserSession { session, user_data })
    }
}

After I've set the "user" property on the session through session.insert(...) and redirected back to / this code above in the implementation, when I try to get the "user" data, it returns nothing and ends me up in a redirect loop.

If I just change the URL in my browser to go directly to the / of the application, it loads the session fine.

Is there something I have to return in the redirect to make sure that headers or a cookie is set correctly after the session.save()?

[jdu]

I've seen the other answer about setting CORS up, but this is just on a straight GET call, there's no JS involved. It's just an OAuth flow:

/ -> /auth -> OAuth Login Screen -> /auth/authorized (set session deets here) -> redirect / (No session)

[jdu]

Right, so the issue is that the SET_COOKIE header isn't set on the redirect. Which I can explicitly return Ok((headers, Redirect::temporary("/")) but I need the cookie header from the session, which I can't seem to see how to get.

[jdu]

I've tried explicitly setting the cookie in the login_authorized function:

    let id = session.id().unwrap();
    let mut headers = HeaderMap::new();
    let cookie = format!("id={id}; SameSite=Lax; Path=/");
    headers.insert(SET_COOKIE, cookie.parse().expect("Failed to parse cookie"));

    Ok((headers, Redirect::temporary("/")))

Which the the cookie is set when i'm passed onto that function, I can see it in the firefox console that the cookie is set in the response. But the response from the / route that it's redirected onto has no cookie in the response headers...

[jdu]

Right, so I've figured this out, for anyone else bashing their heads.

Basically, it's because of the internal redirect after a redirect from a third-party site. My OAuth flow routes a user out to an Azure SSO login page, once they log in there, they're redirected to /auth/authorized which sets up their session data, then redirects to the index page of the site /.

Because it's a redirect, the referrer for the redirect to the / page is actually still the MS Azure login page, rather than the sites own page. This means the browser won't send the cookie back to the server because the referrer doesn't match up in strict mode.

So changing the SessionManagerLayer to use with_same_site(SameSite::Lax) seems to have fixed it.