actix / actix-extras

A collection of additional crates supporting the actix and actix-web frameworks.
https://actix.rs
Apache License 2.0

How to solve the error when not logged in after setting actix_identity? #456

Closed sunkaifei closed 2 months ago

sunkaifei commented 3 months ago

How to set it up correctly? I am copying the configuration from the code sample.


            .wrap(IdentityMiddleware::default())
            .wrap(
                SessionMiddleware::builder(CookieSessionStore::default(), signing_key.clone())
                    .cookie_secure(false)
                    .build(),
            )

Why does this prompt appear when not logged in?


DEBUG [actix_web::extract] - Error for Option<T> extractor: There is no identity information attached to the current session

purefunctor commented 3 months ago

This seems to be a critical regression in actix-session 0.10.0? Downgrading to 0.9.0 is working for me so far. On Safari it needed a little more convincing with setting the right cookie attributes.

Additional context:

actix-files = "0.6.6"
actix-identity = "0.7.1"
actix-session = { version = "0.9.0", features = ["cookie-session"] }
actix-web = "4.9.0"
anyhow = "1.0.86"
base64 = "0.22.1"
diesel = { version = "2.2.2", features = ["postgres", "r2d2", "uuid"] }
dotenvy = "0.15.7"
hex = "0.4.3"
hmac = "0.12.1"
rand = "0.8.5"
rand_chacha = "0.3.1"
regex = "1.10.6"
secrecy = "0.8.0"
serde = { version = "1.0.206", features = ["serde_derive"] }
serde_with = { version = "3.9.0", features = ["base64"] }
sha2 = "0.10.8"
thiserror = "1.0.63"
tracing = "0.1.40"
tracing-actix-web = "0.7.11"
tracing-subscriber = "0.3.18"
uuid = "1.10.0"

Update: I think I found the root cause:

As of identity-v0.7.1, actix-identity requires actix-session 0.9.0 https://github.com/actix/actix-extras/blob/db2193b8c5c6e8f40b9d85d7ee8618baa4af7fb5/actix-identity/Cargo.toml#L22

I'm guessing that since actix-session 0.10.0 also gets compiled as a dependency, the type magic inside actix is unable to reconcile the two Session types. Downgrading to actix-session 0.9.0 specifically would be the solution, until a new version of actix-identity is published with the updated version bound

sunkaifei commented 3 months ago

I have tried both versions, I have tried this way

sunkaifei commented 3 months ago

@purefunctor Do you have any errors in version 0.9.0? I have the same version, and accessing pages that haven't been logged in will result in an error, so I can only use the session directly.

purefunctor commented 3 months ago

@sunkaifei You can ignore the DEBUG log:

2024-08-13T17:30:54.181711Z DEBUG HTTP request{http.method=GET http.route=/auth/generate http.flavor=1.1 http.scheme=http http.host=localhost:3000 http.client_ip=127.0.0.1 http.user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0 http.target=/auth/generate otel.name=HTTP GET /auth/generate otel.kind="server" request_id=3d20b23f-5d8c-4aef-b6b1-8dcc140a5a89}: actix_web::extract: Error for Option<T> extractor: There is no identity information attached to the current session    
2024-08-13T17:30:54.181806Z  INFO HTTP request{http.method=GET http.route=/auth/generate http.flavor=1.1 http.scheme=http http.host=localhost:3000 http.client_ip=127.0.0.1 http.user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0 http.target=/auth/generate otel.name=HTTP GET /auth/generate otel.kind="server" request_id=3d20b23f-5d8c-4aef-b6b1-8dcc140a5a89}: server::page: No user
2024-08-13T17:31:01.854869Z  INFO HTTP request{http.method=POST http.route=/api/v1/auth/login http.flavor=1.1 http.scheme=http http.host=localhost:3000 http.client_ip=127.0.0.1 http.user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0 http.target=/api/v1/auth/login otel.name=HTTP POST /api/v1/auth/login otel.kind="server" request_id=5f18e02e-b5b3-4aee-86eb-f449e4215966}: server::api::auth: Inserted user: "4436d90f-cce5-44c1-8a77-c10ad4d3e873"
2024-08-13T17:31:24.988591Z  INFO HTTP request{http.method=GET http.route=/auth/generate http.flavor=1.1 http.scheme=http http.host=localhost:3000 http.client_ip=127.0.0.1 http.user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:129.0) Gecko/20100101 Firefox/129.0 http.target=/auth/generate otel.name=HTTP GET /auth/generate otel.kind="server" request_id=1adb78c4-168f-4bfb-9ffa-f77fc0bed561}: server::page: "4436d90f-cce5-44c1-8a77-c10ad4d3e873"

It's meant for developers:

https://github.com/actix/actix-web/blob/f61fcbe8407019ad6ec958ab78ef2401f2ccd68f/actix-web/src/extract.rs#L173-L184

sunkaifei commented 3 months ago

On the first line of your log, there is also an error message when the user is not logged in, just like my prompt

purefunctor commented 3 months ago

Yes, it's normal. You can set the log to filter DEBUG messages

junbl commented 3 months ago

> Update: I think I found the root cause:
>
> As of identity-v0.7.1, actix-identity requires actix-session 0.9.0
>
> https://github.com/actix/actix-extras/blob/db2193b8c5c6e8f40b9d85d7ee8618baa4af7fb5/actix-identity/Cargo.toml#L22
>
> I'm guessing that since actix-session 0.10.0 also gets compiled as a dependency, the type magic inside actix is unable to reconcile the two Session types. Downgrading to actix-session 0.9.0 specifically would be the solution, until a new version of actix-identity is published with the updated version bound

Also seeing this issue after upgrading to 0.10.0, and works to downgrade to 0.9.0. I guess ideally that would have failed to compile, but I think because of the way the middleware works in actix web I don't think it's possible to statically guarantee that the right actix_session::SessionMiddleware is in your app.

Easiest solution might just be to reexport actix_session out of actix_identity and recommend people use that, since you can't really use identity without session anyway.

Or add peer dependencies to cargo (jk jk)
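
The failure mode discussed in the comments above, as an added example that is not part of the thread or of the actix code base: a simplified model, assuming the session middleware hands its state to extractors through a type-keyed map. `Extensions`, `session_v0_9` and `session_v0_10` are hypothetical stand-ins for the request extensions and the two compiled copies of actix-session.

```rust
use std::any::{Any, TypeId};
use std::collections::HashMap;

// Toy per-request, type-keyed map (assumption: simplified model, not actix's real type).
#[derive(Default)]
pub struct Extensions {
    map: HashMap<TypeId, Box<dyn Any>>,
}

impl Extensions {
    pub fn insert<T: 'static>(&mut self, value: T) {
        self.map.insert(TypeId::of::<T>(), Box::new(value));
    }
    pub fn get<T: 'static>(&self) -> Option<&T> {
        self.map.get(&TypeId::of::<T>())?.downcast_ref::<T>()
    }
}

// Two copies of the "same" crate, as cargo builds them when two
// semver-incompatible versions are required. Hypothetical module names.
pub mod session_v0_9 {
    #[derive(Debug, Default)]
    pub struct Session { pub user_id: Option<String> }
}
pub mod session_v0_10 {
    #[derive(Debug, Default)]
    pub struct Session { pub user_id: Option<String> }
}

// The application wraps the middleware from the newer copy, which stores its own Session.
pub fn session_middleware(ext: &mut Extensions, user: &str) {
    ext.insert(session_v0_10::Session { user_id: Some(user.to_owned()) });
}

// The identity crate looks up the Session type it was compiled against.
pub fn identity_from_old_session(ext: &Extensions) -> Option<String> {
    ext.get::<session_v0_9::Session>()?.user_id.clone()
}
pub fn identity_from_matching_session(ext: &Extensions) -> Option<String> {
    ext.get::<session_v0_10::Session>()?.user_id.clone()
}

fn main() {
    let mut ext = Extensions::default();
    session_middleware(&mut ext, "constructed-user-id"); // constructed sample value
    println!("0.9 lookup:  {:?}", identity_from_old_session(&ext));
    println!("0.10 lookup: {:?}", identity_from_matching_session(&ext));
}
```

Both `Session` structs are textually identical, yet the compiler treats them as unrelated types, so the build succeeds and the lookup against the older type returns `None` at runtime.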

jwiesler commented 3 months ago

The issue is that actix-identity's actix-session dependency was updated in f2339971cdbfbd42a3720d2bc6fa5478b7eef2a8 but no version increment was done or no new version was published to crates.io. The current source code on crates.io still depends on actix-session 0.9 and is 6 months old. Maybe someone can fix this by pushing a new version? @robjtede maybe?

Edit: actix-limitation probably has the same issue.
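
A check for the condition described above, as an added example that is not part of the thread or the project: it scans a Cargo.lock for crates locked at more than one version. The lock excerpt is constructed sample data, and `duplicate_versions` is a hypothetical helper name.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed Cargo.lock excerpt mirroring the situation in this thread
// (sample data, not taken from a real project).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "actix-identity"
version = "0.7.1"
dependencies = [
 "actix-session 0.9.0",
]

[[package]]
name = "actix-session"
version = "0.9.0"

[[package]]
name = "actix-session"
version = "0.10.0"
"#;

// Extracts the quoted value of a `key = "value"` line, or None for any other line.
fn quoted(line: &str, key: &str) -> Option<String> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"').to_string())
}

/// Returns every package name that is locked at more than one version.
pub fn duplicate_versions(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut seen: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None; // start of a new package entry
        } else if let Some(n) = quoted(line, "name") {
            name = Some(n);
        } else if let (Some(v), Some(n)) = (quoted(line, "version"), name.as_ref()) {
            seen.entry(n.clone()).or_default().insert(v);
        }
    }
    seen.retain(|_, versions| versions.len() > 1);
    seen
}

fn main() {
    for (name, versions) in duplicate_versions(SAMPLE_LOCK) {
        println!("{name}: {versions:?}");
    }
}
```

`cargo tree -d` reports the same duplicates from cargo itself, together with which crates pull in each version.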

enaut commented 2 months ago

Oh – I see the problem now… that issue took me 6h to find. Could someone do the publish - even better figure out a way to avoid this? I don't think I know enough to solve it for good.

robjtede commented 2 months ago

New actix-identity release published: https://github.com/actix/actix-extras/releases/tag/identity-v0.8.0

Sorry for the delay.

enaut commented 2 months ago

Thank you so much!

purefunctor commented 2 months ago

Thank you!