feat(middleware): add HTTP session & cookie support with tests

Author: GaspardKirira

include/vix/middleware/app/presets.hpp

@@ -38,6 +38,8 @@
 #include <vix/middleware/auth/api_key.hpp>
 #include <vix/middleware/auth/rbac.hpp>
 #include <vix/middleware/app/app_middleware.hpp>
+#include <vix/middleware/http/cookies.hpp>
+#include <vix/middleware/auth/session.hpp>
 
 namespace vix::middleware::app
 {
@@ -347,6 +349,82 @@ namespace vix::middleware::app
     return adapt_ctx(vix::middleware::auth::jwt(std::move(opt)));
   }
 
+  inline vix::App::Middleware session_dev(
+      std::string secret,
+      std::string cookie_name = "sid",
+      std::chrono::seconds ttl = std::chrono::hours(24 * 7),
+      bool secure = false,
+      std::string same_site = "Lax",
+      bool http_only = true,
+      std::string cookie_path = "/",
+      bool auto_create = true)
+  {
+    vix::middleware::auth::SessionOptions opt{};
+    opt.secret = std::move(secret);
+    opt.cookie_name = std::move(cookie_name);
+    opt.cookie_path = std::move(cookie_path);
+    opt.secure = secure;
+    opt.http_only = http_only;
+    opt.same_site = std::move(same_site);
+    opt.ttl = ttl;
+    opt.auto_create = auto_create;
+
+    return adapt_ctx(vix::middleware::auth::session(std::move(opt)));
+  }
+
+  inline vix::App::Middleware session_strict(
+      std::string secret,
+      std::string cookie_name = "sid",
+      std::chrono::seconds ttl = std::chrono::hours(24 * 7))
+  {
+    vix::middleware::auth::SessionOptions opt{};
+    opt.secret = std::move(secret);
+    opt.cookie_name = std::move(cookie_name);
+    opt.cookie_path = "/";
+
+    // strict defaults
+    opt.secure = true;
+    opt.http_only = true;
+    opt.same_site = "None"; // needed for cross-site cookies, requires Secure=true
+    opt.ttl = ttl;
+    opt.auto_create = true;
+
+    return adapt_ctx(vix::middleware::auth::session(std::move(opt)));
+  }
+
+  inline vix::App::Middleware set_cookie_dev(
+      std::string name,
+      std::string value,
+      int max_age = 3600,
+      bool secure = false,
+      std::string same_site = "Lax",
+      bool http_only = true,
+      std::string path = "/")
+  {
+    return adapt_ctx(
+        [name = std::move(name),
+         value = std::move(value),
+         max_age,
+         secure,
+         same_site = std::move(same_site),
+         http_only,
+         path = std::move(path)](vix::middleware::Context &ctx, vix::middleware::Next next) mutable
+        {
+          next();
+
+          vix::middleware::http::Cookie c;
+          c.name = std::move(name);
+          c.value = std::move(value);
+          c.max_age = max_age;
+          c.secure = secure;
+          c.same_site = std::move(same_site);
+          c.http_only = http_only;
+          c.path = std::move(path);
+
+          vix::middleware::http::set(ctx.res(), c);
+        });
+  }
+
   inline vix::App::Middleware api_key_auth(
       vix::middleware::auth::ApiKeyOptions opt)
   {

include/vix/middleware/auth/session.hpp

@@ -0,0 +1,68 @@
+#ifndef VIX_MIDDLEWARE_AUTH_SESSION_HPP
+#define VIX_MIDDLEWARE_AUTH_SESSION_HPP
+
+#include <string>
+#include <unordered_map>
+#include <optional>
+#include <memory>
+#include <chrono>
+
+#include <vix/middleware/middleware.hpp>
+
+namespace vix::middleware::auth
+{
+  struct Session
+  {
+    std::string id;
+    std::unordered_map<std::string, std::string> data;
+
+    bool is_new{false};
+    bool dirty{false};
+    bool destroyed{false};
+
+    void set(std::string k, std::string v);
+    std::optional<std::string> get(const std::string &k) const;
+    void erase(const std::string &k);
+    void destroy();
+  };
+
+  class ISessionStore
+  {
+  public:
+    virtual ~ISessionStore() = default;
+    virtual std::optional<Session> load(const std::string &sid) = 0;
+    virtual void save(const Session &s, std::chrono::seconds ttl) = 0;
+    virtual void destroy(const std::string &sid) = 0;
+  };
+
+  class InMemorySessionStore final : public ISessionStore
+  {
+  public:
+    std::optional<Session> load(const std::string &sid) override;
+    void save(const Session &s, std::chrono::seconds ttl) override;
+    void destroy(const std::string &sid) override;
+
+  private:
+    std::unordered_map<std::string, Session> map_;
+  };
+
+  struct SessionOptions
+  {
+    std::shared_ptr<ISessionStore> store{};
+
+    std::string secret; // required
+    std::string cookie_name{"sid"};
+    std::string cookie_path{"/"};
+    bool secure{false};
+    bool http_only{true};
+    std::string same_site{"Lax"};
+
+    std::chrono::seconds ttl{std::chrono::hours(24 * 7)};
+    bool auto_create{true};
+  };
+
+  MiddlewareFn session(SessionOptions opt);
+
+} // namespace vix::middleware::auth
+
+#endif

include/vix/middleware/http/cookies.hpp

@@ -0,0 +1,143 @@
+#ifndef VIX_MIDDLEWARE_HTTP_COOKIES_HPP
+#define VIX_MIDDLEWARE_HTTP_COOKIES_HPP
+
+#include <string>
+#include <string_view>
+#include <unordered_map>
+#include <optional>
+#include <cctype>
+
+#include <boost/beast/core/string.hpp>
+#include <boost/beast/http/field.hpp>
+
+#include <vix/middleware/middleware.hpp>
+
+namespace vix::middleware::http
+{
+  struct Cookie
+  {
+    std::string name;
+    std::string value;
+
+    std::string path{"/"};
+    std::string domain{};
+    int max_age{-1}; // -1 => omit
+    bool http_only{true};
+    bool secure{false};
+    std::string same_site{"Lax"}; // Lax | Strict | None
+  };
+
+  inline std::string trim(std::string_view s)
+  {
+    size_t b = 0;
+    while (b < s.size() && std::isspace(static_cast<unsigned char>(s[b])))
+      b++;
+    size_t e = s.size();
+    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1])))
+      e--;
+    return std::string(s.substr(b, e - b));
+  }
+
+  inline std::unordered_map<std::string, std::string> parse_cookie_header(std::string_view header)
+  {
+    std::unordered_map<std::string, std::string> out;
+
+    size_t i = 0;
+    while (i < header.size())
+    {
+      size_t semi = header.find(';', i);
+      if (semi == std::string_view::npos)
+        semi = header.size();
+
+      auto part = header.substr(i, semi - i);
+      i = (semi < header.size()) ? semi + 1 : semi;
+
+      auto eq = part.find('=');
+      if (eq == std::string_view::npos)
+        continue;
+
+      std::string k = trim(part.substr(0, eq));
+      std::string v = trim(part.substr(eq + 1));
+
+      if (!k.empty())
+        out.emplace(std::move(k), std::move(v));
+    }
+
+    return out;
+  }
+
+  inline std::unordered_map<std::string, std::string> parse(const vix::middleware::Request &req)
+  {
+    const std::string h = req.header("cookie");
+    if (h.empty())
+      return {};
+    return parse_cookie_header(h);
+  }
+
+  inline std::optional<std::string> get(const vix::middleware::Request &req, std::string_view name)
+  {
+    const std::string h = req.header("cookie");
+    if (h.empty())
+      return std::nullopt;
+
+    auto m = parse_cookie_header(h);
+    auto it = m.find(std::string(name));
+    if (it == m.end())
+      return std::nullopt;
+    return it->second;
+  }
+
+  inline std::string build_set_cookie_value(const Cookie &c)
+  {
+    std::string s;
+    s.reserve(128);
+
+    s += c.name;
+    s += '=';
+    s += c.value;
+
+    if (!c.path.empty())
+    {
+      s += "; Path=";
+      s += c.path;
+    }
+    if (!c.domain.empty())
+    {
+      s += "; Domain=";
+      s += c.domain;
+    }
+    if (c.max_age >= 0)
+    {
+      s += "; Max-Age=";
+      s += std::to_string(c.max_age);
+    }
+
+    if (c.http_only)
+      s += "; HttpOnly";
+    if (c.secure)
+      s += "; Secure";
+
+    if (!c.same_site.empty())
+    {
+      s += "; SameSite=";
+      s += c.same_site;
+    }
+
+    return s;
+  }
+
+  inline void set(vix::middleware::Response &res, const Cookie &c)
+  {
+    using boost::beast::string_view;
+
+    const std::string v = build_set_cookie_value(c);
+
+    // IMPORTANT: repeatable header
+    res.res.insert(
+        string_view{"Set-Cookie", 10},
+        string_view{v.data(), v.size()});
+  }
+
+} // namespace vix::middleware::http
+
+#endif