Optimize cache management

Cargo.lock

@@ -184,6 +184,7 @@ dependencies = [
  "anyhow",
  "derive_more",
  "rand 0.9.2",
+ "redis",
  "serde",
  "serde_json",
  "tracing",
@@ -395,6 +396,12 @@ version = "1.0.100"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61"
 
+[[package]]
+name = "arc-swap"
+version = "1.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
+
 [[package]]
 name = "arrayref"
 version = "0.3.9"
@@ -506,6 +513,15 @@ version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
 
+[[package]]
+name = "backon"
+version = "1.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "cffb0e931875b666fc4fcb20fee52e9bbd1ef836fd9e9e04ec21555f9f85f7ef"
+dependencies = [
+ "fastrand",
+]
+
 [[package]]
 name = "base16ct"
 version = "0.2.0"
@@ -567,10 +583,12 @@ dependencies = [
  "base64 0.22.1",
  "bcrypt",
  "bincode",
+ "build-time",
  "chrono",
  "clap",
  "digest 0.11.0-rc.4",
  "env_logger",
+ "httpdate",
  "include_dir",
  "jwt-simple",
  "lazy-regex",
@@ -706,6 +724,19 @@ dependencies = [
  "alloc-stdlib",
 ]
 
+[[package]]
+name = "build-time"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f1219c19fc29b7bfd74b7968b420aff5bc951cf517800176e795d6b2300dd382"
+dependencies = [
+ "chrono",
+ "once_cell",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.19.0"
@@ -854,6 +885,20 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
+[[package]]
+name = "combine"
+version = "4.6.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
+dependencies = [
+ "bytes",
+ "futures-core",
+ "memchr",
+ "pin-project-lite",
+ "tokio",
+ "tokio-util",
+]
+
 [[package]]
 name = "const-oid"
 version = "0.9.6"
@@ -1323,6 +1368,7 @@ checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81"
 dependencies = [
  "futures-core",
  "futures-macro",
+ "futures-sink",
  "futures-task",
  "pin-project-lite",
  "pin-utils",
@@ -2593,6 +2639,30 @@ version = "0.10.0-rc-2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "104a23e4e8b77312a823b6b5613edbac78397e2f34320bc7ac4277013ec4478e"
 
+[[package]]
+name = "redis"
+version = "0.32.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "014cc767fefab6a3e798ca45112bccad9c6e0e218fbd49720042716c73cfef44"
+dependencies = [
+ "arc-swap",
+ "backon",
+ "bytes",
+ "cfg-if",
+ "combine",
+ "futures-channel",
+ "futures-util",
+ "itoa",
+ "num-bigint",
+ "percent-encoding",
+ "pin-project-lite",
+ "ryu",
+ "socket2 0.6.1",
+ "tokio",
+ "tokio-util",
+ "url",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.18"

Cargo.toml

@@ -9,7 +9,7 @@ edition = "2024"
 actix = "0.13.5"
 actix-identity = "0.9.0"
 actix-web = "4.12.1"
-actix-session = { version = "0.11.0", features = ["cookie-session"] }
+actix-session = { version = "0.11.0", features = ["cookie-session", "redis-session"] }
 actix-remote-ip = "0.1.0"
 clap = { version = "4.5.53", features = ["derive", "env"] }
 include_dir = "0.7.4"
@@ -39,3 +39,5 @@ bincode = "2.0.1"
 chrono = "0.4.42"
 lazy_static = "1.5.0"
 mailchecker = "6.0.19"
+httpdate = "1.0.3"
+build-time = "0.1.3"

sample_upstream_provider/docker-compose.yaml

@@ -1,4 +1,15 @@
 services:
+  redis:
+    image: redis
+    network_mode: host
+    volumes:
+      - ./redis/redis.conf:/redis.conf:ro
+    command: [ "redis-server", "/redis.conf" ]
+    healthcheck:
+      test: [ "CMD", "redis-cli", "ping" ]
+      interval: 10s
+      timeout: 30s
+      retries: 3
   upstream:
     image: dexidp/dex
     user: "1000"
@@ -33,9 +44,14 @@ services:
     image: rust
     user: "1000"
     network_mode: host
+    depends_on:
+      redis:
+        condition: service_healthy
     environment:
       - STORAGE_PATH=/storage
       - DISABLE_LOCAL_LOGIN=true
+      - USE_REDIS=true
+      - REDIS_PASSWORD=secretsecret
       #- RUST_LOG=debug
     volumes:
       - ../:/app

sample_upstream_provider/redis/redis.conf

@@ -0,0 +1,3 @@
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+requirepass secretsecret

src/actors/bruteforce_actor.rs

@@ -5,7 +5,7 @@ use std::net::IpAddr;
 use actix::{Actor, AsyncContext, Context, Handler, Message};
 
 use crate::constants::{FAIL_LOGIN_ATTEMPT_CLEANUP_INTERVAL, KEEP_FAILED_LOGIN_ATTEMPTS_FOR};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Message)]
 #[rtype(result = "()")]
@@ -87,7 +87,7 @@ mod test {
     use std::net::{IpAddr, Ipv4Addr};
 
     use crate::actors::bruteforce_actor::BruteForceActor;
-    use crate::utils::time::time;
+    use crate::utils::time_utils::time;
 
     const IP_1: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 1));
     const IP_2: IpAddr = IpAddr::V4(Ipv4Addr::new(192, 168, 1, 2));

src/actors/openid_sessions_actor.rs

@@ -10,7 +10,7 @@ use crate::data::jwt_signer::JWTSigner;
 use crate::data::user::UserID;
 use crate::utils::err::Res;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize, Eq, PartialEq)]
 pub struct SessionID(pub String);

src/actors/providers_states_actor.rs

@@ -15,7 +15,7 @@ use std::net::IpAddr;
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::ProviderID;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Debug, Clone, serde::Serialize)]
 pub struct ProviderLoginState {

src/controllers/assets_controller.rs

@@ -1,7 +1,11 @@
-use std::path::Path;
-
-use actix_web::{HttpResponse, web};
+use crate::utils::crypt_utils::sha256;
+use crate::utils::time_utils;
+use actix_web::http::header;
+use actix_web::{HttpRequest, HttpResponse, web};
 use include_dir::{Dir, include_dir};
+use std::ops::Add;
+use std::path::Path;
+use std::time::Duration;
 
 /// Assets directory
 static ASSETS_DIR: Dir = include_dir!("$CARGO_MANIFEST_DIR/assets");
@@ -12,14 +16,39 @@ pub async fn robots_txt() -> HttpResponse {
         .body(include_str!("../../assets/robots.txt"))
 }
 
-pub async fn assets_route(path: web::Path<String>) -> HttpResponse {
+pub async fn assets_route(req: HttpRequest, path: web::Path<String>) -> HttpResponse {
     let path: &Path = path.as_ref().as_ref();
     match ASSETS_DIR.get_file(path) {
         None => HttpResponse::NotFound().body("404 Not found"),
         Some(file) => {
             let res = mime_guess::from_path(path).first_or_octet_stream();
+            let digest = format!("{:x?}", sha256(file.contents()));
+
+            // Check if the browser already knows the file by date
+            if let Some(c) = req.headers().get(header::IF_MODIFIED_SINCE) {
+                let date_str = c.to_str().unwrap_or("");
+                if let Ok(date) = httpdate::parse_http_date(date_str)
+                    && date.add(Duration::from_secs(1))
+                        >= time_utils::unix_to_system_time(time_utils::build_time())
+                {
+                    return HttpResponse::NotModified().finish();
+                }
+            }
+
+            // Check if the browser already knows the etag
+            if let Some(c) = req.headers().get(header::IF_NONE_MATCH)
+                && c.to_str().unwrap_or("") == digest
+            {
+                return HttpResponse::NotModified().finish();
+            }
+
             HttpResponse::Ok()
                 .content_type(res.to_string())
+                .insert_header(("etag", digest))
+                .insert_header((
+                    "last-modified",
+                    time_utils::unix_to_http_date(time_utils::build_time()),
+                ))
                 .body(file.contents())
         }
     }

src/controllers/openid_controller.rs

@@ -26,7 +26,7 @@ use crate::data::login_redirect::{LoginRedirect, get_2fa_url};
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
 use crate::utils::string_utils::rand_str;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 pub async fn get_configuration(req: HttpRequest) -> impl Responder {
     let is_secure_request = req

src/controllers/two_factors_controller.rs

@@ -14,7 +14,7 @@ use crate::data::current_user::CurrentUser;
 use crate::data::totp_key::TotpKey;
 use crate::data::user::User;
 use crate::data::webauthn_manager::WebAuthManagerReq;
-use crate::utils::time::fmt_time;
+use crate::utils::time_utils::fmt_time;
 
 #[derive(Template)]
 #[template(path = "settings/two_factors_page.html")]

src/data/action_logger.rs

@@ -17,7 +17,7 @@ use crate::data::provider::{Provider, ProviderID};
 
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::{FactorID, GrantedClients, TwoFactor, TwoFactorType, User, UserID};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(serde::Serialize)]
 pub struct LoggableUser {

src/data/app_config.rs

@@ -67,6 +67,30 @@ pub struct AppConfig {
     /// to authenticate
     #[arg(long, env)]
     pub disable_local_login: bool,
+
+    /// Use Redis to store cookie sessions
+    #[arg(long, env)]
+    pub use_redis: bool,
+
+    /// Redis connection hostname
+    #[clap(long, env, default_value = "localhost")]
+    redis_hostname: String,
+
+    /// Redis connection port
+    #[clap(long, env, default_value_t = 6379)]
+    redis_port: u16,
+
+    /// Redis database number
+    #[clap(long, env, default_value_t = 0)]
+    redis_db_number: i64,
+
+    /// Redis username
+    #[clap(long, env)]
+    redis_username: Option<String>,
+
+    /// Redis password
+    #[clap(long, env, default_value = "secretredis")]
+    redis_password: String,
 }
 
 lazy_static::lazy_static! {
@@ -137,6 +161,21 @@ impl AppConfig {
         let domain = self.domain_name();
         domain.split_once(':').map(|i| i.0).unwrap_or(domain)
     }
+
+    /// Get Redis connection configuration
+    pub fn redis_connection_string(&self) -> Option<String> {
+        match self.use_redis {
+            true => Some(format!(
+                "redis://{}:{}@{}:{}/{}",
+                self.redis_username.as_deref().unwrap_or(""),
+                self.redis_password,
+                self.redis_hostname,
+                self.redis_port,
+                self.redis_db_number
+            )),
+            false => None,
+        }
+    }
 }
 
 #[cfg(test)]

src/data/current_user.rs

@@ -13,7 +13,7 @@ use crate::actors::users_actor::UsersActor;
 use crate::constants::SECOND_FACTOR_EXPIRATION_FOR_CRITICAL_OPERATIONS;
 use crate::data::session_identity::SessionIdentity;
 use crate::data::user::User;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 pub struct CurrentUser {
     user: User,

src/data/provider_configuration.rs

@@ -9,7 +9,7 @@ use crate::data::app_config::AppConfig;
 
 use crate::data::provider::Provider;
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 /// Provider configuration
 #[derive(Debug, Clone)]

src/data/session_identity.rs

@@ -3,7 +3,7 @@ use actix_web::{HttpMessage, HttpRequest};
 use serde::{Deserialize, Serialize};
 
 use crate::data::user::{User, UserID};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Debug, Serialize, Deserialize, Eq, PartialEq, Default)]
 pub enum SessionStatus {

src/data/totp_key.rs

@@ -5,7 +5,7 @@ use totp_rfc6238::{HashAlgorithm, TotpGenerator};
 use crate::data::app_config::AppConfig;
 use crate::data::user::User;
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 const BASE32_ALPHABET: Alphabet = Alphabet::Rfc4648 { padding: true };
 const NUM_DIGITS: usize = 6;

src/data/user.rs

@@ -9,7 +9,7 @@ use crate::data::login_redirect::LoginRedirect;
 use crate::data::provider::{Provider, ProviderID};
 use crate::data::totp_key::TotpKey;
 use crate::data::webauthn_manager::WebauthnPubKey;
-use crate::utils::time::{fmt_time, time};
+use crate::utils::time_utils::{fmt_time, time};
 
 #[derive(Clone, Debug, Eq, PartialEq, serde::Serialize, serde::Deserialize, Encode, Decode)]
 pub struct UserID(pub String);

src/data/users_file_entity.rs

@@ -4,7 +4,7 @@ use crate::actors::users_actor::{AuthorizedAuthenticationSources, UsersSyncBacke
 use crate::data::entity_manager::EntityManager;
 use crate::data::user::{FactorID, GeneralSettings, GrantedClients, TwoFactor, User, UserID};
 use crate::utils::err::{Res, new_error};
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 impl EntityManager<User> {
     /// Update user information

src/data/webauthn_manager.rs

@@ -16,7 +16,7 @@ use crate::constants::{
 use crate::data::app_config::AppConfig;
 use crate::data::user::{User, UserID};
 use crate::utils::err::Res;
-use crate::utils::time::time;
+use crate::utils::time_utils::time;
 
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct WebauthnPubKey {

src/main.rs

@@ -1,12 +1,12 @@
 use core::time::Duration;
 use std::sync::Arc;
 
-use actix::Actor;
+use actix::{Actor, Addr};
 use actix_identity::IdentityMiddleware;
 use actix_identity::config::LogoutBehavior;
 use actix_remote_ip::RemoteIPConfig;
 use actix_session::SessionMiddleware;
-use actix_session::storage::CookieSessionStore;
+use actix_session::storage::{CookieSessionStore, RedisSessionStore};
 use actix_web::cookie::{Key, SameSite};
 use actix_web::middleware::Logger;
 use actix_web::{App, HttpResponse, HttpServer, get, middleware, web};
@@ -14,6 +14,7 @@ use actix_web::{App, HttpResponse, HttpServer, get, middleware, web};
 use basic_oidc::actors::bruteforce_actor::BruteForceActor;
 use basic_oidc::actors::openid_sessions_actor::OpenIDSessionsActor;
 use basic_oidc::actors::providers_states_actor::ProvidersStatesActor;
+use basic_oidc::actors::users_actor;
 use basic_oidc::actors::users_actor::{UsersActor, UsersSyncBackend};
 use basic_oidc::constants::*;
 use basic_oidc::controllers::assets_controller::assets_route;
@@ -26,9 +27,20 @@ use basic_oidc::data::provider::ProvidersManager;
 use basic_oidc::data::user::User;
 use basic_oidc::data::webauthn_manager::WebAuthManager;
 use basic_oidc::middlewares::auth_middleware::AuthMiddleware;
+use basic_oidc::middlewares::multi_session_store::MultiSessionStore;
 
 #[get("/health")]
-async fn health() -> &'static str {
+async fn health(users: web::Data<Addr<UsersActor>>) -> &'static str {
+    // Check users list is working
+    let users = users
+        .send(users_actor::GetAllUsers)
+        .await
+        .expect("Could not retrieve users list!");
+    if users.is_empty() {
+        log::error!("Got empty list of users!");
+        panic!("Got empty list of users!");
+    }
+
     "Running"
 }
 
@@ -69,6 +81,18 @@ async fn main() -> std::io::Result<()> {
             .expect("Failed to change default admin password!");
     }
 
+    let redis_store = match AppConfig::get().redis_connection_string() {
+        Some(s) => {
+            log::info!("Connect to Redis session store...");
+            Some(
+                RedisSessionStore::new(s)
+                    .await
+                    .expect("Failed to connect to Redis!"),
+            )
+        }
+        None => None,
+    };
+
     let users_actor = UsersActor::new(users).start();
     let bruteforce_actor = BruteForceActor::default().start();
     let providers_states_actor = ProvidersStatesActor::default().start();
@@ -91,7 +115,10 @@ async fn main() -> std::io::Result<()> {
 
     HttpServer::new(move || {
         let session_mw = SessionMiddleware::builder(
-            CookieSessionStore::default(),
+            match redis_store.clone() {
+                None => MultiSessionStore::Cookie(CookieSessionStore::default()),
+                Some(s) => MultiSessionStore::Redis(s),
+            },
             Key::from(config.token_key.as_bytes()),
         )
         .cookie_name(SESSION_COOKIE_NAME.to_string())

src/middlewares/mod.rs

@@ -1 +1,2 @@
 pub mod auth_middleware;
+pub mod multi_session_store;

src/middlewares/multi_session_store.rs

@@ -0,0 +1,63 @@
+use actix_session::storage::{
+    CookieSessionStore, LoadError, RedisSessionStore, SaveError, SessionKey, SessionStore,
+    UpdateError,
+};
+use actix_web::cookie::time::Duration;
+use jwt_simple::Error;
+use std::collections::HashMap;
+
+type SessionState = HashMap<String, String>;
+
+/// Session store multiplexer.
+///
+/// Allows to easily support different store without having a lot of duplicate code
+pub enum MultiSessionStore {
+    Cookie(CookieSessionStore),
+    Redis(RedisSessionStore),
+}
+
+impl SessionStore for MultiSessionStore {
+    async fn load(&self, session_key: &SessionKey) -> Result<Option<SessionState>, LoadError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.load(session_key).await,
+            MultiSessionStore::Redis(r) => r.load(session_key).await,
+        }
+    }
+
+    async fn save(
+        &self,
+        session_state: SessionState,
+        ttl: &Duration,
+    ) -> Result<SessionKey, SaveError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.save(session_state, ttl).await,
+            MultiSessionStore::Redis(r) => r.save(session_state, ttl).await,
+        }
+    }
+
+    async fn update(
+        &self,
+        session_key: SessionKey,
+        session_state: SessionState,
+        ttl: &Duration,
+    ) -> Result<SessionKey, UpdateError> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.update(session_key, session_state, ttl).await,
+            MultiSessionStore::Redis(r) => r.update(session_key, session_state, ttl).await,
+        }
+    }
+
+    async fn update_ttl(&self, session_key: &SessionKey, ttl: &Duration) -> Result<(), Error> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.update_ttl(session_key, ttl).await,
+            MultiSessionStore::Redis(r) => r.update_ttl(session_key, ttl).await,
+        }
+    }
+
+    async fn delete(&self, session_key: &SessionKey) -> Result<(), Error> {
+        match self {
+            MultiSessionStore::Cookie(c) => c.delete(session_key).await,
+            MultiSessionStore::Redis(r) => r.delete(session_key).await,
+        }
+    }
+}

src/utils/mod.rs

@@ -1,4 +1,4 @@
 pub mod crypt_utils;
 pub mod err;
 pub mod string_utils;
-pub mod time;
+pub mod time_utils;

src/utils/time_utils.rs

@@ -1,5 +1,5 @@
 use chrono::DateTime;
-use std::time::{SystemTime, UNIX_EPOCH};
+use std::time::{Duration, SystemTime, UNIX_EPOCH};
 
 /// Get the current time since epoch
 pub fn time() -> u64 {
@@ -19,9 +19,27 @@ pub fn fmt_time(timestamp: u64) -> String {
     datetime.format("%Y-%m-%d %H:%M:%S").to_string()
 }
 
+/// Convert UNIX time to system time
+pub fn unix_to_system_time(time: u64) -> SystemTime {
+    UNIX_EPOCH + Duration::from_secs(time)
+}
+
+/// Format UNIX time to HTTP date
+pub fn unix_to_http_date(time: u64) -> String {
+    httpdate::fmt_http_date(unix_to_system_time(time))
+}
+
+/// Get build time in UNIX format
+pub fn build_time() -> u64 {
+    let build_time = build_time::build_time_local!();
+    let date =
+        chrono::DateTime::parse_from_rfc3339(build_time).expect("Failed to parse compile date");
+    date.timestamp() as u64
+}
+
 #[cfg(test)]
 mod test {
-    use crate::utils::time::{fmt_time, time};
+    use crate::utils::time_utils::{fmt_time, time};
 
     #[test]
     fn test_time() {