livery_auth_session (livery v0.2.0)

Signed session-cookie middleware.

Reads a cookie, verifies its HMAC-SHA256 signature against a shared secret, decodes the JSON payload, and stores it on the request as meta(session, Data) (read it back with livery_ext:session/1). The cookie is stateless: the signed payload travels with the client, so no server-side session store is needed.

State:

{livery_auth_session, #{
    secret   => <<"a long random secret">>,  %% required
    name     => <<"session">>,                %% cookie name, default
    meta_key => session,                      %% meta key, default
    required => false                         %% default false
}}

A missing cookie is allowed through when required => false (the default); the handler sees no session meta. A present but tampered or expired cookie is always rejected with 401.

Issue and clear cookies from a handler with sign/2 plus set_cookie_header/2 and clear_cookie_header/1:

login(Req) ->
    Value = livery_auth_session:sign(#{<<"uid">> => 42},
                                     #{secret => Secret, max_age => 3600}),
    Hdr = livery_auth_session:set_cookie_header(Value,
                                                #{max_age => 3600}),
    R = livery_resp:redirect(303, <<"/">>),
    livery_resp:with_header(element(1, Hdr), element(2, Hdr), R).

Summary

Types

error_reason()

Functions

call(Req, Next, State)

clear_cookie_header(Opts)

Build a Set-Cookie header that expires the session cookie.

set_cookie_header(Value, Opts)

Build a Set-Cookie header carrying a signed value.

sign(Data, Opts)

Sign a session payload into a cookie value.

verify(Cookie, Opts)

Verify a cookie value and return its payload map.