Merge pull request #120 from jetzig-framework/anti-csrf

Closes #108: Anti-CSRF middleware

.github/workflows/CI.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Run App Tests
         run: |
           cd demo
-          zig build jetzig:test
+          zig build -Denvironment=testing jetzig:test
 
       - name: Build artifacts
         if: ${{ matrix.os == 'ubuntu-latest' }}

build.zig

@@ -109,6 +109,7 @@ pub fn build(b: *std.Build) !void {
     main_tests.root_module.addImport("smtp", smtp_client_dep.module("smtp_client"));
     const test_build_options = b.addOptions();
     test_build_options.addOption(Environment, "environment", .testing);
+    test_build_options.addOption(bool, "build_static", true);
     const run_main_tests = b.addRunArtifact(main_tests);
     main_tests.root_module.addOptions("build_options", test_build_options);
 
@@ -137,6 +138,11 @@ pub fn jetzigInit(b: *std.Build, exe: *std.Build.Step.Compile, options: JetzigIn
         "environment",
         "Jetzig server environment.",
     ) orelse .development;
+    const build_static = b.option(
+        bool,
+        "build_static",
+        "Pre-render static routes. [default: false in development, true in testing/production]",
+    ) orelse (environment != .development);
 
     const jetzig_dep = b.dependency(
         "jetzig",
@@ -164,6 +170,7 @@ pub fn jetzigInit(b: *std.Build, exe: *std.Build.Step.Compile, options: JetzigIn
 
     const build_options = b.addOptions();
     build_options.addOption(Environment, "environment", environment);
+    build_options.addOption(bool, "build_static", build_static);
     jetzig_module.addOptions("build_options", build_options);
 
     exe.root_module.addImport("jetzig", jetzig_module);
@@ -253,15 +260,23 @@ pub fn jetzigInit(b: *std.Build, exe: *std.Build.Step.Compile, options: JetzigIn
     exe_static_routes.root_module.addImport("zmpl", zmpl_module);
 
     const markdown_fragments_write_files = b.addWriteFiles();
-    const path = markdown_fragments_write_files.add("markdown_fragments.zig", try generateMarkdownFragments(b));
+    const path = markdown_fragments_write_files.add(
+        "markdown_fragments.zig",
+        try generateMarkdownFragments(b),
+    );
     const markdown_fragments_module = b.createModule(.{ .root_source_file = path });
     exe_static_routes.root_module.addImport("markdown_fragments", markdown_fragments_module);
 
     const run_static_routes_cmd = b.addRunArtifact(exe_static_routes);
     const static_outputs_path = run_static_routes_cmd.addOutputFileArg("static.zig");
-    const static_module = b.createModule(.{ .root_source_file = static_outputs_path });
+    const static_module = if (build_static)
-    exe.root_module.addImport("static", static_module);
+        b.createModule(.{ .root_source_file = static_outputs_path })
+    else
+        b.createModule(.{
+            .root_source_file = jetzig_dep.builder.path("src/jetzig/development_static.zig"),
+        });
 
+    exe.root_module.addImport("static", static_module);
     run_static_routes_cmd.expectExitCode(0);
 
     const run_tests_file_cmd = b.addRunArtifact(exe_routes_file);

build.zig.zon

@@ -7,8 +7,8 @@
             .hash = "1220d0e8734628fd910a73146e804d10a3269e3e7d065de6bb0e3e88d5ba234eb163",
         },
         .zmpl = .{
-            .url = "https://github.com/jetzig-framework/zmpl/archive/25b91d030b992631d319adde1cf01baecd9f3934.tar.gz",
+            .url = "https://github.com/jetzig-framework/zmpl/archive/af75c8b842c3957eb97b4fc4bc49c7b2243968fa.tar.gz",
-            .hash = "12208dd5a4bf0c6c7efc4e9f37a5d8ed80d6004d5680176d1fc2114bfa593e927baf",
+            .hash = "1220ecac93d295dafd2f034a86f0979f6108d40e5ea1a39e3a2b9977c35147cac684",
         },
         .jetkv = .{
             .url = "https://github.com/jetzig-framework/jetkv/archive/2b1130a48979ea2871c8cf6ca89c38b1e7062839.tar.gz",

demo/src/app/views/anti_csrf.zig

@@ -0,0 +1,77 @@
+const std = @import("std");
+const jetzig = @import("jetzig");
+
+pub const layout = "application";
+
+pub const actions = .{
+    .before = .{jetzig.middleware.AntiCsrfMiddleware},
+};
+
+pub fn post(request: *jetzig.Request) !jetzig.View {
+    var root = try request.data(.object);
+
+    const Params = struct { spam: []const u8 };
+    const params = try request.expectParams(Params) orelse {
+        return request.fail(.unprocessable_entity);
+    };
+
+    try root.put("spam", params.spam);
+
+    return request.render(.created);
+}
+
+pub fn index(request: *jetzig.Request) !jetzig.View {
+    return request.render(.ok);
+}
+
+test "post with missing token" {
+    var app = try jetzig.testing.app(std.testing.allocator, @import("routes"));
+    defer app.deinit();
+
+    const response = try app.request(.POST, "/anti_csrf", .{});
+    try response.expectStatus(.forbidden);
+}
+
+test "post with invalid token" {
+    var app = try jetzig.testing.app(std.testing.allocator, @import("routes"));
+    defer app.deinit();
+
+    const response = try app.request(.POST, "/anti_csrf", .{});
+    try response.expectStatus(.forbidden);
+}
+
+test "post with valid token but missing expected params" {
+    var app = try jetzig.testing.app(std.testing.allocator, @import("routes"));
+    defer app.deinit();
+
+    _ = try app.request(.GET, "/anti_csrf", .{});
+    const token = app.session.getT(.string, jetzig.authenticity_token_name).?;
+    const response = try app.request(
+        .POST,
+        "/anti_csrf",
+        .{ .params = .{ ._jetzig_authenticity_token = token } },
+    );
+    try response.expectStatus(.unprocessable_entity);
+}
+
+test "post with valid token and expected params" {
+    var app = try jetzig.testing.app(std.testing.allocator, @import("routes"));
+    defer app.deinit();
+
+    _ = try app.request(.GET, "/anti_csrf", .{});
+    const token = app.session.getT(.string, jetzig.authenticity_token_name).?;
+    const response = try app.request(
+        .POST,
+        "/anti_csrf",
+        .{ .params = .{ ._jetzig_authenticity_token = token, .spam = "Spam" } },
+    );
+    try response.expectStatus(.created);
+}
+
+test "index" {
+    var app = try jetzig.testing.app(std.testing.allocator, @import("routes"));
+    defer app.deinit();
+
+    const response = try app.request(.GET, "/anti_csrf", .{});
+    try response.expectStatus(.ok);
+}

demo/src/app/views/anti_csrf/index.zmpl

@@ -0,0 +1,8 @@
+<form action="/anti_csrf" method="POST">
+    {{context.authenticityFormElement()}}
+
+    <label>Enter spam here:</label>
+    <input type="text" name="spam" />
+
+    <input type="submit" value="Submit Spam" />
+</form>

demo/src/app/views/anti_csrf/post.zmpl

@@ -0,0 +1,5 @@
+<h1>Spam Submitted Successfully</h1>
+
+<h2>Spam:</h2>
+
+<div>{{$.spam}}</div>

demo/src/main.zig

@@ -12,6 +12,8 @@ pub const jetzig_options = struct {
     /// Middleware chain. Add any custom middleware here, or use middleware provided in
     /// `jetzig.middleware` (e.g. `jetzig.middleware.HtmxMiddleware`).
     pub const middleware: []const type = &.{
+        // jetzig.middleware.AuthMiddleware,
+        // jetzig.middleware.AntiCsrfMiddleware,
         // jetzig.middleware.HtmxMiddleware,
         // jetzig.middleware.CompressionMiddleware,
         // @import("app/middleware/DemoMiddleware.zig"),
@@ -79,13 +81,16 @@ pub const jetzig_options = struct {
     pub const Schema = @import("Schema");
 
     /// HTTP cookie configuration
-    pub const cookies: jetzig.http.Cookies.CookieOptions = .{
+    pub const cookies: jetzig.http.Cookies.CookieOptions = switch (jetzig.environment) {
-        .domain = switch (jetzig.environment) {
+        .development, .testing => .{
-            .development => "localhost",
+            .domain = "localhost",
-            .testing => "localhost",
-            .production => "www.example.com",
-        },
             .path = "/",
+        },
+        .production => .{
+            .same_site = true,
+            .secure = true,
+            .http_only = true,
+        },
     };
 
     /// Key-value store options. Set backend to `.file` to use a file-based store.

src/Routes.zig

@@ -280,6 +280,8 @@ fn writeRoute(self: *Routes, writer: std.ArrayList(u8).Writer, route: Function)
         \\            .static = {4s},
         \\            .uri_path = "{5s}",
         \\            .template = "{6s}",
+        \\            .before_callbacks = jetzig.callbacks.beforeCallbacks(@import("{7s}")),
+        \\            .after_callbacks = jetzig.callbacks.afterCallbacks(@import("{7s}")),
         \\            .layout = if (@hasDecl(@import("{7s}"), "layout")) @import("{7s}").layout else null,
         \\            .json_params = &[_][]const u8 {{ {8s} }},
         \\            .formats = if (@hasDecl(@import("{7s}"), "formats")) @import("{7s}").formats else null,
@@ -389,7 +391,7 @@ fn generateRoutesForView(self: *Routes, dir: std.fs.Dir, path: []const u8) !Rout
 
                     for (capture.args, 0..) |arg, arg_index| {
                         if (std.mem.eql(u8, try arg.typeBasename(), "StaticRequest")) {
-                            capture.static = true;
+                            capture.static = jetzig.build_options.build_static;
                             capture.legacy = arg_index + 1 < capture.args.len;
                             try static_routes.append(capture.*);
                         } else if (std.mem.eql(u8, try arg.typeBasename(), "Request")) {

src/commands/routes.zig

@@ -13,7 +13,7 @@ pub fn main() !void {
 
     log("Jetzig Routes:", .{});
 
-    const environment = jetzig.Environment.init(allocator, .{ .silent = true });
+    const environment = try jetzig.Environment.init(allocator, .{ .silent = true });
     const initHook: ?*const fn (*jetzig.App) anyerror!void = if (@hasDecl(app, "init")) app.init else null;
 
     inline for (routes.routes) |route| max_uri_path_len = @max(route.uri_path.len + 5, max_uri_path_len);
@@ -44,7 +44,7 @@ pub fn main() !void {
     }
 
     var jetzig_app = jetzig.App{
-        .environment = environment,
+        .env = environment,
         .allocator = allocator,
         .custom_routes = std.ArrayList(jetzig.views.Route).init(allocator),
         .initHook = initHook,

src/compile_static_routes.zig

@@ -147,7 +147,7 @@ fn renderMarkdown(
 
         if (zmpl.findPrefixed("views", prefixed_name)) |layout| {
             view.data.content = .{ .data = content };
-            return try layout.render(view.data);
+            return try layout.render(view.data, jetzig.TemplateContext, .{}, .{});
         } else {
             std.debug.print("Unknown layout: {s}\n", .{layout_name});
             return content;
@@ -170,13 +170,18 @@ fn renderZmplTemplate(
             defer allocator.free(prefixed_name);
 
             if (zmpl.findPrefixed("views", prefixed_name)) |layout| {
-                return try template.renderWithOptions(view.data, .{ .layout = layout });
+                return try template.render(
+                    view.data,
+                    jetzig.TemplateContext,
+                    .{},
+                    .{ .layout = layout },
+                );
             } else {
                 std.debug.print("Unknown layout: {s}\n", .{layout_name});
                 return try allocator.dupe(u8, "");
             }
         } else {
-            return try template.render(view.data);
+            return try template.render(view.data, jetzig.TemplateContext, .{}, .{});
         }
     } else return null;
 }

src/jetzig.zig

@@ -22,11 +22,15 @@ pub const database = @import("jetzig/database.zig");
 pub const testing = @import("jetzig/testing.zig");
 pub const config = @import("jetzig/config.zig");
 pub const auth = @import("jetzig/auth.zig");
+pub const callbacks = @import("jetzig/callbacks.zig");
+pub const TemplateContext = @import("jetzig/TemplateContext.zig");
 
 pub const DateTime = jetcommon.types.DateTime;
 pub const Time = jetcommon.types.Time;
 pub const Date = jetcommon.types.Date;
 
+pub const authenticity_token_name = config.get([]const u8, "authenticity_token_name");
+
 pub const build_options = @import("build_options");
 pub const environment = std.enums.nameCast(Environment.EnvironmentName, build_options.environment);
 
@@ -46,6 +50,9 @@ pub const Request = http.Request;
 /// requests.
 pub const StaticRequest = http.StaticRequest;
 
+/// An HTTP response generated during request processing.
+pub const Response = http.Response;
+
 /// Generic, JSON-compatible data type. Provides `Value` which in turn provides `Object`,
 /// `Array`, `String`, `Integer`, `Float`, `Boolean`, and `NullType`.
 pub const Data = data.Data;
@@ -78,7 +85,8 @@ pub const Logger = loggers.Logger;
 
 pub const root = @import("root");
 pub const Global = if (@hasDecl(root, "Global")) root.Global else DefaultGlobal;
-pub const DefaultGlobal = struct { __jetzig_default: bool };
+pub const DefaultGlobal = struct { comptime __jetzig_default: bool = true };
+pub const default_global = DefaultGlobal{};
 
 pub const initHook: ?*const fn (*App) anyerror!void = if (@hasDecl(root, "init")) root.init else null;
 

src/jetzig/App.zig

@@ -17,8 +17,8 @@ pub fn deinit(self: *const App) void {
     @constCast(self).custom_routes.deinit();
 }
 
-// Not used yet, but allows us to add new options to `start()` without breaking
+/// Specify a global value accessible as `request.server.global`.
-// backward-compatibility.
+/// Must specify type by defining `pub const Global` in your app's `src/main.zig`.
 const AppOptions = struct {
     global: *anyopaque = undefined,
 };
@@ -228,6 +228,8 @@ pub fn createRoutes(
             .template = const_route.template,
             .json_params = const_route.json_params,
             .formats = const_route.formats,
+            .before_callbacks = const_route.before_callbacks,
+            .after_callbacks = const_route.after_callbacks,
         };
 
         try var_route.initParams(allocator);

src/jetzig/TemplateContext.zig

@@ -0,0 +1,25 @@
+const std = @import("std");
+
+pub const http = @import("http.zig");
+pub const config = @import("config.zig");
+
+/// Context available in every Zmpl template as `context`.
+pub const TemplateContext = @This();
+
+request: ?*http.Request = null,
+
+pub fn authenticityToken(self: TemplateContext) !?[]const u8 {
+    return if (self.request) |request|
+        try request.authenticityToken()
+    else
+        null;
+}
+
+pub fn authenticityFormElement(self: TemplateContext) !?[]const u8 {
+    return if (self.request) |request| blk: {
+        const token = try request.authenticityToken();
+        break :blk try std.fmt.allocPrint(request.allocator,
+            \\<input type="hidden" name="{s}" value="{s}" />
+        , .{ config.get([]const u8, "authenticity_token_name"), token });
+    } else null;
+}

src/jetzig/callbacks.zig

@@ -0,0 +1,112 @@
+const std = @import("std");
+
+const jetzig = @import("../jetzig.zig");
+
+pub const BeforeCallback = *const fn (
+    *jetzig.http.Request,
+    jetzig.views.Route,
+) anyerror!void;
+
+pub const AfterCallback = *const fn (
+    *jetzig.http.Request,
+    *jetzig.http.Response,
+    jetzig.views.Route,
+) anyerror!void;
+
+pub const Context = enum { before, after };
+
+pub fn beforeCallbacks(view: type) []const BeforeCallback {
+    comptime {
+        return buildCallbacks(.before, view);
+    }
+}
+
+pub fn afterCallbacks(view: type) []const AfterCallback {
+    comptime {
+        return buildCallbacks(.after, view);
+    }
+}
+
+fn buildCallbacks(comptime context: Context, view: type) switch (context) {
+    .before => []const BeforeCallback,
+    .after => []const AfterCallback,
+} {
+    comptime {
+        if (!@hasDecl(view, "actions")) return &.{};
+        if (!@hasField(@TypeOf(view.actions), @tagName(context))) return &.{};
+
+        var size: usize = 0;
+        for (@field(view.actions, @tagName(context))) |module| {
+            if (isCallback(context, module)) {
+                size += 1;
+            } else {
+                @compileError(std.fmt.comptimePrint(
+                    "`{0s}` callbacks must be either a function `{1s}` or a type that defines " ++
+                        "`pub const {0s}Render`. Found: `{2s}`",
+                    .{
+                        @tagName(context),
+                        switch (context) {
+                            .before => @typeName(BeforeCallback),
+                            .after => @typeName(AfterCallback),
+                        },
+                        if (@TypeOf(module) == type)
+                            @typeName(module)
+                        else
+                            @typeName(@TypeOf(&module)),
+                    },
+                ));
+            }
+        }
+
+        var callbacks: [size]switch (context) {
+            .before => BeforeCallback,
+            .after => AfterCallback,
+        } = undefined;
+        var index: usize = 0;
+        for (@field(view.actions, @tagName(context))) |module| {
+            if (!isCallback(context, module)) continue;
+
+            callbacks[index] = if (@TypeOf(module) == type)
+                @field(module, @tagName(context) ++ "Render")
+            else
+                &module;
+
+            index += 1;
+        }
+
+        const final = callbacks;
+        return &final;
+    }
+}
+
+fn isCallback(comptime context: Context, comptime module: anytype) bool {
+    comptime {
+        if (@typeInfo(@TypeOf(module)) == .@"fn") {
+            const expected = switch (context) {
+                .before => BeforeCallback,
+                .after => AfterCallback,
+            };
+
+            const info = @typeInfo(@TypeOf(module)).@"fn";
+
+            const actual_params = info.params;
+            const expected_params = @typeInfo(@typeInfo(expected).pointer.child).@"fn".params;
+
+            if (actual_params.len != expected_params.len) return false;
+
+            for (actual_params, expected_params) |actual_param, expected_param| {
+                if (actual_param.type != expected_param.type) return false;
+            }
+
+            if (@typeInfo(info.return_type.?) != .error_union) return false;
+            if (@typeInfo(info.return_type.?).error_union.payload != void) return false;
+
+            return true;
+        }
+
+        return if (@TypeOf(module) == type and @hasDecl(module, @tagName(context) ++ "Render"))
+            true
+        else
+            false;
+    }
+}

src/jetzig/config.zig

@@ -17,6 +17,9 @@ pub const jobs = @import("jobs.zig");
 pub const mail = @import("mail.zig");
 pub const kv = @import("kv.zig");
 pub const db = @import("database.zig");
+pub const Environment = @import("Environment.zig");
+pub const environment = std.enums.nameCast(Environment.EnvironmentName, build_options.environment);
+pub const build_options = @import("build_options");
 
 const root = @import("root");
 
@@ -149,11 +152,26 @@ pub const smtp: mail.SMTPConfig = .{
 };
 
 /// HTTP cookie configuration
-pub const cookies: http.Cookies.CookieOptions = .{
+pub const cookies: http.Cookies.CookieOptions = switch (environment) {
+    .development, .testing => .{
         .domain = "localhost",
         .path = "/",
+    },
+    .production => .{
+        .secure = true,
+        .http_only = true,
+        .same_site = true,
+        .path = "/",
+    },
 };
 
+/// Override the default anti-CSRF authenticity token name that is stored in the encrypted
+/// session. This value is also used by `context.authenticityFormElement()` to render an HTML
+/// element: the element's `name` attribute is set to this value.
+pub const authenticity_token_name: []const u8 = "_jetzig_authenticity_token";
+
+/// When using `AuthMiddleware`, set this value to override the default JetQuery model name that
+/// maps the users table.
 pub const auth: @import("auth.zig").AuthOptions = .{
     .user_model = "User",
 };

src/jetzig/development_static.zig

@@ -0,0 +1,12 @@
+pub const compiled = [_]Compiled{};
+
+const StaticOutput = struct {
+    json: ?[]const u8 = null,
+    html: ?[]const u8 = null,
+    params: ?[]const u8,
+};
+
+const Compiled = struct {
+    route_id: []const u8,
+    output: StaticOutput,
+};

src/jetzig/http.zig

@@ -1,9 +1,14 @@
 const std = @import("std");
 const builtin = @import("builtin");
 
+pub const build_options = @import("build_options");
+
 pub const Server = @import("http/Server.zig");
 pub const Request = @import("http/Request.zig");
-pub const StaticRequest = @import("http/StaticRequest.zig");
+pub const StaticRequest = if (build_options.environment == .development)
+    Request
+else
+    @import("http/StaticRequest.zig");
 pub const Response = @import("http/Response.zig");
 pub const Session = @import("http/Session.zig");
 pub const Cookies = @import("http/Cookies.zig");

src/jetzig/http/Cookies.zig

@@ -8,18 +8,18 @@ cookies: std.StringArrayHashMap(*Cookie),
 modified: bool = false,
 arena: std.heap.ArenaAllocator,
 
-const Self = @This();
+const Cookies = @This();
 
 const SameSite = enum { strict, lax, none };
 pub const CookieOptions = struct {
-    domain: []const u8 = "localhost",
+    domain: ?[]const u8 = "localhost",
     path: []const u8 = "/",
-    same_site: ?SameSite = null,
     secure: bool = false,
-    expires: ?i64 = null, // if used, set to time in seconds to be added to std.time.timestamp()
     http_only: bool = false,
-    max_age: ?i64 = null,
     partitioned: bool = false,
+    same_site: ?SameSite = null,
+    expires: ?i64 = null, // if used, set to time in seconds to be added to std.time.timestamp()
+    max_age: ?i64 = null,
 };
 
 const cookie_options = jetzig.config.get(CookieOptions, "cookies");
@@ -27,43 +27,50 @@ const cookie_options = jetzig.config.get(CookieOptions, "cookies");
 pub const Cookie = struct {
     name: []const u8,
     value: []const u8,
-    domain: ?[]const u8 = null,
+    secure: bool = cookie_options.secure,
-    path: ?[]const u8 = null,
+    http_only: bool = cookie_options.http_only,
-    same_site: ?SameSite = null,
+    partitioned: bool = cookie_options.partitioned,
-    secure: ?bool = null,
+    domain: ?[]const u8 = cookie_options.domain,
-    expires: ?i64 = null, // if used, set to time in seconds to be added to std.time.timestamp()
+    path: ?[]const u8 = cookie_options.path,
-    http_only: ?bool = null,
+    same_site: ?SameSite = cookie_options.same_site,
-    max_age: ?i64 = null,
+    // if used, set to time in seconds to be added to std.time.timestamp()
-    partitioned: ?bool = null,
+    expires: ?i64 = cookie_options.expires,
+    max_age: ?i64 = cookie_options.max_age,
 
     /// Build a cookie string.
     pub fn bufPrint(self: Cookie, buf: *[4096]u8) ![]const u8 {
-        var options = cookie_options;
-        inline for (std.meta.fields(CookieOptions)) |field| {
-            @field(options, field.name) = @field(self, field.name) orelse @field(cookie_options, field.name);
-        }
-
-        // secure is required if samesite is set to none
-        const require_secure = if (options.same_site) |same_site| same_site == .none else false;
-
         var stream = std.io.fixedBufferStream(buf);
         const writer = stream.writer();
+        try writer.print("{}", .{self});
+        return stream.getWritten();
+    }
 
-        try writer.print("{s}={s}; path={s}; domain={s};", .{
+    /// Build a cookie string.
+    pub fn format(self: Cookie, _: anytype, _: anytype, writer: anytype) !void {
+        // secure is required if samesite is set to none
+        const require_secure = if (self.same_site) |same_site| same_site == .none else false;
+
+        try writer.print("{s}={s}; path={s};", .{
             self.name,
             self.value,
-            options.path,
+            self.path orelse "/",
-            options.domain,
         });
 
-        if (options.same_site) |same_site| try writer.print(" SameSite={s};", .{@tagName(same_site)});
+        if (self.domain) |domain| try writer.print(" domain={s};", .{domain});
-        if (options.secure or require_secure) try writer.writeAll(" Secure;");
+        if (self.same_site) |same_site| try writer.print(
-        if (options.expires) |expires| try writer.print(" Expires={d};", .{std.time.timestamp() + expires});
+            " SameSite={s};",
-        if (options.max_age) |max_age| try writer.print(" Max-Age={d};", .{max_age});
+            .{@tagName(same_site)},
-        if (options.http_only) try writer.writeAll(" HttpOnly;");
+        );
-        if (options.partitioned) try writer.writeAll(" Partitioned;");
+        if (self.secure or require_secure) try writer.writeAll(" Secure;");
-
+        if (self.expires) |expires| {
-        return stream.getWritten();
+            const seconds = std.time.timestamp() + expires;
+            const timestamp = try jetzig.jetcommon.DateTime.fromUnix(seconds, .seconds);
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate
+            try timestamp.strftime(writer, " Expires=%a, %d %h %Y %H:%M:%S GMT;");
+        }
+        if (self.max_age) |max_age| try writer.print(" Max-Age={d};", .{max_age});
+        if (self.http_only) try writer.writeAll(" HttpOnly;");
+        if (self.partitioned) try writer.writeAll(" Partitioned;");
     }
 
     pub fn applyFlag(self: *Cookie, allocator: std.mem.Allocator, flag: Flag) !void {
@@ -80,7 +87,7 @@ pub const Cookie = struct {
     }
 };
 
-pub fn init(allocator: std.mem.Allocator, cookie_string: []const u8) Self {
+pub fn init(allocator: std.mem.Allocator, cookie_string: []const u8) Cookies {
     return .{
         .allocator = allocator,
         .cookie_string = cookie_string,
@@ -89,7 +96,7 @@ pub fn init(allocator: std.mem.Allocator, cookie_string: []const u8) Self {
     };
 }
 
-pub fn deinit(self: *Self) void {
+pub fn deinit(self: *Cookies) void {
     var it = self.cookies.iterator();
     while (it.next()) |item| {
         self.allocator.free(item.key_ptr.*);
@@ -100,11 +107,11 @@ pub fn deinit(self: *Self) void {
     self.arena.deinit();
 }
 
-pub fn get(self: *Self, key: []const u8) ?*Cookie {
+pub fn get(self: *Cookies, key: []const u8) ?*Cookie {
     return self.cookies.get(key);
 }
 
-pub fn put(self: *Self, cookie: Cookie) !void {
+pub fn put(self: *Cookies, cookie: Cookie) !void {
     self.modified = true;
 
     if (self.cookies.fetchSwapRemove(cookie.name)) |entry| {
@@ -125,8 +132,12 @@ pub const HeaderIterator = struct {
     cookies_iterator: std.StringArrayHashMap(*Cookie).Iterator,
     buf: *[4096]u8,
 
-    pub fn init(allocator: std.mem.Allocator, cookies: *Self, buf: *[4096]u8) HeaderIterator {
+    pub fn init(allocator: std.mem.Allocator, cookies: *Cookies, buf: *[4096]u8) HeaderIterator {
-        return .{ .allocator = allocator, .cookies_iterator = cookies.cookies.iterator(), .buf = buf };
+        return .{
+            .allocator = allocator,
+            .cookies_iterator = cookies.cookies.iterator(),
+            .buf = buf,
+        };
     }
 
     pub fn next(self: *HeaderIterator) !?[]const u8 {
@@ -139,14 +150,14 @@ pub const HeaderIterator = struct {
     }
 };
 
-pub fn headerIterator(self: *Self, buf: *[4096]u8) HeaderIterator {
+pub fn headerIterator(self: *Cookies, buf: *[4096]u8) HeaderIterator {
     return HeaderIterator.init(self.allocator, self, buf);
 }
 
 // https://datatracker.ietf.org/doc/html/rfc6265#section-4.2.1
 // cookie-header = "Cookie:" OWS cookie-string OWS
 // cookie-string = cookie-pair *( ";" SP cookie-pair )
-pub fn parse(self: *Self) !void {
+pub fn parse(self: *Cookies) !void {
     var key_buf = std.ArrayList(u8).init(self.allocator);
     var value_buf = std.ArrayList(u8).init(self.allocator);
     var key_terminated = false;
@@ -202,6 +213,13 @@ pub fn parse(self: *Self) !void {
     for (cookie_buf.items) |cookie| try self.put(cookie);
 }
 
+pub fn format(self: Cookies, _: anytype, _: anytype, writer: anytype) !void {
+    var it = self.cookies.iterator();
+    while (it.next()) |entry| {
+        try writer.print("{}; ", .{entry.value_ptr.*});
+    }
+}
+
 const Flag = union(enum) {
     domain: []const u8,
     path: []const u8,
@@ -250,7 +268,7 @@ fn parseFlag(key: []const u8, value: []const u8) ?Flag {
 
 test "basic cookie string" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux;");
     defer cookies.deinit();
     try cookies.parse();
     try std.testing.expectEqualStrings("bar", cookies.get("foo").?.value);
@@ -259,14 +277,14 @@ test "basic cookie string" {
 
 test "empty cookie string" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "");
+    var cookies = Cookies.init(allocator, "");
     defer cookies.deinit();
     try cookies.parse();
 }
 
 test "cookie string with irregular spaces" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=   bar;     baz=        qux;");
+    var cookies = Cookies.init(allocator, "foo=   bar;     baz=        qux;");
     defer cookies.deinit();
     try cookies.parse();
     try std.testing.expectEqualStrings("bar", cookies.get("foo").?.value);
@@ -280,7 +298,7 @@ test "headerIterator" {
 
     const writer = buf.writer();
 
-    var cookies = Self.init(allocator, "foo=bar; baz=qux;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux;");
     defer cookies.deinit();
     try cookies.parse();
 
@@ -300,7 +318,7 @@ test "headerIterator" {
 
 test "modified" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -312,7 +330,7 @@ test "modified" {
 
 test "domain=example.com" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Domain=example.com;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Domain=example.com;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -322,7 +340,7 @@ test "domain=example.com" {
 
 test "path=/example_path" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Path=/example_path;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Path=/example_path;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -332,7 +350,7 @@ test "path=/example_path" {
 
 test "SameSite=lax" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; SameSite=lax;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; SameSite=lax;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -342,7 +360,7 @@ test "SameSite=lax" {
 
 test "SameSite=none" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; SameSite=none;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; SameSite=none;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -352,7 +370,7 @@ test "SameSite=none" {
 
 test "SameSite=strict" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; SameSite=strict;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; SameSite=strict;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -362,27 +380,27 @@ test "SameSite=strict" {
 
 test "Secure" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Secure;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Secure;");
     defer cookies.deinit();
 
     try cookies.parse();
     const cookie = cookies.get("foo").?;
-    try std.testing.expect(cookie.secure.?);
+    try std.testing.expect(cookie.secure);
 }
 
 test "Partitioned" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Partitioned;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Partitioned;");
     defer cookies.deinit();
 
     try cookies.parse();
     const cookie = cookies.get("foo").?;
-    try std.testing.expect(cookie.partitioned.?);
+    try std.testing.expect(cookie.partitioned);
 }
 
 test "Max-Age" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Max-Age=123123123;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Max-Age=123123123;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -392,7 +410,7 @@ test "Max-Age" {
 
 test "Expires" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux; Expires=123123123;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux; Expires=123123123;");
     defer cookies.deinit();
 
     try cookies.parse();
@@ -402,17 +420,17 @@ test "Expires" {
 
 test "default flags" {
     const allocator = std.testing.allocator;
-    var cookies = Self.init(allocator, "foo=bar; baz=qux;");
+    var cookies = Cookies.init(allocator, "foo=bar; baz=qux;");
     defer cookies.deinit();
 
     try cookies.parse();
     const cookie = cookies.get("foo").?;
-    try std.testing.expect(cookie.domain == null);
+    try std.testing.expect(cookie.secure == false);
-    try std.testing.expect(cookie.path == null);
+    try std.testing.expect(cookie.partitioned == false);
+    try std.testing.expect(cookie.http_only == false);
     try std.testing.expect(cookie.same_site == null);
-    try std.testing.expect(cookie.secure == null);
+    try std.testing.expectEqualStrings(cookie.domain.?, "localhost");
+    try std.testing.expectEqualStrings(cookie.path.?, "/");
     try std.testing.expect(cookie.expires == null);
-    try std.testing.expect(cookie.http_only == null);
     try std.testing.expect(cookie.max_age == null);
-    try std.testing.expect(cookie.partitioned == null);
 }

src/jetzig/http/Headers.zig

@@ -46,10 +46,9 @@ pub fn getAll(self: Headers, name: []const u8) []const []const u8 {
     var headers = std.ArrayList([]const u8).init(self.allocator);
 
     for (self.httpz_headers.keys, 0..) |key, index| {
-        var buf: [max_bytes_header_name]u8 = undefined;
+        if (std.ascii.eqlIgnoreCase(name, key)) {
-        const lower = std.ascii.lowerString(&buf, name);
+            headers.append(self.httpz_headers.values[index]) catch @panic("OOM");
-
+        }
-        if (std.mem.eql(u8, lower, key)) headers.append(self.httpz_headers.values[index]) catch @panic("OOM");
     }
     return headers.toOwnedSlice() catch @panic("OOM");
 }

src/jetzig/http/Request.zig

@@ -10,6 +10,7 @@ const default_content_type = "text/html";
 pub const Method = enum { DELETE, GET, PATCH, POST, HEAD, PUT, CONNECT, OPTIONS, TRACE };
 pub const Modifier = enum { edit, new };
 pub const Format = enum { HTML, JSON, UNKNOWN };
+pub const Protocol = enum { http, https };
 
 allocator: std.mem.Allocator,
 path: jetzig.http.Path,
@@ -34,6 +35,8 @@ response_started: bool = false,
 dynamic_assigned_template: ?[]const u8 = null,
 layout: ?[]const u8 = null,
 layout_disabled: bool = false,
+// TODO: Squash rendered/redirected/failed into
+// `state: enum { initial, rendered, redirected, failed }`
 rendered: bool = false,
 redirected: bool = false,
 failed: bool = false,
@@ -249,7 +252,10 @@ pub fn middleware(
     unreachable;
 }
 
-const RedirectState = struct { location: []const u8, status_code: jetzig.http.status_codes.StatusCode };
+const RedirectState = struct {
+    location: []const u8,
+    status_code: jetzig.http.status_codes.StatusCode,
+};
 
 pub fn renderRedirect(self: *Request, state: RedirectState) !void {
     self.response_data.reset();
@@ -275,7 +281,12 @@ pub fn renderRedirect(self: *Request, state: RedirectState) !void {
         .HTML, .UNKNOWN => if (maybe_template) |template| blk: {
             try view.data.addConst("jetzig_view", view.data.string("internal"));
             try view.data.addConst("jetzig_action", view.data.string(@tagName(state.status_code)));
-            break :blk try template.render(self.response_data);
+            break :blk try template.render(
+                self.response_data,
+                jetzig.TemplateContext,
+                .{ .request = self },
+                .{},
+            );
         } else try std.fmt.allocPrint(self.allocator, "Redirecting to {s}", .{state.location}),
         .JSON => blk: {
             break :blk try std.json.stringifyAlloc(
@@ -486,6 +497,31 @@ pub fn session(self: *Request) !*jetzig.http.Session {
     return local_session;
 }
 
+/// Return the anti-CSRF token cookie value. If no cookie exist, create it.
+pub fn authenticityToken(self: *Request) ![]const u8 {
+    var local_session = try self.session();
+
+    return local_session.getT(.string, jetzig.authenticity_token_name) orelse blk: {
+        const token = try jetzig.util.generateSecret(self.allocator, 32);
+        try local_session.put(jetzig.authenticity_token_name, token);
+        break :blk local_session.getT(.string, jetzig.authenticity_token_name).?;
+    };
+}
+
+pub fn resourceId(self: *const Request) ![]const u8 {
+    return self.path.resource_id;
+}
+
+/// Return the protocol used to serve the current request by detecting the `X-Forwarded-Proto`
+/// header.
+pub fn protocol(self: *const Request) Protocol {
+    return if (self.headers.get("x-forwarded-proto")) |x_forwarded_proto|
+        if (std.ascii.eqlIgnoreCase(x_forwarded_proto, "https")) .https else .http
+    else
+        // TODO: Extend login when we support serving HTTPS directly.
+        .http;
+}
+
 /// Create a new Job. Receives a job name which must resolve to `src/app/jobs/<name>.zig`
 /// Call `Job.put(...)` to set job params.
 /// Call `Job.background()` to run the job outside of the request/response flow.

src/jetzig/http/Server.zig

@@ -14,7 +14,6 @@ custom_routes: []jetzig.views.Route,
 job_definitions: []const jetzig.JobDefinition,
 mailer_definitions: []const jetzig.MailerDefinition,
 mime_map: *jetzig.http.mime.MimeMap,
-std_net_server: std.net.Server = undefined,
 initialized: bool = false,
 store: *jetzig.kv.Store,
 job_queue: *jetzig.kv.Store,
@@ -57,7 +56,6 @@ pub fn init(
 }
 
 pub fn deinit(self: *Server) void {
-    if (self.initialized) self.std_net_server.deinit();
     self.allocator.free(self.env.secret);
     self.allocator.free(self.env.bind);
 }
@@ -187,21 +185,45 @@ fn renderResponse(self: *Server, request: *jetzig.http.Request) !void {
         } else unreachable; // In future a MiddlewareRoute might provide a render function etc.
     }
 
-    const route = self.matchCustomRoute(request) orelse try self.matchRoute(request, false);
+    const maybe_route = self.matchCustomRoute(request) orelse try self.matchRoute(request, false);
 
-    if (route) |capture| {
+    if (maybe_route) |route| {
-        if (!capture.validateFormat(request)) {
+        if (!route.validateFormat(request)) {
             return request.setResponse(try self.renderNotFound(request), .{});
         }
     }
 
-    switch (request.requestFormat()) {
+    if (maybe_route) |route| {
-        .HTML => try self.renderHTML(request, route),
+        for (route.before_callbacks) |callback| {
-        .JSON => try self.renderJSON(request, route),
+            try callback(request, route);
-        .UNKNOWN => try self.renderHTML(request, route),
+            if (request.rendered_view) |view| {
+                if (request.failed) {
+                    request.setResponse(try self.renderError(request, view.status_code), .{});
+                } else if (request.rendered) {
+                    // TODO: Allow callbacks to set content
+                }
+                return;
+            }
+            if (request.redirect_state) |state| {
+                try request.renderRedirect(state);
+                return;
+            }
+        }
     }
 
-    if (request.redirect_state) |state| return try request.renderRedirect(state);
+    switch (request.requestFormat()) {
+        .HTML => try self.renderHTML(request, maybe_route),
+        .JSON => try self.renderJSON(request, maybe_route),
+        .UNKNOWN => try self.renderHTML(request, maybe_route),
+    }
+
+    if (maybe_route) |route| {
+        for (route.after_callbacks) |callback| {
+            try callback(request, request.response, route);
+        }
+    }
+
+    if (request.redirect_state) |state| try request.renderRedirect(state);
 }
 
 fn renderStatic(resource: StaticResource, request: *jetzig.http.Request) !void {
@@ -355,6 +377,8 @@ fn renderTemplateWithLayout(
 ) ![]const u8 {
     try addTemplateConstants(view, route);
 
+    const template_context = jetzig.TemplateContext{ .request = request };
+
     if (request.getLayout(route)) |layout_name| {
         // TODO: Allow user to configure layouts directory other than src/app/views/layouts/
         const prefixed_name = try std.mem.concat(
@@ -365,23 +389,37 @@ fn renderTemplateWithLayout(
         defer self.allocator.free(prefixed_name);
 
         if (zmpl.findPrefixed("views", prefixed_name)) |layout| {
-            return try template.renderWithOptions(view.data, .{ .layout = layout });
+            return try template.render(
+                view.data,
+                jetzig.TemplateContext,
+                template_context,
+                .{ .layout = layout },
+            );
         } else {
             try self.logger.WARN("Unknown layout: {s}", .{layout_name});
-            return try template.render(view.data);
+            return try template.render(
+                view.data,
+                jetzig.TemplateContext,
+                template_context,
+                .{},
+            );
         }
-    } else return try template.render(view.data);
+    } else return try template.render(
+        view.data,
+        jetzig.TemplateContext,
+        template_context,
+        .{},
+    );
 }
 
 fn addTemplateConstants(view: jetzig.views.View, route: jetzig.views.Route) !void {
-    try view.data.addConst("jetzig_view", view.data.string(route.view_name));
-
     const action = switch (route.action) {
         .custom => route.name,
         else => |tag| @tagName(tag),
     };
 
     try view.data.addConst("jetzig_action", view.data.string(action));
+    try view.data.addConst("jetzig_view", view.data.string(route.view_name));
 }
 
 fn isBadRequest(err: anyerror) bool {
@@ -481,7 +519,15 @@ fn renderErrorView(
                     .HTML, .UNKNOWN => {
                         if (zmpl.findPrefixed("views", route.template)) |template| {
                             try addTemplateConstants(view, route.*);
-                            return .{ .view = view, .content = try template.render(request.response_data) };
+                            return .{
+                                .view = view,
+                                .content = try template.render(
+                                    request.response_data,
+                                    jetzig.TemplateContext,
+                                    .{ .request = request },
+                                    .{},
+                                ),
+                            };
                         }
                     },
                     .JSON => return .{ .view = view, .content = try request.response_data.toJson() },
@@ -573,19 +619,26 @@ fn matchMiddlewareRoute(request: *const jetzig.http.Request) ?jetzig.middleware.
 fn matchRoute(self: *Server, request: *jetzig.http.Request, static: bool) !?jetzig.views.Route {
     for (self.routes) |route| {
         // .index routes always take precedence.
-        if (route.static == static and route.action == .index and try request.match(route.*)) {
+        if (route.action == .index and try request.match(route.*)) {
-            return route.*;
+            if (!jetzig.build_options.build_static) return route.*;
+            if (route.static == static) return route.*;
         }
     }
 
     for (self.routes) |route| {
-        if (route.static == static and try request.match(route.*)) return route.*;
+        if (try request.match(route.*)) {
+            if (!jetzig.build_options.build_static) return route.*;
+            if (route.static == static) return route.*;
+        }
     }
 
     return null;
 }
 
-const StaticResource = struct { content: []const u8, mime_type: []const u8 = "application/octet-stream" };
+const StaticResource = struct {
+    content: []const u8,
+    mime_type: []const u8 = "application/octet-stream",
+};
 
 fn matchStaticResource(self: *Server, request: *jetzig.http.Request) !?StaticResource {
     // TODO: Map public and static routes at launch to avoid accessing the file system when
@@ -682,7 +735,7 @@ fn matchStaticContent(self: *Server, request: *jetzig.http.Request) !?[]const u8
 }
 
 pub fn decodeStaticParams(self: *Server) !void {
-    if (!@hasDecl(jetzig.root, "static")) return;
+    if (comptime !@hasDecl(jetzig.root, "static")) return;
 
     // Store decoded static params (i.e. declared in views) for faster comparison at request time.
     var decoded = std.ArrayList(*jetzig.data.Value).init(self.allocator);

src/jetzig/mail/Job.zig

@@ -134,7 +134,7 @@ fn defaultHtml(
     try data.addConst("jetzig_view", data.string(""));
     try data.addConst("jetzig_action", data.string(""));
     return if (jetzig.zmpl.findPrefixed("mailers", mailer.html_template)) |template|
-        try template.render(&data)
+        try template.render(&data, jetzig.TemplateContext, .{}, .{})
     else
         null;
 }
@@ -152,7 +152,7 @@ fn defaultText(
     try data.addConst("jetzig_view", data.string(""));
     try data.addConst("jetzig_action", data.string(""));
     return if (jetzig.zmpl.findPrefixed("mailers", mailer.text_template)) |template|
-        try template.render(&data)
+        try template.render(&data, jetzig.TemplateContext, .{}, .{})
     else
         null;
 }

src/jetzig/middleware.zig

@@ -4,6 +4,7 @@ const jetzig = @import("../jetzig.zig");
 pub const HtmxMiddleware = @import("middleware/HtmxMiddleware.zig");
 pub const CompressionMiddleware = @import("middleware/CompressionMiddleware.zig");
 pub const AuthMiddleware = @import("middleware/AuthMiddleware.zig");
+pub const AntiCsrfMiddleware = @import("middleware/AntiCsrfMiddleware.zig");
 
 const RouteOptions = struct {
     content: ?[]const u8 = null,

src/jetzig/middleware/AntiCsrfMiddleware.zig

@@ -0,0 +1,73 @@
+const std = @import("std");
+const jetzig = @import("../../jetzig.zig");
+
+pub const middleware_name = "anti_csrf";
+
+const TokenParams = @Type(.{
+    .@"struct" = .{
+        .layout = .auto,
+        .is_tuple = false,
+        .decls = &.{},
+        .fields = &.{.{
+            .name = jetzig.authenticity_token_name ++ "",
+            .type = []const u8,
+            .is_comptime = false,
+            .default_value = null,
+            .alignment = @alignOf([]const u8),
+        }},
+    },
+});
+
+pub fn afterRequest(request: *jetzig.http.Request) !void {
+    try verifyCsrfToken(request);
+}
+
+pub fn beforeRender(request: *jetzig.http.Request, route: jetzig.views.Route) !void {
+    _ = route;
+    try verifyCsrfToken(request);
+}
+
+fn logFailure(request: *jetzig.http.Request) !void {
+    _ = request.fail(.forbidden);
+    try request.server.logger.DEBUG("Anti-CSRF token validation failed. Request aborted.", .{});
+}
+
+fn verifyCsrfToken(request: *jetzig.http.Request) !void {
+    switch (request.method) {
+        .DELETE, .PATCH, .PUT, .POST => {},
+        else => return,
+    }
+
+    switch (request.requestFormat()) {
+        .HTML, .UNKNOWN => {},
+        // We do not authenticate JSON requests. Users must implement their own authentication
+        // system or disable JSON endpoints that should be protected.
+        .JSON => return,
+    }
+
+    const session = try request.session();
+
+    if (session.getT(.string, jetzig.authenticity_token_name)) |token| {
+        const params = try request.expectParams(TokenParams) orelse {
+            return logFailure(request);
+        };
+
+        if (token.len != 32 or @field(params, jetzig.authenticity_token_name).len != 32) {
+            return try logFailure(request);
+        }
+
+        var actual: [32]u8 = undefined;
+        var expected: [32]u8 = undefined;
+
+        @memcpy(&actual, token[0..32]);
+        @memcpy(&expected, @field(params, jetzig.authenticity_token_name)[0..32]);
+
+        const valid = std.crypto.timing_safe.eql([32]u8, expected, actual);
+
+        if (!valid) {
+            return try logFailure(request);
+        }
+    } else {
+        return try logFailure(request);
+    }
+}

src/jetzig/middleware/AuthMiddleware.zig

@@ -11,11 +11,11 @@ const user_model = jetzig.config.get(jetzig.auth.AuthOptions, "auth").user_model
 /// they can also be modified.
 user: ?@TypeOf(jetzig.database.Query(user_model).find(0)).ResultType,
 
-const Self = @This();
+const AuthMiddleware = @This();
 
 /// Initialize middleware.
-pub fn init(request: *jetzig.http.Request) !*Self {
+pub fn init(request: *jetzig.http.Request) !*AuthMiddleware {
-    const middleware = try request.allocator.create(Self);
+    const middleware = try request.allocator.create(AuthMiddleware);
     middleware.* = .{ .user = null };
     return middleware;
 }
@@ -31,8 +31,11 @@ const map = std.StaticStringMap(void).initComptime(.{
 ///
 /// User ID is accessible from a request:
 /// ```zig
-///
+/// if (request.middleware(.auth).user) |user| {
-pub fn afterRequest(self: *Self, request: *jetzig.http.Request) !void {
+///     try request.server.log(.DEBUG, "{}", .{user.id});
+/// }
+/// ```
+pub fn afterRequest(self: *AuthMiddleware, request: *jetzig.http.Request) !void {
     if (request.path.extension) |extension| {
         if (map.get(extension) == null) return;
     }
@@ -47,6 +50,6 @@ pub fn afterRequest(self: *Self, request: *jetzig.http.Request) !void {
 /// Invoked after `afterRequest` is called, use this function to do any clean-up.
 /// Note that `request.allocator` is an arena allocator, so any allocations are automatically
 /// done before the next request starts processing.
-pub fn deinit(self: *Self, request: *jetzig.http.Request) void {
+pub fn deinit(self: *AuthMiddleware, request: *jetzig.http.Request) void {
     request.allocator.destroy(self);
 }

src/jetzig/testing/App.zig

@@ -15,6 +15,8 @@ multipart_boundary: ?[]const u8 = null,
 logger: jetzig.loggers.Logger,
 server: Server,
 repo: *jetzig.database.Repo,
+cookies: *jetzig.http.Cookies,
+session: *jetzig.http.Session,
 
 const Server = struct { logger: jetzig.loggers.Logger };
 
@@ -47,6 +49,13 @@ pub fn init(allocator: std.mem.Allocator, routes_module: type) !App {
     const app = try alloc.create(App);
     const repo = try alloc.create(jetzig.database.Repo);
 
+    const cookies = try alloc.create(jetzig.http.Cookies);
+    cookies.* = jetzig.http.Cookies.init(alloc, "");
+    try cookies.parse();
+
+    const session = try alloc.create(jetzig.http.Session);
+    session.* = jetzig.http.Session.init(alloc, cookies, jetzig.testing.secret);
+
     app.* = App{
         .arena = arena,
         .allocator = allocator,
@@ -57,6 +66,8 @@ pub fn init(allocator: std.mem.Allocator, routes_module: type) !App {
         .logger = logger,
         .server = .{ .logger = logger },
         .repo = repo,
+        .cookies = cookies,
+        .session = session,
     };
 
     repo.* = try jetzig.database.repo(alloc, app.*);
@@ -149,30 +160,61 @@ pub fn request(
     try server.decodeStaticParams();
 
     var buf: [1024]u8 = undefined;
-    var httpz_request = try stubbedRequest(allocator, &buf, method, path, self.multipart_boundary, options);
+    var httpz_request = try stubbedRequest(
+        allocator,
+        &buf,
+        method,
+        path,
+        self.multipart_boundary,
+        options,
+        self.cookies,
+    );
     var httpz_response = try stubbedResponse(allocator);
+
     try server.processNextRequest(&httpz_request, &httpz_response);
-    var headers = std.ArrayList(jetzig.testing.TestResponse.Header).init(self.arena.allocator());
+
-    for (0..httpz_response.headers.len) |index| {
+    {
-        try headers.append(.{
+        const cookies = try allocator.create(jetzig.http.Cookies);
-            .name = try self.arena.allocator().dupe(u8, httpz_response.headers.keys[index]),
+        cookies.* = jetzig.http.Cookies.init(allocator, "");
-            .value = try self.arena.allocator().dupe(u8, httpz_response.headers.values[index]),
+        try cookies.parse();
-        });
+        self.cookies = cookies;
     }
+
+    var headers = std.ArrayList(jetzig.testing.TestResponse.Header).init(allocator);
+    for (0..httpz_response.headers.len) |index| {
+        const key = httpz_response.headers.keys[index];
+        const value = httpz_response.headers.values[index];
+
+        try headers.append(.{
+            .name = try allocator.dupe(u8, key),
+            .value = try allocator.dupe(u8, httpz_response.headers.values[index]),
+        });
+
+        if (std.ascii.eqlIgnoreCase(key, "set-cookie")) {
+            // FIXME: We only expect one set-cookie header at the moment.
+            const cookies = try allocator.create(jetzig.http.Cookies);
+            cookies.* = jetzig.http.Cookies.init(allocator, value);
+            self.cookies = cookies;
+            try self.cookies.parse();
+        }
+    }
+
     var data = jetzig.data.Data.init(allocator);
     defer data.deinit();
 
-    var jobs = std.ArrayList(jetzig.testing.TestResponse.Job).init(self.arena.allocator());
+    var jobs = std.ArrayList(jetzig.testing.TestResponse.Job).init(allocator);
     while (try self.job_queue.popFirst(&data, "__jetzig_jobs")) |value| {
         if (value.getT(.string, "__jetzig_job_name")) |job_name| try jobs.append(.{
-            .name = try self.arena.allocator().dupe(u8, job_name),
+            .name = try allocator.dupe(u8, job_name),
         });
     }
 
+    try self.initSession();
+
     return .{
-        .allocator = self.arena.allocator(),
+        .allocator = allocator,
         .status = httpz_response.status,
-        .body = try self.arena.allocator().dupe(u8, httpz_response.body),
+        .body = try allocator.dupe(u8, httpz_response.body),
         .headers = try headers.toOwnedSlice(),
         .jobs = try jobs.toOwnedSlice(),
     };
@@ -189,6 +231,16 @@ pub fn params(self: App, args: anytype) []Param {
     return array.toOwnedSlice() catch @panic("OOM");
 }
 
+pub fn initSession(self: *App) !void {
+    const allocator = self.arena.allocator();
+
+    var local_session = try allocator.create(jetzig.http.Session);
+    local_session.* = jetzig.http.Session.init(allocator, self.cookies, jetzig.testing.secret);
+    try local_session.parse();
+
+    self.session = local_session;
+}
+
 /// Encode an arbitrary struct to a JSON string for use as a request body.
 pub fn json(self: App, args: anytype) []const u8 {
     const allocator = self.arena.allocator();
@@ -245,15 +297,29 @@ fn stubbedRequest(
     comptime path: []const u8,
     multipart_boundary: ?[]const u8,
     options: RequestOptions,
+    maybe_cookies: ?*const jetzig.http.Cookies,
 ) !httpz.Request {
     // TODO: Use httpz.testing
     var request_headers = try keyValue(allocator, 32);
     for (options.headers) |header| request_headers.add(header.name, header.value);
+
+    if (maybe_cookies) |cookies| {
+        var cookie_buf = std.ArrayList(u8).init(allocator);
+        const cookie_writer = cookie_buf.writer();
+        try cookie_writer.print("{}", .{cookies});
+        const cookie = try cookie_buf.toOwnedSlice();
+        request_headers.add("cookie", cookie);
+    }
+
     if (options.json != null) {
         request_headers.add("accept", "application/json");
         request_headers.add("content-type", "application/json");
     } else if (multipart_boundary) |boundary| {
-        const header = try std.mem.concat(allocator, u8, &.{ "multipart/form-data; boundary=", boundary });
+        const header = try std.mem.concat(
+            allocator,
+            u8,
+            &.{ "multipart/form-data; boundary=", boundary },
+        );
         request_headers.add("content-type", header);
     }
 
@@ -358,7 +424,10 @@ fn buildOptions(allocator: std.mem.Allocator, app: *const App, args: anytype) !R
     }
 
     return .{
-        .headers = if (@hasField(@TypeOf(args), "headers")) try buildHeaders(allocator, args.headers) else &.{},
+        .headers = if (@hasField(@TypeOf(args), "headers"))
+            try buildHeaders(allocator, args.headers)
+        else
+            &.{},
         .json = if (@hasField(@TypeOf(args), "json")) app.json(args.json) else null,
         .params = if (@hasField(@TypeOf(args), "params")) app.params(args.params) else null,
         .body = if (@hasField(@TypeOf(args), "body")) args.body else null,
@@ -368,7 +437,12 @@ fn buildOptions(allocator: std.mem.Allocator, app: *const App, args: anytype) !R
 fn buildHeaders(allocator: std.mem.Allocator, args: anytype) ![]const jetzig.testing.TestResponse.Header {
     var headers = std.ArrayList(jetzig.testing.TestResponse.Header).init(allocator);
     inline for (std.meta.fields(@TypeOf(args))) |field| {
-        try headers.append(jetzig.testing.TestResponse.Header{ .name = field.name, .value = @field(args, field.name) });
+        try headers.append(
+            jetzig.testing.TestResponse.Header{
+                .name = field.name,
+                .value = @field(args, field.name),
+            },
+        );
     }
     return try headers.toOwnedSlice();
 }

src/jetzig/util.zig

@@ -67,25 +67,25 @@ pub inline fn unquote(input: []const u8) []const u8 {
 }
 
 /// Generate a secure random string of `len` characters (for cryptographic purposes).
-pub fn generateSecret(allocator: std.mem.Allocator, comptime len: u10) ![]const u8 {
+pub fn generateSecret(allocator: std.mem.Allocator, len: u10) ![]const u8 {
     const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
-    var secret: [len]u8 = undefined;
+    const secret = try allocator.alloc(u8, len);
 
     for (0..len) |index| {
-        secret[index] = chars[std.crypto.random.intRangeAtMost(u8, 0, chars.len)];
+        secret[index] = chars[std.crypto.random.intRangeAtMost(u8, 0, chars.len - 1)];
     }
 
-    return try allocator.dupe(u8, &secret);
+    return secret;
 }
 
 pub fn generateRandomString(buf: []u8) []const u8 {
     const chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
 
     for (0..buf.len) |index| {
-        buf[index] = chars[std.crypto.random.intRangeAtMost(u8, 0, chars.len)];
+        buf[index] = chars[std.crypto.random.intRangeAtMost(u8, 0, chars.len - 1)];
     }
 
-    return buf;
+    return buf[0..];
 }
 
 /// Calculate a duration from a given start time (in nanoseconds) to the current time.

src/jetzig/views/Route.zig

@@ -56,6 +56,8 @@ json_params: []const []const u8,
 params: std.ArrayList(*jetzig.data.Data) = undefined,
 id: []const u8,
 formats: ?Formats = null,
+before_callbacks: []const jetzig.callbacks.BeforeCallback = &.{},
+after_callbacks: []const jetzig.callbacks.AfterCallback = &.{},
 
 /// Initializes a route's static params on server launch. Converts static params (JSON strings)
 /// to `jetzig.data.Data` values. Memory is owned by caller (`App.start()`).