Chapter 3: Per-User Storage with VirtualRoot
This chapter shows how to isolate user file storage using VirtualRoot<UserUploads>. Each user gets their own virtual filesystem that cannot access other users' files.
The Problem: User Isolation
Without proper isolation, users could access each other's files:
#![allow(unused)] fn main() { // ❌ UNSAFE: Users can escape their directory let user_file = format!("./uploads/{}/{}", user_id, filename); // User sends filename="../other_user/secret.txt" }
The Solution: VirtualRoot Per User
VirtualRoot creates an isolated view where paths are relative to the user's directory:
#![allow(unused)] fn main() { // ✅ SAFE: Isolated per-user virtual filesystem let user_root = VirtualRoot::<UserUploads>::try_new( format!("./uploads/user_{user_id}") )?; // User's paths are always within their root let file = user_root.virtual_join(filename)?; // Can't escape! }
Implementation: File Upload Handler
Create src/routes/upload.rs:
#![allow(unused)] fn main() { use axum::{ extract::{Multipart, Path, State}, http::StatusCode, response::IntoResponse, }; use strict_path::VirtualRoot; use crate::{markers::UserUploads, state::AppState, error::AppError}; /// Handle file upload for authenticated user pub async fn upload_file( State(state): State<AppState>, Path(user_id): Path<String>, mut multipart: Multipart, ) -> Result<impl IntoResponse, AppError> { // Get or create user's virtual root let user_root = state.get_user_root(&user_id)?; while let Some(field) = multipart.next_field().await? { let filename = field .file_name() .ok_or(AppError::MissingFilename)? .to_string(); // SECURITY: virtual_join validates filename // Rejects: "../", absolute paths, special chars let file_path = user_root .virtual_join(&filename) .map_err(|_| AppError::InvalidFilename)?; let data = field.bytes().await?; // Safe: file_path is guaranteed within user's boundary file_path.write(data.as_ref())?; } Ok(StatusCode::CREATED) } /// List files in user's directory pub async fn list_files( State(state): State<AppState>, Path(user_id): Path<String>, ) -> Result<impl IntoResponse, AppError> { let user_root = state.get_user_root(&user_id)?; // Convert to StrictPath to read directory let root_dir = user_root.as_unvirtual(); let entries = root_dir.read_dir()?; let files: Vec<String> = entries .filter_map(|e| e.ok()) .filter_map(|e| e.file_name().into_string().ok()) .collect(); Ok(axum::Json(files)) } }
Update AppState
Modify src/state.rs to manage per-user roots:
#![allow(unused)] fn main() { use std::collections::HashMap; use std::sync::{Arc, RwLock}; use strict_path::{PathBoundary, VirtualRoot}; use crate::markers::{WebAssets, UserUploads, AppConfig}; pub struct AppState { pub assets: PathBoundary<WebAssets>, pub config: PathBoundary<AppConfig>, uploads_base: PathBoundary<UserUploads>, // Cache of user virtual roots user_roots: Arc<RwLock<HashMap<String, VirtualRoot<UserUploads>>>>, } impl AppState { pub fn new() -> Result<Self, Box<dyn std::error::Error>> { Ok(Self { assets: PathBoundary::try_new_create("./data/assets")?, config: PathBoundary::try_new("./data/config")?, uploads_base: PathBoundary::try_new_create("./data/uploads")?, user_roots: Arc::new(RwLock::new(HashMap::new())), }) } /// Get or create virtual root for user pub fn get_user_root( &self, user_id: &str, ) -> Result<VirtualRoot<UserUploads>, Box<dyn std::error::Error>> { // Check cache first { let cache = self.user_roots.read().unwrap(); if let Some(root) = cache.get(user_id) { return Ok(root.clone()); } } // Create new user directory and virtual root let user_dir = self.uploads_base.strict_join(user_id)?; user_dir.create_dir_all()?; let vroot = VirtualRoot::try_new(user_dir.interop_path())?; // Cache it self.user_roots.write().unwrap().insert(user_id.to_string(), vroot.clone()); Ok(vroot) } } }
Register Routes
Update src/main.rs:
mod routes { pub mod assets; pub mod upload; } use axum::{ routing::{get, post}, Router, }; #[tokio::main] async fn main() -> Result<(), Box<dyn std::error::Error>> { let state = AppState::new()?; let app = Router::new() .route("/assets/*path", get(routes::assets::serve_asset)) .route("/users/:user_id/files", post(routes::upload::upload_file)) .route("/users/:user_id/files", get(routes::upload::list_files)) .with_state(state); let listener = tokio::net::TcpListener::bind("127.0.0.1:3000").await?; println!("Server running on http://127.0.0.1:3000"); axum::serve(listener, app).await?; Ok(()) }
Key Security Properties
- User Isolation: Each
VirtualRootis scoped to one user's directory - Path Validation:
virtual_join()prevents directory traversal - Type Safety:
VirtualRoot<UserUploads>can't mix withPathBoundary<WebAssets> - Automatic Caching: User roots are cached for performance
Testing the Isolation
# Upload to user_001
curl -F "file=@test.txt" http://localhost:3000/users/user_001/files
# Try to access user_002's files (will fail)
curl -F "file=@../user_002/secret.txt" http://localhost:3000/users/user_001/files
# Returns 400: InvalidFilename
# List user_001's files (only shows their files)
curl http://localhost:3000/users/user_001/files
What We Learned
VirtualRootprovides per-user filesystem isolationvirtual_join()validates filenames and prevents escapes- AppState can manage multiple virtual roots efficiently
- Type markers prevent accidentally mixing user storage with other boundaries
Navigation:
← Chapter 2 | Tutorial Overview