std::net::http::http_async_serverAsync HTTP/1.1 server codec — idiomatic Hew over a suspending listener+conn.
The await-suspended sibling of the blocking std::net::http server
(which is backed by a native engine and cannot suspend an actor). The codec
is pure Hew layered on NEW-2's await listener.accept() carrier and NEW-1's
await conn.read(): an acceptor handler creates a listener with
net.listen, awaits a connection, drives an await conn.read()
loop until the request is fully buffered ([request_complete]), parses it
([parse_request]), and replies by writing the bytes from [response_text]
/ [response_json] / [build_response] over the connection.
Scope (v0.5.0): HTTP/1.1 only, fully-buffered request/response bodies, one
connection handled per accept (the OTP acceptor-per-conn shape). The
Listener/Connection are handler LOCALs, never actor state (the
supervisor-restart clone gate rejects opaque handles in state). Streaming
bodies are NEW-7; HTTPS is BUG-NET-3.
import std::net;
import std::net::http::http_async_server;
import std::string;
actor Server {
let addr: string; // "127.0.0.1:8080"
receive fn serve(unused: i64) {
let listener = net.listen(addr);
let conn = await listener.accept(); // suspends on readiness
var raw = "";
var reads = 0;
var done = false;
while !done {
let chunk = await conn.read_string(); // suspends the worker
reads = reads + 1;
if string.is_empty(chunk) {
done = true;
} else {
raw = raw + chunk;
if http_async_server.over_limit(raw) { // F2: fail closed
done = true;
} else if http_async_server.request_complete(raw) {
done = true;
}
}
if reads > http_async_server.MAX_READS { // F2: read ceiling
done = true;
}
}
let req = http_async_server.parse_request(raw);
var reply = http_async_server.response_text(req.reject_status(), "rejected");
if req.is_valid() { // F2/F3: fail closed
reply = match req.path() {
"/hello" => http_async_server.response_text(200, "hi from hew"),
_ => http_async_server.response_text(404, "nope"),
};
}
conn.write_string(reply);
let _ = conn.close();
let _ = listener.close();
}
}
request_completeWhether raw holds a complete HTTP/1.1 request: the header terminator
(CRLF-CRLF) is present AND, when a Content-Length header is declared, the
buffered body is at least that long. Drives the acceptor's read loop so it
stops reading as soon as the request is fully buffered (rather than waiting
for the peer to close).
over_limitWhether raw has exceeded a size bound and the read loop must STOP and fail
closed (F2). True when the buffered bytes exceed the total ceiling, the head
exceeds the header ceiling (even before a terminator is seen), or the declared
Content-Length exceeds the body ceiling. The acceptor's read loop checks
this before [request_complete] so a malicious peer cannot OOM the worker by
streaming an unbounded head/body or declaring an enormous Content-Length.
parse_requestParse the buffered bytes into an [AsyncRequest]. The request line is the
first CRLF-terminated line (GET /path HTTP/1.1); the method and path are
its first two space-separated tokens. The body is everything after the first
CRLF-CRLF. The framing is validated and the request FAILS CLOSED — see
[AsyncRequest::reject_status] — on a malformed request line, an unsupported
Transfer-Encoding, a duplicate/conflicting/non-numeric Content-Length, or
any size bound (F2/F3); the acceptor replies with that status and closes.
response_textBuild a plain-text HTTP/1.1 response (Content-Type: text/plain).
response_jsonBuild a JSON HTTP/1.1 response (Content-Type: application/json).
build_responseBuild a full HTTP/1.1 response: the status line, Content-Type,
Content-Length (derived from body), Connection: close, the blank line,
then the body. The status text is a small well-known mapping (anything
unknown is labelled Status).
FAILS CLOSED on header smuggling (F4): a content_type carrying a \r/\n
or other control character would inject extra headers into the response, so
such a value is rejected and an empty string is returned (the acceptor writes
nothing and closes) rather than emitting an attacker-controlled header.
AsyncRequestA fully-buffered HTTP/1.1 request parsed from the bytes read off an accepted
connection. verb is the method (GET/POST/…), target the request path,
header_section the raw header block (CRLF-separated lines after the request
line), and body_text the request body. reject_code is 0 for a
well-formed request, or the HTTP status the codec failed closed with
(400 malformed framing, 413 over a size bound).
AsyncRequestMethodsMethods on [AsyncRequest] — the request-side accessor surface.
The HTTP method (e.g. "GET", "POST"). Empty on a malformed request.
The request path (e.g. "/api/users"). Empty on a malformed request.
Look up a request header by name (case-insensitive). Empty if absent.
The request body as a string.
The fail-closed reject status (0 when the request is well-formed, else
the HTTP status to reply with: 400 malformed framing, 413 too large).
Whether the request passed all framing + size validation.
MAX_HEADER_BYTESMaximum bytes accepted in the request head (request line + headers). A head
larger than this fails closed with 413 rather than buffering unbounded.
MAX_BODY_BYTESMaximum bytes accepted in the request body — also the Content-Length
ceiling. A declared or buffered body larger than this fails closed with 413.
MAX_REQUEST_BYTESMaximum total request bytes buffered before the read loop fails closed
(MAX_HEADER_BYTES + MAX_BODY_BYTES). The single overall cap that bounds the
accumulator regardless of framing.
MAX_READSMaximum number of read iterations a request loop will accept before failing closed. Bounds an endless-trickle peer that never satisfies a framing rule.