From 30bdae3d9e3d81722efdfac92daa667ec24876e7 Mon Sep 17 00:00:00 2001 From: Caleb Doxsey Date: Tue, 25 Oct 2022 16:20:32 -0600 Subject: [PATCH] sessions: check idp id to detect provider changes to force session invalidation (#3707) * sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test --- authenticate/handlers.go | 4 +- authenticate/state.go | 4 +- authorize/check_response_test.go | 5 -- authorize/grpc.go | 3 +- authorize/grpc_test.go | 5 -- authorize/session.go | 63 --------------- authorize/session_test.go | 76 ------------------ authorize/state.go | 14 ++-- config/identity.go | 22 +++++- config/session.go | 83 ++++++++++++++++++++ config/session_test.go | 128 +++++++++++++++++++++++++++++++ internal/sessions/middleware.go | 24 +----- internal/sessions/store.go | 19 +++++ proxy/state.go | 8 -- 14 files changed, 265 insertions(+), 193 deletions(-) delete mode 100644 authorize/session.go delete mode 100644 authorize/session_test.go create mode 100644 config/session.go create mode 100644 config/session_test.go diff --git a/authenticate/handlers.go b/authenticate/handlers.go index 4085033bf..6a23ca72b 100644 --- a/authenticate/handlers.go +++ b/authenticate/handlers.go @@ -111,9 +111,9 @@ func (a *Authenticate) mountDashboard(r *mux.Router) { cr.Path("/").Handler(a.requireValidSignature(a.Callback)).Methods(http.MethodGet) } -// RetrieveSession is the middleware used retrieve session by the sessionLoaders +// RetrieveSession is the middleware used retrieve session by the sessionLoader func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler { - return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(next) + return sessions.RetrieveSession(a.state.Load().sessionLoader)(next) } // VerifySession is the middleware used to enforce a valid authentication diff --git a/authenticate/state.go b/authenticate/state.go index 0b6b7924a..dcbccfc0f 100644 --- a/authenticate/state.go +++ b/authenticate/state.go @@ -42,7 +42,7 @@ type authenticateState struct { sessionStore sessions.SessionStore // sessionLoaders are a collection of session loaders to attempt to pull // a user's session state from - sessionLoaders []sessions.SessionLoader + sessionLoader sessions.SessionLoader jwk *jose.JSONWebKeySet @@ -120,7 +120,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err } state.sessionStore = cookieStore - state.sessionLoaders = []sessions.SessionLoader{cookieStore} + state.sessionLoader = cookieStore state.jwk = new(jose.JSONWebKeySet) signingKey, err := cfg.Options.GetSigningKey() if err != nil { diff --git a/authorize/check_response_test.go b/authorize/check_response_test.go index 1dbf50c9b..438a6a25b 100644 --- a/authorize/check_response_test.go +++ b/authorize/check_response_test.go @@ -19,7 +19,6 @@ import ( "github.com/pomerium/pomerium/authorize/internal/store" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/testutil" "github.com/pomerium/pomerium/pkg/policy/criteria" ) @@ -68,8 +67,6 @@ func TestAuthorize_okResponse(t *testing.T) { JWTClaimsHeaders: config.NewJWTClaimHeaders("email"), } a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(opt) a.store = store.New() pe, err := newPolicyEvaluator(opt, a.store) @@ -124,8 +121,6 @@ func TestAuthorize_okResponse(t *testing.T) { func TestAuthorize_deniedResponse(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, diff --git a/authorize/grpc.go b/authorize/grpc.go index 4816fe0d2..03664157d 100644 --- a/authorize/grpc.go +++ b/authorize/grpc.go @@ -55,8 +55,7 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v3.CheckRe } } - rawJWT, _ := loadRawSession(hreq, a.currentOptions.Load(), state.encoder) - sessionState, _ := loadSession(state.encoder, rawJWT) + sessionState, _ := state.sessionStore.LoadSessionState(hreq) var s sessionOrServiceAccount var u *user.User diff --git a/authorize/grpc_test.go b/authorize/grpc_test.go index 28a8cdbbb..5fa8910fb 100644 --- a/authorize/grpc_test.go +++ b/authorize/grpc_test.go @@ -16,7 +16,6 @@ import ( "github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/config" "github.com/pomerium/pomerium/internal/atomicutil" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/pkg/grpc/databroker" @@ -48,8 +47,6 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA== func Test_getEvaluatorRequest(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, @@ -262,8 +259,6 @@ func Test_handleForwardAuth(t *testing.T) { func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) { a := &Authorize{currentOptions: config.NewAtomicOptions(), state: atomicutil.NewValue(new(authorizeState))} - encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}) - a.state.Load().encoder = encoder a.currentOptions.Store(&config.Options{ Policies: []config.Policy{{ Source: &config.StringURL{URL: &url.URL{Host: "example.com"}}, diff --git a/authorize/session.go b/authorize/session.go deleted file mode 100644 index c40b7add6..000000000 --- a/authorize/session.go +++ /dev/null @@ -1,63 +0,0 @@ -package authorize - -import ( - "errors" - "net/http" - - "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding" - "github.com/pomerium/pomerium/internal/sessions" - "github.com/pomerium/pomerium/internal/sessions/cookie" - "github.com/pomerium/pomerium/internal/sessions/header" - "github.com/pomerium/pomerium/internal/sessions/queryparam" - "github.com/pomerium/pomerium/internal/urlutil" -) - -func loadRawSession(req *http.Request, options *config.Options, encoder encoding.MarshalUnmarshaler) ([]byte, error) { - var loaders []sessions.SessionLoader - cookieStore, err := getCookieStore(options, encoder) - if err != nil { - return nil, err - } - loaders = append(loaders, - cookieStore, - header.NewStore(encoder), - queryparam.NewStore(encoder, urlutil.QuerySession), - ) - - for _, loader := range loaders { - sess, err := loader.LoadSession(req) - if err != nil && !errors.Is(err, sessions.ErrNoSessionFound) { - return nil, err - } else if err == nil { - return []byte(sess), nil - } - } - - return nil, sessions.ErrNoSessionFound -} - -func loadSession(encoder encoding.MarshalUnmarshaler, rawJWT []byte) (*sessions.State, error) { - var s sessions.State - err := encoder.Unmarshal(rawJWT, &s) - if err != nil { - return nil, err - } - return &s, nil -} - -func getCookieStore(options *config.Options, encoder encoding.MarshalUnmarshaler) (sessions.SessionStore, error) { - cookieStore, err := cookie.NewStore(func() cookie.Options { - return cookie.Options{ - Name: options.CookieName, - Domain: options.CookieDomain, - Secure: options.CookieSecure, - HTTPOnly: options.CookieHTTPOnly, - Expire: options.CookieExpire, - } - }, encoder) - if err != nil { - return nil, err - } - return cookieStore, nil -} diff --git a/authorize/session_test.go b/authorize/session_test.go deleted file mode 100644 index 53b509e80..000000000 --- a/authorize/session_test.go +++ /dev/null @@ -1,76 +0,0 @@ -package authorize - -import ( - "net/url" - "testing" - - envoy_service_auth_v3 "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" - "github.com/stretchr/testify/assert" - - "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding/jws" - "github.com/pomerium/pomerium/internal/sessions" -) - -func TestLoadSession(t *testing.T) { - opts := config.NewDefaultOptions() - encoder, err := jws.NewHS256Signer(nil) - if !assert.NoError(t, err) { - return - } - state := &sessions.State{ID: "xyz"} - rawjwt, err := encoder.Marshal(state) - if !assert.NoError(t, err) { - return - } - - load := func(t *testing.T, hattrs *envoy_service_auth_v3.AttributeContext_HttpRequest) (*sessions.State, error) { - req := getHTTPRequestFromCheckRequest(&envoy_service_auth_v3.CheckRequest{ - Attributes: &envoy_service_auth_v3.AttributeContext{ - Request: &envoy_service_auth_v3.AttributeContext_Request{ - Http: hattrs, - }, - }, - }) - raw, err := loadRawSession(req, opts, encoder) - if err != nil { - return nil, err - } - var state sessions.State - err = encoder.Unmarshal(raw, &state) - if err != nil { - return nil, err - } - return &state, nil - } - - t.Run("header", func(t *testing.T) { - hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Id: "req-1", - Method: "GET", - Headers: map[string]string{ - "Authorization": "Pomerium " + string(rawjwt), - }, - Path: "/hello/world", - Host: "example.com", - Scheme: "https", - } - sess, err := load(t, hattrs) - assert.NoError(t, err) - assert.NotNil(t, sess) - }) - t.Run("query param", func(t *testing.T) { - hattrs := &envoy_service_auth_v3.AttributeContext_HttpRequest{ - Id: "req-1", - Method: "GET", - Path: "/hello/world?" + url.Values{ - "pomerium_session": []string{string(rawjwt)}, - }.Encode(), - Host: "example.com", - Scheme: "https", - } - sess, err := load(t, hattrs) - assert.NoError(t, err) - assert.NotNil(t, sess) - }) -} diff --git a/authorize/state.go b/authorize/state.go index 6440c4a10..4bf58a040 100644 --- a/authorize/state.go +++ b/authorize/state.go @@ -9,8 +9,6 @@ import ( "github.com/pomerium/pomerium/authorize/evaluator" "github.com/pomerium/pomerium/authorize/internal/store" "github.com/pomerium/pomerium/config" - "github.com/pomerium/pomerium/internal/encoding" - "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/pkg/grpc" "github.com/pomerium/pomerium/pkg/grpc/databroker" "github.com/pomerium/pomerium/pkg/protoutil" @@ -21,10 +19,10 @@ var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn) type authorizeState struct { sharedKey []byte evaluator *evaluator.Evaluator - encoder encoding.MarshalUnmarshaler dataBrokerClientConnection *googlegrpc.ClientConn dataBrokerClient databroker.DataBrokerServiceClient auditEncryptor *protoutil.Encryptor + sessionStore *config.SessionStore } func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*authorizeState, error) { @@ -46,11 +44,6 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho return nil, err } - state.encoder, err = jws.NewHS256Signer(state.sharedKey) - if err != nil { - return nil, err - } - sharedKey, err := cfg.Options.GetSharedKey() if err != nil { return nil, err @@ -76,5 +69,10 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho state.auditEncryptor = protoutil.NewEncryptor(auditKey) } + state.sessionStore, err = config.NewSessionStore(cfg.Options) + if err != nil { + return nil, fmt.Errorf("authorize: invalid session store: %w", err) + } + return state, nil } diff --git a/config/identity.go b/config/identity.go index 7fc1a1cbd..5843c3147 100644 --- a/config/identity.go +++ b/config/identity.go @@ -1,14 +1,16 @@ package config import ( + "github.com/pomerium/pomerium/internal/urlutil" "github.com/pomerium/pomerium/pkg/grpc/identity" ) // GetIdentityProviderForID returns the identity provider associated with the given IDP id. // If none is found the default provider is returned. func (o *Options) GetIdentityProviderForID(idpID string) (*identity.Provider, error) { - for _, policy := range o.GetAllPolicies() { - idp, err := o.GetIdentityProviderForPolicy(&policy) //nolint + for _, p := range o.GetAllPolicies() { + p := p + idp, err := o.GetIdentityProviderForPolicy(&p) if err != nil { return nil, err } @@ -48,3 +50,19 @@ func (o *Options) GetIdentityProviderForPolicy(policy *Policy) (*identity.Provid idp.Id = idp.Hash() return idp, nil } + +// GetIdentityProviderForRequestURL gets the identity provider associated with the given request URL. +func (o *Options) GetIdentityProviderForRequestURL(requestURL string) (*identity.Provider, error) { + u, err := urlutil.ParseAndValidateURL(requestURL) + if err != nil { + return nil, err + } + + for _, p := range o.GetAllPolicies() { + p := p + if p.Matches(*u) { + return o.GetIdentityProviderForPolicy(&p) + } + } + return o.GetIdentityProviderForPolicy(nil) +} diff --git a/config/session.go b/config/session.go new file mode 100644 index 000000000..6f3b36ccb --- /dev/null +++ b/config/session.go @@ -0,0 +1,83 @@ +package config + +import ( + "fmt" + "net/http" + + "github.com/pomerium/pomerium/internal/encoding" + "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/sessions/cookie" + "github.com/pomerium/pomerium/internal/sessions/header" + "github.com/pomerium/pomerium/internal/sessions/queryparam" + "github.com/pomerium/pomerium/internal/urlutil" +) + +// A SessionStore saves and loads sessions based on the options. +type SessionStore struct { + options *Options + encoder encoding.MarshalUnmarshaler + loader sessions.SessionLoader +} + +// NewSessionStore creates a new SessionStore from the Options. +func NewSessionStore(options *Options) (*SessionStore, error) { + store := &SessionStore{ + options: options, + } + + sharedKey, err := options.GetSharedKey() + if err != nil { + return nil, fmt.Errorf("config/sessions: shared_key is required: %w", err) + } + + store.encoder, err = jws.NewHS256Signer(sharedKey) + if err != nil { + return nil, fmt.Errorf("config/sessions: invalid session encoder: %w", err) + } + + cookieStore, err := cookie.NewStore(func() cookie.Options { + return cookie.Options{ + Name: options.CookieName, + Domain: options.CookieDomain, + Secure: options.CookieSecure, + HTTPOnly: options.CookieHTTPOnly, + Expire: options.CookieExpire, + } + }, store.encoder) + if err != nil { + return nil, err + } + headerStore := header.NewStore(store.encoder) + queryParamStore := queryparam.NewStore(store.encoder, urlutil.QuerySession) + store.loader = sessions.MultiSessionLoader(cookieStore, headerStore, queryParamStore) + + return store, nil +} + +// LoadSessionState loads the session state from a request. +func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, error) { + rawJWT, err := store.loader.LoadSession(r) + if err != nil { + return nil, err + } + + var state sessions.State + err = store.encoder.Unmarshal([]byte(rawJWT), &state) + if err != nil { + return nil, err + } + + // confirm that the identity provider id matches the state + idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String()) + if err != nil { + return nil, err + } + + if idp.GetId() != state.IdentityProviderID { + return nil, fmt.Errorf("unexpected session state identity provider id: %s != %s", + idp.GetId(), state.IdentityProviderID) + } + + return &state, nil +} diff --git a/config/session_test.go b/config/session_test.go new file mode 100644 index 000000000..6a1471b26 --- /dev/null +++ b/config/session_test.go @@ -0,0 +1,128 @@ +package config + +import ( + "encoding/base64" + "net/http" + "net/url" + "testing" + + "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" + + "github.com/pomerium/pomerium/internal/encoding/jws" + "github.com/pomerium/pomerium/internal/httputil" + "github.com/pomerium/pomerium/internal/sessions" + "github.com/pomerium/pomerium/internal/urlutil" + "github.com/pomerium/pomerium/pkg/cryptutil" +) + +func TestSessionStore_LoadSessionState(t *testing.T) { + t.Parallel() + + sharedKey := cryptutil.NewKey() + options := NewDefaultOptions() + options.SharedKey = base64.StdEncoding.EncodeToString(sharedKey) + options.Provider = "oidc" + options.ProviderURL = "https://oidc.example.com" + options.ClientID = "client_id" + options.ClientSecret = "client_secret" + options.Policies = append(options.Policies, + Policy{ + From: "https://p1.example.com", + To: mustParseWeightedURLs(t, "https://p1"), + IDPClientID: "client_id_1", + IDPClientSecret: "client_secret_1", + }, + Policy{ + From: "https://p2.example.com", + To: mustParseWeightedURLs(t, "https://p2"), + IDPClientID: "client_id_2", + IDPClientSecret: "client_secret_2", + }) + require.NoError(t, options.Validate()) + + store, err := NewSessionStore(options) + require.NoError(t, err) + + idp1, err := options.GetIdentityProviderForPolicy(nil) + require.NoError(t, err) + require.NotNil(t, idp1) + + idp2, err := options.GetIdentityProviderForPolicy(&options.Policies[0]) + require.NoError(t, err) + require.NotNil(t, idp2) + + idp3, err := options.GetIdentityProviderForPolicy(&options.Policies[1]) + require.NoError(t, err) + require.NotNil(t, idp3) + + makeJWS := func(t *testing.T, state *sessions.State) string { + e, err := jws.NewHS256Signer(sharedKey) + require.NoError(t, err) + + rawJWS, err := e.Marshal(state) + require.NoError(t, err) + + return string(rawJWS) + } + + t.Run("mssing", func(t *testing.T) { + r, err := http.NewRequest(http.MethodGet, "https://p1.example.com", nil) + require.NoError(t, err) + s, err := store.LoadSessionState(r) + assert.ErrorIs(t, err, sessions.ErrNoSessionFound) + assert.Nil(t, s) + }) + t.Run("query", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp2.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p1.example.com?"+url.Values{ + urlutil.QuerySession: {rawJWS}, + }.Encode(), nil) + require.NoError(t, err) + s, err := store.LoadSessionState(r) + assert.NoError(t, err) + assert.Empty(t, cmp.Diff(&sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp2.GetId(), + }, s)) + }) + t.Run("header", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp3.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil) + require.NoError(t, err) + r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS) + s, err := store.LoadSessionState(r) + assert.NoError(t, err) + assert.Empty(t, cmp.Diff(&sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp3.GetId(), + }, s)) + }) + t.Run("wrong idp", func(t *testing.T) { + rawJWS := makeJWS(t, &sessions.State{ + Issuer: "authenticate.example.com", + ID: "example", + IdentityProviderID: idp1.GetId(), + }) + + r, err := http.NewRequest(http.MethodGet, "https://p2.example.com", nil) + require.NoError(t, err) + r.Header.Set(httputil.HeaderPomeriumAuthorization, rawJWS) + s, err := store.LoadSessionState(r) + assert.Error(t, err) + assert.Nil(t, s) + }) +} diff --git a/internal/sessions/middleware.go b/internal/sessions/middleware.go index af17d3c42..45d5047e6 100644 --- a/internal/sessions/middleware.go +++ b/internal/sessions/middleware.go @@ -2,7 +2,6 @@ package sessions import ( "context" - "errors" "net/http" ) @@ -14,17 +13,17 @@ var ( // RetrieveSession takes a slice of session loaders and tries to find a valid // session in the order they were supplied and is added to the request's context -func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler { +func RetrieveSession(s SessionLoader) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { - return retrieve(s...)(next) + return retrieve(s)(next) } } -func retrieve(s ...SessionLoader) func(http.Handler) http.Handler { +func retrieve(s SessionLoader) func(http.Handler) http.Handler { return func(next http.Handler) http.Handler { hfn := func(w http.ResponseWriter, r *http.Request) { ctx := r.Context() - jwt, err := retrieveFromRequest(r, s...) + jwt, err := s.LoadSession(r) ctx = NewContext(ctx, jwt, err) next.ServeHTTP(w, r.WithContext(ctx)) } @@ -32,21 +31,6 @@ func retrieve(s ...SessionLoader) func(http.Handler) http.Handler { } } -// retrieveFromRequest extracts sessions state from the request by calling -// token find functions in the order they where provided. -func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (string, error) { - for _, s := range sessions { - jwt, err := s.LoadSession(r) - if err != nil && !errors.Is(err, ErrNoSessionFound) { - return "", err - } else if err == nil { - return jwt, nil - } - } - - return "", ErrNoSessionFound -} - // NewContext sets context values for the user session state and error. func NewContext(ctx context.Context, jwt string, err error) context.Context { ctx = context.WithValue(ctx, SessionCtxKey, jwt) diff --git a/internal/sessions/store.go b/internal/sessions/store.go index 7f838763a..bc88207ac 100644 --- a/internal/sessions/store.go +++ b/internal/sessions/store.go @@ -3,6 +3,7 @@ package sessions import ( + "errors" "net/http" ) @@ -17,3 +18,21 @@ type SessionStore interface { type SessionLoader interface { LoadSession(*http.Request) (string, error) } + +type multiSessionLoader []SessionLoader + +func (l multiSessionLoader) LoadSession(r *http.Request) (string, error) { + for _, ll := range l { + s, err := ll.LoadSession(r) + if errors.Is(err, ErrNoSessionFound) { + continue + } + return s, err + } + return "", ErrNoSessionFound +} + +// MultiSessionLoader returns a session loader that returns the first session available. +func MultiSessionLoader(loaders ...SessionLoader) SessionLoader { + return multiSessionLoader(loaders) +} diff --git a/proxy/state.go b/proxy/state.go index f8bc827fd..b4ed3cdfd 100644 --- a/proxy/state.go +++ b/proxy/state.go @@ -9,8 +9,6 @@ import ( "github.com/pomerium/pomerium/internal/encoding/jws" "github.com/pomerium/pomerium/internal/sessions" "github.com/pomerium/pomerium/internal/sessions/cookie" - "github.com/pomerium/pomerium/internal/sessions/header" - "github.com/pomerium/pomerium/internal/sessions/queryparam" "github.com/pomerium/pomerium/pkg/cryptutil" ) @@ -26,7 +24,6 @@ type proxyState struct { encoder encoding.MarshalUnmarshaler cookieSecret []byte sessionStore sessions.SessionStore - sessionLoaders []sessions.SessionLoader jwtClaimHeaders config.JWTClaimHeaders programmaticRedirectDomainWhitelist []string @@ -84,11 +81,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) { if err != nil { return nil, err } - state.sessionLoaders = []sessions.SessionLoader{ - state.sessionStore, - header.NewStore(state.encoder), - queryparam.NewStore(state.encoder, "pomerium_session"), - } state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist return state, nil