sessions: check idp id to detect provider changes to force session invalidation (#3707)

* sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test
2025-06-04 20:03:18 +02:00 · 2022-10-25 16:20:32 -06:00 · 2022-10-25 16:20:32 -06:00 · 30bdae3d9e
commit 30bdae3d9e
parent 3f7a482815
14 changed files with 265 additions and 193 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -111,9 +111,9 @@ func (a *Authenticate) mountDashboard(r *mux.Router) {
 	cr.Path("/").Handler(a.requireValidSignature(a.Callback)).Methods(http.MethodGet)
 }

-// RetrieveSession is the middleware used retrieve session by the sessionLoaders
+// RetrieveSession is the middleware used retrieve session by the sessionLoader
 func (a *Authenticate) RetrieveSession(next http.Handler) http.Handler {
-	return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(next)
+	return sessions.RetrieveSession(a.state.Load().sessionLoader)(next)
 }

 // VerifySession is the middleware used to enforce a valid authentication
--- a/authenticate/state.go
+++ b/authenticate/state.go
@ -42,7 +42,7 @@ type authenticateState struct {
 	sessionStore sessions.SessionStore
 	// sessionLoaders are a collection of session loaders to attempt to pull
 	// a user's session state from
-	sessionLoaders []sessions.SessionLoader
+	sessionLoader sessions.SessionLoader

 	jwk *jose.JSONWebKeySet

@ -120,7 +120,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
 	}

 	state.sessionStore = cookieStore
-	state.sessionLoaders = []sessions.SessionLoader{cookieStore}
+	state.sessionLoader = cookieStore
 	state.jwk = new(jose.JSONWebKeySet)
 	signingKey, err := cfg.Options.GetSigningKey()
 	if err != nil {