make session ids route-specific

2025-06-05 20:32:57 +02:00 · 2025-02-17 16:29:06 -07:00 · 2025-02-17 16:29:06 -07:00 · 7e3db1a39f
commit 7e3db1a39f
parent 6b42074fe9
2 changed files with 44 additions and 7 deletions
--- a/config/session.go
+++ b/config/session.go
@ -2,6 +2,7 @@ package config

 import (
 	"context"
+	"encoding/binary"
 	"fmt"
 	"net/http"
 	"strings"
@ -129,11 +130,6 @@ func (store *SessionStore) SaveSession(w http.ResponseWriter, r *http.Request, v
 	return store.store.SaveSession(w, r, v)
 }

-var (
-	accessTokenUUIDNamespace   = uuid.MustParse("0194f6f8-e760-76a0-8917-e28ac927a34d")
-	identityTokenUUIDNamespace = uuid.MustParse("0194f6f9-aec0-704e-bb4a-51054f17ad17")
-)
-
 type IncomingIDPTokenSessionCreator interface {
 	CreateSession(ctx context.Context, cfg *Config, policy *Policy, r *http.Request) (*session.Session, error)
 }
@ -176,7 +172,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionAccessToken(
 	policy *Policy,
 	rawAccessToken string,
 ) (*session.Session, error) {
-	sessionID := uuid.NewSHA1(accessTokenUUIDNamespace, []byte(rawAccessToken)).String()
+	sessionID := getAccessTokenSessionID(policy, rawAccessToken)
 	s, err := c.getSession(ctx, sessionID)
 	if err == nil {
 		return s, nil
@ -225,7 +221,7 @@ func (c *incomingIDPTokenSessionCreator) createSessionForIdentityToken(
 	policy *Policy,
 	rawIdentityToken string,
 ) (*session.Session, error) {
-	sessionID := uuid.NewSHA1(identityTokenUUIDNamespace, []byte(rawIdentityToken)).String()
+	sessionID := getIdentityTokenSessionID(policy, rawIdentityToken)
 	s, err := c.getSession(ctx, sessionID)
 	if err == nil {
 		return s, nil
@ -417,3 +413,29 @@ func (cfg *Config) GetIncomingIDPIdentityTokenForPolicy(policy *Policy, r *http.

 	return "", false
 }
+
+var accessTokenUUIDNamespace = uuid.MustParse("0194f6f8-e760-76a0-8917-e28ac927a34d")
+
+func getAccessTokenSessionID(policy *Policy, rawAccessToken string) string {
+	namespace := accessTokenUUIDNamespace
+	// make the session ID per-route
+	if policy != nil {
+		var data [8]byte
+		binary.BigEndian.PutUint64(data[:], policy.MustRouteID())
+		namespace = uuid.NewSHA1(namespace, data[:])
+	}
+	return uuid.NewSHA1(namespace, []byte(rawAccessToken)).String()
+}
+
+var identityTokenUUIDNamespace = uuid.MustParse("0194f6f9-aec0-704e-bb4a-51054f17ad17")
+
+func getIdentityTokenSessionID(policy *Policy, rawIdentityToken string) string {
+	namespace := identityTokenUUIDNamespace
+	// make the session ID per-route
+	if policy != nil {
+		var data [8]byte
+		binary.BigEndian.PutUint64(data[:], policy.MustRouteID())
+		namespace = uuid.NewSHA1(namespace, data[:])
+	}
+	return uuid.NewSHA1(namespace, []byte(rawIdentityToken)).String()
+}
--- a/config/session_test.go
+++ b/config/session_test.go
@ -164,3 +164,18 @@ func TestGetIdentityProviderDetectsChangesToAuthenticateServiceURL(t *testing.T)
 	assert.NotEqual(t, idp1.GetId(), idp2.GetId(),
 		"identity provider should change when authenticate service url changes")
 }
+
+func Test_getAccessTokenSessionID(t *testing.T) {
+	t.Parallel()
+
+	assert.Equal(t, "532b0a3d-b413-50a0-8c9f-e6eb340a05d3", getAccessTokenSessionID(nil, "TOKEN"))
+	assert.Equal(t, "e0b8096c-54dd-5623-8098-5488f9c302db", getIdentityTokenSessionID(nil, "TOKEN"))
+	assert.Equal(t, "c58990ec-85d4-5054-b27f-e7c5d9c602c5", getAccessTokenSessionID(&Policy{
+		From:     "https://from.example.com",
+		Response: &DirectResponse{Status: 204},
+	}, "TOKEN"))
+	assert.Equal(t, "4dff4540-493b-502a-bdec-2f346e6e480d", getIdentityTokenSessionID(&Policy{
+		From:     "https://from.example.com",
+		Response: &DirectResponse{Status: 204},
+	}, "TOKEN"))
+}