core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291) * core/proxy: support loading sessions from headers and query string * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-06-15 01:02:54 +02:00 · 2024-09-19 12:03:58 -06:00 · 2024-09-19 12:03:58 -06:00 · 8b6dc27a01
commit 8b6dc27a01
parent 3dadcf1825
8 changed files with 136 additions and 104 deletions
--- a/config/session.go
+++ b/config/session.go
@ -15,11 +15,14 @@ import (

 // A SessionStore saves and loads sessions based on the options.
 type SessionStore struct {
+	store   sessions.SessionStore
+	loader  sessions.SessionLoader
 	options *Options
 	encoder encoding.MarshalUnmarshaler
-	loader  sessions.SessionLoader
 }

+var _ sessions.SessionStore = (*SessionStore)(nil)
+
 // NewSessionStore creates a new SessionStore from the Options.
 func NewSessionStore(options *Options) (*SessionStore, error) {
 	store := &SessionStore{
@ -36,7 +39,7 @@ func NewSessionStore(options *Options) (*SessionStore, error) {
 		return nil, fmt.Errorf("config/sessions: invalid session encoder: %w", err)
 	}

-	cookieStore, err := cookie.NewStore(func() cookie.Options {
+	store.store, err = cookie.NewStore(func() cookie.Options {
 		return cookie.Options{
 			Name:     options.CookieName,
 			Domain:   options.CookieDomain,
@ -51,11 +54,21 @@ func NewSessionStore(options *Options) (*SessionStore, error) {
 	}
 	headerStore := header.NewStore(store.encoder)
 	queryParamStore := queryparam.NewStore(store.encoder, urlutil.QuerySession)
-	store.loader = sessions.MultiSessionLoader(cookieStore, headerStore, queryParamStore)
+	store.loader = sessions.MultiSessionLoader(store.store, headerStore, queryParamStore)

 	return store, nil
 }

+// ClearSession clears the session.
+func (store *SessionStore) ClearSession(w http.ResponseWriter, r *http.Request) {
+	store.store.ClearSession(w, r)
+}
+
+// LoadSession loads the session.
+func (store *SessionStore) LoadSession(r *http.Request) (string, error) {
+	return store.loader.LoadSession(r)
+}
+
 // LoadSessionState loads the session state from a request.
 func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, error) {
 	rawJWT, err := store.loader.LoadSession(r)
@ -69,6 +82,16 @@ func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, e
 		return nil, err
 	}

+	return &state, nil
+}
+
+// LoadSessionStateAndCheckIDP loads the session state from a request and checks that the idp id matches.
+func (store *SessionStore) LoadSessionStateAndCheckIDP(r *http.Request) (*sessions.State, error) {
+	state, err := store.LoadSessionState(r)
+	if err != nil {
+		return nil, err
+	}
+
 	// confirm that the identity provider id matches the state
 	if state.IdentityProviderID != "" {
 		idp, err := store.options.GetIdentityProviderForRequestURL(urlutil.GetAbsoluteURL(r).String())
@ -82,5 +105,10 @@ func (store *SessionStore) LoadSessionState(r *http.Request) (*sessions.State, e
 		}
 	}

-	return &state, nil
+	return state, nil
+}
+
+// SaveSession saves the session.
+func (store *SessionStore) SaveSession(w http.ResponseWriter, r *http.Request, v any) error {
+	return store.store.SaveSession(w, r, v)
 }