core/proxy: support loading sessions from headers and query string (#5294)

core/proxy: support loading sessions from headers and query string (#5291) * core/proxy: support loading sessions from headers and query string * update test Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2025-06-13 00:04:31 +02:00 · 2024-09-19 12:03:58 -06:00 · 2024-09-19 12:03:58 -06:00 · 8b6dc27a01
commit 8b6dc27a01
parent 3dadcf1825
8 changed files with 136 additions and 104 deletions
--- a/proxy/data.go
+++ b/proxy/data.go
@ -6,11 +6,8 @@ import (

 	"github.com/pomerium/csrf"
 	"github.com/pomerium/datasource/pkg/directory"
-	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/handlers/webauthn"
-	"github.com/pomerium/pomerium/internal/httputil"
-	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
@ -31,33 +28,12 @@ func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Se
 	return s, isImpersonated, err
 }

-func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) {
-	state := p.state.Load()
-
-	rawJWT, err := state.sessionStore.LoadSession(r)
-	if err != nil {
-		return sessions.State{}, err
-	}
-
-	encoder, err := jws.NewHS256Signer(state.sharedKey)
-	if err != nil {
-		return sessions.State{}, err
-	}
-
-	var sessionState sessions.State
-	if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil {
-		return sessions.State{}, httputil.NewError(http.StatusBadRequest, err)
-	}
-
-	return sessionState, nil
-}
-
 func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) {
 	client := p.state.Load().dataBrokerClient
 	return user.Get(ctx, client, userID)
 }

-func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) {
+func (p *Proxy) getUserInfoData(r *http.Request) handlers.UserInfoData {
 	options := p.currentOptions.Load()
 	state := p.state.Load()

@ -66,7 +42,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
 		BrandingOptions: options.BrandingOptions,
 	}

-	ss, err := p.getSessionState(r)
+	ss, err := p.state.Load().sessionStore.LoadSessionState(r)
 	if err == nil {
 		data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID)
 		if err != nil {
@ -82,7 +58,7 @@ func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error)
 	data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r)
 	data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query())
 	p.fillEnterpriseUserInfoData(r.Context(), &data)
-	return data, nil
+	return data
 }

 func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) {
@ -109,7 +85,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
 	options := p.currentOptions.Load()
 	state := p.state.Load()

-	ss, err := p.getSessionState(r)
+	ss, err := p.state.Load().sessionStore.LoadSessionState(r)
 	if err != nil {
 		return nil, err
 	}
@ -135,7 +111,7 @@ func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
 		SharedKey:               state.sharedKey,
 		Client:                  state.dataBrokerClient,
 		Session:                 s,
-		SessionState:            &ss,
+		SessionState:            ss,
 		SessionStore:            state.sessionStore,
 		RelyingParty:            webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
 		BrandingOptions:         options.BrandingOptions,