internal/sessions: refactor how sessions loading (#351)

These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-08-03 00:40:25 +02:00 · 2019-10-06 10:47:53 -07:00 · 2019-10-06 10:47:53 -07:00 · badd8d69af
commit badd8d69af
parent 7aa4621b1b
13 changed files with 322 additions and 234 deletions
--- a/internal/sessions/header_store.go
+++ b/internal/sessions/header_store.go
@ -0,0 +1,61 @@
+package sessions // import "github.com/pomerium/pomerium/internal/sessions"
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/pomerium/pomerium/internal/cryptutil"
+)
+
+const (
+	// defaultAuthHeader and defaultAuthType are default header name for the
+	// authorization bearer  token header as defined in rfc2617
+	// https://tools.ietf.org/html/rfc6750#section-2.1
+	defaultAuthHeader = "Authorization"
+	defaultAuthType   = "Bearer"
+)
+
+// HeaderStore implements the load session store interface using http
+// authorization headers.
+type HeaderStore struct {
+	authHeader string
+	authType   string
+	encoder    cryptutil.SecureEncoder
+}
+
+// NewHeaderStore returns a new header store for loading sessions from
+// authorization headers.
+func NewHeaderStore(enc cryptutil.SecureEncoder) *HeaderStore {
+	return &HeaderStore{
+		authHeader: defaultAuthHeader,
+		authType:   defaultAuthType,
+		encoder:    enc,
+	}
+}
+
+// LoadSession tries to retrieve the token string from the Authorization header.
+//
+// NOTA BENE: While most servers do not log Authorization headers by default,
+// you should ensure no other services are logging or leaking your auth headers.
+func (as *HeaderStore) LoadSession(r *http.Request) (*State, error) {
+	cipherText := as.tokenFromHeader(r)
+	if cipherText == "" {
+		return nil, ErrNoSessionFound
+	}
+	session, err := UnmarshalSession(cipherText, as.encoder)
+	if err != nil {
+		return nil, ErrMalformed
+	}
+	return session, nil
+
+}
+
+// retrieve the value of the authorization header
+func (as *HeaderStore) tokenFromHeader(r *http.Request) string {
+	bearer := r.Header.Get(as.authHeader)
+	atSize := len(as.authType)
+	if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], as.authType) {
+		return bearer[atSize+1:]
+	}
+	return ""
+}