mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-05 12:23:03 +02:00
internal/sessions: refactor how sessions loading (#351)
These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone
GitHub
parent
7aa4621b1b
commit
badd8d69af
13 changed files with 322 additions and 234 deletions
|
|
@ -4,7 +4,6 @@ import (
|
|||
"context"
|
||||
"errors"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// Context keys
|
||||
|
|
@ -13,65 +12,56 @@ var (
|
|||
ErrorCtxKey = &contextKey{"Error"}
|
||||
)
|
||||
|
||||
// Library errors
|
||||
var (
|
||||
ErrExpired = errors.New("internal/sessions: session is expired")
|
||||
ErrNoSessionFound = errors.New("internal/sessions: session is not found")
|
||||
ErrMalformed = errors.New("internal/sessions: session is malformed")
|
||||
)
|
||||
|
||||
// RetrieveSession http middleware handler will verify a auth session from a http request.
|
||||
//
|
||||
// RetrieveSession will search for a auth session in a http request, in the order:
|
||||
// 1. `pomerium_session` URI query parameter
|
||||
// 2. `Authorization: BEARER` request header
|
||||
// 3. Cookie `_pomerium` value
|
||||
func RetrieveSession(s SessionStore) func(http.Handler) http.Handler {
|
||||
func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return retrieve(s, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
|
||||
return retrieve(s...)(next)
|
||||
}
|
||||
}
|
||||
|
||||
func retrieve(s SessionStore, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler {
|
||||
func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
hfn := func(w http.ResponseWriter, r *http.Request) {
|
||||
ctx := r.Context()
|
||||
token, err := retrieveFromRequest(s, r, findTokenFns...)
|
||||
ctx = NewContext(ctx, token, err)
|
||||
state, err := retrieveFromRequest(r, s...)
|
||||
ctx = NewContext(ctx, state, err)
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
}
|
||||
return http.HandlerFunc(hfn)
|
||||
}
|
||||
}
|
||||
|
||||
func retrieveFromRequest(s SessionStore, r *http.Request, findTokenFns ...func(r *http.Request) string) (*State, error) {
|
||||
var tokenStr string
|
||||
func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (*State, error) {
|
||||
state := new(State)
|
||||
var err error
|
||||
|
||||
// Extract token string from the request by calling token find functions in
|
||||
// Extract sessions state from the request by calling token find functions in
|
||||
// the order they where provided. Further extraction stops if a function
|
||||
// returns a non-empty string.
|
||||
for _, fn := range findTokenFns {
|
||||
tokenStr = fn(r)
|
||||
if tokenStr != "" {
|
||||
for _, s := range sessions {
|
||||
state, err = s.LoadSession(r)
|
||||
if err != nil && !errors.Is(err, ErrNoSessionFound) {
|
||||
// unexpected error
|
||||
return nil, err
|
||||
}
|
||||
// break, we found a session state
|
||||
if state != nil {
|
||||
break
|
||||
}
|
||||
}
|
||||
if tokenStr == "" {
|
||||
// no session found if state is still empty
|
||||
if state == nil {
|
||||
return nil, ErrNoSessionFound
|
||||
}
|
||||
|
||||
state, err := s.LoadSession(r)
|
||||
if err != nil {
|
||||
return nil, ErrMalformed
|
||||
}
|
||||
err = state.Valid()
|
||||
if err != nil {
|
||||
if err = state.Valid(); err != nil {
|
||||
// a little unusual but we want to return the expired state too
|
||||
return state, err
|
||||
}
|
||||
|
||||
// Valid!
|
||||
return state, nil
|
||||
}
|
||||
|
||||
|
|
@ -89,35 +79,6 @@ func FromContext(ctx context.Context) (*State, error) {
|
|||
return state, err
|
||||
}
|
||||
|
||||
// TokenFromCookie tries to retrieve the token string from a cookie named
|
||||
// "_pomerium".
|
||||
func TokenFromCookie(r *http.Request) string {
|
||||
cookie, err := r.Cookie("_pomerium")
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
return cookie.Value
|
||||
}
|
||||
|
||||
// TokenFromHeader tries to retrieve the token string from the
|
||||
// "Authorization" request header: "Authorization: BEARER T".
|
||||
func TokenFromHeader(r *http.Request) string {
|
||||
// Get token from authorization header.
|
||||
bearer := r.Header.Get("Authorization")
|
||||
if len(bearer) > 7 && strings.EqualFold(bearer[0:6], "BEARER") {
|
||||
return bearer[7:]
|
||||
}
|
||||
return ""
|
||||
}
|
||||
|
||||
// TokenFromQuery tries to retrieve the token string from the "pomerium_session" URI
|
||||
// query parameter.
|
||||
// todo(bdd) : document setting session code as queryparam
|
||||
func TokenFromQuery(r *http.Request) string {
|
||||
// Get token from query param named "pomerium_session".
|
||||
return r.URL.Query().Get("pomerium_session")
|
||||
}
|
||||
|
||||
// contextKey is a value for use with context.WithValue. It's used as
|
||||
// a pointer so it fits in an interface{} without allocation. This technique
|
||||
// for defining context keys was copied from Go 1.7's new use of context in net/http.
|
||||
|
|
@ -126,5 +87,5 @@ type contextKey struct {
|
|||
}
|
||||
|
||||
func (k *contextKey) String() string {
|
||||
return "SessionStore context value " + k.name
|
||||
return "context value " + k.name
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue