mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-03 20:36:03 +02:00
badd8d69af
These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
91 lines
2.5 KiB
Go
91 lines
2.5 KiB
Go
package sessions // import "github.com/pomerium/pomerium/internal/sessions"
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
)
|
|
|
|
// Context keys
|
|
var (
|
|
SessionCtxKey = &contextKey{"Session"}
|
|
ErrorCtxKey = &contextKey{"Error"}
|
|
)
|
|
|
|
// RetrieveSession will search for a auth session in a http request, in the order:
|
|
// 1. `pomerium_session` URI query parameter
|
|
// 2. `Authorization: BEARER` request header
|
|
// 3. Cookie `_pomerium` value
|
|
func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return retrieve(s...)(next)
|
|
}
|
|
}
|
|
|
|
func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
hfn := func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
state, err := retrieveFromRequest(r, s...)
|
|
ctx = NewContext(ctx, state, err)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
}
|
|
return http.HandlerFunc(hfn)
|
|
}
|
|
}
|
|
|
|
func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (*State, error) {
|
|
state := new(State)
|
|
var err error
|
|
|
|
// Extract sessions state from the request by calling token find functions in
|
|
// the order they where provided. Further extraction stops if a function
|
|
// returns a non-empty string.
|
|
for _, s := range sessions {
|
|
state, err = s.LoadSession(r)
|
|
if err != nil && !errors.Is(err, ErrNoSessionFound) {
|
|
// unexpected error
|
|
return nil, err
|
|
}
|
|
// break, we found a session state
|
|
if state != nil {
|
|
break
|
|
}
|
|
}
|
|
// no session found if state is still empty
|
|
if state == nil {
|
|
return nil, ErrNoSessionFound
|
|
}
|
|
|
|
if err = state.Valid(); err != nil {
|
|
// a little unusual but we want to return the expired state too
|
|
return state, err
|
|
}
|
|
|
|
return state, nil
|
|
}
|
|
|
|
// NewContext sets context values for the user session state and error.
|
|
func NewContext(ctx context.Context, t *State, err error) context.Context {
|
|
ctx = context.WithValue(ctx, SessionCtxKey, t)
|
|
ctx = context.WithValue(ctx, ErrorCtxKey, err)
|
|
return ctx
|
|
}
|
|
|
|
// FromContext retrieves context values for the user session state and error.
|
|
func FromContext(ctx context.Context) (*State, error) {
|
|
state, _ := ctx.Value(SessionCtxKey).(*State)
|
|
err, _ := ctx.Value(ErrorCtxKey).(error)
|
|
return state, err
|
|
}
|
|
|
|
// contextKey is a value for use with context.WithValue. It's used as
|
|
// a pointer so it fits in an interface{} without allocation. This technique
|
|
// for defining context keys was copied from Go 1.7's new use of context in net/http.
|
|
type contextKey struct {
|
|
name string
|
|
}
|
|
|
|
func (k *contextKey) String() string {
|
|
return "context value " + k.name
|
|
}
|