mirror of
https://github.com/pomerium/pomerium.git
synced 2025-07-24 20:18:13 +02:00
badd8d69af
These chagnes standardize how session loading is done for session cookie, auth bearer token, and query params. - Bearer token previously combined with session cookie. - rearranged cookie-store to put exported methods above unexported - added header store that implements session loader interface - added query param store that implements session loader interface Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
61 lines
1.7 KiB
Go
61 lines
1.7 KiB
Go
package sessions // import "github.com/pomerium/pomerium/internal/sessions"
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
)
|
|
|
|
const (
|
|
// defaultAuthHeader and defaultAuthType are default header name for the
|
|
// authorization bearer token header as defined in rfc2617
|
|
// https://tools.ietf.org/html/rfc6750#section-2.1
|
|
defaultAuthHeader = "Authorization"
|
|
defaultAuthType = "Bearer"
|
|
)
|
|
|
|
// HeaderStore implements the load session store interface using http
|
|
// authorization headers.
|
|
type HeaderStore struct {
|
|
authHeader string
|
|
authType string
|
|
encoder cryptutil.SecureEncoder
|
|
}
|
|
|
|
// NewHeaderStore returns a new header store for loading sessions from
|
|
// authorization headers.
|
|
func NewHeaderStore(enc cryptutil.SecureEncoder) *HeaderStore {
|
|
return &HeaderStore{
|
|
authHeader: defaultAuthHeader,
|
|
authType: defaultAuthType,
|
|
encoder: enc,
|
|
}
|
|
}
|
|
|
|
// LoadSession tries to retrieve the token string from the Authorization header.
|
|
//
|
|
// NOTA BENE: While most servers do not log Authorization headers by default,
|
|
// you should ensure no other services are logging or leaking your auth headers.
|
|
func (as *HeaderStore) LoadSession(r *http.Request) (*State, error) {
|
|
cipherText := as.tokenFromHeader(r)
|
|
if cipherText == "" {
|
|
return nil, ErrNoSessionFound
|
|
}
|
|
session, err := UnmarshalSession(cipherText, as.encoder)
|
|
if err != nil {
|
|
return nil, ErrMalformed
|
|
}
|
|
return session, nil
|
|
|
|
}
|
|
|
|
// retrieve the value of the authorization header
|
|
func (as *HeaderStore) tokenFromHeader(r *http.Request) string {
|
|
bearer := r.Header.Get(as.authHeader)
|
|
atSize := len(as.authType)
|
|
if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], as.authType) {
|
|
return bearer[atSize+1:]
|
|
}
|
|
return ""
|
|
}
|