go/authboss
1
0
Fork 0
mirror of https://github.com/volatiletech/authboss.git synced 2024-11-24 08:42:17 +02:00
Code Issues Releases Activity
2eeaf342f9
authboss/client_state.go

342 lines
9.9 KiB
Go
Raw Normal View History

Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
package authboss
import (
"context"
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
"fmt"
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
"net/http"
)
const (
// SessionKey is the primarily used key by authboss.
SessionKey = "uid"
// SessionHalfAuthKey is used for sessions that have been authenticated by
// the remember module. This serves as a way to force full authentication
// by denying half-authed users acccess to sensitive areas.
SessionHalfAuthKey = "halfauth"
// SessionLastAction is the session key to retrieve the last action of a user.
SessionLastAction = "last_action"
Add totp2fa module
2018-08-23 06:34:38 +02:00
// Session2FA is set when a user has been authenticated with a second factor
Session2FA = "twofactor"
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
// SessionOAuth2State is the xsrf protection key for oauth.
SessionOAuth2State = "oauth2_state"
// SessionOAuth2Params is the additional settings for oauth like redirection/remember.
SessionOAuth2Params = "oauth2_params"
// CookieRemember is used for cookies and form input names.
CookieRemember = "rm"
// FlashSuccessKey is used for storing sucess flash messages on the session
FlashSuccessKey = "flash_success"
// FlashErrorKey is used for storing sucess flash messages on the session
FlashErrorKey = "flash_error"
)
// ClientStateEventKind is an enum.
type ClientStateEventKind int
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked
2018-02-01 03:07:11 +02:00
// ClientStateEvent kinds
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
const (
ClientStateEventPut ClientStateEventKind = iota
ClientStateEventDel
)
// ClientStateEvent are the different events that can be recorded during
type ClientStateEvent struct {
Kind ClientStateEventKind
Key string
Value string
}
// ClientStateReadWriter is used to create a cookie storer from an http request.
// Keep in mind security considerations for your implementation, Secure,
// HTTP-Only, etc flags.
//
// There's two major uses for this. To create session storage, and remember me
// cookies.
type ClientStateReadWriter interface {
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
// ReadState should return a map like structure allowing it to look up
// any values in the current session, or any cookie in the request
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
ReadState(*http.Request) (ClientState, error)
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
// WriteState can sometimes be called with a nil ClientState in the event
Fix breakages from last commit
2018-03-08 02:41:58 +02:00
// that no ClientState was read in from LoadClientState
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
WriteState(http.ResponseWriter, ClientState, []ClientStateEvent) error
}
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
// UnderlyingResponseWriter retrieves the response
// writer underneath the current one. This allows us
// to wrap and later discover the particular one that we want.
// Keep in mind this should not be used to call the normal methods
// of a responsewriter, just additional ones particular to that type
// because it's possible to introduce subtle bugs otherwise.
type UnderlyingResponseWriter interface {
UnderlyingResponseWriter() http.ResponseWriter
}
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
// ClientState represents the client's current state and can answer queries
// about it.
type ClientState interface {
Get(key string) (string, bool)
}
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked
2018-02-01 03:07:11 +02:00
// ClientStateResponseWriter is used to write out the client state at the last
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
// moment before the response code is written.
type ClientStateResponseWriter struct {
http.ResponseWriter
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
cookieStateRW ClientStateReadWriter
sessionStateRW ClientStateReadWriter
cookieState ClientState
sessionState ClientState
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
hasWritten bool
cookieStateEvents []ClientStateEvent
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
sessionStateEvents []ClientStateEvent
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
Fix tests back up again. - Remove a test that was obsoleted by optimizations. Not 100% sure this is correct, but it seems like if nothing has changed since the previous session/cookie read then we shouldn't need to write any new headers for them. This is especially true in the typical "I use cookies for everything" use case, but may not be true of other use cases... Remains to be seen. Since they're optimizations they should be able to removed "safely" later.
2018-02-15 01:16:44 +02:00
// LoadClientStateMiddleware wraps all requests with the ClientStateResponseWriter
// as well as loading the current client state into the context for use.
func (a *Authboss) LoadClientStateMiddleware(h http.Handler) http.Handler {
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
writer := a.NewResponse(w)
request, err := a.LoadClientState(writer, r)
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
if err != nil {
Fix error handling in client state middleware - Fix #181
2018-08-16 18:34:25 +02:00
logger := a.RequestLogger(r)
logger.Errorf("failed to load client state %+v", err)
w.WriteHeader(http.StatusInternalServerError)
return
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
}
h.ServeHTTP(writer, request)
})
}
Re(move) swaths of code - Document more things - Remove module code - Remove callbacks code - Remove data makers, flash messages, and context providers in exchange for middlewares that use context (unwritten) - Move more implementations (responses, redirector, router) to defaults package - Rename key interfaces (again), Storer -> User, StoreLoader -> ServerStorer (opposite of ClientStateStorer) if this is the last time I rename these I'll be shocked
2018-02-01 03:07:11 +02:00
// NewResponse wraps the ResponseWriter with a ClientStateResponseWriter
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
func (a *Authboss) NewResponse(w http.ResponseWriter) *ClientStateResponseWriter {
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
return &ClientStateResponseWriter{
ResponseWriter: w,
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
cookieStateRW: a.Config.Storage.CookieState,
sessionStateRW: a.Config.Storage.SessionState,
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
// LoadClientState loads the state from sessions and cookies into the ResponseWriter
// for later use.
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
func (a *Authboss) LoadClientState(w http.ResponseWriter, r *http.Request) (*http.Request, error) {
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
if a.Storage.SessionState != nil {
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
state, err := a.Storage.SessionState.ReadState(r)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
if err != nil {
return nil, err
Fix error handling in client state middleware - Fix #181
2018-08-16 18:34:25 +02:00
} else if state != nil {
c := MustClientStateResponseWriter(w)
c.sessionState = state
r = r.WithContext(context.WithValue(r.Context(), CTXKeySessionState, state))
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
}
Get tests working after latest refactors - Change changelog format to use keepachangelog standard - Refactor the config to be made of substructs to help organize all the pieces - Add the new interfaces to the configuration - Clean up module loading (no unnecessary reflection to create new value) - Change User interface to have a Get/SetPID not E-mail/Username, this way we don't ever have to refer to one or the other, we just always assume pid. In the case of Confirm/Recover we'll have to make a GetEmail or there won't be a way for us to get the e-mail to send to. - Delete the xsrf nonsense in the core
2018-02-02 01:42:48 +02:00
if a.Storage.CookieState != nil {
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
state, err := a.Storage.CookieState.ReadState(r)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
if err != nil {
return nil, err
Fix error handling in client state middleware - Fix #181
2018-08-16 18:34:25 +02:00
} else if state != nil {
c := MustClientStateResponseWriter(w)
c.cookieState = state
r = r.WithContext(context.WithValue(r.Context(), CTXKeyCookieState, state))
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
}
return r, nil
}
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
// MustClientStateResponseWriter tries to find a csrw inside the response
// writer by using the UnderlyingResponseWriter interface.
func MustClientStateResponseWriter(w http.ResponseWriter) *ClientStateResponseWriter {
for {
if c, ok := w.(*ClientStateResponseWriter); ok {
return c
}
if u, ok := w.(UnderlyingResponseWriter); ok {
w = u.UnderlyingResponseWriter()
continue
}
Change error message to be more clear
2018-08-16 17:01:29 +02:00
panic(fmt.Sprintf("ResponseWriter must be a ClientStateResponseWriter or UnderlyingResponseWriter in (see: authboss.LoadClientStateMiddleware): %T", w))
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
}
}
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
// WriteHeader writes the header, but in order to handle errors from the
// underlying ClientStateReadWriter, it has to panic.
func (c *ClientStateResponseWriter) WriteHeader(code int) {
if !c.hasWritten {
if err := c.putClientState(); err != nil {
panic(err)
}
}
c.ResponseWriter.WriteHeader(code)
}
// Header retrieves the underlying headers
func (c ClientStateResponseWriter) Header() http.Header {
return c.ResponseWriter.Header()
}
Fix tests back up again. - Remove a test that was obsoleted by optimizations. Not 100% sure this is correct, but it seems like if nothing has changed since the previous session/cookie read then we shouldn't need to write any new headers for them. This is especially true in the typical "I use cookies for everything" use case, but may not be true of other use cases... Remains to be seen. Since they're optimizations they should be able to removed "safely" later.
2018-02-15 01:16:44 +02:00
// Write ensures that the client state is written before any writes
// to the body occur (before header flush to http client)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
func (c *ClientStateResponseWriter) Write(b []byte) (int, error) {
if !c.hasWritten {
if err := c.putClientState(); err != nil {
return 0, err
}
}
return c.ResponseWriter.Write(b)
}
Fix tests back up again. - Remove a test that was obsoleted by optimizations. Not 100% sure this is correct, but it seems like if nothing has changed since the previous session/cookie read then we shouldn't need to write any new headers for them. This is especially true in the typical "I use cookies for everything" use case, but may not be true of other use cases... Remains to be seen. Since they're optimizations they should be able to removed "safely" later.
2018-02-15 01:16:44 +02:00
// UnderlyingResponseWriter for this instance
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
func (c *ClientStateResponseWriter) UnderlyingResponseWriter() http.ResponseWriter {
return c.ResponseWriter
}
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
func (c *ClientStateResponseWriter) putClientState() error {
if c.hasWritten {
panic("should not call putClientState twice")
}
c.hasWritten = true
Fix some inconsistencies in clientstate - Add a ClientStateMiddleware that loads the client state into the request context and prepares a ClientStateResponseWriter for downstream handlers - Clean up some of the handling around session and cookie state, for example don't write if there are no events to be processed - Redo the Defaultts() method for config to be useful again. - Prefix LogoutMethod with Auth to be consistent
2018-02-05 09:28:31 +02:00
if len(c.cookieStateEvents) == 0 && len(c.sessionStateEvents) == 0 {
return nil
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
if c.sessionStateRW != nil && len(c.sessionStateEvents) > 0 {
err := c.sessionStateRW.WriteState(c, c.sessionState, c.sessionStateEvents)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
if err != nil {
return err
}
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
if c.cookieStateRW != nil && len(c.cookieStateEvents) > 0 {
err := c.cookieStateRW.WriteState(c, c.cookieState, c.cookieStateEvents)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
if err != nil {
return err
}
}
return nil
}
Add totp2fa module
2018-08-23 06:34:38 +02:00
// IsFullyAuthed returns false if the user has a SessionHalfAuth
WIP
2018-07-17 16:09:38 +02:00
// in his session.
func IsFullyAuthed(r *http.Request) bool {
_, hasHalfAuth := GetSession(r, SessionHalfAuthKey)
return !hasHalfAuth
}
Add totp2fa module
2018-08-23 06:34:38 +02:00
// IsTwoFactored returns false if the user doesn't have a Session2FA
// in his session.
func IsTwoFactored(r *http.Request) bool {
_, has2fa := GetSession(r, Session2FA)
return has2fa
}
Finish TODOs
2018-03-09 23:11:08 +02:00
// DelKnownSession deletes all known session variables, effectively
// logging a user out.
func DelKnownSession(w http.ResponseWriter) {
DelSession(w, SessionKey)
DelSession(w, SessionHalfAuthKey)
Increase testing coverage. - Missed some actual tests, added them. - Added a bunch of useless tests to increase coverage. Guilty as charged.
2018-05-14 23:27:33 +02:00
DelSession(w, SessionLastAction)
Finish TODOs
2018-03-09 23:11:08 +02:00
}
// DelKnownCookie deletes all known cookie variables, which can be used
// to delete remember me pieces.
func DelKnownCookie(w http.ResponseWriter) {
DelCookie(w, CookieRemember)
}
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
// PutSession puts a value into the session
func PutSession(w http.ResponseWriter, key, val string) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
putState(w, CTXKeySessionState, key, val)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
// DelSession deletes a key-value from the session.
func DelSession(w http.ResponseWriter, key string) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
delState(w, CTXKeySessionState, key)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
// GetSession fetches a value from the session
func GetSession(r *http.Request, key string) (string, bool) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
return getState(r, CTXKeySessionState, key)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
// PutCookie puts a value into the session
func PutCookie(w http.ResponseWriter, key, val string) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
putState(w, CTXKeyCookieState, key, val)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
// DelCookie deletes a key-value from the session.
func DelCookie(w http.ResponseWriter, key string) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
delState(w, CTXKeyCookieState, key)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
// GetCookie fetches a value from the session
func GetCookie(r *http.Request, key string) (string, bool) {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
return getState(r, CTXKeyCookieState, key)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
func putState(w http.ResponseWriter, CTXKey contextKey, key, val string) {
setState(w, CTXKey, ClientStateEventPut, key, val)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
func delState(w http.ResponseWriter, CTXKey contextKey, key string) {
setState(w, CTXKey, ClientStateEventDel, key, "")
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
func setState(w http.ResponseWriter, ctxKey contextKey, op ClientStateEventKind, key, val string) {
Add ability to wrap responsewriters indefinitely
2018-01-29 21:35:47 +02:00
csrw := MustClientStateResponseWriter(w)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
ev := ClientStateEvent{
Kind: op,
Key: key,
}
if op == ClientStateEventPut {
ev.Value = val
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
switch ctxKey {
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
case CTXKeySessionState:
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
csrw.sessionStateEvents = append(csrw.sessionStateEvents, ev)
Move expiry module - Remove the errors from User interfaces
2018-02-15 00:18:03 +02:00
case CTXKeyCookieState:
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
csrw.cookieStateEvents = append(csrw.cookieStateEvents, ev)
}
}
Clean up context and client state - Remove extraneous http.ResponseWriter from all read-only queries against the request context (for the ClientState) - Instead of using a context.Context on the ClientStateResponseWriter just store variables for the things we'd like to store, it should be less expensive and it's much easier to work with and more clear. - Save the loaded client state into both the ResponseWriter itself and the Request context, the ResponseWriter will store them simply to send them into the WriteState() method later on, the Request will store them to be able to query data.
2018-03-08 02:21:37 +02:00
func getState(r *http.Request, ctxKey contextKey, key string) (string, bool) {
val := r.Context().Value(ctxKey)
Introduce new type of client storage - This addresses the problem of having to update multiple times during one request. It's hard to have a nice interface especially with JWT because you always end up having to decode the request, encode new response, write header, then a second write to it comes, and where do you grab the value from? Often you don't have access to the response as a "read" structure. So we store it as events instead, and play those events against the original data right before the response is written to set the headers.
2017-02-25 02:45:47 +02:00
if val == nil {
return "", false
}
state := val.(ClientState)
return state.Get(key)
}
// FlashSuccess returns FlashSuccessKey from the session and removes it.
func FlashSuccess(w http.ResponseWriter, r *http.Request) string {
str, ok := GetSession(r, FlashSuccessKey)
if !ok {
return ""
}
DelSession(w, FlashSuccessKey)
return str
}
// FlashError returns FlashError from the session and removes it.
func FlashError(w http.ResponseWriter, r *http.Request) string {
str, ok := GetSession(r, FlashErrorKey)
if !ok {
return ""
}
DelSession(w, FlashErrorKey)
return str
}
Reference in New Issue Copy Permalink