mirror of
https://github.com/volatiletech/authboss.git
synced 2025-09-16 09:06:20 +02:00
Fix expire token shenanigans
- Add session and cookie cleanup on logout
This commit is contained in:
Kris Runzer
@@ -148,6 +148,9 @@ func (a *Auth) logoutHandlerFunc(ctx *authboss.Context, w http.ResponseWriter, r
|
|||||||
switch r.Method {
|
switch r.Method {
|
||||||
case methodGET:
|
case methodGET:
|
||||||
ctx.SessionStorer.Del(authboss.SessionKey)
|
ctx.SessionStorer.Del(authboss.SessionKey)
|
||||||
|
ctx.CookieStorer.Del(authboss.CookieRemember)
|
||||||
|
ctx.SessionStorer.Del(authboss.SessionLastAction)
|
||||||
|
|
||||||
http.Redirect(w, r, authboss.Cfg.AuthLogoutOKPath, http.StatusFound)
|
http.Redirect(w, r, authboss.Cfg.AuthLogoutOKPath, http.StatusFound)
|
||||||
default:
|
default:
|
||||||
w.WriteHeader(http.StatusMethodNotAllowed)
|
w.WriteHeader(http.StatusMethodNotAllowed)
|
||||||
|
|||||||
@@ -306,15 +306,26 @@ func TestAuth_logoutHandlerFunc_GET(t *testing.T) {
|
|||||||
authboss.Cfg.AuthLogoutOKPath = "/dashboard"
|
authboss.Cfg.AuthLogoutOKPath = "/dashboard"
|
||||||
|
|
||||||
ctx, w, r, sessionStorer := testRequest("GET")
|
ctx, w, r, sessionStorer := testRequest("GET")
|
||||||
|
|
||||||
sessionStorer.Put(authboss.SessionKey, "asdf")
|
sessionStorer.Put(authboss.SessionKey, "asdf")
|
||||||
|
sessionStorer.Put(authboss.SessionLastAction, "1234")
|
||||||
|
|
||||||
|
cookieStorer := mocks.NewMockClientStorer(authboss.CookieRemember, "qwert")
|
||||||
|
ctx.CookieStorer = cookieStorer
|
||||||
|
|
||||||
if err := a.logoutHandlerFunc(ctx, w, r); err != nil {
|
if err := a.logoutHandlerFunc(ctx, w, r); err != nil {
|
||||||
t.Error("Unexpected error:", err)
|
t.Error("Unexpected error:", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, ok := sessionStorer.Get(authboss.SessionKey); ok {
|
if val, ok := sessionStorer.Get(authboss.SessionKey); ok {
|
||||||
t.Errorf("Expected to be logged out")
|
t.Errorf("Unexpected session key:", val)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val, ok := sessionStorer.Get(authboss.SessionLastAction); ok {
|
||||||
|
t.Errorf("Unexpected last action:", val)
|
||||||
|
}
|
||||||
|
|
||||||
|
if val, ok := cookieStorer.Get(authboss.CookieRemember); ok {
|
||||||
|
t.Errorf("Unexpected rm cookie:", val)
|
||||||
}
|
}
|
||||||
|
|
||||||
if http.StatusFound != w.Code {
|
if http.StatusFound != w.Code {
|
||||||
|
|||||||
@@ -12,6 +12,9 @@ const (
|
|||||||
// SessionLastAction is the session key to retrieve the last action of a user.
|
// SessionLastAction is the session key to retrieve the last action of a user.
|
||||||
SessionLastAction = "last_action"
|
SessionLastAction = "last_action"
|
||||||
|
|
||||||
|
// CookieRemember is used for cookies and form input names.
|
||||||
|
CookieRemember = "rm"
|
||||||
|
|
||||||
// FlashSuccessKey is used for storing sucess flash messages on the session
|
// FlashSuccessKey is used for storing sucess flash messages on the session
|
||||||
FlashSuccessKey = "flash_success"
|
FlashSuccessKey = "flash_success"
|
||||||
// FlashErrorKey is used for storing sucess flash messages on the session
|
// FlashErrorKey is used for storing sucess flash messages on the session
|
||||||
|
|||||||
@@ -56,10 +56,11 @@ func (m expireMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
session := Cfg.SessionStoreMaker(w, r)
|
session := Cfg.SessionStoreMaker(w, r)
|
||||||
if _, ok := session.Get(SessionKey); ok {
|
if _, ok := session.Get(SessionKey); ok {
|
||||||
ttl := timeToExpiry(session)
|
ttl := timeToExpiry(session)
|
||||||
if ttl != 0 {
|
if ttl == 0 {
|
||||||
refreshExpiry(session)
|
|
||||||
} else {
|
|
||||||
session.Del(SessionKey)
|
session.Del(SessionKey)
|
||||||
|
session.Del(SessionLastAction)
|
||||||
|
} else {
|
||||||
|
refreshExpiry(session)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -36,6 +36,10 @@ func TestDudeIsExpired(t *testing.T) {
|
|||||||
if key, ok := session.Get(SessionKey); ok {
|
if key, ok := session.Get(SessionKey); ok {
|
||||||
t.Error("Unexpcted session key:", key)
|
t.Error("Unexpcted session key:", key)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if key, ok := session.Get(SessionLastAction); ok {
|
||||||
|
t.Error("Unexpcted last action key:", key)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDudeIsNotExpired(t *testing.T) {
|
func TestDudeIsNotExpired(t *testing.T) {
|
||||||
|
|||||||
@@ -15,8 +15,6 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
// RememberKey is used for cookies and form input names.
|
|
||||||
RememberKey = "rm"
|
|
||||||
nRandBytes = 32
|
nRandBytes = 32
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -71,7 +69,7 @@ func (r *Remember) Storage() authboss.StorageOptions {
|
|||||||
|
|
||||||
// afterAuth is called after authentication is successful.
|
// afterAuth is called after authentication is successful.
|
||||||
func (r *Remember) afterAuth(ctx *authboss.Context) error {
|
func (r *Remember) afterAuth(ctx *authboss.Context) error {
|
||||||
if val, ok := ctx.FirstPostFormValue(RememberKey); !ok || val != "true" {
|
if val, ok := ctx.FirstPostFormValue(authboss.CookieRemember); !ok || val != "true" {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -113,7 +111,7 @@ func (r *Remember) new(cstorer authboss.ClientStorer, storageKey string) (string
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Write the finalToken to the cookie
|
// Write the finalToken to the cookie
|
||||||
cstorer.Put(RememberKey, finalToken)
|
cstorer.Put(authboss.CookieRemember, finalToken)
|
||||||
|
|
||||||
return finalToken, nil
|
return finalToken, nil
|
||||||
}
|
}
|
||||||
@@ -126,7 +124,7 @@ func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {
|
|||||||
return authboss.InterruptNone, nil
|
return authboss.InterruptNone, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
finalToken, ok := ctx.CookieStorer.Get(RememberKey)
|
finalToken, ok := ctx.CookieStorer.Get(authboss.CookieRemember)
|
||||||
if !ok {
|
if !ok {
|
||||||
return authboss.InterruptNone, nil
|
return authboss.InterruptNone, nil
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -59,7 +59,7 @@ func TestAfterAuth(t *testing.T) {
|
|||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
if _, ok := cookies.Values[RememberKey]; !ok {
|
if _, ok := cookies.Values[authboss.CookieRemember]; !ok {
|
||||||
t.Error("Expected a cookie to have been set.")
|
t.Error("Expected a cookie to have been set.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -88,7 +88,7 @@ func TestNew(t *testing.T) {
|
|||||||
t.Error("Expected a token to be saved.")
|
t.Error("Expected a token to be saved.")
|
||||||
}
|
}
|
||||||
|
|
||||||
if token != cookies.Values[RememberKey] {
|
if token != cookies.Values[authboss.CookieRemember] {
|
||||||
t.Error("Expected a cookie set with the token.")
|
t.Error("Expected a cookie set with the token.")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -111,7 +111,7 @@ func TestAuth(t *testing.T) {
|
|||||||
t.Error("Unexpected error:", err)
|
t.Error("Unexpected error:", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
cookie, _ := cookies.Get(RememberKey)
|
cookie, _ := cookies.Get(authboss.CookieRemember)
|
||||||
|
|
||||||
interrupt, err := r.auth(ctx)
|
interrupt, err := r.auth(ctx)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@@ -126,7 +126,7 @@ func TestAuth(t *testing.T) {
|
|||||||
t.Error("The user should have been logged in.")
|
t.Error("The user should have been logged in.")
|
||||||
}
|
}
|
||||||
|
|
||||||
if chocolateChip, _ := cookies.Get(RememberKey); chocolateChip == cookie {
|
if chocolateChip, _ := cookies.Get(authboss.CookieRemember); chocolateChip == cookie {
|
||||||
t.Error("Expected cookie to be different")
|
t.Error("Expected cookie to be different")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user