Remember now properly regenerates tokens on use.

2025-09-16 09:06:20 +02:00 · 2015-03-01 20:40:09 -08:00
parent a7a67981ce
commit 21c35ac1d5
6 changed files with 34 additions and 22 deletions
--- a/authboss.go
+++ b/authboss.go
@@ -26,20 +26,24 @@ func Init() error {

 // CurrentUser retrieves the current user from the session and the database.
 func CurrentUser(w http.ResponseWriter, r *http.Request) (interface{}, error) {
-	sessions := Cfg.SessionStoreMaker(w, r)
-	cookies := Cfg.CookieStoreMaker(w, r)
-	key, ok := sessions.Get(SessionKey)
-	if !ok {
-		return nil, nil
-	}
-
 	ctx, err := ContextFromRequest(r)
 	if err != nil {
 		return nil, err
 	}

-	ctx.SessionStorer = clientStoreWrapper{sessions}
-	ctx.CookieStorer = clientStoreWrapper{cookies}
+	ctx.SessionStorer = clientStoreWrapper{Cfg.SessionStoreMaker(w, r)}
+	ctx.CookieStorer = clientStoreWrapper{Cfg.CookieStoreMaker(w, r)}
+
+	_, err = Cfg.Callbacks.FireBefore(EventGetUserSession, ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	key, ok := ctx.SessionStorer.Get(SessionKey)
+	if !ok {
+		return nil, nil
+	}
+
 	err = ctx.LoadUser(key)
 	if err != nil {
 		return nil, err
--- a/authboss_test.go
+++ b/authboss_test.go
@@ -28,6 +28,9 @@ func TestAuthBossCurrentUser(t *testing.T) {
 	Cfg.SessionStoreMaker = func(_ http.ResponseWriter, _ *http.Request) ClientStorer {
 		return mockClientStore{SessionKey: "joe"}
 	}
+	Cfg.CookieStoreMaker = func(_ http.ResponseWriter, _ *http.Request) ClientStorer {
+		return mockClientStore{}
+	}

 	if err := Init(); err != nil {
 		t.Error("Unexpected error:", err)
--- a/callbacks.go
+++ b/callbacks.go
@@ -17,11 +17,12 @@ const (
 	EventRecoverStart
 	EventRecoverEnd
 	EventGet
+	EventGetUserSession
 )

-const eventNames = "EventRegisterEventAuthEventAuthFailEventRecoverStartEventRecoverEndEventGet"
+const eventNames = "EventRegisterEventAuthEventAuthFailEventRecoverStartEventRecoverEndEventGetEventGetUserSession"

-var eventIndexes = [...]uint8{0, 13, 22, 35, 52, 67, 75}
+var eventIndexes = [...]uint8{0, 13, 22, 35, 52, 67, 75, 94}

 func (i Event) String() string {
 	if i < 0 || i+1 >= Event(len(eventIndexes)) {
--- a/callbacks_test.go
+++ b/callbacks_test.go
@@ -164,6 +164,7 @@ func TestEventString(t *testing.T) {
 		{EventRecoverStart, "EventRecoverStart"},
 		{EventRecoverEnd, "EventRecoverEnd"},
 		{EventGet, "EventGet"},
+		{EventGetUserSession, "EventGetUserSession"},
 	}

 	for i, test := range tests {
--- a/remember/remember.go
+++ b/remember/remember.go
@@ -10,7 +10,6 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"log"

 	"gopkg.in/authboss.v0"
 )
@@ -56,7 +55,7 @@ func (r *Remember) Initialize() error {
 		return errors.New("remember: TokenStorer required for remember me functionality")
 	}

-	authboss.Cfg.Callbacks.Before(authboss.EventGet, r.auth)
+	authboss.Cfg.Callbacks.Before(authboss.EventGetUserSession, r.auth)
 	authboss.Cfg.Callbacks.After(authboss.EventAuth, r.afterAuth)

 	return nil
@@ -121,8 +120,7 @@ func (r *Remember) new(cstorer authboss.ClientStorer, storageKey string) (string

 // auth takes a token that was given to a user and checks to see if something
 // is matching in the database. If something is found the old token is deleted
-// and a new one should be generated. The return value is the key of the
-// record who owned this token.
+// and a new one should be generated.
 func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {
 	if val, ok := ctx.SessionStorer.Get(authboss.SessionKey); ok || len(val) > 0 {
 		return authboss.InterruptNone, nil
@@ -133,15 +131,11 @@ func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {
 		return authboss.InterruptNone, nil
 	}

-	log.Println("finalToken", finalToken)
-
 	token, err := base64.URLEncoding.DecodeString(finalToken)
 	if err != nil {
 		return authboss.InterruptNone, err
 	}

-	log.Println("token", token)
-
 	index := bytes.IndexByte(token, ';')
 	if index < 0 {
 		return authboss.InterruptNone, errors.New("remember: Invalid remember me token.")
@@ -149,23 +143,26 @@ func (r *Remember) auth(ctx *authboss.Context) (authboss.Interrupt, error) {

 	// Get the key.
 	givenKey := token[:index]
-	log.Println("key", givenKey)

 	// Verify the tokens match.
 	sum := md5.Sum(token)

 	key, err := authboss.Cfg.Storer.(TokenStorer).UseToken(string(givenKey), base64.StdEncoding.EncodeToString(sum[:]))
-	log.Println("lookup", key, err)
 	if err == authboss.ErrTokenNotFound {
 		return authboss.InterruptNone, nil
 	} else if err != nil {
 		return authboss.InterruptNone, err
 	}

+	_, err = r.new(ctx.CookieStorer, string(key))
+	if err != nil {
+		return authboss.InterruptNone, err
+	}
+
 	// Ensure a half-auth.
 	ctx.SessionStorer.Put(authboss.SessionHalfAuthKey, "true")
 	// Log the user in.
-	ctx.SessionStorer.Put(authboss.SessionKey, string(givenKey))
+	ctx.SessionStorer.Put(authboss.SessionKey, string(key))

 	return authboss.InterruptNone, nil
 }
--- a/remember/remember_test.go
+++ b/remember/remember_test.go
@@ -111,6 +111,8 @@ func TestAuth(t *testing.T) {
 		t.Error("Unexpected error:", err)
 	}

+	cookie, _ := cookies.Get(RememberKey)
+
 	interrupt, err := r.auth(ctx)
 	if err != nil {
 		t.Error("Unexpected error:", err)
@@ -124,6 +126,10 @@ func TestAuth(t *testing.T) {
 		t.Error("The user should have been logged in.")
 	}

+	if chocolateChip, _ := cookies.Get(RememberKey); chocolateChip == cookie {
+		t.Error("Expected cookie to be different")
+	}
+
 	if authboss.InterruptNone != interrupt {
 		t.Error("Keys should have matched:", interrupt)
 	}