mirror of
https://github.com/volatiletech/authboss.git
synced 2024-11-28 08:58:38 +02:00
393 lines
12 KiB
Go
393 lines
12 KiB
Go
package authboss
|
|
|
|
import (
|
|
"bufio"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
const (
|
|
// SessionKey is the primarily used key by authboss.
|
|
SessionKey = "uid"
|
|
// SessionHalfAuthKey is used for sessions that have been authenticated by
|
|
// the remember module. This serves as a way to force full authentication
|
|
// by denying half-authed users acccess to sensitive areas.
|
|
SessionHalfAuthKey = "halfauth"
|
|
// SessionLastAction is the session key to retrieve the
|
|
// last action of a user.
|
|
SessionLastAction = "last_action"
|
|
// Session2FA is set when a user has been authenticated with a second factor
|
|
Session2FA = "twofactor"
|
|
// Session2FAAuthToken is a random token set in the session to be verified
|
|
// by e-mail.
|
|
Session2FAAuthToken = "twofactor_auth_token"
|
|
// Session2FAAuthed is in the session (and set to "true") when the user
|
|
// has successfully verified the token sent via e-mail in the two factor
|
|
// e-mail authentication process.
|
|
Session2FAAuthed = "twofactor_authed"
|
|
// SessionOAuth2State is the xsrf protection key for oauth.
|
|
SessionOAuth2State = "oauth2_state"
|
|
// SessionOAuth2Params is the additional settings for oauth
|
|
// like redirection/remember.
|
|
SessionOAuth2Params = "oauth2_params"
|
|
|
|
// CookieRemember is used for cookies and form input names.
|
|
CookieRemember = "rm"
|
|
|
|
// FlashSuccessKey is used for storing sucess flash messages on the session
|
|
FlashSuccessKey = "flash_success"
|
|
// FlashErrorKey is used for storing sucess flash messages on the session
|
|
FlashErrorKey = "flash_error"
|
|
)
|
|
|
|
// ClientStateEventKind is an enum.
|
|
type ClientStateEventKind int
|
|
|
|
// ClientStateEvent kinds
|
|
const (
|
|
// ClientStateEventPut means you should put the key-value pair into the
|
|
// client state.
|
|
ClientStateEventPut ClientStateEventKind = iota
|
|
// ClientStateEventPut means you should delete the key-value pair from the
|
|
// client state.
|
|
ClientStateEventDel
|
|
// ClientStateEventDelAll means you should delete EVERY key-value pair from
|
|
// the client state - though a whitelist of keys that should not be deleted
|
|
// may be passed through as a comma separated list of keys in
|
|
// the ClientStateEvent.Key field.
|
|
ClientStateEventDelAll
|
|
)
|
|
|
|
// ClientStateEvent are the different events that can be recorded during
|
|
// a request.
|
|
type ClientStateEvent struct {
|
|
Kind ClientStateEventKind
|
|
Key string
|
|
Value string
|
|
}
|
|
|
|
// ClientStateReadWriter is used to create a cookie storer from an http request.
|
|
// Keep in mind security considerations for your implementation, Secure,
|
|
// HTTP-Only, etc flags.
|
|
//
|
|
// There's two major uses for this. To create session storage, and remember me
|
|
// cookies.
|
|
type ClientStateReadWriter interface {
|
|
// ReadState should return a map like structure allowing it to look up
|
|
// any values in the current session, or any cookie in the request
|
|
ReadState(*http.Request) (ClientState, error)
|
|
// WriteState can sometimes be called with a nil ClientState in the event
|
|
// that no ClientState was read in from LoadClientState
|
|
WriteState(http.ResponseWriter, ClientState, []ClientStateEvent) error
|
|
}
|
|
|
|
// UnderlyingResponseWriter retrieves the response
|
|
// writer underneath the current one. This allows us
|
|
// to wrap and later discover the particular one that we want.
|
|
// Keep in mind this should not be used to call the normal methods
|
|
// of a responsewriter, just additional ones particular to that type
|
|
// because it's possible to introduce subtle bugs otherwise.
|
|
type UnderlyingResponseWriter interface {
|
|
UnderlyingResponseWriter() http.ResponseWriter
|
|
}
|
|
|
|
// ClientState represents the client's current state and can answer queries
|
|
// about it.
|
|
type ClientState interface {
|
|
Get(key string) (string, bool)
|
|
}
|
|
|
|
// ClientStateResponseWriter is used to write out the client state at the last
|
|
// moment before the response code is written.
|
|
type ClientStateResponseWriter struct {
|
|
http.ResponseWriter
|
|
|
|
cookieStateRW ClientStateReadWriter
|
|
sessionStateRW ClientStateReadWriter
|
|
|
|
cookieState ClientState
|
|
sessionState ClientState
|
|
|
|
hasWritten bool
|
|
cookieStateEvents []ClientStateEvent
|
|
sessionStateEvents []ClientStateEvent
|
|
}
|
|
|
|
// LoadClientStateMiddleware wraps all requests with the
|
|
// ClientStateResponseWriter as well as loading the current client
|
|
// state into the context for use.
|
|
func (a *Authboss) LoadClientStateMiddleware(h http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
writer := a.NewResponse(w)
|
|
request, err := a.LoadClientState(writer, r)
|
|
if err != nil {
|
|
logger := a.RequestLogger(r)
|
|
logger.Errorf("failed to load client state %+v", err)
|
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
h.ServeHTTP(writer, request)
|
|
})
|
|
}
|
|
|
|
// NewResponse wraps the ResponseWriter with a ClientStateResponseWriter
|
|
func (a *Authboss) NewResponse(w http.ResponseWriter) *ClientStateResponseWriter {
|
|
return &ClientStateResponseWriter{
|
|
ResponseWriter: w,
|
|
cookieStateRW: a.Config.Storage.CookieState,
|
|
sessionStateRW: a.Config.Storage.SessionState,
|
|
}
|
|
}
|
|
|
|
// LoadClientState loads the state from sessions and cookies
|
|
// into the ResponseWriter for later use.
|
|
func (a *Authboss) LoadClientState(w http.ResponseWriter, r *http.Request) (*http.Request, error) {
|
|
if a.Storage.SessionState != nil {
|
|
state, err := a.Storage.SessionState.ReadState(r)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if state != nil {
|
|
c := MustClientStateResponseWriter(w)
|
|
c.sessionState = state
|
|
r = r.WithContext(context.WithValue(r.Context(), CTXKeySessionState, state))
|
|
}
|
|
}
|
|
if a.Storage.CookieState != nil {
|
|
state, err := a.Storage.CookieState.ReadState(r)
|
|
if err != nil {
|
|
return nil, err
|
|
} else if state != nil {
|
|
c := MustClientStateResponseWriter(w)
|
|
c.cookieState = state
|
|
r = r.WithContext(context.WithValue(r.Context(), CTXKeyCookieState, state))
|
|
}
|
|
}
|
|
|
|
return r, nil
|
|
}
|
|
|
|
// MustClientStateResponseWriter tries to find a csrw inside the response
|
|
// writer by using the UnderlyingResponseWriter interface.
|
|
func MustClientStateResponseWriter(w http.ResponseWriter) *ClientStateResponseWriter {
|
|
for {
|
|
if c, ok := w.(*ClientStateResponseWriter); ok {
|
|
return c
|
|
}
|
|
|
|
if u, ok := w.(UnderlyingResponseWriter); ok {
|
|
w = u.UnderlyingResponseWriter()
|
|
continue
|
|
}
|
|
|
|
panic(fmt.Sprintf("ResponseWriter must be a ClientStateResponseWriter or UnderlyingResponseWriter in (see: authboss.LoadClientStateMiddleware): %T", w))
|
|
}
|
|
}
|
|
|
|
// WriteHeader writes the header, but in order to handle errors from the
|
|
// underlying ClientStateReadWriter, it has to panic.
|
|
func (c *ClientStateResponseWriter) WriteHeader(code int) {
|
|
if !c.hasWritten {
|
|
if err := c.putClientState(); err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
c.ResponseWriter.WriteHeader(code)
|
|
}
|
|
|
|
// Header retrieves the underlying headers
|
|
func (c ClientStateResponseWriter) Header() http.Header {
|
|
return c.ResponseWriter.Header()
|
|
}
|
|
|
|
// Hijack implements the http.Hijacker interface by calling the
|
|
// underlying implementation if available.
|
|
func (c ClientStateResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
|
|
h, ok := c.ResponseWriter.(http.Hijacker)
|
|
if ok {
|
|
return h.Hijack()
|
|
}
|
|
return nil, nil, errors.New("authboss: underlying ResponseWriter does not support hijacking")
|
|
}
|
|
|
|
// Write ensures that the client state is written before any writes
|
|
// to the body occur (before header flush to http client)
|
|
func (c *ClientStateResponseWriter) Write(b []byte) (int, error) {
|
|
if !c.hasWritten {
|
|
if err := c.putClientState(); err != nil {
|
|
return 0, err
|
|
}
|
|
}
|
|
return c.ResponseWriter.Write(b)
|
|
}
|
|
|
|
// UnderlyingResponseWriter for this instance
|
|
func (c *ClientStateResponseWriter) UnderlyingResponseWriter() http.ResponseWriter {
|
|
return c.ResponseWriter
|
|
}
|
|
|
|
func (c *ClientStateResponseWriter) putClientState() error {
|
|
if c.hasWritten {
|
|
panic("should not call putClientState twice")
|
|
}
|
|
c.hasWritten = true
|
|
|
|
if len(c.cookieStateEvents) == 0 && len(c.sessionStateEvents) == 0 {
|
|
return nil
|
|
}
|
|
|
|
if c.sessionStateRW != nil && len(c.sessionStateEvents) > 0 {
|
|
err := c.sessionStateRW.WriteState(c, c.sessionState, c.sessionStateEvents)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
if c.cookieStateRW != nil && len(c.cookieStateEvents) > 0 {
|
|
err := c.cookieStateRW.WriteState(c, c.cookieState, c.cookieStateEvents)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// IsFullyAuthed returns false if the user has a SessionHalfAuth
|
|
// in his session.
|
|
func IsFullyAuthed(r *http.Request) bool {
|
|
_, hasHalfAuth := GetSession(r, SessionHalfAuthKey)
|
|
return !hasHalfAuth
|
|
}
|
|
|
|
// IsTwoFactored returns false if the user doesn't have a Session2FA
|
|
// in his session.
|
|
func IsTwoFactored(r *http.Request) bool {
|
|
_, has2fa := GetSession(r, Session2FA)
|
|
return has2fa
|
|
}
|
|
|
|
// DelAllSession deletes all variables in the session except for those on
|
|
// the whitelist.
|
|
//
|
|
// The whitelist is typically provided directly from the authboss config.
|
|
//
|
|
// This is the best way to ensure the session is cleaned up after use for
|
|
// a given user. An example is when a user is expired or logged out this method
|
|
// is called.
|
|
func DelAllSession(w http.ResponseWriter, whitelist []string) {
|
|
delAllState(w, CTXKeySessionState, whitelist)
|
|
}
|
|
|
|
// DelKnownSession is deprecated. See DelAllSession for an alternative.
|
|
// DelKnownSession deletes all known session variables,
|
|
// effectively logging a user out.
|
|
func DelKnownSession(w http.ResponseWriter) {
|
|
DelSession(w, SessionKey)
|
|
DelSession(w, SessionHalfAuthKey)
|
|
DelSession(w, SessionLastAction)
|
|
}
|
|
|
|
// DelKnownCookie deletes all known cookie variables, which can be used
|
|
// to delete remember me pieces.
|
|
func DelKnownCookie(w http.ResponseWriter) {
|
|
DelCookie(w, CookieRemember)
|
|
}
|
|
|
|
// PutSession puts a value into the session
|
|
func PutSession(w http.ResponseWriter, key, val string) {
|
|
putState(w, CTXKeySessionState, key, val)
|
|
}
|
|
|
|
// DelSession deletes a key-value from the session.
|
|
func DelSession(w http.ResponseWriter, key string) {
|
|
delState(w, CTXKeySessionState, key)
|
|
}
|
|
|
|
// GetSession fetches a value from the session
|
|
func GetSession(r *http.Request, key string) (string, bool) {
|
|
return getState(r, CTXKeySessionState, key)
|
|
}
|
|
|
|
// PutCookie puts a value into the session
|
|
func PutCookie(w http.ResponseWriter, key, val string) {
|
|
putState(w, CTXKeyCookieState, key, val)
|
|
}
|
|
|
|
// DelCookie deletes a key-value from the session.
|
|
func DelCookie(w http.ResponseWriter, key string) {
|
|
delState(w, CTXKeyCookieState, key)
|
|
}
|
|
|
|
// GetCookie fetches a value from the session
|
|
func GetCookie(r *http.Request, key string) (string, bool) {
|
|
return getState(r, CTXKeyCookieState, key)
|
|
}
|
|
|
|
func putState(w http.ResponseWriter, CTXKey contextKey, key, val string) {
|
|
setState(w, CTXKey, ClientStateEventPut, key, val)
|
|
}
|
|
|
|
func delState(w http.ResponseWriter, CTXKey contextKey, key string) {
|
|
setState(w, CTXKey, ClientStateEventDel, key, "")
|
|
}
|
|
|
|
func delAllState(w http.ResponseWriter, CTXKey contextKey, whitelist []string) {
|
|
setState(w, CTXKey, ClientStateEventDelAll, strings.Join(whitelist, ","), "")
|
|
}
|
|
|
|
func setState(w http.ResponseWriter, ctxKey contextKey, op ClientStateEventKind, key, val string) {
|
|
csrw := MustClientStateResponseWriter(w)
|
|
ev := ClientStateEvent{
|
|
Kind: op,
|
|
Key: key,
|
|
}
|
|
|
|
if op == ClientStateEventPut {
|
|
ev.Value = val
|
|
}
|
|
|
|
switch ctxKey {
|
|
case CTXKeySessionState:
|
|
csrw.sessionStateEvents = append(csrw.sessionStateEvents, ev)
|
|
case CTXKeyCookieState:
|
|
csrw.cookieStateEvents = append(csrw.cookieStateEvents, ev)
|
|
}
|
|
}
|
|
|
|
func getState(r *http.Request, ctxKey contextKey, key string) (string, bool) {
|
|
val := r.Context().Value(ctxKey)
|
|
if val == nil {
|
|
return "", false
|
|
}
|
|
|
|
state := val.(ClientState)
|
|
return state.Get(key)
|
|
}
|
|
|
|
// FlashSuccess returns FlashSuccessKey from the session and removes it.
|
|
func FlashSuccess(w http.ResponseWriter, r *http.Request) string {
|
|
str, ok := GetSession(r, FlashSuccessKey)
|
|
if !ok {
|
|
return ""
|
|
}
|
|
|
|
DelSession(w, FlashSuccessKey)
|
|
return str
|
|
}
|
|
|
|
// FlashError returns FlashError from the session and removes it.
|
|
func FlashError(w http.ResponseWriter, r *http.Request) string {
|
|
str, ok := GetSession(r, FlashErrorKey)
|
|
if !ok {
|
|
return ""
|
|
}
|
|
|
|
DelSession(w, FlashErrorKey)
|
|
return str
|
|
}
|