2019-05-05 13:33:13 +01:00
|
|
|
package sessions
|
2015-06-23 07:23:39 -04:00
|
|
|
|
|
|
|
|
import (
|
2019-03-20 22:59:24 +09:00
|
|
|
"encoding/json"
|
2015-06-23 07:23:39 -04:00
|
|
|
"fmt"
|
|
|
|
|
"time"
|
|
|
|
|
|
2020-03-29 14:54:36 +01:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/encryption"
|
2015-06-23 07:23:39 -04:00
|
|
|
)
|
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// SessionState is used to store information about the currently authenticated user session
|
2015-06-23 07:23:39 -04:00
|
|
|
type SessionState struct {
|
2020-05-30 08:53:38 +01:00
|
|
|
AccessToken string `json:",omitempty"`
|
|
|
|
|
IDToken string `json:",omitempty"`
|
|
|
|
|
CreatedAt *time.Time `json:",omitempty"`
|
|
|
|
|
ExpiresOn *time.Time `json:",omitempty"`
|
|
|
|
|
RefreshToken string `json:",omitempty"`
|
|
|
|
|
Email string `json:",omitempty"`
|
|
|
|
|
User string `json:",omitempty"`
|
|
|
|
|
PreferredUsername string `json:",omitempty"`
|
2015-06-23 07:23:39 -04:00
|
|
|
}
|
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// IsExpired checks whether the session has expired
|
2015-06-23 07:23:39 -04:00
|
|
|
func (s *SessionState) IsExpired() bool {
|
2020-05-30 08:53:38 +01:00
|
|
|
if s.ExpiresOn != nil && !s.ExpiresOn.IsZero() && s.ExpiresOn.Before(time.Now()) {
|
2015-06-23 07:23:39 -04:00
|
|
|
return true
|
|
|
|
|
}
|
|
|
|
|
return false
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-07 15:32:46 +01:00
|
|
|
// Age returns the age of a session
|
|
|
|
|
func (s *SessionState) Age() time.Duration {
|
2020-05-30 08:53:38 +01:00
|
|
|
if s.CreatedAt != nil && !s.CreatedAt.IsZero() {
|
|
|
|
|
return time.Now().Truncate(time.Second).Sub(*s.CreatedAt)
|
2019-05-07 15:32:46 +01:00
|
|
|
}
|
|
|
|
|
return 0
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// String constructs a summary of the session state
|
2015-06-23 07:23:39 -04:00
|
|
|
func (s *SessionState) String() string {
|
2020-03-01 16:02:51 +01:00
|
|
|
o := fmt.Sprintf("Session{email:%s user:%s PreferredUsername:%s", s.Email, s.User, s.PreferredUsername)
|
2015-06-23 07:23:39 -04:00
|
|
|
if s.AccessToken != "" {
|
|
|
|
|
o += " token:true"
|
|
|
|
|
}
|
2018-01-27 10:53:17 +00:00
|
|
|
if s.IDToken != "" {
|
|
|
|
|
o += " id_token:true"
|
|
|
|
|
}
|
2019-05-07 15:32:46 +01:00
|
|
|
if !s.CreatedAt.IsZero() {
|
|
|
|
|
o += fmt.Sprintf(" created:%s", s.CreatedAt)
|
|
|
|
|
}
|
2015-06-23 07:23:39 -04:00
|
|
|
if !s.ExpiresOn.IsZero() {
|
|
|
|
|
o += fmt.Sprintf(" expires:%s", s.ExpiresOn)
|
|
|
|
|
}
|
|
|
|
|
if s.RefreshToken != "" {
|
|
|
|
|
o += " refresh_token:true"
|
|
|
|
|
}
|
|
|
|
|
return o + "}"
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-20 10:37:59 +00:00
|
|
|
// EncodeSessionState returns string representation of the current session
|
2019-05-24 17:06:48 +01:00
|
|
|
func (s *SessionState) EncodeSessionState(c *encryption.Cipher) (string, error) {
|
2019-03-20 22:59:24 +09:00
|
|
|
var ss SessionState
|
2015-06-23 07:23:39 -04:00
|
|
|
if c == nil {
|
2019-03-20 22:59:24 +09:00
|
|
|
// Store only Email and User when cipher is unavailable
|
|
|
|
|
ss.Email = s.Email
|
|
|
|
|
ss.User = s.User
|
2020-03-01 16:02:51 +01:00
|
|
|
ss.PreferredUsername = s.PreferredUsername
|
2019-03-20 22:59:24 +09:00
|
|
|
} else {
|
|
|
|
|
ss = *s
|
2020-05-30 08:53:38 +01:00
|
|
|
for _, s := range []*string{
|
|
|
|
|
&ss.Email,
|
|
|
|
|
&ss.User,
|
|
|
|
|
&ss.PreferredUsername,
|
|
|
|
|
&ss.AccessToken,
|
|
|
|
|
&ss.IDToken,
|
|
|
|
|
&ss.RefreshToken,
|
|
|
|
|
} {
|
|
|
|
|
err := c.EncryptInto(s)
|
2019-03-20 22:59:24 +09:00
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
2015-06-23 07:23:39 -04:00
|
|
|
}
|
|
|
|
|
}
|
2020-05-30 08:53:38 +01:00
|
|
|
|
|
|
|
|
b, err := json.Marshal(ss)
|
2019-03-20 22:59:24 +09:00
|
|
|
return string(b), err
|
2017-09-26 23:31:27 +02:00
|
|
|
}
|
|
|
|
|
|
2019-03-20 22:59:24 +09:00
|
|
|
// DecodeSessionState decodes the session cookie string into a SessionState
|
2019-05-24 17:06:48 +01:00
|
|
|
func DecodeSessionState(v string, c *encryption.Cipher) (*SessionState, error) {
|
2020-05-30 08:53:38 +01:00
|
|
|
var ss SessionState
|
|
|
|
|
err := json.Unmarshal([]byte(v), &ss)
|
2020-05-10 10:09:53 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("error unmarshalling session: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-20 22:59:24 +09:00
|
|
|
if c == nil {
|
|
|
|
|
// Load only Email and User when cipher is unavailable
|
2020-05-30 08:53:38 +01:00
|
|
|
ss = SessionState{
|
2020-03-01 16:02:51 +01:00
|
|
|
Email: ss.Email,
|
|
|
|
|
User: ss.User,
|
|
|
|
|
PreferredUsername: ss.PreferredUsername,
|
2019-03-20 22:59:24 +09:00
|
|
|
}
|
|
|
|
|
} else {
|
2019-05-08 12:35:15 -07:00
|
|
|
// Backward compatibility with using unencrypted Email
|
2019-04-09 14:55:33 +03:00
|
|
|
if ss.Email != "" {
|
2019-04-09 15:17:40 +03:00
|
|
|
decryptedEmail, errEmail := c.Decrypt(ss.Email)
|
|
|
|
|
if errEmail == nil {
|
2019-04-09 14:55:33 +03:00
|
|
|
ss.Email = decryptedEmail
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-05-08 12:35:15 -07:00
|
|
|
// Backward compatibility with using unencrypted User
|
2019-04-09 14:55:33 +03:00
|
|
|
if ss.User != "" {
|
2019-04-09 15:17:40 +03:00
|
|
|
decryptedUser, errUser := c.Decrypt(ss.User)
|
|
|
|
|
if errUser == nil {
|
2019-04-09 14:55:33 +03:00
|
|
|
ss.User = decryptedUser
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-05-30 08:53:38 +01:00
|
|
|
|
|
|
|
|
for _, s := range []*string{
|
|
|
|
|
&ss.PreferredUsername,
|
|
|
|
|
&ss.AccessToken,
|
|
|
|
|
&ss.IDToken,
|
|
|
|
|
&ss.RefreshToken,
|
|
|
|
|
} {
|
|
|
|
|
err := c.DecryptInto(s)
|
2019-03-20 22:59:24 +09:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2020-05-30 08:53:38 +01:00
|
|
|
return &ss, nil
|
2015-06-23 07:23:39 -04:00
|
|
|
}
|
