Implement ValidateSessionState for GitHubProvider (#385)

Refactors the setting of the Authorization header into getGitHubHeader. Refs #382 Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2025-01-08 04:03:58 +02:00 · 2020-02-15 16:11:14 +01:00 · 2020-02-15 16:11:14 +01:00 · 2033ce81c3
commit 2033ce81c3
parent 7a6204c8fd
2 changed files with 17 additions and 6 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -9,6 +9,7 @@

 ## Changes since v5.0.0

+- [#385](https://github.com/pusher/oauth2_proxy/pull/385) Use the `Authorization` header instead of `access_token` for refreshing GitHub Provider sessions (@ibuclaw)
 - [#372](https://github.com/pusher/oauth2_proxy/pull/372) Allow fallback to secondary verified email address in GitHub provider (@dmnemec)
 - [#335](https://github.com/pusher/oauth2_proxy/pull/335) OIDC Provider support for empty id_tokens in the access token refresh response (@howzat)
 - [#363](https://github.com/pusher/oauth2_proxy/pull/363) Extension of Redis Session Store to Support Redis Cluster (@yan-dblinf)
--- a/providers/github.go
+++ b/providers/github.go
@ -53,6 +53,13 @@ func NewGitHubProvider(p *ProviderData) *GitHubProvider {
 	return &GitHubProvider{ProviderData: p}
 }

+func getGitHubHeader(accessToken string) http.Header {
+	header := make(http.Header)
+	header.Set("Accept", "application/vnd.github.v3+json")
+	header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+	return header
+}
+
 // SetOrgTeam adds GitHub org reading parameters to the OAuth2 scope
 func (p *GitHubProvider) SetOrgTeam(org, team string) {
 	p.Org = org
@ -87,8 +94,7 @@ func (p *GitHubProvider) hasOrg(accessToken string) (bool, error) {
 			RawQuery: params.Encode(),
 		}
 		req, _ := http.NewRequest("GET", endpoint.String(), nil)
-		req.Header.Set("Accept", "application/vnd.github.v3+json")
-		req.Header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+		req.Header = getGitHubHeader(accessToken)
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {
 			return false, err
@ -164,8 +170,7 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 		}

 		req, _ := http.NewRequest("GET", endpoint.String(), nil)
-		req.Header.Set("Accept", "application/vnd.github.v3+json")
-		req.Header.Set("Authorization", fmt.Sprintf("token %s", accessToken))
+		req.Header = getGitHubHeader(accessToken)
 		resp, err := http.DefaultClient.Do(req)
 		if err != nil {
 			return false, err
@ -283,7 +288,7 @@ func (p *GitHubProvider) GetEmailAddress(s *sessions.SessionState) (string, erro
 		Path:   path.Join(p.ValidateURL.Path, "/user/emails"),
 	}
 	req, _ := http.NewRequest("GET", endpoint.String(), nil)
-	req.Header.Set("Authorization", fmt.Sprintf("token %s", s.AccessToken))
+	req.Header = getGitHubHeader(s.AccessToken)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", err
@ -336,7 +341,7 @@ func (p *GitHubProvider) GetUserName(s *sessions.SessionState) (string, error) {
 		return "", fmt.Errorf("could not create new GET request: %v", err)
 	}

-	req.Header.Set("Authorization", fmt.Sprintf("token %s", s.AccessToken))
+	req.Header = getGitHubHeader(s.AccessToken)
 	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", err
@ -361,3 +366,8 @@ func (p *GitHubProvider) GetUserName(s *sessions.SessionState) (string, error) {

 	return user.Login, nil
 }
+
+// ValidateSessionState validates the AccessToken
+func (p *GitHubProvider) ValidateSessionState(s *sessions.SessionState) bool {
+	return validateToken(p, s.AccessToken, getGitHubHeader(s.AccessToken))
+}