Encrypting user/email from cookie
This commit is contained in:
parent
e9d4f6e0a1
commit
4f7517b2f9
@ -62,6 +62,19 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
|
||||
} else {
|
||||
ss = *s
|
||||
var err error
|
||||
// Encrypt also Email and User when cipher is provided
|
||||
if ss.Email != "" {
|
||||
ss.Email, err = c.Encrypt(ss.Email)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
if ss.User != "" {
|
||||
ss.User, err = c.Encrypt(ss.User)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
}
|
||||
if ss.AccessToken != "" {
|
||||
ss.AccessToken, err = c.Encrypt(ss.AccessToken)
|
||||
if err != nil {
|
||||
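Review bot: The new Email and User blocks (`if ss.Email != "" { ss.Email, err = c.Encrypt(ss.Email) ... }` and the identical User block) repeat the guard/encrypt/return pattern of the existing AccessToken block a third time, so the cipher call and error handling now live in several places that can drift apart (the decode side already handles these fields differently from the tokens). A small helper that encrypts a non-empty value keeps one place to change if the Encrypt call or its error handling ever changes, and shortens each field to three lines. EncodeSessionState starts and ends outside the hunk, so the helper would go next to it at file level.
```go
// encryptNonEmpty returns c.Encrypt(v), passing an empty v through unchanged
// so absent fields stay absent in the encoded cookie.
func encryptNonEmpty(c *cookie.Cipher, v string) (string, error) {
	if v == "" {
		return "", nil
	}
	return c.Encrypt(v)
}

// … inside EncodeSessionState, replacing the per-field blocks …
if ss.Email, err = encryptNonEmpty(c, ss.Email); err != nil {
	return "", err
}
if ss.User, err = encryptNonEmpty(c, ss.User); err != nil {
	return "", err
}
// … unchanged: AccessToken and remaining token fields …
```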
@ -172,6 +185,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
|
||||
User: ss.User,
|
||||
}
|
||||
} else {
|
||||
// Backward compatibility with using unecrypted Email
|
||||
if ss.Email != "" {
|
||||
decryptedEmail, err := c.Decrypt(ss.Email)
|
||||
if err == nil {
|
||||
ss.Email = decryptedEmail
|
||||
}
|
||||
}
|
||||
// Backward compatibility with using unecrypted User
|
||||
if ss.User != "" {
|
||||
decryptedUser, err := c.Decrypt(ss.User)
|
||||
if err == nil {
|
||||
ss.User = decryptedUser
|
||||
}
|
||||
}
|
||||
if ss.AccessToken != "" {
|
||||
ss.AccessToken, err = c.Decrypt(ss.AccessToken)
|
||||
if err != nil {
|
||||
|
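Review bot: A Decrypt failure at `decryptedEmail, err := c.Decrypt(ss.Email)` and `decryptedUser, err := c.Decrypt(ss.User)` is swallowed, so any value that does not decrypt — a legacy plaintext field, but equally a corrupted or foreign ciphertext — is accepted as the raw string, while the AccessToken branch just below rejects the cookie; nothing then distinguishes a legacy value from an undecryptable one, which makes the fallback hard to retire later. Consider recording when the plaintext path is taken (a debug log is enough) and stating in the comment when it can go; the comment also misspells "unencrypted" in both places, e.g. `// Backward compatibility with cookies issued before Email was encrypted; remove once such sessions have expired`. If cookie.Cipher's Decrypt does not authenticate its input (not visible here), a plaintext value that happens to be valid base64 may also "decrypt" without error into garbage instead of being passed through, which is worth a test case. DecodeSessionState starts and ends outside the hunk.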
@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) {
|
||||
ss, err = DecodeSessionState(encoded, c2)
|
||||
t.Logf("%#v", ss)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, "user", ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.NotEqual(t, "user", ss.User)
|
||||
assert.NotEqual(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
|
||||
assert.NotEqual(t, s.AccessToken, ss.AccessToken)
|
||||
assert.NotEqual(t, s.IDToken, ss.IDToken)
|
||||
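Review bot: `assert.NotEqual(t, "user", ss.User)` and `assert.NotEqual(t, s.Email, ss.Email)` only check that decoding under a different cipher does not return the original values; given the err == nil fallback this commit adds to DecodeSessionState, ss.User may hold either the raw ciphertext (Decrypt failed) or whatever the wrong key produced (Decrypt did not fail), and both satisfy NotEqual. Pinning the intended outcome — e.g. comparing ss.User to the encrypted field extracted from `encoded`, or at least `assert.NotEmpty(t, ss.User)` — would catch a regression where the fallback starts yielding an empty string or garbage. The -77 hunk in TestSessionStateSerializationWithUser makes the same substitution and has the same gap. TestSessionStateSerialization starts and ends outside the hunk.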
@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) {
|
||||
ss, err = DecodeSessionState(encoded, c2)
|
||||
t.Logf("%#v", ss)
|
||||
assert.Equal(t, nil, err)
|
||||
assert.Equal(t, s.User, ss.User)
|
||||
assert.Equal(t, s.Email, ss.Email)
|
||||
assert.NotEqual(t, s.User, ss.User)
|
||||
assert.NotEqual(t, s.Email, ss.Email)
|
||||
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
|
||||
assert.NotEqual(t, s.AccessToken, ss.AccessToken)
|
||||
assert.NotEqual(t, s.RefreshToken, ss.RefreshToken)
|
||||
@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) {
|
||||
ExpiresOn: e,
|
||||
RefreshToken: "refresh4321",
|
||||
},
|
||||
Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
|
||||
Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
|
||||
Cipher: c,
|
||||
},
|
||||
{
|
||||
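Review bot: Replacing the plaintext `Encoded` fixture with its encrypted form removes the only case that exercised the plaintext fallback DecodeSessionState adds for Email and User, so that compatibility path now runs untested; the -237 hunk does the same for the Email/User-only case. Keep the encrypted fixture and add a second case with the old plaintext JSON and `Cipher: c` expecting the same SessionState, since that is exactly the legacy cookie the fallback exists for. TestDecodeSessionState starts and ends outside the hunk.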
@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) {
|
||||
Email: "user@domain.com",
|
||||
User: "just-user",
|
||||
},
|
||||
Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
|
||||
Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
|
||||
Cipher: c,
|
||||
},
|
||||
{
|
||||
|