mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-28 09:08:44 +02:00
Implement cookie auto-refresh
The intention is to refresh the cookie whenever the user accesses an authenticated service with less than `cookie-refresh` time to go before the cookie expires.
This commit is contained in:
parent
5cbdb74518
commit
8e2d83600c
@ -15,11 +15,11 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
func validateCookie(cookie *http.Cookie, seed string) (string, bool) {
|
||||
func validateCookie(cookie *http.Cookie, seed string) (string, time.Time, bool) {
|
||||
// value, timestamp, sig
|
||||
parts := strings.Split(cookie.Value, "|")
|
||||
if len(parts) != 3 {
|
||||
return "", false
|
||||
return "", time.Unix(0, 0), false
|
||||
}
|
||||
sig := cookieSignature(seed, cookie.Name, parts[0], parts[1])
|
||||
if checkHmac(parts[2], sig) {
|
||||
@ -28,11 +28,11 @@ func validateCookie(cookie *http.Cookie, seed string) (string, bool) {
|
||||
// it's a valid cookie. now get the contents
|
||||
rawValue, err := base64.URLEncoding.DecodeString(parts[0])
|
||||
if err == nil {
|
||||
return string(rawValue), true
|
||||
return string(rawValue), time.Unix(int64(ts), 0), true
|
||||
}
|
||||
}
|
||||
}
|
||||
return "", false
|
||||
return "", time.Unix(0, 0), false
|
||||
}
|
||||
|
||||
func signedCookieValue(seed string, key string, value string) string {
|
||||
|
1
main.go
1
main.go
@ -45,6 +45,7 @@ func main() {
|
||||
flagSet.String("cookie-secret", "", "the seed string for secure cookies")
|
||||
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
|
||||
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
|
||||
flagSet.Duration("cookie-refresh", time.Duration(24)*time.Hour, "refresh the cookie when this much time remains before expiration")
|
||||
flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
|
||||
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
|
||||
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
|
||||
|
@ -33,6 +33,7 @@ type OauthProxy struct {
|
||||
CookieSecure bool
|
||||
CookieHttpOnly bool
|
||||
CookieExpire time.Duration
|
||||
CookieRefresh time.Duration
|
||||
Validator func(string) bool
|
||||
|
||||
redirectUrl *url.URL // the url to receive requests at
|
||||
@ -136,6 +137,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
||||
CookieSecure: opts.CookieSecure,
|
||||
CookieHttpOnly: opts.CookieHttpOnly,
|
||||
CookieExpire: opts.CookieExpire,
|
||||
CookieRefresh: opts.CookieRefresh,
|
||||
Validator: validator,
|
||||
|
||||
clientID: opts.ClientID,
|
||||
@ -259,10 +261,11 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
|
||||
}
|
||||
|
||||
func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (email, user, access_token string, ok bool) {
|
||||
var value string
|
||||
var timestamp time.Time
|
||||
cookie, err := req.Cookie(p.CookieKey)
|
||||
if err == nil {
|
||||
var value string
|
||||
value, ok = validateCookie(cookie, p.CookieSeed)
|
||||
value, timestamp, ok = validateCookie(cookie, p.CookieSeed)
|
||||
if ok {
|
||||
email, user, access_token, err = parseCookieValue(
|
||||
value, p.AesCipher)
|
||||
@ -270,6 +273,11 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
|
||||
}
|
||||
if err != nil {
|
||||
log.Printf(err.Error())
|
||||
} else if p.CookieRefresh != time.Duration(0) {
|
||||
refresh_threshold := time.Now().Add(p.CookieRefresh)
|
||||
if refresh_threshold.Unix() > timestamp.Unix() {
|
||||
p.SetCookie(rw, req, value)
|
||||
}
|
||||
}
|
||||
return
|
||||
}
|
||||
|
@ -353,8 +353,31 @@ func TestProcessCookie(t *testing.T) {
|
||||
assert.Equal(t, "michael.bland", user)
|
||||
}
|
||||
|
||||
func TestProcessCookieError(t *testing.T) {
|
||||
func TestProcessCookieNoCookieError(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
_, _, _, ok := pc_test.ProcessCookie()
|
||||
assert.Equal(t, false, ok)
|
||||
}
|
||||
|
||||
func TestProcessCookieRefreshNotSet(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||
pc_test.req.AddCookie(cookie)
|
||||
|
||||
_, _, _, ok := pc_test.ProcessCookie()
|
||||
assert.Equal(t, true, ok)
|
||||
assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||
}
|
||||
|
||||
func TestProcessCookieRefresh(t *testing.T) {
|
||||
pc_test := NewProcessCookieTest()
|
||||
cookie := pc_test.MakeCookie("michael.bland@gsa.gov")
|
||||
cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
|
||||
pc_test.req.AddCookie(cookie)
|
||||
|
||||
pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
|
||||
_, _, _, ok := pc_test.ProcessCookie()
|
||||
assert.Equal(t, true, ok)
|
||||
assert.NotEqual(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
|
||||
}
|
||||
|
@ -26,6 +26,7 @@ type Options struct {
|
||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
|
||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
|
||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
|
||||
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
|
||||
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
|
||||
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
||||
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
||||
@ -61,6 +62,7 @@ func NewOptions() *Options {
|
||||
CookieSecure: true,
|
||||
CookieHttpOnly: true,
|
||||
CookieExpire: time.Duration(168) * time.Hour,
|
||||
CookieRefresh: time.Duration(0),
|
||||
PassBasicAuth: true,
|
||||
PassAccessToken: false,
|
||||
PassHostHeader: true,
|
||||
|
Loading…
Reference in New Issue
Block a user