go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-08-08 22:46:33 +02:00
Code Issues Releases Activity

feat(cookie): add feature support for cookie-secret-file (#3104)

Browse Source 
* feat: add feature support for cookie-secret-file

---------

Signed-off-by: Jan Larwig <jan@larwig.com>
Co-Authored-By: Sandy Chen <Yuxuan.Chen@morganstanley.com>
Co-authored-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
Sandy Chen
2025-07-23 01:59:55 +09:00
committed by GitHub
parent 137e59d526
commit dc8b1623a2
10 changed files with 226 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
pkg/sessions/cookie/session_store.go
View File

@@ -54,16 +54,18 @@ func (s *SessionStore) Load(req *http.Request) (*sessions.SessionState, error) {
// always http.ErrNoCookie
return nil, err
}
val, _, ok := encryption.Validate(c, s.Cookie.Secret, s.Cookie.Expire)
secret, err := s.Cookie.GetSecret()
if err != nil {
return nil, fmt.Errorf("error getting cookie secret: %v", err)
}
val, _, ok := encryption.Validate(c, secret, s.Cookie.Expire)
if !ok {
return nil, errors.New("cookie signature not valid")
}
session, err := sessions.DecodeSessionState(val, s.CookieCipher, true)
if err != nil {
return nil, err
}
return session, nil
return sessions.DecodeSessionState(val, s.CookieCipher, true)
}
// Clear clears any saved session information by writing a cookie to
@@ -121,7 +123,11 @@ func (s *SessionStore) makeSessionCookie(req *http.Request, value []byte, now ti
strValue := string(value)
if strValue != "" {
var err error
strValue, err = encryption.SignedValue(s.Cookie.Secret, s.Cookie.Name, value, now)
secret, err := s.Cookie.GetSecret()
if err != nil {
return nil, fmt.Errorf("error getting cookie secret: %v", err)
}
strValue, err = encryption.SignedValue(secret, s.Cookie.Name, value, now)
if err != nil {
return nil, err
}
@@ -146,7 +152,11 @@ func (s *SessionStore) makeCookie(req *http.Request, name string, value string,
// NewCookieSessionStore initialises a new instance of the SessionStore from
// the configuration given
func NewCookieSessionStore(opts *options.SessionOptions, cookieOpts *options.Cookie) (sessions.SessionStore, error) {
cipher, err := encryption.NewCFBCipher(encryption.SecretBytes(cookieOpts.Secret))
secret, err := cookieOpts.GetSecret()
if err != nil {
return nil, fmt.Errorf("error getting cookie secret: %v", err)
}
cipher, err := encryption.NewCFBCipher(encryption.SecretBytes(secret))
if err != nil {
return nil, fmt.Errorf("error initialising cipher: %v", err)
}

6
pkg/sessions/persistence/ticket.go
View File

@@ -146,7 +146,11 @@ func decodeTicketFromRequest(req *http.Request, cookieOpts *options.Cookie) (*ti
}
// An existing cookie exists, try to retrieve the ticket
val, _, ok := encryption.Validate(requestCookie, cookieOpts.Secret, cookieOpts.Expire)
secret, err := cookieOpts.GetSecret()
if err != nil {
return nil, fmt.Errorf("error getting cookie secret: %v", err)
}
val, _, ok := encryption.Validate(requestCookie, secret, cookieOpts.Expire)
if !ok {
return nil, fmt.Errorf("session ticket cookie failed validation: %v", err)
}