Improvements to Session State code (#536)

* Drop SessionStateJSON wrapper * Use EncrpytInto/DecryptInto to reduce sessionstate Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2025-06-15 00:15:00 +02:00 · 2020-05-30 08:53:38 +01:00
parent 6a88da7f7a
commit f7b28cb1d3
17 changed files with 185 additions and 164 deletions
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@ -484,8 +484,7 @@ func TestBasicAuthPassword(t *testing.T) {
 	})

 	rw := httptest.NewRecorder()
-	req, _ := http.NewRequest("GET", "/oauth2/callback?code=callback_code&state=nonce:",
-		strings.NewReader(""))
+	req, _ := http.NewRequest("GET", "/oauth2/callback?code=callback_code&state=nonce:", strings.NewReader(""))
 	req.AddCookie(proxy.MakeCSRFCookie(req, "nonce", proxy.CookieExpire, time.Now()))
 	proxy.ServeHTTP(rw, req)
 	if rw.Code >= 400 {
@ -541,11 +540,12 @@ func TestBasicAuthWithEmail(t *testing.T) {
 	expectedEmailHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(emailAddress+":"+opts.BasicAuthPassword))
 	expectedUserHeader := "Basic " + base64.StdEncoding.EncodeToString([]byte(userName+":"+opts.BasicAuthPassword))

+	created := time.Now()
 	session := &sessions.SessionState{
 		User:        userName,
 		Email:       emailAddress,
 		AccessToken: "oauth_token",
-		CreatedAt:   time.Now(),
+		CreatedAt:   &created,
 	}
 	{
 		rw := httptest.NewRecorder()
@ -582,11 +582,12 @@ func TestPassUserHeadersWithEmail(t *testing.T) {
 	const emailAddress = "john.doe@example.com"
 	const userName = "9fcab5c9b889a557"

+	created := time.Now()
 	session := &sessions.SessionState{
 		User:        userName,
 		Email:       emailAddress,
 		AccessToken: "oauth_token",
-		CreatedAt:   time.Now(),
+		CreatedAt:   &created,
 	}
 	{
 		rw := httptest.NewRecorder()
@ -959,7 +960,8 @@ func (p *ProcessCookieTest) LoadCookiedSession() (*sessions.SessionState, error)
 func TestLoadCookiedSession(t *testing.T) {
 	pcTest := NewProcessCookieTestWithDefaults()

-	startSession := &sessions.SessionState{Email: "john.doe@example.com", AccessToken: "my_access_token", CreatedAt: time.Now()}
+	created := time.Now()
+	startSession := &sessions.SessionState{Email: "john.doe@example.com", AccessToken: "my_access_token", CreatedAt: &created}
 	pcTest.SaveSession(startSession)

 	session, err := pcTest.LoadCookiedSession()
@ -985,7 +987,7 @@ func TestProcessCookieRefreshNotSet(t *testing.T) {
 	})
 	reference := time.Now().Add(time.Duration(-2) * time.Hour)

-	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: reference}
+	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &reference}
 	pcTest.SaveSession(startSession)

 	session, err := pcTest.LoadCookiedSession()
@ -1001,7 +1003,7 @@ func TestProcessCookieFailIfCookieExpired(t *testing.T) {
 		opts.Cookie.Expire = time.Duration(24) * time.Hour
 	})
 	reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
-	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: reference}
+	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &reference}
 	pcTest.SaveSession(startSession)

 	session, err := pcTest.LoadCookiedSession()
@ -1016,7 +1018,7 @@ func TestProcessCookieFailIfRefreshSetAndCookieExpired(t *testing.T) {
 		opts.Cookie.Expire = time.Duration(24) * time.Hour
 	})
 	reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
-	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: reference}
+	startSession := &sessions.SessionState{Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &reference}
 	pcTest.SaveSession(startSession)

 	pcTest.proxy.CookieRefresh = time.Hour
@ -1062,8 +1064,9 @@ func NewAuthOnlyEndpointTest(modifiers ...OptionsModifier) *ProcessCookieTest {

 func TestAuthOnlyEndpointAccepted(t *testing.T) {
 	test := NewAuthOnlyEndpointTest()
+	created := time.Now()
 	startSession := &sessions.SessionState{
-		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: time.Now()}
+		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &created}
 	test.SaveSession(startSession)

 	test.proxy.ServeHTTP(test.rw, test.req)
@ -1087,7 +1090,7 @@ func TestAuthOnlyEndpointUnauthorizedOnExpiration(t *testing.T) {
 	})
 	reference := time.Now().Add(time.Duration(25) * time.Hour * -1)
 	startSession := &sessions.SessionState{
-		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: reference}
+		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &reference}
 	test.SaveSession(startSession)

 	test.proxy.ServeHTTP(test.rw, test.req)
@ -1098,8 +1101,9 @@ func TestAuthOnlyEndpointUnauthorizedOnExpiration(t *testing.T) {

 func TestAuthOnlyEndpointUnauthorizedOnEmailValidationFailure(t *testing.T) {
 	test := NewAuthOnlyEndpointTest()
+	created := time.Now()
 	startSession := &sessions.SessionState{
-		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: time.Now()}
+		Email: "michael.bland@gsa.gov", AccessToken: "my_access_token", CreatedAt: &created}
 	test.SaveSession(startSession)
 	test.validateUser = false

@ -1129,8 +1133,9 @@ func TestAuthOnlyEndpointSetXAuthRequestHeaders(t *testing.T) {
 	pcTest.req, _ = http.NewRequest("GET",
 		pcTest.opts.ProxyPrefix+"/auth", nil)

+	created := time.Now()
 	startSession := &sessions.SessionState{
-		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: time.Now()}
+		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: &created}
 	pcTest.SaveSession(startSession)

 	pcTest.proxy.ServeHTTP(pcTest.rw, pcTest.req)
@ -1160,8 +1165,9 @@ func TestAuthOnlyEndpointSetBasicAuthTrueRequestHeaders(t *testing.T) {
 	pcTest.req, _ = http.NewRequest("GET",
 		pcTest.opts.ProxyPrefix+"/auth", nil)

+	created := time.Now()
 	startSession := &sessions.SessionState{
-		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: time.Now()}
+		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: &created}
 	pcTest.SaveSession(startSession)

 	pcTest.proxy.ServeHTTP(pcTest.rw, pcTest.req)
@ -1193,8 +1199,9 @@ func TestAuthOnlyEndpointSetBasicAuthFalseRequestHeaders(t *testing.T) {
 	pcTest.req, _ = http.NewRequest("GET",
 		pcTest.opts.ProxyPrefix+"/auth", nil)

+	created := time.Now()
 	startSession := &sessions.SessionState{
-		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: time.Now()}
+		User: "oauth_user", Email: "oauth_user@example.com", AccessToken: "oauth_token", CreatedAt: &created}
 	pcTest.SaveSession(startSession)

 	pcTest.proxy.ServeHTTP(pcTest.rw, pcTest.req)
@ -1569,10 +1576,11 @@ func TestGetJwtSession(t *testing.T) {
 	}

 	// Bearer
+	expires := time.Unix(1912151821, 0)
 	session, _ := test.proxy.GetJwtSession(test.req)
 	assert.Equal(t, session.User, "john@example.com")
 	assert.Equal(t, session.Email, "john@example.com")
-	assert.Equal(t, session.ExpiresOn, time.Unix(1912151821, 0))
+	assert.Equal(t, session.ExpiresOn, &expires)
 	assert.Equal(t, session.IDToken, goodJwt)

 	test.proxy.ServeHTTP(test.rw, test.req)