From 168c2307711a7d0bca5fcd81a4fc9fddf5edb0a0 Mon Sep 17 00:00:00 2001
From: bel
Date: Tue, 31 Dec 2019 11:20:37 -0700
Subject: [PATCH] Must run oauth from same subdomain but no longer use query params
---
 const.go | 5 +--
 oauth2client/client.go | 53 +++++++++++++++++++++++---------
 oauth2server/server/authorize.go | 11 +++++--
 oauth2test/package_test.go | 14 +++++++--
 4 files changed, 61 insertions(+), 22 deletions(-)
diff --git a/const.go b/const.go
index dd1c1bc..ac640c3 100755
--- a/const.go
+++ b/const.go
@@ -1,6 +1,7 @@
 package oauth2
 const (
- COOKIE = "BOAuthZ"
- REDIRECT = "BOAuthZ-Redirect"
+ NEWCOOKIE = "NewBOAuthZ"
+ COOKIE = "BOAuthZ"
+ REDIRECT = "BOAuthZ-Redirect"
 )
diff --git a/oauth2client/client.go b/oauth2client/client.go
index d769a7a..1d6dab9 100755
--- a/oauth2client/client.go
+++ b/oauth2client/client.go
@@ -40,23 +40,46 @@ func findAccess(w http.ResponseWriter, r *http.Request) (string, bool) {
 }
 func findAccessFresh(w http.ResponseWriter, r *http.Request) (string, bool) {
+ access, found := findAccessFreshQueryParam(w, r)
+ if !found {
+ access, found = findAccessFreshCookie(w, r)
+ }
+ if found {
+ setCookie(oauth2.COOKIE, access, "", w)
+ }
+ return access, found
+}
+
+func findAccessFreshQueryParam(w http.ResponseWriter, r *http.Request) (string, bool) {
 q := r.URL.Query()
- access := q.Get(oauth2.COOKIE)
- q.Del(oauth2.COOKIE)
+ access := q.Get(oauth2.NEWCOOKIE)
+ q.Del(oauth2.NEWCOOKIE)
 r.URL.RawQuery = q.Encode()
 if access == "" {
 return "", false
 }
- cookie := &http.Cookie{
- Name: oauth2.COOKIE,
- Value: access,
- SameSite: http.SameSiteLaxMode,
- Path: "/",
- }
- http.SetCookie(w, cookie)
 return access, true
 }
+func findAccessFreshCookie(w http.ResponseWriter, r *http.Request) (string, bool) {
+ access, err := r.Cookie(oauth2.NEWCOOKIE)
+ if err == http.ErrNoCookie {
+ return "", false
+ }
+ host := r.Host
+ if r.URL.Host != "" {
+ host = r.URL.Host
+ }
+ host = strings.Split(host, ":")[0]
+ hosts := strings.Split(host, ".")
+ if len(host) > 1 {
+ hosts = hosts[1:]
+ }
+ host = "." + strings.Join(hosts, ".")
+ setCookie(oauth2.NEWCOOKIE, "", host, w)
+ return access.Value, true
+}
+
 func findAccessStable(w http.ResponseWriter, r *http.Request) (string, bool) {
 access, err := r.Cookie(oauth2.COOKIE)
 if err == http.ErrNoCookie {
@@ -116,14 +139,14 @@ func verify(access string, oauth2server *url.URL, scope string, w http.ResponseW
 return nil
 }
-func setCookie(access string, w http.ResponseWriter) {
+func setCookie(key, value, domain string, w http.ResponseWriter) {
 cookie := &http.Cookie{
- Name: oauth2.COOKIE,
- Value: access,
- SameSite: http.SameSiteLaxMode,
- Path: "/",
+ Name: key,
+ Value: value,
+ Path: "/",
+ Domain: domain,
 }
- if access == "" {
+ if value == "" {
 cookie.Expires = time.Now().Add(-1 * time.Hour)
 }
 http.SetCookie(w, cookie)
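Review bot: `if len(host) > 1 {` in findAccessFreshCookie tests the length of the host string rather than of the `hosts` slice, so the first label is stripped even for a single-label host such as `localhost`, leaving an empty slice and a Domain of `.`; the intent reads as `if len(hosts) > 1 {`. The expiring `NEWCOOKIE` written by setCookie on the next line only clears the browser's copy if its Domain matches the one the authorization server set, and since the server derives it from the redirect URL while this code derives it from r.Host or r.URL.Host, any mismatch silently leaves a token-bearing cookie alive on every host under that parent domain. findAccessFreshQueryParam still accepts the token from the `NewBOAuthZ` query parameter, so despite the commit subject a token can still arrive in a URL (and land in referrers and access logs), and any link carrying that parameter would be accepted as a fresh login; if the cookie handoff is now the mechanism, removing the query-parameter path removes that exposure. `strings.Split(host, ":")[0]` also mishandles bracketed IPv6 literals; `net.SplitHostPort` is the safer split.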
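Review bot: The rewritten setCookie drops the `SameSite: http.SameSiteLaxMode` the removed lines carried, and sets neither HttpOnly nor Secure, so the access-token cookie is now attached to cross-site top-level navigations and readable from page script. Restore the attribute and mark the cookie HttpOnly in the literal: `SameSite: http.SameSiteLaxMode,` and `HttpOnly: true,`; Secure can follow once the deployment is known to be TLS-only (the tests in this patch run over plain http). For the clearing case, `MaxAge: -1` tells the browser to delete the cookie immediately and does not depend on the client's clock the way an `Expires` one hour in the past does.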
diff --git a/oauth2server/server/authorize.go b/oauth2server/server/authorize.go
index 654a453..f777211 100755
--- a/oauth2server/server/authorize.go
+++ b/oauth2server/server/authorize.go
@@ -7,6 +7,7 @@ import (
 "local/storage"
 "net/http"
 "net/url"
+ "strings"
 "github.com/google/uuid"
 )
@@ -39,9 +40,13 @@ func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
 if url.Scheme == "" {
 url.Scheme = "http"
 }
- values := url.Query()
- values.Set(oauth2.COOKIE, access)
- url.RawQuery = values.Encode()
+ cookie := &http.Cookie{
+ Name: oauth2.NEWCOOKIE,
+ Value: access,
+ Path: "/",
+ Domain: "." + strings.Join(strings.Split(strings.Split(url.Host, ":")[0], ".")[1:], "."),
+ }
+ http.SetCookie(w, cookie)
 http.Redirect(w, r, url.String(), http.StatusSeeOther)
 } else {
 fmt.Fprintln(w, "OK")
diff --git a/oauth2test/package_test.go b/oauth2test/package_test.go
index bdf60d1..fb9e641 100755
--- a/oauth2test/package_test.go
+++ b/oauth2test/package_test.go
@@ -11,6 +11,7 @@ import (
 "net/http"
 "net/http/cookiejar"
 "net/http/httptest"
+ "net/url"
 "regexp"
 "strings"
 "testing"
@@ -22,6 +23,7 @@ func TestAll(t *testing.T) {
 t.Fatal(err)
 }
 defer oauth2server.Close()
+ oauth2server.URL = strings.ReplaceAll(oauth2server.URL, "127.0.0.1", "echo.belbox.dev")
 s := dummyServer(oauth2server.URL)
 defer s.Close()
@@ -138,7 +140,7 @@ func testAuth(oauth2server, dummy string) error {
 return err
 }
 log.Println("client should not redir...")
- if err := clientShouldNotRedir(c, dummy+"?"+oauth2.COOKIE+"="+access); err != nil {
+ if err := clientShouldNotRedir(c, dummy+"?"+oauth2.NEWCOOKIE+"="+access); err != nil {
 return err
 }
 if !strings.Contains(fmt.Sprint(c.Jar), oauth2.COOKIE) {
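Review bot: The token cookie's Domain is derived from `url.Host`, the redirect target, rather than from the authorization server's own host; the enclosing authorize starts outside the hunk so I can't see where `url` comes from, but if it is taken from the request, a redirect host outside the server's parent domain yields a Domain the browser rejects and the login silently fails, a two-label host such as `belbox.dev` yields `.dev` (a public suffix browsers refuse), and a single-label host yields `.`, which net/http drops as invalid. Check that the redirect host sits under the server's own parent domain (derived from r.Host) before setting the cookie, and use `url.Hostname()` in place of `strings.Split(url.Host, ":")[0]` so IPv6 literals are handled. This literal also sends the access token to every host under the parent domain with no HttpOnly and no SameSite attribute; `HttpOnly: true,` and `SameSite: http.SameSiteLaxMode,` belong here as in the client.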
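Review bot: Rewriting the httptest URL to `echo.belbox.dev` makes TestAll depend on that public name resolving to 127.0.0.1 on every machine that runs the suite, and if it ever resolves elsewhere the login flow, token cookie included, is sent off-box. Pinning the name to the loopback listener through a custom `http.Transport` DialContext keeps the test hermetic; at minimum a comment on the added line, `// requires echo.belbox.dev to resolve to 127.0.0.1`, would spare the next maintainer an opaque failure.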
@@ -161,7 +163,15 @@ func clientLogin(c *http.Client, oauth2server string) (string, error) {
 if resp.Request.URL.Path != "/" {
 return "", fmt.Errorf("login response path wrong: %v", resp.Request.URL.Path)
 }
- a := resp.Request.URL.Query().Get(oauth2.COOKIE)
+ a := resp.Request.URL.Query().Get(oauth2.NEWCOOKIE)
+ if a == "" {
+ cookies := c.Jar.Cookies(&url.URL{Scheme: "http", Path: "/", Host: "echo.belbox.dev"})
+ for i := range cookies {
+ if cookies[i].Name == oauth2.NEWCOOKIE {
+ a = cookies[i].Value
+ }
+ }
+ }
 if a == "" {
 return "", fmt.Errorf("login and redir didnt set cookie: %v", a)
 }
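Review bot: clientLogin still reads the token from the redirect URL's query string first and only falls back to the jar, so the test cannot detect a regression to the query-parameter handoff this commit sets out to remove. Treat presence in the query as a failure and read only from the jar: `if resp.Request.URL.Query().Get(oauth2.NEWCOOKIE) != "" { return "", fmt.Errorf("token present in redirect query") }`. The `echo.belbox.dev` host is also hardcoded here while TestAll derives it by string replacement; looking the jar up with `resp.Request.URL` instead keeps the two in step. clientLogin begins outside the hunk.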