local
/
oauth2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Must run oauth from same subdomain but no longer use query params

master
bel 2019-12-31 11:20:37 -07:00
parent f7c111bd2f
commit 168c230771
4 changed files with 61 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
const.go
View File

@ -1,6 +1,7 @@
package oauth2 package oauth2
const ( const (
COOKIE = "BOAuthZ" NEWCOOKIE = "NewBOAuthZ"
REDIRECT = "BOAuthZ-Redirect" COOKIE = "BOAuthZ"
REDIRECT = "BOAuthZ-Redirect"
) )

53
oauth2client/client.go
View File

@ -40,23 +40,46 @@ func findAccess(w http.ResponseWriter, r *http.Request) (string, bool) {
} }
func findAccessFresh(w http.ResponseWriter, r *http.Request) (string, bool) { func findAccessFresh(w http.ResponseWriter, r *http.Request) (string, bool) {
access, found := findAccessFreshQueryParam(w, r)
if !found {
access, found = findAccessFreshCookie(w, r)
}
if found {
setCookie(oauth2.COOKIE, access, "", w)
}
return access, found
}
func findAccessFreshQueryParam(w http.ResponseWriter, r *http.Request) (string, bool) {
q := r.URL.Query() q := r.URL.Query()
access := q.Get(oauth2.COOKIE) access := q.Get(oauth2.NEWCOOKIE)
q.Del(oauth2.COOKIE) q.Del(oauth2.NEWCOOKIE)
r.URL.RawQuery = q.Encode() r.URL.RawQuery = q.Encode()
if access == "" { if access == "" {
return "", false return "", false
} }
cookie := &http.Cookie{
Name: oauth2.COOKIE,
Value: access,
SameSite: http.SameSiteLaxMode,
Path: "/",
}
http.SetCookie(w, cookie)
return access, true return access, true
} }
func findAccessFreshCookie(w http.ResponseWriter, r *http.Request) (string, bool) {
access, err := r.Cookie(oauth2.NEWCOOKIE)
if err == http.ErrNoCookie {
return "", false
}
host := r.Host
if r.URL.Host != "" {
host = r.URL.Host
}
host = strings.Split(host, ":")[0]
hosts := strings.Split(host, ".")
if len(host) > 1 {
hosts = hosts[1:]
}
host = "." + strings.Join(hosts, ".")
setCookie(oauth2.NEWCOOKIE, "", host, w)
return access.Value, true
}
func findAccessStable(w http.ResponseWriter, r *http.Request) (string, bool) { func findAccessStable(w http.ResponseWriter, r *http.Request) (string, bool) {
access, err := r.Cookie(oauth2.COOKIE) access, err := r.Cookie(oauth2.COOKIE)
if err == http.ErrNoCookie { if err == http.ErrNoCookie {
@ -116,14 +139,14 @@ func verify(access string, oauth2server *url.URL, scope string, w http.ResponseW
return nil return nil
} }
func setCookie(access string, w http.ResponseWriter) { func setCookie(key, value, domain string, w http.ResponseWriter) {
cookie := &http.Cookie{ cookie := &http.Cookie{
Name: oauth2.COOKIE, Name: key,
Value: access, Value: value,
SameSite: http.SameSiteLaxMode, Path: "/",
Path: "/", Domain: domain,
} }
if access == "" { if value == "" {
cookie.Expires = time.Now().Add(-1 * time.Hour) cookie.Expires = time.Now().Add(-1 * time.Hour)
} }
http.SetCookie(w, cookie) http.SetCookie(w, cookie)

11
oauth2server/server/authorize.go
View File

@ -7,6 +7,7 @@ import (
"local/storage" "local/storage"
"net/http" "net/http"
"net/url" "net/url"
"strings"
"github.com/google/uuid" "github.com/google/uuid"
) )
@ -39,9 +40,13 @@ func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
if url.Scheme == "" { if url.Scheme == "" {
url.Scheme = "http" url.Scheme = "http"
} }
values := url.Query() cookie := &http.Cookie{
values.Set(oauth2.COOKIE, access) Name: oauth2.NEWCOOKIE,
url.RawQuery = values.Encode() Value: access,
Path: "/",
Domain: "." + strings.Join(strings.Split(strings.Split(url.Host, ":")[0], ".")[1:], "."),
}
http.SetCookie(w, cookie)
http.Redirect(w, r, url.String(), http.StatusSeeOther) http.Redirect(w, r, url.String(), http.StatusSeeOther)
} else { } else {
fmt.Fprintln(w, "OK") fmt.Fprintln(w, "OK")

14
oauth2test/package_test.go
View File

@ -11,6 +11,7 @@ import (
"net/http" "net/http"
"net/http/cookiejar" "net/http/cookiejar"
"net/http/httptest" "net/http/httptest"
"net/url"
"regexp" "regexp"
"strings" "strings"
"testing" "testing"
@ -22,6 +23,7 @@ func TestAll(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
defer oauth2server.Close() defer oauth2server.Close()
oauth2server.URL = strings.ReplaceAll(oauth2server.URL, "127.0.0.1", "echo.belbox.dev")
s := dummyServer(oauth2server.URL) s := dummyServer(oauth2server.URL)
defer s.Close() defer s.Close()
@ -138,7 +140,7 @@ func testAuth(oauth2server, dummy string) error {
return err return err
} }
log.Println("client should not redir...") log.Println("client should not redir...")
if err := clientShouldNotRedir(c, dummy+"?"+oauth2.COOKIE+"="+access); err != nil { if err := clientShouldNotRedir(c, dummy+"?"+oauth2.NEWCOOKIE+"="+access); err != nil {
return err return err
} }
if !strings.Contains(fmt.Sprint(c.Jar), oauth2.COOKIE) { if !strings.Contains(fmt.Sprint(c.Jar), oauth2.COOKIE) {
@ -161,7 +163,15 @@ func clientLogin(c *http.Client, oauth2server string) (string, error) {
if resp.Request.URL.Path != "/" { if resp.Request.URL.Path != "/" {
return "", fmt.Errorf("login response path wrong: %v", resp.Request.URL.Path) return "", fmt.Errorf("login response path wrong: %v", resp.Request.URL.Path)
} }
a := resp.Request.URL.Query().Get(oauth2.COOKIE) a := resp.Request.URL.Query().Get(oauth2.NEWCOOKIE)
if a == "" {
cookies := c.Jar.Cookies(&url.URL{Scheme: "http", Path: "/", Host: "echo.belbox.dev"})
for i := range cookies {
if cookies[i].Name == oauth2.NEWCOOKIE {
a = cookies[i].Value
}
}
}
if a == "" { if a == "" {
return "", fmt.Errorf("login and redir didnt set cookie: %v", a) return "", fmt.Errorf("login and redir didnt set cookie: %v", a)
} }