Must run oauth from same subdomain but no longer use query params
bel
parent
f7c111bd2f
commit
168c230771
1
const.go
1
const.go
|
|
@ -1,6 +1,7 @@
|
|||
package oauth2
|
||||
|
||||
const (
|
||||
NEWCOOKIE = "NewBOAuthZ"
|
||||
COOKIE = "BOAuthZ"
|
||||
REDIRECT = "BOAuthZ-Redirect"
|
||||
)
|
||||
|
|
|
|||
|
|
@ -40,23 +40,46 @@ func findAccess(w http.ResponseWriter, r *http.Request) (string, bool) {
|
|||
}
|
||||
|
||||
func findAccessFresh(w http.ResponseWriter, r *http.Request) (string, bool) {
|
||||
access, found := findAccessFreshQueryParam(w, r)
|
||||
if !found {
|
||||
access, found = findAccessFreshCookie(w, r)
|
||||
}
|
||||
if found {
|
||||
setCookie(oauth2.COOKIE, access, "", w)
|
||||
}
|
||||
return access, found
|
||||
}
|
||||
|
||||
func findAccessFreshQueryParam(w http.ResponseWriter, r *http.Request) (string, bool) {
|
||||
q := r.URL.Query()
|
||||
access := q.Get(oauth2.COOKIE)
|
||||
q.Del(oauth2.COOKIE)
|
||||
access := q.Get(oauth2.NEWCOOKIE)
|
||||
q.Del(oauth2.NEWCOOKIE)
|
||||
r.URL.RawQuery = q.Encode()
|
||||
if access == "" {
|
||||
return "", false
|
||||
}
|
||||
cookie := &http.Cookie{
|
||||
Name: oauth2.COOKIE,
|
||||
Value: access,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
Path: "/",
|
||||
}
|
||||
http.SetCookie(w, cookie)
|
||||
return access, true
|
||||
}
|
||||
|
||||
func findAccessFreshCookie(w http.ResponseWriter, r *http.Request) (string, bool) {
|
||||
access, err := r.Cookie(oauth2.NEWCOOKIE)
|
||||
if err == http.ErrNoCookie {
|
||||
return "", false
|
||||
}
|
||||
host := r.Host
|
||||
if r.URL.Host != "" {
|
||||
host = r.URL.Host
|
||||
}
|
||||
host = strings.Split(host, ":")[0]
|
||||
hosts := strings.Split(host, ".")
|
||||
if len(host) > 1 {
|
||||
hosts = hosts[1:]
|
||||
}
|
||||
host = "." + strings.Join(hosts, ".")
|
||||
setCookie(oauth2.NEWCOOKIE, "", host, w)
|
||||
return access.Value, true
|
||||
}
|
||||
|
||||
func findAccessStable(w http.ResponseWriter, r *http.Request) (string, bool) {
|
||||
access, err := r.Cookie(oauth2.COOKIE)
|
||||
if err == http.ErrNoCookie {
|
||||
|
|
@ -116,14 +139,14 @@ func verify(access string, oauth2server *url.URL, scope string, w http.ResponseW
|
|||
return nil
|
||||
}
|
||||
|
||||
func setCookie(access string, w http.ResponseWriter) {
|
||||
func setCookie(key, value, domain string, w http.ResponseWriter) {
|
||||
cookie := &http.Cookie{
|
||||
Name: oauth2.COOKIE,
|
||||
Value: access,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
Name: key,
|
||||
Value: value,
|
||||
Path: "/",
|
||||
Domain: domain,
|
||||
}
|
||||
if access == "" {
|
||||
if value == "" {
|
||||
cookie.Expires = time.Now().Add(-1 * time.Hour)
|
||||
}
|
||||
http.SetCookie(w, cookie)
|
||||
|
|
|
|||
|
|
@ -7,6 +7,7 @@ import (
|
|||
"local/storage"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"strings"
|
||||
|
||||
"github.com/google/uuid"
|
||||
)
|
||||
|
|
@ -39,9 +40,13 @@ func (s *Server) authorize(w http.ResponseWriter, r *http.Request) {
|
|||
if url.Scheme == "" {
|
||||
url.Scheme = "http"
|
||||
}
|
||||
values := url.Query()
|
||||
values.Set(oauth2.COOKIE, access)
|
||||
url.RawQuery = values.Encode()
|
||||
cookie := &http.Cookie{
|
||||
Name: oauth2.NEWCOOKIE,
|
||||
Value: access,
|
||||
Path: "/",
|
||||
Domain: "." + strings.Join(strings.Split(strings.Split(url.Host, ":")[0], ".")[1:], "."),
|
||||
}
|
||||
http.SetCookie(w, cookie)
|
||||
http.Redirect(w, r, url.String(), http.StatusSeeOther)
|
||||
} else {
|
||||
fmt.Fprintln(w, "OK")
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import (
|
|||
"net/http"
|
||||
"net/http/cookiejar"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"regexp"
|
||||
"strings"
|
||||
"testing"
|
||||
|
|
@ -22,6 +23,7 @@ func TestAll(t *testing.T) {
|
|||
t.Fatal(err)
|
||||
}
|
||||
defer oauth2server.Close()
|
||||
oauth2server.URL = strings.ReplaceAll(oauth2server.URL, "127.0.0.1", "echo.belbox.dev")
|
||||
|
||||
s := dummyServer(oauth2server.URL)
|
||||
defer s.Close()
|
||||
|
|
@ -138,7 +140,7 @@ func testAuth(oauth2server, dummy string) error {
|
|||
return err
|
||||
}
|
||||
log.Println("client should not redir...")
|
||||
if err := clientShouldNotRedir(c, dummy+"?"+oauth2.COOKIE+"="+access); err != nil {
|
||||
if err := clientShouldNotRedir(c, dummy+"?"+oauth2.NEWCOOKIE+"="+access); err != nil {
|
||||
return err
|
||||
}
|
||||
if !strings.Contains(fmt.Sprint(c.Jar), oauth2.COOKIE) {
|
||||
|
|
@ -161,7 +163,15 @@ func clientLogin(c *http.Client, oauth2server string) (string, error) {
|
|||
if resp.Request.URL.Path != "/" {
|
||||
return "", fmt.Errorf("login response path wrong: %v", resp.Request.URL.Path)
|
||||
}
|
||||
a := resp.Request.URL.Query().Get(oauth2.COOKIE)
|
||||
a := resp.Request.URL.Query().Get(oauth2.NEWCOOKIE)
|
||||
if a == "" {
|
||||
cookies := c.Jar.Cookies(&url.URL{Scheme: "http", Path: "/", Host: "echo.belbox.dev"})
|
||||
for i := range cookies {
|
||||
if cookies[i].Name == oauth2.NEWCOOKIE {
|
||||
a = cookies[i].Value
|
||||
}
|
||||
}
|
||||
}
|
||||
if a == "" {
|
||||
return "", fmt.Errorf("login and redir didnt set cookie: %v", a)
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue