Downgrade gorilla sessions preventing the publishing by traefik hub temporarily.

2026-06-06 22:49:43 +00:00 · 2024-11-06 15:23:38 +00:00
15 changed files with 168 additions and 114 deletions
@@ -13,6 +13,7 @@ testData:
  clientSecret: secret
  callbackURL: /oauth2/callback
  logoutURL: /oauth2/logout
+  postLogoutRedirectURI: /oidc/different-logout # If not provided it will redirect to the "/" URL
  scopes: # If not provided, default scopes will be used (openid, email, profile)
    - openid
    - email
@@ -38,6 +38,7 @@ spec:
      sessionEncryptionKey: vvv
      callbackURL: /cool-oidc/callback
      logoutURL: /cool-oidc/logout
+      postLogoutRedirectURI: /my-website/you-have-logged-out # Optional post logout URL redirection
      scopes:
        - openid
        - email
@@ -6,7 +6,7 @@ toolchain go1.23.1

 require (
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/sessions v1.4.0
+	github.com/gorilla/sessions v1.3.0
 	golang.org/x/time v0.7.0
 )

@@ -4,7 +4,7 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
-github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
+github.com/gorilla/sessions v1.3.0 h1:XYlkq7KcpOB2ZhHBPv5WpjMIxrQosiZanfoy1HLZFzg=
+github.com/gorilla/sessions v1.3.0/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
@@ -27,14 +27,6 @@ func generateNonce() (string, error) {
 	return base64.URLEncoding.EncodeToString(nonceBytes), nil
 }

-// buildFullURL constructs a full URL from scheme, host, and path
-func buildFullURL(scheme, host, path string) string {
-	if scheme == "" {
-		scheme = "http"
-	}
-	return fmt.Sprintf("%s://%s%s", scheme, host, path)
-}
-
 // exchangeTokens exchanges a code or refresh token for tokens
 func (t *TraefikOidc) exchangeTokens(ctx context.Context, grantType, codeOrToken, redirectURL string) (*TokenResponse, error) {
 	data := url.Values{
@@ -97,76 +89,6 @@ func (t *TraefikOidc) getNewTokenWithRefreshToken(refreshToken string) (*TokenRe
 	return tokenResponse, nil
 }

-// handleLogout handles the logout process
-func (t *TraefikOidc) handleLogout(w http.ResponseWriter, r *http.Request) {
-	session, err := t.store.Get(r, cookieName)
-	if err != nil {
-		handleError(w, fmt.Sprintf("Error getting session: %v", err), http.StatusInternalServerError, t.logger)
-		return
-	}
-
-	// Get tokens from session
-	idToken, _ := session.Values["id_token"].(string)
-	refreshToken, _ := session.Values["refresh_token"].(string)
-	accessToken, _ := session.Values["access_token"].(string)
-
-	// Revoke tokens if they exist
-	if refreshToken != "" {
-		t.RevokeTokenWithProvider(refreshToken, "refresh_token")
-		t.RevokeToken(refreshToken)
-	}
-	if accessToken != "" {
-		t.RevokeTokenWithProvider(accessToken, "access_token")
-		t.RevokeToken(accessToken)
-	}
-
-	// Clear session
-	session.Options.MaxAge = -1
-	session.Values = make(map[interface{}]interface{})
-	if err := session.Save(r, w); err != nil {
-		handleError(w, fmt.Sprintf("Error saving session: %v", err), http.StatusInternalServerError, t.logger)
-		return
-	}
-
-	// Determine redirect URL
-	host := r.Header.Get("X-Forwarded-Host")
-	if host == "" {
-		host = r.Host
-	}
-	scheme := "http"
-	if r.Header.Get("X-Forwarded-Proto") == "https" || t.forceHTTPS {
-		scheme = "https"
-	}
-	baseURL := fmt.Sprintf("%s://%s/", scheme, host)
-
-	if t.endSessionURL != "" && idToken != "" {
-		logoutURL, err := BuildLogoutURL(t.endSessionURL, idToken, baseURL)
-		if err != nil {
-			handleError(w, fmt.Sprintf("Invalid end session URL: %v", err), http.StatusInternalServerError, t.logger)
-			return
-		}
-		http.Redirect(w, r, logoutURL, http.StatusFound)
-		return
-	}
-
-	http.Redirect(w, r, baseURL, http.StatusFound)
-}
-
-// BuildLogoutURL constructs the logout URL with proper encoding
-func BuildLogoutURL(endSessionURL, idToken, postLogoutRedirectURI string) (string, error) {
-	u, err := url.Parse(endSessionURL)
-	if err != nil {
-		return "", fmt.Errorf("invalid end session URL: %v", err)
-	}
-
-	q := u.Query()
-	q.Set("id_token_hint", idToken)
-	q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
-	u.RawQuery = q.Encode()
-
-	return u.String(), nil
-}
-
 // handleExpiredToken handles the case when a token has expired
 func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Request, session *sessions.Session) {
 	// Clear the existing session
@@ -441,3 +363,79 @@ func createStringMap(keys []string) map[string]struct{} {
 	}
 	return result
 }
+
+// handleLogout handles the logout request
+func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
+	session, err := t.store.Get(req, cookieName)
+	if err != nil {
+		t.logger.Errorf("Error getting session: %v", err)
+		http.Error(rw, "Session error", http.StatusInternalServerError)
+		return
+	}
+
+	// Get the id_token before clearing the session
+	idToken, _ := session.Values["id_token"].(string)
+
+	// Clear and expire the session
+	session.Values = make(map[interface{}]interface{})
+	session.Options.MaxAge = -1
+	if err := session.Save(req, rw); err != nil {
+		t.logger.Errorf("Error saving session: %v", err)
+		http.Error(rw, "Session error", http.StatusInternalServerError)
+		return
+	}
+
+	// Get the base URL for redirects
+	host := t.determineHost(req)
+	scheme := t.determineScheme(req)
+	baseURL := fmt.Sprintf("%s://%s", scheme, host)
+
+	// Determine post logout redirect URI
+	var postLogoutRedirectURI string
+	if t.postLogoutRedirectURI != "" {
+		// Use explicitly configured postLogoutRedirectURI
+		if strings.HasPrefix(t.postLogoutRedirectURI, "http://") || strings.HasPrefix(t.postLogoutRedirectURI, "https://") {
+			postLogoutRedirectURI = t.postLogoutRedirectURI
+		} else {
+			postLogoutRedirectURI = fmt.Sprintf("%s%s", baseURL, t.postLogoutRedirectURI)
+		}
+	} else {
+		postLogoutRedirectURI = fmt.Sprintf("%s%s", baseURL, "/")
+	}
+
+	t.logger.Debugf("Using post logout redirect URI: %s", postLogoutRedirectURI)
+
+	// If we have an end session endpoint and an ID token, use OIDC end session
+	if t.endSessionURL != "" && idToken != "" {
+		logoutURL, err := BuildLogoutURL(t.endSessionURL, idToken, postLogoutRedirectURI)
+		if err != nil {
+			handleError(rw, fmt.Sprintf("Failed to build logout URL: %v", err), http.StatusInternalServerError, t.logger)
+			return
+		}
+		t.logger.Debugf("Redirecting to end session URL: %s", logoutURL)
+		http.Redirect(rw, req, logoutURL, http.StatusFound)
+		return
+	}
+
+	// If no end session endpoint or no ID token, just redirect to the post logout URI
+	t.logger.Debugf("Redirecting to post logout URI: %s", postLogoutRedirectURI)
+	http.Redirect(rw, req, postLogoutRedirectURI, http.StatusFound)
+}
+
+// BuildLogoutURL constructs the OIDC end session URL
+func BuildLogoutURL(endSessionURL, idToken, postLogoutRedirectURI string) (string, error) {
+	u, err := url.Parse(endSessionURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse end session URL: %w", err)
+	}
+
+	q := u.Query()
+	q.Set("id_token_hint", idToken)
+	if postLogoutRedirectURI != "" {
+		// Ensure postLogoutRedirectURI is properly URL encoded
+		q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String(), nil
+}
@@ -65,6 +65,7 @@ type TraefikOidc struct {
 	initComplete               chan struct{}
 	endSessionURL              string
 	baseURL                    string
+	postLogoutRedirectURI      string
 }

 // ProviderMetadata holds OIDC provider metadata
@@ -227,6 +228,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 			}
 			return config.LogoutURL
 		}(),
+		postLogoutRedirectURI: func() string {
+			if config.PostLogoutRedirectURI == "" {
+				return "/"
+			}
+			return config.PostLogoutRedirectURI
+		}(),
 		tokenBlacklist:        NewTokenBlacklist(),
 		jwkCache:              &JWKCache{},
 		clientID:              config.ClientID,
@@ -767,3 +774,18 @@ func (t *TraefikOidc) extractGroupsAndRoles(idToken string) ([]string, []string,

 	return groups, roles, nil
 }
+
+// buildFullURL constructs a full URL from scheme, host and path
+func buildFullURL(scheme, host, path string) string {
+	// If the path is already a full URL, return it as-is
+	if strings.HasPrefix(path, "http://") || strings.HasPrefix(path, "https://") {
+		return path
+	}
+
+	// Ensure the path starts with a forward slash
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+
+	return fmt.Sprintf("%s://%s%s", scheme, host, path)
+}
@@ -863,9 +863,8 @@ func TestHandleLogout(t *testing.T) {
 			},
 			endSessionURL:  "https://provider/end-session",
 			expectedStatus: http.StatusFound,
-			// Fix: The entire URL should be URL-encoded
-			expectedURL: "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
-			host:        "test-host",
+			expectedURL:    "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
+			host:           "test-host",
 		},
 		{
 			name: "Successful logout without end session endpoint",
@@ -31,6 +31,7 @@ type Config struct {
 	AllowedUserDomains    []string `json:"allowedUserDomains"`
 	AllowedRolesAndGroups []string `json:"allowedRolesAndGroups"`
 	OIDCEndSessionURL     string   `json:"oidcEndSessionURL"`
+	PostLogoutRedirectURI string   `json:"postLogoutRedirectURI"`
 	HTTPClient            *http.Client
 }

@@ -1,4 +1,4 @@
-Copyright (c) 2024 The Gorilla Authors. All rights reserved.
+Copyright (c) 2023 The Gorilla Authors. All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -1,7 +1,4 @@
-# Gorilla Sessions
-
-> [!IMPORTANT]
-> The latest version of this repository requires go 1.23 because of the new partitioned attribute. The last version that is compatible with older versions of go is v1.3.0.
+# sessions

 ![testing](https://github.com/gorilla/sessions/actions/workflows/test.yml/badge.svg)
 [![codecov](https://codecov.io/github/gorilla/sessions/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/sessions)
@@ -77,7 +74,6 @@ Other implementations of the `sessions.Store` interface:
 - [github.com/dsoprea/go-appengine-sessioncascade](https://github.com/dsoprea/go-appengine-sessioncascade) - Memcache/Datastore/Context in AppEngine
 - [github.com/kidstuff/mongostore](https://github.com/kidstuff/mongostore) - MongoDB
 - [github.com/srinathgs/mysqlstore](https://github.com/srinathgs/mysqlstore) - MySQL
- [github.com/danielepintore/gorilla-sessions-mysql](https://github.com/danielepintore/gorilla-sessions-mysql) - MySQL
 - [github.com/EnumApps/clustersqlstore](https://github.com/EnumApps/clustersqlstore) - MySQL Cluster
 - [github.com/antonlindstrom/pgstore](https://github.com/antonlindstrom/pgstore) - PostgreSQL
 - [github.com/boj/redistore](https://github.com/boj/redistore) - Redis
@@ -1,6 +1,5 @@
-// Copyright 2012 The Gorilla Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+//go:build !go1.11
+// +build !go1.11

 package sessions

@@ -9,15 +8,13 @@ import "net/http"
 // newCookieFromOptions returns an http.Cookie with the options set.
 func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
 	return &http.Cookie{
-		Name:        name,
-		Value:       value,
-		Path:        options.Path,
-		Domain:      options.Domain,
-		MaxAge:      options.MaxAge,
-		Secure:      options.Secure,
-		HttpOnly:    options.HttpOnly,
-		Partitioned: options.Partitioned,
-		SameSite:    options.SameSite,
+		Name:     name,
+		Value:    value,
+		Path:     options.Path,
+		Domain:   options.Domain,
+		MaxAge:   options.MaxAge,
+		Secure:   options.Secure,
+		HttpOnly: options.HttpOnly,
 	}

 }
@@ -0,0 +1,21 @@
+//go:build go1.11
+// +build go1.11
+
+package sessions
+
+import "net/http"
+
+// newCookieFromOptions returns an http.Cookie with the options set.
+func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
+	return &http.Cookie{
+		Name:     name,
+		Value:    value,
+		Path:     options.Path,
+		Domain:   options.Domain,
+		MaxAge:   options.MaxAge,
+		Secure:   options.Secure,
+		HttpOnly: options.HttpOnly,
+		SameSite: options.SameSite,
+	}
+
+}
@@ -1,11 +1,8 @@
-// Copyright 2012 The Gorilla Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+//go:build !go1.11
+// +build !go1.11

 package sessions

-import "net/http"
-
 // Options stores configuration for a session or session store.
 //
 // Fields are a subset of http.Cookie fields.
@@ -16,9 +13,7 @@ type Options struct {
 	// deleted after the browser session ends.
 	// MaxAge<0 means delete cookie immediately.
 	// MaxAge>0 means Max-Age attribute present and given in seconds.
-	MaxAge      int
-	Secure      bool
-	HttpOnly    bool
-	Partitioned bool
-	SameSite    http.SameSite
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
 }
@@ -0,0 +1,23 @@
+//go:build go1.11
+// +build go1.11
+
+package sessions
+
+import "net/http"
+
+// Options stores configuration for a session or session store.
+//
+// Fields are a subset of http.Cookie fields.
+type Options struct {
+	Path   string
+	Domain string
+	// MaxAge=0 means no Max-Age attribute specified and the cookie will be
+	// deleted after the browser session ends.
+	// MaxAge<0 means delete cookie immediately.
+	// MaxAge>0 means Max-Age attribute present and given in seconds.
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
+	// Defaults to http.SameSiteDefaultMode
+	SameSite http.SameSite
+}
@@ -4,8 +4,8 @@ github.com/google/uuid
 # github.com/gorilla/securecookie v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/securecookie
-# github.com/gorilla/sessions v1.4.0
-## explicit; go 1.23
+# github.com/gorilla/sessions v1.3.0
+## explicit; go 1.20
 github.com/gorilla/sessions
 # golang.org/x/time v0.7.0
 ## explicit; go 1.18