mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
1b49e133da
* Fix bug affecting Azure OIDC authentication ( and most likely others ) * Fixes issue #51 * Ensure that appended roles are unique. Update the documentation. * Improvements targetting possible memory usage spikes. * Additional fixes and cleanup * Refactoring code to fix the issues identified by the users. * Modernize run * Fieldalignment * Multiple changes to improve performance and reduce complexity. - Optimise the errors and recovery. - Deduplicate code in metadata cache. - Remove unused performance monitoring code. - Simplify session management and settings handling. * Fix claims issue. * Add ability to overwrite the default scopes in the settings file * Well.. that escalated quickly. Completely forgot that Traefik uses outdated Yaegi and requires compatibility with 1.20 ( pre-generic Go code ). * Bugfix #51: Ensures that user provided scopes overrides work. * fixup! Bugfix #51: Ensures that user provided scopes overrides work. * fixup! fixup! Bugfix #51: Ensures that user provided scopes overrides work. * Abstract the provider logic into a separate package. * Additional micro fixes and cleanups. * Simplify all the things. * fixup! Simplify all the things. * fixup! fixup! Simplify all the things. * fixup! fixup! fixup! Simplify all the things. * fixup! fixup! fixup! fixup! Simplify all the things. * ... * Cleanup tests. * fixup! Cleanup tests. * fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! Cleanup tests. * fixup! fixup! fixup! fixup! fixup! Cleanup tests. * Issue #53: Fix CSRF token handling in reverse proxy 1. ✅ HTTPS Detection Fixed (session.go:723) - Now uses X-Forwarded-Proto header instead of r.URL.Scheme - Properly detects HTTPS in reverse proxy environments 2. ✅ SameSite Cookie Attribute Fixed - Removed automatic SameSiteStrictMode for HTTPS (would break OAuth) - Keeps SameSiteLaxMode to allow OAuth callbacks from external domains - Only uses Strict for AJAX requests which don't involve OAuth redirects 3. ✅ Cookie Domain Handling Fixed - Now respects X-Forwarded-Host header for cookie domain - Ensures cookies are set for the public domain, not internal proxy domain 4. ✅ EnhanceSessionSecurity Properly Integrated - Function is now actually called during session save - Applies security enhancements without breaking OAuth flow Why Issue #53 Failed Before: 1. Cookies were not marked Secure in HTTPS environments (browser wouldn't send them back) 2. If they had been Secure with SameSite=Strict, Azure callbacks would still fail 3. Cookie domain might have been wrong (internal vs public domain) Why It Works Now: 1. Cookies are properly marked Secure for HTTPS 2. Uses SameSite=Lax to allow OAuth provider callbacks 3. Cookie domain uses public domain from X-Forwarded-Host 4. CSRF token persists through the entire OAuth flow * Next set of enhancements together with memory usage improvements. * Memory leak fixes and optimisations. * CSRF and Cookie Domain fixes * fixup! CSRF and Cookie Domain fixes * Metadata cache leak fix + profiling * fixup! Metadata cache leak fix + profiling * Memory leaks hunting, part 1337. * Further pursue of perfection. * fixup! Further pursue of perfection. * fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! fixup! Further pursue of perfection. * Clear race conditions * fixup! Clear race conditions * Weekend fun with memory leaks * Splitting code into multiple files with reasonable testing coverage. ``` ok github.com/lukaszraczylo/traefikoidc 117.017s coverage: 72.6% of statements ok github.com/lukaszraczylo/traefikoidc/auth 0.505s coverage: 87.1% of statements ok github.com/lukaszraczylo/traefikoidc/circuit_breaker 0.283s coverage: 99.0% of statements github.com/lukaszraczylo/traefikoidc/config coverage: 0.0% of statements ok github.com/lukaszraczylo/traefikoidc/handlers 0.349s coverage: 98.2% of statements ok github.com/lukaszraczylo/traefikoidc/internal/providers (cached) coverage: 94.3% of statements ok github.com/lukaszraczylo/traefikoidc/middleware 0.808s coverage: 78.0% of statements ok github.com/lukaszraczylo/traefikoidc/recovery 0.653s coverage: 100.0% of statements ok github.com/lukaszraczylo/traefikoidc/session/chunking (cached) coverage: 87.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/core (cached) coverage: 85.6% of statements ok github.com/lukaszraczylo/traefikoidc/session/crypto (cached) coverage: 81.8% of statements ok github.com/lukaszraczylo/traefikoidc/session/storage (cached) coverage: 93.5% of statements ok github.com/lukaszraczylo/traefikoidc/session/validators (cached) coverage: 98.8% of statements ```` * fixup! Splitting code into multiple files with reasonable testing coverage. * fixup! fixup! Splitting code into multiple files with reasonable testing coverage. * Weekend fun with further optimisations. * fixup! Weekend fun with further optimisations. * fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * fixup! fixup! fixup! fixup! fixup! Weekend fun with further optimisations. * Pre-release cleanup. * Enhance test coverage. * fixup! Enhance test coverage. * fixup! fixup! Enhance test coverage. * fixup! fixup! fixup! Enhance test coverage.
115 lines
2.6 KiB
Go
115 lines
2.6 KiB
Go
package traefikoidc
|
|
|
|
import (
|
|
"net/http"
|
|
"sync"
|
|
|
|
"github.com/gorilla/sessions"
|
|
)
|
|
|
|
// SessionChunkManager manages session chunks with proper cleanup
|
|
type SessionChunkManager struct {
|
|
mu sync.RWMutex
|
|
maxChunks int
|
|
}
|
|
|
|
// NewSessionChunkManager creates a new session chunk manager
|
|
func NewSessionChunkManager(maxChunks int) *SessionChunkManager {
|
|
if maxChunks <= 0 {
|
|
maxChunks = 20 // Reasonable default
|
|
}
|
|
return &SessionChunkManager{
|
|
maxChunks: maxChunks,
|
|
}
|
|
}
|
|
|
|
// CleanupChunks removes all chunks from a map and expires them if writer is provided
|
|
func (m *SessionChunkManager) CleanupChunks(chunks map[int]*sessions.Session, w http.ResponseWriter) {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
// Expire all chunk cookies if we have a response writer
|
|
if w != nil {
|
|
for _, session := range chunks {
|
|
if session != nil && session.Options != nil {
|
|
// Set MaxAge to -1 to expire the cookie
|
|
session.Options.MaxAge = -1
|
|
session.Save(nil, w) // Save with nil request is safe for expiration
|
|
}
|
|
}
|
|
}
|
|
|
|
// Clear the map
|
|
for k := range chunks {
|
|
delete(chunks, k)
|
|
}
|
|
}
|
|
|
|
// ValidateAndCleanChunks validates chunk count and cleans if exceeded
|
|
func (m *SessionChunkManager) ValidateAndCleanChunks(chunks map[int]*sessions.Session) bool {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
if len(chunks) > m.maxChunks {
|
|
// Too many chunks, clear them all
|
|
for k := range chunks {
|
|
delete(chunks, k)
|
|
}
|
|
return false
|
|
}
|
|
return true
|
|
}
|
|
|
|
// SafeSetChunk safely sets a chunk with bounds checking
|
|
func (m *SessionChunkManager) SafeSetChunk(chunks map[int]*sessions.Session, index int, session *sessions.Session) bool {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
// Validate index bounds
|
|
if index < 0 || index >= m.maxChunks {
|
|
return false
|
|
}
|
|
|
|
// Check if adding this would exceed limits
|
|
if len(chunks) >= m.maxChunks && chunks[index] == nil {
|
|
return false
|
|
}
|
|
|
|
chunks[index] = session
|
|
return true
|
|
}
|
|
|
|
// GetChunkCount returns the number of chunks in a map
|
|
func (m *SessionChunkManager) GetChunkCount(chunks map[int]*sessions.Session) int {
|
|
m.mu.RLock()
|
|
defer m.mu.RUnlock()
|
|
return len(chunks)
|
|
}
|
|
|
|
// CompactChunks removes nil entries and reindexes chunks
|
|
func (m *SessionChunkManager) CompactChunks(chunks map[int]*sessions.Session) map[int]*sessions.Session {
|
|
m.mu.Lock()
|
|
defer m.mu.Unlock()
|
|
|
|
compacted := make(map[int]*sessions.Session)
|
|
index := 0
|
|
|
|
// Find max key to know the range
|
|
maxKey := 0
|
|
for k := range chunks {
|
|
if k > maxKey {
|
|
maxKey = k
|
|
}
|
|
}
|
|
|
|
// Iterate in order and compact
|
|
for i := 0; i <= maxKey; i++ {
|
|
if session, exists := chunks[i]; exists && session != nil {
|
|
compacted[index] = session
|
|
index++
|
|
}
|
|
}
|
|
|
|
return compacted
|
|
}
|