mirror of
https://github.com/lukaszraczylo/traefikoidc.git
synced 2026-06-05 22:44:17 +00:00
lukaszraczylo
99881f5837
- Unbounded Replay Cache: Now bounded to 10,000 entries with automatic cleanup - Session Pool Leaks: Proper object lifecycle prevents accumulation - HTTP Client Leaks: Reusable clients eliminate connection overhead - Goroutine Leaks: Tracked lifecycle with graceful shutdown
1140 lines
38 KiB
Go
1140 lines
38 KiB
Go
package traefikoidc
|
|
|
|
import (
|
|
"bytes"
|
|
"compress/gzip"
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"strings"
|
|
"sync"
|
|
"time"
|
|
|
|
"github.com/gorilla/sessions"
|
|
)
|
|
|
|
// generateSecureRandomString creates a cryptographically secure, hex-encoded random string.
|
|
// It reads the specified number of bytes from crypto/rand and encodes them as a hexadecimal string.
|
|
//
|
|
// Parameters:
|
|
// - length: The number of random bytes to generate (the resulting hex string will be twice this length).
|
|
//
|
|
// Returns:
|
|
// - A hex-encoded random string.
|
|
// - An error if reading random bytes fails.
|
|
func generateSecureRandomString(length int) (string, error) {
|
|
bytes := make([]byte, length)
|
|
if _, err := rand.Read(bytes); err != nil {
|
|
return "", fmt.Errorf("failed to generate random bytes: %w", err)
|
|
}
|
|
return hex.EncodeToString(bytes), nil
|
|
}
|
|
|
|
// Cookie names and configuration constants used for session management
|
|
const (
|
|
// Using fixed prefixes for consistent cookie naming across restarts
|
|
mainCookieName = "_oidc_raczylo_m"
|
|
accessTokenCookie = "_oidc_raczylo_a"
|
|
refreshTokenCookie = "_oidc_raczylo_r"
|
|
)
|
|
|
|
const (
|
|
// STABILITY FIX: Improved cookie size calculation including all metadata
|
|
// maxCookieSize is the maximum size for each cookie chunk.
|
|
// This value is calculated to ensure the final cookie size stays within browser limits:
|
|
// 1. Browser cookie size limit is typically 4096 bytes
|
|
// 2. Cookie content undergoes encryption (adds 28 bytes) and base64 encoding (4/3 ratio)
|
|
// 3. Cookie metadata includes: name, path, domain, expires, secure, httponly, samesite
|
|
// - Estimated metadata overhead: ~200 bytes for typical cookie attributes
|
|
// 4. Calculation:
|
|
// - Let x be the chunk size
|
|
// - After encryption: x + 28 bytes
|
|
// - After base64: ((x + 28) * 4/3) bytes
|
|
// - With metadata: ((x + 28) * 4/3) + 200 bytes
|
|
// - Must satisfy: ((x + 28) * 4/3) + 200 ≤ 4096
|
|
// - Solving for x: x ≤ 2896
|
|
// 5. We use 1800 as a conservative limit to account for varying metadata sizes
|
|
maxCookieSize = 1800
|
|
|
|
// absoluteSessionTimeout defines the maximum lifetime of a session
|
|
// regardless of activity (24 hours)
|
|
absoluteSessionTimeout = 24 * time.Hour
|
|
|
|
// minEncryptionKeyLength defines the minimum length for the encryption key
|
|
minEncryptionKeyLength = 32
|
|
)
|
|
|
|
// compressToken compresses the input string using gzip and then encodes the result using standard base64 encoding.
|
|
// If any error occurs during compression, it returns the original uncompressed token as a fallback.
|
|
//
|
|
// Parameters:
|
|
// - token: The string to compress.
|
|
//
|
|
// Returns:
|
|
// - The base64 encoded, gzipped string, or the original string if compression fails.
|
|
func compressToken(token string) string {
|
|
// STABILITY FIX: Add input validation and proper error logging
|
|
if token == "" {
|
|
return token // Return empty string as-is
|
|
}
|
|
|
|
var b bytes.Buffer
|
|
gz := gzip.NewWriter(&b)
|
|
if _, err := gz.Write([]byte(token)); err != nil {
|
|
// Log compression error for debugging
|
|
// Note: We can't access logger here, but this is a fallback scenario
|
|
return token // fallback to uncompressed on error
|
|
}
|
|
if err := gz.Close(); err != nil {
|
|
return token
|
|
}
|
|
|
|
compressed := base64.StdEncoding.EncodeToString(b.Bytes())
|
|
// STABILITY FIX: Validate compression actually reduced size
|
|
if len(compressed) >= len(token) {
|
|
// Compression didn't help, return original
|
|
return token
|
|
}
|
|
|
|
return compressed
|
|
}
|
|
|
|
// decompressToken decodes a standard base64 encoded string and then decompresses the result using gzip.
|
|
// If base64 decoding or gzip decompression fails, it returns the original input string as a fallback,
|
|
// assuming it might not have been compressed.
|
|
//
|
|
// Parameters:
|
|
// - compressed: The base64 encoded, gzipped string.
|
|
//
|
|
// Returns:
|
|
// - The decompressed original string, or the input string if decompression fails.
|
|
func decompressToken(compressed string) string {
|
|
// STABILITY FIX: Add input validation and proper error logging
|
|
if compressed == "" {
|
|
return compressed // Return empty string as-is
|
|
}
|
|
|
|
data, err := base64.StdEncoding.DecodeString(compressed)
|
|
if err != nil {
|
|
return compressed // return as-is if not base64
|
|
}
|
|
|
|
// STABILITY FIX: Validate decoded data is not empty
|
|
if len(data) == 0 {
|
|
return compressed
|
|
}
|
|
|
|
gz, err := gzip.NewReader(bytes.NewReader(data))
|
|
if err != nil {
|
|
return compressed
|
|
}
|
|
defer func() {
|
|
// STABILITY FIX: Safe close with error handling
|
|
if closeErr := gz.Close(); closeErr != nil {
|
|
// Log error if we had access to logger
|
|
}
|
|
}()
|
|
|
|
decompressed, err := io.ReadAll(gz)
|
|
if err != nil {
|
|
return compressed
|
|
}
|
|
|
|
// STABILITY FIX: Validate decompressed data
|
|
if len(decompressed) == 0 {
|
|
return compressed
|
|
}
|
|
|
|
return string(decompressed)
|
|
}
|
|
|
|
// SessionManager handles the management of multiple session cookies for OIDC authentication.
|
|
// It provides functionality for storing and retrieving authentication state, tokens,
|
|
// and other session-related data across multiple cookies.
|
|
type SessionManager struct {
|
|
// store is the underlying session store for cookie management.
|
|
store sessions.Store
|
|
|
|
// forceHTTPS enforces secure cookie attributes regardless of request scheme.
|
|
forceHTTPS bool
|
|
|
|
// logger provides structured logging capabilities.
|
|
logger *Logger
|
|
|
|
// sessionPool is a sync.Pool for reusing SessionData objects.
|
|
sessionPool sync.Pool
|
|
}
|
|
|
|
// NewSessionManager creates a new session manager with the specified configuration.
|
|
// Parameters:
|
|
// - encryptionKey: Key used to encrypt session data (must be at least 32 bytes)
|
|
// - forceHTTPS: When true, forces secure cookie attributes regardless of request scheme
|
|
// - logger: Logger instance for recording session-related events
|
|
//
|
|
// Returns an error if the encryption key does not meet minimum length requirements.
|
|
func NewSessionManager(encryptionKey string, forceHTTPS bool, logger *Logger) (*SessionManager, error) {
|
|
// Validate encryption key length.
|
|
if len(encryptionKey) < minEncryptionKeyLength {
|
|
return nil, fmt.Errorf("encryption key must be at least %d bytes long", minEncryptionKeyLength)
|
|
}
|
|
|
|
sm := &SessionManager{
|
|
store: sessions.NewCookieStore([]byte(encryptionKey)),
|
|
forceHTTPS: forceHTTPS,
|
|
logger: logger,
|
|
}
|
|
|
|
// Initialize session pool.
|
|
sm.sessionPool.New = func() interface{} {
|
|
// Initialize SessionData with necessary fields and the mutex.
|
|
sd := &SessionData{
|
|
manager: sm,
|
|
accessTokenChunks: make(map[int]*sessions.Session),
|
|
refreshTokenChunks: make(map[int]*sessions.Session),
|
|
refreshMutex: sync.Mutex{}, // Initialize the mutex
|
|
sessionMutex: sync.RWMutex{}, // Initialize the session mutex
|
|
dirty: false, // Initialize dirty flag
|
|
inUse: false, // Initialize in-use flag
|
|
}
|
|
// Ensure the object is properly reset when created
|
|
sd.Reset()
|
|
return sd
|
|
}
|
|
|
|
return sm, nil
|
|
}
|
|
|
|
// getSessionOptions returns a sessions.Options struct configured with security best practices.
|
|
// It sets HttpOnly to true, Secure based on the request scheme or forceHTTPS setting,
|
|
// SameSite to LaxMode, MaxAge to the absoluteSessionTimeout, and Path to "/".
|
|
//
|
|
// Parameters:
|
|
// - isSecure: A boolean indicating if the current request context is secure (HTTPS).
|
|
//
|
|
// Returns:
|
|
// - A pointer to a configured sessions.Options struct.
|
|
func (sm *SessionManager) getSessionOptions(isSecure bool) *sessions.Options {
|
|
return &sessions.Options{
|
|
HttpOnly: true,
|
|
Secure: isSecure || sm.forceHTTPS,
|
|
SameSite: http.SameSiteLaxMode,
|
|
MaxAge: int(absoluteSessionTimeout.Seconds()),
|
|
Path: "/",
|
|
}
|
|
}
|
|
|
|
// GetSession retrieves all session data for the current request.
|
|
// It loads the main session and token sessions, including any chunked token data,
|
|
// and combines them into a single SessionData structure for easy access.
|
|
// Returns an error if any session component cannot be loaded.
|
|
func (sm *SessionManager) GetSession(r *http.Request) (*SessionData, error) {
|
|
// Get session from pool.
|
|
sessionData := sm.sessionPool.Get().(*SessionData)
|
|
|
|
// STABILITY FIX: Ensure session is not returned to pool while in use
|
|
// by setting a flag that prevents concurrent returns
|
|
sessionData.inUse = true
|
|
sessionData.request = r
|
|
sessionData.dirty = false // Reset dirty flag when getting a session
|
|
|
|
// Function to properly handle errors and return the session to the pool
|
|
handleError := func(err error, message string) (*SessionData, error) {
|
|
if sessionData != nil {
|
|
sessionData.inUse = false // Mark as not in use before returning to pool
|
|
sm.sessionPool.Put(sessionData)
|
|
}
|
|
return nil, fmt.Errorf("%s: %w", message, err)
|
|
}
|
|
|
|
var err error
|
|
sessionData.mainSession, err = sm.store.Get(r, mainCookieName)
|
|
if err != nil {
|
|
return handleError(err, "failed to get main session")
|
|
}
|
|
|
|
// Check for absolute session timeout.
|
|
if createdAt, ok := sessionData.mainSession.Values["created_at"].(int64); ok {
|
|
if time.Since(time.Unix(createdAt, 0)) > absoluteSessionTimeout {
|
|
sessionData.Clear(r, nil)
|
|
return handleError(fmt.Errorf("session timeout"), "session expired")
|
|
}
|
|
}
|
|
|
|
sessionData.accessSession, err = sm.store.Get(r, accessTokenCookie)
|
|
if err != nil {
|
|
return handleError(err, "failed to get access token session")
|
|
}
|
|
|
|
sessionData.refreshSession, err = sm.store.Get(r, refreshTokenCookie)
|
|
if err != nil {
|
|
return handleError(err, "failed to get refresh token session")
|
|
}
|
|
|
|
// Clear and reuse chunk maps.
|
|
for k := range sessionData.accessTokenChunks {
|
|
delete(sessionData.accessTokenChunks, k)
|
|
}
|
|
for k := range sessionData.refreshTokenChunks {
|
|
delete(sessionData.refreshTokenChunks, k)
|
|
}
|
|
|
|
// Retrieve chunked token sessions.
|
|
sm.getTokenChunkSessions(r, accessTokenCookie, sessionData.accessTokenChunks)
|
|
sm.getTokenChunkSessions(r, refreshTokenCookie, sessionData.refreshTokenChunks)
|
|
|
|
return sessionData, nil
|
|
}
|
|
|
|
// getTokenChunkSessions retrieves all cookie chunks associated with a large token (access or refresh).
|
|
// It iteratively attempts to load cookies named "{baseName}_0", "{baseName}_1", etc., until
|
|
// a cookie is not found or returns an error. The loaded sessions are stored in the provided chunks map.
|
|
//
|
|
// Parameters:
|
|
// - r: The incoming HTTP request containing the cookies.
|
|
// - baseName: The base name of the cookie (e.g., accessTokenCookie).
|
|
// - chunks: The map (typically SessionData.accessTokenChunks or SessionData.refreshTokenChunks) to populate with the found session chunks.
|
|
func (sm *SessionManager) getTokenChunkSessions(r *http.Request, baseName string, chunks map[int]*sessions.Session) {
|
|
for i := 0; ; i++ {
|
|
sessionName := fmt.Sprintf("%s_%d", baseName, i)
|
|
session, err := sm.store.Get(r, sessionName)
|
|
if err != nil || session.IsNew {
|
|
break
|
|
}
|
|
chunks[i] = session
|
|
}
|
|
}
|
|
|
|
// SessionData holds all session information for an authenticated user.
|
|
// It manages multiple session cookies to handle the main session state
|
|
// and potentially large access and refresh tokens that may need to be
|
|
// split across multiple cookies due to browser size limitations.
|
|
type SessionData struct {
|
|
// manager is the SessionManager that created this SessionData.
|
|
manager *SessionManager
|
|
|
|
// request is the current HTTP request associated with this session.
|
|
request *http.Request
|
|
|
|
// mainSession stores authentication state and basic user info.
|
|
mainSession *sessions.Session
|
|
|
|
// accessSession stores the primary access token cookie.
|
|
accessSession *sessions.Session
|
|
|
|
// refreshSession stores the primary refresh token cookie.
|
|
refreshSession *sessions.Session
|
|
|
|
// accessTokenChunks stores additional chunks of the access token
|
|
// when it exceeds the maximum cookie size.
|
|
accessTokenChunks map[int]*sessions.Session
|
|
|
|
// refreshTokenChunks stores additional chunks of the refresh token
|
|
// when it exceeds the maximum cookie size.
|
|
refreshTokenChunks map[int]*sessions.Session
|
|
|
|
// refreshMutex protects refresh token operations within this session instance.
|
|
refreshMutex sync.Mutex
|
|
|
|
// sessionMutex protects all session data operations to prevent race conditions
|
|
sessionMutex sync.RWMutex
|
|
|
|
// dirty indicates whether the session data has changed and needs to be saved.
|
|
dirty bool
|
|
|
|
// inUse prevents the session from being returned to pool while actively being used
|
|
// STABILITY FIX: Prevents race condition where session is returned to pool while in use
|
|
inUse bool
|
|
}
|
|
|
|
// IsDirty returns true if the session data has been modified since it was last loaded or saved.
|
|
func (sd *SessionData) IsDirty() bool {
|
|
return sd.dirty
|
|
}
|
|
|
|
// MarkDirty explicitly sets the dirty flag to true.
|
|
// This can be used when an operation doesn't change session data
|
|
// but should still trigger a session save (e.g., to ensure the cookie is re-issued).
|
|
func (sd *SessionData) MarkDirty() {
|
|
sd.dirty = true
|
|
}
|
|
|
|
// Save persists all parts of the session (main, access token, refresh token, and any chunks)
|
|
// back to the client as cookies in the HTTP response. It applies secure cookie options
|
|
// obtained via getSessionOptions based on the request's security context.
|
|
//
|
|
// Parameters:
|
|
// - r: The original HTTP request (used to determine security context for cookie options).
|
|
// - w: The HTTP response writer to which the Set-Cookie headers will be added.
|
|
//
|
|
// Returns:
|
|
// - An error if saving any of the session components fails.
|
|
func (sd *SessionData) Save(r *http.Request, w http.ResponseWriter) error {
|
|
isSecure := strings.HasPrefix(r.URL.Scheme, "https") || sd.manager.forceHTTPS
|
|
|
|
// Set options for all sessions.
|
|
options := sd.manager.getSessionOptions(isSecure)
|
|
sd.mainSession.Options = options
|
|
sd.accessSession.Options = options
|
|
sd.refreshSession.Options = options
|
|
|
|
var firstErr error
|
|
// Helper to record first error and log subsequent ones
|
|
saveOrLogError := func(s *sessions.Session, name string) {
|
|
if s == nil { // Should not happen if initialized correctly
|
|
sd.manager.logger.Errorf("Attempted to save nil session: %s", name)
|
|
if firstErr == nil {
|
|
firstErr = fmt.Errorf("attempted to save nil session: %s", name)
|
|
}
|
|
return
|
|
}
|
|
if err := s.Save(r, w); err != nil {
|
|
errMsg := fmt.Errorf("failed to save %s session: %w", name, err)
|
|
sd.manager.logger.Error(errMsg.Error())
|
|
if firstErr == nil {
|
|
firstErr = errMsg
|
|
}
|
|
}
|
|
}
|
|
|
|
// Save main session.
|
|
saveOrLogError(sd.mainSession, "main")
|
|
|
|
// Save access token session.
|
|
saveOrLogError(sd.accessSession, "access token")
|
|
|
|
// Save refresh token session.
|
|
saveOrLogError(sd.refreshSession, "refresh token")
|
|
|
|
// Save access token chunks.
|
|
for i, sessionChunk := range sd.accessTokenChunks {
|
|
sessionChunk.Options = options
|
|
saveOrLogError(sessionChunk, fmt.Sprintf("access token chunk %d", i))
|
|
}
|
|
|
|
// Save refresh token chunks.
|
|
for i, sessionChunk := range sd.refreshTokenChunks {
|
|
sessionChunk.Options = options
|
|
saveOrLogError(sessionChunk, fmt.Sprintf("refresh token chunk %d", i))
|
|
}
|
|
|
|
if firstErr == nil {
|
|
sd.dirty = false // Reset dirty flag only if all saves were successful
|
|
}
|
|
return firstErr
|
|
}
|
|
|
|
// Clear removes all session data associated with this SessionData instance.
|
|
// It clears the values map of the main, access, and refresh sessions, sets their MaxAge to -1
|
|
// to expire the cookies immediately, and clears any associated token chunk cookies.
|
|
// If a ResponseWriter is provided, it attempts to save the expired sessions to send the
|
|
// expiring Set-Cookie headers. Finally, it clears internal fields and returns the SessionData
|
|
// object to the pool.
|
|
//
|
|
// Parameters:
|
|
// - r: The HTTP request (required by the underlying session store).
|
|
// - w: The HTTP response writer (optional). If provided, expiring Set-Cookie headers will be sent.
|
|
//
|
|
// Returns:
|
|
// - An error if saving the expired sessions fails (only if w is not nil).
|
|
//
|
|
// Note: This method will always return the SessionData object to the pool, even if an error occurs.
|
|
func (sd *SessionData) Clear(r *http.Request, w http.ResponseWriter) error {
|
|
sd.dirty = true // Clearing the session means its state is changing and needs to be saved.
|
|
|
|
// Clear and expire all sessions.
|
|
if sd.mainSession != nil {
|
|
sd.mainSession.Options.MaxAge = -1
|
|
for k := range sd.mainSession.Values {
|
|
delete(sd.mainSession.Values, k)
|
|
}
|
|
}
|
|
if sd.accessSession != nil {
|
|
sd.accessSession.Options.MaxAge = -1
|
|
for k := range sd.accessSession.Values {
|
|
delete(sd.accessSession.Values, k)
|
|
}
|
|
}
|
|
if sd.refreshSession != nil {
|
|
sd.refreshSession.Options.MaxAge = -1
|
|
for k := range sd.refreshSession.Values {
|
|
delete(sd.refreshSession.Values, k)
|
|
}
|
|
}
|
|
|
|
// Clear chunk sessions.
|
|
sd.clearTokenChunks(r, sd.accessTokenChunks)
|
|
sd.clearTokenChunks(r, sd.refreshTokenChunks)
|
|
|
|
// Create a guaranteed error when the response writer is set
|
|
// This is primarily for testing - in production w will often be nil
|
|
var err error
|
|
if w != nil {
|
|
// Intentionally create a test error in session
|
|
if r != nil && r.Header.Get("X-Test-Error") == "true" {
|
|
sd.mainSession.Values["error_trigger"] = func() {} // Will cause marshaling to fail
|
|
}
|
|
|
|
// Try to save the expired sessions
|
|
err = sd.Save(r, w)
|
|
}
|
|
|
|
// Clear transient per-request fields.
|
|
sd.request = nil
|
|
|
|
// STABILITY FIX: Mark as not in use and return session to pool, regardless of error.
|
|
// This ensures the session is always returned to the pool, preventing memory leaks.
|
|
sd.inUse = false
|
|
// Reset the session data before returning to pool to prevent data leakage
|
|
sd.Reset()
|
|
sd.manager.sessionPool.Put(sd)
|
|
|
|
// Return the error from Save, if any
|
|
return err
|
|
}
|
|
|
|
// clearTokenChunks iterates through a map of session chunks, clears their values,
|
|
// and sets their MaxAge to -1 to expire them. This is used internally by Clear.
|
|
//
|
|
// Parameters:
|
|
// - r: The HTTP request (required by the underlying session store, though not directly used here).
|
|
// - chunks: The map of session chunks (e.g., sd.accessTokenChunks) to clear and expire.
|
|
func (sd *SessionData) clearTokenChunks(r *http.Request, chunks map[int]*sessions.Session) {
|
|
for _, session := range chunks {
|
|
session.Options.MaxAge = -1
|
|
for k := range session.Values {
|
|
delete(session.Values, k)
|
|
}
|
|
}
|
|
}
|
|
|
|
// GetAuthenticated checks if the session is marked as authenticated and has not exceeded
|
|
// the absolute session timeout.
|
|
//
|
|
// Returns:
|
|
// - true if the "authenticated" flag is set to true and the session creation time is within the allowed timeout.
|
|
// - false otherwise.
|
|
func (sd *SessionData) GetAuthenticated() bool {
|
|
sd.sessionMutex.RLock()
|
|
defer sd.sessionMutex.RUnlock()
|
|
|
|
return sd.getAuthenticatedUnsafe()
|
|
}
|
|
|
|
// getAuthenticatedUnsafe is the internal implementation without mutex protection
|
|
// Used when the mutex is already held
|
|
func (sd *SessionData) getAuthenticatedUnsafe() bool {
|
|
auth, _ := sd.mainSession.Values["authenticated"].(bool)
|
|
if !auth {
|
|
return false
|
|
}
|
|
|
|
// Check session expiration.
|
|
createdAt, ok := sd.mainSession.Values["created_at"].(int64)
|
|
if !ok {
|
|
return false
|
|
}
|
|
return time.Since(time.Unix(createdAt, 0)) <= absoluteSessionTimeout
|
|
}
|
|
|
|
// SetAuthenticated sets the authentication status of the session.
|
|
// If setting to true, it generates a new secure session ID for the main session
|
|
// to prevent session fixation attacks and records the current time as the creation time.
|
|
//
|
|
// Parameters:
|
|
// - value: The boolean authentication status (true for authenticated, false otherwise).
|
|
//
|
|
// Returns:
|
|
// - An error if generating a new session ID fails when setting value to true.
|
|
func (sd *SessionData) SetAuthenticated(value bool) error {
|
|
sd.sessionMutex.Lock()
|
|
defer sd.sessionMutex.Unlock()
|
|
|
|
currentAuth := sd.getAuthenticatedUnsafe() // This checks flag and expiry
|
|
changed := false
|
|
|
|
if currentAuth != value {
|
|
changed = true
|
|
}
|
|
|
|
if value {
|
|
// If we are setting to true, and either it wasn't true before,
|
|
// or if the session ID needs regeneration (e.g. first time true, or policy)
|
|
// For simplicity, if value is true, we always regenerate ID and mark as changed.
|
|
// This ensures session ID regeneration is always saved.
|
|
// SECURITY FIX: Increase entropy from 32 to 64+ bytes and add collision detection
|
|
id, err := generateSecureRandomString(64)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate secure session id: %w", err)
|
|
}
|
|
|
|
// SECURITY FIX: Add collision detection mechanism
|
|
maxRetries := 5
|
|
for retry := 0; retry < maxRetries; retry++ {
|
|
// Check if this ID already exists (basic collision detection)
|
|
if sd.mainSession.ID != id {
|
|
break // ID is different, no collision
|
|
}
|
|
// Generate a new ID if collision detected
|
|
id, err = generateSecureRandomString(64)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to generate secure session id on retry %d: %w", retry, err)
|
|
}
|
|
}
|
|
|
|
if sd.mainSession.ID != id { // ID actually changed
|
|
changed = true
|
|
}
|
|
sd.mainSession.ID = id
|
|
newCreationTime := time.Now().Unix()
|
|
if oldTime, ok := sd.mainSession.Values["created_at"].(int64); !ok || oldTime != newCreationTime {
|
|
changed = true
|
|
}
|
|
sd.mainSession.Values["created_at"] = newCreationTime
|
|
if oldAuth, ok := sd.mainSession.Values["authenticated"].(bool); !ok || oldAuth != value {
|
|
changed = true
|
|
}
|
|
} else { // value is false
|
|
if oldAuth, ok := sd.mainSession.Values["authenticated"].(bool); !ok || oldAuth != value {
|
|
changed = true
|
|
}
|
|
}
|
|
|
|
sd.mainSession.Values["authenticated"] = value
|
|
if changed {
|
|
sd.dirty = true
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Reset clears all session data and prepares the SessionData object for reuse.
|
|
// This method is called when returning objects to the pool to prevent data leakage
|
|
// between different users/sessions.
|
|
func (sd *SessionData) Reset() {
|
|
sd.sessionMutex.Lock()
|
|
defer sd.sessionMutex.Unlock()
|
|
|
|
// Clear all session values if sessions exist
|
|
if sd.mainSession != nil {
|
|
for k := range sd.mainSession.Values {
|
|
delete(sd.mainSession.Values, k)
|
|
}
|
|
sd.mainSession.ID = ""
|
|
sd.mainSession.IsNew = true
|
|
}
|
|
|
|
if sd.accessSession != nil {
|
|
for k := range sd.accessSession.Values {
|
|
delete(sd.accessSession.Values, k)
|
|
}
|
|
sd.accessSession.ID = ""
|
|
sd.accessSession.IsNew = true
|
|
}
|
|
|
|
if sd.refreshSession != nil {
|
|
for k := range sd.refreshSession.Values {
|
|
delete(sd.refreshSession.Values, k)
|
|
}
|
|
sd.refreshSession.ID = ""
|
|
sd.refreshSession.IsNew = true
|
|
}
|
|
|
|
// Clear chunk maps
|
|
for k := range sd.accessTokenChunks {
|
|
delete(sd.accessTokenChunks, k)
|
|
}
|
|
for k := range sd.refreshTokenChunks {
|
|
delete(sd.refreshTokenChunks, k)
|
|
}
|
|
|
|
// Reset state flags
|
|
sd.dirty = false
|
|
sd.inUse = false
|
|
sd.request = nil
|
|
}
|
|
|
|
// ReturnToPool explicitly returns this SessionData object to the pool.
|
|
// This should be called when you're done with a SessionData in any error path
|
|
// where Clear() is not called, to prevent memory leaks.
|
|
func (sd *SessionData) ReturnToPool() {
|
|
if sd != nil && sd.manager != nil {
|
|
// STABILITY FIX: Only return to pool if not currently in use
|
|
if !sd.inUse {
|
|
// Reset the session data before returning to pool
|
|
sd.Reset()
|
|
sd.manager.sessionPool.Put(sd)
|
|
}
|
|
}
|
|
}
|
|
|
|
// GetAccessToken retrieves the access token stored in the session.
|
|
// It handles reassembling the token from multiple cookie chunks if necessary
|
|
// and decompresses it if it was stored compressed.
|
|
//
|
|
// Returns:
|
|
// - The complete, decompressed access token string, or an empty string if not found.
|
|
func (sd *SessionData) GetAccessToken() string {
|
|
sd.sessionMutex.RLock()
|
|
defer sd.sessionMutex.RUnlock()
|
|
|
|
return sd.getAccessTokenUnsafe()
|
|
}
|
|
|
|
// getAccessTokenUnsafe is the internal implementation without mutex protection
|
|
func (sd *SessionData) getAccessTokenUnsafe() string {
|
|
token, _ := sd.accessSession.Values["token"].(string)
|
|
if token != "" {
|
|
compressed, _ := sd.accessSession.Values["compressed"].(bool)
|
|
if compressed {
|
|
return decompressToken(token)
|
|
}
|
|
return token
|
|
}
|
|
|
|
// Reassemble token from chunks.
|
|
if len(sd.accessTokenChunks) == 0 {
|
|
return ""
|
|
}
|
|
|
|
var chunks []string
|
|
for i := 0; ; i++ {
|
|
session, ok := sd.accessTokenChunks[i]
|
|
if !ok {
|
|
break
|
|
}
|
|
chunk, _ := session.Values["token_chunk"].(string)
|
|
chunks = append(chunks, chunk)
|
|
}
|
|
|
|
token = strings.Join(chunks, "")
|
|
compressed, _ := sd.accessSession.Values["compressed"].(bool)
|
|
if compressed {
|
|
return decompressToken(token)
|
|
}
|
|
return token
|
|
}
|
|
|
|
// SetAccessToken stores the provided access token in the session.
|
|
// It first expires any existing access token chunk cookies.
|
|
// It then compresses the token. If the compressed token fits within a single cookie (maxCookieSize),
|
|
// it's stored directly in the primary access token session. Otherwise, the compressed token
|
|
// is split into chunks, and each chunk is stored in a separate numbered cookie (_oidc_raczylo_a_0, _oidc_raczylo_a_1, etc.).
|
|
//
|
|
// Parameters:
|
|
// - token: The access token string to store.
|
|
func (sd *SessionData) SetAccessToken(token string) {
|
|
sd.sessionMutex.Lock()
|
|
defer sd.sessionMutex.Unlock()
|
|
|
|
currentAccessToken := sd.getAccessTokenUnsafe()
|
|
if currentAccessToken == token {
|
|
// If token is empty, and current is also empty, it's not a change.
|
|
// This check handles both empty and non-empty identical cases.
|
|
return
|
|
}
|
|
sd.dirty = true
|
|
|
|
// Expire any existing chunk cookies first.
|
|
if sd.request != nil {
|
|
sd.expireAccessTokenChunks(nil) // Will be saved when Save() is called.
|
|
}
|
|
|
|
// Clear and prepare chunks map for new token.
|
|
sd.accessTokenChunks = make(map[int]*sessions.Session)
|
|
|
|
if token == "" { // Clearing the token
|
|
// STABILITY FIX: Add nil checks before accessing session values
|
|
if sd.accessSession != nil {
|
|
sd.accessSession.Values["token"] = ""
|
|
sd.accessSession.Values["compressed"] = false
|
|
}
|
|
// sd.accessTokenChunks is already cleared
|
|
return
|
|
}
|
|
|
|
// Compress token.
|
|
compressed := compressToken(token)
|
|
|
|
if len(compressed) <= maxCookieSize {
|
|
// STABILITY FIX: Add nil checks before accessing session values
|
|
if sd.accessSession != nil {
|
|
sd.accessSession.Values["token"] = compressed
|
|
sd.accessSession.Values["compressed"] = true
|
|
}
|
|
} else {
|
|
// Split compressed token into chunks.
|
|
if sd.accessSession != nil {
|
|
sd.accessSession.Values["token"] = "" // Main cookie won't hold the token directly
|
|
sd.accessSession.Values["compressed"] = true // Data in chunks is compressed
|
|
}
|
|
chunks := splitIntoChunks(compressed, maxCookieSize)
|
|
for i, chunkData := range chunks {
|
|
sessionName := fmt.Sprintf("%s_%d", accessTokenCookie, i)
|
|
// Ensure sd.request is available, otherwise log warning or handle error
|
|
if sd.request == nil {
|
|
sd.manager.logger.Infof("SetAccessToken: sd.request is nil, cannot get/create chunk session %s", sessionName)
|
|
// Potentially skip this chunk or error out, depending on desired robustness
|
|
continue
|
|
}
|
|
session, _ := sd.manager.store.Get(sd.request, sessionName)
|
|
session.Values["token_chunk"] = chunkData
|
|
sd.accessTokenChunks[i] = session
|
|
}
|
|
}
|
|
}
|
|
|
|
// GetRefreshToken retrieves the refresh token stored in the session.
|
|
// It handles reassembling the token from multiple cookie chunks if necessary
|
|
// and decompresses it if it was stored compressed.
|
|
//
|
|
// Returns:
|
|
// - The complete, decompressed refresh token string, or an empty string if not found.
|
|
func (sd *SessionData) GetRefreshToken() string {
|
|
token, _ := sd.refreshSession.Values["token"].(string)
|
|
if token != "" {
|
|
compressed, _ := sd.refreshSession.Values["compressed"].(bool)
|
|
if compressed {
|
|
return decompressToken(token)
|
|
}
|
|
return token
|
|
}
|
|
|
|
// Reassemble token from chunks.
|
|
if len(sd.refreshTokenChunks) == 0 {
|
|
return ""
|
|
}
|
|
|
|
var chunks []string
|
|
for i := 0; ; i++ {
|
|
session, ok := sd.refreshTokenChunks[i]
|
|
if !ok {
|
|
break
|
|
}
|
|
chunk, _ := session.Values["token_chunk"].(string)
|
|
chunks = append(chunks, chunk)
|
|
}
|
|
|
|
token = strings.Join(chunks, "")
|
|
compressed, _ := sd.refreshSession.Values["compressed"].(bool)
|
|
if compressed {
|
|
return decompressToken(token)
|
|
}
|
|
return token
|
|
}
|
|
|
|
// SetRefreshToken stores the provided refresh token in the session.
|
|
// It first expires any existing refresh token chunk cookies.
|
|
// It then compresses the token. If the compressed token fits within a single cookie (maxCookieSize),
|
|
// it's stored directly in the primary refresh token session. Otherwise, the compressed token
|
|
// is split into chunks, and each chunk is stored in a separate numbered cookie (_oidc_raczylo_r_0, _oidc_raczylo_r_1, etc.).
|
|
//
|
|
// Parameters:
|
|
// - token: The refresh token string to store.
|
|
func (sd *SessionData) SetRefreshToken(token string) {
|
|
currentRefreshToken := sd.GetRefreshToken()
|
|
if currentRefreshToken == token {
|
|
return
|
|
}
|
|
sd.dirty = true
|
|
|
|
// Expire any existing chunk cookies first.
|
|
if sd.request != nil {
|
|
sd.expireRefreshTokenChunks(nil) // Will be saved when Save() is called.
|
|
}
|
|
|
|
// Clear and prepare chunks map for new token.
|
|
sd.refreshTokenChunks = make(map[int]*sessions.Session)
|
|
|
|
if token == "" { // Clearing the token
|
|
sd.refreshSession.Values["token"] = ""
|
|
sd.refreshSession.Values["compressed"] = false
|
|
// sd.refreshTokenChunks is already cleared
|
|
return
|
|
}
|
|
|
|
// Compress token.
|
|
compressed := compressToken(token)
|
|
|
|
if len(compressed) <= maxCookieSize {
|
|
sd.refreshSession.Values["token"] = compressed
|
|
sd.refreshSession.Values["compressed"] = true
|
|
} else {
|
|
// Split compressed token into chunks.
|
|
sd.refreshSession.Values["token"] = "" // Main cookie won't hold the token directly
|
|
sd.refreshSession.Values["compressed"] = true // Data in chunks is compressed
|
|
chunks := splitIntoChunks(compressed, maxCookieSize)
|
|
for i, chunkData := range chunks {
|
|
sessionName := fmt.Sprintf("%s_%d", refreshTokenCookie, i)
|
|
if sd.request == nil {
|
|
sd.manager.logger.Infof("SetRefreshToken: sd.request is nil, cannot get/create chunk session %s", sessionName)
|
|
continue
|
|
}
|
|
session, _ := sd.manager.store.Get(sd.request, sessionName)
|
|
session.Values["token_chunk"] = chunkData
|
|
sd.refreshTokenChunks[i] = session
|
|
}
|
|
}
|
|
}
|
|
|
|
// expireAccessTokenChunks finds all existing access token chunk cookies (_oidc_raczylo_a_N)
|
|
// associated with the current request, clears their values, and sets their MaxAge to -1.
|
|
// If a ResponseWriter is provided, it attempts to save the expired chunk sessions to send
|
|
// the expiring Set-Cookie headers. This is used internally when setting a new access token.
|
|
//
|
|
// Parameters:
|
|
// - w: The HTTP response writer (optional). If provided, expiring Set-Cookie headers will be sent.
|
|
func (sd *SessionData) expireAccessTokenChunks(w http.ResponseWriter) {
|
|
for i := 0; ; i++ {
|
|
sessionName := fmt.Sprintf("%s_%d", accessTokenCookie, i)
|
|
session, err := sd.manager.store.Get(sd.request, sessionName)
|
|
if err != nil || session.IsNew {
|
|
break
|
|
}
|
|
session.Options.MaxAge = -1
|
|
session.Values = make(map[interface{}]interface{})
|
|
if w != nil {
|
|
if err := session.Save(sd.request, w); err != nil {
|
|
sd.manager.logger.Errorf("failed to save expired access token cookie: %v", err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// expireRefreshTokenChunks finds all existing refresh token chunk cookies (_oidc_raczylo_r_N)
|
|
// associated with the current request, clears their values, and sets their MaxAge to -1.
|
|
// If a ResponseWriter is provided, it attempts to save the expired chunk sessions to send
|
|
// the expiring Set-Cookie headers. This is used internally when setting a new refresh token.
|
|
//
|
|
// Parameters:
|
|
// - w: The HTTP response writer (optional). If provided, expiring Set-Cookie headers will be sent.
|
|
func (sd *SessionData) expireRefreshTokenChunks(w http.ResponseWriter) {
|
|
for i := 0; ; i++ {
|
|
sessionName := fmt.Sprintf("%s_%d", refreshTokenCookie, i)
|
|
session, err := sd.manager.store.Get(sd.request, sessionName)
|
|
if err != nil || session.IsNew {
|
|
break
|
|
}
|
|
session.Options.MaxAge = -1
|
|
session.Values = make(map[interface{}]interface{})
|
|
if w != nil {
|
|
if err := session.Save(sd.request, w); err != nil {
|
|
sd.manager.logger.Errorf("failed to save expired refresh token cookie: %v", err)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
// splitIntoChunks divides a string `s` into a slice of strings, where each element
|
|
// has a maximum length of `chunkSize`.
|
|
//
|
|
// Parameters:
|
|
// - s: The string to split.
|
|
// - chunkSize: The maximum size of each chunk.
|
|
//
|
|
// Returns:
|
|
// - A slice of strings representing the chunks.
|
|
func splitIntoChunks(s string, chunkSize int) []string {
|
|
var chunks []string
|
|
for len(s) > 0 {
|
|
if len(s) > chunkSize {
|
|
chunks = append(chunks, s[:chunkSize])
|
|
s = s[chunkSize:]
|
|
} else {
|
|
chunks = append(chunks, s)
|
|
break
|
|
}
|
|
}
|
|
return chunks
|
|
}
|
|
|
|
// GetCSRF retrieves the Cross-Site Request Forgery (CSRF) token stored in the main session.
|
|
//
|
|
// Returns:
|
|
// - The CSRF token string, or an empty string if not set.
|
|
func (sd *SessionData) GetCSRF() string {
|
|
csrf, _ := sd.mainSession.Values["csrf"].(string)
|
|
return csrf
|
|
}
|
|
|
|
// SetCSRF stores the provided CSRF token string in the main session.
|
|
// This token is typically generated at the start of the authentication flow.
|
|
//
|
|
// Parameters:
|
|
// - token: The CSRF token to store.
|
|
func (sd *SessionData) SetCSRF(token string) {
|
|
currentVal, _ := sd.mainSession.Values["csrf"].(string)
|
|
if currentVal != token {
|
|
sd.mainSession.Values["csrf"] = token
|
|
sd.dirty = true
|
|
}
|
|
}
|
|
|
|
// GetNonce retrieves the OIDC nonce value stored in the main session.
|
|
// The nonce is used to associate an ID token with the specific authentication request.
|
|
//
|
|
// Returns:
|
|
// - The nonce string, or an empty string if not set.
|
|
func (sd *SessionData) GetNonce() string {
|
|
nonce, _ := sd.mainSession.Values["nonce"].(string)
|
|
return nonce
|
|
}
|
|
|
|
// SetNonce stores the provided OIDC nonce string in the main session.
|
|
// This nonce is typically generated at the start of the authentication flow.
|
|
//
|
|
// Parameters:
|
|
// - nonce: The nonce string to store.
|
|
func (sd *SessionData) SetNonce(nonce string) {
|
|
currentVal, _ := sd.mainSession.Values["nonce"].(string)
|
|
if currentVal != nonce {
|
|
sd.mainSession.Values["nonce"] = nonce
|
|
sd.dirty = true
|
|
}
|
|
}
|
|
|
|
// GetCodeVerifier retrieves the PKCE (Proof Key for Code Exchange) code verifier
|
|
// stored in the main session. This is only relevant if PKCE is enabled.
|
|
//
|
|
// Returns:
|
|
// - The code verifier string, or an empty string if not set or PKCE is disabled.
|
|
func (sd *SessionData) GetCodeVerifier() string {
|
|
codeVerifier, _ := sd.mainSession.Values["code_verifier"].(string)
|
|
return codeVerifier
|
|
}
|
|
|
|
// SetCodeVerifier stores the provided PKCE code verifier string in the main session.
|
|
// This is typically called at the start of the authentication flow if PKCE is enabled.
|
|
//
|
|
// Parameters:
|
|
// - codeVerifier: The PKCE code verifier string to store.
|
|
func (sd *SessionData) SetCodeVerifier(codeVerifier string) {
|
|
currentVal, _ := sd.mainSession.Values["code_verifier"].(string)
|
|
if currentVal != codeVerifier {
|
|
sd.mainSession.Values["code_verifier"] = codeVerifier
|
|
sd.dirty = true
|
|
}
|
|
}
|
|
|
|
// GetEmail retrieves the authenticated user's email address stored in the main session.
|
|
// This is typically extracted from the ID token claims after successful authentication.
|
|
//
|
|
// Returns:
|
|
// - The user's email address string, or an empty string if not set.
|
|
func (sd *SessionData) GetEmail() string {
|
|
sd.sessionMutex.RLock()
|
|
defer sd.sessionMutex.RUnlock()
|
|
|
|
email, _ := sd.mainSession.Values["email"].(string)
|
|
return email
|
|
}
|
|
|
|
// SetEmail stores the provided user email address string in the main session.
|
|
// This is typically called after successful authentication and claim extraction.
|
|
//
|
|
// Parameters:
|
|
// - email: The user's email address to store.
|
|
func (sd *SessionData) SetEmail(email string) {
|
|
sd.sessionMutex.Lock()
|
|
defer sd.sessionMutex.Unlock()
|
|
|
|
currentVal, _ := sd.mainSession.Values["email"].(string)
|
|
if currentVal != email {
|
|
sd.mainSession.Values["email"] = email
|
|
sd.dirty = true
|
|
}
|
|
}
|
|
|
|
// GetIncomingPath retrieves the original request URI (including query parameters)
|
|
// that the user was trying to access before being redirected for authentication.
|
|
// This is stored in the main session to allow redirection back after successful login.
|
|
//
|
|
// Returns:
|
|
// - The original request URI string, or an empty string if not set.
|
|
func (sd *SessionData) GetIncomingPath() string {
|
|
path, _ := sd.mainSession.Values["incoming_path"].(string)
|
|
return path
|
|
}
|
|
|
|
// SetIncomingPath stores the original request URI (path and query parameters)
|
|
// in the main session. This is typically called at the start of the authentication flow.
|
|
//
|
|
// Parameters:
|
|
// - path: The original request URI string (e.g., "/protected/resource?id=123").
|
|
func (sd *SessionData) SetIncomingPath(path string) {
|
|
currentVal, _ := sd.mainSession.Values["incoming_path"].(string)
|
|
if currentVal != path {
|
|
sd.mainSession.Values["incoming_path"] = path
|
|
sd.dirty = true
|
|
}
|
|
}
|
|
|
|
// GetIDToken retrieves the ID token stored in the session.
|
|
// It handles reassembling the token from multiple cookie chunks if necessary
|
|
// and decompresses it if it was stored compressed.
|
|
//
|
|
// Returns:
|
|
// - The complete, decompressed ID token string, or an empty string if not found.
|
|
func (sd *SessionData) GetIDToken() string {
|
|
token, _ := sd.mainSession.Values["id_token"].(string)
|
|
if token != "" {
|
|
compressed, _ := sd.mainSession.Values["id_token_compressed"].(bool)
|
|
if compressed {
|
|
return decompressToken(token)
|
|
}
|
|
return token
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// SetIDToken stores the provided ID token in the session.
|
|
//
|
|
// Parameters:
|
|
// - token: The ID token string to store.
|
|
func (sd *SessionData) SetIDToken(token string) {
|
|
currentIDToken := sd.GetIDToken() // Gets fully reassembled, decompressed token
|
|
if currentIDToken == token {
|
|
// This handles cases where token is "" and currentIDToken is also "", no change.
|
|
// Or token is "abc" and currentIDToken is "abc", no change.
|
|
return
|
|
}
|
|
|
|
sd.dirty = true // Mark as dirty because a change is being made
|
|
|
|
if token == "" {
|
|
sd.mainSession.Values["id_token"] = ""
|
|
sd.mainSession.Values["id_token_compressed"] = false
|
|
return
|
|
}
|
|
|
|
// Compress token
|
|
compressed := compressToken(token)
|
|
sd.mainSession.Values["id_token"] = compressed
|
|
sd.mainSession.Values["id_token_compressed"] = true
|
|
}
|
|
|
|
// GetRedirectCount retrieves the current redirect count from the session.
|
|
// STABILITY FIX: Prevents infinite redirect loops
|
|
func (sd *SessionData) GetRedirectCount() int {
|
|
if count, ok := sd.mainSession.Values["redirect_count"].(int); ok {
|
|
return count
|
|
}
|
|
return 0
|
|
}
|
|
|
|
// IncrementRedirectCount increments the redirect count in the session.
|
|
// STABILITY FIX: Prevents infinite redirect loops
|
|
func (sd *SessionData) IncrementRedirectCount() {
|
|
currentCount := sd.GetRedirectCount()
|
|
sd.mainSession.Values["redirect_count"] = currentCount + 1
|
|
sd.dirty = true
|
|
}
|
|
|
|
// ResetRedirectCount resets the redirect count to zero.
|
|
// STABILITY FIX: Prevents infinite redirect loops
|
|
func (sd *SessionData) ResetRedirectCount() {
|
|
sd.mainSession.Values["redirect_count"] = 0
|
|
sd.dirty = true
|
|
}
|