diff options
Diffstat (limited to 'internal/auth/auth.go')
-rw-r--r-- | internal/auth/auth.go | 51 |
1 files changed, 8 insertions, 43 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go index acef051b..6ac7eee2 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -85,41 +85,6 @@ type domain interface { ServeNotFoundAuthFailed(w http.ResponseWriter, r *http.Request) } -func (a *Auth) getSessionFromStore(r *http.Request) (*sessions.Session, error) { - session, err := a.store.Get(r, "gitlab-pages") - - if session != nil { - // Cookie just for this domain - session.Options.Path = "/" - session.Options.HttpOnly = true - session.Options.Secure = request.IsHTTPS(r) - session.Options.MaxAge = authSessionMaxAge - } - - return session, err -} - -func (a *Auth) checkSession(w http.ResponseWriter, r *http.Request) (*sessions.Session, error) { - // Create or get session - session, errsession := a.getSessionFromStore(r) - - if errsession != nil { - // Save cookie again - errsave := session.Save(r, w) - if errsave != nil { - logRequest(r).WithError(errsave).Error(saveSessionErrMsg) - captureErrWithReqAndStackTrace(errsave, r) - httperrors.Serve500(w) - return nil, errsave - } - - http.Redirect(w, r, getRequestAddress(r), http.StatusFound) - return nil, errsession - } - - return session, nil -} - // TryAuthenticate tries to authenticate user and fetch access token if request is a callback to /auth? func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, domains source.Source) bool { if a == nil { @@ -159,7 +124,7 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, domains s return false } -func (a *Auth) checkAuthenticationResponse(session *sessions.Session, w http.ResponseWriter, r *http.Request) { +func (a *Auth) checkAuthenticationResponse(session *hostSession, w http.ResponseWriter, r *http.Request) { if !validateState(r, session) { // State is NOT ok logRequest(r).Warn("Authentication state did not match expected") @@ -233,7 +198,7 @@ func (a *Auth) domainAllowed(ctx context.Context, name string, domains source.So return (domain != nil && err == nil) } -func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, domains source.Source) bool { +func (a *Auth) handleProxyingAuth(session *hostSession, w http.ResponseWriter, r *http.Request, domains source.Source) bool { // handle auth callback e.g. https://gitlab.io/auth?domain=domain&state=state if shouldProxyAuthToGitlab(r) { domain := r.URL.Query().Get("domain") @@ -354,11 +319,11 @@ func shouldProxyAuthToGitlab(r *http.Request) bool { return r.URL.Query().Get("domain") != "" && r.URL.Query().Get("state") != "" } -func shouldProxyCallbackToCustomDomain(session *sessions.Session) bool { +func shouldProxyCallbackToCustomDomain(session *hostSession) bool { return session.Values["proxy_auth_domain"] != nil } -func validateState(r *http.Request, session *sessions.Session) bool { +func validateState(r *http.Request, session *hostSession) bool { state := r.URL.Query().Get("state") if state == "" { // No state param @@ -424,7 +389,7 @@ func (a *Auth) fetchAccessToken(ctx context.Context, code string) (tokenResponse return token, nil } -func (a *Auth) checkSessionIsValid(w http.ResponseWriter, r *http.Request) *sessions.Session { +func (a *Auth) checkSessionIsValid(w http.ResponseWriter, r *http.Request) *hostSession { session, err := a.checkSession(w, r) if err != nil { return nil @@ -438,7 +403,7 @@ func (a *Auth) checkSessionIsValid(w http.ResponseWriter, r *http.Request) *sess return session } -func (a *Auth) checkTokenExists(session *sessions.Session, w http.ResponseWriter, r *http.Request) bool { +func (a *Auth) checkTokenExists(session *hostSession, w http.ResponseWriter, r *http.Request) bool { // If no access token redirect to OAuth login page if session.Values["access_token"] == nil { logRequest(r).Debug("No access token exists, redirecting user to OAuth2 login") @@ -473,7 +438,7 @@ func (a *Auth) getProxyAddress(r *http.Request, state string) string { return fmt.Sprintf(authorizeProxyTemplate, a.redirectURI, getRequestDomain(r), state) } -func destroySession(session *sessions.Session, w http.ResponseWriter, r *http.Request) { +func destroySession(session *hostSession, w http.ResponseWriter, r *http.Request) { logRequest(r).Debug("Destroying session") // Invalidate access token and redirect back for refreshing and re-authenticating @@ -617,7 +582,7 @@ func (a *Auth) CheckResponseForInvalidToken(w http.ResponseWriter, r *http.Reque return false } -func checkResponseForInvalidToken(resp *http.Response, session *sessions.Session, w http.ResponseWriter, r *http.Request) bool { +func checkResponseForInvalidToken(resp *http.Response, session *hostSession, w http.ResponseWriter, r *http.Request) bool { if resp.StatusCode == http.StatusUnauthorized { errResp := errorResponse{} |