1
0
Fork 0
mirror of https://github.com/miniflux/v2.git synced 2025-07-02 16:38:37 +00:00

Session management refactoring

This commit is contained in:
Frédéric Guillot 2017-12-16 18:07:53 -08:00
parent 58acd1d5e3
commit 00257988ef
26 changed files with 465 additions and 276 deletions

View file

@ -4,23 +4,43 @@
package middleware
type contextKey struct {
// ContextKey represents a context key.
type ContextKey struct {
name string
}
func (c ContextKey) String() string {
return c.name
}
var (
// UserIDContextKey is the context key used to store the user ID.
UserIDContextKey = &contextKey{"UserID"}
UserIDContextKey = &ContextKey{"UserID"}
// UserTimezoneContextKey is the context key used to store the user timezone.
UserTimezoneContextKey = &contextKey{"UserTimezone"}
UserTimezoneContextKey = &ContextKey{"UserTimezone"}
// IsAdminUserContextKey is the context key used to store the user role.
IsAdminUserContextKey = &contextKey{"IsAdminUser"}
IsAdminUserContextKey = &ContextKey{"IsAdminUser"}
// IsAuthenticatedContextKey is the context key used to store the authentication flag.
IsAuthenticatedContextKey = &contextKey{"IsAuthenticated"}
IsAuthenticatedContextKey = &ContextKey{"IsAuthenticated"}
// TokenContextKey is the context key used to store CSRF token.
TokenContextKey = &contextKey{"CSRF"}
// UserSessionTokenContextKey is the context key used to store the user session ID.
UserSessionTokenContextKey = &ContextKey{"UserSessionToken"}
// SessionIDContextKey is the context key used to store the session ID.
SessionIDContextKey = &ContextKey{"SessionID"}
// CSRFContextKey is the context key used to store CSRF token.
CSRFContextKey = &ContextKey{"CSRF"}
// OAuth2StateContextKey is the context key used to store OAuth2 state.
OAuth2StateContextKey = &ContextKey{"OAuth2State"}
// FlashMessageContextKey is the context key used to store a flash message.
FlashMessageContextKey = &ContextKey{"FlashMessage"}
// FlashErrorMessageContextKey is the context key used to store a flash error message.
FlashErrorMessageContextKey = &ContextKey{"FlashErrorMessage"}
)

View file

@ -10,60 +10,66 @@ import (
"github.com/miniflux/miniflux/logger"
"github.com/miniflux/miniflux/model"
"github.com/miniflux/miniflux/server/route"
"github.com/miniflux/miniflux/server/cookie"
"github.com/miniflux/miniflux/storage"
"github.com/gorilla/mux"
)
// SessionMiddleware represents a session middleware.
type SessionMiddleware struct {
store *storage.Storage
router *mux.Router
store *storage.Storage
}
// Handler execute the middleware.
func (s *SessionMiddleware) Handler(next http.Handler) http.Handler {
func (t *SessionMiddleware) Handler(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session := s.getSessionFromCookie(r)
var err error
session := t.getSessionValueFromCookie(r)
if session == nil {
logger.Debug("[Middleware:Session] Session not found")
if s.isPublicRoute(r) {
next.ServeHTTP(w, r)
} else {
http.Redirect(w, r, route.Path(s.router, "login"), http.StatusFound)
session, err = t.store.CreateSession()
if err != nil {
logger.Error("[Middleware:Session] %v", err)
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
http.SetCookie(w, cookie.New(cookie.CookieSessionID, session.ID, r.URL.Scheme == "https"))
} else {
logger.Debug("[Middleware:Session] %s", session)
ctx := r.Context()
ctx = context.WithValue(ctx, UserIDContextKey, session.UserID)
ctx = context.WithValue(ctx, IsAuthenticatedContextKey, true)
next.ServeHTTP(w, r.WithContext(ctx))
}
if r.Method == "POST" {
formValue := r.FormValue("csrf")
headerValue := r.Header.Get("X-Csrf-Token")
if session.Data.CSRF != formValue && session.Data.CSRF != headerValue {
logger.Error(`[Middleware:Session] Invalid or missing CSRF token: Form="%s", Header="%s"`, formValue, headerValue)
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid or missing CSRF session!"))
return
}
}
ctx := r.Context()
ctx = context.WithValue(ctx, SessionIDContextKey, session.ID)
ctx = context.WithValue(ctx, CSRFContextKey, session.Data.CSRF)
ctx = context.WithValue(ctx, OAuth2StateContextKey, session.Data.OAuth2State)
ctx = context.WithValue(ctx, FlashMessageContextKey, session.Data.FlashMessage)
ctx = context.WithValue(ctx, FlashErrorMessageContextKey, session.Data.FlashErrorMessage)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
func (s *SessionMiddleware) isPublicRoute(r *http.Request) bool {
route := mux.CurrentRoute(r)
switch route.GetName() {
case "login", "checkLogin", "stylesheet", "javascript", "oauth2Redirect", "oauth2Callback", "appIcon", "favicon":
return true
default:
return false
}
}
func (s *SessionMiddleware) getSessionFromCookie(r *http.Request) *model.UserSession {
sessionCookie, err := r.Cookie("sessionID")
func (t *SessionMiddleware) getSessionValueFromCookie(r *http.Request) *model.Session {
sessionCookie, err := r.Cookie(cookie.CookieSessionID)
if err == http.ErrNoCookie {
return nil
}
session, err := s.store.UserSessionByToken(sessionCookie.Value)
session, err := t.store.Session(sessionCookie.Value)
if err != nil {
logger.Error("[SessionMiddleware] %v", err)
logger.Error("[Middleware:Session] %v", err)
return nil
}
@ -71,6 +77,6 @@ func (s *SessionMiddleware) getSessionFromCookie(r *http.Request) *model.UserSes
}
// NewSessionMiddleware returns a new SessionMiddleware.
func NewSessionMiddleware(s *storage.Storage, r *mux.Router) *SessionMiddleware {
return &SessionMiddleware{store: s, router: r}
func NewSessionMiddleware(s *storage.Storage) *SessionMiddleware {
return &SessionMiddleware{store: s}
}

View file

@ -1,81 +0,0 @@
// Copyright 2017 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
package middleware
import (
"context"
"net/http"
"github.com/miniflux/miniflux/logger"
"github.com/miniflux/miniflux/model"
"github.com/miniflux/miniflux/storage"
)
// TokenMiddleware represents a token middleware.
type TokenMiddleware struct {
store *storage.Storage
}
// Handler execute the middleware.
func (t *TokenMiddleware) Handler(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
var err error
token := t.getTokenValueFromCookie(r)
if token == nil {
logger.Debug("[Middleware:Token] Token not found")
token, err = t.store.CreateToken()
if err != nil {
logger.Error("[Middleware:Token] %v", err)
http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
return
}
cookie := &http.Cookie{
Name: "tokenID",
Value: token.ID,
Path: "/",
Secure: r.URL.Scheme == "https",
HttpOnly: true,
}
http.SetCookie(w, cookie)
} else {
logger.Info("[Middleware:Token] %s", token)
}
isTokenValid := token.Value == r.FormValue("csrf") || token.Value == r.Header.Get("X-Csrf-Token")
if r.Method == "POST" && !isTokenValid {
logger.Error("[Middleware:CSRF] Invalid or missing CSRF token!")
w.WriteHeader(http.StatusBadRequest)
w.Write([]byte("Invalid or missing CSRF token!"))
} else {
ctx := r.Context()
ctx = context.WithValue(ctx, TokenContextKey, token.Value)
next.ServeHTTP(w, r.WithContext(ctx))
}
})
}
func (t *TokenMiddleware) getTokenValueFromCookie(r *http.Request) *model.Token {
tokenCookie, err := r.Cookie("tokenID")
if err == http.ErrNoCookie {
return nil
}
token, err := t.store.Token(tokenCookie.Value)
if err != nil {
logger.Error("[Middleware:Token] %v", err)
return nil
}
return token
}
// NewTokenMiddleware returns a new TokenMiddleware.
func NewTokenMiddleware(s *storage.Storage) *TokenMiddleware {
return &TokenMiddleware{store: s}
}

View file

@ -0,0 +1,78 @@
// Copyright 2017 Frédéric Guillot. All rights reserved.
// Use of this source code is governed by the Apache 2.0
// license that can be found in the LICENSE file.
package middleware
import (
"context"
"net/http"
"github.com/miniflux/miniflux/logger"
"github.com/miniflux/miniflux/model"
"github.com/miniflux/miniflux/server/cookie"
"github.com/miniflux/miniflux/server/route"
"github.com/miniflux/miniflux/storage"
"github.com/gorilla/mux"
)
// UserSessionMiddleware represents a user session middleware.
type UserSessionMiddleware struct {
store *storage.Storage
router *mux.Router
}
// Handler execute the middleware.
func (s *UserSessionMiddleware) Handler(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session := s.getSessionFromCookie(r)
if session == nil {
logger.Debug("[Middleware:UserSession] Session not found")
if s.isPublicRoute(r) {
next.ServeHTTP(w, r)
} else {
http.Redirect(w, r, route.Path(s.router, "login"), http.StatusFound)
}
} else {
logger.Debug("[Middleware:UserSession] %s", session)
ctx := r.Context()
ctx = context.WithValue(ctx, UserIDContextKey, session.UserID)
ctx = context.WithValue(ctx, IsAuthenticatedContextKey, true)
ctx = context.WithValue(ctx, UserSessionTokenContextKey, session.Token)
next.ServeHTTP(w, r.WithContext(ctx))
}
})
}
func (s *UserSessionMiddleware) isPublicRoute(r *http.Request) bool {
route := mux.CurrentRoute(r)
switch route.GetName() {
case "login", "checkLogin", "stylesheet", "javascript", "oauth2Redirect", "oauth2Callback", "appIcon", "favicon":
return true
default:
return false
}
}
func (s *UserSessionMiddleware) getSessionFromCookie(r *http.Request) *model.UserSession {
sessionCookie, err := r.Cookie(cookie.CookieUserSessionID)
if err == http.ErrNoCookie {
return nil
}
session, err := s.store.UserSessionByToken(sessionCookie.Value)
if err != nil {
logger.Error("[Middleware:UserSession] %v", err)
return nil
}
return session
}
// NewUserSessionMiddleware returns a new UserSessionMiddleware.
func NewUserSessionMiddleware(s *storage.Storage, r *mux.Router) *UserSessionMiddleware {
return &UserSessionMiddleware{store: s, router: r}
}