diff --git a/CHANGELOG.md b/CHANGELOG.md index e2d38df..d122a22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ - Use JSON to encode session state to be stored in browser cookies - Implement legacy decode function to support existing cookies generated by older versions - Add detailed table driven tests in session_state_test.go +- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru) - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer) - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer) - [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr) diff --git a/providers/session_state.go b/providers/session_state.go index 4741b4a..5d4a892 100644 --- a/providers/session_state.go +++ b/providers/session_state.go @@ -62,6 +62,18 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) { } else { ss = *s var err error + if ss.Email != "" { + ss.Email, err = c.Encrypt(ss.Email) + if err != nil { + return "", err + } + } + if ss.User != "" { + ss.User, err = c.Encrypt(ss.User) + if err != nil { + return "", err + } + } if ss.AccessToken != "" { ss.AccessToken, err = c.Encrypt(ss.AccessToken) if err != nil { @@ -172,6 +184,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) { User: ss.User, } } else { + // Backward compatibility with using unecrypted Email + if ss.Email != "" { + decryptedEmail, errEmail := c.Decrypt(ss.Email) + if errEmail == nil { + ss.Email = decryptedEmail + } + } + // Backward compatibility with using unecrypted User + if ss.User != "" { + decryptedUser, errUser := c.Decrypt(ss.User) + if errUser == nil { + ss.User = decryptedUser + } + } if ss.AccessToken != "" { ss.AccessToken, err = c.Decrypt(ss.AccessToken) if err != nil { diff --git a/providers/session_state_test.go b/providers/session_state_test.go index 9557eea..dee81bb 100644 --- a/providers/session_state_test.go +++ b/providers/session_state_test.go @@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) { ss, err = DecodeSessionState(encoded, c2) t.Logf("%#v", ss) assert.Equal(t, nil, err) - assert.Equal(t, "user", ss.User) - assert.Equal(t, s.Email, ss.Email) + assert.NotEqual(t, "user", ss.User) + assert.NotEqual(t, s.Email, ss.Email) assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix()) assert.NotEqual(t, s.AccessToken, ss.AccessToken) assert.NotEqual(t, s.IDToken, ss.IDToken) @@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) { ss, err = DecodeSessionState(encoded, c2) t.Logf("%#v", ss) assert.Equal(t, nil, err) - assert.Equal(t, s.User, ss.User) - assert.Equal(t, s.Email, ss.Email) + assert.NotEqual(t, s.User, ss.User) + assert.NotEqual(t, s.Email, ss.Email) assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix()) assert.NotEqual(t, s.AccessToken, ss.AccessToken) assert.NotEqual(t, s.RefreshToken, ss.RefreshToken) @@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) { ExpiresOn: e, RefreshToken: "refresh4321", }, - Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString), + Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString), Cipher: c, }, { @@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) { Email: "user@domain.com", User: "just-user", }, - Encoded: `{"Email":"user@domain.com","User":"just-user"}`, + Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`, Cipher: c, }, {