Merge pull request #120 from costelmoraru/session_state_email

Encrypting user/email from cookie
Joel Speed 2019-04-10 13:57:56 +01:00 committed by GitHub
commit 3f4420fd58
3 changed files with 33 additions and 6 deletions


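--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -8,6 +8,7 @@
 - Use JSON to encode session state to be stored in browser cookies
 - Implement legacy decode function to support existing cookies generated by older versions
 - Add detailed table driven tests in session_state_test.go
+- [#120](https://github.com/pusher/oauth2_proxy/pull/120) Encrypting user/email from cookie (@costelmoraru)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added login.gov provider (@timothy-spencer)
 - [#55](https://github.com/pusher/oauth2_proxy/pull/55) Added environment variables for all config options (@timothy-spencer)
 - [#70](https://github.com/pusher/oauth2_proxy/pull/70) Fix handling of splitted cookies (@einfachchr)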


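--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -62,6 +62,18 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
 } else {
 ss = *s
 var err error
+if ss.Email != "" {
+ss.Email, err = c.Encrypt(ss.Email)
+if err != nil {
+return "", err
+}
+}
+if ss.User != "" {
+ss.User, err = c.Encrypt(ss.User)
+if err != nil {
+return "", err
+}
+}
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Encrypt(ss.AccessToken)
 if err != nil {
@@ -172,6 +184,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
 User: ss.User,
 }
 } else {
+// Backward compatibility with using unecrypted Email
+if ss.Email != "" {
+decryptedEmail, errEmail := c.Decrypt(ss.Email)
+if errEmail == nil {
+ss.Email = decryptedEmail
+}
+}
+// Backward compatibility with using unecrypted User
+if ss.User != "" {
+decryptedUser, errUser := c.Decrypt(ss.User)
+if errUser == nil {
+ss.User = decryptedUser
+}
+}
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Decrypt(ss.AccessToken)
 if err != nil {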
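Review bot: The Email and User branches added to DecodeSessionState swallow the Decrypt error and keep the raw cookie field, so a value that was actually encrypted but fails to decrypt (a changed cookie secret is the obvious case) is passed on as the user's identity string instead of producing an error, unlike AccessToken two lines below, whose decrypt error is returned. The fallback also has no end: any plaintext Email/User in a cookie is accepted indefinitely, and nothing distinguishes "legacy cookie" from "decryption failed" because the failure is neither logged nor surfaced. At minimum I would record the failure through whatever logger this package already uses and leave a marker on each branch, e.g. `// TODO: remove the plaintext fallback once pre-#120 cookies have expired; a decrypt failure on an encrypted value currently yields the ciphertext as Email/User`; a stricter option is to treat decrypt failure like AccessToken does and drop the fallback after a release cycle. Both comments also misspell "unencrypted". The enclosing functions EncodeSessionState and DecodeSessionState begin and end outside these hunks, so the `c == nil` handling that presumably precedes the `else` is not visible here.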


@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) {
ss, err = DecodeSessionState(encoded, c2) ss, err = DecodeSessionState(encoded, c2)
t.Logf("%#v", ss) t.Logf("%#v", ss)
assert.Equal(t, nil, err) assert.Equal(t, nil, err)
assert.Equal(t, "user", ss.User) assert.NotEqual(t, "user", ss.User)
assert.Equal(t, s.Email, ss.Email) assert.NotEqual(t, s.Email, ss.Email)
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix()) assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
assert.NotEqual(t, s.AccessToken, ss.AccessToken) assert.NotEqual(t, s.AccessToken, ss.AccessToken)
assert.NotEqual(t, s.IDToken, ss.IDToken) assert.NotEqual(t, s.IDToken, ss.IDToken)
@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) {
ss, err = DecodeSessionState(encoded, c2) ss, err = DecodeSessionState(encoded, c2)
t.Logf("%#v", ss) t.Logf("%#v", ss)
assert.Equal(t, nil, err) assert.Equal(t, nil, err)
assert.Equal(t, s.User, ss.User) assert.NotEqual(t, s.User, ss.User)
assert.Equal(t, s.Email, ss.Email) assert.NotEqual(t, s.Email, ss.Email)
assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix()) assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
assert.NotEqual(t, s.AccessToken, ss.AccessToken) assert.NotEqual(t, s.AccessToken, ss.AccessToken)
assert.NotEqual(t, s.RefreshToken, ss.RefreshToken) assert.NotEqual(t, s.RefreshToken, ss.RefreshToken)
@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) {
ExpiresOn: e, ExpiresOn: e,
RefreshToken: "refresh4321", RefreshToken: "refresh4321",
}, },
Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString), Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
Cipher: c, Cipher: c,
}, },
{ {
@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) {
Email: "user@domain.com", Email: "user@domain.com",
User: "just-user", User: "just-user",
}, },
Encoded: `{"Email":"user@domain.com","User":"just-user"}`, Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
Cipher: c, Cipher: c,
}, },
{ {
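Review bot: None of the changed tests exercises the new plaintext-fallback branch in DecodeSessionState, which is the part of the change most likely to regress silently; the TestDecodeSessionState table entries here replace the plaintext Email/User fixtures with ciphertext, so the legacy path is now untested. I would keep one table entry whose Encoded JSON still carries plaintext `"Email":"user@domain.com","User":"just-user"` and expects those exact values back, plus one entry whose Email ciphertext was produced under a different key, stating explicitly what the decoder should return in that case. The switched `assert.NotEqual` checks against c2 in the first two hunks only show the decoded value is not the plaintext; they would pass both when Decrypt under the wrong key yields garbage and when it errors and the ciphertext is kept, so they do not pin which behaviour is intended. The enclosing test functions start and end outside these hunks.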