From 4f7517b2f91cca30a71cb8a8c7f6efa0d83b6008 Mon Sep 17 00:00:00 2001
From: Costel Moraru
Date: Tue, 9 Apr 2019 14:55:33 +0300
Subject: [PATCH] Encrypting user/email from cookie
---
 providers/session_state.go | 27 +++++++++++++++++++++++++++
 providers/session_state_test.go | 12 ++++++------
 2 files changed, 33 insertions(+), 6 deletions(-)
diff --git a/providers/session_state.go b/providers/session_state.go
index 4741b4a..10cbba4 100644
--- a/providers/session_state.go
+++ b/providers/session_state.go
@@ -62,6 +62,19 @@ func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) {
 } else {
 ss = *s
 var err error
+ // Encrypt also Email and User when cipher is provided
+ if ss.Email != "" {
+ ss.Email, err = c.Encrypt(ss.Email)
+ if err != nil {
+ return "", err
+ }
+ }
+ if ss.User != "" {
+ ss.User, err = c.Encrypt(ss.User)
+ if err != nil {
+ return "", err
+ }
+ }
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Encrypt(ss.AccessToken)
 if err != nil {
@@ -172,6 +185,20 @@ func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) {
 User: ss.User,
 }
 } else {
+ // Backward compatibility with using unecrypted Email
+ if ss.Email != "" {
+ decryptedEmail, err := c.Decrypt(ss.Email)
+ if err == nil {
+ ss.Email = decryptedEmail
+ }
+ }
+ // Backward compatibility with using unecrypted User
+ if ss.User != "" {
+ decryptedUser, err := c.Decrypt(ss.User)
+ if err == nil {
+ ss.User = decryptedUser
+ }
+ }
 if ss.AccessToken != "" {
 ss.AccessToken, err = c.Decrypt(ss.AccessToken)
 if err != nil {
diff --git a/providers/session_state_test.go b/providers/session_state_test.go
index 9557eea..dee81bb 100644
--- a/providers/session_state_test.go
+++ b/providers/session_state_test.go
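Review bot: The backward-compatibility fallback added to DecodeSessionState accepts any Email or User value that fails `c.Decrypt` as plaintext, so the decision between "encrypted cookie" and "legacy cookie" rests entirely on whether decryption errors, and the error itself is discarded without a trace. Whether that is a reliable signal depends on the `cookie.Cipher` implementation, which is not visible in this hunk: if Decrypt only fails on base64 or length problems rather than on an authentication check, a legacy value that happens to look like a valid payload is "decrypted" into garbage and silently accepted, while a genuine decryption failure leaves the raw cookie value in the session as the user's identity. Consider bounding the compatibility window and making the intent explicit, e.g. `// TODO(compat): remove the plaintext fallback once cookies issued before this change have expired`, and at minimum recording the ignored error so a stale or tampered cookie is observable rather than quietly normalised. The two blocks are identical apart from the field; a small closure such as `decryptOrKeep := func(v string) string { if d, err := c.Decrypt(v); err == nil { return d }; return v }` would remove the duplication. DecodeSessionState continues outside the hunk.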
@@ -41,8 +41,8 @@ func TestSessionStateSerialization(t *testing.T) {
 ss, err = DecodeSessionState(encoded, c2)
 t.Logf("%#v", ss)
 assert.Equal(t, nil, err)
- assert.Equal(t, "user", ss.User)
- assert.Equal(t, s.Email, ss.Email)
+ assert.NotEqual(t, "user", ss.User)
+ assert.NotEqual(t, s.Email, ss.Email)
 assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 assert.NotEqual(t, s.IDToken, ss.IDToken)
@@ -77,8 +77,8 @@ func TestSessionStateSerializationWithUser(t *testing.T) {
 ss, err = DecodeSessionState(encoded, c2)
 t.Logf("%#v", ss)
 assert.Equal(t, nil, err)
- assert.Equal(t, s.User, ss.User)
- assert.Equal(t, s.Email, ss.Email)
+ assert.NotEqual(t, s.User, ss.User)
+ assert.NotEqual(t, s.Email, ss.Email)
 assert.Equal(t, s.ExpiresOn.Unix(), ss.ExpiresOn.Unix())
 assert.NotEqual(t, s.AccessToken, ss.AccessToken)
 assert.NotEqual(t, s.RefreshToken, ss.RefreshToken)
@@ -229,7 +229,7 @@ func TestDecodeSessionState(t *testing.T) {
 ExpiresOn: e,
 RefreshToken: "refresh4321",
 },
- Encoded: fmt.Sprintf(`{"Email":"user@domain.com","User":"just-user","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
+ Encoded: fmt.Sprintf(`{"Email":"FsKKYrTWZWrxSOAqA/fTNAUZS5QWCqOBjuAbBlbVOw==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw==","AccessToken":"I6s+ml+/MldBMgHIiC35BTKTh57skGX24w==","IDToken":"xojNdyyjB1HgYWh6XMtXY/Ph5eCVxa1cNsklJw==","RefreshToken":"qEX0x6RmASxo4dhlBG6YuRs9Syn/e9sHu/+K","ExpiresOn":%s}`, eString),
 Cipher: c,
 },
 {
@@ -237,7 +237,7 @@ func TestDecodeSessionState(t *testing.T) {
 Email: "user@domain.com",
 User: "just-user",
 },
- Encoded: `{"Email":"user@domain.com","User":"just-user"}`,
+ Encoded: `{"Email":"EGTllJcOFC16b7LBYzLekaHAC5SMMSPdyUrg8hd25g==","User":"rT6JP3dxQhxUhkWrrd7yt6c1mDVyQCVVxw=="}`,
 Cipher: c,
 },
 {
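Review bot: The `assert.NotEqual` lines added for the c2 decode in TestSessionStateSerialization only establish that a wrong-key decode does not reproduce the plaintext; they pass equally whether DecodeSessionState left the ciphertext in `ss.Email` because `c2.Decrypt` errored and the new compatibility fallback kept the raw value, or whether decryption "succeeded" into garbage. If the intent is to prove that a cookie sealed under a different key is not accepted as an identity, the stronger expectation is an error from DecodeSessionState, but the swallow-on-error fallback in the decode hunk makes that unreachable, so this is a limitation of the design worth recording in a test comment such as `// NOTE: wrong-key decode cannot fail here because the decoder falls back to the raw value; only non-disclosure is asserted`. If the part of this test above the hunk already round-trips with `c` and asserts equality, the same-key path is covered; that code is outside the hunk. The parallel hunk in TestSessionStateSerializationWithUser has the same property.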
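Review bot: The plaintext `Encoded` inputs that the @@ -229 and @@ -237 hunks rewrite were the only table entries that would have exercised the new backward-compatibility path in DecodeSessionState, so after this change nothing asserts that a pre-upgrade cookie still decodes when a cipher is configured. Rather than replacing those cases, keep one alongside the encrypted variants, e.g. add a table entry with `Encoded: `{"Email":"user@domain.com","User":"just-user"}`,` and `Cipher: c,` expecting the same `Email: "user@domain.com", User: "just-user"` SessionState, so a later removal of the fallback is a deliberate, visible test change. The hard-coded ciphertexts are only valid for the test's fixed cipher key; a one-line comment above the table stating which key produced them would save the next maintainer from regenerating them blind.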