From 84190ab19aa9fe414e2440d7582eb8748337c1cd Mon Sep 17 00:00:00 2001
From: Mike Bland
Date: Sat, 9 May 2015 16:48:39 -0400
Subject: [PATCH] Validate user during cookie refresh
---
 oauthproxy.go | 2 +-
 oauthproxy_test.go | 20 +++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/oauthproxy.go b/oauthproxy.go
index 9f099df..12023eb 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -302,7 +302,7 @@ func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (e
 } else if p.CookieRefresh != time.Duration(0) {
 refresh_threshold := time.Now().Add(p.CookieRefresh)
 if refresh_threshold.Unix() > timestamp.Unix() {
- ok = p.ValidateToken(access_token)
+ ok = p.Validator(email) && p.ValidateToken(access_token)
 if ok {
 p.SetCookie(rw, req, value)
 }
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index 2627341..2b792d8 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -397,6 +397,7 @@ type ProcessCookieTest struct {
 req *http.Request
 backend *httptest.Server
 response_code int
+ validate_user bool
 }
 func NewProcessCookieTest() *ProcessCookieTest {
@@ -414,7 +415,7 @@ func NewProcessCookieTest() *ProcessCookieTest {
 pc_test.opts.Validate()
 pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool {
- return true
+ return pc_test.validate_user
 })
 // Now, zero-out proxy.CookieRefresh for the cases that don't involve
@@ -422,6 +423,7 @@ func NewProcessCookieTest() *ProcessCookieTest {
 pc_test.proxy.CookieRefresh = time.Duration(0)
 pc_test.rw = httptest.NewRecorder()
 pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader(""))
+ pc_test.validate_user = true
 return &pc_test
 }
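Review bot: The new `p.Validator(email)` call in the oauthproxy.go hunk sits inside the `else if p.CookieRefresh != time.Duration(0)` branch and under the `refresh_threshold` comparison, so a user removed from the allowed set is rejected only once the cookie enters its refresh window; with refresh disabled, or earlier in the cookie's life, the visible lines never re-check the user. If the validator is an inexpensive in-process predicate (not visible here), consider calling it before the refresh test so revocation takes effect on the next request; otherwise document the delay, e.g. `// Revocation is enforced only at refresh time; a removed user keeps access until then.` Folding both checks into one `&&` also hides which one failed, so a log line on the `!p.Validator(email)` path would let operators tell a deauthorised user from an invalid token. ProcessCookie begins and ends outside the hunk, so earlier branches may already cover part of this.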
@@ -529,3 +531,19 @@ func TestProcessCookieFailIfRefreshSetAndTokenNoLongerValid(t *testing.T) {
 assert.Equal(t, false, ok)
 assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
 }
+
+func TestProcessCookieFailIfRefreshSetAndUserNoLongerValid(t *testing.T) {
+ pc_test := NewProcessCookieTest()
+ pc_test.InstantiateBackend()
+ defer pc_test.Close()
+ pc_test.validate_user = false
+
+ cookie := pc_test.MakeCookie("michael.bland@gsa.gov", "my_access_token")
+ cookie.Expires = time.Now().Add(time.Duration(23) * time.Hour)
+ pc_test.req.AddCookie(cookie)
+
+ pc_test.proxy.CookieRefresh = time.Duration(24) * time.Hour
+ _, _, _, ok := pc_test.ProcessCookie()
+ assert.Equal(t, false, ok)
+ assert.Equal(t, []string(nil), pc_test.rw.HeaderMap["Set-Cookie"])
+}
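Review bot: TestProcessCookieFailIfRefreshSetAndUserNoLongerValid cannot tell which identity reached the validator, because the stub installed in NewProcessCookieTest returns `pc_test.validate_user` without looking at its `email` argument; a regression that passed the wrong value to `p.Validator` would still pass. Consider recording the argument in the stub, `pc_test.validated_email = email` (field name constructed for illustration), and asserting `assert.Equal(t, "michael.bland@gsa.gov", pc_test.validated_email)` here. The test also relies on the backend's default response making the token check succeed, which is not visible in this hunk; a short comment stating that the token is valid and only the user check fails would make clear that the rejection comes from the validator.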