From bd4eae8fec75d885295a936c53eaf33e8506e217 Mon Sep 17 00:00:00 2001 From: Mike Bland Date: Sat, 9 May 2015 16:08:55 -0400 Subject: [PATCH] Store access token when cookie-refresh is set cookie-refresh now no longer requires pass-access-token in order to work. --- oauthproxy.go | 6 ++++-- oauthproxy_test.go | 7 ++++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/oauthproxy.go b/oauthproxy.go index 1726515..c91441b 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -49,6 +49,7 @@ type OauthProxy struct { DisplayHtpasswdForm bool serveMux http.Handler PassBasicAuth bool + PassAccessToken bool AesCipher cipher.Block skipAuthRegex []string compiledRegex []*regexp.Regexp @@ -122,7 +123,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy { log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain) var aes_cipher cipher.Block - if opts.PassAccessToken { + if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) { var err error aes_cipher, err = aes.NewCipher([]byte(opts.CookieSecret)) if err != nil { @@ -153,6 +154,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy { skipAuthRegex: opts.SkipAuthRegex, compiledRegex: opts.CompiledRegex, PassBasicAuth: opts.PassBasicAuth, + PassAccessToken: opts.PassAccessToken, AesCipher: aes_cipher, templates: loadTemplates(opts.CustomTemplatesDir), } @@ -496,7 +498,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) { req.Header["X-Forwarded-User"] = []string{user} req.Header["X-Forwarded-Email"] = []string{email} } - if access_token != "" { + if p.PassAccessToken { req.Header["X-Forwarded-Access-Token"] = []string{access_token} } if email == "" { diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 4946a43..1823896 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go @@ -407,14 +407,19 @@ func NewProcessCookieTest() *ProcessCookieTest { pc_test.opts.CookieSecret = "foobar" pc_test.opts.ClientID = "bazquux" pc_test.opts.ClientSecret = "xyzzyplugh" - pc_test.opts.PassAccessToken = true pc_test.opts.CookieSecret = "0123456789abcdef" + // First, set the CookieRefresh option so proxy.AesCipher is created, + // needed to encrypt the access_token. + pc_test.opts.CookieRefresh = time.Duration(24) * time.Hour pc_test.opts.Validate() pc_test.proxy = NewOauthProxy(pc_test.opts, func(email string) bool { return true }) + // Now, zero-out proxy.CookieRefresh for the cases that don't involve + // access_token validation. + pc_test.proxy.CookieRefresh = time.Duration(0) pc_test.rw = httptest.NewRecorder() pc_test.req, _ = http.NewRequest("GET", "/", strings.NewReader("")) return &pc_test