token-validator: use cookies instead of localStorage to store auth token
This commit is contained in:
parent
72a4015288
commit
a4a7b48a4f
|
|
@ -1,9 +1,11 @@
|
|||
package main
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/julienschmidt/httprouter"
|
||||
)
|
||||
|
|
@ -12,55 +14,84 @@ var AuthFunc = checkAuth
|
|||
|
||||
func init() {
|
||||
router.GET("/api/auth", apiAuthHandler(validateAuthToken))
|
||||
router.POST("/api/auth", apiHandler(func(ps httprouter.Params, body []byte) (interface{}, error) {
|
||||
return AuthFunc(ps, body)
|
||||
router.POST("/api/auth", apiRawHandler(func(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
|
||||
return AuthFunc(w, ps, body)
|
||||
}))
|
||||
router.POST("/api/auth/logout", apiRawHandler(logout))
|
||||
}
|
||||
|
||||
func validateAuthToken(s Student, _ httprouter.Params, _ []byte) (interface{}, error) {
|
||||
return s, nil
|
||||
}
|
||||
|
||||
func logout(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "auth",
|
||||
Value: "",
|
||||
Path: baseURL,
|
||||
Expires: time.Unix(0,0),
|
||||
Secure: true,
|
||||
HttpOnly: true,
|
||||
})
|
||||
|
||||
return true, nil
|
||||
}
|
||||
|
||||
type loginForm struct {
|
||||
Username string
|
||||
Password string
|
||||
}
|
||||
|
||||
func dummyAuth(_ httprouter.Params, body []byte) (interface{}, error) {
|
||||
var lf loginForm
|
||||
if err := json.Unmarshal(body, &lf); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
func completeAuth(w http.ResponseWriter, username string, session *Session) (err error) {
|
||||
var std Student
|
||||
var err error
|
||||
if !studentExists(lf.Username) {
|
||||
if std, err = NewStudent(lf.Username); err != nil {
|
||||
return nil, err
|
||||
if !studentExists(username) {
|
||||
if std, err = NewStudent(username); err != nil {
|
||||
return err
|
||||
}
|
||||
} else if std, err = getStudentByLogin(lf.Username); err != nil {
|
||||
return nil, err
|
||||
} else if std, err = getStudentByLogin(username); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if session == nil {
|
||||
var s Session
|
||||
s, err = std.NewSession()
|
||||
session = &s
|
||||
} else {
|
||||
_, err = session.SetStudent(std)
|
||||
}
|
||||
|
||||
session, err := std.NewSession()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
|
||||
res := map[string]interface{}{}
|
||||
res["status"] = "OK"
|
||||
res["id_session"] = session.Id
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "auth",
|
||||
Value: base64.StdEncoding.EncodeToString(session.Id),
|
||||
Path: baseURL,
|
||||
Expires: time.Now().Add(30 * 24 * time.Hour),
|
||||
Secure: true,
|
||||
HttpOnly: true,
|
||||
})
|
||||
|
||||
return res, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
|
||||
func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
||||
var lf loginForm
|
||||
if err := json.Unmarshal(body, &lf); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2020/", nil); err != nil {
|
||||
return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
|
||||
}
|
||||
|
||||
func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
|
||||
var lf loginForm
|
||||
if err := json.Unmarshal(body, &lf); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2021/", nil); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
r.SetBasicAuth(lf.Username, lf.Password)
|
||||
|
|
@ -71,7 +102,7 @@ func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
|
|||
defer resp.Body.Close()
|
||||
|
||||
if resp.StatusCode == http.StatusOK {
|
||||
return dummyAuth(nil, body)
|
||||
return dummyAuth(w, nil, body)
|
||||
} else {
|
||||
return nil, errors.New(`{"status": "Invalid username or password"}`)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -109,7 +109,7 @@ CREATE TABLE IF NOT EXISTS student_pong(
|
|||
if _, err := db.Exec(`
|
||||
CREATE TABLE IF NOT EXISTS student_sessions(
|
||||
id_session BLOB(255) NOT NULL,
|
||||
id_student INTEGER NOT NULL,
|
||||
id_student INTEGER,
|
||||
time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||
FOREIGN KEY(id_student) REFERENCES students(id_student)
|
||||
) DEFAULT CHARACTER SET = utf8 COLLATE = utf8_bin;
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ import (
|
|||
"log"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/julienschmidt/httprouter"
|
||||
|
|
@ -51,13 +50,16 @@ func rawHandler(f func(http.ResponseWriter, *http.Request, httprouter.Params, []
|
|||
|
||||
// Read Authorization header
|
||||
var student *Student = nil
|
||||
if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) == 2 && flds[0] == "Bearer" {
|
||||
if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil {
|
||||
if cookie, err := r.Cookie("auth"); err == nil {
|
||||
if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
|
||||
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusNotAcceptable)
|
||||
return
|
||||
} else if session, err := getSession(sessionid); err != nil {
|
||||
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
|
||||
return
|
||||
} else if std, err := getStudent(int(session.IdStudent)); err != nil {
|
||||
} else if session.IdStudent == nil {
|
||||
student = nil
|
||||
} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
|
||||
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
|
||||
return
|
||||
} else {
|
||||
|
|
@ -156,13 +158,15 @@ func apiHandler(f DispatchFunction, access ...func(*Student, *http.Request) erro
|
|||
|
||||
func apiAuthHandler(f func(Student, httprouter.Params, []byte) (interface{}, error), access ...func(*Student, *http.Request) error) func(http.ResponseWriter, *http.Request, httprouter.Params) {
|
||||
return rawHandler(responseHandler(func (r *http.Request, ps httprouter.Params, b []byte) (interface{}, error) {
|
||||
if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) != 2 || flds[0] != "Bearer" {
|
||||
if cookie, err := r.Cookie("auth"); err != nil {
|
||||
return nil, errors.New("Authorization required")
|
||||
} else if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil {
|
||||
} else if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
|
||||
return nil, err
|
||||
} else if session, err := getSession(sessionid); err != nil {
|
||||
return nil, err
|
||||
} else if std, err := getStudent(int(session.IdStudent)); err != nil {
|
||||
} else if session.IdStudent == nil {
|
||||
return nil, errors.New("Authorization required")
|
||||
} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
return f(std, ps, b)
|
||||
|
|
|
|||
|
|
@ -35,18 +35,9 @@ angular.module("AdLinApp")
|
|||
angular.module("AdLinApp")
|
||||
.run(function($rootScope, $interval, $http) {
|
||||
$rootScope.checkLoginState = function() {
|
||||
if (sessionStorage.token === undefined) {
|
||||
$rootScope.isLogged = false;
|
||||
return;
|
||||
}
|
||||
|
||||
var token = sessionStorage.token;
|
||||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/auth",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + token
|
||||
}
|
||||
}).then(function(response) {
|
||||
$rootScope.isLogged = response.data;
|
||||
$rootScope.student = response.data;
|
||||
|
|
@ -58,9 +49,13 @@ angular.module("AdLinApp")
|
|||
$interval($rootScope.checkLoginState, 20000);
|
||||
|
||||
$rootScope.disconnectCurrentUser = function() {
|
||||
sessionStorage.token = undefined;
|
||||
delete sessionStorage.token;
|
||||
$rootScope.isLogged = false;
|
||||
$http({
|
||||
method: 'POST',
|
||||
url: "/api/auth/logout"
|
||||
}).then(function(response) {
|
||||
$rootScope.isLogged = false;
|
||||
$rootScope.student = null;
|
||||
});
|
||||
}
|
||||
})
|
||||
|
||||
|
|
@ -88,7 +83,6 @@ angular.module("AdLinApp")
|
|||
url: "/api/auth",
|
||||
data: $scope.auth
|
||||
}).then(function(response) {
|
||||
sessionStorage.token = response.data.id_session
|
||||
$scope.pleaseWait = false;
|
||||
$rootScope.checkLoginState();
|
||||
$location.url("/");
|
||||
|
|
@ -105,9 +99,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/wginfo",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
}
|
||||
}).then(function(response) {
|
||||
$scope.wginfo = response.data;
|
||||
});
|
||||
|
|
@ -118,9 +109,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/wg/",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
}
|
||||
}).then(function(response) {
|
||||
$scope.tunnels = response.data;
|
||||
}, function(response) {
|
||||
|
|
@ -136,9 +124,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'POST',
|
||||
url: "/api/wg/",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
data: {}
|
||||
}).then(function(response) {
|
||||
$scope.updateTunnelsList();
|
||||
|
|
@ -154,9 +139,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'DELETE',
|
||||
url: "/api/wg/" + tunnel.TokenText,
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
data: {}
|
||||
}).then(function(response) {
|
||||
$scope.updateTunnelsList();
|
||||
|
|
@ -184,18 +166,12 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/adomains/",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
$scope.adomains = [];
|
||||
response.data.forEach(function(domain) {
|
||||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/adomains/" + domain,
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
response.data.forEach(function(rr) {
|
||||
$scope.adomains.push(rr);
|
||||
|
|
@ -213,9 +189,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/ddomains/",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
response.data.forEach(function(domain) {
|
||||
$scope.ddomains = response.data;
|
||||
|
|
@ -231,9 +204,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'POST',
|
||||
url: "/api/adomains/",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
$scope.updateAssociationD();
|
||||
$scope.pleaseWaitNewAssociation = false;
|
||||
|
|
@ -308,9 +278,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: (nsrr.valuesfrom !== undefined)?'PATCH':'POST',
|
||||
url: "/api/ddomains/" + nsrr.domain + "/" + nsrr.rr,
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
data: nsrr,
|
||||
}).then(function(response) {
|
||||
$('#NSModal').modal('hide');
|
||||
|
|
@ -325,9 +292,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'DELETE',
|
||||
url: "/api/ddomains/" + domain + "/" + rr.rr,
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
data: rr,
|
||||
}).then(function(response) {
|
||||
callOnUpdateEvt();
|
||||
|
|
@ -344,9 +308,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/ddomains/" + $scope.domain + "/NS",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
$scope.domainNS = response.data;
|
||||
});
|
||||
|
|
@ -360,9 +321,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/ddomains/" + $scope.domain + "/GLUE",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
$scope.domainGLUE = response.data;
|
||||
});
|
||||
|
|
@ -376,9 +334,6 @@ angular.module("AdLinApp")
|
|||
$http({
|
||||
method: 'GET',
|
||||
url: "/api/ddomains/" + $scope.domain + "/DS",
|
||||
headers: {
|
||||
'Authorization': "Bearer " + sessionStorage.token
|
||||
},
|
||||
}).then(function(response) {
|
||||
$scope.domainDS = response.data;
|
||||
});
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ import (
|
|||
"syscall"
|
||||
)
|
||||
|
||||
var baseURL string = "/"
|
||||
var sharedSecret string
|
||||
|
||||
type ResponseWriterPrefix struct {
|
||||
|
|
@ -59,7 +60,7 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
|
|||
func main() {
|
||||
var bind = flag.String("bind", ":8081", "Bind port/socket")
|
||||
var dsn = flag.String("dsn", DSNGenerator(), "DSN to connect to the MySQL server")
|
||||
var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
|
||||
flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
|
||||
flag.StringVar(&sharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
|
||||
flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
|
||||
flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
|
||||
|
|
@ -72,12 +73,10 @@ func main() {
|
|||
if err = sanitizeStaticOptions(); err != nil {
|
||||
log.Fatal(err)
|
||||
}
|
||||
if *baseURL != "/" {
|
||||
tmp := path.Clean(*baseURL)
|
||||
baseURL = &tmp
|
||||
if baseURL != "/" {
|
||||
baseURL = path.Clean(baseURL)
|
||||
} else {
|
||||
tmp := ""
|
||||
baseURL = &tmp
|
||||
baseURL = ""
|
||||
}
|
||||
|
||||
if *dummyauth {
|
||||
|
|
@ -102,7 +101,7 @@ func main() {
|
|||
|
||||
srv := &http.Server{
|
||||
Addr: *bind,
|
||||
Handler: StripPrefix(*baseURL, Router()),
|
||||
Handler: StripPrefix(baseURL, Router()),
|
||||
}
|
||||
|
||||
// Serve content
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@ import (
|
|||
|
||||
type Session struct {
|
||||
Id []byte `json:"id"`
|
||||
IdStudent int64 `json:"login"`
|
||||
IdStudent *int64 `json:"login"`
|
||||
Time time.Time `json:"time"`
|
||||
}
|
||||
|
||||
|
|
@ -16,6 +16,17 @@ func getSession(id []byte) (s Session, err error) {
|
|||
return
|
||||
}
|
||||
|
||||
func NewSession() (Session, error) {
|
||||
session_id := make([]byte, 255)
|
||||
if _, err := rand.Read(session_id); err != nil {
|
||||
return Session{}, err
|
||||
} else if _, err := DBExec("INSERT INTO student_sessions (id_session, time) VALUES (?, ?)", session_id, time.Now()); err != nil {
|
||||
return Session{}, err
|
||||
} else {
|
||||
return Session{session_id, nil, time.Now()}, nil
|
||||
}
|
||||
}
|
||||
|
||||
func (student Student) NewSession() (Session, error) {
|
||||
session_id := make([]byte, 255)
|
||||
if _, err := rand.Read(session_id); err != nil {
|
||||
|
|
@ -23,10 +34,16 @@ func (student Student) NewSession() (Session, error) {
|
|||
} else if _, err := DBExec("INSERT INTO student_sessions (id_session, id_student, time) VALUES (?, ?, ?)", session_id, student.Id, time.Now()); err != nil {
|
||||
return Session{}, err
|
||||
} else {
|
||||
return Session{session_id, student.Id, time.Now()}, nil
|
||||
return Session{session_id, &student.Id, time.Now()}, nil
|
||||
}
|
||||
}
|
||||
|
||||
func (s Session) SetStudent(student Student) (Session, error) {
|
||||
s.IdStudent = &student.Id
|
||||
_, err := s.Update()
|
||||
return s, err
|
||||
}
|
||||
|
||||
func (s Session) Update() (int64, error) {
|
||||
if res, err := DBExec("UPDATE student_sessions SET id_student = ?, time = ? WHERE id_session = ?", s.IdStudent, s.Time, s.Id); err != nil {
|
||||
return 0, err
|
||||
|
|
|
|||
Reference in New Issue
Block a user