From a4a7b48a4fa6022a0aa576377e90cf6f211b57de Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier <nemunaire@nemunai.re>
Date: Sun, 1 Mar 2020 18:15:19 +0100
Subject: [PATCH] token-validator: use cookies instead of localStorage to store
 auth token

---
 token-validator/auth.go                 | 77 +++++++++++++++++--------
 token-validator/db.go                   |  2 +-
 token-validator/handler.go              | 18 +++---
 token-validator/htdocs/js/adlin-main.js | 59 +++----------------
 token-validator/main.go                 | 13 ++---
 token-validator/session.go              | 21 ++++++-
 6 files changed, 98 insertions(+), 92 deletions(-)

diff --git a/token-validator/auth.go b/token-validator/auth.go
index 03b9b6b..2cb7f54 100644
--- a/token-validator/auth.go
+++ b/token-validator/auth.go
@@ -1,9 +1,11 @@
 package main
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"net/http"
+	"time"
 
 	"github.com/julienschmidt/httprouter"
 )
@@ -12,55 +14,84 @@ var AuthFunc = checkAuth
 
 func init() {
 	router.GET("/api/auth", apiAuthHandler(validateAuthToken))
-	router.POST("/api/auth", apiHandler(func(ps httprouter.Params, body []byte) (interface{}, error) {
-		return AuthFunc(ps, body)
+	router.POST("/api/auth", apiRawHandler(func(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
+		return AuthFunc(w, ps, body)
 	}))
+	router.POST("/api/auth/logout", apiRawHandler(logout))
 }
 
 func validateAuthToken(s Student, _ httprouter.Params, _ []byte) (interface{}, error) {
 	return s, nil
 }
 
+func logout(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
+	http.SetCookie(w, &http.Cookie{
+		Name: "auth",
+		Value: "",
+		Path: baseURL,
+		Expires: time.Unix(0,0),
+		Secure: true,
+		HttpOnly: true,
+	})
+
+	return true, nil
+}
+
 type loginForm struct {
 	Username string
 	Password string
 }
 
-func dummyAuth(_ httprouter.Params, body []byte) (interface{}, error) {
-	var lf loginForm
-	if err := json.Unmarshal(body, &lf); err != nil {
-		return nil, err
-	}
-
+func completeAuth(w http.ResponseWriter, username string, session *Session) (err error) {
 	var std Student
-	var err error
-	if !studentExists(lf.Username) {
-		if std, err = NewStudent(lf.Username); err != nil {
-			return nil, err
+	if !studentExists(username) {
+		if std, err = NewStudent(username); err != nil {
+			return err
 		}
-	} else if std, err = getStudentByLogin(lf.Username); err != nil {
-		return nil, err
+	} else if std, err = getStudentByLogin(username); err != nil {
+		return err
+	}
+
+	if session == nil {
+		var s Session
+		s, err = std.NewSession()
+		session = &s
+	} else {
+		_, err = session.SetStudent(std)
 	}
 
-	session, err := std.NewSession()
 	if err != nil {
-		return nil, err
+		return err
 	}
 
-	res := map[string]interface{}{}
-	res["status"] = "OK"
-	res["id_session"] = session.Id
+	http.SetCookie(w, &http.Cookie{
+		Name: "auth",
+		Value: base64.StdEncoding.EncodeToString(session.Id),
+		Path: baseURL,
+		Expires: time.Now().Add(30 * 24 * time.Hour),
+		Secure: true,
+		HttpOnly: true,
+	})
 
-	return res, nil
+	return nil
 }
 
-func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
+func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
 	var lf loginForm
 	if err := json.Unmarshal(body, &lf); err != nil {
 		return nil, err
 	}
 
-	if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2020/", nil); err != nil {
+	return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
+}
+
+func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
+	var lf loginForm
+	if err := json.Unmarshal(body, &lf); err != nil {
+		return nil, err
+	}
+
+	if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2021/", nil); err != nil {
 		return nil, err
 	} else {
 		r.SetBasicAuth(lf.Username, lf.Password)
@@ -71,7 +102,7 @@ func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
 			defer resp.Body.Close()
 
 			if resp.StatusCode == http.StatusOK {
-				return dummyAuth(nil, body)
+				return dummyAuth(w, nil, body)
 			} else {
 				return nil, errors.New(`{"status": "Invalid username or password"}`)
 			}
diff --git a/token-validator/db.go b/token-validator/db.go
index a821cee..71dd483 100644
--- a/token-validator/db.go
+++ b/token-validator/db.go
@@ -109,7 +109,7 @@ CREATE TABLE IF NOT EXISTS student_pong(
 	if _, err := db.Exec(`
 CREATE TABLE IF NOT EXISTS student_sessions(
   id_session BLOB(255) NOT NULL,
-  id_student INTEGER NOT NULL,
+  id_student INTEGER,
   time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
   FOREIGN KEY(id_student) REFERENCES students(id_student)
 ) DEFAULT CHARACTER SET = utf8 COLLATE = utf8_bin;
diff --git a/token-validator/handler.go b/token-validator/handler.go
index faccb11..e5bfe5e 100644
--- a/token-validator/handler.go
+++ b/token-validator/handler.go
@@ -11,7 +11,6 @@ import (
 	"log"
 	"net/http"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/julienschmidt/httprouter"
@@ -51,13 +50,16 @@ func rawHandler(f func(http.ResponseWriter, *http.Request, httprouter.Params, []
 
 		// Read Authorization header
 		var student *Student = nil
-		if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) == 2 && flds[0] == "Bearer" {
-			if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil {
+		if cookie, err := r.Cookie("auth"); err == nil {
+			if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
 				http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusNotAcceptable)
+				return
 			} else if session, err := getSession(sessionid); err != nil {
 				http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
 				return
-			} else if std, err := getStudent(int(session.IdStudent)); err != nil {
+			} else if session.IdStudent == nil {
+				student = nil
+			} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
 				http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
 				return
 			} else {
@@ -156,13 +158,15 @@ func apiHandler(f DispatchFunction, access ...func(*Student, *http.Request) erro
 
 func apiAuthHandler(f func(Student, httprouter.Params, []byte) (interface{}, error), access ...func(*Student, *http.Request) error) func(http.ResponseWriter, *http.Request, httprouter.Params) {
 	return rawHandler(responseHandler(func (r *http.Request, ps httprouter.Params, b []byte) (interface{}, error) {
-		if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) != 2 || flds[0] != "Bearer" {
+		if cookie, err := r.Cookie("auth"); err != nil {
 			return nil, errors.New("Authorization required")
-		} else if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil {
+		} else if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
 			return nil, err
 		} else if session, err := getSession(sessionid); err != nil {
 			return nil, err
-		} else if std, err := getStudent(int(session.IdStudent)); err != nil {
+		} else if session.IdStudent == nil {
+			return nil, errors.New("Authorization required")
+		} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
 			return nil, err
 		} else {
 			return f(std, ps, b)
diff --git a/token-validator/htdocs/js/adlin-main.js b/token-validator/htdocs/js/adlin-main.js
index 018a42c..41c29b7 100644
--- a/token-validator/htdocs/js/adlin-main.js
+++ b/token-validator/htdocs/js/adlin-main.js
@@ -35,18 +35,9 @@ angular.module("AdLinApp")
 angular.module("AdLinApp")
     .run(function($rootScope, $interval, $http) {
 	$rootScope.checkLoginState = function() {
-	    if (sessionStorage.token === undefined) {
-		$rootScope.isLogged = false;
-		return;
-	    }
-
-	    var token = sessionStorage.token;
 	    $http({
 		method: 'GET',
 		url: "/api/auth",
-		headers: {
-		    'Authorization': "Bearer " + token
-		}
 	    }).then(function(response) {
 		$rootScope.isLogged = response.data;
 		$rootScope.student = response.data;
@@ -58,9 +49,13 @@ angular.module("AdLinApp")
 	$interval($rootScope.checkLoginState, 20000);
 
 	$rootScope.disconnectCurrentUser = function() {
-	    sessionStorage.token = undefined;
-	    delete sessionStorage.token;
-	    $rootScope.isLogged = false;
+	    $http({
+		method: 'POST',
+		url: "/api/auth/logout"
+	    }).then(function(response) {
+		$rootScope.isLogged = false;
+		$rootScope.student = null;
+	    });
 	}
     })
 
@@ -88,7 +83,6 @@ angular.module("AdLinApp")
 		url: "/api/auth",
 		data: $scope.auth
 	    }).then(function(response) {
-		sessionStorage.token = response.data.id_session
 		$scope.pleaseWait = false;
 		$rootScope.checkLoginState();
 		$location.url("/");
@@ -105,9 +99,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/wginfo",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		}
 	    }).then(function(response) {
 		$scope.wginfo = response.data;
 	    });
@@ -118,9 +109,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/wg/",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		}
 	    }).then(function(response) {
 		$scope.tunnels = response.data;
 	    }, function(response) {
@@ -136,9 +124,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'POST',
 		url: "/api/wg/",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 		data: {}
 	    }).then(function(response) {
 		$scope.updateTunnelsList();
@@ -154,9 +139,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'DELETE',
 		url: "/api/wg/" + tunnel.TokenText,
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 		data: {}
 	    }).then(function(response) {
 		$scope.updateTunnelsList();
@@ -184,18 +166,12 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/adomains/",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		$scope.adomains = [];
 		response.data.forEach(function(domain) {
 		    $http({
 			method: 'GET',
 			url: "/api/adomains/" + domain,
-			headers: {
-			    'Authorization': "Bearer " + sessionStorage.token
-			},
 		    }).then(function(response) {
 			response.data.forEach(function(rr) {
 			    $scope.adomains.push(rr);
@@ -213,9 +189,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/ddomains/",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		response.data.forEach(function(domain) {
 		    $scope.ddomains = response.data;
@@ -231,9 +204,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'POST',
 		url: "/api/adomains/",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		$scope.updateAssociationD();
 		$scope.pleaseWaitNewAssociation = false;
@@ -308,9 +278,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: (nsrr.valuesfrom !== undefined)?'PATCH':'POST',
 		url: "/api/ddomains/" + nsrr.domain + "/" + nsrr.rr,
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 		data: nsrr,
 	    }).then(function(response) {
 		$('#NSModal').modal('hide');
@@ -325,9 +292,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'DELETE',
 		url: "/api/ddomains/" + domain + "/" + rr.rr,
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 		data: rr,
 	    }).then(function(response) {
 		callOnUpdateEvt();
@@ -344,9 +308,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/ddomains/" + $scope.domain + "/NS",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		$scope.domainNS = response.data;
 	    });
@@ -360,9 +321,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/ddomains/" + $scope.domain + "/GLUE",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		$scope.domainGLUE = response.data;
 	    });
@@ -376,9 +334,6 @@ angular.module("AdLinApp")
 	    $http({
 		method: 'GET',
 		url: "/api/ddomains/" + $scope.domain + "/DS",
-		headers: {
-		    'Authorization': "Bearer " + sessionStorage.token
-		},
 	    }).then(function(response) {
 		$scope.domainDS = response.data;
 	    });
diff --git a/token-validator/main.go b/token-validator/main.go
index 4075b22..b846184 100644
--- a/token-validator/main.go
+++ b/token-validator/main.go
@@ -14,6 +14,7 @@ import (
 	"syscall"
 )
 
+var baseURL string = "/"
 var sharedSecret string
 
 type ResponseWriterPrefix struct {
@@ -59,7 +60,7 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
 func main() {
 	var bind = flag.String("bind", ":8081", "Bind port/socket")
 	var dsn = flag.String("dsn", DSNGenerator(), "DSN to connect to the MySQL server")
-	var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
+	flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
 	flag.StringVar(&sharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
 	flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
 	flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
@@ -72,12 +73,10 @@ func main() {
 	if err = sanitizeStaticOptions(); err != nil {
 		log.Fatal(err)
 	}
-	if *baseURL != "/" {
-		tmp := path.Clean(*baseURL)
-		baseURL = &tmp
+	if baseURL != "/" {
+		baseURL = path.Clean(baseURL)
 	} else {
-		tmp := ""
-		baseURL = &tmp
+		baseURL = ""
 	}
 
 	if *dummyauth {
@@ -102,7 +101,7 @@ func main() {
 
 	srv := &http.Server{
 		Addr:    *bind,
-		Handler: StripPrefix(*baseURL, Router()),
+		Handler: StripPrefix(baseURL, Router()),
 	}
 
 	// Serve content
diff --git a/token-validator/session.go b/token-validator/session.go
index 382b4b6..8443acd 100644
--- a/token-validator/session.go
+++ b/token-validator/session.go
@@ -7,7 +7,7 @@ import (
 
 type Session struct {
 	Id        []byte    `json:"id"`
-	IdStudent int64     `json:"login"`
+	IdStudent *int64    `json:"login"`
 	Time      time.Time `json:"time"`
 }
 
@@ -16,6 +16,17 @@ func getSession(id []byte) (s Session, err error) {
 	return
 }
 
+func NewSession() (Session, error) {
+	session_id := make([]byte, 255)
+	if _, err := rand.Read(session_id); err != nil {
+		return Session{}, err
+	} else if _, err := DBExec("INSERT INTO student_sessions (id_session, time) VALUES (?, ?)", session_id, time.Now()); err != nil {
+		return Session{}, err
+	} else {
+		return Session{session_id, nil, time.Now()}, nil
+	}
+}
+
 func (student Student) NewSession() (Session, error) {
 	session_id := make([]byte, 255)
 	if _, err := rand.Read(session_id); err != nil {
@@ -23,10 +34,16 @@ func (student Student) NewSession() (Session, error) {
 	} else if _, err := DBExec("INSERT INTO student_sessions (id_session, id_student, time) VALUES (?, ?, ?)", session_id, student.Id, time.Now()); err != nil {
 		return Session{}, err
 	} else {
-		return Session{session_id, student.Id, time.Now()}, nil
+		return Session{session_id, &student.Id, time.Now()}, nil
 	}
 }
 
+func (s Session) SetStudent(student Student) (Session, error) {
+	s.IdStudent = &student.Id
+	_, err := s.Update()
+	return s, err
+}
+
 func (s Session) Update() (int64, error) {
 	if res, err := DBExec("UPDATE student_sessions SET id_student = ?, time = ? WHERE id_session = ?", s.IdStudent, s.Time, s.Id); err != nil {
 		return 0, err