token-validator: use cookies instead of localStorage to store auth token

2020-03-01 18:15:19 +01:00 · 2020-03-01 18:15:19 +01:00 · a4a7b48a4f
commit a4a7b48a4f
parent 72a4015288
6 changed files with 98 additions and 92 deletions
--- a/token-validator/auth.go
+++ b/token-validator/auth.go
@ -1,9 +1,11 @@
 package main

 import (
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"net/http"
+	"time"

 	"github.com/julienschmidt/httprouter"
 )
@ -12,55 +14,84 @@ var AuthFunc = checkAuth

 func init() {
 	router.GET("/api/auth", apiAuthHandler(validateAuthToken))
-	router.POST("/api/auth", apiHandler(func(ps httprouter.Params, body []byte) (interface{}, error) {
-		return AuthFunc(ps, body)
+	router.POST("/api/auth", apiRawHandler(func(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
+		return AuthFunc(w, ps, body)
 	}))
+	router.POST("/api/auth/logout", apiRawHandler(logout))
 }

 func validateAuthToken(s Student, _ httprouter.Params, _ []byte) (interface{}, error) {
 	return s, nil
 }

+func logout(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
+	http.SetCookie(w, &http.Cookie{
+		Name: "auth",
+		Value: "",
+		Path: baseURL,
+		Expires: time.Unix(0,0),
+		Secure: true,
+		HttpOnly: true,
+	})
+
+	return true, nil
+}
+
 type loginForm struct {
 	Username string
 	Password string
 }

-func dummyAuth(_ httprouter.Params, body []byte) (interface{}, error) {
-	var lf loginForm
-	if err := json.Unmarshal(body, &lf); err != nil {
-		return nil, err
-	}
-
+func completeAuth(w http.ResponseWriter, username string, session *Session) (err error) {
 	var std Student
-	var err error
-	if !studentExists(lf.Username) {
-		if std, err = NewStudent(lf.Username); err != nil {
-			return nil, err
+	if !studentExists(username) {
+		if std, err = NewStudent(username); err != nil {
+			return err
 		}
-	} else if std, err = getStudentByLogin(lf.Username); err != nil {
-		return nil, err
+	} else if std, err = getStudentByLogin(username); err != nil {
+		return err
+	}
+
+	if session == nil {
+		var s Session
+		s, err = std.NewSession()
+		session = &s
+	} else {
+		_, err = session.SetStudent(std)
 	}

-	session, err := std.NewSession()
 	if err != nil {
-		return nil, err
+		return err
 	}

-	res := map[string]interface{}{}
-	res["status"] = "OK"
-	res["id_session"] = session.Id
+	http.SetCookie(w, &http.Cookie{
+		Name: "auth",
+		Value: base64.StdEncoding.EncodeToString(session.Id),
+		Path: baseURL,
+		Expires: time.Now().Add(30 * 24 * time.Hour),
+		Secure: true,
+		HttpOnly: true,
+	})

-	return res, nil
+	return nil
 }

-func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
+func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
 	var lf loginForm
 	if err := json.Unmarshal(body, &lf); err != nil {
 		return nil, err
 	}

-	if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2020/", nil); err != nil {
+	return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
+}
+
+func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
+	var lf loginForm
+	if err := json.Unmarshal(body, &lf); err != nil {
+		return nil, err
+	}
+
+	if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2021/", nil); err != nil {
 		return nil, err
 	} else {
 		r.SetBasicAuth(lf.Username, lf.Password)
@ -71,7 +102,7 @@ func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
 			defer resp.Body.Close()

 			if resp.StatusCode == http.StatusOK {
-				return dummyAuth(nil, body)
+				return dummyAuth(w, nil, body)
 			} else {
 				return nil, errors.New(`{"status": "Invalid username or password"}`)
 			}