teach/adlin
Archived
0
0
Fork 0
Code Issues 1 Pull Requests 4 Releases Activity

token-validator: use cookies instead of localStorage to store auth token

Browse Source
This commit is contained in:
nemunaire 2020-03-01 18:15:19 +01:00
parent 72a4015288
commit a4a7b48a4f
6 changed files with 98 additions and 92 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
token-validator/auth.go
View File

@ -1,9 +1,11 @@
package main package main
import ( import (
"encoding/base64"
"encoding/json" "encoding/json"
"errors" "errors"
"net/http" "net/http"
"time"
"github.com/julienschmidt/httprouter" "github.com/julienschmidt/httprouter"
) )
@ -12,55 +14,84 @@ var AuthFunc = checkAuth
func init() { func init() {
router.GET("/api/auth", apiAuthHandler(validateAuthToken)) router.GET("/api/auth", apiAuthHandler(validateAuthToken))
router.POST("/api/auth", apiHandler(func(ps httprouter.Params, body []byte) (interface{}, error) { router.POST("/api/auth", apiRawHandler(func(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
return AuthFunc(ps, body) return AuthFunc(w, ps, body)
})) }))
router.POST("/api/auth/logout", apiRawHandler(logout))
} }
func validateAuthToken(s Student, _ httprouter.Params, _ []byte) (interface{}, error) { func validateAuthToken(s Student, _ httprouter.Params, _ []byte) (interface{}, error) {
return s, nil return s, nil
} }
func logout(w http.ResponseWriter, ps httprouter.Params, body []byte) (interface{}, error) {
http.SetCookie(w, &http.Cookie{
Name: "auth",
Value: "",
Path: baseURL,
Expires: time.Unix(0,0),
Secure: true,
HttpOnly: true,
})
return true, nil
}
type loginForm struct { type loginForm struct {
Username string Username string
Password string Password string
} }
func dummyAuth(_ httprouter.Params, body []byte) (interface{}, error) { func completeAuth(w http.ResponseWriter, username string, session *Session) (err error) {
var lf loginForm
if err := json.Unmarshal(body, &lf); err != nil {
return nil, err
}
var std Student var std Student
var err error if !studentExists(username) {
if !studentExists(lf.Username) { if std, err = NewStudent(username); err != nil {
if std, err = NewStudent(lf.Username); err != nil { return err
return nil, err
} }
} else if std, err = getStudentByLogin(lf.Username); err != nil { } else if std, err = getStudentByLogin(username); err != nil {
return nil, err return err
}
if session == nil {
var s Session
s, err = std.NewSession()
session = &s
} else {
_, err = session.SetStudent(std)
} }
session, err := std.NewSession()
if err != nil { if err != nil {
return nil, err return err
} }
res := map[string]interface{}{} http.SetCookie(w, &http.Cookie{
res["status"] = "OK" Name: "auth",
res["id_session"] = session.Id Value: base64.StdEncoding.EncodeToString(session.Id),
Path: baseURL,
Expires: time.Now().Add(30 * 24 * time.Hour),
Secure: true,
HttpOnly: true,
})
return res, nil return nil
} }
func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) { func dummyAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
var lf loginForm var lf loginForm
if err := json.Unmarshal(body, &lf); err != nil { if err := json.Unmarshal(body, &lf); err != nil {
return nil, err return nil, err
} }
if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2020/", nil); err != nil { return map[string]string{"status": "OK"}, completeAuth(w, lf.Username, nil)
}
func checkAuth(w http.ResponseWriter, _ httprouter.Params, body []byte) (interface{}, error) {
var lf loginForm
if err := json.Unmarshal(body, &lf); err != nil {
return nil, err
}
if r, err := http.NewRequest("GET", "https://fic.srs.epita.fr/2021/", nil); err != nil {
return nil, err return nil, err
} else { } else {
r.SetBasicAuth(lf.Username, lf.Password) r.SetBasicAuth(lf.Username, lf.Password)
@ -71,7 +102,7 @@ func checkAuth(_ httprouter.Params, body []byte) (interface{}, error) {
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode == http.StatusOK { if resp.StatusCode == http.StatusOK {
return dummyAuth(nil, body) return dummyAuth(w, nil, body)
} else { } else {
return nil, errors.New(`{"status": "Invalid username or password"}`) return nil, errors.New(`{"status": "Invalid username or password"}`)
} }

2
token-validator/db.go
View File

@ -109,7 +109,7 @@ CREATE TABLE IF NOT EXISTS student_pong(
if _, err := db.Exec(` if _, err := db.Exec(`
CREATE TABLE IF NOT EXISTS student_sessions( CREATE TABLE IF NOT EXISTS student_sessions(
id_session BLOB(255) NOT NULL, id_session BLOB(255) NOT NULL,
id_student INTEGER NOT NULL, id_student INTEGER,
time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP, time TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
FOREIGN KEY(id_student) REFERENCES students(id_student) FOREIGN KEY(id_student) REFERENCES students(id_student)
) DEFAULT CHARACTER SET = utf8 COLLATE = utf8_bin; ) DEFAULT CHARACTER SET = utf8 COLLATE = utf8_bin;

18
token-validator/handler.go
View File

@ -11,7 +11,6 @@ import (
"log" "log"
"net/http" "net/http"
"strconv" "strconv"
"strings"
"time" "time"
"github.com/julienschmidt/httprouter" "github.com/julienschmidt/httprouter"
@ -51,13 +50,16 @@ func rawHandler(f func(http.ResponseWriter, *http.Request, httprouter.Params, []
// Read Authorization header // Read Authorization header
var student *Student = nil var student *Student = nil
if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) == 2 && flds[0] == "Bearer" { if cookie, err := r.Cookie("auth"); err == nil {
if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil { if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusNotAcceptable) http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusNotAcceptable)
return
} else if session, err := getSession(sessionid); err != nil { } else if session, err := getSession(sessionid); err != nil {
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized) http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
return return
} else if std, err := getStudent(int(session.IdStudent)); err != nil { } else if session.IdStudent == nil {
student = nil
} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized) http.Error(w, fmt.Sprintf(`{"errmsg": %q}`, err), http.StatusUnauthorized)
return return
} else { } else {
@ -156,13 +158,15 @@ func apiHandler(f DispatchFunction, access ...func(*Student, *http.Request) erro
func apiAuthHandler(f func(Student, httprouter.Params, []byte) (interface{}, error), access ...func(*Student, *http.Request) error) func(http.ResponseWriter, *http.Request, httprouter.Params) { func apiAuthHandler(f func(Student, httprouter.Params, []byte) (interface{}, error), access ...func(*Student, *http.Request) error) func(http.ResponseWriter, *http.Request, httprouter.Params) {
return rawHandler(responseHandler(func (r *http.Request, ps httprouter.Params, b []byte) (interface{}, error) { return rawHandler(responseHandler(func (r *http.Request, ps httprouter.Params, b []byte) (interface{}, error) {
if flds := strings.Fields(r.Header.Get("Authorization")); len(flds) != 2 || flds[0] != "Bearer" { if cookie, err := r.Cookie("auth"); err != nil {
return nil, errors.New("Authorization required") return nil, errors.New("Authorization required")
} else if sessionid, err := base64.StdEncoding.DecodeString(flds[1]); err != nil { } else if sessionid, err := base64.StdEncoding.DecodeString(cookie.Value); err != nil {
return nil, err return nil, err
} else if session, err := getSession(sessionid); err != nil { } else if session, err := getSession(sessionid); err != nil {
return nil, err return nil, err
} else if std, err := getStudent(int(session.IdStudent)); err != nil { } else if session.IdStudent == nil {
return nil, errors.New("Authorization required")
} else if std, err := getStudent(int(*session.IdStudent)); err != nil {
return nil, err return nil, err
} else { } else {
return f(std, ps, b) return f(std, ps, b)

59
token-validator/htdocs/js/adlin-main.js
View File

@ -35,18 +35,9 @@ angular.module("AdLinApp")
angular.module("AdLinApp") angular.module("AdLinApp")
.run(function($rootScope, $interval, $http) { .run(function($rootScope, $interval, $http) {
$rootScope.checkLoginState = function() { $rootScope.checkLoginState = function() {
if (sessionStorage.token === undefined) {
$rootScope.isLogged = false;
return;
}
var token = sessionStorage.token;
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/auth", url: "/api/auth",
headers: {
'Authorization': "Bearer " + token
}
}).then(function(response) { }).then(function(response) {
$rootScope.isLogged = response.data; $rootScope.isLogged = response.data;
$rootScope.student = response.data; $rootScope.student = response.data;
@ -58,9 +49,13 @@ angular.module("AdLinApp")
$interval($rootScope.checkLoginState, 20000); $interval($rootScope.checkLoginState, 20000);
$rootScope.disconnectCurrentUser = function() { $rootScope.disconnectCurrentUser = function() {
sessionStorage.token = undefined; $http({
delete sessionStorage.token; method: 'POST',
$rootScope.isLogged = false; url: "/api/auth/logout"
}).then(function(response) {
$rootScope.isLogged = false;
$rootScope.student = null;
});
} }
}) })
@ -88,7 +83,6 @@ angular.module("AdLinApp")
url: "/api/auth", url: "/api/auth",
data: $scope.auth data: $scope.auth
}).then(function(response) { }).then(function(response) {
sessionStorage.token = response.data.id_session
$scope.pleaseWait = false; $scope.pleaseWait = false;
$rootScope.checkLoginState(); $rootScope.checkLoginState();
$location.url("/"); $location.url("/");
@ -105,9 +99,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/wginfo", url: "/api/wginfo",
headers: {
'Authorization': "Bearer " + sessionStorage.token
}
}).then(function(response) { }).then(function(response) {
$scope.wginfo = response.data; $scope.wginfo = response.data;
}); });
@ -118,9 +109,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/wg/", url: "/api/wg/",
headers: {
'Authorization': "Bearer " + sessionStorage.token
}
}).then(function(response) { }).then(function(response) {
$scope.tunnels = response.data; $scope.tunnels = response.data;
}, function(response) { }, function(response) {
@ -136,9 +124,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'POST', method: 'POST',
url: "/api/wg/", url: "/api/wg/",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
data: {} data: {}
}).then(function(response) { }).then(function(response) {
$scope.updateTunnelsList(); $scope.updateTunnelsList();
@ -154,9 +139,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'DELETE', method: 'DELETE',
url: "/api/wg/" + tunnel.TokenText, url: "/api/wg/" + tunnel.TokenText,
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
data: {} data: {}
}).then(function(response) { }).then(function(response) {
$scope.updateTunnelsList(); $scope.updateTunnelsList();
@ -184,18 +166,12 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/adomains/", url: "/api/adomains/",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
$scope.adomains = []; $scope.adomains = [];
response.data.forEach(function(domain) { response.data.forEach(function(domain) {
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/adomains/" + domain, url: "/api/adomains/" + domain,
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
response.data.forEach(function(rr) { response.data.forEach(function(rr) {
$scope.adomains.push(rr); $scope.adomains.push(rr);
@ -213,9 +189,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/ddomains/", url: "/api/ddomains/",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
response.data.forEach(function(domain) { response.data.forEach(function(domain) {
$scope.ddomains = response.data; $scope.ddomains = response.data;
@ -231,9 +204,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'POST', method: 'POST',
url: "/api/adomains/", url: "/api/adomains/",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
$scope.updateAssociationD(); $scope.updateAssociationD();
$scope.pleaseWaitNewAssociation = false; $scope.pleaseWaitNewAssociation = false;
@ -308,9 +278,6 @@ angular.module("AdLinApp")
$http({ $http({
method: (nsrr.valuesfrom !== undefined)?'PATCH':'POST', method: (nsrr.valuesfrom !== undefined)?'PATCH':'POST',
url: "/api/ddomains/" + nsrr.domain + "/" + nsrr.rr, url: "/api/ddomains/" + nsrr.domain + "/" + nsrr.rr,
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
data: nsrr, data: nsrr,
}).then(function(response) { }).then(function(response) {
$('#NSModal').modal('hide'); $('#NSModal').modal('hide');
@ -325,9 +292,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'DELETE', method: 'DELETE',
url: "/api/ddomains/" + domain + "/" + rr.rr, url: "/api/ddomains/" + domain + "/" + rr.rr,
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
data: rr, data: rr,
}).then(function(response) { }).then(function(response) {
callOnUpdateEvt(); callOnUpdateEvt();
@ -344,9 +308,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/ddomains/" + $scope.domain + "/NS", url: "/api/ddomains/" + $scope.domain + "/NS",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
$scope.domainNS = response.data; $scope.domainNS = response.data;
}); });
@ -360,9 +321,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/ddomains/" + $scope.domain + "/GLUE", url: "/api/ddomains/" + $scope.domain + "/GLUE",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
$scope.domainGLUE = response.data; $scope.domainGLUE = response.data;
}); });
@ -376,9 +334,6 @@ angular.module("AdLinApp")
$http({ $http({
method: 'GET', method: 'GET',
url: "/api/ddomains/" + $scope.domain + "/DS", url: "/api/ddomains/" + $scope.domain + "/DS",
headers: {
'Authorization': "Bearer " + sessionStorage.token
},
}).then(function(response) { }).then(function(response) {
$scope.domainDS = response.data; $scope.domainDS = response.data;
}); });

13
token-validator/main.go
View File

@ -14,6 +14,7 @@ import (
"syscall" "syscall"
) )
var baseURL string = "/"
var sharedSecret string var sharedSecret string
type ResponseWriterPrefix struct { type ResponseWriterPrefix struct {
@ -59,7 +60,7 @@ func StripPrefix(prefix string, h http.Handler) http.Handler {
func main() { func main() {
var bind = flag.String("bind", ":8081", "Bind port/socket") var bind = flag.String("bind", ":8081", "Bind port/socket")
var dsn = flag.String("dsn", DSNGenerator(), "DSN to connect to the MySQL server") var dsn = flag.String("dsn", DSNGenerator(), "DSN to connect to the MySQL server")
var baseURL = flag.String("baseurl", "/", "URL prepended to each URL") flag.StringVar(&baseURL, "baseurl", baseURL, "URL prepended to each URL")
flag.StringVar(&sharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator") flag.StringVar(&sharedSecret, "sharedsecret", "adelina", "secret used to communicate with remote validator")
flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine") flag.StringVar(&AuthorizedKeysLocation, "authorizedkeyslocation", AuthorizedKeysLocation, "File for allowing user to SSH to the machine")
flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd") flag.StringVar(&SshPiperLocation, "sshPiperLocation", SshPiperLocation, "Directory containing directories for sshpiperd")
@ -72,12 +73,10 @@ func main() {
if err = sanitizeStaticOptions(); err != nil { if err = sanitizeStaticOptions(); err != nil {
log.Fatal(err) log.Fatal(err)
} }
if *baseURL != "/" { if baseURL != "/" {
tmp := path.Clean(*baseURL) baseURL = path.Clean(baseURL)
baseURL = &tmp
} else { } else {
tmp := "" baseURL = ""
baseURL = &tmp
} }
if *dummyauth { if *dummyauth {
@ -102,7 +101,7 @@ func main() {
srv := &http.Server{ srv := &http.Server{
Addr: *bind, Addr: *bind,
Handler: StripPrefix(*baseURL, Router()), Handler: StripPrefix(baseURL, Router()),
} }
// Serve content // Serve content

21
token-validator/session.go
View File

@ -7,7 +7,7 @@ import (
type Session struct { type Session struct {
Id []byte `json:"id"` Id []byte `json:"id"`
IdStudent int64 `json:"login"` IdStudent *int64 `json:"login"`
Time time.Time `json:"time"` Time time.Time `json:"time"`
} }
@ -16,6 +16,17 @@ func getSession(id []byte) (s Session, err error) {
return return
} }
func NewSession() (Session, error) {
session_id := make([]byte, 255)
if _, err := rand.Read(session_id); err != nil {
return Session{}, err
} else if _, err := DBExec("INSERT INTO student_sessions (id_session, time) VALUES (?, ?)", session_id, time.Now()); err != nil {
return Session{}, err
} else {
return Session{session_id, nil, time.Now()}, nil
}
}
func (student Student) NewSession() (Session, error) { func (student Student) NewSession() (Session, error) {
session_id := make([]byte, 255) session_id := make([]byte, 255)
if _, err := rand.Read(session_id); err != nil { if _, err := rand.Read(session_id); err != nil {
@ -23,10 +34,16 @@ func (student Student) NewSession() (Session, error) {
} else if _, err := DBExec("INSERT INTO student_sessions (id_session, id_student, time) VALUES (?, ?, ?)", session_id, student.Id, time.Now()); err != nil { } else if _, err := DBExec("INSERT INTO student_sessions (id_session, id_student, time) VALUES (?, ?, ?)", session_id, student.Id, time.Now()); err != nil {
return Session{}, err return Session{}, err
} else { } else {
return Session{session_id, student.Id, time.Now()}, nil return Session{session_id, &student.Id, time.Now()}, nil
} }
} }
func (s Session) SetStudent(student Student) (Session, error) {
s.IdStudent = &student.Id
_, err := s.Update()
return s, err
}
func (s Session) Update() (int64, error) { func (s Session) Update() (int64, error) {
if res, err := DBExec("UPDATE student_sessions SET id_student = ?, time = ? WHERE id_session = ?", s.IdStudent, s.Time, s.Id); err != nil { if res, err := DBExec("UPDATE student_sessions SET id_student = ?, time = ? WHERE id_session = ?", s.IdStudent, s.Time, s.Id); err != nil {
return 0, err return 0, err