2020-10-29 20:42:01 +00:00
|
|
|
package proxy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"strings"
|
|
|
|
"time"
|
|
|
|
|
|
|
|
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/cookies"
|
2021-07-29 10:30:30 +01:00
|
|
|
"goauthentik.io/internal/utils/web"
|
2020-10-29 20:42:01 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// MakeCSRFCookie creates a cookie for CSRF
|
|
|
|
func (p *OAuthProxy) MakeCSRFCookie(req *http.Request, value string, expiration time.Duration, now time.Time) *http.Cookie {
|
|
|
|
return p.makeCookie(req, p.CSRFCookieName, value, expiration, now)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (p *OAuthProxy) makeCookie(req *http.Request, name string, value string, expiration time.Duration, now time.Time) *http.Cookie {
|
|
|
|
cookieDomain := cookies.GetCookieDomain(req, p.CookieDomains)
|
|
|
|
|
|
|
|
if cookieDomain != "" {
|
2021-07-29 10:30:30 +01:00
|
|
|
domain := web.GetHost(req)
|
2020-10-29 20:42:01 +00:00
|
|
|
if h, _, err := net.SplitHostPort(domain); err == nil {
|
|
|
|
domain = h
|
|
|
|
}
|
|
|
|
if !strings.HasSuffix(domain, cookieDomain) {
|
|
|
|
p.logger.Errorf("Warning: request host is %q but using configured cookie domain of %q", domain, cookieDomain)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return &http.Cookie{
|
|
|
|
Name: name,
|
|
|
|
Value: value,
|
|
|
|
Path: p.CookiePath,
|
|
|
|
Domain: cookieDomain,
|
|
|
|
HttpOnly: p.CookieHTTPOnly,
|
|
|
|
Secure: p.CookieSecure,
|
|
|
|
Expires: now.Add(expiration),
|
|
|
|
SameSite: cookies.ParseSameSite(p.CookieSameSite),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClearCSRFCookie creates a cookie to unset the CSRF cookie stored in the user's
|
|
|
|
// session
|
|
|
|
func (p *OAuthProxy) ClearCSRFCookie(rw http.ResponseWriter, req *http.Request) {
|
|
|
|
http.SetCookie(rw, p.MakeCSRFCookie(req, "", time.Hour*-1, time.Now()))
|
|
|
|
}
|
|
|
|
|
|
|
|
// SetCSRFCookie adds a CSRF cookie to the response
|
|
|
|
func (p *OAuthProxy) SetCSRFCookie(rw http.ResponseWriter, req *http.Request, val string) {
|
|
|
|
http.SetCookie(rw, p.MakeCSRFCookie(req, val, p.CookieExpire, time.Now()))
|
|
|
|
}
|
|
|
|
|
|
|
|
// ClearSessionCookie creates a cookie to unset the user's authentication cookie
|
|
|
|
// stored in the user's session
|
|
|
|
func (p *OAuthProxy) ClearSessionCookie(rw http.ResponseWriter, req *http.Request) error {
|
|
|
|
return p.sessionStore.Clear(rw, req)
|
|
|
|
}
|
|
|
|
|
|
|
|
// LoadCookiedSession reads the user's authentication details from the request
|
|
|
|
func (p *OAuthProxy) LoadCookiedSession(req *http.Request) (*sessionsapi.SessionState, error) {
|
|
|
|
return p.sessionStore.Load(req)
|
|
|
|
}
|
|
|
|
|
|
|
|
// SaveSession creates a new session cookie value and sets this on the response
|
|
|
|
func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *sessionsapi.SessionState) error {
|
|
|
|
return p.sessionStore.Save(rw, req, s)
|
|
|
|
}
|