From 230e87fc56832ea370dd6da53d6d7260562ff9a7 Mon Sep 17 00:00:00 2001
From: Adrian Salamon
Date: Sun, 27 Oct 2024 23:35:13 +0800
Subject: [PATCH] #1: fix redirect issue with passkey remove hard-coded cookie names
---
 services/dev/handlers.go | 3 ++-
 services/passkey/handlers.go | 15 ++++++++++++---
 services/passkey/passkey.templ | 1 -
 services/passkey/passkey_templ.go | 10 +++++-----
 services/static/public/hx-clone.js | 1 -
 services/user/auth/auth.go | 16 ++++++++++++++++
 services/user/handlers.go | 8 +++++---
 services/user/user.go | 16 +++++----------
 8 files changed, 45 insertions(+), 25 deletions(-)
 create mode 100644 services/user/auth/auth.go
diff --git a/services/dev/handlers.go b/services/dev/handlers.go
index aff6321..0af8feb 100644
--- a/services/dev/handlers.go
+++ b/services/dev/handlers.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	"github.com/datasektionen/logout/pkg/httputil"
+	"github.com/datasektionen/logout/services/user/auth"
 )
 
 func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
@@ -19,7 +20,7 @@ func (s *service) login(w http.ResponseWriter, r *http.Request) httputil.ToRespo
 		return err
 	}
 	http.SetCookie(w, &http.Cookie{
-		Name: "session",
+		Name: auth.SessionCookieName,
 		Value: sessionID.String(),
 		Path: "/",
 	})
diff --git a/services/passkey/handlers.go b/services/passkey/handlers.go
index 2f27030..fb2bec3 100644
--- a/services/passkey/handlers.go
+++ b/services/passkey/handlers.go
@@ -8,6 +8,7 @@ import (
 	"github.com/datasektionen/logout/pkg/database"
 	"github.com/datasektionen/logout/pkg/httputil"
 	"github.com/datasektionen/logout/services/passkey/export"
+	"github.com/datasektionen/logout/services/user/auth"
 	"github.com/go-webauthn/webauthn/protocol"
 	"github.com/go-webauthn/webauthn/webauthn"
 	"github.com/google/uuid"
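Review bot: The dev login in services/dev/handlers.go still builds its own cookie with only Name, Value and Path, so it remains the one session cookie issued without HttpOnly, Secure and SameSite even though the commit introduces auth.SessionCookie for exactly this purpose; the SetCookie in the second hunk could become `http.SetCookie(w, auth.SessionCookie(sessionID.String()))`. If the dev service is meant to run over plain HTTP and Secure would break it, that deserves a comment next to the literal rather than a silent divergence between the two login paths. login's body starts before and ends after the hunk.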
@@ -40,8 +41,8 @@ func (s *service) beginLoginPasskey(w http.ResponseWriter, r *http.Request) http
 
 func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
 	var body struct {
-		KTHID string `json:"kthid"`
-		Cred protocol.CredentialAssertionResponse `json:"cred"`
+		KTHID string `json:"kthid"`
+		Cred protocol.CredentialAssertionResponse `json:"cred"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
 		return httputil.BadRequest("Invalid credential")
@@ -67,7 +68,15 @@ func (s *service) finishLoginPasskey(w http.ResponseWriter, r *http.Request) htt
 	if err != nil {
 		return err
 	}
-	return s.user.LoginUser(r.Context(), user.KTHID)
+
+	sessionID, err := s.db.CreateSession(r.Context(), user.KTHID)
+	if err != nil {
+		return err
+	}
+
+	http.SetCookie(w, auth.SessionCookie(sessionID.String()))
+
+	return nil
 }
 
 // ---
diff --git a/services/passkey/passkey.templ b/services/passkey/passkey.templ
index ae4cea5..2ae2ba1 100644
--- a/services/passkey/passkey.templ
+++ b/services/passkey/passkey.templ
@@ -25,7 +25,6 @@ templ passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) {
 			for (let ac of credAss.publicKey.allowCredentials) {
 				ac.id = decodebase64url(ac.id);
 			}
-			console.log(credAss);
 			event.preventDefault();
 			try {
 				let cred = await navigator.credentials.get(credAss);
diff --git a/services/passkey/passkey_templ.go b/services/passkey/passkey_templ.go
index 42b7d45..fd1b4fd 100644
--- a/services/passkey/passkey_templ.go
+++ b/services/passkey/passkey_templ.go
@@ -63,7 +63,7 @@ func passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) templ.Com
 			return templ_7745c5c3_Err
 		}
 		if credAss != nil {
-			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("")
+			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString("")
 			if templ_7745c5c3_Err != nil {
 				return templ_7745c5c3_Err
 			}
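Review bot: finishLoginPasskey now creates the session and sets the cookie inline in its second hunk, which duplicates what user.LoginUser does in services/user/user.go minus the redirect; a single helper that both login paths call (create session, then auth.SessionCookie) would keep them from drifting on session creation or cookie attributes later. The `return nil` also leaves navigation to the JSON client, so the intent deserves a comment such as `// Only the session cookie is set here; the client navigates next, and the next-url cookie is handled by the index handler.` — the index-handler part is inferred from services/user/handlers.go in this patch and should be confirmed. finishLoginPasskey begins outside the hunk.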
@@ -75,7 +75,7 @@ func passkeyLogin(kthid string, credAss *protocol.CredentialAssertion) templ.Com var templ_7745c5c3_Var3 string templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(kthid) if templ_7745c5c3_Err != nil { - return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 76, Col: 17} + return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 75, Col: 17} } _, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3)) if templ_7745c5c3_Err != nil { @@ -143,7 +143,7 @@ func showPasskey(passkey export.Passkey) templ.Component { var templ_7745c5c3_Var7 string templ_7745c5c3_Var7, templ_7745c5c3_Err = templ.JoinStringErrs(passkey.Name) if templ_7745c5c3_Err != nil { - return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 98, Col: 22} + return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 97, Col: 22} } _, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var7)) if templ_7745c5c3_Err != nil { @@ -156,7 +156,7 @@ func showPasskey(passkey export.Passkey) templ.Component { var templ_7745c5c3_Var8 string templ_7745c5c3_Var8, templ_7745c5c3_Err = templ.JoinStringErrs("/passkey/" + passkey.ID.String()) if templ_7745c5c3_Err != nil { - return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 105, Col: 48} + return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 104, Col: 48} } _, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var8)) if templ_7745c5c3_Err != nil { 
@@ -237,7 +237,7 @@ func addPasskeyForm(cc *protocol.CredentialCreation) templ.Component {
 		var templ_7745c5c3_Var11 string
 		templ_7745c5c3_Var11, templ_7745c5c3_Err = templ.JoinStringErrs(templ.JSONString(cc))
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 138, Col: 49}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `passkey.templ`, Line: 137, Col: 49}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var11))
 		if templ_7745c5c3_Err != nil {
diff --git a/services/static/public/hx-clone.js b/services/static/public/hx-clone.js
index ff0f867..233b938 100644
--- a/services/static/public/hx-clone.js
+++ b/services/static/public/hx-clone.js
@@ -7,7 +7,6 @@ htmx.defineExtension('clone', {
 		const get = evt.detail.elt.getAttribute('hx-get')
 		if (get && get.startsWith('clone-template#')) {
 			const selector = get.substring(15)
-			//console.log('htmx-clone: Intercepting xhr request to inject template with selector:', selector)
 			const template = document.querySelector(selector)
 			let templateContent = ''
 			if (!template) {
diff --git a/services/user/auth/auth.go b/services/user/auth/auth.go
new file mode 100644
index 0000000..7a50159
--- /dev/null
+++ b/services/user/auth/auth.go
@@ -0,0 +1,16 @@
+package auth
+
+import "net/http"
+
+const SessionCookieName string = "_logout_session"
+
+func SessionCookie(sessionID string) *http.Cookie {
+	return &http.Cookie{
+		Name: SessionCookieName,
+		Value: sessionID,
+		Path: "/",
+		HttpOnly: true,
+		Secure: true,
+		SameSite: http.SameSiteLaxMode,
+	}
+}
diff --git a/services/user/handlers.go b/services/user/handlers.go
index ed48cb4..5f1afb6 100644
--- a/services/user/handlers.go
+++ b/services/user/handlers.go
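Review bot: The new auth package exports SessionCookieName and SessionCookie without doc comments; suggest `// SessionCookieName is the name of the cookie that carries the login session ID.` and `// SessionCookie builds the session cookie: Path "/", HttpOnly, Secure, SameSite=Lax, and no MaxAge/Expires, so it lasts for the browser session.` The absence of MaxAge/Expires is visible in the literal, so the effective lifetime presumably rests on the server-side session — worth confirming and stating in that comment. A companion helper returning the clearing cookie (same Name and Path, MaxAge -1) would let the Logout handler in services/user/user.go expire it without re-spelling the attributes.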
@@ -13,6 +13,8 @@ import (
 	"github.com/jackc/pgx/v5"
 )
 
+const nextUrlCookie string = "_logout_next-url"
+
 func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
 	returnURL := r.FormValue("next-url")
 	if returnURL != "" && returnURL[0] != '/' {
@@ -20,7 +22,7 @@ func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToRespo
 	}
 	hasCookie := false
 	if returnURL == "" {
-		c, _ := r.Cookie("next-url")
+		c, _ := r.Cookie(nextUrlCookie)
 		if c != nil {
 			returnURL = c.Value
 			hasCookie = true
@@ -33,14 +35,14 @@ func (s *service) index(w http.ResponseWriter, r *http.Request) httputil.ToRespo
 		return err
 	} else if kthid != "" {
 		if hasCookie {
-			http.SetCookie(w, &http.Cookie{Name: "next-url", MaxAge: -1})
+			http.SetCookie(w, &http.Cookie{Name: nextUrlCookie, MaxAge: -1})
 		}
 		http.Redirect(w, r, returnURL, http.StatusSeeOther)
 		return nil
 	}
 	if returnURL != "" {
 		http.SetCookie(w, &http.Cookie{
-			Name: "next-url",
+			Name: nextUrlCookie,
 			Value: returnURL,
 			MaxAge: int((time.Minute * 10).Seconds()),
 			Secure: true,
diff --git a/services/user/user.go b/services/user/user.go
index e57f594..860dd58 100644
--- a/services/user/user.go
+++ b/services/user/user.go
@@ -9,6 +9,7 @@ import (
 	"github.com/datasektionen/logout/pkg/httputil"
 	dev "github.com/datasektionen/logout/services/dev/export"
 	passkey "github.com/datasektionen/logout/services/passkey/export"
+	"github.com/datasektionen/logout/services/user/auth"
 	"github.com/datasektionen/logout/services/user/export"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5"
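Review bot: The leading-slash check at the top of index only covers the form value; when returnURL is instead taken from the `_logout_next-url` cookie in the second hunk it is redirected to in the third hunk without any validation, so a cookie written by another host under the same parent domain could steer the redirect off-site. Move the check below the cookie fallback so both sources pass through it, and tighten it to reject protocol-relative targets as well, e.g. `if returnURL != "" && (returnURL[0] != '/' || strings.HasPrefix(returnURL, "//") || strings.HasPrefix(returnURL, "/\\"))` (strings would need importing if it is not already). As a style point, Go initialism casing calls for `nextURLCookie`. index continues past the last hunk.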
@@ -70,20 +71,13 @@ func (s *service) LoginUser(ctx context.Context, kthid string) httputil.ToRespon
 		return err
 	}
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		http.SetCookie(w, &http.Cookie{
-			Name: "session",
-			Value: sessionID.String(),
-			Path: "/",
-			HttpOnly: true,
-			Secure: true,
-			SameSite: http.SameSiteLaxMode,
-		})
+		http.SetCookie(w, auth.SessionCookie(sessionID.String()))
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	})
 }
 
 func (s *service) GetLoggedInKTHID(r *http.Request) (string, error) {
-	sessionCookie, _ := r.Cookie("session")
+	sessionCookie, _ := r.Cookie(auth.SessionCookieName)
 	if sessionCookie == nil {
 		return "", nil
 	}
@@ -113,7 +107,7 @@ func (s *service) GetLoggedInUser(r *http.Request) (*export.User, error) {
 }
 
 func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResponse {
-	sessionCookie, _ := r.Cookie("session")
+	sessionCookie, _ := r.Cookie(auth.SessionCookieName)
 	if sessionCookie != nil {
 		sessionID, err := uuid.Parse(sessionCookie.Value)
 		if err != nil {
@@ -122,7 +116,7 @@ func (s *service) Logout(w http.ResponseWriter, r *http.Request) httputil.ToResp
 		}
 	}
 }
-	http.SetCookie(w, &http.Cookie{Name: "session", MaxAge: -1})
+	http.SetCookie(w, &http.Cookie{Name: auth.SessionCookieName, MaxAge: -1})
 	http.Redirect(w, r, "/", http.StatusSeeOther)
 	return nil
 }
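Review bot: The clearing cookie in Logout's last hunk, `&http.Cookie{Name: auth.SessionCookieName, MaxAge: -1}`, carries no Path while auth.SessionCookie sets Path "/"; browsers match cookies on name, domain and path, so if this handler is ever mounted below a sub-path the original cookie stays in the browser after logout even though the server-side session is presumably removed. Use `http.SetCookie(w, &http.Cookie{Name: auth.SessionCookieName, Path: "/", MaxAge: -1})`, ideally through a helper beside auth.SessionCookie so the two stay paired. The next-url clearing cookie in services/user/handlers.go has the same gap. Logout's body straddles its two hunks.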