mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-15 11:58:11 -05:00
01d957677f
* initial stuff for oauth2 login, fails on: * login button on the signIn page to start the OAuth2 flow and a callback for each provider Only GitHub is implemented for now * show login button only when the OAuth2 consumer is configured (and activated) * create macaron group for oauth2 urls * prevent net/http in modules (other then oauth2) * use a new data sessions oauth2 folder for storing the oauth2 session data * add missing 2FA when this is enabled on the user * add password option for OAuth2 user , for use with git over http and login to the GUI * add tip for registering a GitHub OAuth application * at startup of Gitea register all configured providers and also on adding/deleting of new providers * custom handling of errors in oauth2 request init + show better tip * add ExternalLoginUser model and migration script to add it to database * link a external account to an existing account (still need to handle wrong login and signup) and remove if user is removed * remove the linked external account from the user his settings * if user is unknown we allow him to register a new account or link it to some existing account * sign up with button on signin page (als change OAuth2Provider structure so we can store basic stuff about providers) * from gorilla/sessions docs: "Important Note: If you aren't using gorilla/mux, you need to wrap your handlers with context.ClearHandler as or else you will leak memory!" (we're using gorilla/sessions for storing oauth2 sessions) * use updated goth lib that now supports getting the OAuth2 user if the AccessToken is still valid instead of re-authenticating (prevent flooding the OAuth2 provider)
295 lines
8.5 KiB
Go
295 lines
8.5 KiB
Go
// Copyright 2012 The Gorilla Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package sessions
|
|
|
|
import (
|
|
"encoding/base32"
|
|
"io/ioutil"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"strings"
|
|
"sync"
|
|
|
|
"github.com/gorilla/securecookie"
|
|
)
|
|
|
|
// Store is an interface for custom session stores.
|
|
//
|
|
// See CookieStore and FilesystemStore for examples.
|
|
type Store interface {
|
|
// Get should return a cached session.
|
|
Get(r *http.Request, name string) (*Session, error)
|
|
|
|
// New should create and return a new session.
|
|
//
|
|
// Note that New should never return a nil session, even in the case of
|
|
// an error if using the Registry infrastructure to cache the session.
|
|
New(r *http.Request, name string) (*Session, error)
|
|
|
|
// Save should persist session to the underlying store implementation.
|
|
Save(r *http.Request, w http.ResponseWriter, s *Session) error
|
|
}
|
|
|
|
// CookieStore ----------------------------------------------------------------
|
|
|
|
// NewCookieStore returns a new CookieStore.
|
|
//
|
|
// Keys are defined in pairs to allow key rotation, but the common case is
|
|
// to set a single authentication key and optionally an encryption key.
|
|
//
|
|
// The first key in a pair is used for authentication and the second for
|
|
// encryption. The encryption key can be set to nil or omitted in the last
|
|
// pair, but the authentication key is required in all pairs.
|
|
//
|
|
// It is recommended to use an authentication key with 32 or 64 bytes.
|
|
// The encryption key, if set, must be either 16, 24, or 32 bytes to select
|
|
// AES-128, AES-192, or AES-256 modes.
|
|
//
|
|
// Use the convenience function securecookie.GenerateRandomKey() to create
|
|
// strong keys.
|
|
func NewCookieStore(keyPairs ...[]byte) *CookieStore {
|
|
cs := &CookieStore{
|
|
Codecs: securecookie.CodecsFromPairs(keyPairs...),
|
|
Options: &Options{
|
|
Path: "/",
|
|
MaxAge: 86400 * 30,
|
|
},
|
|
}
|
|
|
|
cs.MaxAge(cs.Options.MaxAge)
|
|
return cs
|
|
}
|
|
|
|
// CookieStore stores sessions using secure cookies.
|
|
type CookieStore struct {
|
|
Codecs []securecookie.Codec
|
|
Options *Options // default configuration
|
|
}
|
|
|
|
// Get returns a session for the given name after adding it to the registry.
|
|
//
|
|
// It returns a new session if the sessions doesn't exist. Access IsNew on
|
|
// the session to check if it is an existing session or a new one.
|
|
//
|
|
// It returns a new session and an error if the session exists but could
|
|
// not be decoded.
|
|
func (s *CookieStore) Get(r *http.Request, name string) (*Session, error) {
|
|
return GetRegistry(r).Get(s, name)
|
|
}
|
|
|
|
// New returns a session for the given name without adding it to the registry.
|
|
//
|
|
// The difference between New() and Get() is that calling New() twice will
|
|
// decode the session data twice, while Get() registers and reuses the same
|
|
// decoded session after the first call.
|
|
func (s *CookieStore) New(r *http.Request, name string) (*Session, error) {
|
|
session := NewSession(s, name)
|
|
opts := *s.Options
|
|
session.Options = &opts
|
|
session.IsNew = true
|
|
var err error
|
|
if c, errCookie := r.Cookie(name); errCookie == nil {
|
|
err = securecookie.DecodeMulti(name, c.Value, &session.Values,
|
|
s.Codecs...)
|
|
if err == nil {
|
|
session.IsNew = false
|
|
}
|
|
}
|
|
return session, err
|
|
}
|
|
|
|
// Save adds a single session to the response.
|
|
func (s *CookieStore) Save(r *http.Request, w http.ResponseWriter,
|
|
session *Session) error {
|
|
encoded, err := securecookie.EncodeMulti(session.Name(), session.Values,
|
|
s.Codecs...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
http.SetCookie(w, NewCookie(session.Name(), encoded, session.Options))
|
|
return nil
|
|
}
|
|
|
|
// MaxAge sets the maximum age for the store and the underlying cookie
|
|
// implementation. Individual sessions can be deleted by setting Options.MaxAge
|
|
// = -1 for that session.
|
|
func (s *CookieStore) MaxAge(age int) {
|
|
s.Options.MaxAge = age
|
|
|
|
// Set the maxAge for each securecookie instance.
|
|
for _, codec := range s.Codecs {
|
|
if sc, ok := codec.(*securecookie.SecureCookie); ok {
|
|
sc.MaxAge(age)
|
|
}
|
|
}
|
|
}
|
|
|
|
// FilesystemStore ------------------------------------------------------------
|
|
|
|
var fileMutex sync.RWMutex
|
|
|
|
// NewFilesystemStore returns a new FilesystemStore.
|
|
//
|
|
// The path argument is the directory where sessions will be saved. If empty
|
|
// it will use os.TempDir().
|
|
//
|
|
// See NewCookieStore() for a description of the other parameters.
|
|
func NewFilesystemStore(path string, keyPairs ...[]byte) *FilesystemStore {
|
|
if path == "" {
|
|
path = os.TempDir()
|
|
}
|
|
fs := &FilesystemStore{
|
|
Codecs: securecookie.CodecsFromPairs(keyPairs...),
|
|
Options: &Options{
|
|
Path: "/",
|
|
MaxAge: 86400 * 30,
|
|
},
|
|
path: path,
|
|
}
|
|
|
|
fs.MaxAge(fs.Options.MaxAge)
|
|
return fs
|
|
}
|
|
|
|
// FilesystemStore stores sessions in the filesystem.
|
|
//
|
|
// It also serves as a reference for custom stores.
|
|
//
|
|
// This store is still experimental and not well tested. Feedback is welcome.
|
|
type FilesystemStore struct {
|
|
Codecs []securecookie.Codec
|
|
Options *Options // default configuration
|
|
path string
|
|
}
|
|
|
|
// MaxLength restricts the maximum length of new sessions to l.
|
|
// If l is 0 there is no limit to the size of a session, use with caution.
|
|
// The default for a new FilesystemStore is 4096.
|
|
func (s *FilesystemStore) MaxLength(l int) {
|
|
for _, c := range s.Codecs {
|
|
if codec, ok := c.(*securecookie.SecureCookie); ok {
|
|
codec.MaxLength(l)
|
|
}
|
|
}
|
|
}
|
|
|
|
// Get returns a session for the given name after adding it to the registry.
|
|
//
|
|
// See CookieStore.Get().
|
|
func (s *FilesystemStore) Get(r *http.Request, name string) (*Session, error) {
|
|
return GetRegistry(r).Get(s, name)
|
|
}
|
|
|
|
// New returns a session for the given name without adding it to the registry.
|
|
//
|
|
// See CookieStore.New().
|
|
func (s *FilesystemStore) New(r *http.Request, name string) (*Session, error) {
|
|
session := NewSession(s, name)
|
|
opts := *s.Options
|
|
session.Options = &opts
|
|
session.IsNew = true
|
|
var err error
|
|
if c, errCookie := r.Cookie(name); errCookie == nil {
|
|
err = securecookie.DecodeMulti(name, c.Value, &session.ID, s.Codecs...)
|
|
if err == nil {
|
|
err = s.load(session)
|
|
if err == nil {
|
|
session.IsNew = false
|
|
}
|
|
}
|
|
}
|
|
return session, err
|
|
}
|
|
|
|
// Save adds a single session to the response.
|
|
//
|
|
// If the Options.MaxAge of the session is <= 0 then the session file will be
|
|
// deleted from the store path. With this process it enforces the properly
|
|
// session cookie handling so no need to trust in the cookie management in the
|
|
// web browser.
|
|
func (s *FilesystemStore) Save(r *http.Request, w http.ResponseWriter,
|
|
session *Session) error {
|
|
// Delete if max-age is <= 0
|
|
if session.Options.MaxAge <= 0 {
|
|
if err := s.erase(session); err != nil {
|
|
return err
|
|
}
|
|
http.SetCookie(w, NewCookie(session.Name(), "", session.Options))
|
|
return nil
|
|
}
|
|
|
|
if session.ID == "" {
|
|
// Because the ID is used in the filename, encode it to
|
|
// use alphanumeric characters only.
|
|
session.ID = strings.TrimRight(
|
|
base32.StdEncoding.EncodeToString(
|
|
securecookie.GenerateRandomKey(32)), "=")
|
|
}
|
|
if err := s.save(session); err != nil {
|
|
return err
|
|
}
|
|
encoded, err := securecookie.EncodeMulti(session.Name(), session.ID,
|
|
s.Codecs...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
http.SetCookie(w, NewCookie(session.Name(), encoded, session.Options))
|
|
return nil
|
|
}
|
|
|
|
// MaxAge sets the maximum age for the store and the underlying cookie
|
|
// implementation. Individual sessions can be deleted by setting Options.MaxAge
|
|
// = -1 for that session.
|
|
func (s *FilesystemStore) MaxAge(age int) {
|
|
s.Options.MaxAge = age
|
|
|
|
// Set the maxAge for each securecookie instance.
|
|
for _, codec := range s.Codecs {
|
|
if sc, ok := codec.(*securecookie.SecureCookie); ok {
|
|
sc.MaxAge(age)
|
|
}
|
|
}
|
|
}
|
|
|
|
// save writes encoded session.Values to a file.
|
|
func (s *FilesystemStore) save(session *Session) error {
|
|
encoded, err := securecookie.EncodeMulti(session.Name(), session.Values,
|
|
s.Codecs...)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
filename := filepath.Join(s.path, "session_"+session.ID)
|
|
fileMutex.Lock()
|
|
defer fileMutex.Unlock()
|
|
return ioutil.WriteFile(filename, []byte(encoded), 0600)
|
|
}
|
|
|
|
// load reads a file and decodes its content into session.Values.
|
|
func (s *FilesystemStore) load(session *Session) error {
|
|
filename := filepath.Join(s.path, "session_"+session.ID)
|
|
fileMutex.RLock()
|
|
defer fileMutex.RUnlock()
|
|
fdata, err := ioutil.ReadFile(filename)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
if err = securecookie.DecodeMulti(session.Name(), string(fdata),
|
|
&session.Values, s.Codecs...); err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// delete session file
|
|
func (s *FilesystemStore) erase(session *Session) error {
|
|
filename := filepath.Join(s.path, "session_"+session.ID)
|
|
|
|
fileMutex.RLock()
|
|
defer fileMutex.RUnlock()
|
|
|
|
err := os.Remove(filename)
|
|
return err
|
|
}
|