idanoo/autobrr
1
0
Fork 0
mirror of https://github.com/idanoo/autobrr synced 2025-07-23 08:49:13 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

fix(auth): force invalidate invalid session cookies in middleware (#1358)

Browse source 
* fix(auth): invalidate session cookies in middleware

* fix(auth): set path for invalid cookie
This commit is contained in:
ze0s 2024-01-20 20:10:26 +01:00 committed by GitHub
parent eb626de683
commit f488c88f1b
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 62 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

49
internal/http/auth.go
View file

@ -66,36 +66,37 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
return
}
h.cookieStore.Options.HttpOnly = true
h.cookieStore.Options.SameSite = http.SameSiteLaxMode
h.cookieStore.Options.Path = h.config.BaseURL
if _, err := h.service.Login(r.Context(), data.Username, data.Password); err != nil {
h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
h.encoder.StatusError(w, http.StatusForbidden, errors.New("could not login: bad credentials"))
return
}
// create new session
session, err := h.cookieStore.Get(r, "user_session")
if err != nil {
h.log.Error().Err(err).Msgf("Auth: Failed to create cookies with attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not create cookies"))
return
}
// Set user as authenticated
session.Values["authenticated"] = true
// Set cookie options
session.Options.HttpOnly = true
session.Options.SameSite = http.SameSiteLaxMode
session.Options.Path = h.config.BaseURL
// autobrr does not support serving on TLS / https, so this is only available behind reverse proxy
// if forwarded protocol is https then set cookie secure
// SameSite Strict can only be set with a secure cookie. So we overwrite it here if possible.
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
if r.Header.Get("X-Forwarded-Proto") == "https" {
h.cookieStore.Options.Secure = true
h.cookieStore.Options.SameSite = http.SameSiteStrictMode
session.Options.Secure = true
session.Options.SameSite = http.SameSiteStrictMode
}
if _, err := h.service.Login(r.Context(), data.Username, data.Password); err != nil {
h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not login: bad credentials"))
return
}
// create new session
session, err := h.cookieStore.New(r, "user_session")
if err != nil {
h.log.Error().Err(err).Msgf("Auth: Failed to parse cookies with attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not parse cookies"))
return
}
// Set user as authenticated
session.Values["authenticated"] = true
if err := session.Save(r, w); err != nil {
h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
return
@ -118,6 +119,8 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
// MaxAge<0 means delete cookie immediately
session.Options.MaxAge = -1
session.Options.Path = h.config.BaseURL
if err := session.Save(r, w); err != nil {
h.log.Error().Err(err).Msgf("could not store session: %s", r.RemoteAddr)
h.encoder.StatusError(w, http.StatusInternalServerError, err)
@ -168,7 +171,7 @@ func (h authHandler) onboardEligible(ctx context.Context) (int, error) {
}
if userCount > 0 {
return http.StatusForbidden, errors.New("onboarding unavailable")
return http.StatusServiceUnavailable, errors.New("onboarding unavailable")
}
return http.StatusOK, nil