fix(auth): force invalidate invalid session cookies in middleware (#1358)

* fix(auth): invalidate session cookies in middleware * fix(auth): set path for invalid cookie
2025-07-23 08:49:13 +00:00 · 2024-01-20 20:10:26 +01:00 · 2024-01-20 20:10:26 +01:00 · f488c88f1b
commit f488c88f1b
parent eb626de683
4 changed files with 62 additions and 34 deletions
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@ -66,36 +66,37 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	h.cookieStore.Options.HttpOnly = true
+	if _, err := h.service.Login(r.Context(), data.Username, data.Password); err != nil {
-	h.cookieStore.Options.SameSite = http.SameSiteLaxMode
+		h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
-	h.cookieStore.Options.Path = h.config.BaseURL
+		h.encoder.StatusError(w, http.StatusForbidden, errors.New("could not login: bad credentials"))
 		return
 	}
 	// create new session
 	session, err := h.cookieStore.Get(r, "user_session")
 	if err != nil {
 		h.log.Error().Err(err).Msgf("Auth: Failed to create cookies with attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
 		h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not create cookies"))
 		return
 	}
 	// Set user as authenticated
 	session.Values["authenticated"] = true
 	// Set cookie options
 	session.Options.HttpOnly = true
 	session.Options.SameSite = http.SameSiteLaxMode
 	session.Options.Path = h.config.BaseURL
 	// autobrr does not support serving on TLS / https, so this is only available behind reverse proxy
 	// if forwarded protocol is https then set cookie secure
 	// SameSite Strict can only be set with a secure cookie. So we overwrite it here if possible.
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
 	if r.Header.Get("X-Forwarded-Proto") == "https" {
-		h.cookieStore.Options.Secure = true
+		session.Options.Secure = true
-		h.cookieStore.Options.SameSite = http.SameSiteStrictMode
+		session.Options.SameSite = http.SameSiteStrictMode
 	}
 	if _, err := h.service.Login(r.Context(), data.Username, data.Password); err != nil {
 		h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
 		h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not login: bad credentials"))
 		return
 	}
 	// create new session
 	session, err := h.cookieStore.New(r, "user_session")
 	if err != nil {
 		h.log.Error().Err(err).Msgf("Auth: Failed to parse cookies with attempt username: [%s] ip: %s", data.Username, r.RemoteAddr)
 		h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not parse cookies"))
 		return
 	}
 	// Set user as authenticated
 	session.Values["authenticated"] = true
 	if err := session.Save(r, w); err != nil {
 		h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
 		return
@ -118,6 +119,8 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 		// MaxAge<0 means delete cookie immediately
 		session.Options.MaxAge = -1
 		session.Options.Path = h.config.BaseURL
 		if err := session.Save(r, w); err != nil {
 			h.log.Error().Err(err).Msgf("could not store session: %s", r.RemoteAddr)
 			h.encoder.StatusError(w, http.StatusInternalServerError, err)
@ -168,7 +171,7 @@ func (h authHandler) onboardEligible(ctx context.Context) (int, error) {
 	}
 	if userCount > 0 {
-		return http.StatusForbidden, errors.New("onboarding unavailable")
+		return http.StatusServiceUnavailable, errors.New("onboarding unavailable")
 	}
 	return http.StatusOK, nil
--- a/internal/http/auth_test.go
+++ b/internal/http/auth_test.go
@ -272,8 +272,8 @@ func TestAuthHandlerValidateBad(t *testing.T) {
 	defer resp.Body.Close()
-	if status := resp.StatusCode; status != http.StatusUnauthorized {
+	if status := resp.StatusCode; status != http.StatusNoContent {
-		t.Errorf("validate: handler returned wrong status code: got %v want %v", status, http.StatusUnauthorized)
+		t.Errorf("validate: handler returned wrong status code: got %v want %v", status, http.StatusNoContent)
 	}
 }
@ -320,9 +320,9 @@ func TestAuthHandlerLoginBad(t *testing.T) {
 	defer resp.Body.Close()
-	// check for response, here we'll just check for 204 NoContent
+	// check for response, here we'll just check for 403 Forbidden
-	if status := resp.StatusCode; status != http.StatusUnauthorized {
+	if status := resp.StatusCode; status != http.StatusForbidden {
-		t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusUnauthorized)
+		t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusForbidden)
 	}
 }
--- a/internal/http/middleware.go
+++ b/internal/http/middleware.go
@ -24,7 +24,7 @@ func (s Server) IsAuthenticated(next http.Handler) http.Handler {
 			}
 		} else if key := r.URL.Query().Get("apikey"); key != "" {
-			// check query param lke ?apikey=TOKEN
+			// check query param like ?apikey=TOKEN
 			if !s.apiService.ValidateAPIKey(r.Context(), key) {
 				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 				return
@ -33,18 +33,31 @@ func (s Server) IsAuthenticated(next http.Handler) http.Handler {
 			// check session
 			session, err := s.cookieStore.Get(r, "user_session")
 			if err != nil {
-				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+				s.log.Error().Err(err).Msgf("could not get session from cookieStore")
 				session.Values["authenticated"] = false
 				// MaxAge<0 means delete cookie immediately
 				session.Options.MaxAge = -1
 				session.Options.Path = s.config.Config.BaseURL
 				if err := session.Save(r, w); err != nil {
 					s.log.Error().Err(err).Msgf("could not store session: %s", r.RemoteAddr)
 					http.Error(w, err.Error(), http.StatusInternalServerError)
 					return
 				}
 				http.Error(w, err.Error(), http.StatusForbidden)
 				return
 			}
 			if session.IsNew {
-				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+				http.Error(w, http.StatusText(http.StatusNoContent), http.StatusNoContent)
 				return
 			}
 			// Check if user is authenticated
 			if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
-				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+				http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
 				return
 			}
--- a/web/src/api/APIClient.ts
+++ b/web/src/api/APIClient.ts
@ -89,10 +89,18 @@ export async function HttpClient<T = unknown>(
  case 401: {
    // Remove auth info from localStorage
    AuthContext.reset();
  }
    // Show an error toast to notify the user what occurred
-    return Promise.reject(new Error(`[401] Unauthorized: "${endpoint}"`));
+    // return Promise.reject(new Error(`[401] Unauthorized: "${endpoint}"`));
    return Promise.reject(response);
  }
  case 403: {
    // Remove auth info from localStorage
    AuthContext.reset();
    // Show an error toast to notify the user what occurred
    return Promise.reject(response);
  }
  case 404: {
    return Promise.reject(new Error(`[404] Not found: "${endpoint}"`));
  }
@ -105,6 +113,10 @@ export async function HttpClient<T = unknown>(
    }
    break;
  }
  case 503: {
    // Show an error toast to notify the user what occurred
    return Promise.reject(new Error(`[503] Service unavailable: "${endpoint}"`));
  }
  default:
    break;
  }