outposts/proxy: fix session not expiring correctly due to miscalculation

closes #1976 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-21 13:10:57 +01:00 · 2021-12-21 13:10:57 +01:00 · 3c048a1921
parent 8a60a7e26f
commit 3c048a1921
4 changed files with 13 additions and 12 deletions
--- a/internal/outpost/ak/api.go
+++ b/internal/outpost/ak/api.go
@ -81,7 +81,8 @@ func NewAPIController(akURL url.URL, token string) *APIController {
 	}
 	log.Debug("Fetched global configuration")

-	doGlobalSetup(outpost, akConfig)
+	// doGlobalSetup is called by the OnRefresh handler, which ticks on start
+	// doGlobalSetup(outpost, akConfig)

 	ac := &APIController{
 		Client:       apiClient,
--- a/internal/outpost/ak/api_ws.go
+++ b/internal/outpost/ak/api_ws.go
@ -194,12 +194,7 @@ func (ac *APIController) startWSHealth() {
 func (ac *APIController) startIntervalUpdater() {
 	logger := ac.logger.WithField("loop", "interval-updater")
 	ticker := time.NewTicker(5 * time.Minute)
-	initial := false
 	for ; true; <-ticker.C {
-		if !initial {
-			initial = true
-			continue
-		}
 		logger.Debug("Running interval update")
 		err := ac.OnRefresh()
 		if err != nil {
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@ -3,6 +3,7 @@ package application
 import (
 	"encoding/base64"
 	"net/http"
+	"time"

 	"github.com/gorilla/securecookie"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
@ -49,7 +50,7 @@ func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
 		}
 		return
 	}
-	s.Options.MaxAge = claims.Exp / 1000
+	s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
 	s.Values[constants.SessionClaims] = &claims
 	err = s.Save(r, rw)
 	if err != nil {
--- a/internal/outpost/proxyv2/application/session.go
+++ b/internal/outpost/proxyv2/application/session.go
@ -19,11 +19,13 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 		if err != nil {
 			panic(err)
 		}
-		rs.SetMaxLength(math.MaxInt64)
+		rs.SetMaxLength(math.MaxInt)
 		if p.TokenValidity.IsSet() {
 			t := p.TokenValidity.Get()
 			// Add one to the validity to ensure we don't have a session with indefinite length
-			rs.Options.MaxAge = int(*t) + 1
+			rs.SetMaxAge(int(*t) + 1)
+		} else {
+			rs.SetMaxAge(0)
 		}
 		rs.Options.Domain = *p.CookieDomain
 		a.log.Info("using redis session backend")
@ -31,19 +33,21 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
 	} else {
 		dir := os.TempDir()
 		cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
-		cs.Options.Domain = *p.CookieDomain
 		// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
 		// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
 		// securecookie: the value is too long
 		// when using OpenID Connect , since this can contain a large amount of extra information in the id_token

 		// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
-		cs.MaxLength(math.MaxInt64)
+		cs.MaxLength(math.MaxInt)
 		if p.TokenValidity.IsSet() {
 			t := p.TokenValidity.Get()
 			// Add one to the validity to ensure we don't have a session with indefinite length
-			cs.Options.MaxAge = int(*t) + 1
+			cs.MaxAge(int(*t) + 1)
+		} else {
+			cs.MaxAge(0)
 		}
+		cs.Options.Domain = *p.CookieDomain
 		a.log.WithField("dir", dir).Info("using filesystem session backend")
 		store = cs
 	}