outposts/proxy: fix session not expiring correctly due to miscalculation

closes #1976

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-12-21 13:10:57 +01:00
parent 8a60a7e26f
commit 3c048a1921
4 changed files with 13 additions and 12 deletions

View File

@ -81,7 +81,8 @@ func NewAPIController(akURL url.URL, token string) *APIController {
} }
log.Debug("Fetched global configuration") log.Debug("Fetched global configuration")
doGlobalSetup(outpost, akConfig) // doGlobalSetup is called by the OnRefresh handler, which ticks on start
// doGlobalSetup(outpost, akConfig)
ac := &APIController{ ac := &APIController{
Client: apiClient, Client: apiClient,

View File

@ -194,12 +194,7 @@ func (ac *APIController) startWSHealth() {
func (ac *APIController) startIntervalUpdater() { func (ac *APIController) startIntervalUpdater() {
logger := ac.logger.WithField("loop", "interval-updater") logger := ac.logger.WithField("loop", "interval-updater")
ticker := time.NewTicker(5 * time.Minute) ticker := time.NewTicker(5 * time.Minute)
initial := false
for ; true; <-ticker.C { for ; true; <-ticker.C {
if !initial {
initial = true
continue
}
logger.Debug("Running interval update") logger.Debug("Running interval update")
err := ac.OnRefresh() err := ac.OnRefresh()
if err != nil { if err != nil {

View File

@ -3,6 +3,7 @@ package application
import ( import (
"encoding/base64" "encoding/base64"
"net/http" "net/http"
"time"
"github.com/gorilla/securecookie" "github.com/gorilla/securecookie"
"goauthentik.io/internal/outpost/proxyv2/constants" "goauthentik.io/internal/outpost/proxyv2/constants"
@ -49,7 +50,7 @@ func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
} }
return return
} }
s.Options.MaxAge = claims.Exp / 1000 s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
s.Values[constants.SessionClaims] = &claims s.Values[constants.SessionClaims] = &claims
err = s.Save(r, rw) err = s.Save(r, rw)
if err != nil { if err != nil {

View File

@ -19,11 +19,13 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
if err != nil { if err != nil {
panic(err) panic(err)
} }
rs.SetMaxLength(math.MaxInt64) rs.SetMaxLength(math.MaxInt)
if p.TokenValidity.IsSet() { if p.TokenValidity.IsSet() {
t := p.TokenValidity.Get() t := p.TokenValidity.Get()
// Add one to the validity to ensure we don't have a session with indefinite length // Add one to the validity to ensure we don't have a session with indefinite length
rs.Options.MaxAge = int(*t) + 1 rs.SetMaxAge(int(*t) + 1)
} else {
rs.SetMaxAge(0)
} }
rs.Options.Domain = *p.CookieDomain rs.Options.Domain = *p.CookieDomain
a.log.Info("using redis session backend") a.log.Info("using redis session backend")
@ -31,19 +33,21 @@ func (a *Application) getStore(p api.ProxyOutpostConfig) sessions.Store {
} else { } else {
dir := os.TempDir() dir := os.TempDir()
cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret)) cs := sessions.NewFilesystemStore(dir, []byte(*p.CookieSecret))
cs.Options.Domain = *p.CookieDomain
// https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7 // https://github.com/markbates/goth/commit/7276be0fdf719ddff753f3574ef0f967e4a5a5f7
// set the maxLength of the cookies stored on the disk to a larger number to prevent issues with: // set the maxLength of the cookies stored on the disk to a larger number to prevent issues with:
// securecookie: the value is too long // securecookie: the value is too long
// when using OpenID Connect , since this can contain a large amount of extra information in the id_token // when using OpenID Connect , since this can contain a large amount of extra information in the id_token
// Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk // Note, when using the FilesystemStore only the session.ID is written to a browser cookie, so this is explicit for the storage on disk
cs.MaxLength(math.MaxInt64) cs.MaxLength(math.MaxInt)
if p.TokenValidity.IsSet() { if p.TokenValidity.IsSet() {
t := p.TokenValidity.Get() t := p.TokenValidity.Get()
// Add one to the validity to ensure we don't have a session with indefinite length // Add one to the validity to ensure we don't have a session with indefinite length
cs.Options.MaxAge = int(*t) + 1 cs.MaxAge(int(*t) + 1)
} else {
cs.MaxAge(0)
} }
cs.Options.Domain = *p.CookieDomain
a.log.WithField("dir", dir).Info("using filesystem session backend") a.log.WithField("dir", dir).Info("using filesystem session backend")
store = cs store = cs
} }