This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/internal/outpost/proxyv2/application/oauth.go
Jens Langhammer 3c048a1921 outposts/proxy: fix session not expiring correctly due to miscalculation
closes #1976

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-21 13:10:57 +01:00

68 lines
2 KiB
Go

package application
import (
"encoding/base64"
"net/http"
"time"
"github.com/gorilla/securecookie"
"goauthentik.io/internal/outpost/proxyv2/constants"
)
func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) {
state := base64.RawStdEncoding.EncodeToString(securecookie.GenerateRandomKey(32))
s, _ := a.sessions.Get(r, constants.SeesionName)
s.Values[constants.SessionOAuthState] = state
err := s.Save(r, rw)
if err != nil {
a.log.WithError(err).Warning("failed to save session")
}
if loop, ok := s.Values[constants.SessionLoopDetection]; ok {
if loop.(int) > 10 {
rw.WriteHeader(http.StatusBadRequest)
a.ErrorPage(rw, r, "Detected redirect loop, make sure /akprox is accessible without authentication.")
return
}
}
http.Redirect(rw, r, a.oauthConfig.AuthCodeURL(state), http.StatusFound)
}
func (a *Application) handleCallback(rw http.ResponseWriter, r *http.Request) {
s, _ := a.sessions.Get(r, constants.SeesionName)
state, ok := s.Values[constants.SessionOAuthState]
if !ok {
a.log.Warning("No state saved in session")
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
return
}
claims, err := a.redeemCallback(r, state.(string))
if err != nil {
a.log.WithError(err).Warning("failed to redeem code")
rw.WriteHeader(400)
// To prevent the user from just refreshing and cause more errors, delete
// the state from the session
delete(s.Values, constants.SessionOAuthState)
err := s.Save(r, rw)
if err != nil {
a.log.WithError(err).Warning("failed to save session")
rw.WriteHeader(400)
return
}
return
}
s.Options.MaxAge = int(time.Until(time.Unix(int64(claims.Exp), 0)).Seconds())
s.Values[constants.SessionClaims] = &claims
err = s.Save(r, rw)
if err != nil {
a.log.WithError(err).Warning("failed to save session")
rw.WriteHeader(400)
return
}
redirect := a.proxyConfig.ExternalHost
redirectR, ok := s.Values[constants.SessionRedirect]
if ok {
redirect = redirectR.(string)
}
http.Redirect(rw, r, redirect, http.StatusFound)
}