From 295285707ee199a4485026635e4b85733fa45f53 Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Mon, 14 May 2018 02:37:49 +0100
Subject: [PATCH] =?UTF-8?q?Don=E2=80=99t=20use=20a=20cookie=20for=20unique?= =?UTF-8?q?=20Session=20ID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 db/session.go | 2 +-
 db/vars.go | 2 +-
 web/auth.go | 18 ++++++++++++++++
 web/sess.go | 60 ---------------------------------------------------
 web/vars.go | 2 +-
 web/web.go | 7 +-----
 6 files changed, 22 insertions(+), 69 deletions(-)
 delete mode 100644 web/sess.go
diff --git a/db/session.go b/db/session.go
index 2f428baf..f118a287 100644
--- a/db/session.go
+++ b/db/session.go
@@ -24,7 +24,7 @@ func session(c *fibre.Context) (out map[string]interface{}) {
 out[varKeyIp] = c.IP().String()
- out[varKeyId] = c.Get(varKeyCook)
+ out[varKeyId] = c.Get(varKeyUniq)
 out[varKeyOrigin] = c.Origin()
diff --git a/db/vars.go b/db/vars.go
index 9694d63f..ed3219f2 100644
--- a/db/vars.go
+++ b/db/vars.go
@@ -61,7 +61,7 @@ const (
 varKeyIp = "ip"
 varKeyEnv = "ENV"
 varKeyAuth = "auth"
- varKeyCook = "cook"
+ varKeyUniq = "uniq"
 varKeyThis = "this"
 varKeyScope = "scope"
 varKeyValue = "value"
diff --git a/web/auth.go b/web/auth.go
index b2d03ac5..5ca8171a 100644
--- a/web/auth.go
+++ b/web/auth.go
@@ -86,6 +86,14 @@ func auth() fibre.MiddlewareFunc {
 auth.Selected.DB = subs[1]
 }
+ // If there is a Session ID specified in
+ // the request headers, then mark it as
+ // the connection Session ID.
+
+ if id := c.Request().Header().Get(varKeyId); len(id) != 0 {
+ c.Set(varKeyUniq, id)
+ }
+
 // If there is a namespace specified in
 // the request headers, then mark it as
 // the selected namespace.
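Review bot: The value copied into `out[varKeyId]` is now whatever the client put in the request (the ID header or an `id-` websocket subprotocol, per the web/auth.go hunks of this patch) rather than the server-generated random cookie value the deleted web/sess.go produced, and nothing in this hunk records that change of trust. Anything that later reads the session `id` must treat it as an unauthenticated client claim, never as a secret or a stable identity. I would add `// NOTE: uniq is client-supplied (ID header / id- subprotocol) and unverified; never use it as an auth token` above the assignment. Also, when no ID was supplied `c.Get(varKeyUniq)` presumably yields a nil value where the old cookie path always set one, so consumers of this map should be checked for that case. `session()` starts and ends outside this hunk.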
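Review bot: `c.Set(varKeyUniq, id)` stores the raw header value with no length or character-set check, whereas the removed cookie code (web/sess.go in this patch) only accepted a 64-character value and otherwise minted a fresh one with `rand.String(64)`; a client can now supply an arbitrarily long or arbitrarily formatted string, and can pick any value, including one another client is using. If the ID is only an opaque correlation tag that is acceptable, but it should then be bounded and documented as untrusted; if anything on the server keys state or permissions on it, a client-chosen ID is a session-spoofing/fixation risk and the server should keep generating it. At minimum I would validate the shape, e.g. a package-level `var uniqRe = regexp.MustCompile("^[A-Za-z0-9_-]{1,64}$")` and `if id := c.Request().Header().Get(varKeyId); uniqRe.MatchString(id) {` in place of the `len(id) != 0` test (this needs `regexp` imported in web/auth.go, which the hunk does not show). `auth()` starts and ends outside this hunk.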
@@ -136,6 +144,16 @@ func auth() fibre.MiddlewareFunc {
 if len(head) == 0 {
+ // If there is a Session ID specified as
+ // one of the socket protocols then use
+ // this as the connection Session ID.
+
+ for _, prot := range websocket.Subprotocols(c.Request().Request) {
+ if len(prot) > 3 && prot[0:3] == "id-" {
+ c.Set(varKeyUniq, prot[3:])
+ }
+ }
+
 // If there is a NS configuration option
 // defined as one of the socket protocols
 // then use this as the selected NS.
diff --git a/web/sess.go b/web/sess.go
deleted file mode 100644
index 7dd578ff..00000000
--- a/web/sess.go
+++ /dev/null
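Review bot: The subprotocol loop keeps iterating after a match, so with several `id-` entries the last one silently wins, and `prot[3:]` is stored with the same lack of validation as the header path in the earlier hunk; any value set from the ID header is also overwritten here without comment. I would `break` after `c.Set(varKeyUniq, prot[3:])` (or document that the last `id-` token wins), apply the same length/charset rule to `prot[3:]` so both entry points agree, and prefer `strings.HasPrefix(prot, "id-")` alongside the `len(prot) > 3` guard over `prot[0:3] == "id-"` (if `strings` is imported in this file, which the hunk does not show). Note this block only runs when no Authorization header is present, so for websocket clients the subprotocol, not the header, is the effective source of the session ID. `auth()` starts and ends outside this hunk.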
@@ -1,60 +0,0 @@
-// Copyright © 2016 Abcum Ltd
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package web
-
-import (
- "time"
-
- "net/http"
-
- "github.com/abcum/fibre"
- "github.com/abcum/surreal/cnf"
- "github.com/abcum/surreal/util/rand"
-)
-
-const cookie = "surreal"
-
-func uniq(val *http.Cookie) string {
- if val != nil && len(val.Value) == 64 {
- return val.Value
- }
- return rand.String(64)
-}
-
-func sess() fibre.MiddlewareFunc {
- return func(h fibre.HandlerFunc) fibre.HandlerFunc {
- return func(c *fibre.Context) (err error) {
-
- val, _ := c.Request().Cookie(cookie)
- crt := len(cnf.Settings.Cert.Crt) != 0
- key := len(cnf.Settings.Cert.Key) != 0
-
- val = &http.Cookie{
- Name: cookie,
- Value: uniq(val),
- Secure: (crt && key),
- HttpOnly: true,
- Expires: time.Now().Add(365 * 24 * time.Hour),
- }
-
- c.Response().Header().Set("Set-Cookie", val.String())
-
- c.Set(varKeyCook, val.Value)
-
- return h(c)
-
- }
- }
-}
diff --git a/web/vars.go b/web/vars.go
index 82c06fcf..3d9df8a9 100644
--- a/web/vars.go
+++ b/web/vars.go
@@ -25,5 +25,5 @@ const (
 varKeyAuth = "auth"
 varKeyUser = "user"
 varKeyPass = "pass"
- varKeyCook = "cook"
+ varKeyUniq = "uniq"
 )
diff --git a/web/web.go b/web/web.go
index b3bd9153..823c1be7 100644
--- a/web/web.go
+++ b/web/web.go
@@ -65,8 +65,7 @@ func Setup(opts *cnf.Options) (err error) {
 "DB",
 "ID",
 },
- AccessControlMaxAge: 1800,
- AccessControlAllowCredentials: true,
+ AccessControlMaxAge: 1800,
 }))
 // Check body size
@@ -75,10 +74,6 @@ func Setup(opts *cnf.Options) (err error) {
 AllowedLength: 1 << 20, // 1mb
 }))
- // Setup session cookie
- s.Use(sess())
-
 // Setup authentication
 s.Use(auth())