From e120f8961cb9776628249868172b676a7884e576 Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Wed, 9 May 2018 23:10:30 +0100
Subject: [PATCH] Add server-generated session info to queries

---
 db/db.go      | 14 ++++---------
 db/session.go | 33 +++++++++++++++++++++++++++++
 db/socket.go  |  3 +--
 db/vars.go    | 26 ++++++++++++-----------
 glide.lock    | 28 ++++++++++++-------------
 web/sess.go   | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++
 web/vars.go   |  1 +
 web/web.go    | 10 +++++++--
 8 files changed, 132 insertions(+), 41 deletions(-)
 create mode 100644 db/session.go
 create mode 100644 web/sess.go

diff --git a/db/db.go b/db/db.go
index 352cf554..43b67b54 100644
--- a/db/db.go
+++ b/db/db.go
@@ -149,17 +149,11 @@ func Process(fib *fibre.Context, ast *sql.Query, vars map[string]interface{}) (o
 		fib.Set(ctxKeyId, uuid.New().String())
 	}
 
-	// Ensure that the IP address of the
-	// user signing in is available so that
-	// it can be used within signin queries.
+	// Ensure that the session details, such
+	// as id, ip, and origin, are available on
+	// the 'conn' object on each query.
 
-	vars[varKeyIp] = fib.IP().String()
-
-	// Ensure that the website origin of the
-	// user signing in is available so that
-	// it can be used within signin queries.
-
-	vars[varKeyOrigin] = fib.Origin()
+	vars[varKeySession] = session(fib)
 
 	// Ensure that the specified environment
 	// variable 'ENV' is available to the
diff --git a/db/session.go b/db/session.go
new file mode 100644
index 00000000..2f428baf
--- /dev/null
+++ b/db/session.go
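Review bot: The new comment line `+	// the 'conn' object on each query.` names a 'conn' object, but the value is stored under `varKeySession`, i.e. the `session` key, so comment and code disagree; suggest `// Ensure that the session details (id, ip, origin) are available to each query under the 'session' variable.`. The hunk also removes the top-level `varKeyIp` and `varKeyOrigin` entries instead of keeping them beside the new map, so any existing signin query that still reads the old `ip`/`origin` variables would presumably now see no value — worth stating in the commit description, or keeping the old keys for a release. The `session` id is taken from a client cookie (see db/session.go in this patch), so queries should treat it as an opaque identifier rather than as proof of anything. Process continues outside the hunk.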
@@ -0,0 +1,33 @@
+// Copyright © 2016 Abcum Ltd
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package db
+
+import (
+	"github.com/abcum/fibre"
+)
+
+func session(c *fibre.Context) (out map[string]interface{}) {
+
+	out = make(map[string]interface{})
+
+	out[varKeyIp] = c.IP().String()
+
+	out[varKeyId] = c.Get(varKeyCook)
+
+	out[varKeyOrigin] = c.Origin()
+
+	return
+
+}
diff --git a/db/socket.go b/db/socket.go
index 0feea446..edf5a564 100644
--- a/db/socket.go
+++ b/db/socket.go
@@ -68,8 +68,7 @@ func (s *socket) ctx(ns, db string) (ctx context.Context) {
 	vars := data.New()
 	vars.Set(auth.Data, varKeyAuth)
 	vars.Set(auth.Scope, varKeyScope)
-	vars.Set(s.fibre.Origin(), varKeyOrigin)
-	vars.Set(s.fibre.IP().String(), varKeyIp)
+	vars.Set(session(s.fibre), varKeySession)
 	ctx = context.WithValue(ctx, ctxKeyVars, vars)
 
 	return
diff --git a/db/vars.go b/db/vars.go
index bc3c77be..9694d63f 100644
--- a/db/vars.go
+++ b/db/vars.go
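Review bot: `out[varKeyId] = c.Get(varKeyCook)` copies whatever the client's cookie carried, and stores an untyped nil when nothing set `varKeyCook` on this context; nothing in the function says so, and the same value is reached from the db/socket.go hunk via `session(s.fibre)`, where it is not visible whether the websocket upgrade request passed through the cookie middleware. Add a doc comment such as `// session builds the per-request details exposed to queries as the 'session' variable: the cookie id (client-supplied, not validated here, nil when absent), the client ip and the origin.`. If a nil id should never reach a query, a guard like `if v, ok := c.Get(varKeyCook).(string); ok { out[varKeyId] = v }` makes the absence explicit instead of storing nil under the key. Stylistically the body could be one map literal rather than a named result with a naked return.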
@@ -57,18 +57,20 @@ const (
 )
 
 const (
-	varKeyId     = "id"
-	varKeyIp     = "ip"
-	varKeyEnv    = "ENV"
-	varKeyAuth   = "auth"
-	varKeyThis   = "this"
-	varKeyScope  = "scope"
-	varKeyValue  = "value"
-	varKeyAfter  = "after"
-	varKeyBefore = "before"
-	varKeyMethod = "method"
-	varKeyParent = "parent"
-	varKeyOrigin = "origin"
+	varKeyId      = "id"
+	varKeyIp      = "ip"
+	varKeyEnv     = "ENV"
+	varKeyAuth    = "auth"
+	varKeyCook    = "cook"
+	varKeyThis    = "this"
+	varKeyScope   = "scope"
+	varKeyValue   = "value"
+	varKeyAfter   = "after"
+	varKeyBefore  = "before"
+	varKeyMethod  = "method"
+	varKeyParent  = "parent"
+	varKeyOrigin  = "origin"
+	varKeySession = "session"
 )
 
 var (
diff --git a/glide.lock b/glide.lock
index 1165fe27..38e638ba 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,8 +1,8 @@
 hash: c56e5bd935dd1933a6e7370fe3fc67ea26169ec91aa05c171543866c6c2490ed
-updated: 2018-05-02T12:28:08.963393+01:00
+updated: 2018-05-09T23:03:18.058567+01:00
 imports:
 - name: cloud.google.com/go
-  version: 29f476ffa9c4cd4fd14336b6043090ac1ad76733
+  version: 056a55f54a6cc77b440b31a56a5e7c3982d32811
   subpackages:
   - compute/metadata
   - iam
@@ -16,7 +16,7 @@ imports:
 - name: github.com/abcum/cork
   version: c246208017d0b81f2e9a3fc2fb7a993c89153839
 - name: github.com/abcum/fibre
-  version: 24b2157453a929f7a86616c415d01b94916b3ed5
+  version: 58f82632f8a973b56347ffdb5632674cd22686c1
   subpackages:
   - mw
 - name: github.com/abcum/ptree
@@ -35,7 +35,7 @@ imports:
 - name: github.com/armon/go-metrics
   version: 783273d703149aaeb9897cf58613d5af48861c25
 - name: github.com/aws/aws-sdk-go
-  version: 236a3fce423171d03ae327a8aa2512e6fb24df36
+  version: 31bd69f7db00cbf3d85d129e16d42304cb6e455f
   subpackages:
   - aws
   - aws/awserr
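Review bot: `varKeyCook = "cook"` is declared here and again, with the same literal, in web/vars.go later in this patch; the db package reads with `c.Get(varKeyCook)` what the web middleware stored with `c.Set(varKeyCook, ...)`, so the two strings must stay identical, and a later edit to one of them would silently turn every session id into nil without any compile error. Either export a single constant and use it from both packages, or record the coupling on each declaration, e.g. `varKeyCook = "cook" // must match web.varKeyCook: the value is set by the web sess() middleware`. The const block is complete within the hunk.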
@@ -117,7 +117,7 @@ imports:
 - name: github.com/jmespath/go-jmespath
   version: c2b33e8439af944379acbdd9c3a5fe0bc44bd8a5
 - name: github.com/kr/text
-  version: 7cafcd837844e784b526369c9bce262804aebc60
+  version: e2ffdb16a802fe2bb95e2e35ff34f0e53aeef34f
 - name: github.com/mattn/go-colorable
   version: efa589957cd060542a26d2dd7832fd6a6c6c3ade
 - name: github.com/mattn/go-isatty
@@ -125,7 +125,7 @@ imports:
 - name: github.com/mgutz/ansi
   version: 9520e82c474b0a04dd04f8a40959027271bab992
 - name: github.com/miekg/dns
-  version: 01d59357d468872339068bcd5d55a00e2463051f
+  version: eac804ceef194db2da6ee80c728d7658c8c805ff
 - name: github.com/mitchellh/mapstructure
   version: 00c29f56e2386353d58c599509e8dc3801b0d716
 - name: github.com/newrelic/go-agent
@@ -160,7 +160,7 @@ imports:
   subpackages:
   - codec
 - name: go.opencensus.io
-  version: 10cec2c05ea2cfb8b0d856711daedc49d8a45c56
+  version: c11636694056ed1d664b058521f3aa61016da8ba
   subpackages:
   - exporter/stackdriver/propagation
   - internal
@@ -175,7 +175,7 @@ imports:
   - trace/internal
   - trace/propagation
 - name: golang.org/x/crypto
-  version: 613d6eafa307c6881a737a3c35c0e312e8d3a8c5
+  version: 2d027ae1dddd4694d54f7a8b6cbe78dca8720226
   subpackages:
   - bcrypt
   - blowfish
@@ -185,7 +185,7 @@ imports:
   - scrypt
   - ssh/terminal
 - name: golang.org/x/net
-  version: 5f9ae10d9af5b1c89ae6904293b14b064d4ada23
+  version: f73e4c9ed3b7ebdd5f699a16a880c2b1994e50dd
   subpackages:
   - bpf
   - context
@@ -199,17 +199,16 @@ imports:
   - internal/timeseries
   - ipv4
   - ipv6
-  - lex/httplex
   - trace
 - name: golang.org/x/oauth2
-  version: 6881fee410a5daf86371371f9ad451b95e168b71
+  version: cdc340f7c179dbbfa4afd43b7614e8fcadde4269
   subpackages:
   - google
   - internal
   - jws
   - jwt
 - name: golang.org/x/sys
-  version: 78d5f264b493f125018180c204871ecf58a2dce1
+  version: 64746a42f36bf0832f86b76004f1699dbeb33e4f
   subpackages:
   - unix
   - windows
@@ -226,7 +225,7 @@ imports:
   - unicode/bidi
   - unicode/norm
 - name: google.golang.org/api
-  version: ce90db2c36a2cb8c9c06779ed8bb96f92ea6e3b8
+  version: 4bd7f4beb291148443ed4553071c4e0697ff4afb
   subpackages:
   - gensupport
   - googleapi
@@ -257,7 +256,7 @@ imports:
   - googleapis/rpc/code
   - googleapis/rpc/status
 - name: google.golang.org/grpc
-  version: e538e04cad1b83e47b2ccbbbfe6d5fd5a816d290
+  version: 45d7f3a23f0b937ba711aa0e3e3426325d3b9ae4
   subpackages:
   - balancer
   - balancer/base
@@ -271,7 +270,6 @@ imports:
   - grpclb/grpc_lb_v1/messages
   - grpclog
   - internal
-  - internal/msgdecoder
   - keepalive
   - metadata
   - naming
diff --git a/web/sess.go b/web/sess.go
new file mode 100644
index 00000000..1eb3669f
--- /dev/null
+++ b/web/sess.go
@@ -0,0 +1,58 @@
+// Copyright © 2016 Abcum Ltd
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package web
+
+import (
+	"time"
+
+	"net/http"
+
+	"github.com/abcum/fibre"
+	"github.com/abcum/surreal/cnf"
+	"github.com/abcum/surreal/util/rand"
+)
+
+const cookie = "surreal"
+
+func sess() fibre.MiddlewareFunc {
+	return func(h fibre.HandlerFunc) fibre.HandlerFunc {
+		return func(c *fibre.Context) (err error) {
+
+			val, err := c.Request().Cookie(cookie)
+
+			if err != nil {
+
+				crt := len(cnf.Settings.Cert.Crt) != 0
+				key := len(cnf.Settings.Cert.Key) != 0
+
+				val = &http.Cookie{
+					Name:     cookie,
+					Value:    rand.String(64),
+					Secure:   (crt && key),
+					HttpOnly: true,
+					Expires:  time.Now().Add(365 * 24 * time.Hour),
+				}
+
+			}
+
+			c.Response().Header().Set("Set-Cookie", val.String())
+
+			c.Set(varKeyCook, val.Value)
+
+			return h(c)
+
+		}
+	}
+}
diff --git a/web/vars.go b/web/vars.go
index 767f8153..82c06fcf 100644
--- a/web/vars.go
+++ b/web/vars.go
@@ -25,4 +25,5 @@ const (
 	varKeyAuth = "auth"
 	varKeyUser = "user"
 	varKeyPass = "pass"
+	varKeyCook = "cook"
 )
diff --git a/web/web.go b/web/web.go
index a2cc5e71..b3bd9153 100644
--- a/web/web.go
+++ b/web/web.go
@@ -46,7 +46,7 @@ func Setup(opts *cnf.Options) (err error) {
 	// Add cors headers
 
 	s.Use(mw.Cors(&mw.CorsOpts{
-		AllowedOrigin: "*",
+		AllowedOrigin: "=",
 		AllowedMethods: []string{
 			"GET",
 			"PUT",
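Review bot: When the request already carries the cookie, the `val` returned by `c.Request().Cookie(cookie)` holds only Name and Value, so the unconditional `c.Response().Header().Set("Set-Cookie", val.String())` re-issues it without `Secure`, `HttpOnly` or `Expires`, and from the second response on the browser stores a plain session cookie that page script can read. The value is also used as-is, so `c.Set(varKeyCook, val.Value)` exposes a client-chosen string to queries as the session id; treating anything that is not the 64-character shape `rand.String(64)` produces as absent (assuming rand.String(n) yields exactly n characters and is backed by a CSPRNG — worth confirming in util/rand) keeps the id server-generated, as the commit title says. Setting `Path: "/"` avoids one cookie per request path, and a doc comment such as `// sess issues a random per-client cookie and exposes its value to handlers under varKeyCook.` is missing. The rewrite below sends Set-Cookie only when a cookie is minted.
```go
		return func(c *fibre.Context) (err error) {

			val, err := c.Request().Cookie(cookie)

			// Mint and send a cookie only when the client has none, or when
			// the value is not one this server could have generated; a valid
			// existing cookie is left alone so its attributes are not lost.
			if err != nil || len(val.Value) != 64 {

				// … unchanged: crt/key settings lookup …

				val = &http.Cookie{
					Name:     cookie,
					Value:    rand.String(64),
					Path:     "/",
					Secure:   (crt && key),
					HttpOnly: true,
					Expires:  time.Now().Add(365 * 24 * time.Hour),
				}

				c.Response().Header().Set("Set-Cookie", val.String())

			}

			// … unchanged: c.Set(varKeyCook, val.Value) and return h(c) …
```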
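Review bot: `AllowedOrigin: "="` is paired with `AccessControlAllowCredentials: true` in the next hunk of web/web.go; the meaning of `"="` is not visible here, but if it makes mw.Cors echo the request's Origin header, every site would receive an allow-origin of itself together with allow-credentials, which lets a third-party page send requests carrying the new session cookie and read the responses. An explicit list of allowed origins is the usual configuration once credentials are allowed; at minimum record the decision next to the line, e.g. `AllowedOrigin: "=", // TODO(review): confirm "=" semantics in mw.Cors; with AllowCredentials this must not reflect arbitrary origins`. Setup continues outside the hunk.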
@@ -63,8 +63,10 @@ func Setup(opts *cnf.Options) (err error) {
 			"Origin",
 			"NS",
 			"DB",
+			"ID",
 		},
-		AccessControlMaxAge: 600,
+		AccessControlMaxAge:           1800,
+		AccessControlAllowCredentials: true,
 	}))
 
 	// Check body size
@@ -73,6 +75,10 @@ func Setup(opts *cnf.Options) (err error) {
 		AllowedLength: 1 << 20, // 1mb
 	}))
 
+	// Setup session cookie
+
+	s.Use(sess())
+
 	// Setup authentication
 
 	s.Use(auth())