Compare commits

...

3 Commits

Author SHA1 Message Date
wpetit ce7415af20 fix: prevent nil pointer when err session retrieval fails
Cadoles/bouncer/pipeline/head This commit looks good Details
see https://sentry.in.nuonet.fr/share/issue/48b82c13ee3f4721bb6306b533799709/
2024-11-14 10:10:16 +01:00
wpetit 7cc9de180c feat(authn): add configurable global ttl for session storage 2024-11-14 10:09:33 +01:00
wpetit 74c2a2c055 fix(authn): correctly handle session-limited cookies
Cadoles/bouncer/pipeline/head This commit looks good Details
See CNOUS/mse#4347
2024-11-08 12:21:23 +01:00
4 changed files with 35 additions and 6 deletions

View File

@ -21,6 +21,9 @@ func NewDefaultLayersConfig() LayersConfig {
Timeout: NewInterpolatedDuration(10 * time.Second),
},
},
Sessions: AuthnLayerSessionConfig{
TTL: NewInterpolatedDuration(time.Hour),
},
},
}
}
@ -34,6 +37,11 @@ type AuthnLayerConfig struct {
Debug InterpolatedBool `yaml:"debug"`
TemplateDir InterpolatedString `yaml:"templateDir"`
OIDC AuthnOIDCLayerConfig `yaml:"oidc"`
Sessions AuthnLayerSessionConfig `yaml:"sessions"`
}
type AuthnLayerSessionConfig struct {
TTL *InterpolatedDuration `yaml:"ttl"`
}
type AuthnOIDCLayerConfig struct {

View File

@ -10,6 +10,7 @@ import (
type Options struct {
Session sessions.Options
KeyPrefix string
TTL time.Duration
}
type OptionFunc func(opts *Options)
@ -25,6 +26,7 @@ func NewOptions(funcs ...OptionFunc) *Options {
SameSite: http.SameSiteDefaultMode,
},
KeyPrefix: "session:",
TTL: time.Hour,
}
for _, fn := range funcs {
@ -45,3 +47,9 @@ func WithKeyPrefix(prefix string) OptionFunc {
opts.KeyPrefix = prefix
}
}
func WithTTL(ttl time.Duration) OptionFunc {
return func(opts *Options) {
opts.TTL = ttl
}
}

View File

@ -31,6 +31,7 @@ type Store struct {
keyPrefix string
keyGen KeyGenFunc
serializer SessionSerializer
ttl time.Duration
}
type KeyGenFunc func() (string, error)
@ -43,6 +44,7 @@ func NewStore(adapter StoreAdapter, funcs ...OptionFunc) *Store {
keyPrefix: opts.KeyPrefix,
keyGen: generateRandomKey,
serializer: GobSerializer{},
ttl: opts.TTL,
}
return rs
@ -62,20 +64,21 @@ func (s *Store) New(r *http.Request, name string) (*sessions.Session, error) {
if err != nil {
return session, nil
}
session.ID = c.Value
err = s.load(r.Context(), session)
if err == nil {
session.IsNew = false
} else if !errors.Is(err, ErrNotFound) {
return nil, errors.WithStack(err)
return session, errors.WithStack(err)
}
return session, nil
}
func (s *Store) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
if session.Options.MaxAge <= 0 {
if session.Options.MaxAge < 0 {
if err := s.delete(r.Context(), session); err != nil {
return errors.WithStack(err)
}
@ -120,7 +123,12 @@ func (s *Store) save(ctx context.Context, session *sessions.Session) error {
return errors.WithStack(err)
}
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, time.Duration(session.Options.MaxAge)*time.Second); err != nil {
ttl := time.Duration(session.Options.MaxAge) * time.Second
if s.ttl < ttl || ttl == 0 {
ttl = s.ttl
}
if err := s.adapter.Set(ctx, s.keyPrefix+session.ID, b, ttl); err != nil {
return errors.WithStack(err)
}

View File

@ -218,6 +218,11 @@ layers:
authn:
# Répertoire contenant les templates
templateDir: "/etc/bouncer/layers/authn/templates"
# Configuration des sessions
sessions:
# Temps de persistence sans actualisation des sessions dans le store
# (prévalent sur le MaxAge de la session)
ttl: "1h"
# Configuration d'une série de proxy/layers
# à créer par défaut par le serveur d'administration