
fix htpasswd auth when cookie-refresh is enabled #1

Merged: 2 commits, Nov 23, 2018

Conversation

@ploxiln (Owner) commented Nov 21, 2018

If cookie-refresh is enabled, a cookie cipher will be enabled
for encrypting the access token. But htpasswd-authenticated sessions
will never have a session token and will always use the "plain"
session state. We cannot assume that the "encrypted" form will
always be used if we have a cookie cipher.

(The "plain" form is still wrapped with authentication and expiry.)

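The decoding rule the PR description states, as an added example in Go that is not the project's own code: a cut-down session-state encoder and decoder in which the plain `email:… user:…` form is accepted whether or not a cookie cipher is configured, and the `|`-separated encrypted form requires one. The AES-GCM `Cipher`, the `SessionState` field names and the separator layout are assumptions of this example; the real proxy cookie is additionally signed and given an expiry, which is not modelled here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// SessionState is a reduced model of the proxy session: account info plus an
// optional provider access token (htpasswd logins never carry one).
type SessionState struct {
	Email, User, AccessToken string
}

// Cipher stands in for the cookie cipher that only exists when cookie-refresh
// is enabled. AES-GCM here is this example's choice, not the project's code.
type Cipher struct{ aead cipher.AEAD }

func NewCipher(key []byte) (*Cipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Cipher{aead: aead}, err // NewGCM cannot fail for an AES block
}

// Encrypt prepends a random nonce so Decrypt can recover it.
func (c *Cipher) Encrypt(plain string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := c.aead.Seal(nonce, nonce, []byte(plain), nil)
	return base64.RawURLEncoding.EncodeToString(ct), nil
}

func (c *Cipher) Decrypt(enc string) (string, error) {
	ct, err := base64.RawURLEncoding.DecodeString(enc)
	n := c.aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := c.aead.Open(nil, ct[:n], ct[n:], nil)
	if err != nil {
		return "", err // tampered, truncated, or wrong key
	}
	return string(pt), nil
}

func (s *SessionState) accountInfo() string {
	return fmt.Sprintf("email:%s user:%s", s.Email, s.User)
}

// EncodeSessionState emits the plain form whenever there is no token to
// protect, even if a cipher is configured: htpasswd sessions are always plain.
func EncodeSessionState(s *SessionState, c *Cipher) (string, error) {
	if c == nil || s.AccessToken == "" {
		return s.accountInfo(), nil
	}
	tok, err := c.Encrypt(s.AccessToken)
	if err != nil {
		return "", err
	}
	return s.accountInfo() + "|" + tok, nil
}

func parseAccountInfo(v string) (*SessionState, error) {
	parts := strings.SplitN(v, " ", 2)
	if len(parts) != 2 || !strings.HasPrefix(parts[0], "email:") || !strings.HasPrefix(parts[1], "user:") {
		return nil, fmt.Errorf("invalid session state %q", v)
	}
	return &SessionState{Email: parts[0][len("email:"):], User: parts[1][len("user:"):]}, nil
}

// DecodeSessionState picks the form by the shape of the value, not by whether a
// cipher is configured: plain is accepted either way, encrypted requires one.
func DecodeSessionState(v string, c *Cipher) (*SessionState, error) {
	chunks := strings.SplitN(v, "|", 2)
	if len(chunks) == 1 {
		return parseAccountInfo(chunks[0])
	}
	if c == nil {
		return nil, errors.New("encrypted session state but no cookie cipher configured")
	}
	s, err := parseAccountInfo(chunks[0])
	if err != nil {
		return nil, err
	}
	if s.AccessToken, err = c.Decrypt(chunks[1]); err != nil {
		return nil, err
	}
	return s, nil
}
```

With a cipher configured, `DecodeSessionState("email: user:goertek", c)` (the shape seen in the log lines further down this thread) returns the htpasswd user rather than failing; a tampered or cipher-less encrypted value is still rejected.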
@ploxiln force-pushed the session_state_htpasswd branch from 3fa91d8 to 8570ca0 on November 22, 2018 18:36

@ploxiln (Owner, Author) commented Nov 22, 2018

one downside is that this results in a log message on every request after cookie-refresh and before cookie-expire for an htpasswd authed session:

2018/11/22 23:51:30 oauthproxy.go:641: 127.0.0.1:31944 ("100.37.172.200") refreshing 4m35s old session cookie for Session{email: user:goertek} (refresh after 3m0s)
2018/11/22 23:51:31 oauthproxy.go:641: 127.0.0.1:31944 ("100.37.172.200") refreshing 4m36s old session cookie for Session{email: user:goertek} (refresh after 3m0s)

@ploxiln (Owner, Author) commented Nov 22, 2018

... but otherwise this works fine. Tested with github provider, htpasswd auth, and cookie-refresh

htpasswd-authenticated sessions, which do not have a token,
were re-saved after cookie-refresh period, but were not
re-validated in any way, because they have no token

(in the future we could use the password-hash as the token,
and check that it is still present in the htpasswd file)
@ploxiln force-pushed the session_state_htpasswd branch from 08097da to a4c57be on November 23, 2018 17:39

@ploxiln (Owner, Author) commented Nov 23, 2018

ok, fixed the logging issue, with just one more little tweak to Authenticate() ... this function was already a confusing bundle of logic but will have to be cleaned-up sometime later ™️

@ploxiln merged commit 7b43805 into master on Nov 23, 2018
@ploxiln deleted the session_state_htpasswd branch on January 6, 2019 13:23