From 1effcdd830a92d74ab13db16bf3ee46115f318f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9mi=20PAILHAREY?= <rpailharey@grandlyon.com>
Date: Tue, 12 Nov 2024 17:13:08 +0100
Subject: [PATCH] fix(auth): prevent too large cookie

---
 internal/auth/oauth2.go          | 15 ++++++++++++---
 internal/rootmux/rootmux_test.go |  2 +-
 internal/tokens/tokens_test.go   |  5 -----
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/internal/auth/oauth2.go b/internal/auth/oauth2.go
index 423df8e..3e9521d 100644
--- a/internal/auth/oauth2.go
+++ b/internal/auth/oauth2.go
@@ -106,11 +106,11 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 		}
 		////////////////////////////////////////////////
 		// UNCOMMENT THIS TO DEBUG USERINFO RESPONSE //
-		// readBody, err := ioutil.ReadAll(response.Body)
+		// readBody, err := io.ReadAll(response.Body)
 		// if err != nil {
 		// 	panic(err)
 		// }
-		// newBody := ioutil.NopCloser(bytes.NewBuffer(readBody))
+		// newBody := io.NopCloser(bytes.NewBuffer(readBody))
 		// response.Body = newBody
 		// if string(readBody) != "" {
 		// 	fmt.Printf("BODY : %q \n", readBody)
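Review bot: The commented-out debug block kept on these lines still ends in `// 	fmt.Printf("BODY : %q \n", readBody)`, which, if someone uncomments it as the banner invites, writes the complete userinfo response (identity claims and whatever else the IdP returns) to stdout and panics the handler on a read error. Since the commit is already touching these lines, I would either drop the block or turn it into a real, flag-gated debug log; at minimum add a comment such as `// WARNING: dumps personal data from the IdP - never enable outside local debugging` so the next reader does not ship it. The enclosing HandleOAuth2Callback starts before this hunk.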
@@ -126,6 +126,15 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 			user.Roles[key] = strings.TrimPrefix(strings.Split(role, ",")[0], "CN=")
 		}
 
+		// Filter only allowed roles to reduce the cookie size
+		var filteredRoles []string
+		for _, role := range user.Roles {
+			if role == AdminRole || role == AnimatorRole {
+				filteredRoles = append(filteredRoles, role)
+			}
+		}
+		user.Roles = filteredRoles
+
 		// Check if user has the correct role
 		err = checkUserHasRole(TokenData{User: user}, []string{AdminRole, AnimatorRole})
 
@@ -145,7 +154,7 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 		}
 		tokenData := TokenData{User: user, XSRFToken: xsrfToken}
 		tokens.CreateCookie(tokenData, m.Hostname, authTokenKey, 24*time.Hour, w)
-		// Log the connexion
+		// Log the connection
 		log.Printf("| %v (%v %v) | Login success | %v", user.Login, user.Name, user.Surname, req.RemoteAddr)
 		// Redirect
 		http.Redirect(w, r, "/", http.StatusFound)
diff --git a/internal/rootmux/rootmux_test.go b/internal/rootmux/rootmux_test.go
index 1258e60..15425b9 100644
--- a/internal/rootmux/rootmux_test.go
+++ b/internal/rootmux/rootmux_test.go
@@ -247,7 +247,7 @@ func animatorTests(t *testing.T) {
 		do("GET", "/api/common/monthlyReport?year=2021&month=1", noH, "", http.StatusOK, `{"year":2021,"month":1,"subject":"[Ecolyo] Votre bilan de décembre 2020","info":"Informations du mois","image":"imagebase64","newsTitle":"","newsContent":"","question":"","link":""`)
 
 		// Try to get SGE consents (must fail)
-		do("GET", "/api/admin/consent?limit=50&page=0", xsrfHeader, "", http.StatusForbidden, "no user role among [ANIMATORS OTHER_GROUP] is in allowed roles ([ADMINS])")
+		do("GET", "/api/admin/consent?limit=50&page=0", xsrfHeader, "", http.StatusForbidden, "no user role among [ANIMATORS] is in allowed roles ([ADMINS])")
 	}
 	// Try to login (must pass)
 	do("GET", "/OAuth2Login", noH, "", http.StatusOK, "")
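Review bot: The only test adjustment is the expected error string on the `do("GET", "/api/admin/consent?limit=50&page=0", ...)` line, which confirms OTHER_GROUP no longer appears in the message but does not exercise the commit's stated goal. A test that logs in a user whose IdP roles contain many unrelated groups and asserts the callback still succeeds (and, if the test harness exposes it, that the issued cookie stays well under the roughly 4 KiB browser limit) would pin the fix against regression; the existing fixture that yields OTHER_GROUP looks like a natural place to extend, though that fixture is outside this hunk. animatorTests starts before and continues after this hunk.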
diff --git a/internal/tokens/tokens_test.go b/internal/tokens/tokens_test.go
index 66a24e0..66e4b5c 100644
--- a/internal/tokens/tokens_test.go
+++ b/internal/tokens/tokens_test.go
@@ -1,7 +1,6 @@
 package tokens
 
 import (
-	"fmt"
 	"testing"
 	"time"
 
@@ -13,10 +12,6 @@ type user struct {
 	Password string
 }
 
-func (u user) String() string {
-	return fmt.Sprintf("Login: %v, Password: %v", u.Login, u.Password)
-}
-
 func TestManagerCreateTokenUnStoreData(t *testing.T) {
 	key, _ := common.GenerateRandomBytes(32)
 	key2, _ := common.GenerateRandomBytes(32)
-- 
GitLab