fix(auth): prevent too large cookie

1effcdd8 · Rémi PAILHAREY · 2915dc5f · 1effcdd8 · 1effcdd8 · 1effcdd8
Commit 1effcdd8 authored 7 months ago by Rémi PAILHAREY
--- a/internal/auth/oauth2.go
+++ b/internal/auth/oauth2.go
@@ -106,11 +106,11 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 		}
 		////////////////////////////////////////////////
 		// UNCOMMENT THIS TO DEBUG USERINFO RESPONSE //
-		// readBody, err := ioutil.ReadAll(response.Body)
+		// readBody, err := io.ReadAll(response.Body)
 		// if err != nil {
 		// 	panic(err)
 		// }
-		// newBody := ioutil.NopCloser(bytes.NewBuffer(readBody))
+		// newBody := io.NopCloser(bytes.NewBuffer(readBody))
 		// response.Body = newBody
 		// if string(readBody) != "" {
 		// 	fmt.Printf("BODY : %q \n", readBody)
@@ -126,6 +126,15 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 			user.Roles[key] = strings.TrimPrefix(strings.Split(role, ",")[0], "CN=")
 		}

+		// Filter only allowed roles to reduce the cookie size
+		var filteredRoles []string
+		for _, role := range user.Roles {
+			if role == AdminRole || role == AnimatorRole {
+				filteredRoles = append(filteredRoles, role)
+			}
+		}
+		user.Roles = filteredRoles
+
 		// Check if user has the correct role
 		err = checkUserHasRole(TokenData{User: user}, []string{AdminRole, AnimatorRole})

@@ -145,7 +154,7 @@ func (m Manager) HandleOAuth2Callback() http.Handler {
 		}
 		tokenData := TokenData{User: user, XSRFToken: xsrfToken}
 		tokens.CreateCookie(tokenData, m.Hostname, authTokenKey, 24*time.Hour, w)
-		// Log the connexion
+		// Log the connection
 		log.Printf("| %v (%v %v) | Login success | %v", user.Login, user.Name, user.Surname, req.RemoteAddr)
 		// Redirect
 		http.Redirect(w, r, "/", http.StatusFound)

--- a/internal/rootmux/rootmux_test.go
+++ b/internal/rootmux/rootmux_test.go
@@ -247,7 +247,7 @@ func animatorTests(t *testing.T) {
 		do("GET", "/api/common/monthlyReport?year=2021&month=1", noH, "", http.StatusOK, `{"year":2021,"month":1,"subject":"[Ecolyo] Votre bilan de décembre 2020","info":"Informations du mois","image":"imagebase64","newsTitle":"","newsContent":"","question":"","link":""`)

 		// Try to get SGE consents (must fail)
-		do("GET", "/api/admin/consent?limit=50&page=0", xsrfHeader, "", http.StatusForbidden, "no user role among [ANIMATORS OTHER_GROUP] is in allowed roles ([ADMINS])")
+		do("GET", "/api/admin/consent?limit=50&page=0", xsrfHeader, "", http.StatusForbidden, "no user role among [ANIMATORS] is in allowed roles ([ADMINS])")
 	}
 	// Try to login (must pass)
 	do("GET", "/OAuth2Login", noH, "", http.StatusOK, "")

--- a/internal/tokens/tokens_test.go
+++ b/internal/tokens/tokens_test.go
 package tokens

 import (
-	"fmt"
 	"testing"
 	"time"

@@ -13,10 +12,6 @@ type user struct {
 	Password string
 }

-func (u user) String() string {
-	return fmt.Sprintf("Login: %v, Password: %v", u.Login, u.Password)
-}
-
 func TestManagerCreateTokenUnStoreData(t *testing.T) {
 	key, _ := common.GenerateRandomBytes(32)
 	key2, _ := common.GenerateRandomBytes(32)