2017-04-06 18:40:57 +00:00
|
|
|
package oauth2
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
|
|
|
"net/http"
|
|
|
|
"time"
|
|
|
|
)
|
|
|
|
|
|
|
|
const (
|
|
|
|
// DefaultCookieName is the name of the stored cookie
|
|
|
|
DefaultCookieName = "session"
|
2017-04-14 07:12:52 +00:00
|
|
|
// DefaultInactivityDuration is the duration a token is valid without any new activity
|
|
|
|
DefaultInactivityDuration = 5 * time.Minute
|
2017-04-06 18:40:57 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
var _ Authenticator = &cookie{}
|
|
|
|
|
|
|
|
// cookie represents the location and expiration time of new cookies.
|
|
|
|
type cookie struct {
|
2017-04-14 07:12:52 +00:00
|
|
|
Name string // Name is the name of the cookie stored on the browser
|
|
|
|
Lifespan time.Duration // Lifespan is the expiration date of the cookie. 0 means session cookie
|
|
|
|
Inactivity time.Duration // Inactivity is the length of time a token is valid if there is no activity
|
|
|
|
Now func() time.Time
|
|
|
|
Tokens Tokenizer
|
2017-04-06 18:40:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NewCookieJWT creates an Authenticator that uses cookies for auth
|
2017-04-14 07:12:52 +00:00
|
|
|
func NewCookieJWT(secret string, lifespan time.Duration) Authenticator {
|
2017-04-06 18:40:57 +00:00
|
|
|
return &cookie{
|
2017-04-14 07:12:52 +00:00
|
|
|
Name: DefaultCookieName,
|
|
|
|
Lifespan: lifespan,
|
|
|
|
Inactivity: DefaultInactivityDuration,
|
2017-04-17 15:39:01 +00:00
|
|
|
Now: DefaultNowTime,
|
2017-04-06 18:40:57 +00:00
|
|
|
Tokens: &JWT{
|
|
|
|
Secret: secret,
|
2017-04-17 15:39:01 +00:00
|
|
|
Now: DefaultNowTime,
|
2017-04-06 18:40:57 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Validate returns Principal of the Cookie if the Token is valid.
|
2017-04-14 07:12:52 +00:00
|
|
|
func (c *cookie) Validate(ctx context.Context, w http.ResponseWriter, r *http.Request) (Principal, error) {
|
2017-04-06 18:40:57 +00:00
|
|
|
cookie, err := r.Cookie(c.Name)
|
|
|
|
if err != nil {
|
|
|
|
return Principal{}, ErrAuthentication
|
|
|
|
}
|
2017-04-14 07:12:52 +00:00
|
|
|
|
|
|
|
p, err := c.Tokens.ValidPrincipal(ctx, Token(cookie.Value), c.Lifespan)
|
|
|
|
if err != nil {
|
|
|
|
return Principal{}, ErrAuthentication
|
|
|
|
}
|
|
|
|
|
|
|
|
// Refresh the token by extending its life another Inactivity duration
|
|
|
|
p, err = c.Tokens.ExtendPrincipal(ctx, p, c.Inactivity)
|
|
|
|
if err != nil {
|
|
|
|
return Principal{}, ErrAuthentication
|
|
|
|
}
|
|
|
|
|
|
|
|
token, err := c.Tokens.Create(ctx, p)
|
|
|
|
if err != nil {
|
|
|
|
return Principal{}, ErrAuthentication
|
|
|
|
}
|
|
|
|
|
|
|
|
// Cookie lifespan can be indirectly figured out by taking the token's
|
|
|
|
// issued at time and adding the lifespan setting The token's issued at
|
|
|
|
// time happens to correspond to the cookie's original issued at time.
|
|
|
|
exp := p.IssuedAt.Add(c.Lifespan)
|
|
|
|
// Once the token has been extended, write it out as a new cookie.
|
|
|
|
c.setCookie(w, string(token), exp)
|
|
|
|
|
|
|
|
return p, nil
|
2017-04-06 18:40:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Authorize will create cookies containing token information. It'll create
|
|
|
|
// a token with cookie.Duration of life to be stored as the cookie's value.
|
|
|
|
func (c *cookie) Authorize(ctx context.Context, w http.ResponseWriter, p Principal) error {
|
2017-04-14 07:12:52 +00:00
|
|
|
// Principal will be issued at Now() and will expire
|
|
|
|
// c.Inactivity into the future
|
2017-04-17 15:39:01 +00:00
|
|
|
now := c.Now()
|
2017-04-14 07:12:52 +00:00
|
|
|
p.IssuedAt = now
|
|
|
|
p.ExpiresAt = now.Add(c.Inactivity)
|
|
|
|
|
|
|
|
token, err := c.Tokens.Create(ctx, p)
|
2017-04-06 18:40:57 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2017-04-14 07:12:52 +00:00
|
|
|
|
|
|
|
// The time when the cookie expires
|
|
|
|
exp := now.Add(c.Lifespan)
|
|
|
|
c.setCookie(w, string(token), exp)
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// setCookie creates a cookie with value expiring at exp and writes it as a cookie into the response
|
|
|
|
func (c *cookie) setCookie(w http.ResponseWriter, value string, exp time.Time) {
|
2017-04-06 18:40:57 +00:00
|
|
|
// Cookie has a Token baked into it
|
|
|
|
cookie := http.Cookie{
|
|
|
|
Name: DefaultCookieName,
|
2017-04-14 07:12:52 +00:00
|
|
|
Value: value,
|
2017-04-06 18:40:57 +00:00
|
|
|
HttpOnly: true,
|
|
|
|
Path: "/",
|
|
|
|
}
|
|
|
|
|
|
|
|
// Only set a cookie to be persistent (endure beyond the browser session)
|
|
|
|
// if auth duration is greater than zero
|
2017-04-17 15:39:01 +00:00
|
|
|
if c.Lifespan > 0 || exp.Before(c.Now()) {
|
2017-04-14 07:12:52 +00:00
|
|
|
cookie.Expires = exp
|
2017-04-06 18:40:57 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
http.SetCookie(w, &cookie)
|
|
|
|
}
|
|
|
|
|
|
|
|
// Expire returns a cookie that will expire an existing cookie
|
|
|
|
func (c *cookie) Expire(w http.ResponseWriter) {
|
2017-04-14 07:12:52 +00:00
|
|
|
// to expire cookie set the time in the past
|
2017-04-17 15:39:01 +00:00
|
|
|
c.setCookie(w, "none", c.Now().Add(-1*time.Hour))
|
2017-04-06 18:40:57 +00:00
|
|
|
}
|