auth/session_test.go
Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.
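--- a/session_test.go
+++ b/session_test.go
@@ -25,12 +25,18 @@
 if !session1.Created.Equal(session2.Created) {
 return false, "Created", session1.Created, session2.Created
 }
+if !session1.Expires.Equal(session2.Expires) {
+return false, "Expires", session1.Expires, session2.Expires
+}
 if session1.Login != session2.Login {
 return false, "Login", session1.Login, session2.Login
 }
 if session1.Active != session2.Active {
 return false, "Active", session1.Active, session2.Active
 }
+if session1.CSRFToken != session2.CSRFToken {
+return false, "CSRFToken", session1.CSRFToken, session2.CSRFToken
+}
 return true, "", nil, nil
 }
 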
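Review bot: The `CSRFToken` comparison added in this hunk is a plain `!=`, which is fine for a test equality helper, but the production-side check the commit message describes (the login page rejecting a mismatched token) should compare with `subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1` rather than `==`; that code is not in this hunk, so this is a pointer rather than a finding. The `Expires` check correctly uses `time.Time.Equal` instead of `==`, so a monotonic-clock reading on one side cannot cause a spurious mismatch. If no other hunk covers it, a test asserting that a session whose `Expires` is in the past is rejected would pin the new expiration behaviour; as written, the field is only checked for round-trip equality. The enclosing comparison function starts before this hunk.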