auth/authd/server.go
Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.
1 package main
3 import (
4 "html/template"
5 "log"
6 "net/http"
8 "code.secondbit.org/auth.hg"
9 "github.com/gorilla/mux"
10 )
12 func main() {
13 store := auth.NewMemstore()
14 config := auth.Config{
15 ClientStore: store,
16 AuthCodeStore: store,
17 ProfileStore: store,
18 TokenStore: store,
19 SessionStore: store,
20 Template: template.Must(template.New("base").ParseGlob("./templates/*.gotmpl")),
21 LoginURI: "/login",
22 }
23 err := config.Init()
24 if err != nil {
25 log.Fatal(err)
26 }
27 context, err := auth.NewContext(config)
28 if err != nil {
29 panic(err)
30 }
32 router := mux.NewRouter()
33 auth.RegisterOAuth2(router, context)
34 auth.RegisterSessionHandlers(router, context)
35 auth.RegisterProfileHandlers(router, context)
36 auth.RegisterClientHandlers(router, context)
37 http.Handle("/", router)
38 log.Fatal(http.ListenAndServe(":8080", nil))
39 }
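Review bot: The `auth.Config` literal (gutter 14–22) does not set the new option the commit message describes for marking the session cookie Secure, so this daemon runs on whatever default that flag has; if the default is the testing-friendly insecure one, state it explicitly here, e.g. `<SECURE_COOKIE_FIELD>: true, // production: require HTTPS` (field name taken from the auth package's Config), so a deployment cannot inherit an insecure setting silently. The server is started with `http.ListenAndServe(":8080", nil)` on the default mux with no timeouts; prefer `srv := &http.Server{Addr: ":8080", Handler: router, ReadTimeout: 10 * time.Second, WriteTimeout: 10 * time.Second}` and `log.Fatal(srv.ListenAndServe())`, which also keeps any handler another package registers on `http.DefaultServeMux` off this listener. Error handling is inconsistent between `log.Fatal(err)` after `config.Init()` and `panic(err)` after `auth.NewContext`; both abort startup, but the panic prints a stack trace where a plain `log.Fatal(err)` would do.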