auth

Paddy 2015-01-28 Parent:267483f168b5 Child:d103a598548c

132:163ce22fa4c9

auth/config.go

Enable CSRF protection, add expiration to sessions. Sessions gain a CSRF token, which is passed as a parameter to the login page. The login page now checks for that CSRF token, and logs a CSRF attempt if the token does not match. I also added an expiration to sessions, so they don't last forever. Sessions should be pretty short--we just need to stay logged in for long enough to approve the OAuth request. Everything after that should be cookie based. Finally, I added a configuration parameter to control whether the session cookie should be set to Secure, requiring the use of HTTPS. For production use, this flag is a requirement, but it makes testing extremely difficult, so we need a way to disable it.

package auth

import (
	"errors"
	"html/template"
	"log"
)

var (
	// ErrInvalidLoginURI is returned when a Context is instantiated with a Config object that specifies a LoginURI that can't be parsed as a URL.
	ErrInvalidLoginURI = errors.New("invalid login URI")
	// ErrConfigNotInitialized is returned when a Context is instantiated with a Config object that hasn't had its Init function called.
	ErrConfigNotInitialized = errors.New("config not initialized")
)

// Config holds the configuration values necessary to run a server. A Config
// instance is the only way to instantiate a Context variable.
type Config struct {
	ClientStore   clientStore
	AuthCodeStore authorizationCodeStore
	ProfileStore  profileStore
	TokenStore    tokenStore
	SessionStore  sessionStore
	Template      *template.Template
	LoginURI      string
	iterations    int
	secureCookie  bool
}

// Init is a function that preps the Config object to be used for Context creation, setting variables
// that are determined at the beginning of program execution.
func (c *Config) Init() error {
	scheme, ok := passphraseSchemes[CurPassphraseScheme]
	if !ok {
		return ErrInvalidPassphraseScheme
	}
	var err error
	c.iterations, err = scheme.calculateIterations()
	if err != nil {
		return err
	}
	log.Printf("Generating passphrases with %d iterations...\n", c.iterations)
	return nil
}
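The changeset above only shows config.go, so the session and CSRF handling the commit message describes is not visible here. The following is an added example, not code from this repository, sketching that behaviour end to end: a session carries a random CSRF token and an expiry, the login check rejects expired sessions and compares the presented token in constant time (logging a mismatch as a CSRF attempt, as the message says), and the session cookie's Secure flag is driven by a boolean that stands in for the commit's secureCookie setting. All names (sessionRecord, newSession, check, sessionCookie) and the cookie name "session" are assumptions.

```go
package main

// Added example, not code from the changeset above. Names here
// (sessionRecord, newSession, check, sessionCookie) are assumptions.

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
	"net/http"
	"time"
)

var (
	ErrCSRFMismatch   = errors.New("csrf token mismatch")
	ErrSessionExpired = errors.New("session expired")
)

// sessionRecord is a short-lived login session. The CSRF token is handed to
// the login page as a form parameter and must be presented back unchanged.
type sessionRecord struct {
	ID        string
	CSRFToken string
	Expires   time.Time
}

// randomToken returns 32 bytes from crypto/rand, hex encoded.
func randomToken() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// newSession creates a session that expires ttl after now. The caller passes
// the clock so the expiry logic can be tested deterministically.
func newSession(now time.Time, ttl time.Duration) (*sessionRecord, error) {
	id, err := randomToken()
	if err != nil {
		return nil, err
	}
	csrf, err := randomToken()
	if err != nil {
		return nil, err
	}
	return &sessionRecord{ID: id, CSRFToken: csrf, Expires: now.Add(ttl)}, nil
}

// check rejects an expired session first, then compares the presented CSRF
// token in constant time. A mismatch is logged as a CSRF attempt.
func (s *sessionRecord) check(now time.Time, presented string) error {
	if !now.Before(s.Expires) {
		return ErrSessionExpired
	}
	if subtle.ConstantTimeCompare([]byte(s.CSRFToken), []byte(presented)) != 1 {
		log.Printf("CSRF attempt on session %s", s.ID)
		return ErrCSRFMismatch
	}
	return nil
}

// sessionCookie builds the cookie for s. secure stands in for the config
// flag the commit adds: true in production (HTTPS only), false for testing.
func sessionCookie(s *sessionRecord, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    s.ID,
		Path:     "/",
		Expires:  s.Expires,
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	now := time.Now()
	s, err := newSession(now, 10*time.Minute)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("valid token:", s.check(now, s.CSRFToken))
	fmt.Println("wrong token:", s.check(now, "forged"))
	fmt.Println("expired:", s.check(now.Add(time.Hour), s.CSRFToken))
	fmt.Println("Secure flag set:", sessionCookie(s, true).Secure)
}
```

The expiry is checked before the token so that a stale session never reaches the comparison, and the comparison uses crypto/subtle rather than == so that the token check does not leak timing information; the session cookie is also HttpOnly and SameSite=Lax, which is cheap to add alongside the Secure flag the commit introduces.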